Thursday, March 31, 2022

Recent Questions - Server Fault

I have been tasked to explain a proposal for a Hyper V or VMWare failover cluster for a customer - [closed]

Posted: 31 Mar 2022 03:50 AM PDT

Imagine we are customers and you have been tasked to explain a proposal for a Hyper V or VMWare failover cluster.

The implementation will have:

· 3x Hyper V/VMWare hosts

· 1x SAN with 2 controllers

· 2x SAN Switches

· 2x 'Access' Switches

I have to explain how the parts would be used and connected and draw a simple diagram. Now I have some basic understanding of failover, HA and so on, but for actually designing the above I could do with some guidance to build from, please.

How to block all outgoing connections from a particular user except localhost?

Posted: 31 Mar 2022 03:42 AM PDT

I wish to block all outgoing connections from a particular user (user) after they have ssh'd into my server (running RHEL 7.4); that is, user should not be able to ssh into/ping other servers on the network.

I initially configured the following firewall-cmd rule, and it was working.

firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner user -j DROP

However, user now needs to access Jupyter Notebook, also running on the same server (http://localhost:8888), but was unable to. There was an error about the websocket. Once the firewall rule above was removed, user could access the Notebook.

I'm not sure why user was unable to access localhost, because I thought the rule only blocks outgoing connections.

How do I allow user to access localhost on any port, or a specific port range, while still blocking network access to everywhere else?
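One way to keep the per-uid egress block while letting the account talk to localhost, as an added example that is not part of the question. It assumes RHEL 7 firewalld with the direct interface, an account literally named user (RESTRICTED_USER) and an optional LOCAL_PORTS range, both of which are mine. The point it demonstrates: the OUTPUT chain also carries loopback traffic, so the owner-match DROP at priority 0 killed the connection to 127.0.0.1:8888; an ACCEPT for packets leaving via lo at a lower priority number is evaluated first, and the original rule covered ipv4 only, so an ipv6 pair is generated as well.

```shell
#!/bin/sh
# Added example, not from the question. Generates (and optionally applies)
# firewalld direct rules: accept loopback traffic from the uid first, then
# drop everything else it sends. Lower priority numbers run first.
RESTRICTED_USER="${RESTRICTED_USER:-user}"   # assumed account name
LOCAL_PORTS="${LOCAL_PORTS:-}"               # e.g. "8888" or "8888:8899"; empty = any port

# Print the firewall-cmd invocations in evaluation order, for ipv4 and ipv6.
egress_rules() {
    port_match=""
    if [ -n "$LOCAL_PORTS" ]; then
        port_match="-p tcp --dport $LOCAL_PORTS"
    fi
    for fam in ipv4 ipv6; do
        echo "firewall-cmd --direct --permanent --add-rule $fam filter OUTPUT 0 -o lo ${port_match:+$port_match }-m owner --uid-owner $RESTRICTED_USER -j ACCEPT"
        echo "firewall-cmd --direct --permanent --add-rule $fam filter OUTPUT 1 -m owner --uid-owner $RESTRICTED_USER -j DROP"
    done
}

# Sanity check on the generated list: the first loopback ACCEPT must sort
# before the first DROP, otherwise localhost would be blocked again.
lo_accept_precedes_drop() {
    egress_rules | awk '
        /-o lo .*-j ACCEPT/ && !accept { accept = NR }
        /-j DROP/ && !drop             { drop = NR }
        END { exit !(accept && drop && accept < drop) }'
}

# Apply to the live firewall and make the permanent rules active.
apply_egress_rules() {
    egress_rules | sh -e && firewall-cmd --reload
}

# Only touch the firewall when explicitly asked: ./egress.sh apply
if [ "${1-}" = "apply" ]; then
    apply_egress_rules
else
    egress_rules
fi
```

Check what the account can still reach afterwards with `firewall-cmd --direct --get-all-rules`; the ACCEPT line must be listed before the DROP for each family.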

Active Directory forest level and NAS

Posted: 31 Mar 2022 03:38 AM PDT

I am in this situation. I have an Active Directory domain with the forest level still at 2003. The servers are Windows Server 2012 R2. I would like to raise the forest level to the same level as the servers. But I also have two NAS devices registered to the domain. So the question is: if I raise the forest level to 2012 R2, will the two NAS devices no longer be able to communicate with the domain?

Or does raising the forest level affect only Domain Controllers and not member-only servers?

Memory usage: big difference between `free -m` and htop, and how htop calculates used memory from /proc/meminfo

Posted: 31 Mar 2022 03:14 AM PDT

I'm aware of this question: https://stackoverflow.com/questions/41224738/how-to-calculate-system-memory-usage-from-proc-meminfo-like-htop. The answer seems outdated regarding memory usage, and this question seems more complex.

htop definitely doesn't calculate total memory via MemTotal - MemFree anymore. At https://access.redhat.com/solutions/406773 I found a solution that could fit. According to that it would be calculated via MemTotal - MemFree - Buffers - Cached - Slab, but that leads to a memory usage that is too low compared to htop.

Memory usage in htop seems to be closely related to what free -m shows in the Mem: used cell.

But if you create a ramdisk, things change a lot:

mkdir mnt
sudo mount -t tmpfs none mnt
cd mnt
sudo dd if=/dev/urandom of=test bs=32M status=progress

The above will create a RAM disk 50 % the size of installed memory and fill this ramdisk.

htop now shows a bit more than half of the physical RAM used; in the test case 3.82 GB of 7.44 GB used. However, free -m still shows only 104 MB used, compared to 102 MB before creating and filling the RAM disk. So 104 MB used is definitely wrong, because half of the physical system memory can't be available anymore since it is used by the RAM disk.

In /proc/meminfo the size of the RAM disk seems to be included in Cached, so for calculating used memory, Cached shouldn't be subtracted.

So why does free -m report such a wrong free memory value? By default there are various tmpfs mounts on distributions like Debian or Ubuntu, which then means free -m gives a wrong impression of free memory.

The memory calculation of htop seems quite reasonable. So how can the htop value be calculated from /proc/meminfo?
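The two "used" figures computed side by side from a /proc/meminfo-style file, as an added example that is not part of the question. The free formula is procps-ng's (cache = Cached + SReclaimable); the htop formula is my reading of htop 3.x (cache = Cached + SReclaimable - Shmem) and is an assumption to check against the htop version in use. The sample meminfo is constructed to mirror the question's tmpfs experiment.

```shell
#!/bin/sh
# Added example, not from the question. Computes "used" memory in kB from a
# /proc/meminfo-style file two ways:
#   free: MemTotal - MemFree - Buffers - (Cached + SReclaimable)
#   htop: MemTotal - MemFree - Buffers - (Cached + SReclaimable - Shmem)
# tmpfs pages are counted in both Cached and Shmem, so free treats them as
# reclaimable cache while htop (assumed formula) adds them back as used.
meminfo_used_kb() {   # $1: meminfo file, $2: "free" or "htop"
    awk -v mode="$2" '
        { v[$1] = $2 }                         # e.g. v["MemTotal:"] = 7800000
        END {
            cached = v["Cached:"] + v["SReclaimable:"]
            if (mode == "htop") cached -= v["Shmem:"]
            print v["MemTotal:"] - v["MemFree:"] - v["Buffers:"] - cached
        }' "$1"
}

# Constructed sample: a ~7.4 GiB box after filling a tmpfs with ~3.6 GiB.
write_sample_meminfo() {   # $1: destination path
    cat > "$1" <<'EOF'
MemTotal:        7800000 kB
MemFree:         3500000 kB
MemAvailable:    7400000 kB
Buffers:           50000 kB
Cached:          4000000 kB
SwapCached:            0 kB
Shmem:           3800000 kB
SReclaimable:     100000 kB
EOF
}

sample="$(mktemp)"
write_sample_meminfo "$sample"
echo "sample, free-style used: $(meminfo_used_kb "$sample" free) kB"   # 150000
echo "sample, htop-style used: $(meminfo_used_kb "$sample" htop) kB"   # 3950000
rm -f "$sample"

# Same calculation against the live kernel, when available.
if [ -r /proc/meminfo ]; then
    echo "live, free-style used: $(meminfo_used_kb /proc/meminfo free) kB"
    echo "live, htop-style used: $(meminfo_used_kb /proc/meminfo htop) kB"
fi
```

With the sample, the free-style figure is about 146 MB while the htop-style figure is about 3.8 GB, the same gap the question reports after filling the RAM disk.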

Redirect all the headers from upstream to another location in nginx

Posted: 31 Mar 2022 03:03 AM PDT

Could you please tell me if it's possible to redirect all the headers in nginx from the upstream /auth_gateway to /connection? My request and nginx configuration:

curl -silent -include -X 'GET' -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZa0hadkt5YUJuNU9oaVF6d3kxWXduNFBHYm5RSDV0aDh1ZkhOWHZiTVdrIn0' -H 'x-realy-company: google' -H 'x-realy-request-id: 12545787' https://mycooldomain.org/connection/  

New headers will be added by the authorization service /auth_gateway, such as x-realy-privileges, x-realy-user and others.

location ~* ^/connection/ {
    if ($http_authorization !~ "^Bearer .{20,}"){
        return 403 "Not authorized";
    }
    auth_request /auth_gateway;
    auth_request_set $auth_status $upstream_status;
    proxy_pass http://10.xx.xx.xx:8080;
}

location = /auth_gateway {
    proxy_pass http://10.xx.xx.xx:8081/authorize;
    proxy_set_header X-Original-URI $request_uri;
}

These headers are extracted from the Bearer authorization token and I would like to redirect them to /connection:

x-realy-user: da82fe4b-d0ef-477e-a3d1-facc78b605c7
x-realy-privileges: 1,2,3,4,5,6,7,8,9,10
x-realy-global-roles: ROLE_OPERATOR
x-realy-okt-id: da82fe4b-d0ef-477e-a3d1

Thanks in advance!
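The /connection block with the auth_request response headers copied onto the proxied request, as an added example that is not part of the question. It keeps the question's own locations and header names; the $auth_* variable names are mine. auth_request_set captures each header from the subrequest response via $upstream_http_<name>, and proxy_set_header then sends it upstream, replacing any header of the same name the client may have supplied itself, so the backend only ever sees the authorization service's values.

```nginx
location ~* ^/connection/ {
    if ($http_authorization !~ "^Bearer .{20,}") {
        return 403 "Not authorized";
    }
    auth_request /auth_gateway;
    auth_request_set $auth_status     $upstream_status;

    # Capture the headers the authorization service returned on the subrequest.
    # Dashes become underscores in the $upstream_http_* variable names.
    auth_request_set $auth_user       $upstream_http_x_realy_user;
    auth_request_set $auth_privileges $upstream_http_x_realy_privileges;
    auth_request_set $auth_roles      $upstream_http_x_realy_global_roles;
    auth_request_set $auth_okt_id     $upstream_http_x_realy_okt_id;

    # Forward them with the proxied request. A client-sent x-realy-* header is
    # overwritten here, and an empty variable drops the header entirely, so a
    # value reaches the backend only when /auth_gateway actually set it.
    proxy_set_header x-realy-user         $auth_user;
    proxy_set_header x-realy-privileges   $auth_privileges;
    proxy_set_header x-realy-global-roles $auth_roles;
    proxy_set_header x-realy-okt-id       $auth_okt_id;

    proxy_pass http://10.xx.xx.xx:8080;
}

location = /auth_gateway {
    internal;                          # not reachable from outside nginx
    proxy_pass http://10.xx.xx.xx:8081/authorize;
    proxy_pass_request_body off;       # auth subrequest needs headers only
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
```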

Mod_Security prevent brute force for Joomla

Posted: 31 Mar 2022 02:53 AM PDT

I am trying to find/create a Mod_Security rule to detect & block multiple login failures on the latest version of Joomla. I found an answer from March 2015 here: https://serverfault.com/a/646608/960638 but in my own tests it does not detect login failures. Even with logging enabled it's not detecting anything. I suspect the code is outdated.

I found another ModSec rule published by IT Octopus at https://www.itoctopus.com/a-modsecurity-rule-to-block-brute-force-attacks-on-a-joomla-website The code is below. I tested it on a server but I found it was too sensitive and it blocked me after I logged in + out of Joomla (with correct credentials).

<Location /administrator>
    SecDefaultAction phase:2,deny,status:403,log,auditlog
    SecRule IP:bf_counter "@eq 5" "id:1000002,phase:2,log,block,expirevar:IP.bf_counter=3600,msg:'IP address blocked because of a suspected brute force attack on the Joomla website'"
    SecRule ARGS:option "@streq com_login" "id:1000000,phase:2,chain,t:none,log,pass,msg:'Multiple Joomla authentication failures from IP address', setvar:IP.bf_counter=+1"
</Location>

Next, I found a ModSecurity rule at http://artefact.io/brute-force-protection-modsecurity/ and it's the one I've been using on my servers for many months. It's been working really nicely until yesterday when we found a bug. A client has 10 Joomla websites and they found when they logged into them (with correct credentials) it resulted in their IP being restricted. I was able to replicate this during my own testing. Therefore the code below is the best code we've found yet but the com_login / login lines don't seem to distinguish between login failures and successful logins. It works to prevent general brute force but it doesn't work when a client has many Joomla sites and is legitimately accessing multiple installs at once. This is the code:

# Joomla Brute Force
SecAction "phase:1,pass,setvar:TX.max_requests=6,setvar:TX.requests_ttl=180,setvar:TX.block_ttl=900,initcol:ip=%{REMOTE_ADDR},nolog,id:5001000"
<LocationMatch "/administrator/index.php">
SecAction "phase:2,chain,nolog,id:5001022"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^username$" "chain"
SecRule ARGS_POST_NAMES "^passwd$" "chain"
SecRule ARGS_POST:option "^com_login$" "chain"
SecRule ARGS_POST:task "^login$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Joomla brute force. Blocking for %{TX.block_ttl} seconds',id:5001023"

</LocationMatch>

Finally, I read some posts that suggested "the P3P header is returned after a successful login" and this could be used in a ModSecurity rule. It was suggested by @godzillante here: https://serverfault.com/a/646608/960638

It uses ModSecurity phase 5 (analysing the log files) so I'm not sure if this is a disadvantage. And more importantly, in my testing I couldn't get it to work. Even with logging enabled, it didn't detect failed logins and didn't restrict access. Here is the code:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000144
<Locationmatch "/administrator/index.php">
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000145,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 3 minutes.'"
    SecRule RESPONSE_HEADERS:P3P "streq 0" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000146"
    SecRule RESPONSE_HEADERS:P3P "!streq 0" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000147"
    SecRule ip:bf_counter "@gt 5" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

My objective here is to improve the code "Joomla Brute Force" (above) because it does block brute force flooding but unfortunately it also blocks users when they are legitimately logging into Joomla a lot. I need code that can tell the difference between a login failure and a successful login to Joomla. I've been working on this for some time so I'm reaching out to the community here. Thanks in advance!
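A rule set that counts only failed logins rather than every login POST, as an added example that is not from the question or any of the linked posts. It assumes Joomla answers a failed administrator login with HTTP 200 (the form re-rendered) and a successful one with a 303 redirect; confirm that against the installation in question (one bad and one good login with curl -i) before relying on it. The rule ids, variable names and thresholds are mine.

```apache
# Added example, not from the question or the linked posts. Counts a login
# attempt only when Joomla's response says the credentials were rejected
# (assumed: 200 = form shown again, 3xx = accepted), so a user who logs into
# ten sites with correct credentials never increments the counter.
SecAction "id:5002000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:tx.max_failures=5,setvar:tx.failure_ttl=180,setvar:tx.block_ttl=900"

<LocationMatch "/administrator/index.php">
    # Address is in the penalty box: refuse before the request body is read.
    SecRule IP:bf_blocked "@eq 1" \
        "id:5002001,phase:1,deny,status:429,log,msg:'Joomla admin login blocked for %{tx.block_ttl}s after %{tx.max_failures} failures'"

    # Tag the transaction as a login attempt (phase 2, so POST args are parsed).
    SecRule REQUEST_METHOD "@streq POST" "id:5002002,phase:2,chain,nolog,pass"
        SecRule ARGS_POST:option "@streq com_login" "chain"
        SecRule ARGS_POST:task "@streq login" "setvar:tx.joomla_login=1"

    # Phase 3 sees the response status. 200 on a login POST = wrong credentials.
    SecRule TX:joomla_login "@eq 1" "id:5002003,phase:3,chain,nolog,pass"
        SecRule RESPONSE_STATUS "@eq 200" \
            "setvar:ip.bf_failures=+1,expirevar:ip.bf_failures=%{tx.failure_ttl}"

    # A redirect means the credentials were accepted: clear the failure count.
    SecRule TX:joomla_login "@eq 1" "id:5002004,phase:3,chain,nolog,pass"
        SecRule RESPONSE_STATUS "@rx ^30[1237]$" "setvar:!ip.bf_failures"

    # Threshold reached: block the address for block_ttl seconds.
    SecRule IP:bf_failures "@ge %{tx.max_failures}" \
        "id:5002005,phase:3,pass,log,setvar:ip.bf_blocked=1,expirevar:ip.bf_blocked=%{tx.block_ttl},msg:'Joomla brute force from %{REMOTE_ADDR}: %{ip.bf_failures} failed logins'"
</LocationMatch>
```

The ip collection needs a writable SecDataDir, as with the question's own rules; watch the audit log for id 5002003 during a deliberate wrong-password test to confirm the status-code assumption holds for your Joomla version.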

Can't logon to domain controllers

Posted: 31 Mar 2022 02:31 AM PDT

We have 2 domain controllers running Windows Server 2019. A system administrator made something with GPO which denies access for the group "Domain Admins" to workstations; now it is distributed throughout the domain (including domain controllers and servers). He also made changes in Active Directory Users and Computers (like adding domain admins to the Protected Users group, denying delegation for domain admins in their profiles, and resetting the krbtgt password).

GPO was like:

Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services user rights

error:

Logon failure: user account restriction. Possible reasons are blank passwords not allowed,logon hour restrictions, or a policy restriction has been enforced.  

So we can't log on to domain controllers or other servers/workstations with domain admin logins. All remote control is also blocked. I don't know if it's just the GPO or something else (because if viewed remotely, the GPO should not be applied to the OU with domain controllers).

I did an Authoritative Restore (DSRM) of all of AD; it didn't work. I see that the SYSVOL folder still has this GPO (files deleted but folder structure preserved). Also, all changes made to AD are still preserved (like Domain Admins users still being in the Protected Users group). Why are these changes not rolled back?

gpupdate /force from workstations shows an error because gpt.ini for this GPO does not exist and the group policy cannot be applied.

Any help please?

iptables local routing between 2 local interfaces and forward to another device

Posted: 31 Mar 2022 01:49 AM PDT

I have 3 devices inside VPN:

  • laptop (client): tun0 10.8.0.x
  • device 1 (router): tun0 10.8.0.y, ecm0 192.168.2.2, eth0 192.168.135.254
  • device 2 (web server on port 8080): eth0 192.168.135.6

Here is my iptables NAT table:

-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i tun0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.135.6:8080
-A PREROUTING -d 192.168.2.2/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.135.6:8080
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.135.6/32 -p tcp -m tcp --dport 8080 -j SNAT --to-source 192.168.2.2

I'm able to access http://device2_hostname:8080 from laptop client through tun0 VPN:

laptop tun0 10.8.0.x --> device1 tun0 10.8.0.y:8080 --> device2 192.168.135.6:8080  

I can also access the webserver from http://192.168.2.2:8080 for debugging purposes:

device1 ecm0 192.168.2.2:8080 --> device2 eth0 192.168.135.6:8080  

What I want to do:

laptop tun0 10.8.0.x --> device1 tun0 10.8.0.y:8080 --> device1 ecm0 192.168.2.2:8080 --> device2 eth0 192.168.135.6:8080  

How could I do that?

I can't receive emails with Foxmail, but the email has been received locally

Posted: 31 Mar 2022 01:19 AM PDT

Maillog doesn't show any errors. I see a new email in my /home/mail/domain/www3/new. I just can't read the email by using the client or telnet to 110/143. The Dovecot info log doesn't seem to show any errors. I don't know what to do. Everything shows that there seems to be no problem. /etc/postfix/main.cf has this configuration:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_uid_maps = static:200
virtual_gid_maps = static:12
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/mail
relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_transport = virtual
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps

dovecot.conf has this configuration:

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
mail_location = maildir:/home/mail/%u/
namespace inbox {
  type = private
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
protocols = imap pop3 lmtp
ssl = no
login_greeting = mail.xxxxxx.com
auth_mechanisms = plain login
auth_debug = yes
auth_debug_passwords = yes
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  user = postfix
  group = postfix
}
service imap {
    executable = imap
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
first_valid_uid = 200
mail_uid = 200
mail_gid = 12
disable_plaintext_auth = no
mail_plugins = $mail_plugins zlib
plugin {
    zlib_save_level = 6
    zlib_save = gz
}
protocol imap {
    mail_plugins = $mail_plugins imap_zlib
}
mail_max_userip_connections = 50
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

dovecot-sql.conf has this configuration:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=xxxxxxxx
default_pass_scheme = MD5-CRYPT
password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'
user_query = SELECT '/home/mail/' || maildir AS home, 200 as uid, 12 as gid FROM mailbox WHERE username = '%u' AND active = '1'

virtual_mailbox_maps and the others look like this:

user = postfix
password = xxxxxxxx
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

Other configurations should be irrelevant. Can anyone help me, because all the information seems to indicate that they are normal, but I can't get the expected results. Thanks. By the way, I can use Foxmail to send mail. maillog:

Mar 31 15:33:40 mail postfix/master[28261]: daemon started -- version 2.10.1, configuration /etc/postfix
Mar 31 15:33:58 mail postfix/smtpd[28327]: connect from xmbg7.mail.xx.com[101.91.43.51]
Mar 31 15:33:58 mail postfix/smtpd[28327]: D0F0D1413AC: client=xmbg7.mail.xx.com[101.91.43.51]
Mar 31 15:33:59 mail postfix/cleanup[28335]: D0F0D1413AC: message-id=<tencent_D9E32A8B5B16629BCC935B64F05261DABE06@xx.com>
Mar 31 15:33:59 mail postfix/qmgr[28263]: D0F0D1413AC: from=<xxx@xx.com>, size=2746, nrcpt=1 (queue active)
Mar 31 15:33:59 mail postfix/virtual[28337]: D0F0D1413AC: to=<www8@xx.com>, relay=virtual, delay=0.26, delays=0.24/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Mar 31 15:33:59 mail postfix/qmgr[28263]: D0F0D1413AC: removed
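One thing worth checking in the configuration above, shown as an added example that is not part of the question: Postfix's virtual transport writes to virtual_mailbox_base plus the maildir column (which is how the message landed in /home/mail/domain/www3/), while an absolute mail_location containing %u makes Dovecot open /home/mail/<login name>/ and ignore the home that user_query returns. That the two paths differ is an assumption about the maildir column's contents, so verify it before changing anything.

```conf
# Added example, not from the question. Assumes the mailbox.maildir column
# holds a domain/user/ style path (as the /home/mail/domain/www3/ delivery
# location suggests), so the path Postfix writes and the one Dovecot reads
# are currently different directories.

# Weak (current): absolute path built from the login name, e.g.
# /home/mail/www3@xx.com/, regardless of what user_query returned as home.
#mail_location = maildir:/home/mail/%u/

# Corrected: use the home that user_query already builds from the same
# maildir column Postfix delivers to ('/home/mail/' || maildir).
mail_location = maildir:~/
```

`doveadm user www3@xx.com` prints the home and mail location Dovecot resolves for the account, so you can compare that against the directory Postfix actually wrote to.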

AWK Command to add new line ending to send Encrypted Private Key via API

Posted: 31 Mar 2022 12:11 AM PDT

How do I add the new line ending \n to an encrypted private key which has a blank line?

Example encrypted private key:


I tried the below command, but it does not consider the blank line:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'  

Below is the output:


But the expected result should have \n\n reflecting a blank line after DEK-Info: AES-128-CBC,35D7ADF9A8CD58CE3B0D881497052104:

-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,35D7ADF9A8CD58CE3B0D881497052104\n\nPpHyOhF/iU....  
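An awk one-liner that keeps the blank line, as an added example that is not part of the question. The original used NF as the pattern, which skips empty records; dropping the pattern makes every input line, blank ones included, become "<line>\n". The PEM fed to it here is a constructed stand-in with placeholder body lines, not a real key.

```shell
#!/bin/sh
# Added example, not from the question. Turns a multi-line PEM file into one
# line with literal "\n" separators, preserving blank lines and stripping CRs.
pem_to_single_line() {   # reads stdin, writes one line without a trailing newline
    awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }'
}

# Constructed sample: real header layout, placeholder body, all-zero IV.
SAMPLE_PEM='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

PLACEHOLDERBASE64LINE1
PLACEHOLDERBASE64LINE2
-----END RSA PRIVATE KEY-----'

encode_sample() {
    printf '%s\n' "$SAMPLE_PEM" | pem_to_single_line
}

# Real use: pem_to_single_line < encrypted.key
encode_sample
echo
```

If the result is going into a JSON body, `jq -Rs . encrypted.key` does the same conversion and also escapes any quotes or backslashes the API would otherwise choke on.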

What's the Point of PF Firewalls?

Posted: 31 Mar 2022 12:33 AM PDT

I was reading this:

https://www.giac.org/paper/gsec/693/comparison-packet-filtering-vs-application-level-firewall-technology/101569

Within the context of setting up a server (non public facing), the gist is that you have PF firewalls and Application firewalls. Application firewalls are more secure since they see more of the packet etc etc but they are consequently slower.

If an application firewall is more secure, then what's the point of also having a PF firewall?

How to execute some command always after hard reboot (ubuntu server)?

Posted: 31 Mar 2022 01:10 AM PDT

I am facing an issue where every time I hard restart my server (maybe it went bananas due to out of memory, ddosed etc.), supervisor fails to run. The reason for that has been identified: the /var/run/supervisor directory is simply deleted.

I learned that /var/run folders are deleted on hard reboot (via the EC2 panel for instance: force stop, then start), so my humble question is:

How can I execute this mkdir /var/run/supervisor after every hard reboot? Where is the perfect place to add such logic? I guess it is not /etc/profile for sure.

(The rest works fine; supervisor is configured as a service and uses a unix socket at var/run/supervisor/supervisor.sock.)

My ubuntu version:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
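A systemd drop-in that recreates the directory on every start, as an added example that is not part of the question. It assumes the unit is named supervisor.service, as in Ubuntu's package; the file name of the drop-in is mine. /run is a tmpfs and /var/run a symlink to it on Ubuntu 20.04, which is why anything created there by hand is gone after a power-cycle; RuntimeDirectory= makes systemd create /run/supervisor before ExecStart and remove it when the unit stops, so no boot-time script is needed.

```ini
# /etc/systemd/system/supervisor.service.d/runtime-dir.conf
# Added example, not from the question. Apply with:
#   systemctl daemon-reload && systemctl restart supervisor
[Service]
# Creates /run/supervisor (= /var/run/supervisor) with this mode before the
# daemon starts, on every boot and every restart; no socket path changes.
RuntimeDirectory=supervisor
RuntimeDirectoryMode=0755
```

The tmpfiles.d equivalent, if you prefer it outside the unit, is a single line `d /run/supervisor 0755 root root -` in /etc/tmpfiles.d/supervisor.conf, applied at boot by systemd-tmpfiles.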

Migrating Ubuntu 18.04 LTS from hyper-v to ESXi

Posted: 31 Mar 2022 03:13 AM PDT

I'm trying to migrate an Ubuntu Server 18.04 from Hyper-V to VMware vCenter 7.0.2. I found out after the fact that 18.04 is not supported by the vCenter Converter 6.2. Is there any way to successfully migrate this over from Hyper-V? I tried running a repair of GRUB since that is the issue by the looks of it, but it does not work.

How to determine the common name (CN) for a microsoft sql certificate?

Posted: 31 Mar 2022 01:14 AM PDT

I'm in the process of trying to set up a self-signed certificate for connecting a Jetty server to a development SQL database. I'm following the instructions here: https://codekabinett.com/rdumps.php?Lang=2&targetDoc=create-install-ssl-tls-certificate-sql-server but I've run into a bit of a roadblock. When I try to install the certificate in SQL Server manager, no certificates are showing up in the dropdown. I thought it might be that I needed to add the cert to trusted, so I did that and tried again with the same result.

My suspicion now is that the common name (CN) I chose when creating the cert does not match what SQL Server is expecting. According to the instructions:

This must be the computer name (the local Windows computer name, not DNS name) of the SQL Server computer.

The SQL server is on a remote machine. How do I determine what the correct CN is for the cert? Is it even possible to configure the certificates for that SQL server using SQLServerManager running on my local machine? If not, how do I go about this?

How does Outlook detect where the Exchange server is with just an email and no password?

Posted: 31 Mar 2022 12:16 AM PDT

From what I understand, autodiscover requires authentication to return any information. Is that correct?

With the Outlook app, I can type in test@marctest3.xyz (no password), and it pops up with webmail.hostingcloudapp.com. I have _autodiscover._tcp.marctest3.xyz pointing to autodiscover.hostingcloudapp.com, but how is it able to determine webmail.hostingcloudapp.com without authentication?


Video for extra clarity: https://drive.google.com/file/d/1y9auhivQcSmaMuX4V-cD4MxfBS7QuF-R/view?usp=sharing

Wrapping Kubernetes with Wireguard

Posted: 31 Mar 2022 04:53 AM PDT

I have a scenario with many different nodes. Some have public IPv4, some have IPv6, some are dual stack. So I've created a WireGuard network (10.11.12.0/24), so that any peer can reach any other inside a private network regardless of IP stack and location. I'd like to build a Kubernetes cluster over this WireGuard network.

I've built a small test cluster ...

node   public ip        wireguard ip
vm1    192.168.10.10    10.11.12.10
vm2    192.168.10.11    10.11.12.11
vm3    192.168.10.12    10.11.12.12
...

... in my local playground with kubeadm 1.23.5 based on docker.io (debian default):

vm01> kubeadm init --apiserver-advertise-address=10.11.12.10 --pod-network-cidr=10.20.0.0/16
vm01> kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml
vm01> kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
...
all nodes> kubeadm join 10.11.12.10:6443 --token ... --discovery-token-ca-cert-hash sha256:...
...
vm01> helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace

When I look from vm1 to vm2 via tcpdump -n host 192.168.10.11, I can see only traffic through WireGuard UDP packets. Fine...

Then I've defined a simple Deployment, a Service, a ClusterIP and an Ingress, and it's deployed:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-tutorial-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: kubernetes-tutorial-deployment
  template:
    metadata:
      labels:
        app: kubernetes-tutorial-deployment
    spec:
      containers:
      - name: kubernetes-tutorial-application
        image: auth0blog/kubernetes-tutorial
        ports:
          - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-tutorial-cluster-ip
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 3000
  selector:
    app: kubernetes-tutorial-deployment
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-tutorial-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-tutorial-cluster-ip
            port:
              number: 80

When I check with the browser, I'm getting a response. But...

The response is very slow (I can confirm via a simple curl that it takes 10-20 sec for the service to respond to a single request; that is strangely slow for such a simple deployment).

When I look via tcpdump I see traffic outside the WireGuard network, which is much stranger.

18:39:18.341836 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:18.344382 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176
18:39:18.344563 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344571 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344572 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:18.344573 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:18.344711 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.566833 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:20.566833 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 592
18:39:20.567003 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:20.570978 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:20.571309 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.572538 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176
18:39:20.572566 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 592
18:39:20.572764 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:20.572764 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:23.540401 ARP, Request who-has 192.168.10.11 tell 192.168.10.10, length 28
18:39:23.540646 ARP, Reply 192.168.10.11 is-at 7a:1d:d9:fc:fa:eb, length 28
18:39:23.608703 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [S], seq 3011291899, win 64860, options [mss 1410,sackOK,TS val 2531657982 ecr 0,nop,wscale 7], length 0
18:39:23.609071 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [S.], seq 1444377380, ack 3011291900, win 64308, options [mss 1410,sackOK,TS val 2546470618 ecr 2531657982,nop,wscale 7], length 0
18:39:23.609112 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [.], ack 1, win 507, options [nop,nop,TS val 2531657983 ecr 2546470618], length 0
18:39:23.609140 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [P.], seq 1:749, ack 1, win 507, options [nop,nop,TS val 2531657983 ecr 2546470618], length 748
18:39:23.609370 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [.], ack 749, win 501, options [nop,nop,TS val 2546470618 ecr 2531657983], length 0
18:39:23.610441 IP 192.168.10.11.36593 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.33592 > 10.20.0.2.53: 53349+ A? test.example.com.default.svc.cluster.local. (60)
18:39:23.610713 IP 192.168.10.10.58646 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.2.53 > 10.20.4.2.33592: 53349 NXDomain*- 0/1/0 (153)
18:39:23.611018 IP 192.168.10.11.32846 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.40077 > 10.20.0.2.53: 57710+ A? test.example.com.svc.cluster.local. (52)
18:39:23.611134 IP 192.168.10.10.41066 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.2.53 > 10.20.4.2.40077: 57710 NXDomain*- 0/1/0 (145)
18:39:23.611427 IP 192.168.10.11.51546 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.59046 > 10.20.0.3.53: 18849+ A? test.example.com.cluster.local. (48)
18:39:23.611567 IP 192.168.10.10.39789 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.59046: 18849 NXDomain*- 0/1/0 (141)
18:39:23.611831 IP 192.168.10.11.50067 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.34442 > 10.20.0.3.53: 49768+ A? test.example.com.sol.system. (45)
18:39:25.329861 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 208
18:39:25.330138 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:25.613106 IP 192.168.10.10.52981 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.34442: 49768 ServFail- 0/0/0 (45)
18:39:25.613542 IP 192.168.10.11.33388 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.59146 > 10.20.0.3.53: 49768+ A? test.example.com.sol.system. (45)
18:39:27.021478 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 224
18:39:27.021876 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:27.614533 IP 192.168.10.10.48157 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.59146: 49768 ServFail- 0/0/0 (45)
18:39:27.614906 IP 192.168.10.11.52721 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.33596 > 10.20.0.3.53: 32196+ A? test.example.com. (34)
18:39:28.500696 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:28.503146 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 256
18:39:28.503158 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503159 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503161 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 1452
18:39:28.503162 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.503453 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:28.627012 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128
18:39:28.627292 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128
18:39:28.627636 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96
18:39:29.615282 IP 192.168.10.10.52590 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.0.3.53 > 10.20.4.2.33596: 32196 ServFail- 0/0/0 (34)
18:39:29.615672 IP 192.168.10.11.37175 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1
IP 10.20.4.2.50957 > 10.20.0.3.53: 32196+ A? test.example.com.
(34)  18:39:29.877400 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 192  18:39:29.877722 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96  18:39:30.898243 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128  18:39:30.898243 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 592  18:39:30.898330 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96  18:39:30.902126 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128  18:39:30.902362 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96  18:39:30.903556 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 176  18:39:30.903696 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 592  18:39:30.904023 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96  18:39:30.904023 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96  18:39:31.617136 IP 192.168.10.10.38253 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1  IP 10.20.0.3.53 > 10.20.4.2.50957: 32196 ServFail- 0/0/0 (34)  18:39:31.619778 IP 192.168.10.11.59205 > 192.168.10.10.8472: OTV, flags [I] (0x08), overlay 0, instance 1  IP 10.20.4.2.3000 > 10.20.0.5.55222: Flags [P.], seq 1:114, ack 749, win 501, options [nop,nop,TS val 2546478629 ecr 2531657983], length 113  18:39:31.619911 IP 192.168.10.10.42274 > 192.168.10.11.8472: OTV, flags [I] (0x08), overlay 0, instance 1  IP 10.20.0.5.55222 > 10.20.4.2.3000: Flags [.], ack 114, win 507, options [nop,nop,TS val 2531665993 ecr 2546478629], length 0  18:39:33.434382 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 128  18:39:33.434488 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 96  18:39:33.434537 IP 192.168.10.10.59120 > 192.168.10.11.59120: UDP, length 128  18:39:33.434860 IP 192.168.10.11.59120 > 192.168.10.10.59120: UDP, length 96  

What is the possible reason why the response is so slow in a LAN network? Is it because of wrong routing to "public" IPs instead of using the WireGuard IP? Is it possible to configure Kubernetes to use the WireGuard address for port 8472?
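As an added example (not part of the question), here is a small Python model of the search-list walk visible in the trace above: it parses a constructed resolv.conf with the same four suffixes and the ndots:5 that Kubernetes sets for pods, reproduces the query order glibc uses, and replays the trace's outcomes to show that the roughly eight seconds come from the search suffixes being tried before the bare name, with each SERVFAIL sent twice. The resolv.conf text, the nameserver address and the per-query timings are assumptions reconstructed from the trace, not taken from the poster's cluster.

```python
# Added example: model of the resolver search-list walk seen in the tcpdump
# trace. resolv.conf and per-query outcomes are constructed from the trace.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed resolv.conf, modeled on what Kubernetes writes into a pod.
RESOLV_CONF = """\
search default.svc.cluster.local svc.cluster.local cluster.local sol.system
nameserver 10.20.0.3
options ndots:5
"""

# Constructed from the trace: (rcode, seconds until the answer arrived).
TRACE_OUTCOMES: Dict[str, Tuple[str, float]] = {
    "test.example.com.default.svc.cluster.local.": ("NXDOMAIN", 0.0003),
    "test.example.com.svc.cluster.local.": ("NXDOMAIN", 0.0001),
    "test.example.com.cluster.local.": ("NXDOMAIN", 0.0001),
    "test.example.com.sol.system.": ("SERVFAIL", 2.0),   # external forwarder
    "test.example.com.": ("SERVFAIL", 2.0),              # external forwarder
}


@dataclass
class ResolvConf:
    search: List[str] = field(default_factory=list)
    ndots: int = 1      # glibc default
    attempts: int = 2   # glibc default: each failing query is sent twice


def parse_resolv_conf(text: str) -> ResolvConf:
    """Minimal resolv.conf parser: search list plus the ndots/attempts options."""
    conf = ResolvConf()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] in ("search", "domain"):
            conf.search = parts[1:]
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key == "ndots":
                    conf.ndots = int(val)
                elif key == "attempts":
                    conf.attempts = int(val)
    return conf


def query_order(name: str, conf: ResolvConf) -> List[str]:
    """Names glibc tries, in order. A trailing dot means absolute, no search.
    With fewer dots than ndots every search suffix is tried *before* the name
    itself; with ndots or more dots the name itself is tried first."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix}." for suffix in conf.search]
    absolute = name + "."
    if name.count(".") >= conf.ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def simulate_walk(name: str, conf: ResolvConf,
                  outcomes: Dict[str, Tuple[str, float]]
                  ) -> Tuple[List[str], float, str]:
    """Replay the walk: NXDOMAIN moves on to the next candidate at once,
    SERVFAIL is sent `attempts` times before moving on, NOERROR stops.
    Returns (queries actually sent, total seconds, final rcode)."""
    sent: List[str] = []
    elapsed = 0.0
    rcode = "NXDOMAIN"
    for fqdn in query_order(name, conf):
        rcode, delay = outcomes.get(fqdn, ("NXDOMAIN", 0.0001))
        tries = conf.attempts if rcode == "SERVFAIL" else 1
        for _ in range(tries):
            sent.append(fqdn)
            elapsed += delay
        if rcode == "NOERROR":
            break
    return sent, elapsed, rcode


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    sent, secs, rcode = simulate_walk("test.example.com", conf, TRACE_OUTCOMES)
    print("\n".join(sent))
    print(f"{len(sent)} queries, {secs:.1f}s, final rcode {rcode}")
```

Writing the name with a trailing dot (`test.example.com.`) or lowering ndots makes the bare name the first query and skips the suffix walk.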

Can not redirect https with upstream directive

Posted: 31 Mar 2022 01:07 AM PDT

With this config I get redirected to google.com:

server {
    listen 80;

    proxy_ssl_server_name on;
    rewrite_log on;

    location / {
        proxy_pass https://google.com;
    }
}

but if I use an upstream instead of the host:

upstream some-backend {
    server google.com:443;
}

server {
    listen 80;

    proxy_ssl_server_name on;
    rewrite_log on;

    location / {
        proxy_pass https://some-backend;
    }
}

I am getting an error from Google.

Mass administration in Linux [closed]

Posted: 31 Mar 2022 02:45 AM PDT

I am curious if Linux has anything close to what PowerShell can do when it comes to managing servers in an enterprise? For example, retrieving server information on a big scale and also making changes. I know that Posh is getting into Linux territory but I am not sure how much it can do on Linux. Also, can Linux return its data in a more structured way, in the form of objects etc.?

How to set SELinux boolean using custom policy?

Posted: 31 Mar 2022 12:40 AM PDT

I know that SELinux booleans can be set via setsebool like this:

setsebool -P virt_qemu_ga_read_nonsecurity_files 1  

But I want to set this boolean virt_qemu_ga_read_nonsecurity_files using custom SELinux policy.

Is it even possible? How can I do this?

Trouble with DNS resolution on a Microk8s cluster

Posted: 31 Mar 2022 03:57 AM PDT

My microk8s cluster is running on a CentOS 8 VM and I have some issues with DNS resolution in my pods. Nameservers are at x.x.x.101 and x.x.x.100; both are pingable from within the pods and I can also ping 8.8.8.8.

nslookup from within a pod looks like this:

root@debug-7857894f66-mnklp:/# nslookup kubernetes.default
Server:         10.152.183.10
Address:        10.152.183.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.152.183.1

coredns config looks like this:

apiVersion: v1
data:
  Corefile: ".:53 {\n    errors\n    health {\n      lameduck 5s\n    }\n    ready\n      \   log . {\n      class error\n    }\n    kubernetes cluster.local in-addr.arpa      ip6.arpa {\n      pods insecure\n      fallthrough in-addr.arpa ip6.arpa\n    }\n      \   prometheus :9153\n    forward .  x.x.x.101 x.x.x.100 \n    cache 30\n      \   loop\n    reload\n    loadbalance\n}\n"
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"Corefile":".:53 {\n    errors\n    health {\n      lameduck 5s\n    }\n    ready\n    log . {\n      class error\n    }\n    kubernetes cluster.local in-addr.arpa ip6.arpa {\n      pods insecure\n      fallthrough in-addr.arpa ip6.arpa\n    }\n    prometheus :9153\n    forward .  x.x.x.101 x.x.x.100 \n    cache 30\n    loop\n    reload\n    loadbalance\n}\n"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"EnsureExists","k8s-app":"kube-dns"},"name":"coredns","namespace":"kube-system"}}
  creationTimestamp: "2021-08-31T08:57:27Z"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    k8s-app: kube-dns
  name: coredns
  namespace: kube-system
  resourceVersion: "2420090"
  selfLink: /api/v1/namespaces/kube-system/configmaps/coredns
  uid: 471b258a-253d-4b51-aaf7-7e934ab300d1

the /etc/resolv.conf in my pods looks like this:

search default.svc.cluster.local svc.cluster.local cluster.local xxx.xxxxx
nameserver 10.152.183.10
options ndots:5

When I look at the logs of my kube-dns with $ microk8s kubectl logs --namespace=kube-system -l k8s-app=kube-dns I get the following response:

[INFO] 10.1.107.105:47549 - 5288 "AAAA IN www.google.com. udp 36 false 512" NOERROR - 0 0.000256103s
[ERROR] plugin/errors: 2 www.google.com. AAAA: read udp 10.1.107.127:51486->x.x.x.101:53: read: no route to host

DNS service is up:

$ microk8s kubectl get svc --namespace=kube-system
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
[...]
kube-dns                    ClusterIP   10.152.183.10    <none>        53/UDP,53/TCP,9153/TCP   21d

DNS endpoints are exposed:

$ microk8s kubectl get endpoints kube-dns --namespace=kube-system
NAME       ENDPOINTS                                           AGE
kube-dns   10.1.107.127:53,10.1.107.127:53,10.1.107.127:9153   21d

The virtual machine the cluster is running on is using the same nameserver without a problem. Is this something I need to bother our admins about, or am I missing something that is wrongly configured?

EDIT:

Okay, I tried a bit more and there is some weird behavior that I think has to do with me incorrectly creating the coredns config file. I completely reset the cluster and tried again; still the same error when I use 8.8.8.8 or 8.8.4.4 as DNS servers. But when I run the following command: $ microk8s enable dns:x.x.x.101,x.x.x.100 it finally works. Then I tried to configure this with $ microk8s kubectl -n kube-system edit configmap/coredns and when I add both DNS servers to the config it stops working, and I again get the error: [ERROR] plugin/errors: 2 www.google.com. AAAA: read udp 10.1.107.127:51486->x.x.x.101:53: read: no route to host. So what is wrong with my configuration that is automatically set correctly by $ microk8s enable dns:x.x.x.101,x.x.x.100?

2nd Edit

I tried to use dig; even when I specify a DNS server it is not working. Is there any reason ping could go through but DNS is blocked by the system? It only happens on the microk8s cluster; the host system runs fine, docker runs fine ... here are the printouts. This is from within the pod:

root@debug-865cb7fb4-wfhw4:/# dig www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
root@debug-865cb7fb4-wfhw4:/# dig @x.x.x.101 www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @x.x.x.101 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root@debug-865cb7fb4-wfhw4:/# dig @8.8.8.8 www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root@debug-865cb7fb4-wfhw4:/# dig @x.x.x.100 www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @x.x.x.100 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

and this is from the host system:

$ dig www.google.com

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25735
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         113     IN      A       142.250.185.228

;; Query time: 0 msec
;; SERVER: x.x.x.101#53(x.x.x.101)
;; WHEN: Fri Oct 08 15:10:21 CEST 2021
;; MSG SIZE  rcvd: 59

$ dig @8.8.8.8 www.google.com

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3924
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         300     IN      A       142.250.185.228

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 08 15:10:49 CEST 2021
;; MSG SIZE  rcvd: 59

$ dig @x.x.x.101 www.google.com

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> @x.x.x.101 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         70      IN      A       142.250.185.228

;; Query time: 0 msec
;; SERVER: x.x.x.101#53(x.x.x.101)
;; WHEN: Fri Oct 08 15:11:04 CEST 2021
;; MSG SIZE  rcvd: 59

I have no idea what seems to be going on ....

What is the HeavyUsage charge on AWS DynamoDB?

Posted: 31 Mar 2022 01:18 AM PDT

What are the cost charges below in AWS Cost Explorer?

<region-code>-HeavyUsage:dynamodb.write
<region-code>-HeavyUsage:dynamodb.read

I did not find any documentation explaining the DynamoDB bill/cost. The related doc I found is for EC2 - HeavyUsage.

Any info on what these charges are in DynamoDB?

Note: We do not have any Reserved Capacity in any of the regions.

Install and enable exif

Posted: 31 Mar 2022 01:00 AM PDT

I moved my website to a VPS. I used the exif function, but it looks like on this new server exif is not installed or enabled. I tried many ways to enable it but with no success:

Information:

Linux, Apache, CentOS 7

First, I ran php -m but there is no exif in the list.

options.conf

php1_release=7.2
php1_mode=mod_php

configure.php72

--enable-mbstring \
--enable-exif

php.ini

extension=php_mbstring.dll
extension=php_exif.dll

But still I got:

PHP Fatal error: Uncaught Error: Call to undefined function exif_read_data() in...

Any idea?

New Windows Server 2016 Machine can't ping or be pinged

Posted: 31 Mar 2022 02:02 AM PDT

I have purchased a new Dell PowerEdge T330 onto which Dell has preinstalled Windows Server 2016 Std.

I have a DrayTek router which is set up for the LAN; its IP is 192.168.1.1.

I have a laptop which has an IP of 192.168.1.18. I have an existing server running on a Windows 10 machine which has an IP of 192.168.1.10. I have a printer which has an IP of 192.168.1.13.

I have plugged my new PowerEdge into the LAN and the router has allocated it an IP of 192.168.1.19.

Despite enabling RDP, I am unable to RDP into the server from my laptop. When I try to ping the server from my laptop I get a 'destination host unreachable' error. When I try to ping the PowerEdge from my old server, I get the same error.

When I use the PowerEdge to try to ping my laptop I get the same 'destination host unreachable' error. I get the same error when I try to ping the old server at 192.168.1.10. However, when I try to ping the router (192.168.1.1) from the new server, it responds. It also responds if I ping www.google.com.

I have tried switching off the Windows Firewall on the local network, to no avail.

Can anyone suggest why my server can ping the router, but cannot ping, or be pinged, by any hosts on the same LAN subnet?

Thanks in advance :)

Windows search not showing file content results from mapped DFS drive

Posted: 31 Mar 2022 03:06 AM PDT

I already checked the thread Windows 7 search not showing results from mapped Server 2008 R2, BUT my case is different: we have file servers (2012 R2) and Windows 7 workstations. The mapped network drive is from a DFS namespace. When I search from the mapped drive on the workstation I get only the file name matches and an option to search in file contents. When clicking on that it takes ages and anyhow doesn't return all full-text matches. On the server I don't have a "file content" option. When I search on the server directly on the logical drive, or mount the server share (\servername\share) on the workstation, I then get all matches including the full text. Here are two screenshots from the workstation. The first is the DFS mount, the second the direct server mount. Please note the difference in the file types. (Screenshots: "DFS namespace share" and "Server share".)

MariaDB optimal configuration on CentOS

Posted: 31 Mar 2022 05:02 AM PDT

I have a cloud server with the following config:

CPU: 8 vCore (4 Core, 4 Processor)
RAM: 16 GB
SSD: 240 GB

This server runs CentOS 7 64-bit with MariaDB as the database. (The date bug is fixed.)

The server is very database intensive and updated near constantly.

I am seeing > 95% utilization on the server, but I believe the default configuration is more to blame than running out of resources.

I'd like to offload more of the work to the RAM which is only 11% used by MySQL/MariaDB.

41724 mysql     20   0 10.163g 1.765g   9704 S 298.0 11.3  19:10.43 mysqld  

Using this Serverfault question I've adjusted my database config file as best I could.

This has improved some but is there anything else I can do to improve the performance outside of upgrading CPU?

[mysqld]
bind-address = ::
skip_name_resolve
local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
key_buffer_size=4G
max_allowed_packet=128M
query_cache_type = 1
query_cache_limit = 100M
query_cache_min_res_unit = 2k
query_cache_size = 784M
tmp_table_size= 2048M
max_heap_table_size= 2048M
skip-name-resolve
innodb_buffer_pool_size= 7G
innodb_file_per_table=1

How to monitor MySQL socket using icinga2

Posted: 31 Mar 2022 03:06 AM PDT

I would like to monitor my MySQL server using icinga2, as the title says. My MySQL server uses a Unix socket. I tried the following:

object Service "MYSQL" {
    import "generic-service"
    check_command = "mysql"
    vars.mysql_query_hostname = "/var/run/mysqld/mysqld.sock"
    vars.mysql_ignore_auth = true
    vars.mysql_port = 6800
    host_name = "mysql.server"
}

and I restarted the icinga2 service. When I check from icinga2 web, I have the following error for the MySQL service: Plugin Output Can't connect to MySQL server on '192.168.2.4' (111)

It seems that icinga2 can't check the MySQL service using the Unix socket. Is there something wrong with the config I'm using?

EDIT 1: So, I've installed icinga2 on the client and configured it as a satellite. I've been reading that the icinga2 agent is the elegant way to monitor services on a remote service. Since this setup will stay, I'm willing to spend time and effort to configure everything properly.

On the server, /etc/icinga2/conf.d/services.conf

apply Service "MySQL" {
    import "generic-service"
    check_command = "mysql"
    command_endpoint = host.vars.client_endpoint
    assign where host.vars.client_endpoint == "client1.example.com"
}

/etc/icinga2/conf.d/hosts.conf

object Host "client1.example.com" {
    import "generic-host"
    address = "192.168.2.4"
    vars.client_endpoint = "client1.example.com"
    vars.mysql_hostname = "/var/run/mysqld/mysqld.sock"
}

On the client, I've installed the required plugin "check_mysql" and icinga2 is running. When I check through the icinga2 web interface, I still get the following plugin output: Plugin Output Can't connect to MySQL server on '192.168.2.4' (111). It seems that it is still checking through TCP. What am I doing wrong?

SSL - Apache and Node.js on the same Amazon EC2 instance

Posted: 31 Mar 2022 05:02 AM PDT

I hosted my website on an EC2 instance, using Apache. SSL was also set up properly, running on HTTPS, port 443.

Currently, I have just added a chat application to the website using Node.js + socket.io. The Node.js server listens on port 3333.

How can I run the two servers (Apache and Node.js) on the same instance with SSL secured? Amazon EC2 doesn't allow me to open another port for HTTPS. It only allows 443 for HTTPS.

Displaying a remote SSL certificate details using CLI tools

Posted: 31 Mar 2022 12:11 AM PDT

In Chrome, clicking on the green HTTPS lock icon opens a window with the certificate details.

When I tried the same with cURL, I got only some of the information:

$ curl -vvI https://gnupg.org
* Rebuilt URL to: https://gnupg.org/
* Hostname was NOT found in DNS cache
*   Trying 217.69.76.60...
* Connected to gnupg.org (217.69.76.60) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: gnupg.org
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: gnupg.org
> Accept: */*

Any idea how to get the full certificate information from a command line tool (cURL or other)?

How to reconnect to the backend with HAProxy

Posted: 31 Mar 2022 01:00 AM PDT

I'm new to working with HAProxy. I couldn't figure out how to make HAProxy reconnect to a backend that was down and has started up again.

I have a configuration of two backend servers. When they are running and I start HAProxy, all works OK. The handshake is passed. Then I stop one of the backends and the traffic correctly goes to the server that keeps running. But then, when I start up the stopped server again, HAProxy does not recognize that. Only after an HAProxy service restart can it connect again.

How to fix this behavior?

apache times out with low cpu and memory usage

Posted: 31 Mar 2022 02:02 AM PDT

For a few days I have been noticing that my apache2 gets very slow when it has around 90 concurrent requests.

If I do a loader.io test it times out, for example after 13 successful requests:

loader.io results http://d.pr/i/S6D1+

What I really wonder about is that my CPU usage is normal (screenshot during the loader test):

htop display http://d.pr/i/kNZ4+

Also my memory has enough free space.

free -m outputs:

             total       used       free     shared    buffers     cached
Mem:         24158       6494      17663          0        259       2492
-/+ buffers/cache:       3742      20416
Swap:        24574          0      24574

My current apache2 settings:

Timeout 20
KeepAlive On
MaxKeepAliveRequests 75
KeepAliveTimeout 2

<IfModule mpm_prefork_module>
    StartServers          10
    MinSpareServers       10
    MaxSpareServers       30
    ServerLimit           200
    MaxClients            200
    MaxRequestsPerChild   4000
</IfModule>

EDIT:

More specs as requested:

OS: Debian 6.0.7 (2.6.32-5-amd64)
mySQL-Server: 5.5.30-1~dotdeb.0-log (Debian)
PHP: 5.3.22-1~dotdeb.0 with Suhosin-Patch (cli)

APC Settings:

; configuration for php apc module
extension=apc.so
apc.enabled=1
apc.shm_size=512M

MySQL Tuning Primer also says that everything is ok.

The site I was testing was a TYPO3 site with some AJAX on the start page.

I just tested a simple WordPress site on the same server (no problems at all):

Success responses: 3097
Avg response time: 1503
Sent from app: 20.86 MB
Rcvd from loader:  369.10 KB

Testing on this TYPO3 site fails early.

Any idea why this happens? Even apache2ctl status gets very slow! But the other things on the system act normally.

I don't know why this happens after this time.
