Tuesday, May 17, 2022

Recent Questions - Server Fault

Can Samba close a single user session coming from a shared host?

Posted: 17 May 2022 05:10 AM PDT

If I want to close a user session on a Samba server, the smbcontrol close-share and smbcontrol kill-client-ip commands are available to achieve this. However, when dealing with a shared client (a Windows Terminal Server, for example) these commands close the sessions of all users on that client.

Is it possible to close the session of only one user if that session comes from a shared host? I've looked at the smbcontrol, samba-tool and net utilities, and although net rap session looked promising, it doesn't seem to work. I also tried net rpc file CLOSE, but that too doesn't seem to work.

Iptables redirection to main proxy after filter on local proxy

Posted: 17 May 2022 04:43 AM PDT

I manage a subnet linked to an Institutional network (IN). Internet access from my subnet is through a proxy with credentials (they are not related to the users of my domain) in the IN. I need to apply several filters that are not implemented by that proxy. For that purpose I use squid on my local network as a non-transparent proxy. The problem is that after filtering with squid, I need to redirect to the IN proxy. I implement an iptables DNAT in PREROUTING and that way my clients are authenticated and browse correctly. The issue is that when I change the destination address of the packets they don't go through my firewall.

iptables -t nat -A PREROUTING -o eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.2.12.100:3128  

I need something like this

iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.2.12.100:3128

Is it correct to assume that the normal route of packets in iptables directed to my proxy is ..., INPUT, LOCAL PROCESSES (running squid), OUTPUT, ...? Thanks in advance.

Node exporter to be exposed on public IP

Posted: 17 May 2022 04:26 AM PDT

I am running node_exporter as a systemd service on several servers, but on one server the metrics are exposed only on the private IP address.

I want it to be exposed on the public IP so that I can add its A record to the Prometheus targets rather than the private IP address.

Curling the metrics on the public IP is not possible, but it is on the private IP. I used the same method of installing node exporter on all servers.

Will a Spring Boot JAR and React build from an Ubuntu server work on a CentOS server?

Posted: 17 May 2022 04:20 AM PDT

We have our Jenkins on an Ubuntu server with two jobs: one creates Spring Boot JARs and the other builds a React project.

After successful completion of the job, we have to copy the output to the UAT server, which is a CentOS server.

Will it have any effect on the web application, i.e. building the code on Ubuntu and running it on CentOS?

Please help.

Openvpn and routing for outside

Posted: 17 May 2022 04:41 AM PDT

I installed openvpn on my router. Everything works great. But, when the tunnel is up, my router is no longer accessible from the outside (I have a "white" dedicated address). Packets get to the external interface and the response goes into the tunnel through the routing - this is clear. But how to deal with it?

I can't show the server configuration (this is ProtonVPN), but I can show the client configuration; it's standard:

client
dev tun
proto udp
remote X.X.X.X 80
server-poll-timeout 20
remote-random
resolv-retry infinite
nobind
# The following setting is only needed for old OpenVPN clients compatibility. New clients
# automatically negotiate the optimal cipher.
cipher AES-256-CBC
auth SHA512
verb 3
setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass
pull
fast-io
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
...............................
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
6acef03f62675b4b1bbd03e53b187727
.........
-----END OpenVPN Static key V1-----
</tls-auth>

Docker container promiscuous mode partially working

Posted: 17 May 2022 04:10 AM PDT

I have a strange virtual (Docker bridges) networking condition.

I have two Docker containers connected to the same bridge via docker-compose. One container is "probe" and one is "injector". Injector uses tcpreplay to replay a capture and "probe" should receive it via tcpdump. Needless to say, the replayed capture does not have any relation to the IPs or MACs of the NICs attached to the bridge. Pinging works fine between the hosts.

Now there's a third NIC exposed to the host machine automatically by docker.

       +--->NIC1 ["injector" docker / uses tcpreplay to inject ]
bridge +--->NIC2 ["probe" docker / uses tcpdump to listen]
       |
       +--- NIC3 host [used for testing sometimes as injector and sometimes as listener]

Now what actually happens is that when tcpreplay is run from the HOST (injecting the capture via NIC3) everything works fine, and tcpdump on "probe" shows the replayed traffic. However, when tcpreplay is used on injector and injects the capture via NIC1, only the first two packets of the capture can be seen on "probe" and then all traffic on "probe" stops (injecting from the host also stops working). If tcpdump is run on NIC3 it receives all captured traffic from injector normally.

  • ifconfig on "probe" doesn't show any dropped packets
  • iptables on host does not increase counters of dropped packets (hopefully I am doing it correctly: "sudo iptables -L -v -n | grep -i drop")
  • tcpdump automatically enables promiscuous mode on probe

Does anyone have an explanation for this asymmetric behavior? Any idea how to debug it?

Injector and host: AlmaLinux 8; probe: CentOS 7; tcpreplay version 4.4.1.

Two different sites with one domain

Posted: 17 May 2022 03:28 AM PDT

This is the scenario: I have two sites.

The sites are connected together by a P2P wireless connection.

Windows Server 2012 on both sites acts as a domain controller. We have one domain for both.

DHCP service is enabled on both servers with a failover setting.

Users in each site browse the internet via two TMG proxies.

The TMG settings are pushed to the users when they log in, via a GPO setting, so the users use the local TMG server as a proxy on their site.

Each site has an individual ISP VPN circuit for getting some applications from a third site. However, currently both sites have a default gateway of the VPN circuit of site 1, so all users are retrieving the applications of the third site via one VPN circuit, which is in site 1.

Site 1 ---->TMG1---->Internet

       ----->VPN1---->Site3 applications  

Site 2 ---->TMG2---->Internet

       ----->VPN1---->Site3 applications  

The question is: How can I force Site 2 to go through VPN2 to retrieve Site 3 applications when the wireless link is dropped? In other words, how can I configure site 2 to use VPN 2 as a gateway only in that case (wireless connectivity is dropped) without changing the current configuration of the DHCP?

Both VPNs can see each other as they are already configured to do so by the ISP.

How to send an email with openssl and Microsoft Exchange Online?

Posted: 17 May 2022 04:52 AM PDT

With Microsoft disabling basic auth in Exchange Online, I set out to add support for Modern Authentication in our application. Our app sends basic email alerts. Currently we use SMTP basic auth or an open relay for this, but Modern Auth would be a nice addition.

To fully understand the process, I'd like to go through the entire email process manually. I have a development tenant at Microsoft, in which I have registered our application. I have no issues acquiring the OAuth token with an email scope. It's the communication with the SMTP server that I can't get through.

As the communication has to be encrypted, I use openssl (instead of telnet). I connect to the server with this command:

openssl s_client -connect smtp.office365.com:587 -crlf -starttls smtp  

There is some feedback around SSL negotiation and then the server responds with:

250 SMTPUTF8  

At that point I believe I am supposed to use the EHLO command. However, after

EHLO  

The response is just (Server changes on every attempt)

' [AM4PR0101CA0056.eurprd01.prod.exchangelabs.com]   

At this point I'm not sure what to do. I believe it may be necessary to insert some domain after the ehlo command (to identify the Microsoft online tenant to connect to?). However, whatever domain I insert, the response is always:

501 5.5.4 Invalid domain name [AM4PR0101CA0056.eurprd01.prod.exchangelabs.com]  

Can somebody explain how to initiate communications with a Microsoft Exchange Online tenant via OpenSSL? What do I put after EHLO? Am I connecting to the right address at all? I'm just trying to get to a point where I can issue an AUTH XOAUTH2 command to log in on my tenant.

I've been able to do the complete process on Gmail's SMTP server (smtp.gmail.com). On there, it does not matter what you add after the EHLO command; after issuing it you will be greeted and can proceed to log in with various AUTH commands.
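The dialogue the question walks through, modelled offline in Python as an added example (not code from the question or from Microsoft): the EHLO line with the client host name that RFC 5321 requires, parsing of the multi-line 250 reply to see whether AUTH XOAUTH2 is offered, and the base64 SASL XOAUTH2 initial response. The server reply, mailbox and token below are constructed samples; the server name is the one quoted in the question, and no network connection is opened.

```python
"""
Helpers for a manual SMTP + OAuth session (added example, not the question's own
code). Nothing here touches the network: SAMPLE_EHLO_REPLY is a constructed reply
shaped like what a well-formed EHLO gets back from an Exchange Online frontend.
"""
import base64
import re

# RFC 5321: EHLO takes the client's FQDN or an address literal such as [203.0.113.10].
HOSTNAME_RE = re.compile(
    r"^(\[[0-9A-Za-z:.]+\]"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)$"
)
# One SMTP reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample reply; only the last line ("250 SMTPUTF8") is quoted in the question.
SAMPLE_EHLO_REPLY = "\r\n".join([
    "250-AM4PR0101CA0056.eurprd01.prod.exchangelabs.com Hello [203.0.113.10]",
    "250-SIZE 157286400",
    "250-PIPELINING",
    "250-DSN",
    "250-ENHANCEDSTATUSCODES",
    "250-AUTH LOGIN XOAUTH2",
    "250-8BITMIME",
    "250-BINARYMIME",
    "250-CHUNKING",
    "250 SMTPUTF8",
])


def ehlo_command(client_host):
    """Build the EHLO line. A bare 'EHLO', or an argument that is not a host name
    or [address literal], is what strict servers answer with 501 5.5.4, so reject
    it before sending."""
    if not HOSTNAME_RE.match(client_host):
        raise ValueError("EHLO needs a valid host name or [address literal]")
    return "EHLO %s\r\n" % client_host


def parse_reply(raw):
    """Parse one SMTP reply, possibly multi-line ('250-' continuation, '250 ' last).
    Returns (code, [text of each line])."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE_RE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        line_code, sep, text = m.groups()
        if code is None:
            code = int(line_code)
        elif int(line_code) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(text)
        if sep == " ":  # final line of this reply
            return code, texts
    raise ValueError("reply not terminated (no 'NNN ' line)")


def auth_mechanisms(ehlo_texts):
    """Mechanisms listed on the 'AUTH ...' EHLO keyword line, upper-cased; [] if none."""
    for text in ehlo_texts[1:]:  # texts[0] is the server's greeting line
        parts = text.split()
        if parts and parts[0].upper() == "AUTH":
            return [p.upper() for p in parts[1:]]
    return []


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response, the argument of AUTH XOAUTH2:
    base64('user=' user ^A 'auth=Bearer ' token ^A ^A), where ^A is byte 0x01."""
    payload = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def xoauth2_fields(b64):
    """Inverse of xoauth2_initial_response, to inspect what would be sent."""
    payload = base64.b64decode(b64).decode("utf-8")
    return dict(f.split("=", 1) for f in payload.split("\x01") if f)


def auth_command(ehlo_reply, user, access_token):
    """The AUTH XOAUTH2 line to send after EHLO, or None if the server did not
    advertise XOAUTH2 (sending it anyway only yields a 5xx reply)."""
    code, texts = parse_reply(ehlo_reply)
    if code != 250 or "XOAUTH2" not in auth_mechanisms(texts):
        return None
    return "AUTH XOAUTH2 %s\r\n" % xoauth2_initial_response(user, access_token)


if __name__ == "__main__":
    print(ehlo_command("alerts.example.com"), end="")
    print(auth_command(SAMPLE_EHLO_REPLY, "alerts@example.com", "<access-token>"), end="")
```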

Vagrant + Docker: synced folder permissions

Posted: 17 May 2022 02:16 AM PDT

all!

I use Vagrant to manage an Ubuntu 14.04 Docker container.

I have a synced shared folder named common (created by my personal user on the host):

config.vm.synced_folder "common", "/common"  

The Vagrant docs say:

The Docker provider does not support specifying options for owner or group on folders synced with a docker container.

In my case, the vagrant user (Docker) and my personal user (host) have different UIDs. This causes permission problems when I try to copy files from the Docker container into the common folder.

Is there a generic solution to this problem?

How to delete a Scheduled task folder with PowerShell?

Posted: 17 May 2022 02:15 AM PDT

I need to delete scheduled task folders on a lot of machines, ideally with PowerShell. I couldn't find anything on how to do that; it seems like the documentation covers everything but folders.

Did I miss something?

Best practice for AWS root account or superuser?

Posted: 17 May 2022 01:06 AM PDT

Normally, we have the rule of 3 people having superuser access with 3 usernames/passwords, and if anyone is ever offboarded (they leave or are fired), on vacation, out sick, or in a different time zone, someone still has access and we are never crippled. When looking at AWS, I don't get why it seems there is only one AWS 'root account' and password. It would seem the person with the keys to the castle is not in a position to ever be fired in this case, or rather he will know as soon as you ask him for the single account (when it is tied to MFA especially).

Am I missing something? Is there a 'superuser' we can add for 2 more people that has the power to remove the root account?

In devops, this has been done for years in linux, windows, etc.

Oh, for compliance, all accounts will need MFA enabled as well which means we can't share this root account really either. How are others handling this so 3 different people can support the company while others are out sick?

Oh man, what if the guy with the root password/login died. Would the company be screwed?

thanks!

NGINX proxy_pass with changing URI

Posted: 17 May 2022 03:45 AM PDT

What I want to achieve:

When I access my site "https://my.domain.com/comics", it should point to the http://192.168.1.55:3322/login page, which is the comic webserver login page. I will enter my password, and the comic web server will then go to http://192.168.1.55:3322/dashboard. After that I can navigate to the books, accounts, etc. pages of said webserver.

The only way I can get this to work is if my settings are like this:

location / {
    proxy_pass              http://192.168.1.55:3322/;
    proxy_set_header        X-Forwarded-Host        $server_name:$server_port;
    proxy_hide_header       Referer;
    proxy_hide_header       Origin;
    proxy_set_header        Referer                 '';
    proxy_set_header        Origin                  '';
    add_header              X-Frame-Options         "SAMEORIGIN";
}

With these settings, everything works fine. The pages get directed as intended. I understand that it works because location / matches with everything.

So, what I want is that when I type https://my.domain.com/comics it points to the login page, which is http://192.168.1.55:3322/login, and after that it proceeds according to the URI as set by the web server.

The comic webserver has pages like:

http://192.168.1.55:3322/login
http://192.168.1.55:3322/dashboard
http://192.168.1.55:3322/account
http://192.168.1.55:3322/books

I am quite new at nginx and willing to learn. I tried reading the manual pages, but have difficulty visualizing how certain parameters work. The parameters I wrote above were from another page that teaches how to set up nginx with a torrent server.

Thank you in advance.

Extending File-system after EBS volume increase on M5 type EC2 with Ubuntu 16.04

Posted: 17 May 2022 05:11 AM PDT

Production AWS Instance: We have an m5 ec2 nitro instance that is in need of query optimization. However, we are in a time crunch and have decided to temporarily throw memory and storage at this until we can complete the optimization of queries. (Apologies in advance)

There is 50GB on one EBS volume (/dev/sda1) and another 50GB on a second volume (/dev/sdf). As far as I can tell, the EC2 instance is only using one of the 50GB volumes, /dev/sda1.

Linux kernel version: 4.4.0-1128-aws, 32GB RAM (M5a.2xlarge)

Our /dev/nvme0n1p1 (/tmp) directory is filling up, creating an SQL 28 No Disk Space error, and we want to increase the size of the /tmp directory from 20GB to 50GB while we optimize queries to reduce the sizes of the temporary database (.MAI) files stored in /tmp.

Where I am at: In our testing environment/EC2 (also an M5.2xlarge) I was able to increase the volume size to 100GB and I have followed the steps in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html

  • This is what shows when I run lsblk:

NAME                MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
nvme0n1             259:0    0   100G  0 disk
├─nvme0n1p1         259:1    0    20G  0 part /
├─nvme0n1p2         259:2    0     2G  0 part [SWAP]
└─nvme0n1p3         259:3    0    28G  0 part
  ├─vg_xxx-logs     251:0    0     8G  0 lvm  /var/log
  └─vg_xxx-app      251:1    0    19G  0 lvm  /home/xxx

This is what shows when I run df -hT:

Filesystem              Type      Size  Used Avail Use% Mounted on
udev                    devtmpfs   16G     0   16G   0% /dev
tmpfs                   tmpfs     3.1G  183M  3.0G   6% /run
/dev/nvme0n1p1          ext4       20G  8.6G   11G  45% /
tmpfs                   tmpfs      16G     0   16G   0% /dev/shm
tmpfs                   tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs                   tmpfs      16G     0   16G   0% /sys/fs/cgroup
/dev/loop0              squashfs   44M   44M     0 100% /snap/certbot/1788
/dev/loop1              squashfs  111M  111M     0 100% /snap/core/12834
/dev/loop3              squashfs   62M   62M     0 100% /snap/core20/1434
/dev/loop5              squashfs   56M   56M     0 100% /snap/core18/2409
/dev/loop4              squashfs   25M   25M     0 100% /snap/amazon-ssm-agent/4046
/dev/loop2              squashfs   56M   56M     0 100% /snap/core18/2284
/dev/mapper/vg_xxx-logs xfs       8.0G  362M  7.7G   5% /var/log
/dev/loop6              squashfs   26M   26M     0 100% /snap/amazon-ssm-agent/5656
/dev/loop8              squashfs   44M   44M     0 100% /snap/certbot/2035
/dev/loop7              squashfs   62M   62M     0 100% /snap/core20/1328
/dev/mapper/vg_xxx-app  xfs        19G  4.7G   15G  25% /home/xxx
tmpfs                   tmpfs     3.1G     0  3.1G   0% /run/user/1000
tmpfs                   tmpfs     3.1G     0  3.1G   0% /run/user/1001

As you can see, it shows that nvme0n1 has 100GB available; however, the 3 partitions still add up to 50GB. When I get to step 7 of the AWS documentation on extending the filesystem to occupy the newly added volume space, I get the following:

ubuntu@ip-xx-xx-xx-xxx:~$ sudo resize2fs /dev/nvme0n1p1
resize2fs 1.42.13 (17-May-2015)
The filesystem is already 5242619 (4k) blocks long.  Nothing to do!

I have an ext4 filesystem (except that I see two LVMs under nvme0n1p3, but I don't think that changes anything) and have tried growpart and parted, but the solutions found online are generally for Ubuntu and not specifically for EC2 EBS volumes, so I do not want to diverge too much from what should be an AWS-provided solution that I cannot seem to find. That being said, those also produced error messages saying the drive/directory was in use.

My understanding is that AWS EBS allows for an ec2 to increase volume size and then extend the file-system without stopping the instance or unmounting the device being extended. Nonetheless, I have not been able to do the same when stopping the staging instance I am testing on. I am open to stopping the instance to get this done, however, would prefer to do it without unmounting device and/or stopping instance.

I can also upgrade the instance to provide more RAM if need be, but I'd still need to extend the filesystem first.

Any help is appreciated!

Use mytop as a root user, without specifying a database

Posted: 17 May 2022 02:27 AM PDT

Is it possible to use mytop without specifying a database? That is to say, can I use it as the root MySQL user, in order to monitor all of the databases on the server?

For example, I can use the same credentials with mysql, like this

mysql -uroot -p  

which prompts me for my password. However, I've yet to find the same thing for mytop (I found nothing related to this in man mytop).

I have tried using it like this

mytop -u root -p<mypass>  

Of course, this doesn't work, and it tries connecting to a non-existing DB (taken from the config file).

How can I use mytop as a root user, without specifying a database?

Mount error (112) - Host is down, specifying SMB protocol version does not resolve issue

Posted: 17 May 2022 04:01 AM PDT

Hoping someone can help.

I have previously been able to mount a local network drive to my server (was running Ubuntu 16.04.7, now running 18.04.6). However, recently when I try it gives the following error:

mount error(112): Host is down

I use the command below to mount:

mount /mnt/directoryname

My fstab looks like:

//network/share/ /mnt/directoryname cifs uid=1000,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,noauto,user 0 0

Having read through previous posts with similar issues, I have attempted to force the use of specific SMB protocols (1, 2, 2.1 and 3), using the following fstab (in this example for version 1):

//network/share/ /mnt/directoryname cifs uid=1000,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,noauto,user,vers=1.0 0 0

No matter which version I specify I continue to get the same error.

If I comment out the line in the fstab and attempt to mount via the command line I continue to receive the same error. Below are the mount options I use:

sudo mount -t cifs //network/share/ /mnt/directoryname -o username=myusername,vers=1.0

I have also seen the addition of "defaults" to the fstab options:

//network/share/ /mnt/directoryname cifs uid=1000,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,noauto,defaults,user 0 0

but that just produces an invalid argument error message (so perhaps I added it incorrectly).

I'm not sure what to do now. I can connect to the network drive via my PC and the webpage. I can ping the network drive from the server. Therefore, I know it is up and running.

I have tried using smbclient as well:

smbclient //network/share/ --user=MYUSERNAME

That gives the following error:

protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

Which possibly has more to do with the fact I don't really know how to use the smbclient command but may be indicative of an associated issue.

If anyone has any ideas, please let me know.

Thank you for reading.

ETA: corrected the mount command used when commenting out the fstab line.

Apache ProxyPass redirects to "localhost:port" as a URL string instead of the local service on that port

Posted: 17 May 2022 01:26 AM PDT

Environment

Server version: Apache/2.4.6 (CentOS)


I have two servers which are almost duplicates.

aaa.com. and bbb.com.

They have almost same Apache rulesets.

aaa.com. config

<Location "/serviceEndpoint/">
  ProxyPass http://localhost:8100/serviceEndpoint/
  ProxyPassReverse http://localhost:8100/serviceEndpoint/
</Location>
<Location "/fruit/apple">
  ProxyPass "/fruit/apple" "http://localhost:8100/serviceEndpoint/fruit/apple"
  ProxyPassReverse "/fruit/apple" "http://localhost:8100/serviceEndpoint/fruit/apple"
</Location>

So /serviceEndpoint is a service using 8100 port, and /fruit/apple is a servlet of it.

bbb.com. config

<VirtualHost _default_:80>
  ProxyPass "/serviceEndpoint/" "http://localhost:20100/serviceEndpoint/"
  ProxyPassReverse "/serviceEndpoint/" "http://localhost:20100/serviceEndpoint/"

  ProxyPass "/fruit/apple" "http://localhost:20100/serviceEndpoint/fruit/apple"
  ProxyPassReverse "/fruit/apple" "http://localhost:20100/serviceEndpoint/fruit/apple"
</VirtualHost>

It looks the same, but it's inside VirtualHost:80, if that makes any difference.
(*edit: I tested using the same config, but the result was the same.)

Problem

Both aaa.com/fruit/apple and bbb.com/fruit/apple work well.

But when the service uses response.sendRedirect() (Java) and redirects the browser to /fruit/apple,
only aaa.com. works; bbb.com. makes the client browser try to connect to the literal http://localhost:20100/fruit/apple.

aaa.com redirect response header

HTTP/1.1 302
Date: Mon, 09 May 2022 08:01:29 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubDomains
Location: /fruit/#!/some_controller
Content-Length: 0
Set-Cookie: JSESSIONID=4EA61F0E6031621E540DBDC9F6C54D64; Path=/serviceEndpoint; HttpOnly
Set-Cookie: JSESSIONID=4EA61F0E6031621E540DBDC9F6C54D64; Secure; HttpOnly; SameSite=Strict
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive

bbb.com redirect response header

HTTP/1.1 302
Date: Mon, 09 May 2022 08:01:29 GMT
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubDomains
Location: http://localhost:20100/fruit/#!/some_controller
Content-Length: 0
Set-Cookie: JSESSIONID=4EA61F0E6031621E540DBDC9F6C54D64; Path=/serviceEndpoint; HttpOnly
Set-Cookie: JSESSIONID=4EA61F0E6031621E540DBDC9F6C54D64; Secure; HttpOnly; SameSite=Strict
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive

Question

From Apache settings, what can cause this behavior and how should I fix this?

Assign a specific machine SID to a new Windows system

Posted: 17 May 2022 03:05 AM PDT

Windows Setup assigns a unique machine SID to a Windows system at install time. The machine SID is not exposed over the network, and as such it usually does not matter what it is, but local users' security identifiers are based on the machine SID, and this can create problems when sharing user profiles and user-created files on NTFS volumes. Even if the files and folders have ACLs with only predefined, non-machine-specific SIDs such as the builtin Administrators group, their owner is the creating local user, identified by the machine SID and user RID. This scenario comes up, for instance, if you want to script-build your development system from fresh Windows installation media as if it were a Linux container. In this case you want every Windows system you build to share the same machine SID.

However, SysInternals' NewSID utility was deprecated and retired way back in 2009, and does not work properly on modern Windows versions. Is there a way to achieve the same result with regular Windows deployment tools? Mark Russinovich hinted in his post deprecating NewSID that this may be the case, but if so this capability is not documented. Of course, it would not be surprising: Microsoft has a long history of undocumented features going back to the days of MS-DOS.

ssh-add returns "Error connecting to agent: No such file or directory" even though agent is running

Posted: 17 May 2022 05:02 AM PDT

Windows 10 20H2, build 19042.685

I'm trying to use the SSH agent in the built-in OpenSSH client on Windows 10. The agent is running:

C:\Users\Daniel> Get-Service | ?{$_.Name -like '*ssh-agent*'}

Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent

However, ssh-add is still throwing the same error:

C:\Users\Daniel> ssh-add C:\Users\Daniel\.ssh\id_ed25519
Error connecting to agent: No such file or directory

Any ideas?

Can't install additional VM with virt-install

Posted: 17 May 2022 04:23 AM PDT

Installing an additional VM with the virt-install command results in the following error:

ERROR    internal error: process exited while connecting to monitor: 2019-02-20T08:21:45.534416Z qemu-system-x86_64: -drive file=/home/chris/VM/ubuntu-16.04.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: Could not open '/home/chris/VM/ubuntu-16.04.iso': Permission denied  

This is my virt-install command:

sudo virt-install \
  -n VPNserver \
  --description "VPN server" \
  --os-type=Linux \
  --os-variant=ubuntu16.04 \
  --ram=1096 \
  --vcpus=1 \
  --disk path=/var/lib/libvirt/images/vpnserver.img,bus=virtio,size=10 \
  --network bridge:br2 \
  --graphics none \
  --location /home/chris/VM/ubuntu-16.04.iso \
  --extra-args console=ttyS0 \
  --autostart

File permissions in /home/chris/VM/:

-rw-rw-r-- 1 chris        chris         93 Jan  3 14:15 Fileserver.README
-rwx------ 1 chris        chris        334 Nov 21 09:20 installFileserver
-rwx------ 1 chris        chris        332 Feb 20 08:21 installVPNServer
-rwx------ 1 chris        chris        331 Nov 21 09:20 installWebserver
-rw-rw-rw- 1 chris        chris        795 Jan 24 13:10 README.txt
-rw-rw-r-- 1 libvirt-qemu kvm    912261120 Jul 31  2018 ubuntu-16.04.iso

Similar question:

virt-install cannot use ISO file as location

What I've tried...

1) "chown" the iso file to user 'chris'

2) Moved the file to the /tmp directory

3) sudo -s and executed the script.

4) Redownloaded the ISO image.

Multiqueue tun/tap interface

Posted: 17 May 2022 02:38 AM PDT

I am trying to understand how a multiqueue tuntap interface works. Following the instructions provided at https://www.kernel.org/doc/Documentation/networking/tuntap.txt I was able to create multiple queues. However, I don't know how to check the queues' status and where they are created. I tried:

$ tc -s class show dev tap0  

(where tap0 is my tap interface), I see around 255 queues, even for a single ioctl call with IFF_MULTI_QUEUE flag. So probably I am looking at the wrong place. Here is the snippet of the output of the above command:

class mq :1 root
 Sent 4741 bytes 37 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :2 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
.
.
.
class mq :ff root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
class mq :100 root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Secondly, I am not sure how to steer packets to these queues based on some filter or classifier using tc or any other tool. I'd really appreciate it if someone could shed some light on it.

PS: I'm not sure which is the best forum to ask such questions and will appreciate if someone can point me to the right one. I have tried: https://unix.stackexchange.com/questions/496043/multiqueue-tun-tap-interface but haven't got any convincing answer yet. Thanks!

Unable to enable mpm_event in httpd | CentOS 7

Posted: 17 May 2022 02:04 AM PDT

I am kind of new to MPMs and all, so please bear with me. I have a web server running 8 websites (PHP based) on it. My RAM usage goes over 90% and the swap usage goes over 80%. When I check

service httpd status

the number of requests generally bounces to 30k and I see a lot of httpd processes. I tried to fix it by searching Google and trying out this solution, thinking that enabling php-fpm and mod_mpm_event would take all the load off my RAM and swap, but it didn't work and the sites loaded like this, whereas the original site looked like this. So, I reverted to my old configuration.

My configuration:

00-mpm.conf

[root@csmsvr-lin-lv-02 conf.modules.d]# cat 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
<IfModule mpm_prefork_module>
    ServerLimit          800
    StartServers         5
    MinSpareServers      75
    MaxSpareServers      800
    MaxRequestWorkers    800
    MaxRequestsPerChild  0
</IfModule>
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so

/etc/httpd/conf.d/php.conf

[root@csmsvr-lin-lv-02 conf.modules.d]# cat /etc/httpd/conf.d/php.conf
#
# Cause the PHP interpreter to handle files with a .php extension.
#
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

#
# Allow php to handle Multiviews
#
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following lines to allow PHP to pretty-print .phps
# files as PHP source code:
#
#<FilesMatch \.phps$>
#    SetHandler application/x-httpd-php-source
#</FilesMatch>

#
# Apache specific PHP configuration options
# those can be override in each configured vhost
#
php_value session.save_handler "files"
php_value session.save_path    "/var/lib/php/session"

00-base.conf

[root@csmsvr-lin-lv-02 conf.modules.d]# cat 00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

#LoadModule buffer_module modules/mod_buffer.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule dialup_module modules/mod_dialup.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule request_module modules/mod_request.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule speling_module modules/mod_speling.so

httpd -l

[root@csmsvr-lin-lv-02 conf.modules.d]# httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c

System config: RAM 6 GB, swap 6 GB, CPU 8 cores
php -v: 5.4.16
httpd -v: 2.4.6

How to use HAProxy in load balancing and as a reverse proxy with docker?

Posted: 17 May 2022 02:04 AM PDT

I am using the HAProxy Docker image to share load between multiple similar containers. It's working fine if I use a single address like web.abc.com, which is mapped to my localhost, to query only the API containers. But now I want to use api.abc.com too with this HAProxy config file.

So the scenario is going to be: if I hit web.abc.com it will share the load of the web application containers using round robin and show me the contents of those containers, and if I hit api.abc.com it gives me access to those containers which have the API.

I have tried multiple config changes in my haproxy.cfg, but it's not working.

This is my docker-compose file, and this is the haproxy.cfg I am using, which is obviously not working.

Is this scenario even possible with HAProxy? Help me.
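The routing the question describes is a Host-header split: one frontend, two backends, an ACL per hostname. The following haproxy.cfg is an added example and not the poster's configuration or compose file; the hostnames web.abc.com and api.abc.com come from the post, while the backend service names and ports (web1/web2 on 80, api1/api2 on 8080) are assumptions about what the compose file defines.

```haproxy
# Added example, not the configuration from the post.
# Assumed: compose services web1, web2 (port 80) and api1, api2 (port 8080)
# on the same Docker network as this HAProxy container.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Normalise the Host header once: lower-case it and drop any ":port" suffix,
    # so "Api.abc.com:8080" still matches the api backend.
    http-request set-var(txn.host) req.hdr(host),lower,field(1,:)
    acl host_web var(txn.host) -m str web.abc.com
    acl host_api var(txn.host) -m str api.abc.com
    use_backend api_servers if host_api
    use_backend web_servers if host_web
    # Anything else (no Host header, an IP address, a hostname you did not
    # expect) is refused instead of silently landing on a default backend.
    default_backend no_match

backend web_servers
    balance roundrobin
    option httpchk GET /
    server web1 web1:80 check
    server web2 web2:80 check

backend api_servers
    balance roundrobin
    option httpchk GET /health
    server api1 api1:8080 check
    server api2 api2:8080 check

backend no_match
    http-request deny
```

Validate the file inside the container with `haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg` before restarting, and test the split without touching DNS or the hosts file by forcing the header: `curl -H 'Host: api.abc.com' http://localhost/` should reach the api containers, `curl -H 'Host: web.abc.com' http://localhost/` the web ones, and a request with any other Host value should get a 403 from the no_match backend.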

How to get contacts of user on exchange 2013 when have full permission on user's mailboxes

Posted: 17 May 2022 05:02 AM PDT

I want to export a user's contacts into a .csv file without knowing his password. Now, I can give an admin account full permission to a user's mailbox with this cmdlet:

Add-MailboxPermission -Identity abc@example.com -User admin -AccessRights FullAccess  

My question is, with this admin account, how can I access and export the contacts of abc@example.com?

Or if you have any idea how to do this, could you please give me a hint?

Thanks,

Ubuntu 14.04 Failing to join domain for Integration with Active Directory (winbind & samba)

Posted: 17 May 2022 01:01 AM PDT

I've followed the tutorial at this link https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Everything seems to be configured somewhat correctly: net rpc join worked and the realm is listed when entering the command "realm list", but I am still getting an error when trying net ads join.

kinit works and gives me a ticket, shown in klist. wbinfo -g gives no output. wbinfo -a user%pass gives:

plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user jball with challenge response

sudo net ads testjoin -S domain.dc.com -U username -d 3 returns a bunch of errors such as failed to resolve _ldap._tcp..... (Success) and Failed to send DNS query (NT_STATUS_UNSUCCESSFUL). It successfully contacts the LDAP server, but ends in an error message saying:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: LDAP_INVALID_CREDENTIALS

If any more information is needed, or if you would like me to post any config files, please let me know; I will respond ASAP. Any help would be greatly appreciated, thanks.
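net ads join locates domain controllers through the _ldap._tcp and _kerberos._tcp SRV records of the realm, so "failed to resolve _ldap._tcp" in the debug output is worth checking on its own. The script below is an added example, not something from the post: it queries the SRV names Samba looks up and prints the controllers they point at, using dig. The realm name is an assumption (the post only shows domain.dc.com as the -S target); pass the real realm as the first argument.

```sh
#!/bin/sh
# Added example, not from the post: list the domain controllers that the
# realm's SRV records advertise, the same records net ads join resolves.
# Requires dig (dnsutils). REALM is an assumption; pass yours as $1.

# srv_targets: read "prio weight port target." lines (the dig +short SRV
# format) on stdin and print "target:port", lowest priority first, with the
# trailing dot stripped from the target.
srv_targets() {
    sort -n | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# check_srv NAME: resolve one SRV name and print its targets, or a warning
# when nothing comes back (a join cannot find a DC through that name then).
check_srv() {
    targets=$(dig +short SRV "$1" 2>/dev/null | srv_targets)
    if [ -z "$targets" ]; then
        echo "MISSING  $1"
        return 1
    fi
    echo "OK       $1 -> $(echo "$targets" | tr '\n' ' ')"
}

# check_realm REALM: query the three SRV names Samba uses to find the DC.
check_realm() {
    domain=$(echo "$1" | tr 'A-Z' 'a-z')
    check_srv "_ldap._tcp.dc._msdcs.$domain"
    check_srv "_kerberos._tcp.$domain"
    check_srv "_ldap._tcp.$domain"
}

if [ -n "${1:-}" ]; then
    check_realm "$1"
fi
```

Run it as `sh check_srv.sh DOMAIN.DC.COM` from the client that fails to join; if any of the three lines reads MISSING, the resolver the client uses (check /etc/resolv.conf) is not the AD DNS server, and net ads join has nothing to work with regardless of the Kerberos ticket.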

FIPS 140-2 on Windows 2012R2 with SQL 2014

Posted: 17 May 2022 03:01 AM PDT

I'm attempting to set my Microsoft SQL 2014 instance to use FIPS 140-2 compliant encryption as described in this KB article for SQL 2012, but it does not appear to be working. I do not see "FIPS" anywhere in the SQL service error logs. I set the FIPS option using the local security policy System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms.

As an aside, I tried setting the same policy via a GPO security policy, but the security option did not change the computer's registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled even though GPResult showed it being applied. I don't know if that's a hint or just another oddity. The GPO security policy did apply after two reboots.

I know Microsoft has recently said that FIPS mode is not a necessity, but I need to be able to test an app soup-to-nuts with FIPS enabled on the DB.

Any ideas on how to force FIPS on the SQL instance?

How to increase a soft limit of a stack size for processes run by some user (uid) on Solaris 10

Posted: 17 May 2022 01:01 AM PDT

Our enterprise runs on Oracle Tuxedo 10 under Solaris 10. As a result of some recent development (customization source code all across the system was changed by extending the sizes of local variables declared in C functions), we run into stack overflow problems from time to time (depending on how long the function call chain is). As a workaround we decided on increasing the soft limit of the stack size for all Tuxedo processes run by a single user. We are considering using ulimit, /etc/project, etc. Clear and short step-by-step instructions for our on-site support team on how to extend the stack size (per user) on Solaris 10 would be very much appreciated! Thank you in advance.
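The soft limit is inherited across fork/exec, so the simplest per-user approach is to raise it in whatever starts the Tuxedo servers (the shell that runs tmboot) and let every server inherit it; the hard limit can only be raised by root, on Solaris through the process.max-stack-size resource control in /etc/project. The function below is an added example, not a procedure from the post, written for ksh or bash (the Solaris 10 Bourne /bin/sh only knows ulimit -f). The 64 MB value and the user name tuxedo are assumptions; pick a limit that fits the deepest call chain you actually see.

```sh
#!/bin/bash
# Added example, not from the post. Assumptions: the account that runs tmboot
# is "tuxedo" and 64 MB (65536 KB) is enough stack for the changed C code.
STACK_KB=65536

# set_stack_soft_limit KB: set the soft stack limit of the current shell, and
# of everything it then starts, to KB. ulimit lets an unprivileged user move
# the soft limit anywhere up to the hard limit, so the hard limit is checked
# first and a clear error is printed instead of ulimit's terse one.
set_stack_soft_limit() {
    want=$1
    hard=$(ulimit -Hs)
    if [ "$hard" != unlimited ] && [ "$hard" -lt "$want" ]; then
        echo "hard stack limit is ${hard} KB; cannot set soft limit to ${want} KB" >&2
        echo "raise it as root first (Solaris: projmod, see below)" >&2
        return 1
    fi
    ulimit -Ss "$want"
}

# Root, once, if the hard limit is below what the user needs. On Solaris 10 the
# hard limit is the "privileged" value of process.max-stack-size in the user's
# project (bytes; 67108864 = 64 MB). The project user.tuxedo is assumed to exist;
# create it with projadd -U tuxedo user.tuxedo if /etc/project has no entry.
#   projmod -s -K "process.max-stack-size=(privileged,67108864,deny)" user.tuxedo
# New logins of that user pick the project up automatically; check with
#   prctl -n process.max-stack-size $$
# from a fresh login shell.

# Typical use in a tmboot wrapper run as the tuxedo user: raise the soft limit,
# then exec tmboot so every Tuxedo server inherits the new limit.
if [ "${1:-}" = "boot" ]; then
    set_stack_soft_limit "$STACK_KB" && exec tmboot -y
fi
```

A server that is already running keeps the limit it was born with, so the change only takes effect after tmshutdown and a fresh tmboot from a shell where `ulimit -Ss` shows the new value.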

How to create a SCSM Email subscription for when the action log of a PROBLE is updated

Posted: 17 May 2022 03:01 AM PDT

Sorry about the title, it wouldn't let me use the word PROBLEM.

In our SCSM we have used SCSM 2012: Notify the analyst when an end-user comment is added to an incident to have our system automatically email the analyst when a comment is added to the incident's action log.

I would like to also be able to automatically email the assigned-to user of a Problem when a comment is added to the associated Problem's action log.

Anyone know how to accomplish this?

What condition on a Hyper-V host would cause high CPU utilization in guests

Posted: 17 May 2022 04:03 AM PDT

I have an odd situation here, so I thought I'd see if anyone else has run into it. I have a Hyper-V host (2012) that had two VMs on it, one of which was an Exchange 2013 server. The other is a 2012 file server. The Exchange server has been pegged at 100% CPU utilization, the file server at about 50%.

As a test I built a Windows 2012 R2 server, and being a fresh install doing exactly nothing, it had CPU utilization of 10-15%.

I have been troubleshooting with MS thinking it was something on the Exchange server causing the issue. But today I moved it (using Hyper-V move while it was running) to another (similar hardware) Hyper-V host, and the utilization has dropped to 2%.

The hardware is roughly equivalent but not exactly the same.

Multiple subnets on a single interface in EC2

Posted: 17 May 2022 04:03 AM PDT

I'm currently working on setting up a QA environment on EC2 alongside our production environment. All of the instances are within a VPC setup, with the following subnets:

10.0.83.0/24 - Production
10.0.81.0/24 - QA

I have an EC2 instance running as a gateway machine that already has 2 NICs, which seems to be the limit (one NIC for the external IP, the other for internal). My initial plan was to just add another NIC in the 10.0.81.0/24 subnet, but that seems to be impossible.

So, my next plan was to add the new IP to the existing internal NIC, which results in this config:

eth1      Link encap:Ethernet  HWaddr 06:84:b1:68:6a:72
          inet addr:10.0.83.10  Bcast:10.0.83.255  Mask:255.255.255.0
eth1:0    Link encap:Ethernet  HWaddr 06:84:b1:68:6a:72
          inet addr:10.0.81.10  Bcast:10.0.81.255  Mask:255.255.255.0

And then ensuring the virtual NIC is in the correct security groups. The routing table appears correct:

10.0.83.0       *               255.255.255.0   U     203    0        0 eth1
10.0.81.0       *               255.255.255.0   U     0      0        0 eth1

I then set up shorewall for the new address, and restarted it:

/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
....
-       eth1            10.0.83.255,10.0.81.255 logmartians
....

/etc/shorewall/hosts
#ZONE   HOST(S)                                 OPTIONS
loc     eth1:10.0.83.0/24
qa      eth1:10.0.81.0/24

/etc/shorewall/policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
qa      net     ACCEPT
$FW     qa      ACCEPT

The generated iptables rules appear sane; however, I do not have connectivity to the 10.0.81.0/24 subnet (either pinging or nmap).

Anyone have experience with a setup like this in EC2, that can hopefully point out something obvious I'm missing?
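A kernel alias like eth1:0 is invisible to the VPC: EC2 only delivers packets to private addresses that are assigned to the elastic network interface itself, and those addresses must come from the subnet the ENI was created in. So before debugging shorewall it is worth comparing what the kernel thinks eth1 has with what the ENI actually owns. The script below is an added example, not part of the post: it reads the ENI's address list from the instance metadata service and prints every kernel-configured address the VPC does not know about. The interface name and addresses follow the post; the IMDS paths are the documented EC2 metadata paths, and the comparison function is pure awk so it can be exercised without an instance.

```sh
#!/bin/sh
# Added example, not from the post: find IPv4 addresses configured on an
# interface that are not assigned to its ENI (the VPC will not route to them).
# Needs ip (iproute2) and curl; runs on the instance itself.
IMDS=http://169.254.169.254/latest

# kernel_addrs IFACE: IPv4 addresses the kernel has on IFACE, one per line,
# including old-style aliases such as eth1:0 (ip lists them under the parent).
kernel_addrs() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# eni_addrs IFACE: private IPv4 addresses the VPC has assigned to the ENI
# behind IFACE, from instance metadata. Tries an IMDSv2 token first and falls
# back to the plain IMDSv1 request if the instance does not hand one out.
eni_addrs() {
    mac=$(cat "/sys/class/net/$1/address")
    token=$(curl -sf -X PUT "$IMDS/api/token" \
                 -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null)
    if [ -n "$token" ]; then
        curl -sf -H "X-aws-ec2-metadata-token: $token" \
             "$IMDS/meta-data/network/interfaces/macs/$mac/local-ipv4s"
    else
        curl -sf "$IMDS/meta-data/network/interfaces/macs/$mac/local-ipv4s"
    fi
}

# unassigned_addrs KERNEL ENI: print each address in KERNEL (newline separated)
# that does not appear in ENI. Pure awk, so it can be tested on any host.
unassigned_addrs() {
    printf '%s\n' "$1" | awk -v eni="$2" '
        BEGIN { n = split(eni, a, "\n"); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        NF && !($1 in known) { print $1 }'
}

# check_iface IFACE: report, with a non-zero status, any kernel address the
# ENI does not own.
check_iface() {
    missing=$(unassigned_addrs "$(kernel_addrs "$1")" "$(eni_addrs "$1")")
    if [ -n "$missing" ]; then
        echo "configured on $1 but not assigned to its ENI:"
        echo "$missing"
        return 1
    fi
    echo "every address on $1 is assigned to its ENI"
}

if [ -n "${1:-}" ]; then
    check_iface "$1"
fi
```

Run it as `sh eni_check.sh eth1` on the gateway instance. With the configuration from the post the expected output is 10.0.81.10 listed as unassigned, because a secondary IP in 10.0.81.0/24 cannot be attached to an ENI that lives in 10.0.83.0/24; the usual way to make one instance reach both subnets is to keep its addresses in its own subnet and add a route for the other subnet in the VPC route table (or use a second ENI in that subnet, where the instance type allows it), rather than an alias on the kernel side.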

SSD TRIM Support in Snow Leopard

Posted: 17 May 2022 03:48 AM PDT

Does Mac OS X Snow Leopard officially support SSD TRIM yet? If not, is there an expected availability? Also, is there a brand of SSD that is most compatible with a late-2009 Mac Pro?
