Sunday, June 12, 2022

Recent Questions - Server Fault

Route UDP traffic through one IP and TCP traffic through another

Posted: 12 Jun 2022 06:13 PM PDT

Let's say I have 1 server with 3 IP addresses assigned to it. I install OpenVPN on this server and use it (obviously) as a VPN server.

I connect to OpenVPN through IP #1. How do I route ALL UDP traffic through IP #2 and ALL TCP traffic through IP #3?

This way, when I play games and connect to other UDP-based services the traffic will go through IP #2, and all of my normal web browsing port 80/443 (and other tcp traffic) will be routed through IP #3.

UDP-based applications will only see IP #2 and TCP-based applications will only see IP #3. NOBODY will see IP #1.

Naturally, IP #2 will route all UDP traffic back to IP #1 and IP #3 will route all TCP traffic back to IP #1.

Setting up the VPN server is no issue. I have a problem, however, routing the traffic through the appropriate IP addresses according to the protocol (udp or tcp).

I'm using Ubuntu 22.04 and occasionally would be using Ubuntu 20.04.

This is certainly a more complex topic than others, and any assistance is appreciated!
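Protocol-based source NAT on the OpenVPN server, as an added example that is not part of the post. It assumes a 10.8.0.0/24 tunnel subnet on tun0, eth0 as the public interface, and 203.0.113.2 / 203.0.113.3 as stand-ins for IP #2 and IP #3; the function prints the rules so they can be reviewed, and `--apply` runs them.

```shell
#!/bin/sh
# Added example (not from the post): source-NAT the VPN clients' traffic by
# protocol on the OpenVPN server. Assumptions (not given in the question):
# tunnel subnet 10.8.0.0/24 on tun0, public interface eth0, and the three
# public addresses are stand-ins from the 203.0.113.0/24 documentation range.
VPN_NET="10.8.0.0/24"
WAN_IF="eth0"
IP2="203.0.113.2"   # IP #2: UDP egress
IP3="203.0.113.3"   # IP #3: TCP egress, and every other protocol, so IP #1 never leaks

# Print the rules instead of applying them, so they can be reviewed (and tested)
# before touching a live firewall. Order matters: protocol-specific SNAT first,
# then a catch-all for ICMP and anything else that would otherwise exit via IP #1.
#   $1 tunnel subnet, $2 public interface, $3 UDP source IP, $4 TCP source IP
snat_rules() {
  net="$1"; wan="$2"; udp_ip="$3"; tcp_ip="$4"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o tun0 -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -p udp -j SNAT --to-source $udp_ip
iptables -t nat -A POSTROUTING -s $net -o $wan -p tcp -j SNAT --to-source $tcp_ip
iptables -t nat -A POSTROUTING -s $net -o $wan -j SNAT --to-source $tcp_ip
EOF
}

# Replies to SNATed flows are mapped back to the client by conntrack (the NAT is
# undone in PREROUTING before the packet reaches FORWARD), which is what makes
# "IP #2 routes UDP back" and "IP #3 routes TCP back" work without extra rules.
# The OpenVPN listener itself should bind only IP #1 ("local <IP #1>" in
# server.conf) so the VPN endpoint never answers on #2 or #3.
case "${1-}" in
  --apply) snat_rules "$VPN_NET" "$WAN_IF" "$IP2" "$IP3" | sh -e ;;
  *)       snat_rules "$VPN_NET" "$WAN_IF" "$IP2" "$IP3" ;;
esac
```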

Find device source of the last inserted USB drive

Posted: 12 Jun 2022 06:17 PM PDT

To eventually put into a bash script and/or Makefile, I'm wanting to find the device source of the last inserted USB drive on a Debian system.

It will most likely be /dev/sdb1, but rather than assuming & hardcoding this, I'd like to find the device source programmatically, if possible.

I can see a list of mount points using findmnt and spot the USB drive by eye in that list, but there doesn't seem to be a robust way to search using findmnt unless you know either the USB drive's "target" or "source" field value exactly (e.g. /media/n/Thtw), which we can't know dynamically:


Some guides I looked at online mentioned you could trawl the output of dmesg to get information about the last inserted USB device, and that looks promising (because there's a sdb: sdb1 line, and entries are logged by time), but how/what to pattern match for such output given it would probably be most sensible to look for entries after, say, usb-storage first for context, and it could be a variable amount of lines before we get to the sdb: sdbX entry?


Any ideas? Or better yet, is there a tool specifically for this job (preferably one that bundles with Debian by default) that I am yet to discover?

Thanks!
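One way to do the dmesg pattern match the question asks about, as an added example that is not part of the post: only partition-table lines that come after the most recent usb-storage attach message are considered, so disks enumerated at boot are ignored. The dmesg lines below are constructed; the function name and the /dev/ prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): pick the partition of the most recently
# attached USB mass-storage device out of dmesg output. Only lines that follow
# the last "usb-storage ... USB Mass Storage device detected" message count, so
# internal disks enumerated at boot (sda below) are ignored.
last_usb_partition() {
  awk '
    /usb-storage .*USB Mass Storage device detected/ { in_usb = 1; part = ""; next }
    # Partition-table line, e.g. " sdb: sdb1 sdb2": take the first partition after "sdb:"
    in_usb && / sd[a-z]+: sd[a-z]+[0-9]/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^sd[a-z]+:$/ && $(i + 1) ~ /^sd[a-z]+[0-9]+$/) { part = $(i + 1); break }
    }
    END { if (part == "") exit 1; print "/dev/" part }
  '
}

# Constructed sample in "dmesg -T" style: an internal disk at boot, then two USB
# sticks plugged in one after the other; the second one (sdc) is the answer.
SAMPLE_DMESG='[Sun Jun 12 10:01:02 2022] sd 0:0:0:0: [sda] Attached SCSI disk
[Sun Jun 12 10:01:02 2022]  sda: sda1 sda2
[Sun Jun 12 11:20:15 2022] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[Sun Jun 12 11:20:15 2022] usb-storage 1-1:1.0: USB Mass Storage device detected
[Sun Jun 12 11:20:16 2022] sd 6:0:0:0: [sdb] 15633408 512-byte logical blocks: (8.00 GB/7.45 GiB)
[Sun Jun 12 11:20:16 2022]  sdb: sdb1
[Sun Jun 12 11:20:16 2022] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[Sun Jun 12 11:42:40 2022] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[Sun Jun 12 11:42:40 2022] usb-storage 1-2:1.0: USB Mass Storage device detected
[Sun Jun 12 11:42:41 2022] sd 7:0:0:0: [sdc] 60437492 512-byte logical blocks: (30.9 GB/28.8 GiB)
[Sun Jun 12 11:42:41 2022]  sdc: sdc1
[Sun Jun 12 11:42:41 2022] sd 7:0:0:0: [sdc] Attached SCSI removable disk'

# Real usage: dev=$(dmesg | last_usb_partition) && findmnt -n -o TARGET "$dev"
printf '%s\n' "$SAMPLE_DMESG" | last_usb_partition
```

Newer kernels may restrict dmesg to root, and the ring buffer can wrap; `lsblk -o NAME,TRAN,TYPE` (TRAN shows usb) and `udevadm info` answer the same question from sysfs without scraping the log.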

How to create a working initial app release with Firebase OTP and Google App Signing without re-releasing?

Posted: 12 Jun 2022 05:33 PM PDT

I have a white-label app that uses OTP phone verification via Firebase. I plan to brand and publish this app several times with distinguishable icons and themes under different names.

I want to use Google App Signing in which I release a bundle file (.aab) and let Google sign the application for me. This is what Google recommends, because it will prevent the keystore from being leaked / exploited. After all, using Google App Signing will streamline the publishing experience, since Apple will sign my app for the App Store as well. I also want to restrict my Firebase API key that is added in the Google Cloud.

In summary: the SHA-1 and SHA-256 signature hashes from Google's keystore need to be added in the project settings of Firebase and in the app restriction section of my Firebase API key within the Google Cloud Credentials dashboard, because only then can I use the Firebase OTP phone verification. However, I also have to download the google-services.json and add it to my app build. If I don't do the last step, I will still get the error:

E FirebaseAuth [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17499 Requests from this Android client application are blocked.

To fix this, I have to provide the SHA-1 and SHA-256 hash to Firebase before building my app, since I have to download and add the google-services.json to my build after this step. The crux is, I cannot obtain the signing hashes before creating a release:

App Integrity before creating a release in Play Store Console

Long story short: I have to create a release with a wrong google-services.json to be able to obtain my SHA-1 and SHA-256, which I then add in Firebase, re-download my now correct google-services.json just to create another release and to fix my app?

This is a heavy additional step that feels absolutely unnecessary and hindering for mass publishing.

Is there any way to circumvent this terrible design choice by Google to make my app work with OTP Firebase phone verification on the initial release when using Google App Signing?

Breakdown of AWS S3 DataTransfer-Out-Bytes costs per object

Posted: 12 Jun 2022 05:24 PM PDT

I have an app where various customers upload files to a single S3 bucket in my AWS account. Over time the costs of DataTransfer-Out-Bytes have grown and I want to see if there's some way to understand which objects/URLs are getting the most traffic or contributing the most to costs.

I found a way to get per-bucket cost breakdown but is there any way to get an idea of which objects/URLs are contributing the most toward the costs (or receiving the most traffic)?
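Aggregating egress per object from S3 server access logs, as an added example that is not part of the post. It assumes server access logging is (or gets) enabled for the bucket and that object keys contain no spaces; the log lines are constructed in the documented field order with placeholder ids.

```shell
#!/bin/sh
# Added example (not from the post): rank objects by bytes served, from S3
# server access logs. This needs server access logging enabled on the bucket
# (aws s3api put-bucket-logging); CloudTrail data events carry no byte counts.
# Assumption: the request-URI field is the usual three tokens ("GET /key HTTP/1.1"),
# so with whitespace splitting the operation is $8, the key $9, the status $13
# and "Bytes Sent" $15. Keys or URIs containing spaces would shift the fields.
top_egress_keys() {
  awk '
    $8 == "REST.GET.OBJECT" && $15 ~ /^[0-9]+$/ {
      bytes[$9] += $15; hits[$9]++
    }
    END { for (k in bytes) printf "%d %d %s\n", bytes[k], hits[k], k }
  ' | sort -rn
}

# Constructed sample lines in the S3 server access log field order (owner id and
# request ids are placeholders; the byte counts are chosen, not real).
S3_SAMPLE='OWNERID examplebucket [12/Jun/2022:18:00:01 +0000] 192.0.2.10 - REQID1 REST.GET.OBJECT uploads/report.pdf "GET /examplebucket/uploads/report.pdf HTTP/1.1" 200 - 1048576 1048576 40 12 "-" "curl/7.68.0" - - - - - - -
OWNERID examplebucket [12/Jun/2022:18:00:07 +0000] 192.0.2.11 - REQID2 REST.GET.OBJECT uploads/photo.jpg "GET /examplebucket/uploads/photo.jpg HTTP/1.1" 200 - 524288 524288 20 8 "-" "Mozilla/5.0" - - - - - - -
OWNERID examplebucket [12/Jun/2022:18:00:09 +0000] 192.0.2.10 - REQID3 REST.PUT.OBJECT uploads/new.bin "PUT /examplebucket/uploads/new.bin HTTP/1.1" 200 - - 2097152 90 30 "-" "aws-sdk-go/1.44" - - - - - - -
OWNERID examplebucket [12/Jun/2022:18:00:12 +0000] 198.51.100.7 - REQID4 REST.GET.OBJECT uploads/report.pdf "GET /examplebucket/uploads/report.pdf HTTP/1.1" 200 - 1048576 1048576 38 11 "-" "curl/7.68.0" - - - - - - -
OWNERID examplebucket [12/Jun/2022:18:00:15 +0000] 198.51.100.7 - REQID5 REST.GET.OBJECT uploads/missing.pdf "GET /examplebucket/uploads/missing.pdf HTTP/1.1" 404 NoSuchKey 289 - 5 - "-" "curl/7.68.0" - - - - - - -
OWNERID examplebucket [12/Jun/2022:18:00:20 +0000] 198.51.100.7 - REQID6 REST.GET.OBJECT uploads/report.pdf "GET /examplebucket/uploads/report.pdf HTTP/1.1" 200 - 1048576 1048576 41 12 "-" "curl/7.68.0" - - - - - - -'

# Real usage, after syncing the log prefix locally:
#   aws s3 sync s3://my-log-bucket/s3-access/ ./logs/ && cat ./logs/* | top_egress_keys | head
# Output columns: bytes sent, request count, key.
printf '%s\n' "$S3_SAMPLE" | top_egress_keys
```

At scale the same aggregation is a GROUP BY over the access logs in Athena; one key dominating egress is also the signature of a hotlinked or scraped public object, which presigned URLs with a short expiry would bound.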

Google Kubernetes Engine - cannot see logs containing pod's output

Posted: 12 Jun 2022 04:45 PM PDT

In a freshly installed cluster (Kubernetes version: v1.22.8-gke.201) I have the following test deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  labels:
    app: busybox
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      containers:
        - name: busybox
          image: busybox:latest
          imagePullPolicy: IfNotPresent
          command: ['sh', '-c', 'while true; do printf "$(date +%Y-%m-%d\ %H:%M:%S\ %Z) => your lucky number is: $RANDOM\n"; sleep 5; done']

I can see output produced by the pod using:

kubectl logs <pod_name>  

But in the console, after going to Kubernetes Engine -> Workloads, in the Overview tab, Logs, clicking the Container Logs link redirects to Operations Logging, and all Logs Explorer returns is: 'No data found'.

In Cluster details, section Features, Cloud Logging is enabled and Components set as 'System and Workloads' (which is the default).

What else should be done to be able to see the pod's output in Logs Explorer?

Linux Routing "L3 Switch on a stick", single interface

Posted: 12 Jun 2022 03:57 PM PDT

I am trying to set up a Debian VM to behave essentially like an L3 switch, but with a single physical interface for multiple VLANs.

I'd like the VM to act as the gateway for each VLAN, and send anything it doesn't know how to route to the main router, both for inter-VLAN and internet-bound traffic.

I have four interfaces:

  • ens18 - vid 1 - 10.0.0.254
  • ens18.10 - vid 10 - 10.0.1.254
  • ens18.20 - vid 20 - 10.0.2.254
  • ens18.30 - vid 30 - 10.0.3.254

The following is happening:

  • Interfaces can ping devices within their same vlan segment
  • Interfaces can ping the main router on its main address and vlan addresses
  • Interfaces cannot ping anything beyond their vlan segment, including the internet

Is there anything special I need to do as far as routing goes? I can't add multiple default gateways, but I know I can add extra routing tables; however, I've had no such luck with this.

Apache on Debian: server flooded by a lot of 400s, how to protect from it?

Posted: 12 Jun 2022 04:19 PM PDT

My HTTPS server has been experiencing slowness for a few days, so I consulted the log file (the access.log, I use apache2). And I found out that my server is flooded by a lot of 400s:


If I change the Apache config to stop listening on port 443, the flood of queries stops (but my website becomes inaccessible x) )

I tried to add some iptables rules. For example, I tried these rules:

/sbin/iptables -N SYN_FLOOD
/sbin/iptables -A INPUT -p tcp --syn -j SYN_FLOOD
/sbin/iptables -A SYN_FLOOD -m limit --limit 10/s --limit-burst 10 -j RETURN
/sbin/iptables -A SYN_FLOOD -j DROP

(source)

When I add the last rule (-A SYN_FLOOD -j DROP), the flood stopped (great!) but my website became inaccessible again :/

My knowledge of server administration and the iptables command is very limited... Why does my website become inaccessible after these rules? What should I modify? Maybe the use of iptables is not a good approach for my issue?

Thanks for any help/explanation :)
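A per-source alternative to the global SYN_FLOOD chain, as an added example that is not part of the post: `-m limit` keeps one counter for all sources, so once the flood uses up the 10/s allowance every new connection, legitimate or not, reaches the DROP rule, which is consistent with the site going dark. The function prints the rules (assumed public interface eth0; thresholds are starting points) so they can be reviewed before applying.

```shell
#!/bin/sh
# Added example (not from the post): limit NEW connections to 443 per source
# address. The post's SYN_FLOOD chain uses "-m limit", which keeps one counter
# for all sources, so once the flood uses up the 10/s allowance every new
# connection, including legitimate ones, is dropped. Assumptions: public
# interface eth0; the thresholds are starting points to tune from the logs.
WAN_IF="eth0"

# Print the rules rather than applying them so they can be reviewed first.
# These append (-A); on a chain that already has rules, use -I to place the
# ESTABLISHED accept and the jump before any earlier DROP.
#   $1 interface, $2 per-source rate (e.g. 10/sec), $3 burst,
#   $4 max concurrent connections per source
https_limit_rules() {
  wan="$1"; rate="$2"; burst="$3"; max_conn="$4"
  cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N HTTPS_LIMIT
iptables -A INPUT -i $wan -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j HTTPS_LIMIT
iptables -A HTTPS_LIMIT -m connlimit --connlimit-above $max_conn --connlimit-mask 32 -j DROP
iptables -A HTTPS_LIMIT -m hashlimit --hashlimit-name https_new --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j RETURN
iptables -A HTTPS_LIMIT -j DROP
iptables -A INPUT -i $wan -p tcp --dport 443 -j ACCEPT
EOF
}

# Established flows are accepted first, so only handshakes are ever rate-limited
# and an open browser session is never cut off. A source that stays under the
# rate RETURNs to INPUT and is accepted by the final rule; one that exceeds it
# (or holds too many open connections) is dropped without touching anyone else's bucket.
case "${1-}" in
  --apply) https_limit_rules "$WAN_IF" 10/sec 20 50 | sh -e ;;
  *)       https_limit_rules "$WAN_IF" 10/sec 20 50 ;;
esac
```

Since the access.log shows completed requests answered with 400, those connections survive the TCP handshake, so pairing this with an application-layer control such as fail2ban matching repeated 400s per source address is the more targeted fix; ip6tables needs the same rules if the site is reachable over IPv6.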

dsregcmd on windows server core

Posted: 12 Jun 2022 01:41 PM PDT

I have installed windows server core 2022 (standard) and successfully joined it to a domain as a member server.

I'm now trying to use dsregcmd /status to show the domain join status.

For some reason, the C:\Windows\system32\dsregcmd.exe binary is missing on this server.

Is it normal that dsregcmd is not available on this edition of windows server?

I have checked and can confirm that it is present on the non-core edition of windows server 2022.

Why does my OpenVPN not route the network behind?

Posted: 12 Jun 2022 02:31 PM PDT

I have an OpenVPN network with some clients. One of the clients has a full network with printers. The server is running on Ubuntu 20.04 LTS and the print server on Debian 8.11.

The server.conf looks like this:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.170.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.133.10.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem

The print server's client.conf looks like this:

dev tun
proto tcp
remote 168.119.40.249 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 5
pull-filter ignore redirect-gateway

Still, not even the server can ping any of the printers.

I assumed that the route may not have been added, but it is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth2
10.133.10.0     10.170.0.1      255.255.255.0   UG    0      0        0 tun0
10.133.10.0     0.0.0.0         255.255.254.0   U     0      0        0 eth1
10.170.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2

Also, I added the following to the print server's iptables: -A INPUT -s 10.170.0.0/24 -j ACCEPT

Still, the print server can ping the printer:

ping 10.133.10.1
PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
64 bytes from 10.133.10.1: icmp_seq=1 ttl=64 time=0.149 ms
64 bytes from 10.133.10.1: icmp_seq=2 ttl=64 time=0.139 ms
64 bytes from 10.133.10.1: icmp_seq=3 ttl=64 time=0.128 ms

But the OpenVPN server (or any client) can't:

ping 10.133.10.1
PING 10.133.10.1 (10.133.10.1) 56(84) bytes of data.
^C
--- 10.133.10.1 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12281ms

The logs of the client OpenVPN:

openvpn /etc/openvpn/server.conf
Sun Jun 12 20:44:33 2022 us=251723 Current Parameter Settings:
Sun Jun 12 20:44:33 2022 us=251924   config = '/etc/openvpn/server.conf'
Sun Jun 12 20:44:33 2022 us=251980   mode = 0
Sun Jun 12 20:44:33 2022 us=252029   persist_config = DISABLED
Sun Jun 12 20:44:33 2022 us=252079   persist_mode = 1
Sun Jun 12 20:44:33 2022 us=252125   show_ciphers = DISABLED
Sun Jun 12 20:44:33 2022 us=252179   show_digests = DISABLED
Sun Jun 12 20:44:33 2022 us=252225   show_engines = DISABLED
Sun Jun 12 20:44:33 2022 us=252270   genkey = DISABLED
Sun Jun 12 20:44:33 2022 us=252318   key_pass_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252363   show_tls_ciphers = DISABLED
Sun Jun 12 20:44:33 2022 us=252410   connect_retry_max = 0
Sun Jun 12 20:44:33 2022 us=252456 Connection profiles [0]:
Sun Jun 12 20:44:33 2022 us=252502   proto = tcp-client
Sun Jun 12 20:44:33 2022 us=252547   local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252592   local_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=252637   remote = '168.119.40.249'
Sun Jun 12 20:44:33 2022 us=252686   remote_port = '1194'
Sun Jun 12 20:44:33 2022 us=252732   remote_float = DISABLED
Sun Jun 12 20:44:33 2022 us=252776   bind_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=252822   bind_local = DISABLED
Sun Jun 12 20:44:33 2022 us=252867   bind_ipv6_only = DISABLED
Sun Jun 12 20:44:33 2022 us=252914   connect_retry_seconds = 5
Sun Jun 12 20:44:33 2022 us=252959   connect_timeout = 120
Sun Jun 12 20:44:33 2022 us=253006   socks_proxy_server = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253052   socks_proxy_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253100   tun_mtu = 1500
Sun Jun 12 20:44:33 2022 us=253164   tun_mtu_defined = ENABLED
Sun Jun 12 20:44:33 2022 us=253211   link_mtu = 1500
Sun Jun 12 20:44:33 2022 us=253264   link_mtu_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=253311   tun_mtu_extra = 0
Sun Jun 12 20:44:33 2022 us=253365   tun_mtu_extra_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=253419   mtu_discover_type = -1
Sun Jun 12 20:44:33 2022 us=253465   fragment = 0
Sun Jun 12 20:44:33 2022 us=253519   mssfix = 1450
Sun Jun 12 20:44:33 2022 us=253573   explicit_exit_notification = 0
Sun Jun 12 20:44:33 2022 us=253626 Connection profiles END
Sun Jun 12 20:44:33 2022 us=253680   remote_random = DISABLED
Sun Jun 12 20:44:33 2022 us=253732   ipchange = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253784   dev = 'tun'
Sun Jun 12 20:44:33 2022 us=253835   dev_type = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253889   dev_node = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253941   lladdr = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=253995   topology = 1
Sun Jun 12 20:44:33 2022 us=254046   ifconfig_local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254100   ifconfig_remote_netmask = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254157   ifconfig_noexec = DISABLED
Sun Jun 12 20:44:33 2022 us=254210   ifconfig_nowarn = DISABLED
Sun Jun 12 20:44:33 2022 us=254264   ifconfig_ipv6_local = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254318   ifconfig_ipv6_netbits = 0
Sun Jun 12 20:44:33 2022 us=254370   ifconfig_ipv6_remote = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=254423   shaper = 0
Sun Jun 12 20:44:33 2022 us=254470   mtu_test = 0
Sun Jun 12 20:44:33 2022 us=254514   mlock = DISABLED
Sun Jun 12 20:44:33 2022 us=254559   keepalive_ping = 0
Sun Jun 12 20:44:33 2022 us=254605   keepalive_timeout = 0
Sun Jun 12 20:44:33 2022 us=254650   inactivity_timeout = 0
Sun Jun 12 20:44:33 2022 us=254728   ping_send_timeout = 0
Sun Jun 12 20:44:33 2022 us=254774   ping_rec_timeout = 0
Sun Jun 12 20:44:33 2022 us=254819   ping_rec_timeout_action = 0
Sun Jun 12 20:44:33 2022 us=254911   ping_timer_remote = DISABLED
Sun Jun 12 20:44:33 2022 us=254963   remap_sigusr1 = 0
Sun Jun 12 20:44:33 2022 us=255007   persist_tun = ENABLED
Sun Jun 12 20:44:33 2022 us=255051   persist_local_ip = DISABLED
Sun Jun 12 20:44:33 2022 us=255106   persist_remote_ip = DISABLED
Sun Jun 12 20:44:33 2022 us=255153   persist_key = ENABLED
Sun Jun 12 20:44:33 2022 us=255201   passtos = DISABLED
Sun Jun 12 20:44:33 2022 us=255248   resolve_retry_seconds = 1000000000
Sun Jun 12 20:44:33 2022 us=255295   resolve_in_advance = DISABLED
Sun Jun 12 20:44:33 2022 us=255341   username = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255396   groupname = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255450   chroot_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255498   cd_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255554   writepid = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255603   up_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255648   down_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=255699   down_pre = DISABLED
Sun Jun 12 20:44:33 2022 us=255744   up_restart = DISABLED
Sun Jun 12 20:44:33 2022 us=255790   up_delay = DISABLED
Sun Jun 12 20:44:33 2022 us=255835   daemon = DISABLED
Sun Jun 12 20:44:33 2022 us=255882   inetd = 0
Sun Jun 12 20:44:33 2022 us=255939   log = DISABLED
Sun Jun 12 20:44:33 2022 us=256001   suppress_timestamps = DISABLED
Sun Jun 12 20:44:33 2022 us=256053   machine_readable_output = DISABLED
Sun Jun 12 20:44:33 2022 us=256111   nice = 0
Sun Jun 12 20:44:33 2022 us=256164   verbosity = 5
Sun Jun 12 20:44:33 2022 us=256210   mute = 0
Sun Jun 12 20:44:33 2022 us=256268   gremlin = 0
Sun Jun 12 20:44:33 2022 us=256318   status_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256364   status_file_version = 1
Sun Jun 12 20:44:33 2022 us=256417   status_file_update_freq = 60
Sun Jun 12 20:44:33 2022 us=256469   occ = ENABLED
Sun Jun 12 20:44:33 2022 us=256515   rcvbuf = 0
Sun Jun 12 20:44:33 2022 us=256561   sndbuf = 0
Sun Jun 12 20:44:33 2022 us=256606   mark = 0
Sun Jun 12 20:44:33 2022 us=256656   sockflags = 0
Sun Jun 12 20:44:33 2022 us=256700   fast_io = DISABLED
Sun Jun 12 20:44:33 2022 us=256756   comp.alg = 0
Sun Jun 12 20:44:33 2022 us=256807   comp.flags = 0
Sun Jun 12 20:44:33 2022 us=256851   route_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256905   route_default_gateway = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=256958   route_default_metric = 0
Sun Jun 12 20:44:33 2022 us=257009   route_noexec = DISABLED
Sun Jun 12 20:44:33 2022 us=257056   route_delay = 0
Sun Jun 12 20:44:33 2022 us=257109   route_delay_window = 30
Sun Jun 12 20:44:33 2022 us=257161   route_delay_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=257212   route_nopull = DISABLED
Sun Jun 12 20:44:33 2022 us=257263   route_gateway_via_dhcp = DISABLED
Sun Jun 12 20:44:33 2022 us=257313   allow_pull_fqdn = DISABLED
Sun Jun 12 20:44:33 2022 us=257358   Pull filters:
Sun Jun 12 20:44:33 2022 us=257411     ignore "redirect-gateway"
Sun Jun 12 20:44:33 2022 us=257462   management_addr = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257507   management_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257560   management_user_pass = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257612   management_log_history_cache = 250
Sun Jun 12 20:44:33 2022 us=257660   management_echo_buffer_size = 100
Sun Jun 12 20:44:33 2022 us=257801   management_write_peer_info_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257849   management_client_user = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257896   management_client_group = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=257945   management_flags = 0
Sun Jun 12 20:44:33 2022 us=257990   shared_secret_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=258036   key_direction = not set
Sun Jun 12 20:44:33 2022 us=258097   ciphername = 'AES-256-CBC'
Sun Jun 12 20:44:33 2022 us=258143   ncp_enabled = ENABLED
Sun Jun 12 20:44:33 2022 us=258189   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Jun 12 20:44:33 2022 us=258235   authname = 'SHA512'
Sun Jun 12 20:44:33 2022 us=258282   prng_hash = 'SHA1'
Sun Jun 12 20:44:33 2022 us=258329   prng_nonce_secret_len = 16
Sun Jun 12 20:44:33 2022 us=258381   keysize = 0
Sun Jun 12 20:44:33 2022 us=258432   engine = DISABLED
Sun Jun 12 20:44:33 2022 us=258478   replay = ENABLED
Sun Jun 12 20:44:33 2022 us=258532   mute_replay_warnings = DISABLED
Sun Jun 12 20:44:33 2022 us=258584   replay_window = 64
Sun Jun 12 20:44:33 2022 us=258630   replay_time = 15
Sun Jun 12 20:44:33 2022 us=258674   packet_id_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=258725   use_iv = ENABLED
Sun Jun 12 20:44:33 2022 us=258776   test_crypto = DISABLED
Sun Jun 12 20:44:33 2022 us=258828   tls_server = DISABLED
Sun Jun 12 20:44:33 2022 us=258909   tls_client = ENABLED
Sun Jun 12 20:44:33 2022 us=258956   key_method = 2
Sun Jun 12 20:44:33 2022 us=259002   ca_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259058   ca_path = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259110   dh_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259161   cert_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259208   extra_certs_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259257   priv_key_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=259302   pkcs12_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259347   cipher_list = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259392   cipher_list_tls13 = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259443   tls_cert_profile = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259488   tls_verify = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259544   tls_export_cert = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259595   verify_x509_type = 0
Sun Jun 12 20:44:33 2022 us=259640   verify_x509_name = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259692   crl_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=259743   ns_cert_type = 0
Sun Jun 12 20:44:33 2022 us=259789   remote_cert_ku[i] = 65535
Sun Jun 12 20:44:33 2022 us=259840   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259886   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259938   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=259989   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260040   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260090   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260135   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260184   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260232   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260285   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260336   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260381   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260433   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260485   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260535   remote_cert_ku[i] = 0
Sun Jun 12 20:44:33 2022 us=260580   remote_cert_eku = 'TLS Web Server Authentication'
Sun Jun 12 20:44:33 2022 us=260634   ssl_flags = 0
Sun Jun 12 20:44:33 2022 us=260684   tls_timeout = 2
Sun Jun 12 20:44:33 2022 us=260729   renegotiate_bytes = -1
Sun Jun 12 20:44:33 2022 us=260783   renegotiate_packets = 0
Sun Jun 12 20:44:33 2022 us=260835   renegotiate_seconds = 3600
Sun Jun 12 20:44:33 2022 us=260882   handshake_window = 60
Sun Jun 12 20:44:33 2022 us=260935   transition_window = 3600
Sun Jun 12 20:44:33 2022 us=260986   single_session = DISABLED
Sun Jun 12 20:44:33 2022 us=261031   push_peer_info = DISABLED
Sun Jun 12 20:44:33 2022 us=261084   tls_exit = DISABLED
Sun Jun 12 20:44:33 2022 us=261134   tls_auth_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=261185   tls_crypt_file = '[[INLINE]]'
Sun Jun 12 20:44:33 2022 us=261237   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261284   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261337   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261388   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261433   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261483   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261530   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261578   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261626   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261684   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261736   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261787   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261832   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261885   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261935   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=261980   pkcs11_protected_authentication = DISABLED
Sun Jun 12 20:44:33 2022 us=262036   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262087   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262133   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262187   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262238   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262284   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262337   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262388   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262439   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262490   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262536   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262585   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262632   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262685   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262737   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262789   pkcs11_private_mode = 00000000
Sun Jun 12 20:44:33 2022 us=262840   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=262903   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=262952   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263006   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263056   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263101   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263153   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263203   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263249   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263301   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263352   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263397   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263449   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263500   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263546   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263593   pkcs11_cert_private = DISABLED
Sun Jun 12 20:44:33 2022 us=263641   pkcs11_pin_cache_period =  -1
Sun Jun 12 20:44:33 2022 us=263689   pkcs11_id = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=263744   pkcs11_id_management = DISABLED
Sun Jun 12 20:44:33 2022 us=263816   server_network = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=263867   server_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=263936   server_network_ipv6 = ::
Sun Jun 12 20:44:33 2022 us=263989   server_netbits_ipv6 = 0
Sun Jun 12 20:44:33 2022 us=264048   server_bridge_ip = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264103   server_bridge_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264156   server_bridge_pool_start = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264206   server_bridge_pool_end = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264256   ifconfig_pool_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=264305   ifconfig_pool_start = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264359   ifconfig_pool_end = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264409   ifconfig_pool_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=264459   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=264507   ifconfig_pool_persist_refresh_freq = 600
Sun Jun 12 20:44:33 2022 us=264559   ifconfig_ipv6_pool_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=264621   ifconfig_ipv6_pool_base = ::
Sun Jun 12 20:44:33 2022 us=264674   ifconfig_ipv6_pool_netbits = 0
Sun Jun 12 20:44:33 2022 us=264728   n_bcast_buf = 256
Sun Jun 12 20:44:33 2022 us=264779   tcp_queue_limit = 64
Sun Jun 12 20:44:33 2022 us=264830   real_hash_size = 256
Sun Jun 12 20:44:33 2022 us=264876   virtual_hash_size = 256
Sun Jun 12 20:44:33 2022 us=264928   client_connect_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=264975   learn_address_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265028   client_disconnect_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265079   client_config_dir = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265126   ccd_exclusive = DISABLED
Sun Jun 12 20:44:33 2022 us=265176   tmp_dir = '/tmp'
Sun Jun 12 20:44:33 2022 us=265221   push_ifconfig_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=265275   push_ifconfig_local = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=265325   push_ifconfig_remote_netmask = 0.0.0.0
Sun Jun 12 20:44:33 2022 us=265375   push_ifconfig_ipv6_defined = DISABLED
Sun Jun 12 20:44:33 2022 us=265425   push_ifconfig_ipv6_local = ::/0
Sun Jun 12 20:44:33 2022 us=265479   push_ifconfig_ipv6_remote = ::
Sun Jun 12 20:44:33 2022 us=265524   enable_c2c = DISABLED
Sun Jun 12 20:44:33 2022 us=265576   duplicate_cn = DISABLED
Sun Jun 12 20:44:33 2022 us=265627   cf_max = 0
Sun Jun 12 20:44:33 2022 us=265679   cf_per = 0
Sun Jun 12 20:44:33 2022 us=265725   max_clients = 1024
Sun Jun 12 20:44:33 2022 us=265776   max_routes_per_client = 256
Sun Jun 12 20:44:33 2022 us=265827   auth_user_pass_verify_script = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=265874   auth_user_pass_verify_script_via_file = DISABLED
Sun Jun 12 20:44:33 2022 us=265925   auth_token_generate = DISABLED
Sun Jun 12 20:44:33 2022 us=265971   auth_token_lifetime = 0
Sun Jun 12 20:44:33 2022 us=266023   port_share_host = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266068   port_share_port = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266118   client = ENABLED
Sun Jun 12 20:44:33 2022 us=266164   pull = ENABLED
Sun Jun 12 20:44:33 2022 us=266209   auth_user_pass_file = '[UNDEF]'
Sun Jun 12 20:44:33 2022 us=266274 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 16 2020
Sun Jun 12 20:44:33 2022 us=266338 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Jun 12 20:44:33 2022 us=268773 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 12 20:44:33 2022 us=268919 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 12 20:44:33 2022 us=268984 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 12 20:44:33 2022 us=269048 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 12 20:44:33 2022 us=269273 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Sun Jun 12 20:44:33 2022 us=269401 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Sun Jun 12 20:44:33 2022 us=269514 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sun Jun 12 20:44:33 2022 us=269568 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sun Jun 12 20:44:33 2022 us=269655 TCP/UDP: Preserving recently used remote address: [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:33 2022 us=269754 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jun 12 20:44:33 2022 us=269811 Attempting to establish TCP connection with [AF_INET]168.119.40.249:1194 [nonblock]
Sun Jun 12 20:44:34 2022 us=270392 TCP connection established with [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:34 2022 us=270551 TCP_CLIENT link local: (not bound)
Sun Jun 12 20:44:34 2022 us=270595 TCP_CLIENT link remote: [AF_INET]168.119.40.249:1194
WRSun Jun 12 20:44:34 2022 us=295598 TLS: Initial packet from [AF_INET]168.119.40.249:1194, sid=524c914c 8714a143
WWRWRSun Jun 12 20:44:34 2022 us=367225 VERIFY OK: depth=1, CN=ChangeMe
Sun Jun 12 20:44:34 2022 us=368405 VERIFY KU OK
Sun Jun 12 20:44:34 2022 us=368498 Validating certificate extended key usage
Sun Jun 12 20:44:34 2022 us=368565 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jun 12 20:44:34 2022 us=368626 VERIFY EKU OK
Sun Jun 12 20:44:34 2022 us=368684 VERIFY OK: depth=0, CN=server
RWWWRRWRWSun Jun 12 20:44:34 2022 us=497066 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jun 12 20:44:34 2022 us=497258 [server] Peer Connection Initiated with [AF_INET]168.119.40.249:1194
Sun Jun 12 20:44:35 2022 us=670987 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
WRRSun Jun 12 20:44:35 2022 us=759338 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.133.10.0 255.255.255.0,sndbuf 512000,rcvbuf 512000,route-gateway 10.170.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.170.0.19 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Jun 12 20:44:35 2022 us=759756 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jun 12 20:44:35 2022 us=759832 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sun Jun 12 20:44:35 2022 us=759905 Socket Buffers: R=[372480->425984] S=[87040->425984]
Sun Jun 12 20:44:35 2022 us=759976 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jun 12 20:44:35 2022 us=760030 OPTIONS IMPORT: route options modified
Sun Jun 12 20:44:35 2022 us=760083 OPTIONS IMPORT: route-related options modified
Sun Jun 12 20:44:35 2022 us=760136 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jun 12 20:44:35 2022 us=760189 OPTIONS IMPORT: peer-id set
Sun Jun 12 20:44:35 2022 us=760243 OPTIONS IMPORT: adjusting link_mtu to 1626
Sun Jun 12 20:44:35 2022 us=760308 OPTIONS IMPORT: data channel crypto options modified
Sun Jun 12 20:44:35 2022 us=760379 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jun 12 20:44:35 2022 us=760481 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
Sun Jun 12 20:44:35 2022 us=760952 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 20:44:35 2022 us=761040 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jun 12 20:44:35 2022 us=761769 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth2 HWADDR=00:0d:b9:3d:e8:82
Sun Jun 12 20:44:35 2022 us=762707 TUN/TAP device tun0 opened
Sun Jun 12 20:44:35 2022 us=762822 TUN/TAP TX queue length set to 100
Sun Jun 12 20:44:35 2022 us=762965 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 12 20:44:35 2022 us=763065 /sbin/ip link set dev tun0 up mtu 1500
Sun Jun 12 20:44:35 2022 us=767441 /sbin/ip addr add dev tun0 10.170.0.19/24 broadcast 10.170.0.255
Sun Jun 12 20:44:35 2022 us=771677 /sbin/ip route add 10.133.10.0/24 via 10.170.0.1
Sun Jun 12 20:44:35 2022 us=775371 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jun 12 20:44:35 2022 us=775477 Initialization Sequence Completed

What am I doing wrong? I need to get it working for my final exam.

Edit1: I appended the following to the server.conf:

    client-config-dir /etc/openvpn/ccd
    log-append /var/log/openvpn.log
    route 10.133.10.0 255.255.255.0

I created the ccd directory and added a file named server_hq, which is the print server's CN (as shown in the logs).

This now contains:

    ifconfig-push 10.170.0.19 255.255.255.0
    iroute 10.133.10.0 255.255.255.0

Logs of the connection of server_hq (print server):

    Sun Jun 12 21:25:36 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19295
    Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 Connection reset, restarting [0]
    Sun Jun 12 21:28:18 2022 server_hq/<IP>:19295 SIGUSR1[soft,connection-reset] received, client-instance restarting
    Sun Jun 12 21:29:04 2022 TCP connection established with [AF_INET]<IP>:19294
    Sun Jun 12 21:29:05 2022 <IP>:19294 TLS: Initial packet from [AF_INET]<IP>:19294, sid=9264ab12 043d9161
    Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=1, CN=ChangeMe
    Sun Jun 12 21:29:05 2022 <IP>:19294 VERIFY OK: depth=0, CN=server_hq
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_VER=2.4.9
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PLAT=linux
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_PROTO=2
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_NCP=2
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZ4v2=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_LZO=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUB=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_COMP_STUBv2=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 peer info: IV_TCPNL=1
    Sun Jun 12 21:29:05 2022 <IP>:19294 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sun Jun 12 21:29:05 2022 <IP>:19294 [server_hq] Peer Connection Initiated with [AF_INET]<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/server_hq
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.170.0.19 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: primary virtual IP for server_hq/<IP>:19294: 10.170.0.19
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: internal route 10.133.10.0/24 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:05 2022 server_hq/<IP>:19294 MULTI: Learn: 10.133.10.0/24 -> server_hq/<IP>:19294
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 PUSH: Received control message: 'PUSH_REQUEST'
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 SENT CONTROL [server_hq]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,sndbuf 512000,rcvbuf 512000,route-gateway >
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Data Channel: using negotiated cipher 'AES-256-GCM'
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 21:29:06 2022 server_hq/<IP>:19294 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun Jun 12 21:29:25 2022 MULTI: Learn: 10.133.10.40 -> server_hq/<IP>:19294

Then I restarted both OpenVPNs and tried to ping one of the printers... without success.
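As an added example (not code from the question), a small Python check of the pairing OpenVPN needs for a site-to-site subnet: every ccd iroute must have a matching route in server.conf, and the ifconfig-push address must lie inside the server subnet. The server.conf and ccd text are constructed from the values in the question; the `server 10.170.0.0 255.255.255.0` line is an assumption taken from the pushed ifconfig in the log.

```python
"""Consistency check for OpenVPN site-to-site routing: server.conf 'route'
versus client-config-dir 'iroute'.  Added example, not part of the original
post; the configuration text below is constructed from the question."""
import ipaddress
import re

# Constructed from the question.  The 'server' line is an assumption derived
# from the pushed 'ifconfig 10.170.0.19 255.255.255.0' in the client log.
SERVER_CONF = """\
server 10.170.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
log-append /var/log/openvpn.log
route 10.133.10.0 255.255.255.0
"""
CCD_FILES = {
    "server_hq": """\
ifconfig-push 10.170.0.19 255.255.255.0
iroute 10.133.10.0 255.255.255.0
""",
}

# Directives of the form '<name> <address> <netmask>' that we care about.
_NET_RE = re.compile(r"^\s*(route|iroute|server|ifconfig-push)\s+(\S+)\s+(\S+)")


def _parse(text):
    """Return {directive: [ipaddress objects]} for route/iroute/server/ifconfig-push."""
    found = {"route": [], "iroute": [], "server": [], "ifconfig-push": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = _NET_RE.match(line)
        if not m:
            continue
        key, addr, mask = m.groups()
        if key == "ifconfig-push":
            found[key].append(ipaddress.ip_address(addr))
        else:
            found[key].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return found


def check_site_to_site(server_conf, ccd_files):
    """Return a list of problem strings; an empty list means the directives agree.

    Rules checked (from the OpenVPN manual's description of --route/--iroute):
      * every ccd 'iroute' needs a matching 'route' in server.conf, otherwise the
        kernel never hands the subnet's packets to the tun device;
      * 'ifconfig-push' must assign an address inside the 'server' subnet;
      * no two clients may claim the same iroute.
    """
    problems = []
    srv = _parse(server_conf)
    server_net = srv["server"][0] if srv["server"] else None
    claimed = {}                                # iroute network -> client CN
    for cn, text in ccd_files.items():
        ccd = _parse(text)
        for net in ccd["iroute"]:
            if net not in srv["route"]:
                problems.append(f"{cn}: iroute {net} has no matching 'route' in server.conf")
            if net in claimed:
                problems.append(f"{cn}: iroute {net} already claimed by {claimed[net]}")
            claimed[net] = cn
        for addr in ccd["ifconfig-push"]:
            if server_net is not None and addr not in server_net:
                problems.append(f"{cn}: ifconfig-push {addr} is outside server subnet {server_net}")
    return problems


if __name__ == "__main__":
    for line in check_site_to_site(SERVER_CONF, CCD_FILES) or ["routing directives are consistent"]:
        print(line)
```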

Procmail on Postfix - delivering Email to Inbox

Posted: 12 Jun 2022 11:47 AM PDT

I have set up a Postfix mail server, and my goal was to pipe incoming emails to a script. I did this via Procmail. The script is getting run without any issues.

My issue is: I want to deliver a copy of the incoming email to the user's inbox as well. Following is my .procmailrc file. Also, I'm using Maildir format.

    LOGFILE=$HOME/procmail.log
    VERBOSE=YES
    SHELL=/bin/sh
    MAILDIR=$HOME/Maildir

    :0
    |/home/user1/script.sh

    :0c
    !user1@notification.mydomain.com

With the above .procmailrc file, the script is getting run, but no email is getting delivered to the user's inbox.

Connect to device in wan network from nested subnetwork with two AVM Fritz!Box routers

Posted: 12 Jun 2022 11:58 AM PDT

I have the following network setup:

                           Internet
                              ^
                              |
                          WAN |
                    +---------+----------+
                    |      Router A      |
                    |                    |
                    |  192.168.178.0/32  |
                    |                    |
                    +----+-------+-------+
                         |       |
                   +-----+       +--------+
               WAN |                      |
         +---------+----------+     +-----+------+
         |      Router B      |     |  Device C  |
         |                    |     |            |
         |    172.16.0.0/32   |     |            |
         |                    |     +------------+
         +-------+----+-------+
                 |    |
           +-----+    +-----+
           |                |
    +------+-----+   +------+-----+
    |  Device D  |   |  Device E  |
    |            |   |            |
    +------------+   +------------+

Both of the routers are Fritz!Box from AVM. Is there any way I can reach Device C from Device D without exposing the whole network of Router A to the network of Router B or even merging them?

Due to some structural constraints of the building the network is set up in, I cannot move Device C to the network of Router B.

qemu-kvm: prevent host from accessing passthru LVM disks

Posted: 12 Jun 2022 06:27 PM PDT

I am running multiple Ubuntu (5.4.0-117-generic) qemu-kvm hosts. On each I am passing multiple block devices through to VMs thusly:

    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-id/scsi-SATA_ST5000LM000-2AN1_WCJ3RALZ'/>
      <target dev='vdc' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
    </disk>

there to be used by the guest OS (also Ubuntu) for LVM (gluster with snapshot capability but that's another post).

I am concerned about how much the host accesses the drives. The LVM volumes are picked up by the mapper, show under lsblk, and spew 'not a block device' every time I run an update-grub. Even more concerning is that I can deactivate logical volumes from the host with vgchange. That can't be good!

Obviously the hosts need to "see" devices in order for me to present them to the VMs. But is there something to be done to otherwise prevent the host from playing with them?

Shorewall: IPSet from blrules not applying

Posted: 12 Jun 2022 02:55 PM PDT

We're hoping to make use of IPSet to manage temporary IP blocking from sources (CSF+LFD, fail2ban, wherever relevant). The purpose would be that routers using Shorewall at the edges would make use of these to block traffic from malicious remotes temporarily. Nothing out of the ordinary.

Our routers are running Shorewall 5.2.3.4 and IPSet 7.10 (protocol version 7).

Shorewall is referencing IPSet lists "blocklist" and "blocklist6" via Shorewall's "blrules" for IPv4 and IPv6 listings respectively:

    #ACTION     SOURCE      DEST    PROTO   DPORT
    DROP:info   all:+blocklist  all
    DROP:info   net:+blocklist  $FW

    #ACTION     SOURCE      DEST    PROTO   DPORT
    DROP:info   all:+blocklist6 all
    DROP:info   net:+blocklist6 $FW

The IPSets were created as "hash:net" type:

    create blocklist hash:net comment family inet hashsize 1024 maxelem 65536
    create blocklist6 hash:net comment family inet6 hashsize 1024 maxelem 65536

However, if an IP address is added to "blocklist" or "blocklist6", for example "93.184.216.34" for "example.com", it is still pingable and HTTPS accessible both by the router itself and by nodes behind it:

    $ ipset add blocklist $(dig +short example.com A) comment "Testing block for example.com."
    $ ping $(dig +short example.com A)
    PING 93.184.216.34 (93.184.216.34) 56(84) bytes of data.
    64 bytes from 93.184.216.34: icmp_seq=1 ttl=55 time=79.2 ms

    $ ipset add blocklist6 $(dig +short example.com AAAA) comment "Testing block for example.com."
    $ ping $(dig +short example.com AAAA)
    PING 2606:2800:220:1:248:1893:25c8:1946(2606:2800:220:1:248:1893:25c8:1946) 56 data bytes
    64 bytes from 2606:2800:220:1:248:1893:25c8:1946: icmp_seq=1 ttl=55 time=83.1 ms

To test this further I've added the following to Shorewall's "rules":

    #ACTION     SOURCE  DEST                PROTO   DPORT
    # Block listed
    DROP        all:+blocklist  all
    DROP        net:+blocklist  $FW

    #ACTION     SOURCE  DEST                        PROTO   DPORT
    # Block listed
    DROP        all:+blocklist6 all
    DROP        net:+blocklist6 $FW

Cleared, updated, and restarted both Shorewall IPv4 & IPv6, still contactable.

Shorewall's configuration has the following options set that appear to be relevant:

    BLACKLIST="NEW,INVALID,UNTRACKED"
    BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
    BLACKLIST_DISPOSITION=DROP
    DYNAMIC_BLACKLIST=Yes
    IPSET_WARNINGS=Yes
    SAVE_IPSETS=Yes

What have we missed to get this working? The expectation would be that any traffic to/from IP addresses (or CIDRs) listed is dropped.

Thanks, Adam

How to stop rejection of DNS queries?

Posted: 12 Jun 2022 04:33 PM PDT

Although service dns is allowed through firewalld, DNS queries received through an internal interface are denied.

Here is the network:

    PC ------------- SERVER ---------------- DNS Server
    nslookup         Firewalld/ip_forward=1
    192.168.2.11     ens244 192.168.2.1
                     ens160 192.168.1.1      192.168.1.11

These are the log entries:

Jun 10 <...> montreal.<...>: FINAL_REJECT: IN=ens224 OUT=ens160 MAC=<...>  SRC=192.168.2.11 DST=192.168.1.11 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=61889 PROTO=UDP SPT=53254 DPT=53 LEN=51  

These are the zone settings:

    [christine@montreal ~]$ sudo firewall-cmd --list-all --zone=internal
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens224
      sources: 192.168.2.0/24
      services: cockpit dhcpv6-client dns mdns samba-client ssh
      ports:
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    [christine@montreal ~]$

Tried: Rejection stops when target is set to ACCEPT, but this is not the strategy I want.
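As an added example (not part of the question), a Python parser for the kernel log line firewalld writes when it rejects a packet. It reads the IN/OUT fields to tell a forwarded packet (both set, FORWARD chain) from one addressed to the host itself (INPUT only), which is the distinction to check first: a zone's services list opens ports on the host itself, so forwarded traffic is judged by the zone's forwarding rules rather than by the services. The sample line is the one from the question with its elided fields kept as placeholders.

```python
"""Classify netfilter/firewalld reject log lines by traffic path.
Added example, not code from the question."""
import re

# Constructed sample: the question's FINAL_REJECT line, '<...>' placeholders kept.
SAMPLE_LOG = (
    "Jun 10 <...> montreal.<...>: FINAL_REJECT: IN=ens224 OUT=ens160 MAC=<...> "
    "SRC=192.168.2.11 DST=192.168.1.11 LEN=71 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=61889 PROTO=UDP SPT=53254 DPT=53 LEN=51"
)

_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value tokens; OUT= may be empty
_PREFIX_RE = re.compile(r"(\w+):\s+IN=")      # the log prefix right before IN=


def parse_netfilter_log(line):
    """Return {'prefix', 'path', 'fields'} for one kernel packet-log line.

    path is derived from IN/OUT:
      both set  -> 'forward' (packet was being routed through the host)
      only IN   -> 'input'   (packet was addressed to the host itself)
      only OUT  -> 'output'  (packet was generated by the host)
    A repeated key (LEN appears for the IP and the UDP header) keeps its last value.
    """
    m = _PREFIX_RE.search(line)
    prefix = m.group(1) if m else None
    fields = dict(_KV_RE.findall(line))
    if "IN" not in fields or "OUT" not in fields:
        raise ValueError("not a netfilter packet log line")
    if fields["IN"] and fields["OUT"]:
        path = "forward"
    elif fields["IN"]:
        path = "input"
    else:
        path = "output"
    return {"prefix": prefix, "path": path, "fields": fields}


def describe(line):
    """One-line human summary, e.g. for a quick triage script over journalctl output."""
    rec = parse_netfilter_log(line)
    f = rec["fields"]
    return (f"{rec['prefix']}: {rec['path'].upper()} {f.get('PROTO')} "
            f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} "
            f"(in={f['IN'] or '-'}, out={f['OUT'] or '-'})")


if __name__ == "__main__":
    print(describe(SAMPLE_LOG))
```

For the question's line the summary reads "FINAL_REJECT: FORWARD UDP 192.168.2.11:53254 -> 192.168.1.11:53 (in=ens224, out=ens160)", i.e. the DNS query was transiting the server, not terminating on it.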

Pod assigned node role instead of service account role on AWS EKS

Posted: 12 Jun 2022 06:05 PM PDT

First some info about the setup:

EKS version: 1.21
eksctl version: 0.77.0
AWS Go SDK version: v1.44.28
Deploying using kubectl

I have a k8s cluster on AWS EKS on which I am deploying a custom k8s controller for my application. Using instructions from eksworkshop.com, I created my service account with the appropriate IAM role using eksctl. I assign the role in my deployment.yaml as seen below. I also set the securityContext as that seemed to solve the problem in some cases as described here.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: tel-controller
      namespace: tel
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: tel-controller
      strategy:
        rollingUpdate:
          maxSurge: 50%
          maxUnavailable: 50%
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: tel-controller
        spec:
          serviceAccountName: tel-controller-serviceaccount
          securityContext:
            fsGroup: 65534
          containers:
          - image: <image name>
            imagePullPolicy: Always
            name: tel-controller
            args:
            - --metrics-bind-address=:8080
            - --health-probe-bind-address=:8081
            - --leader-elect=true
            ports:
              - name: webhook-server
                containerPort: 9443
                protocol: TCP
              - name: metrics-port
                containerPort: 8080
                protocol: TCP
              - name: health-port
                containerPort: 8081
                protocol: TCP
            securityContext:
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              allowPrivilegeEscalation: false

But this does not seem to be working. If I describe the pod, I see the correct role.

    AWS_DEFAULT_REGION:           us-east-1
    AWS_REGION:                   us-east-1
    AWS_ROLE_ARN:                 arn:aws:iam::xxxxxxxxx:role/eksctl-eks-tel-addon-iamserviceaccount-tel-t-Role1-3APV5KCV33U8
    AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-6ngsr (ro)

But if I do an sts.GetCallerIdentityInput() from inside the controller application, I see the node role. And obviously I get an access denied error.

caller identity: (go string) { Account: "xxxxxxxxxxxx", Arn: "arn:aws:sts::xxxxxxxxxxx:assumed-role/eksctl-eks-tel-nodegroup-voice-NodeInstanceRole-BJNYF5YC2CE3/i-0694a2766c5d70901", UserId: "AROAZUYK7F2GRLKRGGNXZ:i-0694a2766c5d70901" }

This is how I created my service account:

    eksctl create iamserviceaccount --cluster ${EKS_CLUSTER_NAME} \
    --namespace tel \
    --name tel-controller-serviceaccount \
    --attach-policy-arn arn:aws:iam::xxxxxxxxxx:policy/telcontrollerRoute53Policy \
    --override-existing-serviceaccounts --approve

I have done this successfully in the past. The difference this time is that I also have a role & role bindings attached to this service account. Here is my rbac.yaml for this SA:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: tel-controller-role
      labels:
        app: tel-controller
    rules:
    - apiGroups: [""]
      resources: [events]
      verbs: [create, delete, get, list, update, watch]
    - apiGroups: ["networking.k8s.io"]
      resources: [ingressclasses]
      verbs: [get, list]
    - apiGroups: ["", "networking.k8s.io"]
      resources: [services, ingresses]
      verbs: [create, get, list, patch, update, delete, watch]
    - apiGroups: [""]
      resources: [configmaps]
      verbs: [create, delete, get, update]
    - apiGroups: ["coordination.k8s.io"]
      resources: ["leases"]
      verbs: [get, create, update]
    - apiGroups: [""]
      resources: [pods]
      verbs: [get, list, watch, update]
    - apiGroups: ["", "networking.k8s.io"]
      resources: [services/status, ingresses/status]
      verbs: [update, patch]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: tel-controller-rolebinding
      labels:
        app: tel-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: tel-controller-role
    subjects:
    - kind: ServiceAccount
      name: tel-controller-serviceaccount
      namespace: tel

What am I doing wrong here? Thanks.

How to supply hostname using isc-dhcp-server to hosts without fixed-address

Posted: 12 Jun 2022 12:46 PM PDT

I have a DHCP+DNS setup on my network using bind9 and isc-dhcp-server. It works fine for all clients that have a "proper" hostname configured, without any special setup in dhcpd.conf on the server. There are also a couple of hosts I have set up with fixed addresses using blocks like the following:

    option domain-name "dyna.mynet";

    host someserver {
      hardware ethernet 00:11:22:33:44:55;
      fixed-address someserver.mynet;   # someserver.mynet has a DNS entry in bind9
      server-name "nameserver.mynet";
    }

So using the above, this host is reachable via someserver.mynet and via someserver.dyna.mynet.

However, without the fixed-address I can't get host sections like this working.

e.g. another host block in the same dhcpd.conf:

    host worklaptop {
      hardware ethernet AA:BB:CC:DD:EE:00;
    }

I've also tried:

    host worklaptop {
      hardware ethernet AA:BB:CC:DD:EE:00;
      option host-name "worklaptop";
    }

Neither works. I don't see any entries like Added new forward map from ... as I would expect in the logs.

Is there anything else I need to add?

Edit:

Just to clarify based on one of the comments, I don't need the actual device hostnames to change. I just need a DNS entry to be added, so I can address these devices using a DNS name.

Related info:

I think what the problem might be with the laptop is that it is a Windows laptop and advertises the hostname with the full work AD domain name, e.g. worklaptop.mywork.com. And I don't have a DNS zone for mywork.com in my LAN.

The other devices that don't get a name are things like Elgato lights, that have spaces in their hostname. I can't seem to override those hostnames either with these host blocks in the dhcpd.conf file.

Particular Email DB In Users Folder In Roundcube

Posted: 12 Jun 2022 12:18 PM PDT

I am trying to make a db for every particular mail in the user folder, but when I use getenv('HOME') and getenv('_RCUBE') it shows me "unable to connect with db".

This is how I use it:

    $config['db_dsnw'] = 'sqlite:///' . $_SERVER['HOME'] . '/etc/' . $_SERVER['_RCUBE'] . '.rcube.db?mode=0600';
    $config['db_dsnw'] = 'sqlite:///' . getenv('HOME') . '/etc/' . getenv('_RCUBE') . '.rcube.db?mode=0600';

I have tried both ways.

HAProxy not passing headers with HTTPS

Posted: 12 Jun 2022 01:08 PM PDT

I have a problem that has been burning my neurons for some weeks. I have a HAProxy LB + 2 web servers. The idea is to be able to know the real IP of the computer that hit the HAProxy node; for that I have the following configuration:

    LB : 10.0.0.1 - haproxy.example.test
    Web1 : 10.0.0.2 - web1.example.test
    Web2 : 10.0.0.3 - web2.example.test

The certificate is on each of the web nodes and it is working ok with the exception of the headers not being passed.

haproxy.cfg:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

    defaults
        log global
        option forwardfor
        option httplog
    #   option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend http_front
        bind *:80
        stats uri /haproxy?stats
        default_backend http_back

    frontend https_front
        bind *:443
        default_backend https_back

    backend http_back
        balance roundrobin
        mode http
        http-request add-header X-CLIENT-IP %[src]
        http-request set-header X-Request-Start t=%Ts%ms
        server web1 10.0.0.2:80 check
        server web2 10.0.0.3:80 check

    backend https_back
        balance roundrobin
        mode tcp
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forward-For %[src]
        http-request add-header X-CLIENT-IP %[src]
        http-request set-header X-Request-Start t=%Ts%ms
        server webs1 10.0.0.2:443 check
        server webs2 10.0.0.3:443 check

If I access the 10.0.0.1 (haproxy.example.test) using HTTP I get the expected headers:

    HTTP_X_CLIENT_IP    65.28.121.161
    HTTP_X_REQUEST_START    t=1557918661669
    HTTP_X_FORWARDED_FOR    65.28.121.161

But if I access with HTTPS none of those headers are passed to Apache...

I've tried everything and can't figure this out; googled for weeks without success. Does anyone have an idea why this is happening?

UPDATE:

Thank you for guiding me on the right path; the solution was the configuration below:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

    defaults
        log global
        option forwardfor
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend localhost
        bind *:80
        bind *:443 ssl crt /etc/haproxy/haproxy.crt
        mode http
        redirect scheme https if !{ ssl_fc }
        default_backend nodes

    backend nodes
        mode http
        balance roundrobin
        option forwardfor
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        server web01 10.0.0.2:80 check
        server web02 10.0.0.3:80 check
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }

HAProxy will negotiate the secure connection and pass the traffic as HTTP, instead of HTTPS, to the web servers.

It was based on this nice article: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

Cheers,

Hugo Ferreira

PHPBREW configure: error: Cannot find OpenSSL's

Posted: 12 Jun 2022 06:00 PM PDT

I'm trying to install an alternative version of PHP. For this reason, I'm using PHPBrew.

And when I try to compile it, I get the following error:

configure: error: Cannot find OpenSSL's

I'm trying to manually install OpenSSL following this tutorial:

http://www.ehowstuff.com/how-to-install-and-update-openssl-on-centos-6-centos-7/

Also, I've installed the openssl-devel and pkg-config packages. When I type openssl version I receive:

OpenSSL 1.0.2k 26 Jan 2017  

But OPENSSLDIR is still empty. When I compiled openssl it displayed the following path:

/usr/local/ssl  

What am I doing wrong?

This is my full command:

phpbrew --debug install 7.0.11 +fpm +gd +json +mbstring +mysql +pdo +opcache +curl +cli +mcrypt +filter +hash +zip +xml +tokenizer +openssl=/usr/lib/ -- --with-libdir=/usr/lib/  

Also I've tried this:

phpbrew --debug install 7.0.11 +fpm +gd +json +mbstring +mysql +pdo +opcache +curl +cli +mcrypt +filter +hash +zip +xml +tokenizer +openssl  

And other different paths to the openssl.

Please help me! I have been suffering almost two weeks.

I'm using CentOS 6.

Thank you!

How to change Azure RM deployment name when deploying through Azure Portal link?

Posted: 12 Jun 2022 04:04 PM PDT

When deploying a template through Azure Portal, i.e. by following the link:

https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F{template name}%2Fazuredeploy.json  

All deployments created this way are named Microsoft.Template (and subsequent ones Microsoft.Template_1, Microsoft.Template_2, etc.) in the Deployments section of the portal:


Is it possible to customize the name (either by modifying the template, or provide a different name when deploying)?

Guessing, I tried adding name at the root level of the azuredeploy.json, but it gets refused with a wrong syntax message.

Is a CNAME sufficient for a www. record?

Posted: 12 Jun 2022 01:31 PM PDT

I have been doing a server migration, and checking that everything related to DNS is configured correctly by using IntoDNS. After doing this though, it flags up an error saying that there is no A record for WWW. The website is working fine, and I noticed that there is only a CNAME record for that subdomain.

My question is, should I have both a CNAME record and an A record for that subdomain, or is a CNAME sufficient and I can safely ignore that error? Could it potentially prevent access for someone using a client that doesn't implement CNAME?

On a system with 64GB mem the Linux Buffer run full while copying with dd to dev null and io stops till manual drop_caches

Posted: 12 Jun 2022 05:02 PM PDT

I am running a server with Linux software RAID 10. It is a dual CPU system with 64GB RAM, 2x16GB DIMMs related to each of the CPUs. I want to use dd to back up KVM virtual machines and run into a serious IO problem. First I thought it was related to the RAID, but it's a problem of the Linux memory management. Here is an example:

  1. Memory is fine: http://i.stack.imgur.com/NbL60.jpg
  2. I start dd: http://i.stack.imgur.com/kEPN2.jpg
  3. You see also nmon shows the disk access: http://i.stack.imgur.com/Njcf5.jpg
  4. After a while the "buffers" are big and the copy progress stops http://i.stack.imgur.com/HCefI.jpg
  5. Here is meminfo: http://i.stack.imgur.com/KR0CE.jpg
  6. Here the dd output: http://i.stack.imgur.com/BHjnR.jpg
  7. I can manually resolve the problem temporarily and force dropping the cache: "sync; echo 3 > /proc/sys/vm/drop_caches"
  8. The call needs a few seconds and instantly after that the dd speed reaches the normal level. Sure, I can run a cronjob every minute or such things, but that's not a real solution. http://i.stack.imgur.com/zIDRz.jpg http://i.stack.imgur.com/fO8NV.jpg

Does anybody have a solution or a configuration hint? Here is also my sysctl but all values are centos defaults: http://i.stack.imgur.com/ZQBNG.jpg

Edit1

I did another test with dd to disk instead of /dev/null, this time also in one command without pv, so it's only one process: dd if=/dev/vg_main_vms/AppServer_System of=AppServer_System bs=4M

  1. It starts with reading without writing (target is not on the same disks) http://i.stack.imgur.com/jJg5x.jpg
  2. After a while the writing starts and the reading slows down http://i.stack.imgur.com/lcgW6.jpg
  3. After that a write-only phase comes: http://i.stack.imgur.com/5FhG4.jpg
  4. Now the main problem starts. The copy process slows down to below 1mbs and nothing happens: http://i.stack.imgur.com/YfCXc.jpg
  5. The dd process now needs 100% cpu time (1 core) http://i.stack.imgur.com/IZn1N.jpg
  6. And again I can manually resolve the problem temporarily and force dropping the cache: sync; echo 3 > /proc/sys/vm/drop_caches. After that the same game starts again...

Edit2

For the local dd I can work around it with the parameters iflag=direct and oflag=direct. But this is no universal solution, because there is also other file access, like copying files to the local Samba shares from a VM, and there I can't use such parameters. There must be a tweak of the system file cache rules, because it can't be normal that you can't copy large files without such problems.

PAM Winbind Expired Password

Posted: 12 Jun 2022 06:00 PM PDT

We've got Winbind/Kerberos set up on RHEL for AD authentication. It is working fine; however, I noticed that when a password has expired, we get a warning but shell access is still granted.

What's the proper way of handling this? Can we tell PAM to close the session once it sees the password has expired?

Example:

    login as: ad-user
    ad-user@server.domain.com's password:
    Warning: password has expired.
    [ad-user@server ~]$

Contents of /etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so

    account     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
    account     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
    account     requisite     pam_succeed_if.so user ingroup AD_Developers debug
    account     required      pam_access.so
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     [default=2 success=ignore] pam_succeed_if.so quiet uid >= 10000000
    session     sufficient    pam_succeed_if.so user ingroup AD_Admins debug
    session     requisite     pam_succeed_if.so user ingroup AD_Developers debug
    session     optional      pam_mkhomedir.so umask=0077 skel=/etc/skel
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_krb5.so

Problems with my.cnf and php.ini - Using mysql tuner

Posted: 12 Jun 2022 03:03 PM PDT

My server was running fine until a recent update in Plesk and now it has been slow. My server tech had to rebuild the Apache configuration file and ever since the sites have been slow.

The server is the XL8 dedicated box from 1and1. It has 16GB of RAM and an 8 core CPU. The server contains 2 fairly busy vBulletin forums and some smaller sites.

Here is the current my.cnf as I set it:

    [mysqld]
    #bind-address=127.0.0.1
    #skip-bdb
    local-infile=0
    max_connections=90
    open_files_limit=2050
    datadir=/var/lib/mysql
    socket=/var/lib/mysql/mysql.sock
    user=mysql
    # Disabling symbolic-links is recommended to prevent assorted security risks
    symbolic-links=0
    query_cache_limit = 1M
    query_cache_size = 15M
    join_buffer_size = 512K
    read_buffer_size = 1M
    tmp_table_size = 3024M
    thread_cache_size = 8
    table_cache = 450
    innodb_buffer_pool_size = 540M
    key_buffer_size = 32M
    table_definition_cache = 4024
    max_allowed_packet = 35M
    max_heap_table_size = 3024M

    [mysqld_safe]
    log-error=/var/log/mysqld.log
    pid-file=/var/run/mysqld/mysqld.pid

And here are the latest results from mysql tuner:

    Last login: Tue Sep 24 19:28:02 2013 from ip70-181-17-116.ri.ri.cox.net
    [root@u16557714 ~]# ./mysqltuner.pl

     >>  MySQLTuner 1.2.0 - Major Hayden <major@mhtx.net>
     >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
     >>  Run with '--help' for additional options and output filtering

    -------- General Statistics --------------------------------------------------
    [--] Skipped version check for MySQLTuner script
    [OK] Currently running supported MySQL version 5.1.69
    [OK] Operating on 64-bit architecture

    -------- Storage Engine Statistics -------------------------------------------
    [--] Status: -Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
    [--] Data in MyISAM tables: 1G (Tables: 3316)
    [--] Data in InnoDB tables: 111M (Tables: 487)
    [--] Data in MEMORY tables: 372K (Tables: 329)
    [!!] Total fragmented tables: 612

    -------- Security Recommendations  -------------------------------------------
    [OK] All database users have passwords assigned

    -------- Performance Metrics -------------------------------------------------
    [--] Up for: 4m 15s (10K q [42.020 qps], 506 conn, TX: 286M, RX: 2M)
    [--] Reads / Writes: 80% / 20%
    [--] Total buffers: 4.5G global + 3.1M per thread (90 max threads)
    [OK] Maximum possible memory usage: 4.8G (30% of installed RAM)
    [OK] Slow queries: 0% (1/10K)
    [OK] Highest usage of available connections: 13% (12/90)
    [OK] Key buffer size / total MyISAM indexes: 1.0G/504.2M
    [OK] Key buffer hit rate: 98.0% (131K cached / 2K reads)
    [OK] Query cache efficiency: 71.4% (5K cached / 8K selects)
    [OK] Query cache prunes per day: 0
    [OK] Sorts requiring temporary tables: 0% (0 temp sorts / 429 sorts)
    [!!] Joins performed without indexes: 6
    [!!] Temporary tables created on disk: 34% (109 on disk / 320 total)
    [OK] Thread cache hit rate: 95% (25 created / 506 connections)
    [OK] Table cache hit rate: 97% (330 open / 337 opened)
    [OK] Open file limit used: 4% (509/12K)
    [OK] Table locks acquired immediately: 99% (4K immediate / 4K locks)
    [OK] InnoDB data size / buffer pool: 111.0M/540.0M

    -------- Recommendations -----------------------------------------------------
    General recommendations:
        Run OPTIMIZE TABLE to defragment tables for better performance
        MySQL started within last 24 hours - recommendations may be inaccurate
        Enable the slow query log to troubleshoot bad queries
        Adjust your join queries to always utilize indexes
        Temporary table size is already large - reduce result set size
        Reduce your SELECT DISTINCT queries without LIMIT clauses
    Variables to adjust:
        join_buffer_size (> 512.0K, or always use indexes with joins)

    [root@u16557714 ~]# /etc/init.d/mysqld restart
    Stopping mysqld:                                           [  OK  ]
    Starting mysqld:                                           [  OK  ]
    [root@u16557714 ~]# ./mysqltuner.pl

     >>  MySQLTuner 1.2.0 - Major Hayden <major@mhtx.net>
     >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
     >>  Run with '--help' for additional options and output filtering

    -------- General Statistics --------------------------------------------------
    [--] Skipped version check for MySQLTuner script
    [OK] Currently running supported MySQL version 5.1.69
    [OK] Operating on 64-bit architecture

    -------- Storage Engine Statistics -------------------------------------------
    [--] Status: -Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
    [--] Data in MyISAM tables: 1G (Tables: 3316)
    [--] Data in InnoDB tables: 111M (Tables: 487)
    [--] Data in MEMORY tables: 124K (Tables: 329)
    [!!] Total fragmented tables: 613

    -------- Security Recommendations  -------------------------------------------
    [OK] All database users have passwords assigned

    -------- Performance Metrics -------------------------------------------------
    [--] Up for: 52s (683 q [13.135 qps], 39 conn, TX: 27M, RX: 229K)
    [--] Reads / Writes: 90% / 10%
    [--] Total buffers: 4.5G global + 3.1M per thread (90 max threads)
    [OK] Maximum possible memory usage: 4.8G (30% of installed RAM)
    [OK] Slow queries: 0% (0/683)
    [OK] Highest usage of available connections: 2% (2/90)
    [OK] Key buffer size / total MyISAM indexes: 1.0G/504.3M
    [!!] Key buffer hit rate: 92.2% (11K cached / 928 reads)
    [OK] Query cache efficiency: 38.5% (194 cached / 504 selects)
    [OK] Query cache prunes per day: 0
    [OK] Sorts requiring temporary tables: 0% (0 temp sorts / 54 sorts)
    [!!] Joins performed without indexes: 1
    [OK] Temporary tables created on disk: 19% (8 on disk / 41 total)
    [OK] Thread cache hit rate: 94% (2 created / 39 connections)
    [OK] Table cache hit rate: 94% (113 open / 120 opened)
    [OK] Open file limit used: 1% (212/12K)
    [OK] Table locks acquired immediately: 100% (656 immediate / 656 locks)
    [OK] InnoDB data size / buffer pool: 111.0M/540.0M

    -------- Recommendations -----------------------------------------------------
    General recommendations:
        Run OPTIMIZE TABLE to defragment tables for better performance
        MySQL started within last 24 hours - recommendations may be inaccurate
        Enable the slow query log to troubleshoot bad queries
        Adjust your join queries to always utilize indexes
    Variables to adjust:
        join_buffer_size (> 512.0K, or always use indexes with joins)

    [root@u16557714 ~]# /etc/init.d/mysqld restart
    Stopping mysqld:                                           [  OK  ]
    Starting mysqld:                                           [  OK  ]
    [root@u16557714 ~]# ./mysqltuner.pl

     >>  MySQLTuner 1.2.0 - Major Hayden <major@mhtx.net>
     >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
     >>  Run with '--help' for additional options and output filtering

    -------- General Statistics --------------------------------------------------
    [--] Skipped version check for MySQLTuner script
    [OK] Currently running supported MySQL version 5.1.69
    [OK] Operating on 64-bit architecture

    -------- Storage Engine Statistics -------------------------------------------
    [--] Status: -Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
    [--] Data in MyISAM tables: 1G (Tables: 3316)
    [--] Data in InnoDB tables: 111M (Tables: 487)
    [--] Data in MEMORY tables: 124K (Tables: 329)
    [!!] Total fragmented tables: 612

    -------- Security Recommendations  -------------------------------------------
    [OK] All database users have passwords assigned

    -------- Performance Metrics -------------------------------------------------
    [--] Up for: 25s (411 q [16.440 qps], 25 conn, TX: 14M, RX: 152K)
    [--] Reads / Writes: 90% / 10%
    [--] Total buffers: 4.0G global + 3.1M per thread (90 max threads)
    [OK] Maximum possible memory usage: 4.3G (27% of installed RAM)
    [OK] Slow queries: 0% (0/411)
    [OK] Highest usage of available connections: 3% (3/90)
    [!!] Key buffer size / total MyISAM indexes: 500.0M/504.2M
    [!!] Key buffer hit rate: 92.5% (8K cached / 610 reads)
    [OK] Query cache efficiency: 29.7% (91 cached / 306 selects)
    [OK] Query cache prunes per day: 0
    [OK] Sorts requiring temporary tables: 0% (0 temp sorts / 39 sorts)
    [!!] Joins performed without indexes: 1
    [OK] Temporary tables created on disk: 15% (3 on disk / 19 total)
    [OK] Thread cache hit rate: 88% (3 created / 25 connections)
    [OK] Table cache hit rate: 92% (81 open / 88 opened)
    [OK] Open file limit used: 7% (148/2K)
    [OK] Table locks acquired immediately: 100% (381 immediate / 381 locks)
    [OK] InnoDB data size / buffer pool: 111.0M/540.0M

    -------- Recommendations -----------------------------------------------------
    General recommendations:
        Run OPTIMIZE TABLE to defragment tables for better performance
        MySQL started within last 24 hours - recommendations may be inaccurate
        Enable the slow query log to troubleshoot bad queries
        Adjust your join queries to always utilize indexes
    Variables to adjust:
        key_buffer_size (> 504.2M)
        join_buffer_size (> 512.0K, or always use indexes with joins)

    [root@u16557714 ~]# /etc/init.d/mysqld restart
    Stopping mysqld:                                           [  OK  ]
    Starting mysqld:                                           [  OK  ]
    [root@u16557714 ~]# ./mysqltuner.pl

     >>  MySQLTuner 1.2.0 - Major Hayden <major@mhtx.net>
     >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
     >>  Run with '--help' for additional options and output filtering

    -------- General Statistics --------------------------------------------------
    [--] Skipped version check for MySQLTuner script
    [OK] Currently running supported MySQL version 5.1.69
    [OK] Operating on 64-bit architecture

    -------- Storage Engine Statistics -------------------------------------------
    [--] Status: -Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
    [--] Data in MyISAM tables: 1G (Tables: 3316)
    [--] Data in InnoDB tables: 111M (Tables: 487)
    [--] Data in MEMORY tables: 1M (Tables: 329)
    [!!] Total fragmented tables: 613

    -------- Security Recommendations  -------------------------------------------
    [OK] All database users have passwords assigned

    -------- Performance Metrics -------------------------------------------------
    [--] Up for: 13s (262 q [20.154 qps], 24 conn, TX: 15M, RX: 64K)
    [--] Reads / Writes: 83% / 17%
    [--] Total buffers: 3.5G global + 4.0M per thread (90 max threads)
    [OK] Maximum possible memory usage: 3.9G (24% of installed RAM)
    [OK] Slow queries: 0% (0/262)
    [OK] Highest usage of available connections: 2% (2/90)
    [!!] Key buffer size / total MyISAM indexes: 32.0M/504.2M
    [!!] Key buffer hit rate: 89.5% (2K cached / 240 reads)
    [OK] Query cache efficiency: 46.4% (78 cached / 168 selects)
    [OK] Query cache prunes per day: 0
    [OK] Sorts requiring temporary tables: 0% (0 temp sorts / 13 sorts)
    [OK] Temporary tables created on disk: 0% (0 on disk / 5 total)
    [OK] Thread cache hit rate: 91% (2 created / 24 connections)
    [OK] Table cache hit rate: 88% (54 open / 61 opened)
    [OK] Open file limit used: 5% (103/2K)
    [OK] Table locks acquired immediately: 100% (197 immediate / 197 locks)
    [OK] InnoDB data size / buffer pool: 111.0M/540.0M

    -------- Recommendations -----------------------------------------------------
    General recommendations:
        Run OPTIMIZE TABLE to defragment tables for better performance
        MySQL started within last 24 hours - recommendations may be inaccurate
        Enable the slow query log to troubleshoot bad queries
    Variables to adjust:
        key_buffer_size (> 504.2M)

Any advice or assistance would be so much appreciated.

Thanks so much!!

Here is my latest

    [mysqld]
    #bind-address=127.0.0.1
    #skip-bdb
    local-infile=0
    max_connections=90
    open_files_limit=2050
    datadir=/var/lib/mysql
    socket=/var/lib/mysql/mysql.sock
    user=mysql
    # Disabling symbolic-links is recommended to prevent assorted security risks
    symbolic-links=0
    query_cache_limit = 1M
    query_cache_size = 15M
    join_buffer_size = 512K
    read_buffer_size = 1M
    tmp_table_size = 100M
    thread_cache_size = 8
    table_cache = 450
    innodb_buffer_pool_size = 540M
    key_buffer_size = 32M
    table_definition_cache = 4024
    max_allowed_packet = 35M
    max_heap_table_size = 100M
    [mysqld_safe]
    log-error=/var/log/mysqld.log
    pid-file=/var/run/mysqld/mysqld.pid
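
Editor's added example (not code from the question): the "Total buffers: 4.5G global + 3.1M per thread" line that MySQLTuner prints is a sum of the configured buffers, and the two my.cnf fragments above differ only in `tmp_table_size` / `max_heap_table_size` (3024M versus 100M). The script below parses a my.cnf fragment built from the poster's values, reproduces that kind of worst-case budget, and flags the point the tuner's single-sum estimate hides: those two variables cap each in-memory temporary table, so every concurrent query that spills to a temp table can claim up to that size. The `sort_buffer_size` / `read_rnd_buffer_size` defaults, the 16 GiB of installed RAM and the "one eighth of RAM" policy threshold are assumptions, not values from the page.

```python
import re

# Constructed my.cnf fragment reusing the values of the poster's original
# [mysqld] section (sample input, not read from a live server).
SAMPLE_MY_CNF = """\
[mysqld]
#bind-address=127.0.0.1
local-infile=0
max_connections=90
query_cache_size = 15M
join_buffer_size = 512K
read_buffer_size = 1M
tmp_table_size = 3024M
innodb_buffer_pool_size = 540M
key_buffer_size = 32M
max_heap_table_size = 3024M
[mysqld_safe]
log-error=/var/log/mysqld.log
"""

# Assumed MySQL 5.1 defaults for per-thread buffers the fragment leaves unset;
# confirm them with SHOW VARIABLES on the real server.
ASSUMED_DEFAULTS = {"sort_buffer_size": 2 * 1024**2, "read_rnd_buffer_size": 256 * 1024}
INSTALLED_RAM = 16 * 1024**3   # assumed: the tuner output puts 4.8G at 30% of RAM

_SUFFIX = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}


def parse_size(value):
    """'512K' -> 524288. MySQL accepts K/M/G suffixes, case-insensitively."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value.strip())
    if not m:
        raise ValueError("not a size: %r" % value)
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]


def parse_mysqld_section(text):
    """{option: raw value} for the [mysqld] group. '-' and '_' are
    interchangeable in MySQL option names, so both are normalised to '_'."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments (no '#' inside values here)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "mysqld" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            opts[key.replace("-", "_").lower()] = val
    return opts


def memory_budget(opts, installed_ram=INSTALLED_RAM):
    """Worst-case commitment in the style of MySQLTuner's
    'global + per-thread * max_connections' estimate, plus the per-query
    temp-table ceiling that such an estimate counts only once."""
    def size(name):
        return parse_size(opts[name]) if name in opts else ASSUMED_DEFAULTS[name]

    max_conn = int(opts.get("max_connections", "151"))   # 5.1 default
    # In-memory temporary tables are capped by the smaller of these two.
    tmp_ceiling = min(size("tmp_table_size"), size("max_heap_table_size"))
    global_buffers = (size("key_buffer_size") + size("innodb_buffer_pool_size")
                      + size("query_cache_size") + tmp_ceiling)
    per_thread = (size("read_buffer_size") + size("read_rnd_buffer_size")
                  + size("sort_buffer_size") + size("join_buffer_size"))
    worst = global_buffers + per_thread * max_conn
    warnings = []
    if worst > installed_ram:
        warnings.append("worst case %.1f GiB exceeds installed RAM" % (worst / 1024**3))
    # tmp_table_size / max_heap_table_size bound EACH in-memory temporary
    # table, so concurrent queries can each claim up to tmp_ceiling: it is a
    # per-query allocation, not a global budget. Policy threshold assumed.
    if tmp_ceiling > installed_ram // 8:
        warnings.append("tmp_table_size/max_heap_table_size of %d MiB lets every "
                        "temp-table query take over 1/8 of RAM" % (tmp_ceiling // 1024**2))
    return {"global": global_buffers, "per_thread": per_thread,
            "max_connections": max_conn, "worst_case": worst,
            "tmp_ceiling": tmp_ceiling, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_MY_CNF),
                       ("latest", SAMPLE_MY_CNF.replace("3024M", "100M"))):
        b = memory_budget(parse_mysqld_section(cfg))
        print("%s: global %.2f GiB, worst case %.2f GiB, warnings: %s"
              % (label, b["global"] / 1024**3, b["worst_case"] / 1024**3,
                 b["warnings"] or "none"))
```

Running it on the original fragment gives a global figure of about 3.5 GiB (32M + 540M + 15M + 3024M, matching the last tuner run) and one warning for the 3024M temp-table ceiling; the "latest" fragment with 100M produces no warning.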

Per-user dynamic traffic shaping

Posted: 12 Jun 2022 12:01 PM PDT

At work we have a dedicated Internet link for everyday use (servers use a different link) with limited upload bandwidth (currently 3Mbps). Since there are ~80 users, sometimes this upstream link shoots up to 100% utilization degrading performance noticeably. Most of the time this is due to several users trying to upload files to Dropbox, Google Drive,... simultaneously. I've tried traffic shaping for the offending services but it requires some maintenance since users seem to be very good at finding new services that eat upload bandwidth for breakfast.

I've been thinking about a different approach. Some kind of dynamic bandwidth management on a user basis. In the morning everybody would start "clean", with no traffic shaping in place (or some very basic scheme), but as the day goes by "heavy uploaders" would be shaped more and more aggressively automatically (maybe by some predefined tiers).

My idea is to set up a Linux box to act as the router (or maybe a bridge in front of the actual router). Any ideas on how to implement this?
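
Editor's added example (not code from the question): one way to get the "everybody starts clean, heavy uploaders get shaped harder as the day goes on" behaviour on a Linux router is to keep per-host upload counters in an iptables chain, and every few minutes move hosts between ipsets whose members get an fw mark that an HTB class on the WAN interface picks up. The script below generates those commands from the counters instead of running them, so it can be read and tested offline. The interface name `eth0`, the LAN hosts, the counter sample, the tier thresholds and the rates are all assumptions chosen for a 3 Mbit/s uplink.

```python
# Tiers: (name, bytes uploaded today before a host is moved here, fw mark,
# HTB classid, guaranteed rate, ceiling). Thresholds and rates are assumed
# policy for a 3 Mbit/s uplink, not the poster's.
TIERS = [
    ("normal", 0,             1, "1:10", "2000kbit", "3000kbit"),
    ("medium", 256 * 1024**2, 2, "1:20", "800kbit",  "1200kbit"),
    ("heavy",  1024**3,       3, "1:30", "200kbit",  "300kbit"),
]
WAN_IF = "eth0"                                                 # assumed uplink interface
LAN_HOSTS = ["192.168.1.20", "192.168.1.21", "192.168.1.22"]   # constructed

# Constructed sample of `iptables -t mangle -nvxL UPLOAD_ACCT`; counters are
# zeroed each morning, so 'bytes' is today's upload volume per host.
SAMPLE_COUNTERS = """\
Chain UPLOAD_ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    8123    6291456 RETURN     all  --  *      *       192.168.1.20         0.0.0.0/0
  901234 1879048192 RETURN     all  --  *      *       192.168.1.21         0.0.0.0/0
   55012  314572800 RETURN     all  --  *      *       192.168.1.22         0.0.0.0/0
"""


def setup_commands():
    """One-off setup: HTB tree on WAN egress, one fw-mark filter and one ipset
    per tier, and an accounting chain with a counter per LAN host. mangle
    POSTROUTING runs before nat, so LAN source addresses are still visible."""
    cmds = [
        "tc qdisc add dev %s root handle 1: htb default 10" % WAN_IF,
        "tc class add dev %s parent 1: classid 1:1 htb rate 3000kbit" % WAN_IF,
        "iptables -t mangle -N UPLOAD_ACCT",
        "iptables -t mangle -A POSTROUTING -o %s -j UPLOAD_ACCT" % WAN_IF,
    ]
    for ip in LAN_HOSTS:
        cmds.append("iptables -t mangle -A UPLOAD_ACCT -s %s -j RETURN" % ip)
    for name, _, mark, classid, rate, ceil in TIERS:
        cmds += [
            "tc class add dev %s parent 1:1 classid %s htb rate %s ceil %s"
            % (WAN_IF, classid, rate, ceil),
            "tc filter add dev %s parent 1: protocol ip prio 1 handle %d fw flowid %s"
            % (WAN_IF, mark, classid),
            "ipset create %s hash:ip" % name,
            "iptables -t mangle -A POSTROUTING -o %s -m set --match-set %s src "
            "-j MARK --set-mark %d" % (WAN_IF, name, mark),
        ]
    return cmds


def parse_counters(text):
    """{source IP: bytes} from `iptables -nvxL` output (-x gives exact counts)."""
    usage = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0].isdigit():
            usage[parts[7]] = int(parts[1])
    return usage


def tier_for(bytes_today):
    """Highest tier whose threshold the host has crossed (TIERS is ascending)."""
    name = TIERS[0][0]
    for tier_name, threshold, *_ in TIERS:
        if bytes_today >= threshold:
            name = tier_name
    return name


def reconcile(usage, current):
    """Move hosts between ipsets as their daily volume crosses tier thresholds.
    `current` is the {ip: tier} assignment from the previous run (empty in the
    morning, when everybody starts in 'normal'). Returns (assignment, commands).
    `ipset -exist` keeps the deletion idempotent for hosts never added to a set."""
    new, cmds = {}, []
    for ip, nbytes in sorted(usage.items()):
        want, have = tier_for(nbytes), current.get(ip, "normal")
        new[ip] = want
        if want != have:
            cmds.append("ipset -exist del %s %s" % (have, ip))
            cmds.append("ipset add %s %s" % (want, ip))
    return new, cmds


def morning_reset_commands():
    """Start everybody clean again: zero the counters, empty the tier sets."""
    return ["iptables -t mangle -Z UPLOAD_ACCT"] + ["ipset flush %s" % t[0] for t in TIERS]


if __name__ == "__main__":
    assignment, cmds = reconcile(parse_counters(SAMPLE_COUNTERS), {})
    print("\n".join(cmds))
```

A cron job would run `reconcile` every few minutes with the previous assignment persisted to disk, and `morning_reset_commands` once a day. Accounting by source IP only works if addresses are stable (DHCP reservations or similar); a user who can change IP at will changes tier with it.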

add space to virtual disk on vmware

Posted: 12 Jun 2022 01:08 PM PDT

I have a VMware Server 3.5 system with 2 VMs. On one powered-on VM I changed the disk size from 1 TB to 1.5 TB, but the VM didn't see any new unallocated space, so I rebooted the server twice. Nothing happened. The guest OS is CentOS and the two disks are LVM. fdisk sees the new space, but there are no partitions on the disk, and LVM does not see any free space.

    [root@srv-archive ~]# dmesg |grep sdb
    sd 2:0:1:0: [sdb] 3145728000 512-byte logical blocks: (1.61 TB/1.46 TiB)
    sd 2:0:1:0: [sdb] Write Protect is off
    sd 2:0:1:0: [sdb] Mode Sense: 61 00 00 00
    sd 2:0:1:0: [sdb] Cache data unavailable
    sd 2:0:1:0: [sdb] Assuming drive cache: write through
    sd 2:0:1:0: [sdb] Cache data unavailable
    sd 2:0:1:0: [sdb] Assuming drive cache: write through
     sdb: sda1 sda2
    sd 2:0:1:0: [sdb] Cache data unavailable
    sd 2:0:1:0: [sdb] Assuming drive cache: write through
    sd 2:0:1:0: [sdb] Attached SCSI disk
    dracut: Scanning devices sda2 sdb  for LVM logical volumes vg_srvarchive/lv_swap vg_srvarchive/lv_root

and fdisk

    # fdisk -l /dev/sdb

    Disk /dev/sdb: 1610.6 GB, 1610612736000 bytes
    255 heads, 63 sectors/track, 195812 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

and the following is the pvdisplay where u can see 0 free space:

    # pvdisplay
      --- Physical volume ---
      PV Name               /dev/sdb
      VG Name               vg_archive
      PV Size               1000,00 GiB / not usable 4,00 MiB
      Allocatable           yes (but full)
      PE Size               4,00 MiB
      Total PE              255999
      Free PE               0
      Allocated PE          255999
      PV UUID               3Qftxe-rpff-TjTA-9CA4-BoeM-qEgc-RzSzXL

I only want to expand my LVM device. Thanks very much, cheers, Luigi
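
Editor's added example (not code from the question): the three outputs above already contain the diagnosis. The kernel reports 3145728000 sectors of 512 bytes (1.5 TiB) for sdb, fdisk lists no partitions, and the PV on the whole disk is still 1000 GiB, so the gap is 500 GiB that LVM has not been told about. The check below parses those outputs (embedded here as constructed input, with the Italian-locale decimal commas LVM printed) and decides whether a plain `pvresize` is enough, which it is when the PV sits directly on the disk rather than on a partition that would have to grow first. `LV_NAME` is a placeholder for the logical volume to extend; the page does not name it.

```python
import re

# The poster's own command output, embedded here as constructed sample input.
DMESG = "sd 2:0:1:0: [sdb] 3145728000 512-byte logical blocks: (1.61 TB/1.46 TiB)"
FDISK = """\
Disk /dev/sdb: 1610.6 GB, 1610612736000 bytes
255 heads, 63 sectors/track, 195812 cylinders
Disk identifier: 0x00000000
"""
PVDISPLAY = """\
  --- Physical volume ---
  PV Name               /dev/sdb
  VG Name               vg_archive
  PV Size               1000,00 GiB / not usable 4,00 MiB
  Allocatable           yes (but full)
  PE Size               4,00 MiB
  Total PE              255999
  Free PE               0
  Allocated PE          255999
"""

_UNIT = {"B": 1, "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3, "TiB": 1024**4}


def lvm_size(text):
    """'1000,00 GiB' -> bytes; LVM printed a locale decimal comma on this host."""
    m = re.fullmatch(r"\s*([\d.,]+)\s*([KMGT]iB|B)\s*", text)
    if not m:
        raise ValueError("not an LVM size: %r" % text)
    return int(round(float(m.group(1).replace(",", ".")) * _UNIT[m.group(2)]))


def kernel_disk_bytes(dmesg, dev):
    """Size the kernel currently sees for dev ('sdb'), from its dmesg line."""
    m = re.search(r"\[%s\] (\d+) (\d+)-byte logical blocks" % re.escape(dev), dmesg)
    return int(m.group(1)) * int(m.group(2))


def pv_info(pvdisplay):
    fields = dict(re.findall(
        r"^\s*(PV Name|VG Name|PV Size|PE Size|Total PE|Free PE)\s{2,}(.+?)\s*$",
        pvdisplay, re.M))
    return {"name": fields["PV Name"], "vg": fields["VG Name"],
            "size": lvm_size(fields["PV Size"].split("/")[0]),
            "pe_size": lvm_size(fields["PE Size"]),
            "total_pe": int(fields["Total PE"]), "free_pe": int(fields["Free PE"])}


def has_partition_table(fdisk):
    """fdisk -l lists partitions as lines starting with the device path."""
    return any(line.startswith("/dev/") for line in fdisk.splitlines())


def diagnose(dev="/dev/sdb", dmesg=DMESG, fdisk=FDISK, pvdisplay=PVDISPLAY):
    pv = pv_info(pvdisplay)
    disk = kernel_disk_bytes(dmesg, dev.rsplit("/", 1)[1])
    unclaimed = disk - pv["size"]
    whole_disk_pv = pv["name"] == dev and not has_partition_table(fdisk)
    steps = []
    if unclaimed > 0 and whole_disk_pv:
        # The PV is the whole disk, so no partition has to grow first:
        # pvresize re-reads the device size and hands the new extents to the VG.
        steps = ["pvresize %s" % dev,
                 "lvextend -l +100%%FREE /dev/%s/LV_NAME   # LV_NAME: placeholder" % pv["vg"],
                 "resize2fs /dev/%s/LV_NAME                 # or the LV's filesystem grow tool" % pv["vg"]]
    elif unclaimed > 0:
        steps = ["grow the partition holding the PV first, then pvresize that partition"]
    return {"disk_bytes": disk, "pv_bytes": pv["size"], "unclaimed_bytes": unclaimed,
            "whole_disk_pv": whole_disk_pv, "next_steps": steps}


if __name__ == "__main__":
    d = diagnose()
    print("unclaimed: %.0f GiB" % (d["unclaimed_bytes"] / 1024**3))
    print("\n".join(d["next_steps"]))
```

Had the guest not been rebooted, `echo 1 > /sys/class/block/sdb/device/rescan` would make the kernel pick up the new size; here the dmesg line shows it already has, and only the PV metadata is stale.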

What do I need to send an Extended DHCPOFFER with multiple boot options?

Posted: 12 Jun 2022 12:01 PM PDT

According to Wikipedia and a bazillion other pages, you can have:

Proxy DHCP

If a PXE redirection service (Proxy DHCP) receives an extended DHCPDISCOVER, it replies with an extended DHCPOFFER to the client's port 68/UDP (DHCP client port).

An extended DHCPOFFER contains mainly:

  • a PXE Discovery Control field to recommend multicasting, broadcasting, or unicasting to contact PXE boot servers
  • a list of IP addresses of each available PXE Boot Server Type
  • a PXE Boot Menu with each entry representing a PXE Boot Server Type
  • a PXE Boot Prompt telling the user to press a certain key to see the boot menu
  • a timeout to launch the first boot menu entry if it expires

The Proxy DHCP service may also run on the same host as the standard DHCP service. Since two services cannot share port 67/UDP, the Proxy DHCP runs on port 4011/UDP and expects the extended DHCPDISCOVER packets from PXE Clients to be DHCPREQUESTs. The standard DHCP service has to send a special combination of PXE options in its DHCPOFFER, so the PXE client knows to look for a Proxy DHCP on the same host, port 4011/UDP.

I want to implement such a server that sends out these extended responses. I don't mind setting up another daemon just for this purpose, but if I can just configure isc-dhcp-server to send the response that would be ideal.

(Before you suggest it: no, I can't use syslinux. That is cheating, and I'm doing this on an EFI platform and thus have native PXE support.)
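
Editor's added example (not code from the question or from any PXE server): the items in the quoted list map one-to-one onto PXE sub-options carried inside DHCP option 43 (PXE_DISCOVERY_CONTROL 6, PXE_BOOT_SERVERS 8, PXE_BOOT_MENU 9, PXE_MENU_PROMPT 10, terminated by 255), alongside option 60 set to `PXEClient`. The builder below produces exactly that extended DHCPOFFER, with no address offered (yiaddr stays 0.0.0.0), and a parser decodes it again so the encoding can be checked. Whichever daemon you end up writing or configuring for the port-4011 exchange has to emit these bytes; ISC dhcpd can encode option 43 through `option space` declarations (see dhcpd.conf(5)), but the proxy conversation itself is a separate service. The addresses, server types, menu texts and timeout are constructed example values; server type numbers are only identifiers that must agree between options 8 and 9.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_VENDOR_SPECIFIC, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 43, 54, 60
DHCPOFFER = 2

# Option 43 sub-option codes from the PXE 2.1 specification.
PXE_DISCOVERY_CONTROL, PXE_BOOT_SERVERS, PXE_BOOT_MENU, PXE_MENU_PROMPT, PXE_END = 6, 8, 9, 10, 255
# PXE_DISCOVERY_CONTROL bits: 1 = no broadcast discovery, 2 = no multicast
# discovery, 4 = only accept servers listed in PXE_BOOT_SERVERS,
# 8 = boot the file named in the offer without discovery or menu.
DISC_ONLY_LISTED_SERVERS = 4


def _tlv(code, payload):
    if len(payload) > 255:
        raise ValueError("option %d too long for a one-byte length" % code)
    return bytes([code, len(payload)]) + payload


def pxe_vendor_options(boot_servers, menu, prompt, timeout, discovery_control):
    """Encode the PXE sub-options carried in DHCP option 43.
    boot_servers: [(server_type, [ip, ...])]; menu: [(server_type, text)]."""
    servers = b"".join(struct.pack("!HB", stype, len(ips))
                       + b"".join(socket.inet_aton(ip) for ip in ips)
                       for stype, ips in boot_servers)
    entries = b"".join(struct.pack("!HB", stype, len(text.encode())) + text.encode()
                       for stype, text in menu)
    body = (_tlv(PXE_DISCOVERY_CONTROL, bytes([discovery_control]))
            + _tlv(PXE_BOOT_SERVERS, servers)
            + _tlv(PXE_BOOT_MENU, entries)
            + _tlv(PXE_MENU_PROMPT, bytes([timeout]) + prompt.encode())
            + bytes([PXE_END]))
    if len(body) > 255:
        raise ValueError("option 43 payload exceeds 255 bytes")
    return body


def extended_dhcpoffer(xid, client_mac, server_ip, vendor_options):
    """Proxy-DHCP style DHCPOFFER: no address (yiaddr 0.0.0.0); the payload is
    option 60 'PXEClient' plus the PXE data in option 43."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0,                 # BOOTREPLY, Ethernet, hlen 6, hops
                         xid, 0, 0x8000,             # client's xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr
                         socket.inet_aton(server_ip), b"\0" * 4,   # siaddr, giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (_tlv(OPT_MSG_TYPE, bytes([DHCPOFFER]))
               + _tlv(OPT_SERVER_ID, socket.inet_aton(server_ip))
               + _tlv(OPT_VENDOR_CLASS, b"PXEClient")
               + _tlv(OPT_VENDOR_SPECIFIC, vendor_options)
               + b"\xff")
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(packet):
    """{code: raw value} from the options field; pad (0) skipped, end (255) stops."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_pxe_options(data):
    """Decode the option 43 payload back into the fields of the quoted list."""
    out, i = {}, 0
    while i < len(data) and data[i] != PXE_END:
        code, length = data[i], data[i + 1]
        val = data[i + 2:i + 2 + length]
        i += 2 + length
        if code == PXE_DISCOVERY_CONTROL:
            out["discovery_control"] = val[0]
        elif code == PXE_BOOT_SERVERS:
            servers, j = [], 0
            while j < len(val):
                stype, n = struct.unpack_from("!HB", val, j)
                j += 3
                servers.append((stype, [socket.inet_ntoa(val[j + 4 * k:j + 4 * k + 4])
                                        for k in range(n)]))
                j += 4 * n
            out["boot_servers"] = servers
        elif code == PXE_BOOT_MENU:
            menu, j = [], 0
            while j < len(val):
                stype, n = struct.unpack_from("!HB", val, j)
                j += 3
                menu.append((stype, val[j:j + n].decode()))
                j += n
            out["menu"] = menu
        elif code == PXE_MENU_PROMPT:
            out["prompt"] = (val[0], val[1:].decode())
    return out


# Constructed example values (addresses from the documentation range).
EXAMPLE = dict(boot_servers=[(0, ["192.0.2.10"]), (1, ["192.0.2.11", "192.0.2.12"])],
               menu=[(0, "Linux installer"), (1, "Rescue shell")],
               prompt="Press F8 for the boot menu", timeout=10,
               discovery_control=DISC_ONLY_LISTED_SERVERS)


def build_example_offer():
    return extended_dhcpoffer(0x12345678, bytes.fromhex("001122334455"), "192.0.2.10",
                              pxe_vendor_options(**EXAMPLE))


if __name__ == "__main__":
    print(parse_pxe_options(parse_dhcp_options(build_example_offer())[OPT_VENDOR_SPECIFIC]))
```

The one-byte length fields are the practical constraint: option 43 as a whole and each sub-option must fit in 255 bytes, which bounds how many servers and menu entries one offer can advertise.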

Gerrit replication, reject HostKey

Posted: 12 Jun 2022 05:02 PM PDT

I am trying to set up gerrit replication on my environment, but I am getting reject HostKey output.

The pubkey of the user running Gerrit is in the authorized_keys2 file on the remote host; however, I am able to ssh just fine when I do it manually in the terminal.

Any ideas?
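
Editor's added example (not code from the question or from Gerrit): "reject HostKey" is the message JSch, the SSH library Gerrit's replication uses, prints when the remote host's key is not in the known_hosts file it reads with strict host-key checking on. The authorized_keys side (which authenticates you to the remote host) is unrelated to it; what matters is the known_hosts of the account Gerrit runs as, which is not necessarily the one your interactive shell uses. The check below answers "is this host's key recorded in this known_hosts file?", including the two cases a plain `grep` misses: entries hashed with `HashKnownHosts` and the `[host]:port` form used for non-standard ports. The file contents, host names, port 29418 and the base64 blobs are constructed placeholders, not real keys. If the answer is no, `ssh-keyscan -p <port> <host>` appended to that file as the Gerrit user is the usual fix.

```python
import base64
import hashlib
import hmac
import os


def hashed_host_field(hostname, salt=None):
    """The form ssh writes with HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _hashed_matches(field, hostname):
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    salt, expect = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, expect)


def find_host_keys(known_hosts, hostname, port=22):
    """(key type, base64 key) pairs recorded for hostname. Handles hashed
    entries and the [host]:port form for non-standard ports; wildcard and
    negated patterns are not handled here."""
    want = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):           # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, keytype, key = parts[:3]
        if hosts.startswith("|1|"):
            if _hashed_matches(hosts, want):
                found.append((keytype, key))
        elif want in hosts.split(","):
            found.append((keytype, key))
    return found


def replication_target_known(known_hosts, hostname, port=22):
    """False is the condition behind 'reject HostKey' with strict checking on."""
    return bool(find_host_keys(known_hosts, hostname, port))


# Constructed sample file; the base64 blobs are placeholders, not real keys.
_SALT = b"0123456789abcdefghij"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# known_hosts of the account running Gerrit (constructed)",
    "example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder=",
    hashed_host_field("review.example.com", _SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholder=",
    "[git.example.com]:29418 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder=",
])


if __name__ == "__main__":
    for host, port in (("review.example.com", 22), ("git.example.com", 29418),
                       ("git.example.com", 22), ("mirror.example.net", 22)):
        print("%s:%d -> %s" % (host, port,
                               "known" if replication_target_known(SAMPLE_KNOWN_HOSTS, host, port)
                               else "would be rejected"))
```

Note that `git.example.com` on port 22 is reported unknown even though its port-29418 key is present: OpenSSH records the port in the host field, so a key accepted interactively on one port does not cover another.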

How to change key size in OpenSSH?

Posted: 12 Jun 2022 03:03 PM PDT

How to change key size in OpenSSH? I would like to change it from 1024 key size length to 512.
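
Editor's added example (not code from the question): the key size is chosen at generation time with `ssh-keygen -b <bits>` and read back with `ssh-keygen -l -f <pubkey>`. Before going the other way, note that 512-bit RSA has been factorable with modest resources for years and that current OpenSSH releases refuse to generate or accept RSA keys below 1024 bits, so a 512-bit key would not work with a modern sshd anyway; 3072 bits or an ed25519 key is the usual choice today. The script below shows where the bit count lives: it decodes the `ssh-rsa` wire format (string "ssh-rsa", mpint e, mpint n) behind the base64 column and audits an authorized_keys-style file against a minimum. The sample keys are constructed moduli of the right bit length, not real RSA keys, and the 2048-bit minimum is an assumed local policy.

```python
import base64
import struct


def _ssh_string(data):
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint: big-endian two's complement, so a leading 0x00 is added when
    the top bit is set (always the case for a full-length RSA modulus)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def ssh_rsa_blob(e, n):
    """Wire format behind the base64 column of an 'ssh-rsa' line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(buf, pos):
    (length,) = struct.unpack_from("!I", buf, pos)
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def rsa_modulus_bits(blob):
    """Modulus bit length of an ssh-rsa blob; None for other key types."""
    keytype, pos = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _, pos = _read_string(blob, pos)          # public exponent, not needed here
    modulus, _ = _read_string(blob, pos)
    return int.from_bytes(modulus, "big").bit_length()


def audit_rsa_keys(text, min_bits=2048):
    """[(comment, bits, ok)] for every ssh-rsa line of an authorized_keys or
    known_hosts style file; min_bits is an assumed local policy. Lines whose
    options field contains quoted spaces are not parsed."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if "ssh-rsa" not in parts:
            continue
        i = parts.index("ssh-rsa")
        bits = rsa_modulus_bits(base64.b64decode(parts[i + 1]))
        results.append((" ".join(parts[i + 2:]), bits, bits >= min_bits))
    return results


def _fake_key_line(bits, comment):
    # Constructed modulus with the exact bit length; NOT a real RSA key.
    n = (1 << (bits - 1)) | 0x10001
    return "ssh-rsa %s %s" % (base64.b64encode(ssh_rsa_blob(65537, n)).decode(), comment)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    _fake_key_line(512, "legacy@host"),
    _fake_key_line(1024, "old@host"),
    'from="10.0.0.0/8" ' + _fake_key_line(3072, "deploy@ci"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder= notrsa@host",   # skipped: not RSA
])


if __name__ == "__main__":
    for comment, bits, ok in audit_rsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print("%-12s %5d bits  %s" % (comment, bits, "ok" if ok else "BELOW POLICY"))
```

The same decoder works on the key column of known_hosts, which is where a server's own RSA host key size can be checked from the client side.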

How to build/install calendar.so for php?

Posted: 12 Jun 2022 04:04 PM PDT

I did the usual untar/configure/build for php 5.2.13.

Configure includes --enable-calendar

Build works. I then run the libtool as instructed but no calendar.so is produced.

How do I make calendar.so?

Thank you!

(Linux system)
