Thursday, October 31, 2019

raid - ZFS on top of Hardware Mirroring, or just mirror in ZFS?



I have an IBM x346 with dual 3.2GHz Xeons and 2x36GB 15k SCSI disks. I'm running an entirely ZFS-based install of FreeBSD 8.1.




I can configure the bios to mirror the two disks, and then put ZFS on that "single" drive, or I can mirror the drives using ZFS, and install to that.



If I go the all-ZFS route, I suppose I have a little more freedom with how I use the devices (I could set up a fast non-redundant striped area, in addition to my mirrored system install, for example). Do I gain anything as far as error correction goes? Rebuild performance/ease/time?



I know that both configurations are probably the same to within a gnat's eyelash, but I'd like a second opinion.


Answer



Don't know about the speed, but here is what I believe running ZFS on RAID would mean:





  • You lose the benefits of atomic writes because now the RAID controller has the last say on when a write happens to the disk, which means you rely on the RAID controller's NVRAM.


  • ZFS also may get lied to if the data was written improperly; ZFS would have to take the RAID controller's word for it.


  • You would also lose the ability to repair files because, from ZFS's point of view, you have a single disk; if the data's integrity is bad, ZFS would have no way to repair it because there is no second copy (assuming you don't set copies=2).


  • If the RAID drives fall out of sync the RAID drive may take some time to sync depending on the journaling ability. ZFS will resilver the data it finds bad and at least some OSs may run a resilver periodically to ensure the integrity. Again because the RAID will only display one drive to ZFS, ZFS can't help with the repair/rebuild.


  • You would be able to expand the RAID (if the RAID has the capability) and maybe rebuild the ZFS data across more drives. (For me not a big plus considering the negatives so far.)


  • Of course all the snapshot functionality of ZFS would be unaffected (assuming the data doesn't silently get corrupted).




Hardware RAID would almost negate any advantages that ZFS would have. Personally, I wouldn't recommend using anything under ZFS, I would run ZFS on bare metal.




However, if there is an advantage I hadn't considered, I'm open to hearing it.


raid1 - How does Rebuild in host-raid RAID-1 work?



I am testing a non-hardware RAID with 3 1TB disks.
I created a RAID-1 array with my first 2 disks and installed Windows 7 on the RAID disk that I'd created. I unplugged the first disk's SATA cable in the RAID array and rebooted the system. When I entered the RAID controller by pressing "Ctrl+I" I got a message asking me to add the free disk to the array. After I added that disk, the RAID volume status changed to Rebuild. Under the screen there is a yellow message: "Volumes with Rebuild status will be rebuilt within the operating system".



Here are my questions:





  1. What does that message mean? Does it mean that I just need to boot into my Windows and all the rebuilding happens automatically, or do I need any kind of software?

  2. How can I monitor how much of the rebuilding process is completed?


Answer



You are using an Intel Rapid Storage RAID controller. This is not hardware RAID. Like most onboard/motherboard RAID controllers it is host-RAID.



"Volumes with Rebuild status will be rebuilt within the operating system" means exactly that: Rapid Storage relies on a driver within the OS to perform its work. It is incapable of doing any actual RAID'ing by itself.



Status will be shown using the Intel Rapid Storage console which normally comes bundled with the RAID driver. You're also better off adding/removing/replacing disks using the Windows software and not the very limited BIOS interface.


Wednesday, October 30, 2019

How do botmasters use Domain Generating Algorithms (DGA)?


Domain Generation Algorithms (DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware's command and control servers.



For example, an infected computer could create thousands of domain names such as: www.(gibberish).com and would attempt to contact a portion of these with the purpose of receiving an update or commands. - Wikipedia




But my question is: we need to buy and register a domain name before we can use it. Then how can a hacker generate 10 thousand domain names and use them?
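The mechanism the question describes, seen from the defender's side, as an added example that is not part of the original post: a constructed toy DGA (a date-seeded linear congruential generator, not any real malware's algorithm) produces the day's candidate list, and the same list is matched against constructed DNS log lines to find hosts that queried one of the candidates. The log format, the key constant and all sample data are assumptions.

```python
import datetime
import re
import string

ALPHABET = string.ascii_lowercase
TLDS = ("com", "net", "org")
# Constructed DNS-log format for the sample below (assumption, not a real resolver's format).
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")
SAMPLE_DAY = datetime.date(2019, 10, 30)


def toy_dga(day, count, key=0x5EED):
    """Constructed toy DGA: the seed is the date combined with a fixed key and an
    LCG drives each 12-letter label. Infected hosts and anyone who has recovered
    the algorithm derive the same list, which is why it can be precomputed and
    sinkholed or blocked ahead of time."""
    state = (day.year * 10000 + day.month * 100 + day.day) ^ key
    domains = []
    for _ in range(count):
        label = []
        for _ in range(12):
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF
            label.append(ALPHABET[(state >> 16) % 26])
        domains.append("".join(label) + "." + TLDS[(state >> 8) % len(TLDS)])
    return domains


def candidate_set(day, count, skew_days=1):
    """Today's candidates plus the previous `skew_days` days, since infected
    hosts' clocks are not synchronised with the analyst's."""
    names = set()
    for back in range(skew_days + 1):
        names.update(toy_dga(day - datetime.timedelta(days=back), count))
    return names


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.lower().rstrip(".")


def find_dga_clients(log_lines, day, count=10000):
    """Map each client that queried a precomputed candidate to the names it asked for."""
    candidates = candidate_set(day, count)
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:                      # malformed or unrelated log line
            continue
        qname = normalize(m.group("qname"))
        if qname in candidates:
            hits.setdefault(m.group("client"), []).append(qname)
    return hits


def demo():
    """Constructed sample: one host queries two of the day's 10,000 candidates
    (one upper-cased, one with a trailing dot); another host is clean."""
    cands = toy_dga(SAMPLE_DAY, 10000)
    lines = [
        "2019-10-30T10:15:02Z client=10.0.0.5 query=www.example.com. type=A rcode=NOERROR",
        "2019-10-30T10:15:03Z client=10.0.0.17 query=" + cands[42].upper() + " type=A rcode=NXDOMAIN",
        "2019-10-30T10:15:04Z client=10.0.0.17 query=" + cands[7] + ". type=A rcode=NOERROR",
        "this line is malformed and must be skipped",
    ]
    return find_dga_clients(lines, SAMPLE_DAY)


if __name__ == "__main__":
    for client, names in demo().items():
        print(client, "->", ", ".join(names))
```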

mac osx - SSH Tunnel Not Working As Expected



I'm trying to tunnel through a public IP to a private server's port 80. I know for a fact that apache is running on port 80 because if I ssh into the public IP I can access the private server via lynx just fine. The command I am using is as follows:



ssh  -N -L 9080::80


Then accessing http://localhost:9080 says unable to connect. I'm doing this from OSX. Running ssh -version I get the following in case it matters:




OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009


As requested by Ernest, here is some debug. This is after I enter my password. Removed IP address for security purposes.



debug3: packet_send2: adding 48 (len 63 padlen 17 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:9080 forwarded to remote address :80
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr NULL
debug1: Local forwarding listening on ::1 port 9080.
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9080.
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.


And then this debug when I make a request:



debug1: channel 3: free: direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64917, nchannels 5
debug3: channel 3: status: The following connections are open:
#2 direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64912 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#3 direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64917 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#4 direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64918 (t3 r-1 i0/0 o0/0 fd 8/8 cfd -1)
debug3: channel 3: close_fds r 7 w 7 e -1 c -1
debug2: channel 4: open confirm rwindow 2097152 rmax 32768
debug2: channel 4: rcvd eof
debug2: channel 4: output open -> drain
debug2: channel 4: obuf empty
debug2: channel 4: close_write
debug2: channel 4: output drain -> closed
debug2: channel 4: read<=0 rfd 8 len 0
debug2: channel 4: read failed
debug2: channel 4: close_read
debug2: channel 4: input open -> drain
debug2: channel 4: ibuf empty
debug2: channel 4: send eof
debug2: channel 4: input drain -> closed
debug2: channel 4: send close
debug3: channel 4: will not send data after close
debug2: channel 4: rcvd close
debug3: channel 4: will not send data after close
debug2: channel 4: is dead
debug2: channel 4: garbage collecting
debug1: channel 4: free: direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64918, nchannels 4
debug3: channel 4: status: The following connections are open:
#2 direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64912 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#4 direct-tcpip: listening port 9080 for zmanda port 80, connect from ::1 port 64918 (t4 r1 i3/0 o3/0 fd 8/8 cfd -1)
debug3: channel 4: close_fds r 8 w 8 e -1 c -1

Answer



So the issue was a few things.





  1. The web application is running over SSL so I had to do port 443 instead of 80

  2. For whatever reason, you can't forward 443 to a different local port. So I had to forward to 443.



The final command looked like this:



sudo ssh gdboling@ -N -L 443::443 


Tuesday, October 29, 2019

rewrite - Disabling URL decoding in nginx proxy



When I browse to this URL: http://localhost:8080/foo/%5B-%5D server (nc -l 8080) receives it as-is:



GET /foo/%5B-%5D HTTP/1.1


However when I proxy this application via nginx (1.1.19):




location /foo {
    proxy_pass http://localhost:8080/foo;
}


The same request routed through the nginx port is forwarded with the path decoded:



GET /foo/[-] HTTP/1.1



Decoded square brackets in the GET path are causing the errors in the target server (HTTP Status 400 - Illegal character in path...) as they arrive un-escaped.



Is there a way to disable URL decoding or encode it back so that the target server gets the exact same path when routed through nginx? Some clever URL rewrite rule?


Answer



Quoting Valentin V. Bartenev (who should get the full credit for this answer):




A quote from documentation:






  • If proxy_pass is specified with URI, when passing a request to the server, part of a normalized request URI matching the location is replaced by a URI specified in the directive


  • If proxy_pass is specified without URI, a request URI is passed to the server in the same form as sent by a client when processing an original request





The correct configuration in your case would be:



location /foo {
    proxy_pass http://localhost:8080;
}
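A small model of the two proxy_pass cases quoted in the answer, added here and not part of the original answer or of nginx itself: normalize_uri approximates nginx's request-URI normalisation (an assumption, not nginx's code), proxied_request_line shows what reaches the backend in each case, and unsafe_path_chars shows why the decoded path is rejected by a strict backend.

```python
import string
from urllib.parse import unquote, urlsplit

# Characters allowed unencoded in a URI path (RFC 3986 pchar plus '/' and '%').
# A backend that enforces this rejects '[' and ']' with a 400, as in the question.
PATH_SAFE = set(string.ascii_letters + string.digits + "-._~!$&'()*+,;=:@/%")


def normalize_uri(path):
    """Approximation of nginx's request-URI normalisation (assumption, not nginx's
    own code): percent-decode, drop empty and '.' segments, resolve '..'."""
    decoded = unquote(path)
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    trailing = "/" if decoded.endswith("/") and parts else ""
    return "/" + "/".join(parts) + trailing


def proxied_request_line(request_target, location, proxy_pass):
    """Return (upstream, request line) for a prefix `location` block with the given
    proxy_pass, following the two documented cases quoted in the answer."""
    path, _, query = request_target.partition("?")
    target = urlsplit(proxy_pass)
    if target.path:
        # proxy_pass carries a URI: the normalised (decoded) request URI has the
        # matched location prefix replaced by that URI.
        norm = normalize_uri(path)
        if not norm.startswith(location):
            raise ValueError("request %r does not match location %r" % (path, location))
        new_path = target.path + norm[len(location):]
    else:
        # proxy_pass has no URI: the client's request URI is forwarded unchanged.
        new_path = path
    if query:
        new_path += "?" + query
    return target.netloc, "GET " + new_path + " HTTP/1.1"


def unsafe_path_chars(path):
    """Characters a strict backend will refuse in the forwarded path."""
    return sorted({c for c in path if c not in PATH_SAFE})


if __name__ == "__main__":
    for pp in ("http://localhost:8080/foo", "http://localhost:8080"):
        upstream, line = proxied_request_line("/foo/%5B-%5D", "/foo", pp)
        print(pp, "->", line, "unsafe:", unsafe_path_chars(line.split()[1]))
```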


Monday, October 28, 2019

networking - Windows server 2012 two external routes / 2 NICs



Our current server layout has 4 servers running on an external IP address all multi-homed using the 192.168.1.x network for external public access and the 192.168.5.x network for internal communication between all servers.




The 192.168.1.x and 192.168.5.x networks are individual NICs on each server and run through distinct routers.



We have a bank of IP addresses, 1.2.3.122 being our current main site, the secondary (internal) router we would like to set up for testing and load balancing (mainly to get our system traffic off the same pipe as client traffic).



The 1.2.3.122 traffic works fine through the 192.168.1.x network and the servers all respond to traffic and requests without issue. However, attempting to access the 192.168.5.x network through a new IP address (1.2.3.125) is not working at all. If you are internal to the network, you can access the website on the server at (5.100), but it will not accept traffic through the external router.



However, if we switch the 192.168.5.x router to be on the 1.2.3.122 IP address, we can access our servers.



Is there a way to allow Windows Server 2012 to watch for internet traffic on both the 192.168.1.x and the 192.168.5.x subnets and properly respond to outside requests from them?




Our servers are Windows Server 2012 R2. Router on one side (192.168.1.x subnet / 1.2.3.122 external - default gateway) is a Cisco RV082 (small business router). On the other side (192.168.5.x subnet / 1.2.3.125 external / routing rules set up to pass traffic through 192.168.5.1 router for gateway to 192.168.5.x network - the side that doesn't work externally) we have a Cisco 2911 router.


Answer



Your responses to comments are enough to clarify for me.



Windows Server 2012 doesn't have the functionality to do what you're looking for. You're looking for some basic policy-based routing functionality, which Windows has never had decent support for.



I don't know about the Cisco RV082 (which, if memory serves, is a re-badged Linksys offering), but the 2911 could NAT the traffic from the Internet to an address local to its 192.168.5.0/24 interface. Assuming you could get the same thing going on the RV082 side you'd find that the Windows machines would respond to requests out the "correct" NIC.



This is likely not a real world solution. This would be problematic because the Windows machines wouldn't have knowledge of the real source IP address of clients. Surely, at the least, this would be an analytics problem, if not exposing other problems in your apps where it might be assumed that you'll have knowledge of the client's IP address.




A better solution would be to put a policy-based routing solution in place ahead of the Windows Server machines. (I'd probably throw a Linux machine (or machines) upstream from the Windows Server machines running one of the various popular HTTP reverse-proxy applications, but that's personal preference.)


Sunday, October 27, 2019

networking - What is the difference between UDP and TCP?



My router has two protocols (and a "both" option) that I can select when setting up port forwarding: UDP and TCP. What is the difference between these two protocols and when would you select one over the other in port forwarding?


Answer



TCP is backed by acks and retries to make sure your data gets where it's going. UDP is connectionless and "fire and forget". UDP is mostly used for streaming type applications, where if you lose some data you don't need to try to send it again.




Which one you use depends on the application. For example, a web server uses TCP.


linux - Multiple cgroup in service cron status: what does it mean?



I'm trying to diagnose some funky behaviour with cron on one of our Ubuntu 16.04 LTS servers.



When I do service cron status I get this:



root@baobaospa:/etc/cron.d# service cron status
● cron.service - Regular background program processing daemon
   Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled)
   Active: active (running) since mar 2018-06-12 21:54:33 CEST; 12min ago
     Docs: man:cron(8)
 Main PID: 11789 (cron)
    Tasks: 6
   Memory: 4.2G
      CPU: 13min 59.438s
   CGroup: /system.slice/cron.service
           ├─ 8297 /usr/sbin/CRON -f
           ├─ 8302 /bin/sh -c php /var/www/web1/baobao/shop/cron.php
           ├─ 8304 php /var/www/web1/baobao/shop/cron.php
           ├─ 8348 /usr/bin/php /var/www/web1/baobao/shop/cron.php -mdefault
           └─11789 /usr/sbin/cron -f


This is the first time that I see those multiple entries under CGroup: what are those supposed to mean? I'm worried because I see multiple entries running that cron.php via php-cli: does it mean that the file is being called multiple times?



I already tried to inspect under /etc/cron.d* but I only get one hit with cron.php and I've no crontab -l set for ANY users.


Answer



You’re seeing the members of the control group associated with the service: there are two cron processes (I have no idea why one of them is in uppercase), one /bin/sh spawned by cron, one /usr/bin/php process spawned by that shell, and the other php process is presumably spawned by the first one.




If a service routinely spawns other processes, or has several helper processes running alongside the main process all the time, then it’s normal to see more than one entry in the cgroup. For example, on my server, apache2, postfix@- and dovecot all have multiple processes. You can also see the full tree of control groups and processes with systemctl status or systemd-cgls.


Saturday, October 26, 2019

VLANs in ESXi - require separate vswitches?



I am trying to configure two separate VLANs in ESXi. Right now I have two VLANs set up on a single vswitch in separate port groups (one for VLAN 100, one for VLAN 110). None of the ports connected to the port group for VLAN 100 can go anywhere, including the gateway. Everything connected to the port group for VLAN 110 works just fine. I've verified that both VLANs are configured on the router and on the local physical switch. The physical switch ports are set up in trunking mode currently per the KB articles I could find for VLAN setup.



The only other thing that may be a bit strange is that the management IP for esx/vsphere is located on vlan 110, though I'm not sure if that would make any difference.



Based on some of the EB's, will I need to set up a separate vswitch for each vlan instead of using two port groups on a single vswitch?




Edit: here is a screenshot (the image is not reproduced here).



Here is the switchport config (this same config applied to each port connected):



interface GigabitEthernet2/3
 description basqa1vm01 Sig
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,110
 switchport mode trunk
 switchport nonegotiate
 no ip address
 wrr-queue cos-map 1 1 0 1
 wrr-queue cos-map 1 3 2
 wrr-queue cos-map 2 1 3
 wrr-queue cos-map 2 2 4 6 7
 no cdp enable
end


Answer



Separate vSwitches are only required when you need a hard separation of which physical up-links can be used.



The vSwitch itself will have a NIC teaming configuration which determines the default behavior for both port groups and kernel ports. Typically I set all NICs as active here for the default behavior.



Then at each port group or kernel port, you can override which NICs are active and which are standby for that object. Unless you run into performance tuning issues, you can be lazy and not do this and just leave all the NICs as active.



In a performance scenario, you might set the vSwitch default to use all uplinks, and then set management to use the first NIC standby to the rest. vMotion to use the 2nd NIC, standby to the rest, and so forth.




So in this case... if both physical uplinks have been added to the vSwitch, and you've set the VLAN-ID on each port group, and one works and one does not, I am going to guess that either:



1) you have the native VLAN set on the other side as the one that is working



or



2) you haven't sent all the vlans down the trunk



How about a screenshot of this vSwitch?




What type of physical switch are you uplinking to?


hp - Third-party SSD in Proliant g8?

Anyone having success with third-party SATA or SAS drives with Proliant G8's? I know the G7's were flaky and had BIOS issues.



We're looking for real-world success stories with particular brands and models of enterprise-class SSDs.




(We'd hoped to install some Intel 910 cards, but they're so scarce these days it's impossible to locate them before our implementation deadline.)

apache 2.4 - Address already in use... could not bind to address... no listening sockets available

I am using this server as a staging area and plan to access it via its ip addy, not a domain name. When attempting to start apache, I get the following error:



(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available







If I was suspicious of a setting, I did several searches around it and indicated so. Thanks for your help. I'll quickly fetch whatever you need.



apachectl -t -D DUMP_VHOSTS produced:



AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 0.0.0.0. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/mydomain_staging.conf:3)



sudo netstat -lnp | grep :80 produces NOTHING



j@jjireh:/$ sudo netstat -lnp | grep :80
j@jjireh:/$


sudo netstat -tulpn produced: (address numbers replaced by "z")



tcp        0      0 127.0.0.1:zzzz          0.0.0.0:*               LISTEN      zzzz/mysqld
tcp        0      0 0.0.0.0:zzzz            0.0.0.0:*               LISTEN      zzzz/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           zzzz/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           3881/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3881/ntpd
udp6       0      0 z::z:z:z:123            :::*                                3881/ntpd
udp6       0      0 z:z::z:z:z              :::*                                3881/ntpd
udp6       0      0 ::1:123                 :::*                                3881/ntpd
udp6       0      0 :::123                  :::*                                3881/ntpd



/etc/apache2/envvars:



unset HOME # several searches around this
...


/etc/apache2/apache2.conf:



...
PidFile ${APACHE_PID_FILE} # several searches around the pid file

...


The only file in sites-available and sites-enabled is "/etc/apache2/sites-available/mydomain_staging.conf":



Listen 0.0.0.0:80  


ServerAdmin jay@email.com
DocumentRoot /home/j/mydomain_staging/public


LogLevel warn
ErrorLog /home/j/logs/mydomain_staging-error.log
CustomLog /home/j/logs/mydomain_staging-access.log combined


# This relaxes Apache security settings.
AllowOverride all
# MultiViews must be turned off.
Options -MultiViews
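One check worth running on the configuration above, added here and not part of the original post: a second Listen directive for the same port is a common cause of AH00072 when netstat shows nothing else on that port, because Apache tries to bind the port twice. The script scans a set of config files for Listen directives whose address:port overlap, treating directives inside different IfModule blocks as mutually exclusive. The config tree it builds is a constructed sample; that the asker's ports.conf carries Listen 80 (as Debian's default does) is an assumption.

```python
import os
import re
import tempfile

LISTEN_RE = re.compile(r"^Listen\s+(\S+)", re.IGNORECASE)
IFMOD_OPEN_RE = re.compile(r"^<IfModule\s+(\S+?)\s*>", re.IGNORECASE)
IFMOD_CLOSE_RE = re.compile(r"^</IfModule\s*>", re.IGNORECASE)
WILDCARDS = {"*", "0.0.0.0", "[::]"}   # bind every address, so they overlap any other Listen


def parse_listen(arg):
    """Split a Listen argument into (address, port): '80', '0.0.0.0:80', '[::1]:8080'."""
    if arg.startswith("["):
        addr, _, port = arg.rpartition("]:")
        return addr + "]", int(port)
    if ":" in arg:
        addr, _, port = arg.rpartition(":")
        return addr, int(port)
    return "*", int(arg)


def collect_listens(config_files):
    """Every Listen directive with its file, line number and enclosing <IfModule> names."""
    entries = []
    for path in config_files:
        conds = []
        with open(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):   # Apache comments are whole lines only
                    continue
                opened = IFMOD_OPEN_RE.match(line)
                if opened:
                    conds.append(opened.group(1))
                    continue
                if IFMOD_CLOSE_RE.match(line):
                    if conds:
                        conds.pop()
                    continue
                m = LISTEN_RE.match(line)
                if m:
                    addr, port = parse_listen(m.group(1))
                    entries.append({"addr": addr, "port": port, "file": path,
                                    "line": lineno, "cond": tuple(conds)})
    return entries


def find_listen_conflicts(config_files):
    """Pairs of Listen directives that would bind the same port twice. Entries in
    different <IfModule> blocks are assumed mutually exclusive (a heuristic)."""
    entries = collect_listens(config_files)
    conflicts = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a["port"] != b["port"]:
                continue
            if a["cond"] and b["cond"] and a["cond"] != b["cond"]:
                continue
            if a["addr"] == b["addr"] or a["addr"] in WILDCARDS or b["addr"] in WILDCARDS:
                conflicts.append((a["port"], a, b))
    return conflicts


def demo():
    """Constructed config tree mirroring the question: a Debian-style ports.conf
    (assumed to contain Listen 80) next to a site file that repeats the Listen."""
    root = tempfile.mkdtemp()
    ports = os.path.join(root, "ports.conf")
    site = os.path.join(root, "mydomain_staging.conf")
    with open(ports, "w") as fh:
        fh.write("Listen 80\n"
                 "<IfModule ssl_module>\n\tListen 443\n</IfModule>\n"
                 "<IfModule mod_gnutls.c>\n\tListen 443\n</IfModule>\n")
    with open(site, "w") as fh:
        fh.write("# duplicates the Listen already in ports.conf\n"
                 "Listen 0.0.0.0:80\n"
                 "<VirtualHost *:80>\n\tDocumentRoot /home/j/mydomain_staging/public\n</VirtualHost>\n")
    return find_listen_conflicts([ports, site])


if __name__ == "__main__":
    for port, a, b in demo():
        print("port %d bound twice: %s:%d (%s) and %s:%d (%s)"
              % (port, a["file"], a["line"], a["addr"], b["file"], b["line"], b["addr"]))
```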



Thursday, October 24, 2019

After restoring GitLab backup, new SSH public keys randomly supersede other users' existing keys



This occurred with a new (not upgraded) installation of GitLab 8.6.4.




I installed GitLab and my team evaluated it. Of course I and others entered our SSH public keys.



As part of our evaluation I made a GitLab backup and restored it.



After I restored the backup, new user Shung Wang entered his SSH public key.



Now, whenever I try to access the git repositories via SSH, the server thinks I am Shung Wang. For example, when I tested my SSH connection from my Ubuntu 14.04 laptop, I got this:



ssh -T git@gitserver
Welcome to GitLab, Shung Wang!



As a second test, I tried to clone a private repository to which Shung did not have access:



git clone git@gitserver:sw/devops.git
Cloning into 'devops'...
GitLab: The project you were looking for could not be found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.



Then I made Shung a member of the devops project, and git clone succeeded. I really am accessing GitLab repositories as Shung Wang.



Obviously this is a most unsatisfactory security situation. How can I access GitLab repositories as myself rather than as Shung Wang?


Answer



Explanation



GitLab maintains the file ~git/.ssh/authorized_keys, in which it gives each SSH public key a name: key-1, key-2, and so on.




Upon backup restore, the name gets reset to key-1, so subsequent keys have duplicate names. Here is my ~git/.ssh/authorized_keys file showing my key and Shung Wang's key both named key-1:



# Managed by gitlab-shell
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA...2SkSQ== jm...@wavecomp.com
###################################################################################################################################################################################
#####################################################################################################################################################################################
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA...nKQ== wang....@wavecomp.com
...



Apparently the last occurrence of key-1 is used for both me and Shung.



I reported this GitLab bug in GitLab issue 1263.



Workarounds



Until the bug is fixed, users can try these workarounds.



Workaround 1




Use sudo gitlab-rake gitlab:shell:setup to rebuild the authorized_keys file.



Workaround 2



I recommend trying workaround 1 first.



The following is what I actually did myself before discovering workaround 1.





  1. After you restore a backup, log in as some existing user and register a new SSH public key

  2. Search file ~git/.ssh/authorized_keys for key-1. If you find two, you have the problem described above.

  3. Those lines of ######... are not decoration. They are keys that were deleted by users. When a key is deleted, GitLab replaces every character in it with a #, presumably so the remaining keys do not move around in the file. Replace all characters in all SSH keys created before the backup restore with the # character in a fashion similar to what you see in the ~git/.ssh/authorized_keys shown above.

  4. Tell all your users they must re-enter their SSH public keys. If they complain, remind them to be thankful that the rest of the backup worked.



Rather than all that tedious editing in step 3, I suspect that you can simply move file ~git/.ssh/authorized_keys aside and replace it with an empty file, and then tell everyone to re-enter their SSH public keys. However I did not try this myself. If this works for you, please tell us in a comment.
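A check for the duplicate key-N condition that workaround 2, step 2 looks for, added here and not part of the original answer: it reads a gitlab-shell managed authorized_keys file, reports every key id that appears on more than one live line (with the line number and key comment of each), and counts the masked lines of # left behind by deleted keys. The sample file is constructed with fake key material.

```python
import re

KEY_ID_RE = re.compile(r'command="[^"]*gitlab-shell (key-\d+)"')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample in the layout the answer shows: two live keys both named
# key-1 (one entered before the restore, one after), one masked deleted key,
# and a normally numbered key-2. The key blobs are fake.
SAMPLE = """# Managed by gitlab-shell
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EFAKE1== alice@example.com
################################################################################
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EFAKE2== bob@example.com
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE3 carol@example.com
"""


def key_comment(tokens):
    """Trailing comment of an authorized_keys line (GitLab stores the key's title or e-mail there)."""
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES):          # key type, then the blob, then the comment
            return " ".join(tokens[i + 2:])
    return ""


def audit_authorized_keys(lines):
    """Return (duplicate ids -> [(line number, comment)], masked line count, highest key id)."""
    ids = {}
    masked = 0
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if set(line) == {"#"} and len(line) > 10:   # a deleted key overwritten with '#'
                masked += 1
            continue                                    # header or ordinary comment
        m = KEY_ID_RE.search(line)
        if not m:
            continue                                    # not a gitlab-shell managed line
        ids.setdefault(m.group(1), []).append((lineno, key_comment(line.split())))
    duplicates = {k: v for k, v in ids.items() if len(v) > 1}
    highest = max((int(k.split("-", 1)[1]) for k in ids), default=0)
    return duplicates, masked, highest


def demo():
    return audit_authorized_keys(SAMPLE.splitlines())


if __name__ == "__main__":
    dups, masked, highest = demo()
    print("masked (deleted) keys:", masked, "highest id:", highest)
    for key_id, owners in dups.items():
        print(key_id, "is used by", ", ".join("line %d (%s)" % o for o in owners))
```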


Wednesday, October 23, 2019

networking - Performance Implications to Using a Full Class A Subnet

Let's say you have a small network (50-60 IPs) and assign everything a 10.x.x.x IP with a subnet of 255.0.0.0. This gives you a huge range of usable IPs. What performance implications will this have on the network if any?

Monday, October 21, 2019

performance - Are networks now faster than disks?



This is a software design question.



I used to work on the following rule for speed:




cache memory > memory > disk > network


With each step being 5-10 times the previous step (e.g. cache memory is 10 times faster than main memory).



Now, it seems that gigabit ethernet has latency less than local disk. So, maybe operations to read out of a large remote in-memory DB are faster than local disk reads. This feels like heresy to an old timer like me. (I just spent some time building a local cache on disk to avoid having to do network round trips - hence my question)



Does anybody have any experience / numbers / advice in this area?



And yes I know that the only real way to find out is to build and measure, but I was wondering about the general rule.




edit:



This is the interesting data from the top answer:




  • Round trip within same datacenter 500,000 ns


  • Disk seek 10,000,000 ns





This is a shock for me; my mental model is that a network round trip is inherently slow. And it's not; it's 10x faster than a disk 'round trip'.



Jeff Atwood posted this very good blog on the topic: http://blog.codinghorror.com/the-infinite-space-between-words/


Answer



Here are some numbers that you are probably looking for, as quoted by Jeff Dean, a Google Fellow:






Numbers Everyone Should Know




L1 cache reference                             0.5 ns
Branch mispredict                              5 ns
L2 cache reference                             7 ns
Mutex lock/unlock                              100 ns (25)
Main memory reference                          100 ns
Compress 1K bytes with Zippy                   10,000 ns (3,000)
Send 2K bytes over 1 Gbps network              20,000 ns
Read 1 MB sequentially from memory             250,000 ns
Round trip within same datacenter              500,000 ns
Disk seek                                      10,000,000 ns
Read 1 MB sequentially from network            10,000,000 ns
Read 1 MB sequentially from disk               30,000,000 ns (20,000,000)
Send packet CA->Netherlands->CA                150,000,000 ns





It's from his presentation titled Designs, Lessons and Advice from Building Large Distributed Systems and you can get it here:






The talk was given at Large-Scale Distributed Systems and Middleware (LADIS) 2009.



Other Info









It's said that gcc -O4 emails your code to Jeff Dean for a rewrite.





Friday, October 18, 2019

centos - PXE Boot FreeBSD ISO from a Linux PXE server

I have a working PXE boot server running on CentOS 5.5 that works perfectly for any flavor of Linux. I'm trying to add FreeBSD to the install options as an ISO memdisk, but so far nothing is working out. When I try to boot, I get the following:





Loading memdisk....Ready
MEMDISK 3.11 2005-09-02 Copyright 2001-2005 H. Peter Anvin
MEMDISK: No ramdisk image specified


Snippet from my /tftpboot/pxelinux.cfg/default. The CentOS install works fine, but the FreeBSD one fails.





default menu.c32
prompt 0
timeout 300
ONTIMEOUT local

MENU TITLE PXE Menu

LABEL CentOS 6.0 x86_64 NO KS eth0
MENU LABEL CentOS 6.0 x86_64 NO KS eth0
KERNEL images/centos/x86_64/6.0/vmlinuz nofb text
APPEND initrd=images/centos/x86_64/6.0/initrd.img ramdisk_size=100000 ksdevice=eth0

LABEL FreeBSD 9.0 NO KS eth0
MENU LABEL FreeBSD9.0 AMD64
kernel memdisk
append iso
initrd images/freebsd_isos/FreeBSD-9.0-RELEASE-amd64-bootonly.iso


I've tried "append iso raw", "append iso" and "append raw", but it does not appear to make any difference. I've also tried using the FreeBSD Memstick .img file and "append raw", but same results.

new domain name while retaining the web hosting

I have client/customer level rights to a 3 yr. old domain + windows web hosting (IIS web server) for http://www.22shrutiharmonium.com and it has html and asp pages.



Now, I need to change the domain name to www.22shruti.com (this has been purchased from another provider), but I want to keep the files on the current hosting (http://www.22shrutiharmonium.com). So, only the domain name is to be changed, not the hosting service.



Please guide me about the step by step procedure to -

1> Carry out the domain transition.
2> While retaining (OR, minimize the decrease in) the search engine credentials of my website.



Thanks in advance.

Why is Postfix trying to connect to other machines' SMTP port 25?




I get these errors:



Jul  5 11:09:25 relay postfix/smtp[3084]: connect to ab.xyz.com[10.41.0.101]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3087]: connect to ab.xyz.com[10.41.0.247]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3088]: connect to ab.xyz.com[10.41.0.101]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3084]: connect to ab.xyz.com[10.41.0.247]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3087]: connect to ab.xyz.com[10.41.0.110]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3088]: connect to ab.xyz.com[10.41.0.110]:25: Connection refused
Jul  5 11:09:25 relay postfix/smtp[3084]: connect to ab.xyz.com[10.41.0.102]:25: Connection refused
Jul  5 11:09:30 relay postfix/smtp[3085]: connect to ab.xyz.com[10.41.0.102]:25: Connection refused
Jul  5 11:09:30 relay postfix/smtp[3086]: connect to ab.xyz.com[10.41.0.247]:25: Connection refused
Jul  5 11:09:30 relay postfix/smtp[3086]: connect to ab.xyz.com[10.41.0.102]:25: Connection refused
Jul  5 11:09:55 relay postfix/smtp[3087]: connect to ab.xyz.com[10.40.40.130]:25: Connection timed out
Jul  5 11:09:55 relay postfix/smtp[3084]: connect to ab.xyz.com[10.40.40.130]:25: Connection timed out
Jul  5 11:09:55 relay postfix/smtp[3088]: connect to ab.xyz.com[10.40.40.130]:25: Connection timed out
Jul  5 11:09:55 relay postfix/smtp[3087]: connect to ab.xyz.com[10.41.0.135]:25: Connection refused
Jul  5 11:09:55 relay postfix/smtp[3084]: connect to ab.xyz.com[10.41.0.110]:25: Connection refused
Jul  5 11:09:55 relay postfix/smtp[3088]: connect to ab.xyz.com[10.41.0.247]:25: Connection refused



Is this a DNS thing? Doubtful, as I've changed from our local DNS to Google's... still Postfix will occasionally try and connect to ab.xyz.com from a variety of addresses that may or may not have port 25 open and act as mail servers to begin with.



Why is Postfix attempting to connect to other machines as seen in the log?




  • Mail is being sent properly, other than that, it appears all is good.



Occasionally I'll also see:





relay postfix/error[3090]: 3F1AB42132: to=,
relay=none, delay=32754, delays=32724/30/0/0, dsn=4.4.1,
status=deferred (delivery temporarily suspended: connect to
ab.xyz.com[10.41.0.102]:25: Connection refused)




I have Postfix setup with very little restrictions:



mynetworks = 127.0.0.0/8, 10.0.0.0/8



only. Like I said it appears all mail is getting passed through, but I hate seeing errors and it is confusing me as to why it would be attempting to connect to other machines as seen in the log.



Some Output of cat /var/log/mail.log|grep 3F1AB42132




Jul 5 02:04:01 relay postfix/smtpd[1653]: 3F1AB42132:
client=unknown[10.41.0.109]




Jul 5 02:04:01 relay postfix/cleanup[1655]: 3F1AB42132:
message-id=



Jul 5 02:04:01 relay postfix/qmgr[1588]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 02:04:31 relay postfix/smtp[1634]: 3F1AB42132:
to=, relay=none, delay=30,
delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to
ab.xyz.com[10.41.0.110]:25: Connection refused)




Jul 5 02:13:58 relay postfix/qmgr[1588]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 02:14:28 relay postfix/smtp[1681]: 3F1AB42132:
to=, relay=none, delay=628,
delays=598/0.01/30/0, dsn=4.4.1, status=deferred (connect to
ab.xyz.com[10.41.0.247]:25: Connection refused)



Jul 5 02:28:58 relay postfix/qmgr[1588]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 02:29:28 relay postfix/smtp[1684]: 3F1AB42132:
to=, relay=none, delay=1527,
delays=1497/0/30/0, dsn=4.4.1, status=deferred (connect to
ab.xyz.com[10.41.0.135]:25: Connection refused)



Jul 5 02:58:58 relay postfix/qmgr[1588]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)




Jul 5 02:59:28 relay postfix/smtp[1739]: 3F1AB42132:
to=, relay=none, delay=3327,
delays=3297/0/30/0, dsn=4.4.1, status=deferred (connect to
ab.xyz.com[10.40.40.130]:25: Connection timed out)



Jul 5 03:58:58 relay postfix/qmgr[1588]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 03:59:28 relay postfix/smtp[1839]: 3F1AB42132:
to=, relay=none, delay=6928,

delays=6897/0.03/30/0, dsn=4.4.1, status=deferred (connect to
ab.xyz.com[10.41.0.101]:25: Connection refused)



Jul 5 04:11:03 relay postfix/qmgr[2039]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 04:11:33 relay postfix/error[2093]: 3F1AB42132:
to=, relay=none, delay=7653,
delays=7622/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to ab.xyz.com[10.41.0.101]:25: Connection refused)




Jul 5 05:21:03 relay postfix/qmgr[2039]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)



Jul 5 05:21:33 relay postfix/error[2217]: 3F1AB42132:
to=, relay=none, delay=11853,
delays=11822/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to ab.xyz.com[10.41.0.101]:25: Connection refused)



Jul 5 06:29:25 relay postfix/qmgr[2420]: 3F1AB42132:

from=, size=3404, nrcpt=1 (queue active)



Jul 5 06:29:55 relay postfix/error[2428]: 3F1AB42132:
to=, relay=none, delay=15954,
delays=15924/30/0/0.08, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to ab.xyz.com[10.41.0.101]:25:
Connection refused)



Jul 5 07:39:24 relay postfix/qmgr[2885]: 3F1AB42132:
from=, size=3404, nrcpt=1 (queue active)




Jul 5 07:39:54 relay postfix/error[2936]: 3F1AB42132:
to=, relay=none, delay=20153,
delays=20123/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to ab.xyz.com[10.40.40.130]:25: Connection timed
out)



Answer



Most likely they are wrong email addresses or your DNS resolution is failing.




Postfix will try to connect to the SMTP server according to the MX record of the ab.xyz.com domain to deliver the email, but if Postfix cannot find an MX record, it will attempt to deliver to the IP of the A record. (That's the expected behavior.)



But if the email address domain is wrong (mistyped, for example), the domain may exist but may not have an MX record, and the IP from the A record is a host without an SMTP server.



As an example, some people around here type myaddress@hotmail.com.mx (the correct address is myaddress@hotmail.com); the hotmail.com.mx domain indeed exists but does not have an MX record, so Postfix tries, and tries, and tries to deliver to an A record host that will never answer on port 25, causing log entries like:



Jul 5 17:03:37 www postfix/smtp[3149]: 6608A108FD2: to=, relay=none, delay=197971, delays=197971/0.02/0.18/0, dsn=4.4.1, status=deferred (connect to hotmail.com.mx[200.94.181.9]:25: Connection refused)
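Reading mail.log by hand gets tedious once several queue IDs are involved. The script below is an added example, not part of the question or the answer above: it parses Postfix smtp/error delivery lines of the kind shown on this page and groups deferred deliveries by recipient domain, so a domain that keeps failing on several A-record addresses (the ab.xyz.com pattern) or one with no mail server at all (the hotmail.com.mx case) stands out. The sample log lines are constructed after the ones on this page; the recipient addresses, which the page strips out, are invented.

```python
"""Summarise Postfix deferred deliveries per recipient domain (added example)."""
import re
from collections import Counter

# One smtp/error/local delivery record, e.g.
#   ... postfix/smtp[1634]: 3F1AB42132: to=<x@y>, relay=none, delay=30,
#   delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to y[10.0.0.1]:25: Connection refused)
DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>smtp|error|local)\[\d+\]: (?P<queue_id>[0-9A-F]+): "
    r"to=<?(?P<rcpt>[^>,]*)>?, relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<reason>.*)\)$"
)
# The "connect to host[ip]:port: error" fragment inside a deferral reason.
CONNECT_RE = re.compile(
    r"connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<error>.+)$"
)

# Constructed sample, modelled on the lines in the question and answer.
SAMPLE_LOG = """\
Jul 5 02:04:01 relay postfix/qmgr[1588]: 3F1AB42132: from=<form@relay>, size=3404, nrcpt=1 (queue active)
Jul 5 02:04:31 relay postfix/smtp[1634]: 3F1AB42132: to=<bob@ab.xyz.com>, relay=none, delay=30, delays=0.02/0/30/0, dsn=4.4.1, status=deferred (connect to ab.xyz.com[10.41.0.110]:25: Connection refused)
Jul 5 02:14:28 relay postfix/smtp[1681]: 3F1AB42132: to=<bob@ab.xyz.com>, relay=none, delay=628, delays=598/0.01/30/0, dsn=4.4.1, status=deferred (connect to ab.xyz.com[10.41.0.247]:25: Connection refused)
Jul 5 02:59:28 relay postfix/smtp[1739]: 3F1AB42132: to=<bob@ab.xyz.com>, relay=none, delay=3327, delays=3297/0/30/0, dsn=4.4.1, status=deferred (connect to ab.xyz.com[10.40.40.130]:25: Connection timed out)
Jul 5 04:11:33 relay postfix/error[2093]: 3F1AB42132: to=<bob@ab.xyz.com>, relay=none, delay=7653, delays=7622/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ab.xyz.com[10.41.0.101]:25: Connection refused)
Jul 5 17:03:37 www postfix/smtp[3149]: 6608A108FD2: to=<someone@hotmail.com.mx>, relay=none, delay=197971, delays=197971/0.02/0.18/0, dsn=4.4.1, status=deferred (connect to hotmail.com.mx[200.94.181.9]:25: Connection refused)
Jul 5 09:00:00 relay postfix/smtp[2000]: B1D2E3F4A5: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.5, delays=0.01/0/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)"""


def parse_delivery(line):
    """Parse one delivery-attempt line; returns None for any other log line."""
    m = DELIVERY_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["delay"] = float(rec["delay"])
    rec["domain"] = rec["rcpt"].rpartition("@")[2].lower()
    conn = CONNECT_RE.search(rec["reason"])
    rec["connect"] = conn.groupdict() if conn else None
    return rec


def summarize_deferred(lines):
    """Group deferred deliveries by recipient domain: IPs tried, errors seen, oldest delay."""
    summary = {}
    for line in lines:
        rec = parse_delivery(line)
        if rec is None or rec["status"] != "deferred":
            continue
        entry = summary.setdefault(rec["domain"], {
            "queue_ids": set(), "hosts": set(), "ips": set(),
            "errors": Counter(), "max_delay": 0.0,
        })
        entry["queue_ids"].add(rec["queue_id"])
        entry["max_delay"] = max(entry["max_delay"], rec["delay"])
        if rec["connect"]:
            entry["hosts"].add(rec["connect"]["host"])
            entry["ips"].add(rec["connect"]["ip"])
            entry["errors"][rec["connect"]["error"]] += 1
        else:
            entry["errors"][rec["reason"]] += 1
    return summary


def report(summary):
    """One line per domain, the longest-stuck domain first."""
    out = []
    for domain, e in sorted(summary.items(), key=lambda kv: -kv[1]["max_delay"]):
        errs = ", ".join(f"{err} x{n}" for err, n in e["errors"].most_common())
        out.append(f"{domain}: {len(e['queue_ids'])} message(s), stuck up to "
                   f"{e['max_delay']:.0f}s, tried {sorted(e['ips'])}: {errs}")
    return out


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(summarize_deferred(src))))
```

Run it against a real log with `python3 postfix_deferred.py /var/log/mail.log`; a domain whose "tried" list holds several addresses and only refusals or timeouts is the one to check for a missing MX record.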


Thursday, October 17, 2019

Can ping, can establish SSH connection in one way but not on other way

First of all, sorry for my English.



We're facing a very strange problem with SSH connection between two specific servers.



Let's say we have X1, X2 and Y servers.
X1 and X2 are behind the same firewall, have the same operating system installed, and use the same configuration for everything that is possibly related to the situation.



We don't have any rule set in iptables on server Y to allow or block only certain IPs or anything like that, but anyway... the X1 and X2 servers communicate with the outside using the same IP address.



PROBLEM: Server X1 cannot connect to server Y via SSH. It gets a response on ping, but nothing else, no other service on any other port succeeds to connect.




X2 or any other server succeeds in connecting to X1, and X1 succeeds in connecting to any other server except Y1.



[root@X1]# ssh -v root@Y1
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to Y1 [Y1] port 22.
** It stalls here **



We've restarted both servers and firewalls.



We've tested connecting from X1 to Y on a different port without configuring that port, and instead of stalling we get connection refused.
If we configure the Y1 SSH daemon to accept connections on that port and do the same test again... it stalls on that newly configured port.
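The difference the poster observed, a stall on the SSH port versus "connection refused" on an unconfigured port, is itself diagnostic: a refusal means a TCP RST came back from Y, while a stall means either that the handshake never completes (something between the hosts drops the SYN or the SYN-ACK) or that the daemon accepts and then never sends its banner. The script below is an added example, not from the post, that separates those cases with a plain socket and a timeout; the fake servers it starts on loopback exist only so it can be exercised offline, and the hostnames and ports are whatever you pass in.

```python
"""Classify what happens when a TCP connection to an SSH port is attempted (added example)."""
import socket
import threading
import time


def probe(host, port, timeout=5.0):
    """Return (state, detail) for one connection attempt.

    refused          -> RST received: the port is closed and nothing is silently dropping packets
    connect_timeout  -> no SYN-ACK within timeout: filtered on the path, or a routing/asymmetric-path problem
    no_banner        -> TCP connected but the peer sent nothing: daemon wedged, or the reply path is filtered
    closed_after_connect -> peer closed without a banner (e.g. TCP wrappers / MaxStartups rejection)
    ssh_banner       -> a normal SSH identification string was received
    other_banner     -> something else is listening there
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "RST received: port closed, no silent drop")
    except socket.timeout:
        return ("connect_timeout", "no SYN-ACK within timeout: filtered or routing problem")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("no_banner", "TCP connected but nothing received within timeout")
    if not data:
        return ("closed_after_connect", "peer closed the connection without a banner")
    text = data.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        return ("ssh_banner", text)
    return ("other_banner", text)


def start_fake_server(banner=None, hold_seconds=2.0):
    """Listen on an ephemeral loopback port; send `banner`, or stay silent for `hold_seconds`.

    Only here so the probe can be exercised without a real remote host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                time.sleep(hold_seconds)  # accepted, but never speaks: the "stall" case
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """A loopback port with no listener, to reproduce the refused case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(probe(host, port))
```

When run from X1 against Y (`python3 probe.py Y 22`), `connect_timeout` points at packet filtering or routing between the two networks, whereas `no_banner` says the TCP session is actually up and the problem is on the daemon side or on the return path after the handshake; a packet capture on both ends then tells which.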

Resizing pre-installed and mounted raid partitions for LVM use

Every time we order a new server from a new provider, or even just with a new distro, we run into inconsistencies. Meaning even though we go for a minimal distro, the server will come with unwanted configurations. In this case I am talking about a server with 2x4TB HDDs that come pre-installed in a RAID 1 configuration.
The RAID also seems to be configured sensibly.
lsblk returns the following:



NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda         8:0    0   3.7T  0 disk
├─sda1      8:1    0    16G  0 part
│ └─md0     9:0    0    16G  0 raid1 [SWAP]
├─sda2      8:2    0   512M  0 part
│ └─md1     9:1    0 511.4M  0 raid1 /boot
├─sda3      8:3    0     2T  0 part
│ └─md2     9:2    0     2T  0 raid1 /
├─sda4      8:4    0   1.7T  0 part
│ └─md3     9:3    0   1.7T  0 raid1 /home
└─sda5      8:5    0     1M  0 part
sdb         8:16   0   3.7T  0 disk
├─sdb1      8:17   0    16G  0 part
│ └─md0     9:0    0    16G  0 raid1 [SWAP]
├─sdb2      8:18   0   512M  0 part
│ └─md1     9:1    0 511.4M  0 raid1 /boot
├─sdb3      8:19   0     2T  0 part
│ └─md2     9:2    0     2T  0 raid1 /
├─sdb4      8:20   0   1.7T  0 part
│ └─md3     9:3    0   1.7T  0 raid1 /home
└─sdb5      8:21   0     1M  0 part



As you can see the largest partition of 2TB is mounted at /.
This means it is currently housing and running most of the system.
Now, I plan to add a LVM abstraction layer to the server to have more/better control over my storage. I can of course not umount /dev/md2 since it is busy.
So my question is: How do I properly and safely access the space (or some of it) on /dev/md2 in order to add it to my LVM configuration?
Is it even possible to have a logical volume mounted at / if it has not been configured during setup (due to an image rather than a manual install)? If so, how do I not lose data when mounting an LV at /, or more specifically, how can I mount an LV on an already existing folder and "transfer" the data inside?
Am I missing something or going about it wrong? Any help is greatly appreciated.

Wednesday, October 16, 2019

linux - Accidently ran "chown www-data:www-data / -R" as root




I just ran this a few seconds ago. I managed to do Ctrl - C as soon as I realized what I started doing.



So far the only directory it's started going through is /bin.



I'm afraid to do anything else. So far I realized I can't use su as my normal user anymore.



Luckily I still have another root terminal open. What do I do?


Answer



Most everything in /bin/ should be owned by root:root, so if you run the following you can fix the ownership on those files:




chown root:root -R /bin/ 


You may also want to make sure the setuid bit is properly set on /bin/su, which you can fix with the following:



chmod 4755 /bin/su
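The reason su needs a separate fix is that Linux clears the setuid and setgid bits on a regular file whenever its owner or group is changed, even when root does the chown; restoring root:root does not bring the bit back. The script below is an added example, not part of the answer above: it walks a directory and reports everything that is not owned by root:root, plus executables whose setuid bit is missing or unexpectedly present, so the repair can be verified. The `EXPECTED_SETUID` list is an assumption for illustration (on a real system the list of setuid programs comes from the package database, e.g. `rpm -V` reports mode and owner deviations on RPM systems), and `audit_demo_dir` builds a throwaway tree purely so the audit can be run offline.

```python
"""Audit ownership and setuid bits under a directory after a stray recursive chown (added example)."""
import os
import shutil
import stat
import tempfile

ROOT_UID, ROOT_GID = 0, 0
# Assumption for illustration: base names under the audited tree that must carry
# the setuid bit. Take this from the package database on a real system.
EXPECTED_SETUID = {"su"}


def classify(mode, uid, gid, expect_setuid=False):
    """Findings for one inode, given its st_mode / st_uid / st_gid."""
    findings = []
    if uid != ROOT_UID or gid != ROOT_GID:
        findings.append(f"owner {uid}:{gid} (expected {ROOT_UID}:{ROOT_GID})")
    if stat.S_ISREG(mode):
        has_setuid = bool(mode & stat.S_ISUID)
        if expect_setuid and not has_setuid:
            findings.append("setuid bit missing")      # cleared by the chown
        elif has_setuid and not expect_setuid:
            findings.append("unexpected setuid")       # worth a look in any case
        if mode & stat.S_ISGID:
            findings.append("setgid")
    return findings


def audit_tree(top, expected_setuid=EXPECTED_SETUID):
    """Walk `top`; return {path: [findings]} for every entry that deviates."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own owner/mode carry no privilege; its target is audited on its own
            findings = classify(st.st_mode, st.st_uid, st.st_gid, name in expected_setuid)
            if findings:
                results[path] = findings
    return results


def audit_demo_dir():
    """Build a tiny tree resembling /bin after the chown (files created as the current
    user, no setuid bit on 'su') and return its findings keyed by base name.
    Ownership findings depend on who runs this; the setuid findings do not."""
    tmp = tempfile.mkdtemp(prefix="binaudit-")
    try:
        for name in ("su", "ls"):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, 0o755)  # executable, but the setuid bit is gone
        return {os.path.basename(p): f for p, f in audit_tree(tmp).items()}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import sys
    for path, findings in sorted(audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/bin").items()):
        print(path, "->", "; ".join(findings))
```

Run as `python3 binaudit.py /bin` before and after the `chown root:root -R /bin/` and `chmod 4755 /bin/su` from the answer; the second run should report nothing for su. On Debian-based systems uid 33 is www-data, so the first run shows `owner 33:33` on everything the stray command reached.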

apache 2.2 - Where should I start to try and debug a CPU spike and timeout when logging in to a Moodle site?

Apologies for the newbie nature of this question... I am a web developer, though I don't have too much experience maintaining servers or debugging and fixing performance issues.



I have a Moodle site (Moodle 2.2.3) running on an Apache server (LAMP stack) that uses a MySQL database.




Recently, when certain users try to log in they have been reporting a timeout - they simply see a blank page after a given time. Some users are able to log in fine. This appears to be determined by which courses the user is enrolled in. An admin user with no courses for example can log in fine.



I have been able to extend the timeout value in php.ini from 60 seconds to 120 seconds and see the same behaviour. Using $top I can see that the CPU used by www-data spikes around 99% until the timeout kicks in.



I am assuming there is a long call to the database being made, or similar.



How can I see error messages logged by MySQL? How can I see error messages logged by PHP? The default error_log (/var/log/php.log) which is defined in my php.ini doesn't appear to be there. How can I get PHP to log errors to this file so I can see what's happening?



Moodle also logs errors to logs/error.log but this doesn't shed any light on things.




All and any good suggestions welcome - thanks!

apache 2.2 - ERR_CONNECTION_TIMED_OUT after GCP instance resize?



So I'm totally at a loss for what's going on here. I logged into my GCP instance the other day to see that it was prompting me to upgrade the size of my instance. The instance was hosting 4 low traffic wordpress sites on a micro instance, so fair enough, I went ahead and upgraded it to a small instance.




The system took my server offline for about 2 minutes, resized the instance, and then booted it back up. However, now post-reboot none of my sites are reachable, giving me a dreaded ERR_CONNECTION_TIMED_OUT.



I've gone through the apache2 error logs, but this is the only clue in here, which doesn't seem like something that should totally be bringing down the instance:




[Sun Jul 02 06:29:59.116350 2017] [mpm_prefork:notice] [pid 1854] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Sun Jul 02 06:29:59.116399 2017] [core:notice] [pid 1854] AH00094: Command line: '/usr/sbin/apache2'
[Sun Jul 02 20:54:19.098816 2017] [:error] [pid 17958] [client 179.219.113.226:60741] script '/var/www/argineconsulting.com/public_html/command.php' not found or unable to stat
[Mon Jul 03 02:33:51.193230 2017] [mpm_prefork:notice] [pid 844] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Jul 03 02:33:51.225527 2017] [core:notice] [pid 844] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jul 03 02:48:01.236769 2017] [mpm_prefork:notice] [pid 844] AH00169: caught SIGTERM, shutting down
[Mon Jul 03 02:48:02.309718 2017] [mpm_prefork:notice] [pid 1441] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Jul 03 02:48:02.309788 2017] [core:notice] [pid 1441] AH00094: Command line: '/usr/sbin/apache2'




I've tried going back through the setup for my VPS to make sure everything is working there; nothing seems out of whack. Any thoughts appreciated.


Answer



I figured this out - apparently when you resize an instance on GCP it issues you a new IP address. I had to update Cloud DNS with the new IP addresses and everything worked fine. I think the resize process should have expressly called this out because I wasted a number of hours trying to figure out what was wrong. :-(



raid - HP Proliant ML350 G5 SAS HDD

I am getting a problem with an HP ProLiant ML350 G5. A few days back one of the SAS HDDs failed. It was a 146GB SAS 15k rpm HDD. We got a new one, which is a 146GB SAS 10k rpm HDD. It's in a RAID 1 (1+0) configuration.



We replaced the SAS HDD but it's not rebuilding. We get a message when rebooting the server to do AUTOMATIC SERVER RECOVERY, and we press F2. It starts recovery, but after 20% (in HP System Management) it stops and nothing happens. It shows "Logical drive degraded", and in ACU it shows "ready to rebuild". We tried 2-3 times but it's still the same. Whenever we restart, it keeps on saying Automatic server recovery.



Any suggestion, how to resolve this problem?

hp - Broadcom HT1100 SATA controller not working properly with 1TB drives

I've been using RHEL distros for several years and always managed to find the answers until now. I know this is more of a hardware issue, but I've been working on this for over a week and trust Linux and the IT community to help more than HP.



I have CentOS 6.3 installed on an HP ProLiant DL145 G3 server with the BroadCom HT1100 IO controller and ServerWorks SATA Controller MMIO BIOS v3.0.0015.6 Firmware. This controller does not support large drives fully.



Here's what I've tried and the results:





  1. Stock setup - Freezes on the ServerWorks POST screen. Can't even enter CMOS without disconnecting the drives.


  2. If I simply disconnect the SATA cables before it gets to the ServerWorks screen and reconnect afterwards, I can boot from a CD, USB, or PXE fine. However, fiddling with cables at every boot isn't practical.


  3. If I enter the BIOS config I can set it to not try booting the drives but leave the controller enabled. This lets me boot normally but the drives are not visible in the OS (live CDs or USB installed).




I used method #2 to install and update CentOS. I have the /boot partition on a USB drive (everything else is on the SATA drives in software RAID1) hoping that would work around the issue but I get this



Kernel panic - not syncing:Attempted to kill init!
Pid: 1, comm: init Not tainted 2.6.32-279.9.1.el6.x86_6 #1
Call Trace:

[] ? panic+0xa0/0x168
[] ? do_exit+0x862/0x870
[] ? fput+0x25/0x30
[] ? do_group_exit+0x58/0xd0
[] ? sys_exit_group+0x17/0x20
[] ? system_call_fastpath+0x16/0x1b
panic occured, switching back to text console


I'm sure it should be possible to talk to the drives without the BIOS boot check, since the BIOS doesn't see them in method #2 either (they're disconnected when it checks), but Linux sees them fine. If anyone could help figure out how, I would greatly appreciate it!




The other possible option I've come across is a complex firmware update. Tyan has a few boards on their website with the HT1100 and a ServerWorks v3.0.0015.7 update which says "adds support for TB drives" in the release notes. If someone could help me get the Tyan SATA firmware into the HP ROM file so I could just reflash that would also be very much appreciated.



Thanks for any help you guys can offer!

Tuesday, October 15, 2019

memory - How do you interpret `strace` on an apache process returning `restart_syscall`?

We restart an apache server every day because RAM usage reaches its limit.



Though of value (see this serverfault answer), I don't think lowering the MaxClients in the apache configuration is a solution to the unknown root problem.



The apache processes below appear unusually large in MB and long in time. Does this mean there is memory leakage? Does this mean we should lower the MaxRequestsPerChild setting?



See http://www.devside.net/articles/apache-performance-tuning



Can you make sense out of the below data?




Below is an extract of what



$top with M



returns:



20839 www-data  20   0 1008m 359m  22m S    4  4.8   1:52.61 apache2
20844 www-data  20   0 1008m 358m  22m S    1  4.8   1:51.85 apache2
20842 www-data  20   0 1008m 356m  22m S    1  4.8   1:54.60 apache2
20845 www-data  20   0  944m 353m  22m S    0  4.7   1:51.80 apache2


and then investigating a single process with



$sudo strace -p 20839


returns only this one line, which is cryptic to me:




restart_syscall(<... resuming interrupted call ...> 


Any insights? Thanks.

apache 2.2 - Why is everything after RewriteEngine On ignored?




So I'm trying to get mod_rewrite working on my new site. I've used mod_rewrite successfully a few years ago, but this time not a single command after 'RewriteEngine On' works.



I'm getting exactly the same effect on my local Apache 2.2 as I do on my web host's server, so it's not that the server isn't configured for mod_rewrite. My local machine runs Windows, and the remote server is Linux, so they're pretty independent systems. Here's what I've checked so far for my localhost:




  • The 'LoadModule rewrite_module' line in httpd.conf is not commented with a #

  • I have 'Options Indexes FollowSymLinks Includes' in place in my httpd.conf for my html directory

  • And I have 'AllowOverride All' in place beside the Options line too.

  • The .htaccess file I have in my site's root directory is being accessed. Putting nonsense in the first line gets me an Internal Server Error, removing it takes it away

  • Putting 'RewriteEngine Cheese' as the first line gets me a line in my error.log that says 'RewriteEngine must be On or Off', so it definitely seems to be ready to do some rewriting...




BUT. Nothing I type after RewriteEngine On has any effect! I can write nonsense in there and get no error message. I've put lots of commands in there as a test, but even this .htaccess file does nothing:



RewriteEngine On
RewriteRule ^.*$ test.html [R]


That should rewrite every page I go to to be test.html shouldn't it? And yet, nothing happens at all - if I go to hello.html, I just get a web page saying that hello.html isn't found.




Please can someone offer a suggestion as to what to try next?


Answer



Linux config files, including Apache config files, require the last line to be empty. Everything after the last newline will be ignored.


linux - Avoid a crash when a process allocates too much memory?

Similar to this question, we have a computing server with 96GB of RAM that is used to run large jobs in parallel.



Occasionally, the total amount of physical RAM is exceeded, which causes the server to become unresponsive, forcing a reboot. To me, this is not acceptable behavior, so I'm looking for ways to fix this.



I know one way would be to set limits using "ulimit -v". However, I'd like to avoid going down that route if possible, as I may occasionally have a single very large process (as opposed to many small ones), so setting a useful threshold is going to be difficult.




I suspect the problem may come from the fact that the system has 20GB of swap: instead of killing the offending process(es), the system will allocate memory on disk which will make it unresponsive. Is reducing the amount of swap a good idea?



Any insight or experiences with a similar problem highly appreciated!



EDIT



I made a few experiments using the following leaking C++ program:



#include <vector>
#include <unistd.h>

using namespace std;

// Deliberately leaks: each iteration allocates 50 million elements that are
// never freed, so resident memory grows by that much every second.
// (The element type was lost in extraction; int is assumed here.)
int main(int argc, char *argv[])
{
    while (true) {
        vector<int> *a = new vector<int>(50000000);
        (void)a;  // intentionally never deleted
        sleep(1);
    }
}


I ran it a first time with a 256MB swap file. The system completely hung for about 5 minutes, then came back to life. In the logs, I saw that the OOM killer had successfully killed my leaky program.



I ran it a second time with no swap. This time, the machine didn't come back to life for at least ten minutes, at which point I rebooted the machine. This came as a surprise for me, as I expected the OOM killer to fire up earlier on a machine with no swap.



What I don't understand is the following: why does Linux wait until the system is completely hung to do something about the offending process? Is it too much to expect of an OS to not be completely killed by one badly coded process?
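The OOM killer only acts once allocation actually fails, which on a machine with swap is long after it has become unresponsive. A userspace watchdog that acts on resident memory rather than on virtual size gets around the objection to `ulimit -v` above: a single large job can run as long as it really is using the RAM it claims, and is stopped before the system starts thrashing. The script below is an added example, not from the post. It polls VmRSS in /proc/<pid>/status (Linux only) and sends SIGTERM, then SIGKILL after a grace period, once the limit is crossed. The sample status text is constructed, and `LEAKY_CHILD` is a placeholder stand-in for the leaking program rather than the C++ code above.

```python
"""Terminate a process whose resident memory crosses a limit, before the box thrashes (added example)."""
import os
import signal
import subprocess
import sys
import time

# Placeholder for the leaking program: a child that just sleeps is enough to exercise the watchdog.
LEAKY_CHILD = [sys.executable, "-c", "import time; time.sleep(30)"]

# Constructed excerpt of /proc/<pid>/status for a process holding ~965 MiB resident.
SAMPLE_STATUS = (
    "Name:\tleaky\nState:\tS (sleeping)\nPid:\t4242\n"
    "VmPeak:\t 1200000 kB\nVmSize:\t 1200000 kB\nVmRSS:\t  987654 kB\nThreads:\t1\n"
)


def parse_vmrss_kib(status_text):
    """VmRSS in KiB from the text of /proc/<pid>/status, or None if the line is
    absent (a zombie's status has no Vm* lines because it holds no memory)."""
    for line in status_text.splitlines():
        if line.startswith("VmRSS:"):
            return int(line.split()[1])  # the kernel always reports this in kB
    return None


def over_limit(rss_kib, limit_mib):
    return rss_kib is not None and rss_kib > limit_mib * 1024


def process_rss_kib(pid):
    """Current RSS of `pid`, or None once it has exited or become a zombie."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return parse_vmrss_kib(f.read())
    except FileNotFoundError:
        return None


def _signal(pid, sig):
    try:
        os.kill(pid, sig)
    except ProcessLookupError:
        pass  # already gone


def watch(pid, limit_mib, interval=1.0, grace=5.0):
    """Poll `pid` every `interval` s; SIGTERM it when RSS exceeds `limit_mib`,
    SIGKILL if it is still alive after `grace` s.
    Returns (action, rss_kib_at_decision) with action in exited/terminated/killed."""
    while True:
        rss = process_rss_kib(pid)
        if rss is None:
            return ("exited", None)
        if over_limit(rss, limit_mib):
            break
        time.sleep(interval)
    _signal(pid, signal.SIGTERM)
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        if process_rss_kib(pid) is None:
            return ("terminated", rss)
        time.sleep(0.1)
    _signal(pid, signal.SIGKILL)
    return ("killed", rss)


def watch_child(argv, limit_mib, interval=0.2):
    """Run `argv` as a child under the watchdog; reaps the child before returning."""
    proc = subprocess.Popen(argv)
    try:
        return watch(proc.pid, limit_mib, interval)
    finally:
        proc.wait()


if __name__ == "__main__":
    # usage: python3 rss_watchdog.py LIMIT_MIB command [args...]
    limit = int(sys.argv[1])
    print(watch_child(sys.argv[2:], limit))
```

Wrapping the leaky program as `python3 rss_watchdog.py 4096 ./leak` stops it at 4 GiB resident while the machine is still responsive; the same polling loop can watch an existing pid instead of a child. The cgroup memory controller does the same job in the kernel with a hard limit, which is the better tool on a shared compute server, but the watchdog needs no privileges beyond the right to signal the job.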

Monday, October 14, 2019

ubuntu - Root user is not able to access

I had an ubuntu user which has root-level privileges, but I haven't created a password for it. There are other users on the machine as well, but none of them have sudo permissions. Unfortunately, the permissions on the .ssh directory in the ubuntu home directory have been changed, and now I cannot log in using the ubuntu user's credentials, and there is no user with sudo privileges. So what options am I left with to get myself connected with the ubuntu user's credentials?

Sunday, October 13, 2019

nginx: override global ssl directives for specific servers




In my configuration I have placed the ssl_* directives inside the http block and have been using a wildcard certificate certified by a custom CA without any problems. However, I now want to use a new certificate for a new subdomain (a server), that has been certified by a recognized CA.



Let's say the TLD is blah.org. I want my custom certificate with CN *.blah.org to be used on all domains except for new.blah.org that will use its own certificate/key pair of files with CN new.blah.org.



How would one do that? Adding new ssl_* directives inside the server block doesn't seem to override the global settings.


Answer



In my experience, settings in server stanzas do override those set in the surrounding http stanza, although I must admit I've never tried to set SSL parameters (given that you usually only have SSL config in your SSL vhosts).



You might want to describe exactly why you think it isn't working, and provide debug logs and your config files so the cause of your dilemma can be identified.


Saturday, October 12, 2019

sql server - Scripting a database copy from MS Sql 2005 to 2008 without detach/backup/RDP



My goal is to move a single SQL 2005 database to a separate 2008 server. The issue is my level of access to both servers. On each I can only access the database and nothing else. I can't create a backup file or detach the database because I don't have access to the file system or to create a proxy.



I've tried using the generate script function of sql 2005 management studio express to restore the schema but receive command not supported errors when attempting to execute the sql on the new database. Similarly I tried using EMS SQL Manager 2005 Lite to script a backup of the schema and data but ran into similar problems.



How do I go about accomplishing this? I can't seem to find any solutions outside of using the detach and backup functions.



Answer



Ok, I seemed to have got it. I used the data extract function of Sql 2008 Management studio express to extract the tables and data. I then used DB Extract 2010 to pull out my stored procedures. So far everything seems to be working.



Did I miss anything?


Friday, October 11, 2019

iis 6 - IIS 6.0 mitigating BEAST

Recently, my PCI assessor informed me that my servers are vulnerable to BEAST and failed me. I did my homework and I want to change our webservers to prefer RC4 ciphers over CBC. I followed every guide I could find...



I changed my reg keys for my weaker-than-128-bit encryption to Enabled = 0, and completely removed the reg keys for the weaker encryptions. I downloaded IISCrypto and unchecked everything but RC4 128 ciphers and triple DES 168.



My webserver still prefers AES-256SHA. Is there a trick in IIS 6.0 to get your webservers to prefer RC4 ciphers that I am not figuring out? It seems like in IIS 7 they made this very easy to fix but that doesn't help me now!

ubuntu - Nginx gives 404 error for rails app except the root

I have an Ubuntu 12.04 LTS VPS server that serves a static website with Nginx. I would like to set up a Rails application that is accessible from the subfolder 'foo'. I use Passenger for serving the Rails app.



This is how I configured Nginx:




worker_processes  1;

events {
    worker_connections 1024;
}

http {
    passenger_root /home/akarki/.rvm/gems/ruby-1.9.3-p429/gems/passenger-4.0.5;
    passenger_ruby /home/akarki/.rvm/wrappers/ruby-1.9.3-p429/ruby;

    server_names_hash_bucket_size 64;

    include mime.types;
    default_type application/octet-stream;

    sendfile on;

    keepalive_timeout 65;
    gzip on;

    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;
    charset UTF-8;
    error_log /opt/nginx/logs/file.log warn;

    server {
        listen 80;
        server_name www.domain.com;
        return 301 $scheme://domain.com$request_uri;
    }

    server {
        listen 80;
        server_name domain.com;
        index index.html index.htm;
        root /srv/www/domain.com;
        passenger_enabled on;
        passenger_base_uri /foo;
        try_files $uri.htm $uri.html $uri/ =404;

        location = / {
            rewrite ^ /de permanent;
        }

        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}


The static website works as expected but the only URL of the rails app that is accessible is the root under 'http://domain.com/foo'



Any other url gives a 404 error.



Do you have any suggestion how to fix this?

Thursday, October 10, 2019

IIS URl Rewrite working inconsistently?



I'm having some oddness with the URL rewriting in IIS 7. Here's my Web.config (below). You'll see "imported rule 3," which grabs attempts to access /sitemap.xml and redirects them to /sitemap/index. That rule works great.



Right below it is imported rule 4, which grabs attempts to access /wlwmanifest.xml and redirects them to /mwapi/wlwmanifest. That rule does NOT work.



(BTW, I do know it's "rewriting" not "redirecting" - that's what I want).



So... why would two identically-configured rules not work the same way? Order makes no difference; Imported Rule 4 doesn't work even if it's in the first position.




Thanks for any advice!



EDIT: Let me represent the rules in .htaccess format so they don't get eaten :)



RewriteEngine On

# skip existing files and folders
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]

# get special XML files
RewriteRule ^(.*)sitemap.xml$ /sitemap/index [NC]
RewriteRule ^(.*)wlwmanifest.xml$ /mwapi/index [NC]

# send everything to index
RewriteRule ^.*$ index.php [NC,L]



The "sitemap" rewrite rule works fine; the 'wlwmanifest' rule returns a "not found." Weird.


Answer



Figured it out. The Web app is running on Zend Framework, and it isn't sufficient to have .htaccess rules as Zend has its own internal routing rules that have to be set up. So my middle two rules weren't even necessary, as they had to be configured within Zend's routes.


How do I prevent IIS 8 from stopping idle ASP.NET applications?




I have an asp.net application running on Windows 2012 in IIS 8 that has a very time consuming application start process (essentially the code running in the Application_Start() event can take up to 2 minutes). Thus I'd like to minimize the number of times the application is started so that the user can avoid a long wait.



I've enabled Preload in the application settings, and I've set the Start Mode to AlwaysRunning in the application pool. Yet the application still ends after not being used for a while, resulting in a very long time for the first visit to the website after the application shuts down.



Does anyone have any ideas on how I can prevent this?



Thanks


Answer



In IIS 7, you had to set the idletimeout for the apppool to "0", I would guess it's something similar for IIS 8. Details here.


Tuesday, October 8, 2019

php - Contact form from ubuntu to Zoho email address



I would like some support in order to get my Postfix configuration working with my Zoho email account. What I am trying to do is to send a message from my contact form in http://www.g3eo.com/#!/page_Contacts to my Zoho email account. For that I configured Postfix in my ubuntu box in this way (based on http://emanuelesantanche.com/configuring-postfix-to-relay-email-through-zoho-mail/):




smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no




append_dot_mydomain = no

readme_directory = no

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all


# TLS parameters
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks


myhostname = xxxxxxxxxx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = xxxxxxxxxx, localhost.com, localhost
relayhost = smtp.zoho.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/password
#smtp_sasl_security_options =
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_security_options = noanonymous

smtp_always_send_ehlo = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination



In my website contact form things seem to be working fine; you can test it by sending a message with Firebug open (press F12) on the Network tab. After sending the email, the message "mail sent" appears in the Response tab. However, that message does not reach my email address in my Zoho email account. After checking /var/log/mail.log it shows:




Jul 4 21:46:42 xxxxxxxxxx postfix/qmgr[9100]: D9B2E5E0292: from=, size=549, nrcpt=1 (queue active)
Jul 4 21:46:45 xxxxxxxxxx postfix/smtp[27824]: D9B2E5E0292: to=, relay=smtp.zoho.com[165.254.168.48]:587, delay=114224, delays=114222/0.01/2.6/0, dsn=4.0.0, status=deferred (SASL authentication failed; server smtp.zoho.com[165.254.168.48] said: 535 Authentication Failed)




I understand that the authentication problem is because my message could get into the Zoho SMTP server, so it was rejected; not sure if that is the case. I would appreciate it if someone could help me understand what is going on here and how to fix it.



My contact form uses the following files:
- http://www.g3eo.com/extras/js/forms.js




and http://www.g3eo.com/extras/bin/MailHandler.php (see below)




  if($_POST['name']!='nope'){
$messageBody .= '

Visitor: ' . $_POST["name"] . '

' . "\n";
$messageBody .= '
' . "\n";
}
if($_POST['email']!='nope'){
$messageBody .= '

Email Address: ' . $_POST['email'] . '

' . "\n";

$messageBody .= '
' . "\n";
}else{
$headers = '';
}
if($_POST['state']!='nope'){
$messageBody .= '

State: ' . $_POST['state'] . '

' . "\n";
$messageBody .= '
' . "\n";
}
if($_POST['phone']!='nope'){
$messageBody .= '

Phone Number: ' . $_POST['phone'] . '

' . "\n";

$messageBody .= '
' . "\n";
}
if($_POST['fax']!='nope'){
$messageBody .= '

Fax Number: ' . $_POST['fax'] . '

' . "\n";
$messageBody .= '
' . "\n";
}
if($_POST['message']!='nope'){
$messageBody .= '

Message: ' . $_POST['message'] . '

' . "\n";
}


if($_POST["stripHTML"] == 'true'){
$messageBody = strip_tags($messageBody);
}

try{
if(!mail($owner_email, $subject, $messageBody, $headers)){
throw new Exception('mail failed');
}else{
echo 'mail sent';
}

}catch(Exception $e){
echo $e->getMessage() ."\n";
}



EDIT#1:



After changing /etc/postfix/password from smtp.zoho.com:587 to [smtp.zoho.com], I received in /var/log/mail.log:





Jul 4 23:46:24 xxxxxxxxxx postfix/pickup[2926]: 8BC545E0261: uid=33 from=
Jul 4 23:46:24 xxxxxxxxxx postfix/cleanup[2933]: 8BC545E0261: message-id=<20160705044624.8BC545E0261@xxxxxxxxxx>
Jul 4 23:46:24 xxxxxxxxxx postfix/qmgr[2927]: 8BC545E0261: from=, size=588, nrcpt=1 (queue active)
Jul 4 23:46:26 xxxxxxxxxx postfix/smtp[2930]: 8BC545E0261: to=, relay=smtp.zoho.com[165.254.168.48]:587, delay=2.1, delays=0.13/0/1.8/0.16, dsn=5.5.1, status=bounced (host smtp.zoho.com[165.254.168.48] said: 530 5.5.1 Authentication Required. (in reply to MAIL FROM command))
Jul 4 23:46:27 xxxxxxxxxx postfix/cleanup[2933]: 098835E026E: message-id=<20160705044627.098835E026E@xxxxxxxxxx>
Jul 4 23:46:27 xxxxxxxxxx postfix/bounce[2932]: 8BC545E0261: sender non-delivery notification: 098835E026E
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 098835E026E: from=<>, size=2494, nrcpt=1 (queue active)
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 8BC545E0261: removed
Jul 4 23:46:27 xxxxxxxxxx postfix/local[2934]: 098835E026E: to=, relay=local, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 4 23:46:27 xxxxxxxxxx postfix/qmgr[2927]: 098835E026E: removed




Is 587 the problem here?


Answer



Solved! Here is the solution:



I had in /etc/postfix/smtp_header_checks:




/^From:.*/ REPLACE From: LOCALHOST System ;


and now I have:



/^From:.*/ REPLACE From:info@g3eo.com


Note that I had to delete the semicolon at the end as well as the whole "LOCALHOST SYSTEM" plus blank spaces, and that was it!! Hope this helps someone else out there, cheers!



Monday, October 7, 2019

linux - Port not opening even after adding security group rules on Amazon EC2 instance

I have an Amazon EC2 Linux instance. I recently installed SmartFoxServer in my instance. For that I needed to open port 9933, so I just created inbound rules in the Amazon EC2 Management Console.



My rule is




Custom - TCP Rule - TCP - 9933 - 0.0.0.0/0





But still my port is remain closed. Am unable to connect. Anything else I need to do after adding rules on security groups?



http://www.yougetsignal.com/tools/open-ports/
here in above url I checked whether my port is opened or not. Its closed
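A security group rule only permits traffic to reach the instance; the service on the instance still has to be listening on a non-loopback address, and a host firewall (iptables) or a network ACL can still drop the connection. The first thing to check from a shell on the instance is what the process is actually bound to, for example with ss -ltn. The Python below is an added example that is not part of the question: it parses a constructed ss -ltn listing (the rows are invented; 9933 is the port from the question) and classifies a port as not listening, loopback-only, or bound to a reachable address.

```python
import re

# Constructed sample of `ss -ltn` output; the rows are invented for this example.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      127.0.0.1:9933       0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
"""

# State Recv-Q Send-Q Local:Port ...; the address may be IPv4 or a bracketed IPv6.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+")

LOOPBACK = {"127.0.0.1", "[::1]"}


def listeners(ss_output):
    """Return {port: [local addresses]} for every LISTEN row in ss -ltn output."""
    found = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.setdefault(int(m.group("port")), []).append(m.group("addr"))
    return found


def reachability(ss_output, port):
    """Classify a port as 'not-listening', 'loopback-only' or 'non-loopback'.

    Only 'non-loopback' can possibly be reached through a security group rule;
    the other two are fixed on the instance, not in the AWS console."""
    addrs = listeners(ss_output).get(port, [])
    if not addrs:
        return "not-listening"
    if all(a in LOOPBACK for a in addrs):
        return "loopback-only"
    return "non-loopback"


if __name__ == "__main__":
    for port in (22, 80, 9933, 443):
        print(f"port {port}: {reachability(SAMPLE_SS, port)}")
```

In the constructed listing port 9933 is bound to 127.0.0.1, so no security group rule would ever make it reachable; the fix in that case is in the server's listen address, and only after that does it make sense to look at iptables and network ACLs.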

Sunday, October 6, 2019

docker - How much of my memory is actually used?

I have a VPS with 8 GB of memory running mainly docker containers.

When I go to the cloud monitoring service provided by my provider, I see that ~10% of the RAM is used.

I don't understand how this value is related to the output of the three following commands (I have put the outputs of these at the end of my question):

$ free -mh
$ top
$ docker stats

Could someone explain to me why free -mh tells me that I am using 7.5/7.8GB of memory, while my VPS tells me I am only using 10%, and why the values given by the top command do not make sense to me?

free

free -mh
total used free shared buffers cached
Mem: 7.8G 7.5G 275M 144M 348M 2.3G
-/+ buffers/cache: 4.9G 3.0G
Swap: 1.9G 454M 1.5G

docker stats

docker stats --no-stream
CONTAINER CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
496ec398b3f9 0.09% 2.285 MiB / 7.812 GiB 0.03% 648 B / 648 B 40.96 kB / 0 B 0
e8d13a2df058 0.07% 674.2 MiB / 7.812 GiB 8.43% 196.4 kB / 252.3 kB 10.43 MB / 364.5 kB 0
87f43f54f772 0.01% 276.8 MiB / 7.812 GiB 3.46% 7.396 MB / 7.802 MB 71.07 MB / 0 B 0
6a9039c835ad 3.49% 885.1 MiB / 7.812 GiB 11.06% 150.6 kB / 20.93 MB 124.9 MB / 138.7 MB 0
5f56a4113665 0.91% 1014 MiB / 7.812 GiB 12.67% 2.681 GB / 368.8 MB 197.2 MB / 17.56 MB 0
8dabe37320f9 0.10% 3.762 MiB / 7.812 GiB 0.05% 270.1 MB / 213.4 MB 249.9 kB / 3.883 MB 0
57f6c6b96e72 0.34% 39.24 MiB / 7.812 GiB 0.49% 58.84 MB / 67.32 MB 6.246 MB / 4.649 MB 0
738e3d84e9d4 0.00% 3.562 MiB / 7.812 GiB 0.04% 1.048 GB / 1.045 GB 1.155 MB / 0 B 0
17704ca17a93 0.00% 49.04 MiB / 7.812 GiB 0.61% 271.8 MB / 1.484 GB 83.34 MB / 0 B 0
3beefb4fd14a 0.04% 31.12 MiB / 7.812 GiB 0.39% 342.5 kB / 875.2 kB 5.235 MB / 69.63 kB 0
4035cf7f0af5 0.04% 68.16 MiB / 7.812 GiB 0.85% 215.2 MB / 672.8 MB 148.9 MB / 16.09 GB 0
4fba55aa76a4 0.05% 42.61 MiB / 7.812 GiB 0.53% 147.5 kB / 19.09 kB 167 MB / 24.58 kB 0
83571a1747cb 0.00% 8.207 MiB / 7.812 GiB 0.10% 25.23 MB / 20.19 MB 13.8 MB / 8.192 kB 0

top

top # Sorted by memory usage

top - 10:14:19 up 20 days, 17:27, 1 user, load average: 0.36, 0.43, 0.47
Tasks: 284 total, 1 running, 283 sleeping, 0 stopped, 0 zombie
%Cpu(s): 1.0 us, 0.4 sy, 0.0 ni, 98.5 id, 0.1 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 8191140 total, 7896220 used, 294920 free, 356984 buffers
KiB Swap: 1998844 total, 465312 used, 1533532 free. 2449876 cached Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
8034 systemd+ 20 0 711.4m 469.8m 2.7m S 0.0 5.9 0:00.00 clamd
43964 998 20 0 712.7m 369.3m 8.1m S 1.7 4.6 144:06.61 bundle
44897 998 20 0 688.2m 226.1m 7.1m S 0.0 2.8 0:03.19 bundle
44895 998 20 0 507.8m 194.5m 6.9m S 0.0 2.4 0:02.27 bundle
46409 www-data 20 0 3728.6m 167.0m 4.7m S 0.0 2.1 10:42.66 node
43885 998 20 0 505.8m 158.7m 6.8m S 0.0 2.0 0:46.59 bundle
8058 Debian-+ 20 0 230.3m 114.9m 6.4m S 0.0 1.4 0:00.72 /usr/sbin/amavi
8057 Debian-+ 20 0 228.7m 113.3m 6.4m S 0.0 1.4 0:00.22 /usr/sbin/amavi
8052 Debian-+ 20 0 227.0m 112.1m 5.5m S 0.0 1.4 0:01.21 /usr/sbin/amavi
46410 www-data 20 0 998.3m 105.9m 4.5m S 0.0 1.3 9:20.22 node
46418 www-data 20 0 983.0m 95.9m 6.1m S 0.0 1.2 0:51.50 node
46415 www-data 20 0 993.0m 80.7m 4.2m S 0.0 1.0 0:19.56 node
46400 www-data 20 0 974.3m 78.4m 4.3m S 0.3 1.0 60:12.96 node
46402 www-data 20 0 991.1m 76.0m 4.7m S 0.0 1.0 0:20.13 node
46414 www-data 20 0 990.3m 75.7m 4.0m S 0.0 0.9 0:58.40 node
46411 www-data 20 0 971.2m 74.5m 3.9m S 0.0 0.9 7:59.44 node
46398 www-data 20 0 985.9m 71.8m 4.0m S 0.0 0.9 0:18.67 node
46408 www-data 20 0 957.8m 64.1m 3.6m S 0.0 0.8 8:40.84 node
311 mikael 20 0 636.8m 63.0m 57.4m S 0.0 0.8 0:00.18 php-fpm7.1
46413 www-data 20 0 1754.8m 52.8m 3.3m S 0.0 0.7 0:01.27 node
550 root 20 0 1872.5m 52.0m 19.7m S 0.0 0.7 96:58.89 dockerd
1415 999 20 0 966.3m 48.6m 4.9m S 0.0 0.6 19:56.53 mysqld
322 mikael 20 0 646.2m 47.1m 31.0m S 0.0 0.6 0:04.53 php-fpm7.1
321 mikael 20 0 646.2m 46.7m 30.8m S 0.0 0.6 0:05.11 php-fpm7.1
360 mikael 20 0 643.8m 44.4m 31.0m S 0.0 0.6 0:03.86 php-fpm7.1
13400 999 20 0 937.7m 34.0m 3.9m S 0.0 0.4 12:39.05 mysqld
30467 999 20 0 344.9m 25.6m 4.6m S 0.0 0.3 38:51.77 mongod
44940 996 20 0 59.1m 21.7m 7.7m S 0.0 0.3 0:00.14 postgres

Some command outputs

$ uname -a
Linux domain.com 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

$ docker version
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:17:57 2017
OS/Arch: linux/amd64

Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:17:57 2017
OS/Arch: linux/amd64

$ virt-what
vmware
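The three tools count different things. The "used" column of this older free, and top's "used" field, include buffers and page cache, which the kernel hands back on demand; the -/+ buffers/cache line (4.9G here) is the figure that reflects what processes actually hold. docker stats reports each container's cgroup only, so summing its MEM USAGE column gives the containers' share, and the remainder belongs to host processes such as clamd and the amavis workers visible in top. The hypervisor's counter (the guest runs on VMware according to virt-what) is measured on the host side with its own heuristics and need not match the guest's view at all. As an added example that is not part of the question, the Python below parses the two top summary lines and the docker stats table quoted above and computes those figures; the numbers come from the question, the interpretation is the editor's.

```python
import re

# The two summary lines from the `top` output in the question (values in KiB).
TOP_SUMMARY = """\
KiB Mem: 8191140 total, 7896220 used, 294920 free, 356984 buffers
KiB Swap: 1998844 total, 465312 used, 1533532 free. 2449876 cached Mem
"""

# The `docker stats --no-stream` table from the question; only MEM USAGE is parsed.
DOCKER_STATS = """\
CONTAINER CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
496ec398b3f9 0.09% 2.285 MiB / 7.812 GiB 0.03% 648 B / 648 B 40.96 kB / 0 B 0
e8d13a2df058 0.07% 674.2 MiB / 7.812 GiB 8.43% 196.4 kB / 252.3 kB 10.43 MB / 364.5 kB 0
87f43f54f772 0.01% 276.8 MiB / 7.812 GiB 3.46% 7.396 MB / 7.802 MB 71.07 MB / 0 B 0
6a9039c835ad 3.49% 885.1 MiB / 7.812 GiB 11.06% 150.6 kB / 20.93 MB 124.9 MB / 138.7 MB 0
5f56a4113665 0.91% 1014 MiB / 7.812 GiB 12.67% 2.681 GB / 368.8 MB 197.2 MB / 17.56 MB 0
8dabe37320f9 0.10% 3.762 MiB / 7.812 GiB 0.05% 270.1 MB / 213.4 MB 249.9 kB / 3.883 MB 0
57f6c6b96e72 0.34% 39.24 MiB / 7.812 GiB 0.49% 58.84 MB / 67.32 MB 6.246 MB / 4.649 MB 0
738e3d84e9d4 0.00% 3.562 MiB / 7.812 GiB 0.04% 1.048 GB / 1.045 GB 1.155 MB / 0 B 0
17704ca17a93 0.00% 49.04 MiB / 7.812 GiB 0.61% 271.8 MB / 1.484 GB 83.34 MB / 0 B 0
3beefb4fd14a 0.04% 31.12 MiB / 7.812 GiB 0.39% 342.5 kB / 875.2 kB 5.235 MB / 69.63 kB 0
4035cf7f0af5 0.04% 68.16 MiB / 7.812 GiB 0.85% 215.2 MB / 672.8 MB 148.9 MB / 16.09 GB 0
4fba55aa76a4 0.05% 42.61 MiB / 7.812 GiB 0.53% 147.5 kB / 19.09 kB 167 MB / 24.58 kB 0
83571a1747cb 0.00% 8.207 MiB / 7.812 GiB 0.10% 25.23 MB / 20.19 MB 13.8 MB / 8.192 kB 0
"""

# docker prints the memory columns in binary units; everything is normalised to MiB.
MEM_UNITS_MIB = {"B": 1 / 1048576, "KiB": 1 / 1024, "MiB": 1.0, "GiB": 1024.0}
# "<usage> <unit> / <limit> <unit>": the first such pair on a row is MEM USAGE / LIMIT.
MEM_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(B|KiB|MiB|GiB)\s*/\s*\d+(?:\.\d+)?\s*(?:B|KiB|MiB|GiB)")


def parse_top_mem(text):
    """Return top's KiB Mem/Swap summary fields, converted to MiB."""
    mem = re.search(r"KiB Mem:\s+(\d+) total,\s+(\d+) used,\s+(\d+) free,\s+(\d+) buffers", text)
    cached = re.search(r"(\d+) cached Mem", text)
    total, used, free, buffers = (int(v) / 1024 for v in mem.groups())
    return {"total": total, "used": used, "free": free,
            "buffers": buffers, "cached": int(cached.group(1)) / 1024}


def process_used_mib(mem):
    """'used' minus buffers and page cache: memory the kernel cannot simply reclaim.
    This is what the '-/+ buffers/cache' line of older `free` reports as used."""
    return mem["used"] - mem["buffers"] - mem["cached"]


def container_mem_mib(stats_text):
    """Sum the MEM USAGE column of `docker stats`; returns (total_mib, {container: mib})."""
    per_container = {}
    for line in stats_text.splitlines()[1:]:        # skip the header row
        m = MEM_RE.search(line)
        if not m:
            continue
        value, unit = float(m.group(1)), m.group(2)
        per_container[line.split()[0]] = value * MEM_UNITS_MIB[unit]
    return sum(per_container.values()), per_container


def summary():
    """The figures a practitioner would compare, in GiB rounded to two places."""
    mem = parse_top_mem(TOP_SUMMARY)
    containers_mib, _ = container_mem_mib(DOCKER_STATS)
    used = process_used_mib(mem)
    return {
        "used_incl_cache_gib": round(mem["used"] / 1024, 2),    # what free/top call "used"
        "used_by_processes_gib": round(used / 1024, 2),          # after removing buffers+cache
        "containers_gib": round(containers_mib / 1024, 2),       # cgroup usage of all containers
        "host_processes_gib": round((used - containers_mib) / 1024, 2),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>24}: {value}")
```

The split between containers and host processes is approximate: depending on the Docker version, the per-container figure may itself include the container's page cache. The durable lesson is to alert on the reclaim-adjusted figure (or on swap activity), not on the raw "used" column, which will sit near 100% on any healthy Linux box that has been up for a while.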

Friday, October 4, 2019

domain name system - bind9 dns proxy

We are offering multiple SSL-enabled services in our local network. To avoid certificate warnings we bought certificates for server.ourdomain.tld and firewall.ourdomain.tld.

We have now created a zone in our local DNS server in which we pointed the hosts to the corresponding private IPs.

Now, each time another record for ourdomain.tld, like for example www.ourdomain.tld, is changed, we need to update it on both our public DNS server AND the local DNS server.

I would like our local bind DNS to serve all the information from our public DNS but serve different information for these 2 hosts.

I know I could possibly have our private IPs in our public DNS but I don't want that for security reasons.

The Internet DNS server is managed by a third party, while we have full control of the intranet one. Because of this I am looking for a solution which lets the intranet retrieve the records from the Internet one.

Answer

Use a Split DNS configuration in bind. You should be using this anyway to prevent the use of your bind server in amplification attacks. Once you have that running you proceed to a split configuration of your zone file.

Create a zone file for intranet (internal) users and another for Internet (external) users. Place only sub-domains that have different IP addresses in each file. Create a third file containing the rest of the IP addresses and include it in the first two zone files. I would place the serial number in the include file.

Using this configuration you will be able to edit in one place and reload. If you need to change the IP address of one of the servers which has different IP addresses for local and Internet users, you will need to increment the serial number in the third file.

The above approach may leak information about servers you don't want reachable from the Internet. You may be better off using two zone files, one for intranet users, and the second for the Internet. If you plan your network well, IP addresses should only need to be changed in one file at a time.

The zone file for the Internet should only contain information on domains you want to access from the Internet. It should only include Internet-routable IP addresses.

The zone file for the intranet can contain all the servers you want. It can include servers with private IP addresses: 10.0.0.0/8, 172.16.0.0/12, and/or 192.168.0.0/8. If you use a VPN, configure your split DNS to include VPN hosts on the intranet side.

EDIT: Work really hard at stabilizing the IP addresses visible on the Internet. I have yet to work on a project where they were dynamic. You really should have as few domains as possible visible from the Internet. They should all reside within a DMZ. If possible, multi-home IP addresses for domains that move frequently. If not, consider creating a sub-domain on the Internet side where you change the IP addresses and use CNAMEs to point to these records from both the Internet and intranet.

Servers/services that must be exposed to the Internet include DNS, Web, SMTP (Mail), and VPN. Carefully consider the risk for other servers/services. (Multiple) Web domains are easily handled with CNAMEs. In most cases, database servers should not be exposed to the Internet.
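The answer's layout (a shared include that carries the SOA, plus one view-specific file each for the intranet and the Internet) fails in exactly the way the answer warns about when an RFC 1918 address ends up in the file the Internet sees. As an added example, not from the answer, the Python below builds the three files from one record list and then checks the Internet-facing output for private addresses before it is ever loaded into named. ourdomain.tld, server and firewall come from the question; the other hostnames, all addresses, the file names and the SOA values are invented for the example.

```python
import ipaddress

# Constructed record set for ourdomain.tld. 10.0.5.0/24 stands in for the LAN and
# 203.0.113.0/24 (a documentation range) for the public addresses; all are invented.
RECORDS = [
    {"name": "server",   "internal": "10.0.5.10",    "external": "203.0.113.10"},
    {"name": "firewall", "internal": "10.0.5.1",     "external": "203.0.113.1"},
    {"name": "www",      "internal": "203.0.113.20", "external": "203.0.113.20"},
    {"name": "mail",     "internal": "203.0.113.25", "external": "203.0.113.25"},
    {"name": "backup",   "internal": "10.0.5.40",    "external": None},  # intranet-only host
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_records(records):
    """Sort records into the shared include (same address everywhere), the internal-only
    view and the external-only view. Hosts with no external address never leave the LAN file."""
    shared, internal, external = [], [], []
    for r in records:
        if r["external"] is None:
            internal.append((r["name"], r["internal"]))
        elif r["internal"] == r["external"]:
            shared.append((r["name"], r["internal"]))
        else:
            internal.append((r["name"], r["internal"]))
            external.append((r["name"], r["external"]))
    return shared, internal, external


def render_shared(origin, serial, records, ttl=3600):
    """The $INCLUDEd file. It carries the SOA, so the serial is bumped in one place."""
    lines = [f"@ IN SOA ns1.{origin}. hostmaster.{origin}. ( {serial} 3600 900 1209600 {ttl} )",
             f"@ IN NS ns1.{origin}."]
    lines += [f"{name} IN A {addr}" for name, addr in records]
    return "\n".join(lines) + "\n"


def render_view(origin, include_file, records, ttl=3600):
    """A view-specific zone file: directives, the include, then only the differing hosts."""
    lines = [f"$ORIGIN {origin}.", f"$TTL {ttl}", f"$INCLUDE {include_file}"]
    lines += [f"{name} IN A {addr}" for name, addr in records]
    return "\n".join(lines) + "\n"


def build_zone_files(records, origin, serial):
    shared, internal, external = split_records(records)
    include_file = f"{origin}.shared"          # invented file name
    return {"shared": render_shared(origin, serial, shared),
            "internal": render_view(origin, include_file, internal),
            "external": render_view(origin, include_file, external)}


def private_addresses(zone_text):
    """(name, address) pairs whose A record is RFC 1918. Must be empty for everything the
    Internet view can see, i.e. the shared include plus the external file."""
    leaks = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            ip = ipaddress.ip_address(parts[3])
            if any(ip in net for net in RFC1918):
                leaks.append((parts[0], parts[3]))
    return leaks


if __name__ == "__main__":
    files = build_zone_files(RECORDS, "ourdomain.tld", 2019100401)
    for view in ("shared", "external", "internal"):
        print(f"--- {view} ---\n{files[view]}")
    print("private addresses visible to the Internet:",
          private_addresses(files["shared"] + files["external"]))
```

The check is deliberately against the explicit RFC 1918 ranges rather than Python's ip_address(...).is_private, which also flags documentation and other special-purpose ranges; run it over the shared include and the external file together, since the Internet view is the union of the two.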


Wednesday, October 2, 2019

customize alert page for too many connections of apache maxclient

I must make a web page that alerts users. This page should appear only if the number of Apache client connections exceeds a specific value, for example 150 or more.

Tuesday, October 1, 2019

hp - Proliant DL320G5P, Embedded RAID controller: Windows installation shows physical disks, not logical drive

I am installing Windows 2012R2 on a Proliant DL320G5P, with the Embedded SATA RAID controller.

I have 4 disks, with two different RAID 1 (mirror) arrays.

I have a "strange" situation: Windows installation shows all four physical disks, not the two logical drives (as it should).

I tried installing the OS and I have the four drives.

I also tried using HP drivers in the Windows installation, but I see no changes.

How can I solve this and properly use the RAID controller?

Answer

From the HP site: Storage Controllers: Integrated Intel® 82801IR Serial ATA Host Controller with RAID 0/1 support. (Better known as ICH9R).

This one seems to use Intel® Matrix RAID, which is Fake RAID. In other words, you need to configure the RAID in the BIOS, but the actual implementation is done by drivers rather than by hardware. This means that you will need to load these additional drivers in order to use the disks in RAID.

Relevant links with background information and drivers:

How can I solve this and properly use the RAID controller?

You do not have a RAID controller. Not a real one anyway. Real hardware RAID was offered as an option on these Proliants, but unless you have that additional SAS RAID card (which can be used to connect SATA disks) you have to fall back to one of these three:

  1. No RAID. :(
  2. Software RAID.
  3. Fake RAID with drivers which you might not find for Server 2012.


benchmark - How do you do load testing and capacity planning for databases?

This is a canonical question about capacity planning for databases.

Related:

I'm looking to create a canonical question of tools and methods of capacity planning for databases. This is intended to be a canonical question.

Obviously, the general workflow is:

  • Put your scenario in place
  • Add monitoring
  • Add traffic
  • Evaluate results
  • Remediate based on results
  • Rinse, repeat until reasonably happy

Please feel free to describe different tools and techniques for different web-servers, frameworks, etc., as well as best-practices.



Answer

Planning disk and memory capacity for a database server is a black art. More is better. Faster is better.

As general guidelines I offer the following:

  • You want more disk space than you'll EVER need.
    Take your best estimate of how much disk space you'll need for the next 3-5 years, then double it.
  • You'll want enough RAM to hold your database indexes in memory, handle your biggest query at least two times over, and still have enough room left over for a healthy OS disk cache.
    Index size will depend on your database, and everything else depends heavily on your data set and query/database structure. I'll offer up "At least 2x the size of your largest table" as a suggestion, but note that this suggestion breaks down on really large data warehousing operations where the largest table can be tens or hundreds of gigabytes.

Every database vendor has some instructions on performance tuning your disk/memory/OS kernel -- Spend some time with this documentation prior to deployment. It will help.

Assuming you haven't deployed yet…

Many database systems ship with Benchmarking Tools -- For example, PostgreSQL ships with pgBench.
These tools should be your first stop in benchmarking database performance. If possible you should run them on all new database servers to get a feel for "how much work" the database server can do.

Armed now with a raw benchmark that is ABSOLUTELY MEANINGLESS let's consider a more realistic approach to benchmarking: Load your database schema and write a program which populates it with dummy data, then run your application's queries against that data.
This benchmarks three important things:
1. The database server (hardware)
2. The database server (software)
3. Your database design, and how it interacts with (1) and (2) above.

Note that this requires a lot more effort than simple pre-built benchmarks like pgBench: You need to write some code to do the populating, and you may need to write some code to do the queries & report execution time.
This kind of testing is also substantially more accurate: Since you are working with your schema and queries you can see how they will perform, and it offers you the opportunity to profile and improve your database/queries.

The results of these benchmarks are an idealized view of your database. To be safe assume that you will only achieve 50-70% of this performance in your production environment (the rest being a cushion that will allow you to handle unexpected growth, hardware failures, workload changes, etc.).
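The "load your schema, populate it, time your own queries" step above is the one people skip because it needs code. As an added example that is not part of the answer, here is the skeleton of such a harness in Python against an in-memory SQLite database: it loads an invented two-table schema, fills it with deterministic dummy data, times an invented "hot" application query across many parameter values, then adds the obvious index and repeats, reporting the plan change and latency percentiles. The schema, the query, the index name and the data sizes are all assumptions; the same structure applies to any engine with a DB-API driver, with the connection and EXPLAIN syntax swapped out.

```python
import random
import sqlite3
import statistics
import time

# Invented two-table schema standing in for "your database schema".
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, region TEXT NOT NULL, email TEXT NOT NULL);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount_cents INTEGER NOT NULL, created_at INTEGER NOT NULL);
"""

# Invented "hot" application query: one customer's order totals by region.
HOT_QUERY = """
SELECT c.region, COUNT(*), SUM(o.amount_cents)
FROM orders o JOIN customers c ON c.id = o.customer_id
WHERE o.customer_id = ?
GROUP BY c.region
"""


def populate(conn, n_customers, orders_per_customer, seed=1):
    """Load the schema and fill it with deterministic dummy data; returns the order count."""
    rng = random.Random(seed)
    regions = ("eu-west", "us-east", "ap-south")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customers (id, region, email) VALUES (?, ?, ?)",
        [(i, rng.choice(regions), f"user{i}@example.invalid") for i in range(1, n_customers + 1)])
    conn.executemany(
        "INSERT INTO orders (customer_id, amount_cents, created_at) VALUES (?, ?, ?)",
        [(c, rng.randint(100, 50_000), rng.randint(1_500_000_000, 1_570_000_000))
         for c in range(1, n_customers + 1) for _ in range(orders_per_customer)])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def time_query(conn, sql, param_sets):
    """Run the query once per parameter set and return latency percentiles in ms."""
    samples = []
    for params in param_sets:
        t0 = time.perf_counter()
        conn.execute(sql, params).fetchall()      # fetch so the whole result is produced
        samples.append((time.perf_counter() - t0) * 1000)
    samples.sort()
    return {"runs": len(samples),
            "median_ms": statistics.median(samples),
            "p95_ms": samples[int(0.95 * (len(samples) - 1))],
            "max_ms": samples[-1]}


def plan_uses_index(conn, sql, params, index_name):
    """True if EXPLAIN QUERY PLAN shows the named index being used."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any(index_name in row[3] for row in rows)


def run_benchmark(n_customers=500, orders_per_customer=20, probes=100):
    """Populate, time the hot query, add the obvious index, time it again."""
    conn = sqlite3.connect(":memory:")
    rows = populate(conn, n_customers, orders_per_customer)
    rng = random.Random(7)
    probe_ids = [(rng.randint(1, n_customers),) for _ in range(probes)]
    result = {"orders": rows,
              "index_before": plan_uses_index(conn, HOT_QUERY, probe_ids[0], "idx_orders_customer"),
              "before": time_query(conn, HOT_QUERY, probe_ids)}
    conn.execute("CREATE INDEX idx_orders_customer ON orders (customer_id)")
    result["index_after"] = plan_uses_index(conn, HOT_QUERY, probe_ids[0], "idx_orders_customer")
    result["after"] = time_query(conn, HOT_QUERY, probe_ids)
    conn.close()
    return result


if __name__ == "__main__":
    r = run_benchmark()
    for phase in ("before", "after"):
        s = r[phase]
        print(f"{phase:>6}: index={r['index_' + phase]} median {s['median_ms']:.3f} ms "
              f"p95 {s['p95_ms']:.3f} ms max {s['max_ms']:.3f} ms over {s['runs']} runs")
```

Report percentiles rather than averages, keep the data generator seeded so two runs on different hardware are comparable, and remember the answer's caveat: whatever this harness measures, size production for 50-70% of it.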







It's too late! It's in production!

Once your systems are in production it's really too late to "benchmark" -- You can turn on query logging/timing briefly and see how long things take to execute, and you can run some "stress test" queries against large data sets during off hours. You can also look at the system's CPU, RAM and I/O (disk bandwidth) utilization to get an idea of how heavily loaded it is.
Unfortunately all these things will do is give you an idea of what the system is doing, and a vague concept of how close to saturation it is.
That brings us to…

Ongoing Monitoring

All the benchmarks in the world won't help you if your system is suddenly seeing new/different usage patterns.
For better or worse database deployments aren't static: Your developers will change things, your data set will grow (they never seem to shrink), and your users will somehow create insane combinations of events you never predicted in testing.

In order to do proper capacity planning for your database you will need to implement some kind of performance monitoring to alert you when database performance is no longer meeting your expectations. At that point you can consider remedial actions (new hardware, DB schema or query changes to optimize resource use, etc.).

Note: This is a very high level and generic guide to sizing your database hardware and figuring out how much abuse it can take. If you are still unsure about how to determine if a specific system meets your needs you should speak to a database expert. Search their question archive or browse the tags specific to your database engine for further advice on performance tuning.



SQL Server and Operating System Combination Sacrifices

Since most responders like to understand why the question is being asked, I offer this brief preface. . .

I am in the process of preparing a version migration document for a state government agency. The migration will be from Microsoft SQL Server 2000 (MSSQL2000) production environments to a later version, i.e., Microsoft SQL Server 2005 SP3 (MSSQL2005), Microsoft SQL Server 2008 SP1 (MSSQL2008), or Microsoft SQL Server 2008 (R2) (Kilimanjaro). The agency is an Oracle shop. The current in situ enterprise-wide Windows Server operating system is Microsoft Windows Server 2003 (R2) Enterprise Edition SP2. There are no plans to move to Windows Server 2008 in the immediate future -- the server unit is not even experimenting with Windows Server 2008 as of this date.

The question: What sacrifices (performance, features, etc.) are you making in running MSSQL2008 or Kilimanjaro on Microsoft Windows Server 2003 (R2) Enterprise Edition SP2?

Thanks in advance to all who respond!

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...