https://wiki.dhits.nl/api.php?action=feedcontributions&user=Tony&feedformat=atom
DWIKI - User contributions [en]
2024-03-29T14:08:18Z
User contributions
MediaWiki 1.39.1
https://wiki.dhits.nl/index.php?title=PineTime&diff=8806
PineTime
2024-03-27T14:59:48Z
<p>Tony: /* Gadgetbridge */</p>
<hr />
<div>=Links=<br />
*[https://wiki.pine64.org/wiki/PineTime PineTime Wiki]<br />
*[https://docs.infinitime.io/en/latest/user-documentation/index.html InfiniTime user documentation]<br />
*[https://github.com/InfiniTimeOrg/InfiniTime/blob/develop/doc/gettingStarted/gettingStarted-1.0.md Getting started with Infinitime]<br />
*[https://github.com/InfiniTimeOrg/InfiniTime/blob/develop/README.md#documentation InfiniTime documentation]<br />
*[https://github.com/InfiniTimeOrg/InfiniSim InfiniSim Emulator]<br />
<br />
=Discussions=<br />
==Sleep tracking==<br />
*[https://forum.pine64.org/showthread.php?tid=15490 Forum thread on sleep tracking]<br />
*[https://github.com/InfiniTimeOrg/InfiniTime/issues/307 Feature request: sleep tracking]<br />
=Tools=<br />
==Gadgetbridge==<br />
[https://github.com/Freeyourgadget/Gadgetbridge/wiki/PineTime Gadgetbridge and PineTime]<br />
Available via f-droid<br />
===Connecting gadgetbridge and PineWatch===<br />
It'll usually just say "Not Connected" without showing a way to connect.<br />
The secret solution: tap on the "Not connected" text.<br />
<br />
====Can't create device support====<br />
Make sure bluetooth is on, close and try again?<br />
<br />
==Notifications==<br />
*[https://gadgetbridge.org/basics/features/notifications/ Notifications]<br />
<br />
==itd==<br />
https://gitea.arsenm.dev/Arsen6331/itd<br />
<br />
=FAQ=<br />
==Reboot==<br />
Hold the button for at least 5 seconds</div>
Tony
https://wiki.dhits.nl/index.php?title=Apache&diff=8805
Apache
2024-03-26T16:15:21Z
<p>Tony: /* Check which MPM is running ( prefork or worker) */</p>
<hr />
<div>From the [http://httpd.apache.org/ apache homepage]:<br />
<blockquote>The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.</blockquote><br />
<br />
= Links =<br />
<br />
{| style="width:600px" border="0"<br />
|-<br />
| colspan="2" | '''Documentation'''<br />
|-<br />
| [http://httpd.apache.org/ http://httpd.apache.org/]<br />
| Apache homepage<br />
|-<br />
| [http://httpd.apache.org/docs/2.2/ http://httpd.apache.org/docs/2.2/]<br />
| 2.2 Reference<br />
|-<br />
| [http://httpd.apache.org/docs/2.0/ http://httpd.apache.org/docs/2.0/]<br />
| 2.0 Reference<br />
|-<br />
| [http://httpd.apache.org/docs/1.3/ http://httpd.apache.org/docs/1.3/]<br />
| 1.3 Reference<br />
|-<br />
| [http://www.tuxick.net/docs/apache_ssl.html Apache and SSL]<br />
|-<br />
| [http://ilovett.com/blog/projects/installing-ssl-on-debian-apache2 Apache2, Debian and SSL]<br />
|-<br />
| [http://www.vanemery.com/Linux/Apache/apache-SSL.html More Apache and SSL]<br />
|-<br />
| colspan="2" | '''Articles'''<br />
|-<br />
| [http://www.onlamp.com/pub/a/apache/2003/07/24/vhosts.html vhosts explained]<br />
| "Simplify Your Life with Apache Virtual Hosts" Russell Dyer 07/24/2003<br />
|-<br />
| colspan="2" | '''Tools'''<br />
|-<br />
| [http://awstats.sourceforge.net/ http://awstats.sourceforge.net/]<br />
| Apache log analyzer<br />
|}<br />
<br />
*[http://mod-qos.sourceforge.net/ QoS for Apache]<br />
*[https://github.com/alecthomas/geoip/blob/master/GeoIPCountryWhois.csv GeoIPCountryWhois.csv]<br />
<br />
=Documentation=<br />
==Virtual hosts==<br />
*[http://mysqlresources.com/cgi-bin/article.cgi?article_id=68 Apache Virtual Hosting]<br />
<br />
= Application & modules =<br />
<br />
=Log analyzers=<br />
*[[awstats]]<br />
*piwik<br />
*[[webalizer]]<br />
*[[urchin]]<br />
* zapache<br />
<br />
<br />
===Notes===<br />
* Don't use the CGI to present the data unless it is protected. Preferably use '''awstats_buildstaticpages.pl''' to build static pages and serve those; this saves resources and is more secure.<br />
<br />
= Related Items =<br />
== Web-based Single Sign-On ==<br />
=== Applications ===<br />
* [http://www.umich.edu/~umweb/software/cosign/ http://www.umich.edu/~umweb/software/cosign/] CoSign<br />
* [http://a-select.surfnet.nl/ http://a-select.surfnet.nl/] A-Select<br />
=== Comparisons ===<br />
* [http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf]<br />
* [http://www.umich.edu/~umweb/downloads/WebSSOImplementationComparision.pdf http://www.umich.edu/~umweb/downloads/WebSSOImplementationComparision.pdf]<br />
<br />
<br />
=HOWTO=<br />
==Log SSL protocols==<br />
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"<br />
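Added example (not from the original page): a Python parser for lines written in the CustomLog format above that counts requests per protocol and lists clients still negotiating SSLv3, TLS 1.0 or TLS 1.1. The sample log lines and function names are constructed for illustration.<br />

```python
import re
from collections import Counter

# One line of: CustomLog ... "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# %r may contain backslash-escaped quotes; %b is "-" when no body was sent.
LINE_RE = re.compile(
    r'^\[([^\]]+)\] (\S+) (\S+) (\S+) "((?:[^"\\]|\\.)*)" (\d+|-)$'
)

# Deprecated protocol versions: SSLv3 (RFC 7568), TLS 1.0 and 1.1 (RFC 8996).
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = r'''
[26/Mar/2024:16:15:21 +0100] 192.0.2.10 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 5120
[26/Mar/2024:16:15:22 +0100] 192.0.2.10 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" -
[26/Mar/2024:16:15:30 +0100] 198.51.100.7 TLSv1 ECDHE-RSA-AES256-SHA "POST /login HTTP/1.1" 312
[26/Mar/2024:16:15:41 +0100] 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /?q=\"x\" HTTP/1.1" 88
[26/Mar/2024:16:15:50 +0100] 198.51.100.7 TLSv1.1 ECDHE-RSA-AES256-SHA "GET /status HTTP/1.1" 44
truncated line without the expected fields
'''.strip().splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    when, host, protocol, cipher, request, size = m.groups()
    return {
        "time": when,
        "host": host,
        "protocol": protocol,
        "cipher": cipher,
        "request": request,
        "bytes": 0 if size == "-" else int(size),
    }


def summarize(lines):
    """Count requests per protocol and collect clients seen on legacy protocols."""
    protocols = Counter()
    legacy_clients = {}   # host -> set of legacy protocols it negotiated
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Keep a count instead of silently dropping lines: a format change
            # in the CustomLog directive would otherwise hide all results.
            unparsed += 1
            continue
        protocols[rec["protocol"]] += 1
        if rec["protocol"] in LEGACY_PROTOCOLS:
            legacy_clients.setdefault(rec["host"], set()).add(rec["protocol"])
    return protocols, legacy_clients, unparsed


if __name__ == "__main__":
    protocols, legacy_clients, unparsed = summarize(SAMPLE_LOG)
    for proto, count in protocols.most_common():
        print(f"{proto:8} {count}")
    for host in sorted(legacy_clients):
        print(f"legacy client {host}: {', '.join(sorted(legacy_clients[host]))}")
    print(f"unparsed lines: {unparsed}")
```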
<br />
<br />
<br />
= FAQ =<br />
<br />
==Enable module==<br />
===On Debian===<br />
a2enmod<br />
===On RedHat===<br />
<br />
<br />
<br />
==Enable HSTS==<br />
a2enmod headers<br />
and in config<br />
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"<br />
<br />
== AH01630: client denied by server configuration ==<br />
<br />
Probably using 2.2 config on 2.4, change<br />
<br />
Order allow,deny<br />
Allow from all<br />
<br />
to<br />
<br />
Require all granted<br />
<br />
== [core:emerg] [pid 3317] (28)No space left on device: AH00023: Couldn't create the rewrite-map mutex ==<br />
<br />
Check<br />
<br />
ipcs -s<br />
<br />
&nbsp;<br />
<br />
==Check which MPM is running ( prefork or worker) ==<br />
httpd -V | grep MPM<br />
or more modern<br />
apache2ctl -t -D DUMP_MODULES | grep mpm<br />
<br />
== NameVirtualHost *:80 has no VirtualHosts ==<br />
<br />
This means you're using <VirtualHost *> instead of <VirtualHost *:80>, or you have multiple declarations of NameVirtualHost *:80.<br />
<br />
== Telnet session to webserver ==<br />
<br />
telnet www.example.com 80<br />
GET / HTTP/1.0<br />
<enter><br />
<enter><br />
<br />
For a virtual host also pass the Host header (HTTP/1.1 requires it):<br />
<br />
GET / HTTP/1.1<br />
Host: virtual.host.com<br />
<enter><br />
<enter><br />
<br />
&nbsp;<br />
<br />
== Apache memory usage ==<br />
<br />
ps aux|grep http|awk '{sum+=$4} END {print sum}'<br />
<br />
&nbsp;<br />
<br />
== Authentication ==<br />
<br />
Read:<br />
<br />
*[http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html Apache Authentication in htaccess] <br />
*[http://weavervsworld.com/docs/other/passprotect.html Password Protection with .htaccess & .htpasswd] <br />
*[http://httpd.apache.org/docs/2.2/howto/auth.html http://httpd.apache.org/docs/2.2/howto/auth.html] <br />
*[https://httpd.apache.org/docs/2.4/howto/auth.html https://httpd.apache.org/docs/2.4/howto/auth.html] <br />
<br />
In .htaccess or a <Directory> section put:<br />
<br />
Authtype Basic<br />
AuthUserFile /etc/apache/htusers<br />
Require valid-user<br />
AuthName "Protected"<br />
<br />
== Hide directories ==<br />
<br />
RedirectMatch 404 /\.svn(/|$)<br />
<br />
or<br />
<DirectoryMatch "^/.*/\.git/"><br />
Require all denied<br />
</DirectoryMatch><br />
<br />
== Deny access to files ==<br />
<FilesMatch \.(?i:gif|jpe?g|png)$><br />
Require all denied<br />
</FilesMatch><br />
<br />
<br />
&nbsp;<br />
<br />
== Strange hang and not restarting ==<br />
<br />
ipcs -s|grep apache<br />
for i in `ipcs -s|grep apache|awk {'print $2'}`;do ipcrm sem $i;done;<br />
<br />
== Get core dumps ==<br />
<br />
*[http://wiki.apache.org/httpd/CoreDump http://wiki.apache.org/httpd/CoreDump] <br />
*/usr/share/doc/apache2.2-common/README.backtrace <br />
<br />
*[http://www.cyberciti.biz/tips/configure-apache-web-server-for-core-dump.html http://www.cyberciti.biz/tips/configure-apache-web-server-for-core-dump.html] <br />
<br />
In apache configuration:<br />
<br />
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights)<br />
<br />
=== On freebsd ===<br />
<br />
Set apache22limits_enable="YES" in /etc/rc.conf<br />
<br />
In apache configuration:<br />
<br />
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights)<br />
<br />
Other stuff to try<br />
<br />
sysctl kern.sugid_coredump=1<br />
sysctl kern.coredumps=1<br />
<br />
=== On Debian ===<br />
<br />
sysctl fs.suid_dumpable=2&nbsp;?<br />
ulimit -c unlimited&nbsp;?<br />
<br />
== Socket is not connected: core_output_filter: writing data to the network ==<br />
<br />
Bug in some versions?<br />
<br />
== Connection refused: connect to listener on 0.0.0.0:80 ==<br />
<br />
Seems a jail problem, try setting<br />
<br />
Listen 12.33.44.55:80<br />
<br />
&nbsp;<br />
<br />
== No such file or directory: Failed to enable the 'httpready' Accept Filter ==<br />
<br />
In /boot/loader.conf<br />
<br />
accf_data_load="YES"<br />
accf_http_load="YES"<br />
<br />
&nbsp;<br />
<br />
== sorting apache logs ==<br />
<br />
[http://jehiah.cz/archive/sorting-apache-logs http://jehiah.cz/archive/sorting-apache-logs]<br />
<br />
&nbsp;<br />
<br />
== unable to include potential exec ==<br />
<br />
== Rewriting and redirecting ==<br />
<br />
[http://www.aitechsolutions.net/apacheredirect.html http://www.aitechsolutions.net/apacheredirect.html]<br />
<br />
=== redirect http to https ===<br />
<br />
#this usually does the trick<br />
Redirect permanent / [https://foo.com https://foo.com]<br />
<br />
*[https://httpd.apache.org/docs/current/rewrite/avoid.html#redirect Use redirect instead of rewrite]<br />
<br />
== debugging rewrites ==<br />
<br />
== status codes ==<br />
<br />
*[http://www.w3.org/Protocols/HTTP/HTRESP.html http://www.w3.org/Protocols/HTTP/HTRESP.html] <br />
<br />
&nbsp;<br />
<br />
== client denied by server configuration ==<br />
<br />
That's the Deny/Allow bits in config<br />
<br />
&nbsp;<br />
<br />
== AH00179: changing ServerLimit to 700 from original value of 512 not allowed during restart ==<br />
<br />
Needs a real restart<br />
<br />
== AH00162: server seems busy ==<br />
<br />
maybe it's busy<br />
<br />
== server-status: ERROR 500: Internal Server Error==<br />
??</div>
Tony
https://wiki.dhits.nl/index.php?title=Zabbix&diff=8804
Zabbix
2024-03-26T10:56:37Z
<p>Tony: /* HOWTO */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[http://www.zabbix.org/ Homepage] <br />
*[https://zabbix.org/wiki/Docs/DB_schema/4.0 zabbix 4 database schema] <br />
*[https://www.zabbix.com/documentation/current/en/manual/appendix/compatibility Zabbix compatibility matrix]<br />
*[https://www.digitalocean.com/community/tutorials/introduction-to-queries-mysql https://www.digitalocean.com/community/tutorials/introduction-to-queries-mysql] <br />
*[http://zabbix.org/wiki/Compilation_instructions compilation instructions] <br />
*[http://www.zabbix.com/documentation Documentation] <br />
*[https://dev.mysql.com/doc/mysql-tutorial-excerpt/8.0/en/examples.html Examples of Common Queries] <br />
*[http://zabbixzone.com/zabbix/easy-update-on-custom-scripts/ Custom scripts] <br />
*[https://github.com/q1x/zabbix-gnomes Various scripts to automate tasks in Zabbix] <br />
*[https://www.percona.com/blog/2014/11/14/optimizing-mysql-zabbix/ Tuning mysql for zabbix] <br />
*[https://huyabbix.com https://huyabbix.com] <br />
*[http://techblog.procurios.nl/k/n618/news/view/56429/14863/how-to-migrate-mysql-databases-without-downtime.html Migrating zabbix database with minimal downtime] <br />
*[https://support.zabbix.com/browse/ZBX/ Bug tracker] <br />
*[http://www.michaelfoster82.co.uk/zabbix-database-cleanup-delete-old-data/ Clean up database] <br />
*[https://linux.die.net/man/8/zabbix_selinux Zabbix and selinux] <br />
*[https://github.com/a-schild/zabbix-ssl Apache/SSL checks] <br />
*[[Zabbix_on_RHEL/Centos|Zabbix on RHEL/Centos]] <br />
*[[Grafana|Grafana]] <br />
*[https://blog.zabbix.com/zabbix-ha-cluster-setups/8264/ Zabbix HA cluster] <br />
*[https://blog.zabbix.com/zabbix-agent-active-vs-passive/9207/ Active vs Passive]<br />
*[https://geofrogger.net/review/zabbix20.svg Very old network diagram] <br />
*[https://blog.zabbix.com/fighting-notification-floods-and-misleading-alerts-in-distributed-zabbix-deployments/11600/ Fighting zabbix alert floods] <br />
*[https://github.com/unioslo/zabbix-cli zabbix-cli]<br />
<br />
=Documentation=<br />
==Triggers==<br />
*[https://www.zabbix.com/documentation/current/en/manual/appendix/functions Trigger functions]<br />
Function str() searches for substrings<br />
<br />
==AND OR case==<br />
not, and and or operators are case-sensitive and must be in lowercase. They also must be surrounded by spaces or parentheses.<br />
<br />
<br />
==Installation==<br />
*[https://repo.zabbix.com/ Zabbix repositories]<br />
*[https://wiki.gentoo.org/wiki/User:MalakymR/Zabbix Zabbix on Gentoo]<br />
<br />
== Installing Zabbix from git ==<br />
<br />
git clone [https://github.com/zabbix/zabbix.git https://github.com/zabbix/zabbix.git]<br />
cd zabbix <br />
./bootstrap.sh<br />
./configure --help<br />
autoreconf -fvi<br />
<br />
If you don't have a Makefile, try<br />
./config.status Makefile<br />
and then<br />
./configure<br />
again<br />
<br />
== Zabbix API ==<br />
<br />
*[https://www.zabbix.com/documentation/current/manual/api The Zabbix API] <br />
*[https://www.zabbix.com/integrations/python API and python] <br />
<br />
<br />
==Zabbix agent paths==<br />
Ubuntu:<br />
/etc/zabbix/zabbix_agentd.conf.d/<br />
/etc/zabbix/zabbix_agentd.conf<br />
<br />
==Simple check==<br />
*[https://www.zabbix.com/documentation/6.4/en/manual/config/items/itemtypes/simple_checks Simple checks]<br />
<br />
<br />
==Zabbix and SNMP==<br />
*[https://bestmonitoringtools.com/tutorial-snmp-traps-on-zabbix/ Zabbix SNMP Traps: A Step-by-Step Guide]<br />
<br />
= Zabbix error codes =<br />
<br />
== Z3005 ==<br />
<br />
Database issue<br />
<br />
= Items =<br />
[https://www.zabbix.com/documentation/6.0/en/manual/config/items/itemtypes/zabbix_agent Agent item keys]<br />
==Item dialog==<br />
*[https://www.zabbix.com/documentation/5.4/en/manual/config/items/item Item documentation]<br />
*[https://www.zabbix.com/documentation/5.4/en/manual/config/items/itemtypes/zabbix_agent Zabbix agent items]<br />
===Units===<br />
<br />
*B<br />
*uptime<br />
*unixtime<br />
*s<br />
<br />
== proc.mem ==<br />
<br />
proc.mem[<name>,<user>,<mode>,<cmdline>,<memtype>]<br />
<br />
=== name ===<br />
<br />
??<br />
<br />
=== cmdline ===<br />
<br />
regex like php-fpm:<br />
<br />
===memtype===<br />
*[https://www.zabbix.com/documentation/5.0/en/manual/appendix/items/proc_mem_notes Notes on proc.mem memtypes]<br />
<br />
<br />
==Item preprocessing==<br />
===Preprocessing regular expressions===<br />
See [https://www.zabbix.com/documentation/current/en/manual/regular_expressions#example Regular expressions: example]<br />
<br />
===XML/xpath preprocessing===<br />
https://blog.zabbix.com/zabbix-xpath-preprocessing/7936/<br />
<br />
NOTE xq -x does not want the number() bit<br />
<br />
<br />
<br />
===Incorrect value for field "Prev. time": a relative time is expected.===<br />
Prev. Time should be something like<br />
now-30s<br />
<br />
==Windows performance counters==<br />
https://www.zabbix.com/documentation/current/en/manual/config/items/perfcounters<br />
<br />
= Templates =<br />
<br />
*[https://github.com/zabbix/community-templates/ Community templates]<br />
<br />
==Template App MySQL==<br />
https://github.com/tiramiseb/zabbix-templates/blob/master/Template%20App%20MySQL.txt<br />
TODO shouldn't this be user zabbix?<br />
<br />
mysql user account:<br />
create user 'monitor'@'localhost' identified with auth_socket;<br />
grant PROCESS,SHOW DATABASES,SHOW VIEW on *.* to 'monitor'@'localhost';<br />
flush privileges;<br />
<br />
= Configuration =<br />
<br />
== Zabbix agent active ==<br />
<br />
=== On client ===<br />
Have port 10051 open and:<br />
ServerActive=zabbix.ser.ver<br />
<br />
=== On server ===<br />
<br />
Set Agent IP to 0.0.0.0<br />
<br />
&nbsp;<br />
=Zabbix and SQL=<br />
==Find hosts with hostmacro defined== <br />
select h.host, m.macro, m.value from hosts h, hostmacro m where macro like '%FOO%' and h.hostid = m.hostid;<br />
<br />
<br />
==most frequent items in history_uint==<br />
select itemid,count(itemid) as freq from history_uint group by itemid order by freq desc limit 5;<br />
<br />
and then<br />
select name from items where itemid = whateveryoufind;<br />
<br />
= HOWTO =<br />
<br />
==Define discovery filters==<br />
<br />
<br />
== LLD with JSON ==<br />
*[https://blog.zabbix.com/low-level-discovery-with-dependent-items/13634/ LLD with JSON and dependent items]<br />
*https://www.zabbix.com/forum/zabbix-help/383827-json-and-lld-understanding <br />
*https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/456663-lld-macros-with-json<br />
<br />
if you want multiple keys, use jsonpath like <br />
$[?(@.share=='{#FSTYPE}' && @.name=='{#NAME}')].size.first()<br />
===testing jsonpath preprocessing===<br />
In Value paste valid json, then name {#NAME} value somevalue<br />
<br />
== Test trapper ==<br />
<br />
<br />
==Reset admin password==<br />
MySQL prompt:<br />
select * from users where username='Admin';<br />
bcrypt your new password:<br />
htpasswd -nbBC 10 USER YOURPASSWORD|awk -F ':' '{ print $2 }'<br />
MySQL prompt:<br />
update users set passwd = 'your bcrypted pass' where userid = 1;<br />
<br />
= FAQ =<br />
<br />
== SERVER ==<br />
<br />
=== Adjust loglevel ===<br />
<br />
zabbix_server --runtime-control log_level_increase=trapper<br />
<br />
<br />
&nbsp;<br />
<br />
=== Reload zabbix server configuration ===<br />
<br />
You can't, but you might want<br />
<br />
zabbix_server -c /etc/zabbix/zabbix_server.conf -R config_cache_reload<br />
<br />
&nbsp;<br />
<br />
=== No media defined for user ===<br />
<br />
=== The frontend does not match Zabbix database. ===<br />
<br />
Probably version conflict between frontend and server<br />
<br />
&nbsp;<br />
<br />
=== value cache working in low memory mode ===<br />
<br />
Increase ValueCacheSize<br />
<br />
<br />
=== Message from 1.2.3.4 is missing header. Message ignored. ===<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
== PROXY ==<br />
<br />
[[ Zabbix Proxy ]]<br />
<br />
===cannot send proxy data to server===<br />
empty string received<br />
<br />
===failed to update local proxy configuration copy: unexpected field "host_inventory.type"===<br />
<br />
<br />
== Front end ==<br />
<br />
===Round numbers===<br />
Preprocessing javascript<br />
2 decimals:<br />
return Math.round(value* 100) / 100<br />
0 decimals:<br />
return Math.round(value)<br />
<br />
=== Visible name vs hostname ===<br />
<br />
Visible name: {HOST.NAME}<br />
<br />
Hostname: {HOST.HOST}<br />
<br />
Host IP: (as defined in Interface->IP/DNS) {HOST.CONN}<br />
<br />
&nbsp;<br />
<br />
=== Acknowledge multiple items ===<br />
<br />
Monitor->Problems apply filters, select all, mass update<br />
<br />
&nbsp;<br />
<br />
=== No permissions to referred object or it does not exist! ===<br />
<br />
Graph no longer exists. Probably items no longer discovered<br />
<br />
Maybe you've been editing a template file, remember to replace template name everywhere<br />
<br />
=== Cannot add host ===<br />
<br />
??<br />
<br />
== Monitoring SNMP ==<br />
<br />
=== Cannot find host interface on "xxxhost" for item key foo ===<br />
<br />
Might mean you're trying to import an SNMP template before configuring SNMP for the host<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
=== No SNMP data ===<br />
<br />
=== snmp_parse_oid(): cannot parse OID "IF-MIB::ifSpeed.3 ===<br />
<br />
<br />
===Timeout while connecting===<br />
Could be wrong community string, remember delay when using proxy.<br />
<br />
== Agent side ping check ==<br />
<br />
UserParameter=pingtime[*],fping -e $1|sed 's/^.*(\([0-9].*\) ms).*$/\1/g'<br />
UserParameter=pingalive[*],fping $1|grep -q alive;echo $?<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
<br />
==LLD/Discovery==<br />
=== Discover: value must be a JSON object ===<br />
<br />
Could mean you need to escape slashes, check output with zabbix_get<br />
<br />
<br />
===Cannot create item: item with the same key already exists===<br />
make sure the key contains "{#SOMENAME}"<br />
<br />
== Discovery data example ==<br />
<br />
Output of a discovery script should look like:<br />
<br />
{"data":[<br />
{"{#VAR1}":"value11","{#VAR2}":"value12"},<br />
{"{#VAR1}":"value21","{#VAR2}":"value22"}<br />
]}<br />
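Added example (not from the original page): the discovery output above built in Python, so the JSON encoder does the escaping that a hand-assembled string gets wrong, which is one way to end up with the "value must be a JSON object" error. The sample rows and function names are constructed; the macro-name pattern assumes Zabbix's documented LLD macro character set (uppercase letters, digits, underscore, dot).<br />

```python
import json
import re

# LLD macro names look like {#NAME}: uppercase letters, digits, "_" and ".".
MACRO_RE = re.compile(r'^\{#[A-Z0-9_.]+\}$')

# Constructed sample rows: the UNC path contains backslashes, the label quotes.
ROWS = [
    {"{#FSNAME}": "/var/lib/mysql", "{#FSLABEL}": "db"},
    {"{#FSNAME}": r"\\nas\share", "{#FSLABEL}": 'the "backup" share'},
]


def naive_lld(rows):
    """Hand-assembled JSON, the way a script using echo/printf would build it."""
    objs = []
    for row in rows:
        pairs = ",".join('"%s":"%s"' % (key, value) for key, value in row.items())
        objs.append("{" + pairs + "}")
    return '{"data":[' + ",".join(objs) + "]}"


def build_lld(rows):
    """Validate the macro names, then let the JSON encoder do the escaping."""
    for index, row in enumerate(rows):
        for key in row:
            if not MACRO_RE.match(key):
                raise ValueError("row %d: bad LLD macro name %r" % (index, key))
    return json.dumps({"data": rows})


def is_valid_json(text):
    """True if text parses as JSON, which is the first thing the server needs."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # The naive builder works until a value needs escaping.
    print("naive, plain values :", is_valid_json(naive_lld(ROWS[:1])))
    print("naive, all rows     :", is_valid_json(naive_lld(ROWS)))
    print("encoder, all rows   :", is_valid_json(build_lld(ROWS)))
    print(build_lld(ROWS))
```

Compare the script's real output with zabbix_get, as the page suggests, since that is what the server actually receives.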
<br />
<br />
<br />
<br />
== IPMI ==<br />
<br />
=== IPMI Monitoring account for zabbix ===<br />
<br />
[https://www.thomas-krenn.com/en/wiki/Configuring_IPMI_under_Linux_using_ipmitool https://www.thomas-krenn.com/en/wiki/Configuring_IPMI_under_Linux_using_ipmitool]<br />
<br />
ipmitool user set name 3 monitor<br />
ipmitool user set password 3<br />
ipmitool channel setaccess 1 3 link=on ipmi=on callin=on privilege=2<br />
ipmitool user enable 3<br />
<br />
<br />
<br />
===Zabbix credentials===<br />
Authentication algorithm<br />
Default?<br />
<br />
=== cannot connect to IPMI host: [22] Operation canceled ===<br />
<br />
Usually temporary because of broken ipmi lib, ignore it<br />
<br />
&nbsp;<br />
<br />
=== cannot connect to IPMI host: [16777411] Unknown error 16777411 ===<br />
<br />
classic, probably authentication problem<br />
<br />
=== cannot connect to IPMI host: [22] Invalid argument ===<br />
<br />
== zabbix_sender ==<br />
<br />
=== processed: 0; failed: 1 ===<br />
<br />
Possible causes:<br />
<br />
*incorrect hostname <br />
*incorrect item key <br />
*item not in the server configuration cache yet <br />
*Allowed hosts in trapper item <br />
*phase of moon <br />
*aliens <br />
<br />
&nbsp;<br />
<br />
=== Testing zabbix_sender ===<br />
<br />
zabbix_sender stuff<br />
<br />
== Filters ==<br />
<br />
The regular expressions referred to in discovery are found under Administration->General, and then "Regular expressions" in the dropdown at top right of the page<br />
<br />
=== cannot connect to IPMI host: [125] Operation canceled ===<br />
<br />
possibly authentication method issue<br />
<br />
<br />
&nbsp;<br />
== Calculated items ==<br />
See [https://blog.zabbix.com/zabbix-monitoring-with-calculated-items-explained/9950/ Calculated items explained]<br />
=== Cannot create item: Invalid first parameter ===<br />
For calculated items use last("youritemkey")<br />
<br />
=== Cannot create item, error in formula ===<br />
Probably a calculated item, try doublequoting the item key:<br />
<br />
last("foo[bar]")<br />
<br />
===Invalid parameter "/1/params"===<br />
Maybe forgot to use last()?<br />
You might need to doublequote your items, or prepend with double slashes<br />
<br />
<br />
== Reset trigger/alert ==<br />
For example when you changed the settings <br />
Just disable, wait a bit and enable again.<br />
== Install recent zabbix on CentOS/RHEL ==<br />
<br />
rpm -ivh [https://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm https://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm]<br />
yum install zabbix-agent<br />
<br />
<br />
== Backing up tables ==<br />
<br />
[https://www.zabbix.org/wiki/Docs/howto/mysql_backup_script https://www.zabbix.org/wiki/Docs/howto/mysql_backup_script]<br />
<br />
&nbsp;<br />
<br />
== cannot send list of active checks ==<br />
Verify hostname:<br />
/usr/sbin/zabbix_agentd -t 'agent.hostname'<br />
<br />
If in agent log: most likely ServerActive is defined in agent config, while not used at all<br />
<br />
It is also possible agent is sending some active check to server while host is monitored via proxy.<br />
<br />
In proxy/server log:<br />
most likely '''Hostname''' in agent config does not match hostname used on server.<br />
<br />
==cannot send list of active checks to "127.0.0.1": host [Zabbix server] not found==<br />
??<br />
<br />
== active check configuration update started to fail ==<br />
<br />
??<br />
<br />
== Latest 20 issues ==<br />
<br />
DEFAULT_LATEST_ISSUES_CNT in /usr/share/zabbix/include/defines.inc.php<br />
<br />
&nbsp;<br />
<br />
== Zabbix unreachable poller processes more than 75% busy ==<br />
<br />
Increase '''StartPollersUnreachable'''<br />
<br />
&nbsp;<br />
<br />
== Zabbix poller processes more than 75% busy ==<br />
<br />
another mystery<br />
<br />
== More than 100 items having missing data for more than 10 minutes ==<br />
<br />
Could be high load. Also check Administration->Queue<br />
<br />
== Zabbix escalator processes more than 75% busy ==<br />
<br />
probably high system load overall<br />
<br />
== Check agent ==<br />
<br />
zabbix_get -s my.host.com -k agent.version<br />
<br />
== ZBX_NOTSUPPORTED ==<br />
<br />
Could be anything, enable logging on agent. It could be version mismatch. Check<br />
<br />
zabbix_get -s yourhost -k agent.version<br />
<br />
If that works, you're calling for an undefined or unsupported key.<br />
<br />
== Incorrect trigger expression. Host "xx" does not exist or you have no access to this host. ==<br />
<br />
Means there's no related item.<br />
<br />
== zabbix_get returns nothing ==<br />
<br />
best look at log on agent side<br />
<br />
== run playbook on single host ==<br />
<br />
ansible-playbook -l somehost someplay.yml<br />
<br />
[[:Category:Monitoring]]<br />
<br />
&nbsp;<br />
<br />
== Zabbix server is not running: the information displayed may not be current ==<br />
<br />
Might be selinux: [http://sysads.co.uk/2013/11/zabbix-server-running-alert/ http://sysads.co.uk/2013/11/zabbix-server-running-alert/]<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
== Monitoring vmware ==<br />
<br />
=== vmware.hv.cpu.usage[{$URL},{HOST.HOST}]" became not supported: Couldn't resolve host name ===<br />
<br />
Set macro {$URL} to [https://your.ip/sdk/ https://your.ip/sdk/] (shouldn't discovery figure that out from {$HOST}?)<br />
<br />
<br />
=== Couldn't resolve host name ===<br />
<br />
Sometimes it's a matter of waiting a few hours<br />
<br />
&nbsp;<br />
<br />
=== vmware events collector returned empty result ===<br />
<br />
???<br />
<br />
=== No "vmware collector" processes started. ===<br />
<br />
Check StartVMwareCollectors on server or proxy<br />
<br />
&nbsp;<br />
<br />
== unsupported item key ==<br />
<br />
This might mean it's expecting a value from the script you're calling.<br />
<br />
echo 1<br />
remember: not supported is not disabled, server/proxy will try again after interval <br />
<br />
=== became not supported: Not supported by Zabbix Agent ===<br />
<br />
probably output by userparameter/script<br />
<br />
== ansible or API not showing host groups ==<br />
<br />
Permissions!! See Administration->User Groups<br />
<br />
&nbsp;<br />
<br />
== failed to update local proxy configuration copy: invalid field name "items.lastlogsize" ==<br />
<br />
check everything&nbsp;:)<br />
<br />
== Received value [11] is not suitable for value type [Numeric (unsigned)] and data type [Decimal] ==<br />
<br />
This probably means the agent returned 1\n1<br />
<br />
&nbsp;<br />
<br />
== database is down: retrying in 10 seconds ==<br />
<br />
try upping max_connections<br />
<br />
== [Incorrect key file for table 'items'; try to repair it ==<br />
<br />
Could be something /tmp related<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
== another network error, wait for 8 seconds ==<br />
<br />
'''UnreachableDelay'''=8<br />
<br />
&nbsp;<br />
<br />
== failed: first network error ==<br />
<br />
Setting '''Timeout '''in server configuration<br />
<br />
also Timeout in agents?<br />
<br />
&nbsp;<br />
<br />
== no active checks on server ==<br />
*Hostname in agent config (-kagent.hostname) must match name on server<br />
*simply no connection possible? firewall?<br />
???<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
== show cpu utilization ==<br />
<br />
Monitoring->host->graphs<br />
<br />
===fuzzytime on command line===<br />
TS=lotsofseconds<br />
#output in hours<br />
echo $(( ($(date +%s) - $TS) / 3600 ))<br />
<br />
==duplicate entry adding user/group==<br />
Check table 'ids'<br />
<br />
<br />
==Troubleshooting==<br />
===zabbix_get: no route to host===<br />
Check the firewall<br />
<br />
[[Category:Monitoring]]</div>
Tony
https://wiki.dhits.nl/index.php?title=Kubernetes&diff=8803
Kubernetes
2024-03-25T15:20:07Z
<p>Tony: /* Links */</p>
<hr />
<div>=Links=<br />
*[https://kubernetes.io/ Kubernetes homepage]<br />
*https://github.com/kubernetes<br />
*[https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is kubernetes?]<br />
<br />
<br />
=HOWTO=<br />
==List all containers==<br />
kubectl get pods --all-namespaces</div>
Tony
https://wiki.dhits.nl/index.php?title=Netplan&diff=8802
Netplan
2024-03-25T15:06:44Z
<p>Tony: /* FAQ */</p>
<hr />
<div><br />
Ubuntu network configuration new style<br />
<br />
<br />
= Links =<br />
<br />
*[https://netplan.io/ Homepage] <br />
*[https://netplan.io/examples/ Netplan examples]<br />
<br />
= FAQ =<br />
<br />
== An error occurred: 'NetplanApply' object has no attribute 'state ==<br />
<br />
That's because netplan is broken, try:<br />
<br />
netplan try --state /etc/netplan<br />
<br />
<br />
== `gateway6` has been deprecated, use default routes instead ==<br />
Use:<br />
routes:<br />
  - to: default<br />
    via: fe80::1<br />
<br />
<br />
==Error in network definition: expected mapping (check indentation)==<br />
It seems to prefer list of addresses in square brackets<br />
<br />
<br />
==`gateway4` has been deprecated, use default routes instead.==<br />
Try<br />
routes:<br />
  - to: default<br />
    via: 192.168.10.1</div>
Tony
https://wiki.dhits.nl/index.php?title=ZFS&diff=8801
ZFS
2024-03-25T12:28:47Z
<p>Tony: /* Replace disk in zfs */</p>
<hr />
<div><br />
= Links =<br />
*[http://open-zfs.org http://open-zfs.org] <br />
*[http://www.edplese.com/samba-with-zfs.html http://www.edplese.com/samba-with-zfs.html] <br />
*[http://wintelguy.com/zfs-calc.pl ZFS calculator] <br />
*[https://www.raidz-calculator.com/default.aspx another zfs calculator]<br />
*[https://bm-stor.com/index.php/blog/Linux-cluster-with-ZFS-on-Cluster-in-a-Box/ ZFS clustering] <br />
*[https://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/ ZFS and ECC] <br />
*[https://docs.joyent.com/private-cloud/troubleshooting/disk-replacement ZFS troubleshooting/disk replacement] <br />
*[https://www.high-availability.com/docs/Quickstart-ZFS-Cluster/ Creating a ZFS HA Cluster using shared or shared-nothing storage]<br />
*[https://arstechnica.com/information-technology/2020/05/zfs-101-understanding-zfs-storage-and-performance/ ZFS 101]<br />
*[https://arstechnica.com/gadgets/2021/06/raidz-expansion-code-lands-in-openzfs-master/ Raidz expansion]<br />
*[https://somedudesays.com/2021/08/the-basic-guide-to-working-with-zfs/ Basic guide to working with zfs]<br />
*[https://wiki.archlinux.org/title/ZFS Archlinux page on ZFS]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html Raidz basic concepts]<br />
<br />
=Documentation=<br />
*[https://openzfs.github.io/openzfs-docs/man/4/zfs.4.html zfs manpage]<br />
*[http://zfsonlinux.org/ ZFS on Linux] <br />
*[https://openzfs.org/wiki/ openzfs wiki]<br />
*[https://wiki.gentoo.org/wiki/ZFS https://wiki.gentoo.org/wiki/ZFS] <br />
*[https://blog.programster.org/zfs-cheatsheet ZFS cheatsheet] <br />
*[http://wiki.freebsd.org/ZFSQuickStartGuide http://wiki.freebsd.org/ZFSQuickStartGuide] <br />
*[http://www.opensolaris.org/os/community/zfs/intro/ Opensolaris ZFS intro]<br />
*[http://www.raidz-calculator.com/raidz-types-reference.aspx raidz types reference]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSZpoolFragmentationMeaning ZFS fragmentation]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html raidz]<br />
<br />
==ARC/Caching==<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCItsVariousSizes ZFS Arc various sizes]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSUnderstandingARCHits Understanding ARC hits]<br />
*[https://www.45drives.com/community/articles/zfs-caching/ ZFS Caching]<br />
*[https://zfs-discuss.opensolaris.narkive.com/D7v2YmjF/raidz-what-is-stored-in-parity What is stored in parity]<br />
<br />
===L2ARC===<br />
*[https://klarasystems.com/articles/openzfs-all-about-l2arc/ OpenZFS: All about the cache vdev or L2ARC]<br />
<br />
sysctl kstat.zfs.misc.arcstats | egrep 'l2_(hits|misses)'<br />
and<br />
egrep 'l2_(hits|misses)' /proc/spl/kstat/zfs/arcstats<br />
<br />
==Tuning ZFS==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/index.html ZFS Performance and Tuning]<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://www.high-availability.com/docs/ZFS-Tuning-Guide/ ZFS Tuning and Optimisation]<br />
*[https://forums.oracle.com/ords/apexds/post/part-10-monitoring-and-tuning-zfs-performance-4977 Monitoring and Tuning ZFS Performance]<br />
<br />
==ARC statistics==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning module parameters]<br />
*[https://openzfs.github.io/openzfs-docs/man/master/4/zfs.4.html ZFS]<br />
<br />
===ZFS module parameters===<br />
/sys/module/zfs/parameters/<br />
cat /proc/spl/kstat/zfs/arcstats<br />
===data_size===<br />
size of cached user data<br />
<br />
===dnode_size===<br />
<br />
===hdr_size===<br />
size of L2ARC headers stored in main ARC<br />
<br />
===metadata_size===<br />
size of cached metadata<br />
<br />
=Tools=<br />
*[https://github.com/asomers/ztop ztop]<br />
*[https://github.com/jimsalterjrs/ioztat ioztat]<br />
*[https://cuddletech.com/2008/10/explore-your-zfs-adaptive-replacement-cache-arc/ arc_summary]<br />
*[https://github.com/richardelling/zfs-linux-tools zfs-linux-tools] kstat-analyzer is rather helpful<br />
<br />
<br />
==kstat-analyzer==<br />
<br />
===prefetch hit rate is low, consider tuning prefetcher===<br />
Check:<br />
<br />
Supposed to leave that at 0:<br />
cat /sys/module/zfs/parameters/zfs_vdev_cache_size<br />
<br />
<br />
Code: <br />
if (float(kstats['hits']) / accesses) < PREFETCH_RATIO_OK<br />
<br />
Relevant links:<br />
*https://www.truenas.com/community/threads/notes-on-zfs-prefetch.1076/<br />
<br />
*https://www.phoronix.com/news/OpenZFS-Uncached-Prefetch<br />
<br />
=Processes=<br />
==arc_evict==<br />
Evict buffers from list until we've removed the specified number of<br />
bytes. Move the removed buffers to the appropriate evict state.<br />
If the recycle flag is set, then attempt to "recycle" a buffer:<br />
- look for a buffer to evict that is `bytes' long.<br />
- return the data block from this buffer rather than freeing it.<br />
This flag is used by callers that are trying to make space for a<br />
new buffer in a full arc cache.<br />
<br />
<br />
This function makes a "best effort". It skips over any buffers<br />
it can't get a hash_lock on, and so may not catch all candidates.<br />
It may also return without evicting as much space as requested.<br />
<br />
==arc_prune==<br />
<br />
=Commands=<br />
<br />
==Getting arc statistics==<br />
arcstat<br />
<br />
arc_summary<br />
Tip, for details use<br />
arc_summary -d<br />
There is also<br />
cat /proc/spl/kstat/zfs/arcstats<br />
<br />
and<br />
zfetchstat + kstat-analyzer from zfs-linux-tools<br />
<br />
<br />
===zil/slog statistics===<br />
arc_summary -s zil<br />
<br />
===l2arc statistics===<br />
arc_summary -s l2arc<br />
<br />
==Getting IO statistics==<br />
zpool iostat -v 300<br />
<br />
=Terms and acronyms=<br />
==vdev==<br />
'''V'''irtual '''Dev'''ice.<br />
<br />
*[https://wiki.archlinux.org/title/ZFS/Virtual_disks ZFS Virtual disks]<br />
==ARC==<br />
'''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
Portion of RAM used to cache data to speed up read performance<br />
<br />
==L2ARC==<br />
'''L'''evel '''2''' '''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
"L2ARC is usually considered if hit rate for the ARC is below 90% while having 64+ GB of RAM"<br />
<br />
SSD cache<br />
<br />
==DMU==<br />
Data Management Unit<br />
<br />
<br />
==MFU==<br />
Most Frequently Used<br />
<br />
==MRU==<br />
Most Recently Used<br />
<br />
==zvol==<br />
A kind of block device whose space is allocated from the pool; useful for iSCSI targets<br />
<br />
==Scrubbing==<br />
Checking disks/data integrity<br />
 zpool status <poolname> | grep scrub<br />
<br />
and<br />
zpool scrub <poolname><br />
probably taken care of by cron.<br />
<br />
<br />
==SLOG==<br />
See [ZIL]<br />
<br />
==ZIL==<br />
[https://constantin.glez.de/2010/07/20/solaris-zfs-synchronous-writes-and-zil-explained/ ZIL explained]<br />
<br />
The space where synchronous writes are logged before the confirmation is sent back to the client<br />
<br />
==prefetch==<br />
See /proc/spl/kstat/zfs/zfetchstats<br />
<br />
*[https://cuddletech.com/2009/05/understanding-zfs-prefetch/ Understanding ZFS prefetch]<br />
*[https://svennd.be/tuning-of-zfs-module/ Tuning of the ZFS module]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCStatsAndPrefetch Some basic ZFS ARC statistics and prefetching]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSPrefetchStatsNotes Some notes on ZFS prefetch related stats]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
<br />
= HOWTO =<br />
==Caching==<br />
===Add log/cache===<br />
zpool add rpool cache sdf<br />
<br />
===Add ZIL/SLOG write cache===<br />
<br />
zpool add rpool log mirror sdk sdl<br />
<br />
===Remove ZIL/SLOG mirrored cache===<br />
zpool remove mypool mirror-4 sdn1 sdo1<br />
<br />
==Getting statistics==<br />
<br />
===Show cache activity===<br />
dstat --zfs-arc --zfs-l2arc --zfs-zil -d 5<br />
<br />
===zpool===<br />
zpool iostat<br />
====More statistics, every 5 seconds====<br />
 zpool iostat -v 5<br />
<br />
===Flush linux caches===<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===arc statistics===<br />
===l2arc statistics===<br />
<br />
===ZIL statistics===<br />
cat /proc/spl/kstat/zfs/zil<br />
<br />
==Create zfs filesystem==<br />
zfs create poolname/fsname<br />
This also creates the mountpoint.<br />
<br />
<br />
==Add vdev to pool==<br />
zpool add mypool raidz1 sdg sdh sdi<br />
<br />
== Replace disk in zfs ==<br />
<br />
=== Some links ===<br />
<br />
*[https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/ https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/] <br />
<br />
Get information first:<br />
<br />
Name of disk<br />
<br />
zpool status<br />
<br />
<br />
Find uid of disk to replace<br />
<br />
Take it offline:<br />
<br />
zpool offline poolname ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M5RLZC6V<br />
<br />
Get the disk guid:<br />
<br />
zdb<br />
<br />
guid: 15233236897831806877<br />
<br />
Get list of disk by id:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Save the id, shut down, replace the disk, boot.<br />
<br />
Find the new disk:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Run the replace command. The id is the guid of the old disk; the name is that of the new disk:<br />
<br />
zpool replace tank /dev/disk/by-id/13450850036953119346 /dev/disk/by-id/ata-ST4000VN000-1H4168_Z302FQVZ<br />
<br />
<br />
or just<br />
zpool replace tank /dev/sdi<br />
<br />
<br />
===If disk is shown as '''UNAVAIL'''===<br />
zpool offline tank sdi<br />
<br />
==Showing information about ZFS pools and datasets==<br />
===Show pools with sizes===<br />
zpool list <br />
or<br />
zpool list -H -o name,size<br />
<br />
<br />
===Show reservations on datasets===<br />
 zfs list -o name,reservation<br />
<br />
==Swap on zfs==<br />
https://askubuntu.com/questions/228149/zfs-partition-as-swap<br />
<br />
==vdevs==<br />
===multiple vdevs===<br />
Multiple vdevs in a zpool get striped.<br />
What about balance?<br />
<br />
===invalid vdev specification===<br />
Probably means you need -f<br />
<br />
===show balance between vdevs===<br />
zpool iostat -v 'pool' [interval in seconds]<br />
or just<br />
zpool iostat -vc 'pool'<br />
<br />
== Tuning arc settings ==<br />
See [https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning ZFS modules parameters]<br />
===zfs_arc_max===<br />
Linux defaults to giving 50% of RAM to the ARC; this is the case when:<br />
cat /sys/module/zfs/parameters/zfs_arc_max<br />
0<br />
grep c_max /proc/spl/kstat/zfs/arcstats<br />
To change this:<br />
echo 5368709120 > /sys/module/zfs/parameters/zfs_arc_max<br />
and add to /etc/modprobe.d/zfs.conf<br />
options zfs zfs_arc_max=5368709120<br />
<br />
'''NOTE you might need to run''' <br />
update-initramfs -u <br />
<br />
and perhaps clear caches and reset counters:<br />
<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===Tune zfs_arc_dnode_limit_percent===<br />
Assuming zfs_arc_dnode_limit = 0: <br />
<br />
echo 20 > /sys/module/zfs/parameters/zfs_arc_dnode_limit_percent<br />
<br />
In /etc/modprobe.d/zfs.conf: <br />
<br />
<br />
options zfs zfs_arc_dnode_limit_percent=20<br />
<br />
<br />
===export iscsi===<br />
https://linuxhint.com/share-zfs-volumes-via-iscsi/<br />
<br />
= FAQ =<br />
==arc_summary==<br />
===VDEV cache disabled, skipping section===<br />
This is normal, vdev caching is considered bad<br />
<br />
<br />
==Arc metadata size exceeds maximum==<br />
So '''arc_meta_used''' > '''arc_meta_limit'''<br />
<br />
<br />
==increasing feed rate==<br />
<br />
<br />
== show status and disks ==<br />
<br />
zpool status<br />
<br />
== show drives/pools ==<br />
<br />
zfs list<br />
<br />
<br />
== check raid level ==<br />
<br />
zfs list -a<br />
<br />
<br />
==Estimate raidz speeds==<br />
raidz1: N/(N-1) * IOPS<br />
raidz2: N/(N-2) * IOPS<br />
raidz3: N/(N-3) * IOPS<br />
<br />
<br />
==VDEV cache disabled, skipping section==<br />
Looks like you just don't have l2arc cache<br />
<br />
<br />
==cannot export 'tank': pool is busy==<br />
After checking stuff like nfs etc try:<br />
zfs unshare -a<br />
zfs umount -a -f<br />
zpool export -f tank</div>
Tony
https://wiki.dhits.nl/index.php?title=Debian&diff=8800
Debian
2024-03-25T12:26:46Z
<p>Tony: </p>
<hr />
<div>=Sites=<br />
*[http://www.debian.org/ Homepage]<br />
*[http://wiki.debian.org/ Wiki]<br />
*[http://www.debian.org/doc/manuals/reference/index.en.html Debian Reference]<br />
*[http://www.debian-administration.org/ debian-administration.org]<br />
*[http://www.debianadmin.com/ http://www.debianadmin.com/]<br />
<br />
=Security=<br />
*http://lists.debian.org/debian-security-announce/<br />
*debsecan<br />
*debsums<br />
<br />
=Links=<br />
*[[debconf]]<br />
<br />
=Netboot/PXE=<br />
*https://wiki.debian.org/DebianInstaller/NetbootAssistant<br />
*[https://wiki.debian.org/DebianInstaller/Preseed Preseed]<br />
*[https://www.howtoforge.com/tutorial/install-debian-9-stretch-via-pxe-network-boot-server/ Install Debian 9 (Stretch) via PXE Network Boot Server]<br />
<br />
=Documentation=<br />
<br />
*[http://www.debian.org/releases/stable/i386/ch08s05.html.en Compiling kernels the Debian way]<br />
*aptitude is often nicer than apt-get, but be careful<br />
*apt-file to find package providing a certain file<br />
<br />
<br />
==Networking on Debian==<br />
===Bonding===<br />
* https://wiki.debian.org/Bonding<br />
*[https://enterprise-support.nvidia.com/s/article/howto-create-linux-bond--lag--interface-over-infiniband-network Bonding on Infiniband]<br />
<br />
<br />
==https==<br />
<br />
*http://www.tuxick.net/docs/apache_ssl.html<br />
<br />
https on debian testing is a mess, ignore: <br />
<br />
*make-ssl-cert<br />
*apache2-ssl-certificate in apache2.2-common only?<br />
*http://www.debian-administration.org/articles/349<br />
<br />
http://www.eclectica.ca/howto/ssl-cert-howto.php looks promising<br />
<br />
==Handling packages==<br />
*[[Compiling Debian Packages]]<br />
===Pinning===<br />
*[http://jaqque.sbih.org/kplug/apt-pinning.html Pinning]<br />
*[http://www.argon.org/~roderick/apt-pinning.html Using APT with more than 2 sources]<br />
*http://wiki.debian.org/AptPinning<br />
<br />
=HOWTO=<br />
==Modules==<br />
===Set module parameters===<br />
in '''/etc/modprobe.d/somename.conf'''<br />
options somemodule paramname=2<br />
<br />
= FAQ =<br />
<br />
==Installer==<br />
===Select a boot disk===<br />
Depends a bit, customer installer would insist on that, but expects /boot to be a separate partition?<br />
<br />
<br />
==APT==<br />
===Repository changed its 'Version' value===<br />
Try <br />
apt-get --allow-releaseinfo-change update<br />
<br />
<br />
== the following packages have been kept back: ==<br />
<br />
Time to apt-get dist-upgrade. But it could be different things.<br />
See https://askubuntu.com/questions/601/the-following-packages-have-been-kept-back-why-and-how-do-i-solve-it<br />
Perhaps:<br />
apt-get upgrade package-that-is-kept-back<br />
<br />
== change default editor ==<br />
<br />
update-alternatives --config editor<br />
<br />
== change timezone ==<br />
<br />
dpkg-reconfigure tzdata<br />
<br />
== kernel packages ==<br />
<br />
*kernel-image <br />
*kernel-source <br />
<br />
volatile<br />
<br />
<br />
== clean cache ==<br />
<br />
apt-get clean<br />
<br />
<br />
== E: Unable to correct problems, you have held broken packages. ==<br />
<br />
First try<br />
<br />
dpkg --get-selections | grep hold<br />
<br />
==reportbug: The following newer release(s) are available in the Debian archive:==<br />
Ignore that and just continue (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900254 )<br />
<br />
<br />
==apt-get update throwing KEYEXPIRED==<br />
Ignore that, it updated just fine. You might run into the usual warnings when installing packages. To Be Documented.<br />
For example:<br />
deb [trusted=yes]<br />
<br />
==Show more package information==<br />
apt-cache show packagename*<br />
<br />
<br />
== W: GPG error: ==<br />
<br />
[http://ftp2.de.debian.org http://ftp2.de.debian.org] etch/volatile Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EC61E0B0BBE55AB3<br />
<br />
gpg --keyserver wwwkeys.eu.pgp.net --recv-keys EC61E0B0BBE55AB3<br />
#and that other thing<br />
<br />
Or just:<br />
<br />
apt-get --allow-unauthenticated install debian-archive-keyring<br />
<br />
Or<br />
apt-key adv --keyserver pgp.mit.edu --recv-keys 8B48AD6246925553<br />
<br />
Or<br />
gpg --keyserver keyserver.ubuntu.com --recv-key 03BBF595D4DFD35C<br />
gpg -a --export 03BBF595D4DFD35C | apt-key add -<br />
<br />
==show dependency tree==<br />
apt-cache dotty<br />
apt-rdepends<br />
<br />
==show dependencies==<br />
apt-cache rdepends<br />
aptitude why<br />
<br />
==What package does a file belong to?==<br />
dpkg -S /path/to/file</div>
Tony
https://wiki.dhits.nl/index.php?title=Dosbox&diff=8799
Dosbox
2024-03-24T20:10:52Z
<p>Tony: </p>
<hr />
<div>=Links=<br />
<br />
*[https://www.dosbox.com/ Dosbox homepage]<br />
*[https://dosbox-staging.github.io/ Dosbox-staging]<br />
*[https://www.dosbox.com/wiki Dosbox wiki]<br />
<br />
*[https://nullprogram.com/blog/2014/12/09/ How to build DOS COM files with GCC]<br />
<br />
*[https://www.dosgamesarchive.com/ DOS games archive]<br />
<br />
=FAQ=<br />
==Shader file 'crt/hercules' not found==<br />
You probably forgot to <br />
cp -r resources/glshaders/* ~/.config/dosbox/glshaders</div>
Tony
https://wiki.dhits.nl/index.php?title=Dosbox&diff=8798
Dosbox
2024-03-24T19:10:33Z
<p>Tony: /* Links */</p>
<hr />
<div>=Links=<br />
<br />
*[https://www.dosbox.com/ Dosbox homepage]<br />
*[https://dosbox-staging.github.io/ Dosbox-staging]<br />
*[https://www.dosbox.com/wiki Dosbox wiki]<br />
<br />
*[https://nullprogram.com/blog/2014/12/09/ How to build DOS COM files with GCC]<br />
<br />
*[https://www.dosgamesarchive.com/ DOS games archive]</div>
Tony
https://wiki.dhits.nl/index.php?title=Dosbox&diff=8797
Dosbox
2024-03-24T18:28:01Z
<p>Tony: /* Links */</p>
<hr />
<div>=Links=<br />
<br />
*[https://www.dosbox.com/ Dosbox homepage]<br />
*[https://dosbox-staging.github.io/ Dosbox-staging]<br />
*[https://www.dosbox.com/wiki Dosbox wiki]<br />
<br />
*[https://nullprogram.com/blog/2014/12/09/ How to build DOS COM files with GCC]</div>
Tony
https://wiki.dhits.nl/index.php?title=Dosbox&diff=8796
Dosbox
2024-03-24T18:27:49Z
<p>Tony: /* Links */</p>
<hr />
<div>=Links=<br />
<br />
*[https://www.dosbox.com/ Dosbox homepage]<br />
*[https://dosbox-staging.github.io/ Dosbox-staging]<br />
*[https://www.dosbox.com/wiki Dosbox wiki]<br />
<br />
*[https://nullprogram.com/blog/2014/12/09/ How to build DOS COM files with GCC]</div>
Tony
https://wiki.dhits.nl/index.php?title=Dosbox&diff=8795
Dosbox
2024-03-24T18:19:37Z
<p>Tony: Created page with "=Links= *[https://www.dosbox.com/ Dosbox homepage] *[https://dosbox-staging.github.io/ Dosbox-staging] *[https://www.dosbox.com/wiki Dosbox wiki]"</p>
<hr />
<div>=Links=<br />
<br />
*[https://www.dosbox.com/ Dosbox homepage]<br />
*[https://dosbox-staging.github.io/ Dosbox-staging]<br />
*[https://www.dosbox.com/wiki Dosbox wiki]</div>
Tony
https://wiki.dhits.nl/index.php?title=OpenDKIM&diff=8794
OpenDKIM
2024-03-22T12:43:26Z
<p>Tony: </p>
<hr />
<div>=Links=<br />
*[https://github.com/trusteddomainproject/OpenDKIM Current location of OpenDKIM]<br />
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]<br />
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]<br />
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/ DKIM on relay server]<br />
<br />
=HOWTO=<br />
<br />
== OpenDKIM (on Ubuntu) ==<br />
apt install opendkim opendkim-tools<br />
<br />
You might have to create:<br />
mkdir -p /etc/opendkim/keys<br />
 chown -R opendkim:opendkim /etc/opendkim<br />
chmod go-rw /etc/opendkim/keys/<br />
<br />
<br />
Then<br />
cd /etc/opendkim/keys<br />
or<br />
cd /etc/dkimkeys<br />
<br />
opendkim-genkey -s selectorname -d domain.name<br />
<br />
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so<br />
 chown -R opendkim:opendkim /etc/opendkim/keys<br />
<br />
== SigningTable ==<br />
<br />
somename is the first field in KeyTable:<br />
<br />
*@domain.name somename<br />
<br />
== KeyTable ==<br />
<br />
Here the name of the selector (the part before ._domainkey) is the one you publish in DNS<br />
<br />
somename domain.name:selectorname:/etc/opendkim/keys/somename.private<br />
<br />
==Configuration file /etc/opendkim.conf==<br />
Mode s<br />
KeyTable /etc/opendkim/KeyTable<br />
SigningTable refile:/etc/opendkim/SigningTable<br />
Socket inet:8891@localhost<br />
<br />
== Postfix ==<br />
<br />
In /etc/postfix/main.cf:<br />
<br />
<br />
milter_protocol = 2<br />
milter_default_action = accept<br />
smtpd_milters = inet:localhost:8891<br />
non_smtpd_milters = inet:localhost:8891<br />
<br />
TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :<br />
blabla<br />
usermod -a -G opendkim postfix<br />
<br />
= Checking =<br />
<br />
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private<br />
<br />
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.<br />
<br />
*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/]<br />
Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC<br />
<br />
==WARNING:Unsafe permissions==<br />
Make the key readable for user opendkim only<br />
<br />
<br />
==keys do not match==<br />
Try<br />
opendkim-testkey -d domain.name -s selectorname -vv<br />
<br />
<br />
==Check if keys match==<br />
<br />
<pre><br />
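#!/bin/bash<br />
# Compare the RSA modulus of a private key ($1) with the public key<br />
# taken from the p= value in a DKIM DNS record file ($2).<br />
<br />
PRIV=$1<br />
PUB=$2<br />
# mktemp instead of fixed names in /tmp, so the temp files are not predictable<br />
TEMP64=$(mktemp) || exit 1<br />
TEMP=$(mktemp) || exit 1<br />
trap 'rm -f "$TEMP" "$TEMP64"' EXIT<br />
<br />
# Extract the base64 public key from the _domainkey line, skipping comment lines<br />
grep _domainkey "$PUB" | grep -v '^;' | sed 's/.*\"p=\(.*\)/\1/' | sed 's/[\" ]//g' > "$TEMP64"<br />
<br />
openssl enc -base64 -d -in "$TEMP64" -out "$TEMP"<br />
OUTPUB=$(openssl rsa -pubin -inform DER -in "$TEMP" -noout -modulus)<br />
OUTPRIV=$(openssl rsa -in "$PRIV" -noout -modulus)<br />
<br />
echo -n "Keys $PRIV and $PUB "<br />
# An empty modulus means openssl failed; never report that as a match<br />
if [ -n "$OUTPUB" ] && [ "$OUTPUB" == "$OUTPRIV" ]<br />
then<br />
  echo "match"<br />
else<br />
  echo "don't match"<br />
fi<br />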
</pre><br />
<br />
= FAQ =<br />
<br />
==debugging opendkim==<br />
journalctl --follow --unit postfix.service --unit opendkim.service<br />
<br />
<br />
== opendkim: no signing table match for ==<br />
<br />
In opendkim.conf check:<br />
<br />
refile:/etc/opendkim/SigningTable<br />
<br />
It seems CRLF line endings can also cause this problem.<br />
<br />
<br />
== opendkim: signing table references unknown key ==<br />
Check the KeyTable<br />
<br />
==opendkim-testkey==<br />
<br />
===Usage===<br />
opendkim-testkey -s myselector -d mydomain.com<br />
<br />
=== opendkim-testkey key not secure ===<br />
<br />
Probably means you have no DNSSEC<br />
<br />
===opendkim-testkey: keys do not match===<br />
Probably means you should double-check the KeyTable<br />
<br />
===opendkim-testkey: invalid data set type===<br />
bad dns record?<br />
===opendkim-testkey: multiple DNS replies ===<br />
bad dns record?<br />
<br />
===opendkim: no signature data===<br />
Maybe forgot to define KeyTable/SigningTable paths?<br />
<br />
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==<br />
<br />
Means it's defined in opendkim.conf, and you're not using KeyTable<br />
<br />
<br />
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==<br />
<br />
??<br />
<br />
== opendkim.service: Start request repeated too quickly. ==<br />
Probably a permissions problem somewhere, try<br />
opendkim -v<br />
or check syslog<br />
<br />
<br />
<br />
[[Category:Mail]]</div>
Tony
https://wiki.dhits.nl/index.php?title=Tips_and_tricks&diff=8793
Tips and tricks
2024-03-22T08:55:19Z
<p>Tony: /* Find your public IP */</p>
<hr />
<div>=Clone disk over ssh=<br />
On remotehost:<br />
*Have a user 'someuser' you can ssh to with a key, so without a password. This user must NOT be in the wheel/sudoers/admin group!!!<br />
*Add a line "someuser ALL=(ALL) NOPASSWD: /bin/dd" to sudoers<br />
<br />
Then you can run<br />
 ssh -C -t someuser@remotehost "sudo dd if=/dev/sdXX" | dd of=/dev/sdXY<br />
<br />
<br />
Note the "-t" which is required, otherwise you get "sudo: no tty present and no askpass program specified"<br />
<br />
=Generate random mac address=<br />
 #!/usr/bin/python3<br />
 # macgen.py script to generate a MAC address for guest virtual machines<br />
 #<br />
 import random<br />
 #<br />
 def randomMAC():<br />
     # 00:16:3e is the Xen OUI; the remaining three octets are random<br />
     mac = [ 0x00, 0x16, 0x3e,<br />
             random.randint(0x00, 0x7f),<br />
             random.randint(0x00, 0xff),<br />
             random.randint(0x00, 0xff) ]<br />
     return ':'.join(map(lambda x: "%02x" % x, mac))<br />
 #<br />
 print(randomMAC())<br />
<br />
<br />
=Add disk to VM=<br />
cat /proc/scsi/scsi <br />
Attached devices:<br />
Host: scsi7 Channel: 00 Id: 00 Lun: 00<br />
Vendor: VMware Model: Virtual disk Rev: 1.0 <br />
Type: Direct-Access ANSI SCSI revision: 02<br />
<br />
In this case your scsi device is 7, so <br />
echo "- - -" > /sys/class/scsi_host/host7/scan<br />
<br />
=Find your public IP=<br />
curl icanhazip.com<br />
or<br />
curl my.ip.fi<br />
and https://ifconfig.co/</div>
Tony
https://wiki.dhits.nl/index.php?title=Tips_and_tricks&diff=8792
Tips and tricks
2024-03-22T08:53:13Z
<p>Tony: /* Find your public IP */</p>
<hr />
<div>=Clone disk over ssh=<br />
On remotehost:<br />
*Have a user 'someuser' you can ssh to with a key, so without a password. This user must NOT be in the wheel/sudoers/admin group!!!<br />
*Add a line "someuser ALL=(ALL) NOPASSWD: /bin/dd" to sudoers<br />
<br />
Then you can run<br />
 ssh -C -t someuser@remotehost "sudo dd if=/dev/sdXX" | dd of=/dev/sdXY<br />
<br />
<br />
Note the "-t" which is required, otherwise you get "sudo: no tty present and no askpass program specified"<br />
<br />
=Generate random mac address=<br />
 #!/usr/bin/python3<br />
 # macgen.py script to generate a MAC address for guest virtual machines<br />
 #<br />
 import random<br />
 #<br />
 def randomMAC():<br />
     # 00:16:3e is the Xen OUI; the remaining three octets are random<br />
     mac = [ 0x00, 0x16, 0x3e,<br />
             random.randint(0x00, 0x7f),<br />
             random.randint(0x00, 0xff),<br />
             random.randint(0x00, 0xff) ]<br />
     return ':'.join(map(lambda x: "%02x" % x, mac))<br />
 #<br />
 print(randomMAC())<br />
<br />
<br />
=Add disk to VM=<br />
cat /proc/scsi/scsi <br />
Attached devices:<br />
Host: scsi7 Channel: 00 Id: 00 Lun: 00<br />
Vendor: VMware Model: Virtual disk Rev: 1.0 <br />
Type: Direct-Access ANSI SCSI revision: 02<br />
<br />
In this case your scsi device is 7, so <br />
echo "- - -" > /sys/class/scsi_host/host7/scan<br />
<br />
=Find your public IP=<br />
curl icanhazip.com<br />
or<br />
curl my.ip.fi</div>
Tony
https://wiki.dhits.nl/index.php?title=Esx&diff=8791
Esx
2024-03-21T13:38:03Z
<p>Tony: /* HOWTO */</p>
<hr />
<div><br />
<br />
<br />
= Links =<br />
<br />
*[https://pubs.vmware.com/vsphere-51/topic/com.vmware.vcli.examples.doc/cli_manage_storage.6.6.html NFS on ESX] <br />
*[https://www.rootusers.com/how-to-increase-the-size-of-a-linux-lvm-by-adding-a-new-disk/ Adding a disk] <br />
<br />
*[https://www.vmwareblog.org/disk-mode-esxi-vm-use/ Disk modes]<br />
<br />
=Storage sense codes=<br />
*[https://kb.vmware.com/s/article/289902?src=vmw_so_vex_rvand_702 interpreting scsi sense codes] <br />
*[https://www.virten.net/vmware/vmware-esxi-scsi-sense-code-decoder-v2/ esxi scsi sense decoder]<br />
Example: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0<br />
*H: host status<br />
*D: device status<br />
*P: plugin status<br />
Sense data:<br />
*Sense key<br />
*Additional sense data<br />
<br />
<br />
= Tools =<br />
<br />
== esxtop ==<br />
<br />
=== Links ===<br />
<br />
*[https://communities.vmware.com/docs/DOC-11812 Interpreting esxtop statistics] <br />
*[https://kb.vmware.com/s/article/1027901 Checking the queue depth of the storage adapter and the storage device]<br />
<br />
=HOWTO=<br />
==memory usage==<br />
vsish -e get /memory/comprehensive<br />
<br />
memstats -r group-stats -g0 -l5 -s gid:name:parGid:nChild:min:max:minLimit:conResv:availResv:memSize -u mb 2> /dev/null | sed -n '/^-\+/,/.*\n/p' | awk 'NR == 2 || $2 ~ /(vim|vimuser|terminal|ssh)$/ {print $0}'<br />
<br />
<br />
vsish -e get /sched/groups/767/memAllocationInMB<br />
<br />
Set new limit<br />
vsish -e set /sched/groups/767/memAllocationInMB max=1200<br />
<br />
<br />
==list installed vibs==<br />
esxcli software vib list<br />
<br />
= FAQ =<br />
<br />
== start VM ==<br />
<br />
=== List all vms ===<br />
<br />
vim-cmd vmsvc/getallvms<br />
<br />
vim-cmd vmsvc/power.getstate [vmid]<br />
vim-cmd vmsvc/power.off [vmid]<br />
vim-cmd vmsvc/power.on [vmid]<br />
<br />
== root account locked ==<br />
<br />
pam_tally2 --user root --reset<br />
<br />
== show hardware info ==<br />
<br />
esxcfg-info<br />
<br />
<br />
== Identify disks in Linux guest==<br />
<br />
lsscsi<br />
<br />
== Check if vmdk is in use ==<br />
<br />
grep vmdk some.vmx<br />
<br />
https://blah.cloud/infrastructure/safely-checkremove-orphaned-vmdk-files-from-esxi/<br />
vmkfstools -D foo.vmdk<br />
<br />
<br />
<br />
<br />
== list modules ==<br />
<br />
esxcli system module list<br />
<br />
<br />
==ESXi login locked==<br />
pam_tally2 --user root<br />
and <br />
pam_tally2 --user root --reset</div>
Tony
https://wiki.dhits.nl/index.php?title=Esx&diff=8790
Esx
2024-03-21T13:29:17Z
<p>Tony: /* Get memory usage */</p>
<hr />
<div><br />
<br />
<br />
= Links =<br />
<br />
*[https://pubs.vmware.com/vsphere-51/topic/com.vmware.vcli.examples.doc/cli_manage_storage.6.6.html NFS on ESX] <br />
*[https://www.rootusers.com/how-to-increase-the-size-of-a-linux-lvm-by-adding-a-new-disk/ Adding a disk] <br />
<br />
*[https://www.vmwareblog.org/disk-mode-esxi-vm-use/ Disk modes]<br />
<br />
=Storage sense codes=<br />
*[https://kb.vmware.com/s/article/289902?src=vmw_so_vex_rvand_702 interpreting scsi sense codes] <br />
*[https://www.virten.net/vmware/vmware-esxi-scsi-sense-code-decoder-v2/ esxi scsi sense decoder]<br />
Example: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0<br />
*H: host status<br />
*D: device status<br />
*P: plugin status<br />
Sense data:<br />
*Sense key<br />
*Additional sense data<br />
<br />
<br />
= Tools =<br />
<br />
== esxtop ==<br />
<br />
=== Links ===<br />
<br />
*[https://communities.vmware.com/docs/DOC-11812 Interpreting esxtop statistics] <br />
*[https://kb.vmware.com/s/article/1027901 Checking the queue depth of the storage adapter and the storage device]<br />
<br />
=HOWTO=<br />
==memory usage==<br />
vsish -e get /memory/comprehensive<br />
<br />
memstats -r group-stats -g0 -l5 -s gid:name:parGid:nChild:min:max:minLimit:conResv:availResv:memSize -u mb 2> /dev/null | sed -n '/^-\+/,/.*\n/p' | awk 'NR == 2 || $2 ~ /(vim|vimuser|terminal|ssh)$/ {print $0}'<br />
<br />
<br />
vsish -e get /sched/groups/767/memAllocationInMB<br />
<br />
Set new limit<br />
vsish -e set /sched/groups/767/memAllocationInMB max=1200<br />
<br />
= FAQ =<br />
<br />
== start VM ==<br />
<br />
=== List all vms ===<br />
<br />
vim-cmd vmsvc/getallvms<br />
<br />
vim-cmd vmsvc/power.getstate [vmid]<br />
vim-cmd vmsvc/power.off [vmid]<br />
vim-cmd vmsvc/power.on [vmid]<br />
<br />
== root account locked ==<br />
<br />
pam_tally2 --user root --reset<br />
<br />
== show hardware info ==<br />
<br />
esxcfg-info<br />
<br />
<br />
== Identify disks in Linux guest==<br />
<br />
lsscsi<br />
<br />
== Check if vmdk is in use ==<br />
<br />
grep vmdk some.vmx<br />
<br />
https://blah.cloud/infrastructure/safely-checkremove-orphaned-vmdk-files-from-esxi/<br />
vmkfstools -D foo.vmdk<br />
<br />
<br />
<br />
<br />
== list modules ==<br />
<br />
esxcli system module list<br />
<br />
<br />
==ESXi login locked==<br />
pam_tally2 --user root<br />
and <br />
pam_tally2 --user root --reset</div>
Tony
https://wiki.dhits.nl/index.php?title=Esx&diff=8789
Esx
2024-03-21T13:27:09Z
<p>Tony: </p>
<hr />
<div><br />
<br />
<br />
= Links =<br />
<br />
*[https://pubs.vmware.com/vsphere-51/topic/com.vmware.vcli.examples.doc/cli_manage_storage.6.6.html NFS on ESX] <br />
*[https://www.rootusers.com/how-to-increase-the-size-of-a-linux-lvm-by-adding-a-new-disk/ Adding a disk] <br />
<br />
*[https://www.vmwareblog.org/disk-mode-esxi-vm-use/ Disk modes]<br />
<br />
=Storage sense codes=<br />
*[https://kb.vmware.com/s/article/289902?src=vmw_so_vex_rvand_702 interpreting scsi sense codes] <br />
*[https://www.virten.net/vmware/vmware-esxi-scsi-sense-code-decoder-v2/ esxi scsi sense decoder]<br />
Example: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0<br />
*H: host status<br />
*D: device status<br />
*P: plugin status<br />
Sense data:<br />
*Sense key<br />
*Additional sense data<br />
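The status string above can be decoded mechanically. The following is an added example, not part of the original wiki page: it parses the H/D/P fields and the three sense bytes from a log line. The lookup tables hold a small subset of the standard SCSI (T10) values; host and plugin status are VMware-specific and are left as raw numbers. The function name and the sample log line are assumptions made for illustration.

```python
import re

# D: field is the standard SCSI status byte (subset of the T10 values).
DEVICE_STATUS = {
    0x00: "GOOD",
    0x02: "CHECK CONDITION",
    0x08: "BUSY",
    0x18: "RESERVATION CONFLICT",
    0x28: "TASK SET FULL",
}

# First sense byte: sense key (subset of the T10 values).
SENSE_KEYS = {
    0x0: "NO SENSE",
    0x1: "RECOVERED ERROR",
    0x2: "NOT READY",
    0x3: "MEDIUM ERROR",
    0x4: "HARDWARE ERROR",
    0x5: "ILLEGAL REQUEST",
    0x6: "UNIT ATTENTION",
    0x7: "DATA PROTECT",
    0xB: "ABORTED COMMAND",
}

# Second and third sense bytes: additional sense code and qualifier
# (ASC/ASCQ). Only a few common pairs; the full list is in the T10 tables.
ASC_ASCQ = {
    (0x20, 0x00): "INVALID COMMAND OPERATION CODE",
    (0x24, 0x00): "INVALID FIELD IN CDB",
    (0x29, 0x00): "POWER ON, RESET, OR BUS DEVICE RESET OCCURRED",
    (0x3A, 0x00): "MEDIUM NOT PRESENT",
}

HEX = r"(0x[0-9a-fA-F]+)"
STATUS_RE = re.compile(
    r"H:" + HEX + r"\s+D:" + HEX + r"\s+P:" + HEX +
    # The sense part is optional; logs mark it "Valid" or "Possible".
    r"(?:\s+(Valid|Possible) sense data:\s+" + HEX + r"\s+" + HEX + r"\s+" + HEX + r")?"
)


def decode_scsi_status(line):
    """Return a dict describing the H/D/P status in `line`, or None."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    host, device, plugin = (int(m.group(i), 16) for i in (1, 2, 3))
    result = {
        "host": host,      # VMware-specific code, kept raw
        "plugin": plugin,  # VMware-specific code, kept raw
        "device": DEVICE_STATUS.get(device, "unknown (0x%x)" % device),
        "sense_valid": None,
        "sense_key": None,
        "additional": None,
    }
    if m.group(4):
        key, asc, ascq = (int(m.group(i), 16) for i in (5, 6, 7))
        result["sense_valid"] = m.group(4) == "Valid"
        result["sense_key"] = SENSE_KEYS.get(key, "unknown (0x%x)" % key)
        result["additional"] = ASC_ASCQ.get(
            (asc, ascq), "ASC 0x%02x ASCQ 0x%02x (not in this table)" % (asc, ascq)
        )
    return result


# Constructed sample lines (not taken from a real host).
SAMPLE_LINES = [
    'ScsiDeviceIO: Cmd 0x1a to dev "naa.EXAMPLE" failed '
    "H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0.",
    'ScsiDeviceIO: Cmd 0x28 to dev "naa.EXAMPLE" failed H:0x8 D:0x0 P:0x0',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_scsi_status(sample))
```

For the example string on this page the result is device status CHECK CONDITION, sense key ILLEGAL REQUEST and additional sense INVALID FIELD IN CDB.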
<br />
<br />
= Tools =<br />
<br />
== esxtop ==<br />
<br />
=== Links ===<br />
<br />
*[https://communities.vmware.com/docs/DOC-11812 Interpreting esxtop statistics] <br />
*[https://kb.vmware.com/s/article/1027901 Checking the queue depth of the storage adapter and the storage device]<br />
<br />
=HOWTO=<br />
==Get memory usage==<br />
vsish -e get /memory/comprehensive<br />
<br />
memstats -r group-stats -g0 -l5 -s gid:name:parGid:nChild:min:max:minLimit:conResv:availResv:memSize -u mb 2> /dev/null | sed -n '/^-\+/,/.*\n/p' | awk 'NR == 2 || $2 ~ /(vim|vimuser|terminal|ssh)$/ {print $0}'<br />
<br />
<br />
vsish -e get /sched/groups/767/memAllocationInMB<br />
<br />
Set new limit<br />
vsish -e set /sched/groups/767/memAllocationInMB max=1200<br />
<br />
<br />
= FAQ =<br />
<br />
== start VM ==<br />
<br />
=== List all vms ===<br />
<br />
vim-cmd vmsvc/getallvms<br />
<br />
vim-cmd vmsvc/power.getstate [vmid]<br />
vim-cmd vmsvc/power.off [vmid]<br />
vim-cmd vmsvc/power.on [vmid]<br />
<br />
== root account locked ==<br />
<br />
pam_tally2 --user root --reset<br />
<br />
== show hardware info ==<br />
<br />
esxcfg-info<br />
<br />
<br />
== Identify disks in Linux guest==<br />
<br />
lsscsi<br />
<br />
== Check if vmdk is in use ==<br />
<br />
grep vmdk some.vmx<br />
<br />
https://blah.cloud/infrastructure/safely-checkremove-orphaned-vmdk-files-from-esxi/<br />
vmkfstools -D foo.vmdk<br />
<br />
<br />
<br />
<br />
== list modules ==<br />
<br />
esxcli system module list<br />
<br />
<br />
==ESXi login locked==<br />
pam_tally2 --user root<br />
and <br />
pam_tally2 --user root --reset</div>
Tony
https://wiki.dhits.nl/index.php?title=Esx&diff=8788
Esx
2024-03-21T12:14:06Z
<p>Tony: </p>
<hr />
<div><br />
<br />
<br />
= Links =<br />
<br />
*[https://pubs.vmware.com/vsphere-51/topic/com.vmware.vcli.examples.doc/cli_manage_storage.6.6.html NFS on ESX] <br />
*[https://www.rootusers.com/how-to-increase-the-size-of-a-linux-lvm-by-adding-a-new-disk/ Adding a disk] <br />
<br />
*[https://www.vmwareblog.org/disk-mode-esxi-vm-use/ Disk modes]<br />
<br />
=Storage sense codes=<br />
*[https://kb.vmware.com/s/article/289902?src=vmw_so_vex_rvand_702 interpreting scsi sense codes] <br />
*[https://www.virten.net/vmware/vmware-esxi-scsi-sense-code-decoder-v2/ esxi scsi sense decoder]<br />
Example: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0<br />
*H: host status<br />
*D: device status<br />
*P: plugin status<br />
Sense data:<br />
*Sense key<br />
*Additional sense data<br />
<br />
<br />
= Tools =<br />
<br />
== esxtop ==<br />
<br />
=== Links ===<br />
<br />
*[https://communities.vmware.com/docs/DOC-11812 Interpreting esxtop statistics] <br />
*[https://kb.vmware.com/s/article/1027901 Checking the queue depth of the storage adapter and the storage device]<br />
<br />
<br />
<br />
<br />
= FAQ =<br />
<br />
== start VM ==<br />
<br />
=== List all vms ===<br />
<br />
vim-cmd vmsvc/getallvms<br />
<br />
vim-cmd vmsvc/power.getstate [vmid]<br />
vim-cmd vmsvc/power.off [vmid]<br />
vim-cmd vmsvc/power.on [vmid]<br />
<br />
== root account locked ==<br />
<br />
pam_tally2 --user root --reset<br />
<br />
== show hardware info ==<br />
<br />
esxcfg-info<br />
<br />
<br />
== Identify disks in Linux guest==<br />
<br />
lsscsi<br />
<br />
== Check if vmdk is in use ==<br />
<br />
grep vmdk some.vmx<br />
<br />
https://blah.cloud/infrastructure/safely-checkremove-orphaned-vmdk-files-from-esxi/<br />
vmkfstools -D foo.vmdk<br />
<br />
<br />
<br />
<br />
== list modules ==<br />
<br />
esxcli system module list<br />
<br />
<br />
==ESXi login locked==<br />
pam_tally2 --user root<br />
and <br />
pam_tally2 --user root --reset</div>
Tony
https://wiki.dhits.nl/index.php?title=Varnish&diff=8787
Varnish
2024-03-21T10:12:05Z
<p>Tony: </p>
<hr />
<div><big>Varnish caching proxy</big> <br />
<br />
=Links=<br />
*[https://varnish-cache.org/ Varnish homepage]<br />
*[https://varnish-cache.org/docs/4.1/users-guide/operation-statistics.html Varnish Statistics]<br />
*[https://www.datadoghq.com/blog/top-varnish-performance-metrics/ Top Varnish performance metrics]<br />
=HOWTO=<br />
*[https://varnish-cache.org/docs/trunk/users-guide/params.html Parameters]<br />
<br />
==View varnish statistics==<br />
varnishstat<br />
varnishtop<br />
<br />
===Hit rate===<br />
https://info.varnish-software.com/blog/high-hit-rate-with-varnish<br />
<br />
==View varnish logs==<br />
varnishlog<br />
<br />
<br />
==Documentation==<br />
*[https://varnish-cache.org/docs/ Varnish documentation]<br />
*[http://www.mediawiki.org/wiki/Manual:Varnish_caching Manual]<br />
<br />
=FAQ=<br />
==clear cache==<br />
#old way?<br />
varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082 url.purge .<br />
<br />
varnishadm -T 127.0.0.1:6082 url.purge .</div>
Tony
https://wiki.dhits.nl/index.php?title=Nginx&diff=8786
Nginx
2024-03-21T10:09:45Z
<p>Tony: /* FAQ */</p>
<hr />
<div>HTTP server, proxy, reverse proxy etc<br />
<br />
=Links=<br />
*[http://nginx.org/ Homepage]<br />
*[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx]<br />
==Documentation==<br />
*[https://www.nginx.com/resources/wiki/start/ Getting started]<br />
<br />
==Nginx and php-fpm==<br />
*[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04]<br />
===Monitoring php-fpm under nginx===<br />
Create /etc/nginx/sites-enabled/fpmstatus<br />
server {<br />
listen 89;<br />
listen [::]:89;<br />
server_name localhost;<br />
location = /fpm-status {<br />
access_log off;<br />
<br />
allow 127.0.0.1;<br />
deny all;<br />
<br />
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;<br />
include fastcgi_params;<br />
fastcgi_pass unix:/run/php/php-fpm.sock;<br />
# fastcgi_pass 127.0.0.1:9001;<br />
}<br />
location = /fpm-ping {<br />
access_log off;<br />
<br />
allow 127.0.0.1;<br />
deny all;<br />
<br />
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;<br />
include fastcgi_params;<br />
fastcgi_pass unix:/run/php/php-fpm.sock;<br />
}<br />
}<br />
<br />
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work<br />
<br />
=Notes=<br />
<br />
==SSL certificates==<br />
The host.crt goes first in the bundle<br />
<br />
<br />
server {<br />
listen 443 ssl;<br />
# ssl_certificate may also point at bundle.crt (host certificate first)<br />
ssl_certificate /etc/ssl/your_domain_name.pem;<br />
ssl_certificate_key /etc/ssl/your_domain_name.key;<br />
server_name your.domain.com;<br />
access_log /var/log/nginx/nginx.vhost.access.log;<br />
error_log /var/log/nginx/nginx.vhost.error.log;<br />
location / {<br />
root /home/www/public_html/your.domain.com/public/;<br />
index index.html;<br />
}<br />
}<br />
<br />
=HOWTO=<br />
==Get configuration items==<br />
getconf PAGESIZE<br />
<br />
==Redirecting in nginx==<br />
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/<br />
<br />
==enable ipv6==<br />
In server section add<br />
listen [::]:443;<br />
<br />
==Configure buffer sizes==<br />
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size<br />
<br />
<br />
==Rate limiting==<br />
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting]<br />
<br />
=FAQ=<br />
==nginx serving wrong page==<br />
Forgot to tell it to listen on ipv6?<br />
Like<br />
listen [::]:443 ssl;<br />
<br />
==Conflicting server name XXX on 0.0.0.0:80==<br />
<br />
==FastCGI sent in stderr: "Primary script unknown" ==<br />
Usually means the php script just isn't there<br />
<br />
==Error messages==<br />
<br />
===nginx: [emerg] unknown log format===<br />
Define log_format in '''http''' section before the includes.<br />
<br />
<br />
=== upstream prematurely closed connection while reading upstream ===<br />
Maybe trying to fetch a large file, like jpg?<br />
<br />
=== client intended to send too large body ===<br />
server {<br />
# default 1m<br />
client_max_body_size 4m;<br />
}<br />
<br />
<br />
<br />
===no live upstreams while connecting to upstream===<br />
can't connect to whatever backend?<br />
<br />
<br />
===upstream sent too big header while reading response header from upstream===<br />
*[https://techglimpse.com/upstream-sent-too-big-header-while-reading-response-header-from-upstream-nginx/ Upstream sent too big header]<br />
*[https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx Tuning proxy_buffer_size in NGINX]<br />
<br />
<br />
===an upstream response is buffered to a temporary file===<br />
<br />
<br />
===(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking===<br />
Usually just a bad client or a scan.<br />
<br />
===cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem===<br />
Probably ubuntu?<br />
apt install ssl-cert<br />
<br />
===access forbidden by rule===<br />
look for allow or deny lines<br />
<br />
===a client request body is buffered to a temporary file===<br />
Play around with<br />
client_body_buffer_size 10M;<br />
client_max_body_size 10M;<br />
<br />
TODO check, this doesn't seem to apply<br />
If all else fails just set:<br />
proxy_max_temp_file_size 0;<br />
and see if you get some feedback :)<br />
<br />
===upstream timed out===<br />
Look for proxy_pass<br />
<br />
<br />
===failed (104: Unknown error) while reading response header from upstream===<br />
<br />
<br />
==Logging==<br />
<br />
===Log level===<br />
Doesn't seem to be documented, defaults to log all?<br />
<br />
[[Category: Proxy]]</div>
Tony
https://wiki.dhits.nl/index.php?title=Storcli&diff=8785
Storcli
2024-03-20T16:01:53Z
<p>Tony: /* Drive mappings */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[https://www.thomas-krenn.com/en/wiki/StorCLI_commands StorCLI commands] <br />
*[https://www.virtualizationhowto.com/2017/10/change-bbu-and-raid-cache-settings-with-avago-lsi-storcli/ Cache settings] <br />
*[https://titanwolf.org/Network/Articles/Article?AID=486e3967-1b44-4e90-bd28-f7e271586ba1 Conversion between raid levels]<br />
*[https://www.broadcom.com/site-search?q=storcli Download storcli]<br />
<br />
=HOWTO=<br />
==Add new/replacement disk==<br />
Show all should tell you s(Slot), dg, array and row, then:<br />
<br />
storcli /c0/e32/s12 insert dg=0 array=0 row=0<br />
storcli /c0/e32/s12 start rebuild<br />
<br />
<br />
==Locate a disk==<br />
storcli /c0/e8/s2 start locate<br />
<br />
<br />
==Show rebuild status==<br />
storcli /c0 /eall /sall show rebuild<br />
<br />
==Drive mappings==<br />
sg_map -x<br />
Output: /dev/sgXX <host_number> <bus> <scsi_id> <lun> <scsi_type> <disk><br />
<br />
/dev/sg11 7 0 1 0 0 /dev/sdl<br />
<br />
<scsi_id> is VD(DID?) in storcli output, this is not always same as DG :)<br />
<br />
TODO find out where that '7' comes from<br />
<br />
==Alarm==<br />
===Silence alarm===<br />
storcli /c0 set alarm=off<br />
<br />
<br />
==BBU==<br />
===Show time===<br />
storcli /c0 show time<br />
<br />
===Get BBU status===<br />
*https://support.siliconmechanics.com/portal/en/kb/articles/bbu-commands-for-storcli<br />
<br />
storcli /cx/bbu show all<br />
===BBU start learn===<br />
storcli /cx/bbu start learn<br />
<br />
===BBU status values===<br />
Check [https://github.com/prometheus-community/node-exporter-textfile-collector-scripts/issues/27 here] for more confusion<br />
*0: OK <br />
*8: charging or not full, unclear<br />
*16: cachevault? <br />
*32: manual learn requested<br />
<br />
<br />
==Get smart status of disk==<br />
smartctl -a /dev/bus/0 -d sat+megaraid,14<br />
Where '''14''' is disk ID, not Slot number<br />
<br />
==Set disk to JBOD==<br />
If disk still in an array, first delete that :)<br />
Looks like disks should be in state '''UGood'''<br />
<br />
storcli /cx[/ex]/sx set jbod<br />
<br />
If that fails try:<br />
storcli /c0 set jbod=on<br />
this might/should set all unused drives to jbod<br />
<br />
Else look at:<br />
storcli /c0/e9/s0 start erase simple<br />
or if that fails<br />
storcli /c0/e9/s0 start erase<br />
this takes a while, check with<br />
storcli /c0/e9/s0 show erase<br />
<br />
==FAQ==<br />
===Failure 255 Operation not allowed.===<br />
Disk still in an array?<br />
<br />
=Output=<br />
==UGood F==<br />
Disk contains foreign config, clear with<br />
storcli /c0/fall del<br />
<br />
= Virtual Devices =<br />
<br />
== NRWBD ==<br />
<br />
NR=No Read Ahead WB = Write Back D = Direct IO<br />
<br />
<br />
== Cache settings ==<br />
<br />
=== read ahead ===<br />
<br />
Usually on; pointless if reads are very random<br />
<br />
=== write back ===<br />
Faster, assumes you have BBU<br />
<br />
= FAQ =<br />
<br />
==List controllers==<br />
storcli show all<br />
<br />
== VD settings with SSD ==<br />
<br />
==Set bootable == <br />
storcli /c0/e10/s0 set bootdrive=on|off<br />
<br />
NO read ahead, write through<br />
<br />
storcli /c0 /v2 set wrcache=wt<br />
<br />
<br />
No read ahead<br />
<br />
storcli /c0 /v2 set rdcache=nora<br />
<br />
== Changing cache settings ==<br />
<br />
storcli /c0 /v1 set wrcache=wt|wb|awb<br />
storcli /c0 /v1 set rdcache=ra|nora<br />
<br />
<br />
<br />
<br />
=== ErrMsg: use /cx/cv ===<br />
There might be a "cachevault"?<br />
storcli /c0/cv show status</div>
Tony
https://wiki.dhits.nl/index.php?title=Storcli&diff=8784
Storcli
2024-03-20T15:57:00Z
<p>Tony: /* Drive mappings */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[https://www.thomas-krenn.com/en/wiki/StorCLI_commands StorCLI commands] <br />
*[https://www.virtualizationhowto.com/2017/10/change-bbu-and-raid-cache-settings-with-avago-lsi-storcli/ Cache settings] <br />
*[https://titanwolf.org/Network/Articles/Article?AID=486e3967-1b44-4e90-bd28-f7e271586ba1 Conversion between raid levels]<br />
*[https://www.broadcom.com/site-search?q=storcli Download storcli]<br />
<br />
=HOWTO=<br />
==Add new/replacement disk==<br />
Show all should tell you s(Slot), dg, array and row, then:<br />
<br />
storcli /c0/e32/s12 insert dg=0 array=0 row=0<br />
storcli /c0/e32/s12 start rebuild<br />
<br />
<br />
==Locate a disk==<br />
storcli /c0/e8/s2 start locate<br />
<br />
<br />
==Show rebuild status==<br />
storcli /c0 /eall /sall show rebuild<br />
<br />
==Drive mappings==<br />
sg_map -x<br />
Output: /dev/sgXX <host_number> <bus> <scsi_id> <lun> <scsi_type> <disk><br />
<br />
/dev/sg11 7 0 1 0 0 /dev/sdl<br />
<br />
<scsi_id> is VD in storcli output, this is not always same as DG :)<br />
<br />
TODO find out where that '7' comes from<br />
<br />
==Alarm==<br />
===Silence alarm===<br />
storcli /c0 set alarm=off<br />
<br />
<br />
==BBU==<br />
===Show time===<br />
storcli /c0 show time<br />
<br />
===Get BBU status===<br />
*https://support.siliconmechanics.com/portal/en/kb/articles/bbu-commands-for-storcli<br />
<br />
storcli /cx/bbu show all<br />
===BBU start learn===<br />
storcli /cx/bbu start learn<br />
<br />
===BBU status values===<br />
Check [https://github.com/prometheus-community/node-exporter-textfile-collector-scripts/issues/27 here] for more confusion<br />
*0: OK <br />
*8: charging or not full, unclear<br />
*16: cachevault? <br />
*32: manual learn requested<br />
<br />
<br />
==Get smart status of disk==<br />
smartctl -a /dev/bus/0 -d sat+megaraid,14<br />
Where '''14''' is disk ID, not Slot number<br />
<br />
==Set disk to JBOD==<br />
If disk still in an array, first delete that :)<br />
Looks like disks should be in state '''UGood'''<br />
<br />
storcli /cx[/ex]/sx set jbod<br />
<br />
If that fails try:<br />
storcli /c0 set jbod=on<br />
this might/should set all unused drives to jbod<br />
<br />
Else look at:<br />
storcli /c0/e9/s0 start erase simple<br />
or if that fails<br />
storcli /c0/e9/s0 start erase<br />
this takes a while, check with<br />
storcli /c0/e9/s0 show erase<br />
<br />
==FAQ==<br />
===Failure 255 Operation not allowed.===<br />
Disk still in an array?<br />
<br />
=Output=<br />
==UGood F==<br />
Disk contains foreign config, clear with<br />
storcli /c0/fall del<br />
<br />
= Virtual Devices =<br />
<br />
== NRWBD ==<br />
<br />
NR=No Read Ahead WB = Write Back D = Direct IO<br />
<br />
<br />
== Cache settings ==<br />
<br />
=== read ahead ===<br />
<br />
Usually on; pointless if reads are very random<br />
<br />
=== write back ===<br />
Faster, assumes you have BBU<br />
<br />
= FAQ =<br />
<br />
==List controllers==<br />
storcli show all<br />
<br />
== VD settings with SSD ==<br />
<br />
==Set bootable == <br />
storcli /c0/e10/s0 set bootdrive=on|off<br />
<br />
NO read ahead, write through<br />
<br />
storcli /c0 /v2 set wrcache=wt<br />
<br />
<br />
No read ahead<br />
<br />
storcli /c0 /v2 set rdcache=nora<br />
<br />
== Changing cache settings ==<br />
<br />
storcli /c0 /v1 set wrcache=wt|wb|awb<br />
storcli /c0 /v1 set rdcache=ra|nora<br />
<br />
<br />
<br />
<br />
=== ErrMsg: use /cx/cv ===<br />
There might be a "cachevault"?<br />
storcli /c0/cv show status</div>
Tony
https://wiki.dhits.nl/index.php?title=ZFS&diff=8783
ZFS
2024-03-20T15:55:32Z
<p>Tony: /* Replace disk in zfs */</p>
<hr />
<div><br />
= Links =<br />
*[http://open-zfs.org http://open-zfs.org] <br />
*[http://www.edplese.com/samba-with-zfs.html http://www.edplese.com/samba-with-zfs.html] <br />
*[http://wintelguy.com/zfs-calc.pl ZFS calculator] <br />
*[https://www.raidz-calculator.com/default.aspx another zfs calculator]<br />
*[https://bm-stor.com/index.php/blog/Linux-cluster-with-ZFS-on-Cluster-in-a-Box/ ZFS clustering] <br />
*[https://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/ ZFS and ECC] <br />
*[https://docs.joyent.com/private-cloud/troubleshooting/disk-replacement ZFS troubleshooting/disk replacement] <br />
*[https://www.high-availability.com/docs/Quickstart-ZFS-Cluster/ Creating a ZFS HA Cluster using shared or shared-nothing storage]<br />
*[https://arstechnica.com/information-technology/2020/05/zfs-101-understanding-zfs-storage-and-performance/ ZFS 101]<br />
*[https://arstechnica.com/gadgets/2021/06/raidz-expansion-code-lands-in-openzfs-master/ Raidz expansion]<br />
*[https://somedudesays.com/2021/08/the-basic-guide-to-working-with-zfs/ Basic guide to working with zfs]<br />
*[https://wiki.archlinux.org/title/ZFS Archlinux page on ZFS]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html Raidz basic concepts]<br />
<br />
=Documentation=<br />
*[https://openzfs.github.io/openzfs-docs/man/4/zfs.4.html zfs manpage]<br />
*[http://zfsonlinux.org/ ZFS on Linux] <br />
*[https://openzfs.org/wiki/ openzfs wiki]<br />
*[https://wiki.gentoo.org/wiki/ZFS https://wiki.gentoo.org/wiki/ZFS] <br />
*[https://blog.programster.org/zfs-cheatsheet ZFS cheatsheet] <br />
*[http://wiki.freebsd.org/ZFSQuickStartGuide http://wiki.freebsd.org/ZFSQuickStartGuide] <br />
*[http://www.opensolaris.org/os/community/zfs/intro/ Opensolaris ZFS intro]<br />
*[http://www.raidz-calculator.com/raidz-types-reference.aspx raidz types reference]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSZpoolFragmentationMeaning ZFS fragmentation]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html raidz]<br />
<br />
==ARC/Caching==<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCItsVariousSizes ZFS Arc various sizes]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSUnderstandingARCHits Understanding ARC hits]<br />
*[https://www.45drives.com/community/articles/zfs-caching/ ZFS Caching]<br />
*[https://zfs-discuss.opensolaris.narkive.com/D7v2YmjF/raidz-what-is-stored-in-parity What is stored in parity]<br />
<br />
===L2ARC===<br />
*[https://klarasystems.com/articles/openzfs-all-about-l2arc/ OpenZFS: All about the cache vdev or L2ARC]<br />
<br />
sysctl kstat.zfs.misc.arcstats | egrep 'l2_(hits|misses)'<br />
and<br />
egrep 'l2_(hits|misses)' /proc/spl/kstat/zfs/arcstats<br />
<br />
==Tuning ZFS==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/index.html ZFS Performance and Tuning]<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://www.high-availability.com/docs/ZFS-Tuning-Guide/ ZFS Tuning and Optimisation]<br />
*[https://forums.oracle.com/ords/apexds/post/part-10-monitoring-and-tuning-zfs-performance-4977 Monitoring and Tuning ZFS Performance]<br />
<br />
==ARC statistics==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning module parameters]<br />
*[https://openzfs.github.io/openzfs-docs/man/master/4/zfs.4.html ZFS]<br />
<br />
===ZFS module parameters===<br />
/sys/module/zfs/parameters/<br />
cat /proc/spl/kstat/zfs/arcstats<br />
===data_size===<br />
size of cached user data<br />
<br />
===dnode_size===<br />
<br />
===hdr_size===<br />
size of L2ARC headers stored in main ARC<br />
<br />
===metadata_size===<br />
size of cached metadata<br />
<br />
=Tools=<br />
*[https://github.com/asomers/ztop ztop]<br />
*[https://github.com/jimsalterjrs/ioztat ioztat]<br />
*[https://cuddletech.com/2008/10/explore-your-zfs-adaptive-replacement-cache-arc/ arc_summary]<br />
*[https://github.com/richardelling/zfs-linux-tools zfs-linux-tools] kstat-analyzer is rather helpful<br />
<br />
<br />
==kstat-analyzer==<br />
<br />
===prefetch hit rate is low, consider tuning prefetcher===<br />
Check:<br />
<br />
Supposed to leave that at 0:<br />
cat /sys/module/zfs/parameters/zfs_vdev_cache_size<br />
<br />
<br />
Code: <br />
if (float(kstats['hits']) / accesses) < PREFETCH_RATIO_OK<br />
<br />
Relevant links:<br />
*https://www.truenas.com/community/threads/notes-on-zfs-prefetch.1076/<br />
<br />
*https://www.phoronix.com/news/OpenZFS-Uncached-Prefetch<br />
<br />
=Processes=<br />
==arc_evict==<br />
Evict buffers from list until we've removed the specified number of<br />
bytes. Move the removed buffers to the appropriate evict state.<br />
If the recycle flag is set, then attempt to "recycle" a buffer:<br />
- look for a buffer to evict that is `bytes' long.<br />
- return the data block from this buffer rather than freeing it.<br />
This flag is used by callers that are trying to make space for a<br />
new buffer in a full arc cache.<br />
<br />
<br />
This function makes a "best effort". It skips over any buffers<br />
it can't get a hash_lock on, and so may not catch all candidates.<br />
It may also return without evicting as much space as requested.<br />
<br />
==arc_prune==<br />
<br />
=Commands=<br />
<br />
==Getting arc statistics==<br />
arcstat<br />
<br />
arc_summary<br />
Tip, for details use<br />
arc_summary -d<br />
There is also<br />
cat /proc/spl/kstat/zfs/arcstats<br />
<br />
and<br />
zfetchstat + kstat-analyzer from zfs-linux-tools<br />
<br />
<br />
===zil/slog statistics===<br />
arc_summary -s zil<br />
<br />
===l2arc statistics===<br />
arc_summary -s l2arc<br />
<br />
==Getting IO statistics==<br />
zpool iostat -v 300<br />
<br />
=Terms and acronyms=<br />
==vdev==<br />
'''V'''irtual '''Dev'''ice.<br />
<br />
*[https://wiki.archlinux.org/title/ZFS/Virtual_disks ZFS Virtual disks]<br />
==ARC==<br />
'''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
Portion of RAM used to cache data to speed up read performance<br />
<br />
==L2ARC==<br />
'''L'''evel '''2''' '''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
"L2ARC is usually considered if hit rate for the ARC is below 90% while having 64+ GB of RAM"<br />
<br />
SSD cache<br />
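To check the rule of thumb quoted above against real numbers, the counters in /proc/spl/kstat/zfs/arcstats can be turned into hit rates. The following is an added example, not part of the original wiki page: the function names and the sample counters are constructed for illustration, and the metadata check assumes the arc_meta_used and arc_meta_limit counters named in the FAQ are present in the file.

```python
import os

GIB = 2 ** 30

# Constructed sample in the layout of /proc/spl/kstat/zfs/arcstats:
# one kstat header line, one column header line, then "name type data" rows.
SAMPLE_ARCSTATS = """\
9 1 0x01 123 33456 1234567890 9876543210
name                            type data
hits                            4    900000
misses                          4    300000
size                            4    4294967296
c_max                           4    5368709120
arc_meta_used                   4    1200000000
arc_meta_limit                  4    1000000000
l2_hits                         4    1000
l2_misses                       4    299000
"""


def parse_arcstats(text):
    """Return {counter_name: int} from arcstats text, skipping both headers."""
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "name":
            continue
        try:
            stats[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return stats


def hit_rate(hits, misses):
    """hits / (hits + misses), or None when there were no accesses."""
    total = hits + misses
    return hits / total if total else None


def assess(stats, ram_bytes):
    """Apply the page's rules of thumb to parsed arcstats counters."""
    arc = hit_rate(stats.get("hits", 0), stats.get("misses", 0))
    l2 = hit_rate(stats.get("l2_hits", 0), stats.get("l2_misses", 0))
    used = stats.get("arc_meta_used")
    limit = stats.get("arc_meta_limit")
    return {
        "arc_hit_rate": arc,
        "l2arc_hit_rate": l2,
        # "ARC hit rate below 90% while having 64+ GB of RAM"
        "consider_l2arc": arc is not None and arc < 0.90 and ram_bytes >= 64 * GIB,
        # FAQ: "Arc metadata size exceeds maximum"
        "meta_over_limit": None if used is None or limit is None else used > limit,
    }


if __name__ == "__main__":
    try:
        with open("/proc/spl/kstat/zfs/arcstats") as fh:
            text = fh.read()
        ram = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")
    except (OSError, ValueError):
        # No ZFS module loaded here: fall back to the constructed sample.
        text, ram = SAMPLE_ARCSTATS, 64 * GIB
    for name, value in assess(parse_arcstats(text), ram).items():
        print(name, value)
```

The counters are cumulative since module load, so for a current picture take two readings some minutes apart and compute the rates from the differences.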
<br />
==DMU==<br />
Data Management Unit<br />
<br />
<br />
==MFU==<br />
Most Frequently Used<br />
<br />
==MRU==<br />
Most Recently Used<br />
<br />
==zvol==<br />
kind of block device whose space is allocated from the pool, useful for iscsi targets<br />
<br />
==Scrubbing==<br />
Checking disks/data integrity<br />
zpool status <poolname> | grep scrub<br />
<br />
and<br />
zpool scrub <poolname><br />
probably taken care of by cron.<br />
<br />
<br />
==SLOG==<br />
See [ZIL]<br />
<br />
==ZIL==<br />
[https://constantin.glez.de/2010/07/20/solaris-zfs-synchronous-writes-and-zil-explained/ ZIL explained]<br />
<br />
The space where synchronous writes are logged before the confirmation is sent back to the client<br />
<br />
==prefetch==<br />
See /proc/spl/kstat/zfs/zfetchstats<br />
<br />
*[https://cuddletech.com/2009/05/understanding-zfs-prefetch/ Understanding ZFS prefetch]<br />
*[https://svennd.be/tuning-of-zfs-module/ Tuning of the ZFS module]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCStatsAndPrefetch Some basic ZFS ARC statistics and prefetching]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSPrefetchStatsNotes Some notes on ZFS prefetch related stats]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
<br />
= HOWTO =<br />
==Caching==<br />
===Add log/cache===<br />
zpool add rpool cache sdf<br />
<br />
===Add ZIL/SLOG write cache===<br />
<br />
zpool add rpool log mirror sdk sdl<br />
<br />
===Remove ZIL/SLOG mirrored cache===<br />
zpool remove mypool mirror-4 sdn1 sdo1<br />
<br />
==Getting statistics==<br />
<br />
===Show cache activity===<br />
dstat --zfs-arc --zfs-l2arc --zfs-zil -d 5<br />
<br />
===zpool===<br />
zpool iostat<br />
====More statistics, every 5 seconds====<br />
zpool iostat -v 5<br />
<br />
===Flush linux caches===<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===arc statistics===<br />
===l2arc statistics===<br />
<br />
===ZIL statistics===<br />
cat /proc/spl/kstat/zfs/zil<br />
<br />
==Create zfs filesystem==<br />
zfs create poolname/fsname<br />
this also creates mountpoint<br />
<br />
<br />
==Add vdev to pool==<br />
zpool add mypool raidz1 sdg sdh sdi<br />
<br />
== Replace disk in zfs ==<br />
<br />
=== Some links ===<br />
<br />
*[https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/ https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/] <br />
<br />
Get information first:<br />
<br />
Name of disk<br />
<br />
zpool status<br />
<br />
<br />
Find uid of disk to replace<br />
<br />
take it offline<br />
<br />
zpool offline poolname ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M5RLZC6V<br />
<br />
Get the disk guid:<br />
<br />
zdb<br />
<br />
guid: 15233236897831806877<br />
<br />
Get list of disk by id:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Save the id, shutdown, replace disk, boot:<br />
<br />
Find the new disk:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Run replace command. The id is the guid of the old disk, name is of the new disk<br />
<br />
zpool replace tank /dev/disk/by-id/13450850036953119346 /dev/disk/by-id/ata-ST4000VN000-1H4168_Z302FQVZ<br />
<br />
<br />
===If disk is shown as '''UNAVAIL'''===<br />
zpool offline tank sdi<br />
<br />
==Showing information about ZFS pools and datasets==<br />
===Show pools with sizes===<br />
zpool list <br />
or<br />
zpool list -H -o name,size<br />
<br />
<br />
===Show reservations on datasets===<br />
zfs list -o name,reservation<br />
<br />
==Swap on zfs==<br />
https://askubuntu.com/questions/228149/zfs-partition-as-swap<br />
<br />
==vdevs==<br />
===multiple vdevs===<br />
Multiple vdevs in a zpool get striped.<br />
What about balance?<br />
<br />
===invalid vdev specification===<br />
Probably means you need -f<br />
<br />
===show balance between vdevs===<br />
zpool iostat -v 'pool' [interval in seconds]<br />
or just<br />
zpool iostat -vc 'pool'<br />
<br />
== Tuning arc settings ==<br />
See [https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning ZFS modules parameters]<br />
===zfs_arc_max===<br />
Linux defaults to giving 50% of RAM to arc, this is when:<br />
cat /sys/module/zfs/parameters/zfs_arc_max<br />
0<br />
grep c_max /proc/spl/kstat/zfs/arcstats<br />
To change this:<br />
echo 5368709120 > /sys/module/zfs/parameters/zfs_arc_max<br />
and add to /etc/modprobe.d/zfs.conf<br />
options zfs zfs_arc_max=5368709120<br />
<br />
'''NOTE you might need to run''' <br />
update-initramfs -u <br />
<br />
and perhaps clear caches and reset counters:<br />
<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===Tune zfs_arc_dnode_limit_percent===<br />
Assuming zfs_arc_dnode_limit = 0: <br />
<br />
echo 20 > /sys/module/zfs/parameters/zfs_arc_dnode_limit_percent<br />
<br />
In /etc/modprobe.d/zfs.conf: <br />
<br />
<br />
options zfs zfs_arc_dnode_limit_percent=20<br />
<br />
<br />
===export iscsi===<br />
https://linuxhint.com/share-zfs-volumes-via-iscsi/<br />
<br />
= FAQ =<br />
==arc_summary==<br />
===VDEV cache disabled, skipping section===<br />
This is normal, vdev caching is considered bad<br />
<br />
<br />
==Arc metadata size exceeds maximum==<br />
So '''arc_meta_used''' > '''arc_meta_limit'''<br />
<br />
<br />
==increasing feed rate==<br />
<br />
<br />
== show status and disks ==<br />
<br />
zpool status<br />
<br />
== show drives/pools ==<br />
<br />
zfs list<br />
<br />
<br />
== check raid level ==<br />
<br />
zfs list -a<br />
<br />
<br />
==Estimate raidz speeds==<br />
raidz1: N/(N-1) * IOPS<br />
raidz2: N/(N-2) * IOPS<br />
raidz3: N/(N-3) * IOPS<br />
<br />
<br />
==VDEV cache disabled, skipping section==<br />
Looks like you just don't have l2arc cache<br />
<br />
<br />
==cannot export 'tank': pool is busy==<br />
After checking stuff like nfs etc try:<br />
zfs unshare -a<br />
zfs umount -a -f<br />
zpool export -f tank</div>
Tony
https://wiki.dhits.nl/index.php?title=Extended_File_System&diff=8782
Extended File System
2024-03-20T11:44:01Z
<p>Tony: </p>
<hr />
<div>=Links=<br />
*[https://ext4.wiki.kernel.org ext4.wiki.kernel.org]<br />
<br />
=FAQ=<br />
==Reserved space==<br />
*https://ma.ttias.be/change-reserved-blocks-ext3-ext4-filesystem-linux/<br />
<br />
===Check reserved space===<br />
tune2fs -l /dev/partition | grep 'Reserved'<br />
<br />
===Remove reserved space===<br />
tune2fs -r 0 /dev/sdd1<br />
<br />
===Reduce reserved space===<br />
Set to 1%<br />
tune2fs -m 1 /dev/sdd1<br />
<br />
==Grow to partition size==<br />
Simply<br />
resize2fs /dev/sdc1<br />
<br />
<br />
=Check minimum size for resize2fs=<br />
resize2fs -P /dev/sdc1<br />
gives you the number of (usually 4096 byte) blocks</div>
Tony
https://wiki.dhits.nl/index.php?title=Centos&diff=8781
Centos
2024-03-19T11:43:55Z
<p>Tony: /* FAQ */</p>
<hr />
<div>To make it do anything at all:<br />
yum install epel-release<br />
<br />
<br />
=HOWTO=<br />
== Locales ==<br />
localectl status<br />
localectl list-locales<br />
<br />
localectl set-locale LANG=locale_name<br />
<br />
Package: glibc-langpack-*<br />
<br />
=FAQ=<br />
==network install url==<br />
http://mirror.centos.org/centos/7/os/x86_64<br />
==reset root password==<br />
http://www.tecmint.com/reset-forgotten-root-password-in-rhel-centos-and-fedora/<br />
<br />
<br />
==add module on 7==<br />
modprobe --first-time foo<br />
<br />
<br />
==Failed to validate GPG signature for mysql-community-common==<br />
Check https://dev.mysql.com/doc/refman/8.0/en/checking-rpm-signature.html<br />
<br />
And try<br />
rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2023</div>
Tony
https://wiki.dhits.nl/index.php?title=ZFS&diff=8780
ZFS
2024-03-19T10:35:50Z
<p>Tony: /* Tuning arc settings */</p>
<hr />
<div><br />
= Links =<br />
*[http://open-zfs.org http://open-zfs.org] <br />
*[http://www.edplese.com/samba-with-zfs.html http://www.edplese.com/samba-with-zfs.html] <br />
*[http://wintelguy.com/zfs-calc.pl ZFS calculator] <br />
*[https://www.raidz-calculator.com/default.aspx another zfs calculator]<br />
*[https://bm-stor.com/index.php/blog/Linux-cluster-with-ZFS-on-Cluster-in-a-Box/ ZFS clustering] <br />
*[https://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/ ZFS and ECC]<br />
*[https://docs.joyent.com/private-cloud/troubleshooting/disk-replacement ZFS troubleshooting/disk replacement] <br />
*[https://www.high-availability.com/docs/Quickstart-ZFS-Cluster/ Creating a ZFS HA Cluster using shared or shared-nothing storage]<br />
*[https://arstechnica.com/information-technology/2020/05/zfs-101-understanding-zfs-storage-and-performance/ ZFS 101]<br />
*[https://arstechnica.com/gadgets/2021/06/raidz-expansion-code-lands-in-openzfs-master/ Raidz expansion]<br />
*[https://somedudesays.com/2021/08/the-basic-guide-to-working-with-zfs/ Basic guide to working with zfs]<br />
*[https://wiki.archlinux.org/title/ZFS Archlinux page on ZFS]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html Raidz basic concepts]<br />
<br />
=Documentation=<br />
*[https://openzfs.github.io/openzfs-docs/man/4/zfs.4.html zfs manpage]<br />
*[http://zfsonlinux.org/ ZFS on Linux] <br />
*[https://openzfs.org/wiki/ openzfs wiki]<br />
*[https://wiki.gentoo.org/wiki/ZFS https://wiki.gentoo.org/wiki/ZFS] <br />
*[https://blog.programster.org/zfs-cheatsheet ZFS cheatsheet] <br />
*[http://wiki.freebsd.org/ZFSQuickStartGuide http://wiki.freebsd.org/ZFSQuickStartGuide] <br />
*[http://www.opensolaris.org/os/community/zfs/intro/ Opensolaris ZFS intro]<br />
*[http://www.raidz-calculator.com/raidz-types-reference.aspx raidz types reference]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSZpoolFragmentationMeaning ZFS fragmentation]<br />
*[https://openzfs.github.io/openzfs-docs/Basic%20Concepts/RAIDZ.html raidz]<br />
<br />
==ARC/Caching==<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCItsVariousSizes ZFS Arc various sizes]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSUnderstandingARCHits Understanding ARC hits]<br />
*[https://www.45drives.com/community/articles/zfs-caching/ ZFS Caching]<br />
*[https://zfs-discuss.opensolaris.narkive.com/D7v2YmjF/raidz-what-is-stored-in-parity What is stored in parity]<br />
<br />
===L2ARC===<br />
*[https://klarasystems.com/articles/openzfs-all-about-l2arc/ OpenZFS: All about the cache vdev or L2ARC]<br />
<br />
sysctl kstat.zfs.misc.arcstats | egrep 'l2_(hits|misses)'<br />
and<br />
egrep 'l2_(hits|misses)' /proc/spl/kstat/zfs/arcstats<br />
<br />
==Tuning ZFS==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/index.html ZFS Performance and Tuning]<br />
*[https://linuxhint.com/configure-zfs-cache-high-speed-io/ Configuring ZFS Cache for High-Speed IO]<br />
*[https://www.high-availability.com/docs/ZFS-Tuning-Guide/ ZFS Tuning and Optimisation]<br />
*[https://forums.oracle.com/ords/apexds/post/part-10-monitoring-and-tuning-zfs-performance-4977 Monitoring and Tuning ZFS Performance]<br />
<br />
==ARC statistics==<br />
*[https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning module parameters]<br />
*[https://openzfs.github.io/openzfs-docs/man/master/4/zfs.4.html ZFS]<br />
<br />
===ZFS module parameters===<br />
/sys/module/zfs/parameters/<br />
cat /proc/spl/kstat/zfs/arcstats<br />
===data_size===<br />
size of cached user data<br />
<br />
===dnode_size===<br />
<br />
===hdr_size===<br />
size of L2ARC headers stored in main ARC<br />
<br />
===metadata_size===<br />
size of cached metadata<br />
<br />
=Tools=<br />
*[https://github.com/asomers/ztop ztop]<br />
*[https://github.com/jimsalterjrs/ioztat ioztat]<br />
*[https://cuddletech.com/2008/10/explore-your-zfs-adaptive-replacement-cache-arc/ arc_summary]<br />
*[https://github.com/richardelling/zfs-linux-tools zfs-linux-tools] kstat-analyzer is rather helpful<br />
<br />
<br />
==kstat-analyzer==<br />
<br />
===prefetch hit rate is low, consider tuning prefetcher===<br />
Check:<br />
<br />
Supposed to leave that at 0:<br />
cat /sys/module/zfs/parameters/zfs_vdev_cache_size<br />
<br />
<br />
Code: <br />
if (float(kstats['hits']) / accesses) < PREFETCH_RATIO_OK<br />
<br />
Relevant links:<br />
*https://www.truenas.com/community/threads/notes-on-zfs-prefetch.1076/<br />
<br />
*https://www.phoronix.com/news/OpenZFS-Uncached-Prefetch<br />
<br />
=Processes=<br />
==arc_evict==<br />
Evict buffers from list until we've removed the specified number of<br />
bytes. Move the removed buffers to the appropriate evict state.<br />
If the recycle flag is set, then attempt to "recycle" a buffer:<br />
- look for a buffer to evict that is `bytes' long.<br />
- return the data block from this buffer rather than freeing it.<br />
This flag is used by callers that are trying to make space for a<br />
new buffer in a full arc cache.<br />
<br />
<br />
This function makes a "best effort". It skips over any buffers<br />
it can't get a hash_lock on, and so may not catch all candidates.<br />
It may also return without evicting as much space as requested.<br />
<br />
==arc_prune==<br />
<br />
=Commands=<br />
<br />
==Getting arc statistics==<br />
arcstat<br />
<br />
arc_summary<br />
Tip, for details use<br />
arc_summary -d<br />
There is also<br />
cat /proc/spl/kstat/zfs/arcstats<br />
<br />
and<br />
zfetchstat + kstat-analyzer from zfs-linux-tools<br />
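<br />
Added example (not part of the original wiki page): a small POSIX shell reader for the arcstats layout shown by <code>cat /proc/spl/kstat/zfs/arcstats</code>. It computes ARC and L2ARC hit percentages and tests the ARC rate against a threshold such as the 90% quoted under L2ARC on this page. The function names and the sample counters are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: hit percentages from arcstats-format text (name / type / data columns).

# kstat_value FILE NAME: print the "data" column of counter NAME; fail if absent.
kstat_value() {
    awk -v name="$2" '
        NF == 3 && $1 == name { print $3; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# hit_pct FILE HITS MISSES: integer hit percentage, or "n/a" when there were no accesses.
hit_pct() {
    h=$(kstat_value "$1" "$2") || return 1
    m=$(kstat_value "$1" "$3") || return 1
    total=$((h + m))
    if [ "$total" -eq 0 ]; then
        echo "n/a"
        return 0
    fi
    echo $((100 * h / total))
}

# arc_below_threshold FILE PCT: status 0 when the ARC hit rate is below PCT,
# 1 when it is not (or there is no traffic yet), 2 when counters are missing.
# Only the hit rate is checked; installed RAM is not looked at.
arc_below_threshold() {
    pct=$(hit_pct "$1" hits misses) || return 2
    [ "$pct" != "n/a" ] && [ "$pct" -lt "$2" ]
}

# write_sample FILE: constructed sample in the arcstats layout
# (two header lines, then one counter per line).
write_sample() {
    cat > "$1" <<'EOF'
13 1 0x01 98 26656 8461293121 501236749871
name                            type data
hits                            4    850000
misses                          4    150000
l2_hits                         4    30000
l2_misses                       4    120000
c_max                           4    5368709120
EOF
}

# Usage on a real system: sh arc_hit.sh /proc/spl/kstat/zfs/arcstats
if [ "$#" -ge 1 ]; then
    echo "ARC hit %:   $(hit_pct "$1" hits misses)"
    echo "L2ARC hit %: $(hit_pct "$1" l2_hits l2_misses)"
fi
```

The counters are cumulative since module load, so compare two readings taken some time apart when judging the current workload.<br />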
<br />
<br />
===zil/slog statistics===<br />
arc_summary -s zil<br />
<br />
===l2arc statistics===<br />
arc_summary -s l2arc<br />
<br />
==Getting IO statistics==<br />
zpool iostat -v 300<br />
<br />
=Terms and acronyms=<br />
==vdev==<br />
'''V'''irtual '''Dev'''ice.<br />
<br />
*[https://wiki.archlinux.org/title/ZFS/Virtual_disks ZFS Virtual disks]<br />
==ARC==<br />
'''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
Portion of RAM used to cache data to speed up read performance<br />
<br />
==L2ARC==<br />
'''L'''evel '''2''' '''A'''daptive '''R'''eplacement '''C'''ache<br />
<br />
"L2ARC is usually considered if hit rate for the ARC is below 90% while having 64+ GB of RAM"<br />
<br />
SSD cache<br />
<br />
==DMU==<br />
Data Management Unit<br />
<br />
<br />
==MFU==<br />
Most Frequently Used<br />
<br />
==MRU==<br />
Most Recently Used<br />
<br />
==zvol==<br />
kind of block device whose space is allocated from the pool, useful for iscsi targets<br />
<br />
==Scrubbing==<br />
Checking disks/data integrity<br />
zpool status <poolname> | grep scrub<br />
<br />
and<br />
zpool scrub <poolname><br />
probably taken care of by cron.<br />
<br />
<br />
==SLOG==<br />
See [[#ZIL|ZIL]]<br />
<br />
==ZIL==<br />
[https://constantin.glez.de/2010/07/20/solaris-zfs-synchronous-writes-and-zil-explained/ ZIL explained]<br />
<br />
The space where synchronous writes are logged before the confirmation is sent back to the client.<br />
<br />
==prefetch==<br />
See /proc/spl/kstat/zfs/zfetchstats<br />
<br />
*[https://cuddletech.com/2009/05/understanding-zfs-prefetch/ Understanding ZFS prefetch]<br />
*[https://svennd.be/tuning-of-zfs-module/ Tuning of the ZFS module]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSARCStatsAndPrefetch Some basic ZFS ARC statistics and prefetching]<br />
*[https://utcc.utoronto.ca/~cks/space/blog/solaris/ZFSPrefetchStatsNotes Some notes on ZFS prefetch related stats]<br />
*[http://dtrace.org/blogs/brendan/2012/01/09/activity-of-the-zfs-arc/ Activity of the ZFS ARC]<br />
<br />
= HOWTO =<br />
==Caching==<br />
===Add log/cache===<br />
zpool add rpool cache sdf<br />
<br />
===Add ZIL/SLOG write cache===<br />
<br />
zpool add rpool log mirror sdk sdl<br />
<br />
===Remove ZIL/SLOG mirrored cache===<br />
zpool remove mypool mirror-4 sdn1 sdo1<br />
<br />
==Getting statistics==<br />
<br />
===Show cache activity===<br />
dstat --zfs-arc --zfs-l2arc --zfs-zil -d 5<br />
<br />
===zpool===<br />
zpool iostat<br />
====More statistics, every 5 seconds====<br />
zpool iostat -v 5<br />
<br />
===Flush linux caches===<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===arc statistics===<br />
===l2arc statistics===<br />
<br />
===ZIL statistics===<br />
cat /proc/spl/kstat/zfs/zil<br />
<br />
==Create zfs filesystem==<br />
zfs create poolname/fsname<br />
this also creates mountpoint<br />
<br />
<br />
==Add vdev to pool==<br />
zpool add mypool raidz1 sdg sdh sdi<br />
<br />
== Replace disk in zfs ==<br />
<br />
=== Some links ===<br />
<br />
*[https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/ https://itectec.com/ubuntu/ubuntu-replacing-a-dead-disk-in-a-zpool/] <br />
<br />
Get information first:<br />
<br />
Name of disk<br />
<br />
zpool status<br />
<br />
<br />
Find uid of disk to replace<br />
<br />
take it offline<br />
<br />
zpool offline poolname ata-WDC_WD20EFRX-68EUZN0_WD-WCC4M5RLZC6V<br />
<br />
Get the disk guid:<br />
<br />
zdb<br />
<br />
guid: 15233236897831806877<br />
<br />
Get list of disk by id:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Save the id, shutdown, replace disk, boot:<br />
<br />
Find the new disk:<br />
<br />
ls -al /dev/disk/by-id<br />
<br />
Run replace command. The id is the guid of the old disk, name is of the new disk<br />
<br />
zpool replace tank /dev/disk/by-id/13450850036953119346 /dev/disk/by-id/ata-ST4000VN000-1H4168_Z302FQVZ<br />
<br />
==Showing information about ZFS pools and datasets==<br />
===Show pools with sizes===<br />
zpool list <br />
or<br />
zpool list -H -o name,size<br />
<br />
<br />
===Show reservations on datasets===<br />
zfs list -o name,reservations<br />
<br />
==Swap on zfs==<br />
https://askubuntu.com/questions/228149/zfs-partition-as-swap<br />
<br />
==vdevs==<br />
===multiple vdevs===<br />
Multiple vdevs in a zpool get striped.<br />
What about balance?<br />
<br />
===invalid vdev specification===<br />
Probably means you need -f<br />
<br />
===show balance between vdevs===<br />
zpool iostat -v 'pool' [interval in seconds]<br />
or just<br />
zpool iostat -vc 'pool'<br />
<br />
== Tuning arc settings ==<br />
See [https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html Tuning ZFS modules parameters]<br />
===zfs_arc_max===<br />
Linux defaults to giving 50% of RAM to the ARC; that default is in effect when zfs_arc_max is 0:<br />
cat /sys/module/zfs/parameters/zfs_arc_max<br />
0<br />
grep c_max /proc/spl/kstat/zfs/arcstats<br />
To change this:<br />
echo 5368709120 > /sys/module/zfs/parameters/zfs_arc_max<br />
and add to /etc/modprobe.d/zfs.conf<br />
options zfs zfs_arc_max=5368709120<br />
<br />
'''NOTE you might need to run''' <br />
update-initramfs -u <br />
<br />
and perhaps clear caches and reset counters:<br />
<br />
echo 3 > /proc/sys/vm/drop_caches<br />
<br />
===Tune zfs_arc_dnode_limit_percent===<br />
Assuming zfs_arc_dnode_limit = 0: <br />
<br />
echo 20 > /sys/module/zfs/parameters/zfs_arc_dnode_limit_percent<br />
<br />
In /etc/modprobe.d/zfs.conf: <br />
<br />
<br />
options zfs zfs_arc_dnode_limit_percent=20<br />
<br />
<br />
===export iscsi===<br />
https://linuxhint.com/share-zfs-volumes-via-iscsi/<br />
<br />
= FAQ =<br />
==arc_summary==<br />
===VDEV cache disabled, skipping section===<br />
This is normal, vdev caching is considered bad<br />
<br />
<br />
==Arc metadata size exceeds maximum==<br />
So '''arc_meta_used''' > '''arc_meta_limit'''<br />
<br />
<br />
==increasing feed rate==<br />
<br />
<br />
== show status and disks ==<br />
<br />
zpool status<br />
<br />
== show drives/pools ==<br />
<br />
zfs list<br />
<br />
<br />
== check raid level ==<br />
<br />
zfs list -a<br />
<br />
<br />
==Estimate raidz speeds==<br />
raidz1: N/(N-1) * IOPS<br />
raidz2: N/(N-2) * IOPS<br />
raidz3: N/(N-3) * IOPS<br />
<br />
<br />
==VDEV cache disabled, skipping section==<br />
Looks like you just don't have l2arc cache<br />
<br />
<br />
==cannot export 'tank': pool is busy==<br />
After checking stuff like nfs etc try:<br />
zfs unshare -a<br />
zfs umount -a -f<br />
zpool export -f tank</div>
Tony
https://wiki.dhits.nl/index.php?title=Ansible_snippets&diff=8779
Ansible snippets
2024-03-18T14:29:36Z
<p>Tony: /* Lineinfile */</p>
<hr />
<div>=Systemd=<br />
==Randomize timer==<br />
Create '''/var/ansible/files/systemd/fstrim.conf'''<br />
[Timer]<br />
RandomizedDelaySec=3h<br />
<br />
'''Playbook''': <br />
<br />
 tasks:<br />
<br />
   - name: check if /etc/systemd/system/fstrim.timer.d/ exists<br />
     stat:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
     register: override_dir<br />
<br />
   - name: create /etc/systemd/system/fstrim.timer.d/<br />
     file:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
       state: directory<br />
     when: override_dir.stat.exists == False<br />
<br />
   - name: add fstrim.timer override<br />
     copy:<br />
       src: /var/ansible/files/systemd/fstrim.conf<br />
       dest: /etc/systemd/system/fstrim.timer.d/override.conf<br />
     notify: daemon-reload<br />
<br />
 handlers:<br />
<br />
   - name: daemon-reload<br />
     systemd:<br />
       daemon_reload: yes<br />
<br />
=Lineinfile=<br />
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html Lineinfile documentation]<br />
<br />
==Quoting fun with lineinfile regex==<br />
 - name: fix the needrestart config<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     regexp: '^#\$nrconf{restart}'<br />
     line: '$nrconf{restart} = '&#39;a&#39;&#39;'<br />
   when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '22'<br />
<br />
==Comment out a line==<br />
 - name: comment out a line<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     backrefs: true<br />
     regexp: '^(foo.*)'<br />
     line: '# \1'<br />
<br />
<br />
==Check for string in file==<br />
 - name: Check for rotate setting<br />
   lineinfile:<br />
     path: "{{ rotatepath }}"<br />
     regex: '^ *rotate 180$'<br />
     state: absent<br />
   register: result<br />
<br />
 - debug: msg="{{ inventory_hostname }} {{ result.found }}"<br />
<br />
=Files=<br />
==Check if a file exists==<br />
 - name: check for a file<br />
   stat:<br />
     path: /etc/fstab<br />
   register: fstab<br />
<br />
 - name: print message if exists<br />
   ansible.builtin.debug:<br />
     msg: "File /etc/fstab exists"<br />
   when: fstab.stat.exists<br />
<br />
=Check if a command exists=<br />
 - name: check if mysqld is installed<br />
   shell: which mysqld > /dev/null 2>&1<br />
   ignore_errors: true<br />
   changed_when: false<br />
   register: mysqld<br />
   failed_when: mysqld.rc == 2</div>
Tony
https://wiki.dhits.nl/index.php?title=Debian&diff=8778
Debian
2024-03-18T09:08:12Z
<p>Tony: </p>
<hr />
<div>=Sites=<br />
*[http://www.debian.org/ Homepage]<br />
*[http://wiki.debian.org/ Wiki]<br />
*[http://www.debian.org/doc/manuals/reference/index.en.html Debian Reference]<br />
*[http://www.debian-administration.org/ debian-administration.org]<br />
*[http://www.debianadmin.com/ http://www.debianadmin.com/]<br />
<br />
=Security=<br />
*http://lists.debian.org/debian-security-announce/<br />
*debsecan<br />
*debsums<br />
<br />
=Links=<br />
*[[debconf]]<br />
<br />
=Netboot/PXE=<br />
*https://wiki.debian.org/DebianInstaller/NetbootAssistant<br />
*[https://wiki.debian.org/DebianInstaller/Preseed Preseed]<br />
*[https://www.howtoforge.com/tutorial/install-debian-9-stretch-via-pxe-network-boot-server/ Install Debian 9 (Stretch) via PXE Network Boot Server]<br />
<br />
=Documentation=<br />
<br />
*[http://www.debian.org/releases/stable/i386/ch08s05.html.en Compiling kernels the Debian way]<br />
*aptitude is often nicer than apt-get, but be careful<br />
*apt-file to find package providing a certain file<br />
<br />
<br />
==Networking on Debian==<br />
===Bonding===<br />
* https://wiki.debian.org/Bonding<br />
*[https://enterprise-support.nvidia.com/s/article/howto-create-linux-bond--lag--interface-over-infiniband-network Bonding on Infiniband]<br />
<br />
<br />
==https==<br />
<br />
*http://www.tuxick.net/docs/apache_ssl.html<br />
<br />
https on debian testing is a mess, ignore: <br />
<br />
*make-ssl-cert<br />
*apache2-ssl-certificate in apache2.2-common only?<br />
*http://www.debian-administration.org/articles/349<br />
<br />
http://www.eclectica.ca/howto/ssl-cert-howto.php looks promising<br />
<br />
==Handling packages==<br />
*[[Compiling Debian Packages]]<br />
===Pinning===<br />
*[http://jaqque.sbih.org/kplug/apt-pinning.html Pinning]<br />
*[http://www.argon.org/~roderick/apt-pinning.html Using APT with more than 2 sources]<br />
*http://wiki.debian.org/AptPinning<br />
<br />
=HOWTO=<br />
==Modules==<br />
===Set module parameters===<br />
in '''/etc/modprobe.d/somename.conf'''<br />
options somemodule paramname=2<br />
<br />
= FAQ =<br />
==APT==<br />
===Repository changed its 'Version' value===<br />
Try <br />
apt-get --allow-releaseinfo-change update<br />
<br />
<br />
== the following packages have been kept back: ==<br />
<br />
Time to apt-get dist-upgrade. But it could be different things.<br />
See https://askubuntu.com/questions/601/the-following-packages-have-been-kept-back-why-and-how-do-i-solve-it<br />
Perhaps:<br />
apt-get upgrade package-that-is-kept-back<br />
<br />
== change default editor ==<br />
<br />
update-alternatives --config editor<br />
<br />
== change timezone ==<br />
<br />
dpkg-reconfigure tzdata<br />
<br />
== kernel packages ==<br />
<br />
*kernel-image <br />
*kernel-source <br />
<br />
volatile<br />
<br />
&nbsp;<br />
<br />
== clean cache ==<br />
<br />
apt-get clean<br />
<br />
<br />
== E: Unable to correct problems, you have held broken packages. ==<br />
<br />
First try<br />
<br />
dpkg --get-selections | grep hold<br />
<br />
==reportbug: The following newer release(s) are available in the Debian archive:==<br />
Ignore that and just continue (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900254 )<br />
<br />
<br />
==apt-get update throwing KEYEXPIRED==<br />
Ignore that, it updated just fine. You might run into the usual warnings when installing packages. To Be Documented.<br />
For example:<br />
deb [trusted=yes]<br />
<br />
=Show more package information=<br />
apt-cache show packagename*<br />
<br />
<br />
== W: GPG error: ==<br />
<br />
[http://ftp2.de.debian.org http://ftp2.de.debian.org] etch/volatile Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EC61E0B0BBE55AB3<br />
<br />
gpg --keyserver wwwkeys.eu.pgp.net --recv-keys EC61E0B0BBE55AB3<br />
#and that other thing<br />
<br />
Or just:<br />
<br />
apt-get --allow-unauthenticated install debian-archive-keyring<br />
<br />
Or<br />
apt-key adv --keyserver pgp.mit.edu --recv-keys 8B48AD6246925553<br />
<br />
Or<br />
gpg --keyserver keyserver.ubuntu.com --recv-key 03BBF595D4DFD35C<br />
gpg -a --export 03BBF595D4DFD35C | apt-key add -<br />
<br />
==show dependency tree==<br />
apt-cache dotty<br />
apt-rdepends<br />
<br />
==show dependencies==<br />
apt-cache rdepends<br />
aptitude why<br />
<br />
==What package does a file belong to?==<br />
dpkg -S /path/to/file</div>
Tony
https://wiki.dhits.nl/index.php?title=Ssh&diff=8777
Ssh
2024-03-11T09:56:57Z
<p>Tony: /* no matching host key type found */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[http://blog.joncairns.com/2013/12/understanding-ssh-agent-and-ssh-add/ Understanding ssh-agent and ssh-add] <br />
*[https://www.ssh.com/ssh/key/ https://www.ssh.com/ssh/key/]<br />
<br />
<br />
<br />
<br />
=HOWTO=<br />
== chrooted sftp ==<br />
<br />
Homedir as defined in /etc/passwd /home/someuser<br />
<br />
chmod 755 /home/someuser<br />
chown root.root /home/someuser<br />
<br />
And then create writable dir for user:<br />
<br />
mkdir /home/someuser/downloads<br />
chown someuser.someuser /home/someuser/downloads<br />
<br />
&nbsp;<br />
<br />
Subsystem sftp internal-sftp<br />
<br />
'''Per group:'''<br />
<br />
/etc/ssh/sshd_config<br />
<br />
Match Group sftponly<br />
ChrootDirectory %h<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
PermitTunnel no<br />
X11Forwarding no<br />
<br />
#Remember this one to close Match block!<br />
Match all<br />
<br />
'''Per user:'''<br />
<br />
Match User username<br />
ChrootDirectory %h<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
PermitTunnel no<br />
X11Forwarding no<br />
#Remember this one to close Match block!<br />
Match all<br />
<br />
The ChrootDirectory must be owned by root.root with permissions 755. If you want group based access rights, you can do that in subdirectories.<br />
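<br />
Added example (not part of the original wiki page): sshd refuses a ChrootDirectory unless every component of the path is a root-owned directory that is not group- or world-writable, so this POSIX shell check walks the path up to / and reports the first unsafe component. The function names are hypothetical and <code>stat -c</code> assumes GNU coreutils.<br />

```shell
#!/bin/sh
# Added example: verify that a directory is acceptable as an sshd ChrootDirectory.

# component_ok DIR OWNER_UID: status 0 when DIR is a directory owned by OWNER_UID
# and neither group-writable (020) nor world-writable (002).
component_ok() {
    [ -d "$1" ] || return 1
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "$2" ] || return 1
    # the leading 0 makes the shell read the mode as an octal constant
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# chroot_path_ok DIR OWNER_UID: check DIR and every parent up to /.
# Prints "ok" or the first offending component; OWNER_UID is 0 on a real server.
chroot_path_ok() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"
        return 1
    }
    while :; do
        if ! component_ok "$p" "$2"; then
            echo "unsafe component: $p"
            return 1
        fi
        if [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "ok"
}

# Usage: sh check_chroot.sh /home/someuser
if [ "$#" -ge 1 ]; then
    chroot_path_ok "$1" "${2:-0}"
fi
```

A failure here matches the case where the SFTP login is dropped right after authentication and sshd logs a complaint about ownership or modes of the chroot directory.<br />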
<br />
&nbsp;<br />
<br />
== ssh tunnels ==<br />
<br />
===Simple tunnel to port on remote host===<br />
<br />
ssh -L 1234:192.168.100.2:80 remotehost<br />
<br />
And then connect to localhost:1234<br />
<br />
&nbsp;<br />
<br />
===Simple reverse tunnel===<br />
Give a host access to port on system you're on:<br />
ssh -R 1234:localhost:22 you@the.other.host<br />
<br />
===Provide access to a server you can only reach from your desktop===<br />
Where '''S''' is the server you have firewall access on, and 192.168.150.223 the server you can only reach from office.<br />
ssh -R '''S''':1234:192.168.150.223:22 '''S'''<br />
Remember to enable '''GatewayPorts''' on '''S''' and to allow access to port 1234<br />
<br />
<br />
==Copy public key to authorized_keys==<br />
ssh-copy-id<br />
<br />
==Run command on another system==<br />
ssh remotehost 'some command'<br />
<br />
==Open ssh url in firefox==<br />
Create script ~/runssh<br />
#!/bin/bash<br />
# open ssh url<br />
url=$1<br />
protocol=${url//:*/}<br />
machine=${url//*:\/\//}<br />
machine=${machine%/}<br />
konsole -e "$protocol $machine"<br />
# or for gnome:<br />
#/usr/bin/gnome-terminal -e "$protocol $machine"<br />
In about:config set network.protocol-handler.app.ssh to ~/runssh<br />
<br />
<br />
==scp via intermediate host==<br />
scp -oProxyJump=intermediate thefile user@destination:/tmp<br />
<br />
= FAQ =<br />
==Server side==<br />
===key type ssh-rsa not in PubkeyAcceptedAlgorithms===<br />
PubkeyAcceptedKeyTypes +ssh-rsa<br />
<br />
<br />
==ssh multiplexing==<br />
https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection<br />
<br />
== remember key passphrase ==<br />
<br />
ssh-agent bash<br />
ssh-add ~/.ssh/id_rsa<br />
<br />
== root access from single host ==<br />
<br />
Match Address 192.168.1.100<br />
PermitRootLogin yes<br />
<br />
== multihop tunnel ==<br />
<br />
ssh -A -t -l user jump-host \<br />
-L 8080:localhost:8080 \<br />
ssh -A -t -l user webserver.dmz \<br />
-L 8080:localhost:8080<br />
<br />
OR<br />
in .ssh/config define<br />
Host targethost<br />
ProxyCommand ssh jumphost -W %h:%p<br />
and then just<br />
ssh -L 1234:<LAN address>:<port> targethost<br />
<br />
== SSH tunnel with putty ==<br />
<br />
[https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/ https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/]<br />
<br />
== Failed publickey ==<br />
<br />
*access rights? <br />
<br />
== 14: No supported authentication methods available [preauth] ==<br />
<br />
Putty not configured to look at correct private key?<br />
<br />
&nbsp;<br />
<br />
<br />
=== bind Cannot assign requested address ===<br />
<br />
Maybe try ssh -4, also check firewall<br />
<br />
== Unable to negotiate with 192.168.100.4 port 22: no matching cipher found. ==<br />
<br />
passing old cipher, like -o arcfour??<br />
<br />
==no matching host key type found. their offer: ssh-rsa==<br />
In your ~/.ssh/config try<br />
HostkeyAlgorithms +ssh-rsa<br />
and maybe<br />
PubkeyAcceptedAlgorithms +ssh-rsa<br />
<br />
in .ssh/config<br />
<br />
== rsync only as root ==<br />
<br />
== scp: no matching key exchange method found. ==<br />
<br />
scp seems to ignore .ssh/config, so use<br />
<br />
scp -o Ciphers=xxx<br />
<br />
&nbsp;<br />
<br />
== kex_exchange_identification: read: Connection reset by peer ==<br />
<br />
The only way to find out about that is to look on the server.<br />
<br />
== Reverse tunnel with autossh ==<br />
# https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open<br />
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server<br />
<br />
And in the.server:/etc/ssh/sshd_config<br />
<br />
GatewayPorts clientspecified<br />
<br />
to allow connecting to 10023 from outside<br />
<br />
As systemd service:<br />
In /etc/systemd/system/sshtunnel.service<br />
<br />
[Unit]<br />
Description=SSH Tunnel<br />
After=network.target<br />
<br />
[Service]<br />
Restart=always<br />
RestartSec=20<br />
User=root<br />
ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
==The RSA host key for host has changed==<br />
If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server<br />
<br />
<br />
== ssh require both key and user password ==<br />
In sshd_config<br />
AuthenticationMethods "publickey,password"<br />
# do not just set to no!<br />
#PasswordAuthentication yes<br />
<br />
== add your key to remote authorized_keys ==<br />
ssh-copy-id remotehost<br />
or, if not installed:<br />
cat ~/.ssh/id_rsa.pub | ssh remotehost "cat >> ~/.ssh/authorized_keys"<br />
<br />
== Show key fingerprint ==<br />
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub<br />
<br />
<br />
== SSH Client side ==<br />
===no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1===<br />
<br />
===kex_exchange_identification: banner line contains invalid characters===<br />
Sure you're talking to an ssh service?<br />
<br />
===ssh_exchange_identification: Connection closed by remote host===<br />
<br />
<br />
===Force password prompt===<br />
When using pubkey:<br />
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password<br />
<br />
<br />
==Permission denied (publickey).==<br />
Not much you can do on the client side; the server will probably have<br />
PasswordAuthentication no<br />
so find an allowed key</div>
Tony
https://wiki.dhits.nl/index.php?title=Yum&diff=8776
Yum
2024-03-07T12:53:06Z
<p>Tony: /* FAQ */</p>
<hr />
<div>=Links=<br />
*[https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/ How to use yum command on CentOS/RHEL]<br />
*[http://xmodulo.com/how-to-fix-yum-errors-on-centos-rhel-or-fedora.html Fix yum errors]<br />
*[https://www.thegeekdiary.com/centos-rhel-67-how-to-recover-an-interrupted-yum-package-installation/ Recover an interrupted yum package installation]<br />
<br />
<br />
=HOWTO=<br />
==Yum==<br />
===Exclude packages===<br />
In /etc/yum.conf:<br />
exclude=package1 package2<br />
=== Show installed packages ===<br />
<br />
yum list installed<br />
<br />
=== Show installed packages from epel ===<br />
<br />
yum list installed | grep @epel<br />
<br />
==Show active repositories==<br />
yum repolist<br />
or<br />
yum repolist enabled<br />
<br />
=== Disable repository ===<br />
<br />
yum-config-manager --disable reponame<br />
<br />
<br />
= FAQ =<br />
<br />
<br />
===Yum keeps trying '''Importing GPG key 0x51312F3F'''===<br />
yum clean all<br />
yum makecache<br />
<br />
<br />
===Exclamation marks?===<br />
Repository has expired metadata, try<br />
yum clean expire-cache<br />
<br />
== What provides a certain file ==<br />
<br />
yum whatprovides<br />
<br />
&nbsp;<br />
<br />
== Which package does a file belong to? ==<br />
<br />
rpm -qf /bin/bash<br />
<br />
&nbsp;<br />
<br />
== Which packages depend on a package ==<br />
<br />
??<br />
<br />
== what files depend on package?? ==<br />
<br />
repoquery --requires --resolve <package><br />
<br />
== Show dependencies for a package ==<br />
<br />
yum deplist <packagename><br />
<br />
=== Installed package x.y.z (from anaconda) not available ===<br />
<br />
Package not found on mirror<br />
<br />
== Check updates ==<br />
<br />
yum check-update -q<br />
<br />
== Check security updates ==<br />
<br />
HAHA GOTCHA! no security metadata on CentOS! There is for EPEL though. see [https://access.redhat.com/solutions/10021 https://access.redhat.com/solutions/10021] On CentOS 6 first install<br />
<br />
yum install yum-plugin-security<br />
<br />
yum list-security -q --errorlevel=0<br />
<br />
== Which repository is a package from? ==<br />
<br />
repoquery <packagename><br />
or perhaps better<br />
yum info packagename<br />
<br />
== Clear cache ==<br />
<br />
yum clean all<br />
<br />
or<br />
<br />
yum clean all --enablerepo='*'<br />
<br />
&nbsp;<br />
<br />
== List files from package ==<br />
rpm -ql packagename<br />
dnf repoquery -l somepackage<br />
<br />
== Updateinfo file is not valid XML ==<br />
<br />
remove yum-cron<br />
<br />
== Warning: RPMDB altered outside of yum. ==<br />
<br />
Happens when you install something using rpm, what usually works is:<br />
<br />
yum history sync<br />
<br />
&nbsp;<br />
<br />
== Not using downloaded remi/repomd.xml because it is older than what we have ==<br />
<br />
Try<br />
<br />
yum clean all<br />
<br />
&nbsp;<br />
<br />
<br />
<br />
== yum-daily ==<br />
<br />
==Yum error messages==<br />
<br />
=== Public key for *.rpm is not installed ===<br />
<br />
Some stuff to try:<br />
<br />
rpm --checksig -v /var/cache/yum/<channel-name>/packages/device-mapper-multipath-0.4.7-34.el5.x86_64.rpm<br />
rm -rfv /var/cache/yum/* <br />
yum clean all<br />
<br />
<br />
===75 packages excluded due to repository priority protections===<br />
Try<br />
yum list updates -d3<br />
<br />
===Error: rpmdb open failed===<br />
mkdir /tmp/rpm/<br />
mv /var/lib/rpm/__db* /tmp/rpm<br />
yum clean all<br />
and then try again:<br />
yum check-update<br />
<br />
<br />
=== Multilib version problems found ===<br />
Try<br />
package-cleanup --cleandupes<br />
Long version:<br />
yum clean all <br />
yum list all --showduplicates<br />
# NOTE: this one takes forever!<br />
yum check<br />
yum list all --showduplicates<br />
<br />
===/var/tmp/rpm-tmp.y7ZaM4: line 1: fg: no job control===<br />
Try<br />
rpm -e --noscripts <packagename></div>
Tony
https://wiki.dhits.nl/index.php?title=Git&diff=8775
Git
2024-03-07T10:53:27Z
<p>Tony: /* Documentation */</p>
<hr />
<div>=Links=<br />
*[http://git-scm.com/ Homepage]<br />
*[https://try.github.io Online git tutorial]<br />
*[https://www.atlassian.com/git/tutorials Git tutorial at atlassian]<br />
<br />
==Documentation==<br />
*[https://git-scm.com/book/en/v1/Getting-Started-First-Time-Git-Setup Getting Started in the Pro Git Book]<br />
*[https://www.inmotionhosting.com/support/website/git/setting-up-your-remote-repository-with-git/ Setting Up Your Remote Repository With Git]<br />
*[https://git-scm.com/book/uz/v2/Customizing-Git-Git-Attributes Dealing with binary files]<br />
*http://gitref.org/basic/<br />
*http://git-scm.com/book/en<br />
*https://www.atlassian.com/git/tutorials<br />
*http://thelucid.com/2008/12/02/git-setting-up-a-remote-repository-and-doing-an-initial-<br />
*[https://git-scm.com/book/en/v2/Git-Basics-Recording-Changes-to-the-Repository Recording Changes to the Repository]<br />
*[https://raymii.org/s/tutorials/Shared_Git_repository_via_ssh_for_multiple_users.html Shared Git repository over ssh for multiple users]<br />
<br />
=Cheat sheet=<br />
<br />
==Create repository on server==<br />
mkdir -p git/myproject<br />
cd git/myproject<br />
git init --bare<br />
<br />
<br />
==browse local repository==<br />
git ls-tree --full-tree -r HEAD<br />
<br />
==push as different user==<br />
check .git/config and replace username<br />
<br />
<br />
==Switch to particular branch==<br />
git branch -a<br />
git checkout remote/releases/6.4<br />
and to get back<br />
git checkout master<br />
or was it<br />
git checkout -<br />
<br />
= FAQ =<br />
==git pull==<br />
===You are not currently on a branch.===<br />
<br />
<br />
==Restore single file==<br />
Move the file away and<br />
git restore yourfile<br />
<br />
<br />
==git checkout==<br />
===error: pathspec 'master' did not match any file(s) known to git===<br />
If you get that from<br />
git checkout master<br />
try<br />
git checkout -<br />
<br />
<br />
<br />
==Automatic merge failed; fix conflicts and then commit the result.==<br />
<br />
Try<br />
git mergetool<br />
<br />
== error: src refspec master does not match any. ==<br />
<br />
ye well, screw you. you did something wrong!<br />
<br />
<br />
== error: Merging is not possible because you have unmerged files. ==<br />
<br />
This is not a joke!<br />
<br />
== fatal: cannot do a partial commit during a merge. ==<br />
<br />
git commit -i<br />
<br />
== error: Pulling is not possible because you have unmerged files ==<br />
<br />
== error: Your local changes to the following files would be overwritten by merge:==<br />
move the file away and try again?<br />
<br />
<br />
<br />
<br />
== list untracked files ==<br />
<br />
git status<br />
<br />
== Changes not staged for commit: ==<br />
<br />
File has to be added again<br />
<br />
<br />
== error: gpg failed to sign the data ==<br />
<br />
try<br />
<br />
GIT_TRACE=1 git commit ...<br />
<br />
and run the command it suggests<br />
<br />
but you probably forgot to<br />
<br />
git config --global user.signingkey XXXXX<br />
<br />
==You have divergent branches and need to specify how to reconcile them.==<br />
First try:<br />
git merge</div>
Tony
https://wiki.dhits.nl/index.php?title=Serial_console&diff=8774
Serial console
2024-03-06T09:46:43Z
<p>Tony: /* Enabling serial console */</p>
<hr />
<div><br />
*[http://0pointer.de/blog/projects/serial-console.html Serial and systemd] <br />
*[https://help.ubuntu.com/community/SerialConsoleHowto https://help.ubuntu.com/community/SerialConsoleHowto] <br />
<br />
=Enabling serial console=<br />
In /etc/default/grub append:<br />
GRUB_CMDLINE_LINUX="..... console=ttyS0,115200"<br />
<br />
and then<br />
==On Debioids==<br />
update-grub<br />
==On CentOS==<br />
grub2-mkconfig -o /boot/grub2/grub.cfg</div>
Tony
https://wiki.dhits.nl/index.php?title=Serial_console&diff=8773
Serial console
2024-03-06T09:45:56Z
<p>Tony: </p>
<hr />
<div><br />
*[http://0pointer.de/blog/projects/serial-console.html Serial and systemd] <br />
*[https://help.ubuntu.com/community/SerialConsoleHowto https://help.ubuntu.com/community/SerialConsoleHowto] <br />
<br />
=Enabling serial console=<br />
In /etc/default/grub set:<br />
GRUB_CMDLINE_LINUX="console=ttyS0,115200"<br />
<br />
and then<br />
==On Debioids==<br />
update-grub<br />
==On CentOS==<br />
grub2-mkconfig -o /boot/grub2/grub.cfg</div>
Tony
https://wiki.dhits.nl/index.php?title=Wget&diff=8772
Wget
2024-03-01T13:02:33Z
<p>Tony: /* FAQ */</p>
<hr />
<div>=HOWTO=<br />
==Mirror entire site==<br />
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent https://site-to-download.com<br />
<br />
<br />
=FAQ=<br />
==Will not follow any links on this page==<br />
Try '''-e robots=off'''<br />
==Output to stdout==<br />
wget -q -O - http://example.com</div>
Tony
https://wiki.dhits.nl/index.php?title=Elasticsearch&diff=8771
Elasticsearch
2024-03-01T12:59:54Z
<p>Tony: /* FAQ */</p>
<hr />
<div>=Links=<br />
<br />
<br />
<br />
<br />
=Documentation=<br />
==Configuration==<br />
*http://jprante.github.io/2012/11/28/Elasticsearch-Java-Virtual-Machine-settings-explained.html<br />
==Heap==<br />
*https://www.elastic.co/blog/a-heap-of-trouble<br />
==Garbage collection==<br />
*[https://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/geninfo/diagnos/garbage_collect.html Garbage collect]<br />
*[https://sematext.com/blog/java-garbage-collection/#how-does-java-garbage-collection-work Garbage collection]<br />
*[https://opster.com/guides/elasticsearch/capacity-planning/elasticsearch-heap-size-usage/ Elasticsearch Heap Size Usage and JVM Garbage Collection]<br />
<br />
Ideally:<br />
*Young GC is processed quickly (within 50 ms).<br />
*Young GC is not frequently executed (about 10 seconds).<br />
*Old GC is processed quickly (within 1 second).<br />
*Old GC is not frequently executed (once per 10 minutes or more).<br />
<br />
=HOWTO=<br />
==Adjust log rotation==<br />
Is done in '''/etc/elasticsearch/log4j.properties'''<br />
<br />
===Number of logfiles to keep===<br />
appender.rolling.strategy.max <br />
<br />
=Monitoring elasticsearch=<br />
<br />
== Things to monitor ==<br />
=== heap size ===<br />
*node jvm.mem.heap_used_percent<br />
<br />
=== garbage collection ===<br />
Something like<br />
node.jvm.uptime_in_millis/node.jvm.gc.collectors.young.collection_count<br />
<br />
*[https://www.datadoghq.com/blog/monitor-elasticsearch-performance-metrics/ How to monitor Elasticsearch performance]<br />
*[https://sematext.com/blog/top-10-elasticsearch-metrics-to-watch/ Top 10 Elasticsearch Metrics to Monitor]<br />
*[https://www.datadoghq.com/blog/monitor-elasticsearch-performance-metrics/#key-elasticsearch-performance-metrics-to-monitor Performance metrics to monitor]<br />
*[https://opster.com/guides/elasticsearch/capacity-planning/elasticsearch-heap-size-usage/ Heap Size Usage]<br />
<br />
==Query the web interface==<br />
*'cluster': 'http://localhost:9200/_cluster/stats',<br />
* 'nodes' : 'http://localhost:9200/_nodes/stats',<br />
* 'indices': 'http://localhost:9200/_stats',<br />
* 'health' : 'http://localhost:9200/_cluster/health'<br />
<br />
=Installing Elasticsearch=<br />
==On Debian==<br />
deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main<br />
package is called elasticsearch-oss now?<br />
<br />
=Terminology=<br />
==shards==<br />
"blocks" of index data distributed over the nodes<br />
<br />
==Percolation==<br />
https://spinscale.de/posts/2021-09-15-understanding-elasticsearch-percolate-query.html<br />
<br />
<br />
==now throttling indexing for shard: segment writing can't keep up==<br />
*[https://opster.com/analysis/elasticsearch-now-throttling-indexing-for-shard-segment-writing-can-t-keep-up/ one doc about this]<br />
<br />
=FAQ=<br />
==Status is yellow==<br />
*[http://chrissimpson.co.uk/elasticsearch-yellow-cluster-status-explained.html Yellow cluster status explained]<br />
and look for [https://www.datadoghq.com/blog/elasticsearch-unassigned-shards/ unassigned shards]<br />
<br />
==Update ingest-attachment==<br />
/usr/share/elasticsearch/bin/elasticsearch-plugin remove ingest-attachment<br />
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-attachment<br />
<br />
<br />
==Get version of active elasticsearch==<br />
wget -q -O - http://localhost:9200/_cluster/stats</div>
Tony
https://wiki.dhits.nl/index.php?title=Cargo&diff=8770
Cargo
2024-03-01T12:59:13Z
<p>Tony: </p>
<hr />
<div>Rust thing<br />
<br />
=Links=<br />
*[https://opensource.com/article/20/3/rust-cargo Getting started with the Rust package manager, Cargo]<br />
<br />
=FAQ=<br />
==this version of Cargo is older than the `2021` edition, and only supports `2015` and `2018` editions.==<br />
TODO</div>
Tony
https://wiki.dhits.nl/index.php?title=Openssl&diff=8769
Openssl
2024-03-01T09:12:49Z
<p>Tony: /* HOWTO */</p>
<hr />
<div>=Links=<br />
*[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate]<br />
*[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL config generator]<br />
*[http://www.openssl.org/ openssl homepage]<br />
*[http://gagravarr.org/writing/openssl-certs/index.shtml http://gagravarr.org/writing/openssl-certs/index.shtml]<br />
<br />
<br />
<br />
= Tools =<br />
*openssl<br />
*sslscan <br />
*sclient<br />
*[[gnutls-cli]]<br />
<br />
= Documentation and HOWTOs =<br />
<br />
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] <br />
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL] <br />
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work] <br />
*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority] <br />
*[http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html] <br />
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO] <br />
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO] <br />
*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only] <br />
*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation] <br />
*[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html] <br />
*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right] <br />
*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain] <br />
*[https://whatsmychaincert.com What is my certificate chain?]<br />
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]<br />
<br />
*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples]<br />
=== Dovecot and ssl ===<br />
<br />
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)<br />
<br />
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem<br />
<br />
<br />
In dovecot.conf:<br />
<br />
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt<br />
ssl_key_file = /usr/local/etc/myserver.key<br />
#optional, only if you want to require client to provide cert<br />
#ssl_ca_file = /usr/local/etc/intermediate.pem<br />
<br />
== Courier-imap and ssl ==<br />
<br />
*[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL] <br />
*[http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/ http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/] <br />
<br />
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)<br />
<br />
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem<br />
cat myserver.key >> IMAP.EXAMPLE.COM.crt<br />
<br />
In imapd-ssl:<br />
<br />
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt<br />
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem<br />
<br />
== Network Solutions certificates bundle ==<br />
<br />
See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/]<br />
<br />
cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt<br />
<br />
=== Comodo bundle order ===<br />
<br />
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )<br />
<br />
=== Generate a signing request ===<br />
<br />
openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr<br />
<br />
The resulting my.domain.csr is the signing request; my.domain.key is the private key, which you must save so that it is not readable by anyone but root!<br />
<br />
= HOWTO =<br />
<br />
===Generate PSK ===<br />
openssl rand -hex 32<br />
<br />
===Converting certificates===<br />
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key<br />
<br />
=== Create private key (using config file) ===<br />
<br />
openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key<br />
<br />
=== Create CSR using config file ===<br />
<br />
openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr<br />
<br />
=== Convert der to pem ===<br />
<br />
openssl x509 -inform der -in certificate.cer -out certificate.pem<br />
<br />
=== Creating CSR for multiple hosts ===<br />
<br />
For example [http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html]<br />
<br />
=== Remove password from private key ===<br />
<br />
[https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase]<br />
<br />
=== Examining certificates ===<br />
<br />
*[http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard] <br />
<br />
openssl verify cert.pem<br />
<br />
openssl x509 -in cacert.pem -noout -text<br />
openssl x509 -in foo.pem -inform pem -noout -text <br />
<br />
openssl rsa -noout -text -in server.key<br />
openssl req -noout -text -in server.csr<br />
openssl rsa -noout -text -in ca.key<br />
openssl x509 -noout -text -in ca.crt<br />
<br />
with expiration date:<br />
<br />
openssl x509 -noout -text -enddate -in ca.crt<br />
<br />
#to check CN <br />
<br />
openssl x509 -in server.crt -noout -subject<br />
<br />
openssl pkcs12 -info -in keyStore.p12<br />
openssl pkcs12 -info -in keyStore.pfx<br />
<br />
<br />
<br />
=== Checking a service ===<br />
<br />
#Note -CApath should point to your local collection of public CA certs <br />
<br />
openssl s_client -connect host:pop3 -CApath /etc/ssl/certs -starttls pop3<br />
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit<br />
openssl s_client -connect imap.example.com:143 -starttls imap<br />
openssl s_client -connect web.server:443 -showcerts<br />
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com<br />
<br />
Just check expiration date:<br />
<br />
openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates<br />
<br />
<br />
=== Check your site ===<br />
<br />
*[https://www.ssllabs.com/ssltest https://www.ssllabs.com/ssltest] <br />
*[https://www.sslcheck.nl/ https://www.sslcheck.nl/] <br />
<br />
<br />
===gnutls-cli ===<br />
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status<br />
echo quit | gnutls-cli --port 465 servac.skk | grep Status<br />
<br />
=== check if certs match ===<br />
<br />
TODO: -crl_check too<br />
<br />
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum <br />
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum <br />
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum<br />
<br />
These values should match. Also:<br />
<br />
openssl verify -CAfile ca-bundle foo_bar.crt<br />
<br />
A script to do these checks: [https://www.tuxick.net/sslcheck sslcheck]<br />
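The three fingerprint commands above hash empty input when openssl cannot read a file, so two unreadable files appear to match. An added example (not from the original page and not the linked sslcheck script) that guards against this and adds the expiry and -CAfile checks; the function names are made up here.<br />

```shell
#!/bin/sh
# Added example: checks to run on a key / certificate / CSR set before deploying it.
# All function names are made up for this example.

# Print the SHA-256 of the public key inside a PEM file.
# usage: pubkey_sha256 key|cert|csr FILE
# Fails (and prints nothing) when openssl cannot read the file. Hashing the
# empty output instead would make two unreadable files look like a match.
pubkey_sha256() {
    case "$1" in
        key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) _pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1 ;;
        csr)  _pem=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$_pem" ] || return 1
    printf '%s\n' "$_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# usage: keypair_matches KEY CERT [CSR]
# returns 0 = same public key everywhere, 1 = mismatch, 2 = a file is unreadable
keypair_matches() {
    _k=$(pubkey_sha256 key "$1")  || { echo "cannot read key: $1" >&2; return 2; }
    _c=$(pubkey_sha256 cert "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    [ "$_k" = "$_c" ] || return 1
    if [ -n "${3:-}" ]; then
        _r=$(pubkey_sha256 csr "$3") || { echo "cannot read CSR: $3" >&2; return 2; }
        [ "$_k" = "$_r" ] || return 1
    fi
    return 0
}

# usage: cert_valid_for CERT DAYS
# returns 0 if the certificate is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# usage: check_cert_set KEY CERT MIN_DAYS [CA_BUNDLE]
# Prints one line per check; returns non-zero if any check fails.
check_cert_set() {
    _rc=0
    if keypair_matches "$1" "$2"; then
        echo "OK   key matches certificate"
    else
        echo "FAIL key does not match certificate (or a file is unreadable)"
        _rc=1
    fi
    if cert_valid_for "$2" "$3"; then
        echo "OK   certificate valid for at least $3 more days"
    else
        echo "FAIL certificate expires within $3 days (or is unreadable)"
        _rc=1
    fi
    if [ -n "${4:-}" ]; then
        if openssl verify -CAfile "$4" "$2" >/dev/null 2>&1; then
            echo "OK   certificate verifies against $4"
        else
            echo "FAIL certificate does not verify against $4"
            _rc=1
        fi
    fi
    return "$_rc"
}

# Run the checks when called with arguments, e.g.:
#   sh thisfile privateKey.key certificate.crt 30 ca-bundle
if [ "$#" -ge 3 ]; then
    check_cert_set "$@"
fi
```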
<br />
=== Creating your own CA and signing with it===<br />
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)<br />
<br />
cd /etc/ssl<br />
mkdir newcerts<br />
(perform secret rituals)<br />
<br />
<br />
=== Check which ciphers and tls versions your openssl supports===<br />
openssl ciphers -v<br />
<br />
= FAQ =<br />
==Error messages==<br />
===OpenSSL: error:0A000102:SSL routines::unsupported protocol===<br />
This could be because you're trying to use an older version of TLS; check '''openssl.cnf''' for<br />
CipherString = DEFAULT:@SECLEVEL=2<br />
which means it enforces a minimum of TLSv1.2<br />
<br />
You might now get<br />
===OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled===<br />
in which case, add this below the CipherString line:<br />
Options = UnsafeLegacyRenegotiation<br />
<br />
==Get issuer==<br />
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer<br />
== Order of certificates in bundle==<br />
Root CA comes last<br />
<br />
<br />
== using s_client ==<br />
<br />
=== no client certificate sent ===<br />
<br />
try adding -cert<br />
<br />
<br />
=== Secure Renegotiation IS NOT supported ===<br />
<br />
Probably using wrong TLS version<br />
<br />
=== Can't use SSL_get_servername ===<br />
<br />
Try using hostname instead of IP address<br />
<br />
=== write:errno=104 ===<br />
<br />
server reset the connection<br />
<br />
===no peer certificate available===<br />
Could be trying to talk tls to ssl?<br />
<br />
== unable to load client certificate private key file ==<br />
<br />
== Verification error: unable to verify the first certificate ==<br />
<br />
Problem: missing CA cert<br />
<br />
== error 20 at 0 depth lookup: unable to get local issuer certificate ==<br />
<br />
You probably need to provide the right -CAfile; maybe the certificate is self-signed?<br />
<br />
<br />
== Verify return code: 21 (unable to verify the first certificate) ==<br />
<br />
Probably requires bundle<br />
<br />
<br />
== Bad certificate (code 42) ==<br />
<br />
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.<br />
<br />
<br />
== check certificate chain ==<br />
<br />
openssl s_client -connect www.example.com:443 -showcerts<br />
<br />
<br />
<br />
=== Some of the output ===<br />
<br />
Certificate chain<br />
<br />
0 s:CN = foo.local<br />
i:CN = foo.local-CA<br />
<br />
0: first in chain<br />
<br />
s: subject ( openssl x509 -noout -in foo.crt -subject )<br />
<br />
i: issuer ( openssl x509 -noout -in foo.crt -issuer )<br />
<br />
<br />
OR<br />
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}' <br />
or<br />
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 -starttls ldap < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'<br />
<br />
== check expiration date ==<br />
<br />
echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates<br />
<br />
<br />
<br />
openssl x509 -enddate -noout -in file.pem<br />
<br />
== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==<br />
<br />
I've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines<br />
<br />
or a file is in DER format<br />
<br />
== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line ==<br />
<br />
??<br />
<br />
<br />
== check if webserver supports old tls ==<br />
<br />
openssl s_client -connect www.example.com:443 -tls1<br />
openssl s_client -connect www.example.com:443 -tls1_1<br />
<br />
or when vhost:<br />
<br />
openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1<br />
<br />
<br />
== ERROR: Certificate verification: Not trusted ==<br />
<br />
seems to be an lftp issue<br />
<br />
== unsupported certificate purpose ==<br />
<br />
??<br />
<br />
<br />
== ssllabs checks ==<br />
<br />
=== Chain issues: Incorrect order, Contains anchor ===<br />
<br />
Could be the topmost cert in the bundle provided, try removing it<br />
<br />
<br />
=== Chain issues: Contains anchor ===<br />
<br />
Seems to mean there's a root ca in the bundle<br />
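Both chain issues can be checked locally by comparing each certificate's issuer (the i: line in s_client output) with the subject (s:) of the next certificate in the bundle. An added example, not from the original page; the function names are made up and the bundle is assumed to be PEM with the server certificate first.<br />

```shell
#!/bin/sh
# Added example: check the order of a PEM bundle (server certificate first, root last).
# Function names are made up for this example.

# Print "subject<TAB>issuer" for every certificate in bundle $1, in file order.
bundle_names() {
    _dir=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for _f in "$_dir"/*.pem; do
        [ -f "$_f" ] || continue
        _s=$(openssl x509 -in "$_f" -noout -subject -nameopt RFC2253) || { rm -rf "$_dir"; return 2; }
        _i=$(openssl x509 -in "$_f" -noout -issuer -nameopt RFC2253)  || { rm -rf "$_dir"; return 2; }
        # Drop the leading "subject=" / "issuer=" label before comparing names.
        printf '%s\t%s\n' "${_s#*=}" "${_i#*=}"
    done
    rm -rf "$_dir"
}

# Print one line per finding, numbering certificates from 0 as s_client does.
# returns 0 = order is correct (a trailing self-signed root is reported as a note)
#         1 = incorrect order
#         2 = no certificates found
bundle_order_issues() {
    bundle_names "$1" | awk -F '\t' '
        { subj[NR] = $1; iss[NR] = $2 }
        END {
            if (NR == 0) { print "no certificates found"; exit 2 }
            bad = 0
            for (i = 1; i < NR; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "incorrect order: issuer of cert %d is not the subject of cert %d\n", i - 1, i
                    bad = 1
                }
            # A self-signed last certificate is the root: clients already have
            # it in their trust store, so sending it is what "Contains anchor" flags.
            if (NR > 1 && subj[NR] == iss[NR])
                printf "contains anchor: cert %d (%s) is self-signed\n", NR - 1, subj[NR]
            exit bad
        }'
}

# Run the check when called with a bundle file, e.g.:  sh thisfile intermediate.pem
if [ "$#" -ge 1 ]; then
    bundle_order_issues "$1"
fi
```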
<br />
== check smtp submission ==<br />
<br />
echo -n "username" | base64<br />
echo -n "password" | base64<br />
<br />
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf<br />
<br />
EHLO foo.bar<br />
AUTH LOGIN<br />
<br />
base64username<br />
<br />
base64password<br />
<br />
OR<br />
<br />
echo -ne '\0username\0password'| base64<br />
AUTH PLAIN output_of_that_echo<br />
<br />
===Peer's Certificate issuer is not recognized.===<br />
<br />
=p12 / pkcs12=<br />
https://fileinfo.com/extension/p12<br />
<br />
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem<br />
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem<br />
<br />
<br />
<br />
===server certificate does NOT include an ID which matches the server name===<br />
todo</div>
Tony
https://wiki.dhits.nl/index.php?title=DNS&diff=8768
DNS
2024-02-28T11:03:05Z
<p>Tony: /* Tools */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[http://www.oreilly.com/catalog/dns4/toc.html The O'Reilly Bind Book] <br />
*[http://en.tldp.org/HOWTO/DNS-HOWTO.html DNS Howto] <br />
*[http://www.dnsreport.com DNS Check] <br />
*[http://www.dns.net/dnsrd/ http://www.dns.net/dnsrd/] <br />
*[http://www.madboa.com/geek/dig/ Dig HOWTO] <br />
*[http://www.dns.net/dnsrd/trick.html DNS tips&tricks] <br />
*[https://www.dns-oarc.net/oarc/services/dnsentropy DNS entropy] <br />
*[https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns Configuring reverse dns] <br />
*[https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch09_04.htm DNS subdomains]<br />
*[https://dnsinstitute.com/documentation/dnssec-guide/ch03s05.html What's EDNS All About (And Why Should I Care)?]<br />
<br />
==DNS checks==<br />
*[http://www.webdnstools.com/dnstools/domain_check Domain Check]<br />
*[https://mxtoolbox.com/dnscheck.aspx mxtoolbox dns check]<br />
*[https://dnsviz.net/ dnsviz]<br />
<br />
=Documentation=<br />
==Zone files==<br />
*[https://arstechnica.com/gadgets/2020/08/understanding-dns-anatomy-of-a-bind-zone-file/ Anatomy of a bind zone file]<br />
==Glue records==<br />
*[https://ns1.com/blog/glue-records-and-dedicated-dns Glue Records and Dedicated DNS]<br />
<br />
= Software =<br />
<br />
== BIND ==<br />
<br />
*[http://www.vix.com/isc/bind/ Bind homepage] <br />
<br />
== Maradns ==<br />
<br />
A nice caching DNS.<br />
<br />
*[http://www.maradns.org/ http://www.maradns.org/]<br />
<br />
= Tools =<br />
==dnstop==<br />
Show what is being looked up<br />
dnstop -l 3 eth0<br />
and then hit '''3'''<br />
*[[Dig]]<br />
*dnsping<br />
*dnsdiag<br />
*[https://dnsviz.net dnsviz]<br />
<br />
= FAQ =<br />
<br />
== Get hints file ==<br />
<br />
dig @m.root-servers.net. ns .<br />
<br />
== Find server handling reverse ==<br />
<br />
dig -x 10.11.12.13<br />
<br />
== Wildcard record ==<br />
<br />
;seems unwise to use CNAMES for this<br />
@ IN A 10.0.0.1<br />
* IN A 10.0.0.1<br />
<br />
<br />
== DNS amplification test ==<br />
<br />
dig +short +tries=1 +time=2 test.openresolver.com TXT @$ip<br />
<br />
<br />
==Local NS list does not match Parent NS list==<br />
Probably a slave/secondary server out of sync<br />
<br />
= Terms =<br />
<br />
== SOA ==<br />
<br />
Start Of Authority<br />
<br />
*[https://bobcares.com/blog/understanding-soa-records/ Understanding SOA records]<br />
<br />
[[Category:Networking]]</div>
Tony
https://wiki.dhits.nl/index.php?title=DNS&diff=8767
DNS
2024-02-28T11:01:20Z
<p>Tony: /* Tools */</p>
<hr />
<div><br />
= Links =<br />
<br />
*[http://www.oreilly.com/catalog/dns4/toc.html The O'Reilly Bind Book] <br />
*[http://en.tldp.org/HOWTO/DNS-HOWTO.html DNS Howto] <br />
*[http://www.dnsreport.com DNS Check] <br />
*[http://www.dns.net/dnsrd/ http://www.dns.net/dnsrd/] <br />
*[http://www.madboa.com/geek/dig/ Dig HOWTO] <br />
*[http://www.dns.net/dnsrd/trick.html DNS tips&tricks] <br />
*[https://www.dns-oarc.net/oarc/services/dnsentropy DNS entropy] <br />
*[https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns Configuring reverse dns] <br />
*[https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch09_04.htm DNS subdomains]<br />
*[https://dnsinstitute.com/documentation/dnssec-guide/ch03s05.html What's EDNS All About (And Why Should I Care)?]<br />
<br />
==DNS checks==<br />
*[http://www.webdnstools.com/dnstools/domain_check Domain Check]<br />
*[https://mxtoolbox.com/dnscheck.aspx mxtoolbox dns check]<br />
*[https://dnsviz.net/ dnsviz]<br />
<br />
=Documentation=<br />
==Zone files==<br />
*[https://arstechnica.com/gadgets/2020/08/understanding-dns-anatomy-of-a-bind-zone-file/ Anatomy of a bind zone file]<br />
==Glue records==<br />
*[https://ns1.com/blog/glue-records-and-dedicated-dns Glue Records and Dedicated DNS]<br />
<br />
= Software =<br />
<br />
== BIND ==<br />
<br />
*[http://www.vix.com/isc/bind/ Bind homepage] <br />
<br />
== Maradns ==<br />
<br />
A nice caching DNS.<br />
<br />
*[http://www.maradns.org/ http://www.maradns.org/]<br />
<br />
= Tools =<br />
==dnstop==<br />
Show what is being looked up<br />
dnstop -l 3 eth0<br />
and then hit '''3'''<br />
*[[Dig]]<br />
*dnsping<br />
*dnsdiag<br />
*dnsviz<br />
<br />
= FAQ =<br />
<br />
== Get hints file ==<br />
<br />
dig @m.root-servers.net. ns .<br />
<br />
== Find server handling reverse ==<br />
<br />
dig -x 10.11.12.13<br />
<br />
== Wildcard record ==<br />
<br />
;seems unwise to use CNAMES for this<br />
@ IN A 10.0.0.1<br />
* IN A 10.0.0.1<br />
<br />
<br />
== DNS amplification test ==<br />
<br />
dig +short +tries=1 +time=2 test.openresolver.com TXT @$ip<br />
<br />
<br />
==Local NS list does not match Parent NS list==<br />
Probably a slave/secondary server out of sync<br />
<br />
= Terms =<br />
<br />
== SOA ==<br />
<br />
Start Of Authority<br />
<br />
*[https://bobcares.com/blog/understanding-soa-records/ Understanding SOA records]<br />
<br />
[[Category:Networking]]</div>
Tony
https://wiki.dhits.nl/index.php?title=Ansible_snippets&diff=8766
Ansible snippets
2024-02-26T15:27:17Z
<p>Tony: /* Comment out a line */</p>
<hr />
<div>=Systemd=<br />
==Randomize timer==<br />
Create '''/var/ansible/files/systemd/fstrim.conf'''<br />
[Timer]<br />
RandomizedDelaySec=3h<br />
<br />
'''Playbook''': <br />
<br />
 tasks:<br />
<br />
   - name: check if /etc/systemd/system/fstrim.timer.d/ exists<br />
     stat:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
     register: override_dir<br />
<br />
   - name: create /etc/systemd/system/fstrim.timer.d/<br />
     file:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
       state: directory<br />
     when: override_dir.stat.exists == False<br />
<br />
   - name: add fstrim.timer override<br />
     copy:<br />
       src: /var/ansible/files/systemd/fstrim.conf<br />
       dest: /etc/systemd/system/fstrim.timer.d/override.conf<br />
     notify: daemon-reload<br />
<br />
 handlers:<br />
<br />
   - name: daemon-reload<br />
     systemd:<br />
       daemon_reload: yes<br />
<br />
=Lineinfile=<br />
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html Lininfile documentation]<br />
<br />
==Quoting fun with lineinfile regex==<br />
 - name: fix the needrestart config<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     regexp: '^#\$nrconf{restart}'<br />
     line: '$nrconf{restart} = '&#39;a&#39;&#39;;'<br />
   when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '22'<br />
<br />
==Comment out a line==<br />
 - name: comment out a line<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     backrefs: true<br />
     regexp: '^(foo.*)'<br />
     line: '# \1'<br />
<br />
=Files=<br />
==Check if a file exists==<br />
 - name: check for a file<br />
   stat:<br />
     path: /etc/fstab<br />
   register: fstab<br />
<br />
 - name: print message if exists<br />
   ansible.builtin.debug:<br />
     msg: "File /etc/fstab exists"<br />
   when: fstab.stat.exists<br />
<br />
=Check if a command exists=<br />
 - name: check if mysqld is installed<br />
   shell: which mysqld > /dev/null 2>&1 <br />
   ignore_errors: true<br />
   changed_when: false<br />
   register: mysqld<br />
   failed_when: mysqld.rc == 2</div>
Tony
https://wiki.dhits.nl/index.php?title=Ansible_snippets&diff=8765
Ansible snippets
2024-02-26T15:06:35Z
<p>Tony: /* Lineinfile */</p>
<hr />
<div>=Systemd=<br />
==Randomize timer==<br />
Create '''/var/ansible/files/systemd/fstrim.conf'''<br />
[Timer]<br />
RandomizedDelaySec=3h<br />
<br />
'''Playbook''': <br />
<br />
 tasks:<br />
<br />
   - name: check if /etc/systemd/system/fstrim.timer.d/ exists<br />
     stat:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
     register: override_dir<br />
<br />
   - name: create /etc/systemd/system/fstrim.timer.d/<br />
     file:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
       state: directory<br />
     when: override_dir.stat.exists == False<br />
<br />
   - name: add fstrim.timer override<br />
     copy:<br />
       src: /var/ansible/files/systemd/fstrim.conf<br />
       dest: /etc/systemd/system/fstrim.timer.d/override.conf<br />
     notify: daemon-reload<br />
<br />
 handlers:<br />
<br />
   - name: daemon-reload<br />
     systemd:<br />
       daemon_reload: yes<br />
<br />
=Lineinfile=<br />
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html Lininfile documentation]<br />
<br />
==Quoting fun with lineinfile regex==<br />
 - name: fix the needrestart config<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     regexp: '^#\$nrconf{restart}'<br />
     line: '$nrconf{restart} = '&#39;a&#39;&#39;;'<br />
   when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '22'<br />
<br />
==Comment out a line==<br />
 - name: comment out a line<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     backrefs: true<br />
     regexp: '^(foo.*)'<br />
     line: '# \1'<br />
<br />
=Files=<br />
==Check if a file exists==<br />
 - name: check for a file<br />
   stat:<br />
     path: /etc/fstab<br />
   register: fstab<br />
<br />
 - name: print message if exists<br />
   ansible.builtin.debug:<br />
     msg: "File /etc/fstab exists"<br />
   when: fstab.stat.exists<br />
<br />
=Check if a command exists=<br />
 - name: check if mysqld is installed<br />
   shell: which mysqld > /dev/null 2>&1 <br />
   ignore_errors: true<br />
   changed_when: false<br />
   register: mysqld<br />
   failed_when: mysqld.rc == 2</div>
Tony
https://wiki.dhits.nl/index.php?title=Ubuntu&diff=8764
Ubuntu
2024-02-26T14:46:54Z
<p>Tony: /* FAQ */</p>
<hr />
<div><br />
<br />
= Links =<br />
<br />
*[http://ubuntu.com http://ubuntu.com] <br />
*https://linuxize.com/post/how-to-add-apt-repository-in-ubuntu/<br />
<br />
= Installation =<br />
*[https://ubuntu.com/server/docs/install/netboot-amd64 Ubuntu Netboot/PXE installation]<br />
<br />
== Ubuntu 20.04 LTS ==<br />
<br />
=== Storage configuration ===<br />
<br />
First create a boot partition!<br />
<br />
Remember to umount cdrom before rebooting<br />
<br />
<br />
<br />
<br />
== Automatic install ==<br />
<br />
*[https://ubuntu.com/server/docs/install/autoinstall https://ubuntu.com/server/docs/install/autoinstall] <br />
*[https://tlhakhan.medium.com/ubuntu-server-20-04-autoinstall-2e5f772b655a Ubuntu Server 20.04 autoinstall] <br />
*[https://louwrentius.com/understanding-the-ubuntu-2004-lts-server-autoinstaller.html Understanding the Ubuntu 20.04 LTS Server Autoinstaller] <br />
*[https://discourse.ubuntu.com/t/please-test-autoinstalls-for-20-04/15250/166 Discourse - Please test autoinstalls for 20.04] <br />
*[https://cloudinit.readthedocs.io/en/latest/topics/examples.html Cloudconfig examples]<br />
<br />
=== Snags ===<br />
<br />
= HOWTO =<br />
== Change nameservers ==<br />
===If using systemd-resolved===<br />
Show nameservers<br />
resolvectl status<br />
Edit /etc/netplan/00-installer-config.yaml<br />
netplan apply<br />
<br />
= FAQ =<br />
==Installing Ubuntu==<br />
https://ubuntu.com/server/docs/install/storage<br />
===Select a boot disk===<br />
<br />
==Set timezone==<br />
dpkg-reconfigure tzdata<br />
<br />
== Get ubuntu version ==<br />
<br />
cat /etc/lsb-release<br />
<br />
==The repository 'http://packages.ros.org/ros/ubuntu cosmic Release' does not have a Release file.==<br />
Switch the repository paths to old-releases.ubuntu.com<br />
== disable ipv6 ==<br />
<br />
sysctl:<br />
<br />
net.ipv6.conf.default.disable_ipv6=1<br />
net.ipv6.conf.all.disable_ipv6=1<br />
<br />
== changing locale ==<br />
<br />
/etc/default/locale<br />
<br />
locale-gen<br />
<br />
dpkg-reconfigure keyboard-configuration<br />
<br />
setupcon<br />
<br />
loadkeys us<br />
<br />
and lots more<br />
<br />
<br />
== mail: command not found ==<br />
<br />
install heirloom-mailx<br />
<br />
OR<br />
<br />
install mailutils<br />
<br />
REMEMBER: to fix sender domain<br />
<br />
create /etc/mailutils.conf containing<br />
<br />
address {<br />
email-domain yourdom.ain;<br />
};<br />
<br />
and check out<br />
<br />
mail --config-help<br />
<br />
== failed unmounting /var ==<br />
<br />
ignore it? it's a journald issue<br />
<br />
== multipathd[667]: sda: failed to get sgio uid: No such file or directory ==<br />
<br />
Seems to be a VMware setting: disk.EnableUUID = true<br />
<br />
CHECK!<br />
<br />
==The following signatures couldn't be verified because the public key is not available:==<br />
gpg --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906<br />
<br />
<br />
==Upgrade to 22.04 (impish Release no longer has a Release file)==<br />
That sucks, now what?<br />
Check https://help.ubuntu.com/community/EOLUpgrades<br />
<br />
When apt-get update fails, set your repositories to old-releases.ubuntu.com<br />
<br />
<br />
==Upgrades to the development release are only available from the latest supported release==<br />
More obscure mess. Check https://linuxconfig.org/how-to-upgrade-ubuntu-to-20-04-lts-focal-fossa<br />
<br />
<br />
==Not all translations for this language are installed. Use the Install Missing Packages button to download and install all missing packages==<br />
<br />
Instead of trying to find that mysterious button, try<br />
check-language-support<br />
which will list missing packages<br />
<br />
==Release file not valid yet==<br />
Mirror not up to date?</div>
Tony
https://wiki.dhits.nl/index.php?title=Openvpn&diff=8763
Openvpn
2024-02-26T09:51:05Z
<p>Tony: /* HOWTO */</p>
<hr />
<div>*http://www.openvpn.net/<br />
*[http://openvpn.net/INSTALL-win32.html Openvpn on windows]<br />
*[http://forums.gentoo.org/viewtopic.php?t=233080 Openvpn howto]<br />
*[https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/ Fixing MTU settings for Openvpn]<br />
<br />
=HOWTO=<br />
==Using easyrsa==<br />
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto<br />
===Revoke certificate===<br />
https://openvpn.net/community-resources/revoking-certificates/<br />
<br />
If you don't want to restart openvpn after revoking a cert add to server config:<br />
crl-verify crl.pem <br />
<br />
./easyrsa revoke someclient<br />
./easyrsa gen-crl <br />
<br />
Check crl<br />
openssl crl -in pki/crl.pem -noout -text<br />
<br />
Check the serial numbers of the revoked certs<br />
grep ^R pki/index.txt<br />
<br />
You might need to copy crl.pem to /etc/openvpn/<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn<br />
<br />
===Renew expiry dates using easyrsa===<br />
./easyrsa gen-crl<br />
and most likely<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/<br />
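Once the CRL's <code>nextUpdate</code> time passes, clients are rejected with the <code>CRL has expired</code> error listed in the FAQ, so it helps to check the date ahead of time. The script below is an added example, not part of the original wiki; it assumes GNU <code>date</code>, and <code>WARN_DAYS</code> and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: report how close the OpenVPN CRL is to expiring.
# Assumptions: GNU date (for -d); WARN_DAYS is a hypothetical setting.

# crl_status LINE NOW WARN_DAYS
#   LINE      output of `openssl crl -noout -nextupdate`,
#             e.g. "nextUpdate=Aug 24 09:50:35 2024 GMT"
#   NOW       current time in epoch seconds
#   WARN_DAYS report "renew" when this many days or fewer remain
# Prints one of: ok, renew, expired, unparseable.
crl_status() {
    next_update=${1#nextUpdate=}
    expiry=$(date -u -d "$next_update" +%s 2>/dev/null) || {
        echo unparseable
        return 2
    }
    left=$(( expiry - $2 ))
    if [ "$left" -le 0 ]; then
        echo expired
    elif [ "$left" -le $(( $3 * 86400 )) ]; then
        echo renew
    else
        echo ok
    fi
}

# check_crl FILE: run the check against a CRL on disk.
check_crl() {
    line=$(openssl crl -in "$1" -noout -nextupdate) || return 2
    crl_status "$line" "$(date +%s)" "${WARN_DAYS:-30}"
}

# Stand-alone use: ./crl-check.sh /etc/openvpn/crl.pem
if [ "$#" -gt 0 ]; then
    check_crl "$1"
fi
```

When it prints <code>renew</code> or <code>expired</code>, run <code>./easyrsa gen-crl</code> and copy the new crl.pem to /etc/openvpn/ as described above.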
<br />
==Push DNS to linux clients==<br />
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/<br />
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf <br />
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf<br />
<br />
<br />
==Openvpn and systemd==<br />
https://ubuntu.com/server/docs/service-openvpn<br />
<br />
<br />
==Update crl==<br />
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf<br />
<br />
=FAQ=<br />
==NOTE: FlushIpNetTable failed on interface==<br />
This happens on windows, ignore it.<br />
<br />
<br />
==TLS Error: local/remote TLS keys are out of sync==<br />
First give it some time<br />
<br />
<br />
==WARNING: 'link-mtu' is used inconsistently==<br />
?<br />
<br />
==VERIFY ERROR: depth=0, error=CRL has expired==<br />
easyrsa gen-crl<br />
and copy that to /etc/openvpn</div>
Tony
https://wiki.dhits.nl/index.php?title=Openvpn&diff=8762
Openvpn
2024-02-26T09:50:35Z
<p>Tony: /* Renew expiry dates */</p>
<hr />
<div>*http://www.openvpn.net/<br />
*[http://openvpn.net/INSTALL-win32.html Openvpn on windows]<br />
*[http://forums.gentoo.org/viewtopic.php?t=233080 Openvpn howto]<br />
*[https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/ Fixing MTU settings for Openvpn]<br />
<br />
=HOWTO=<br />
==Using easyrsa==<br />
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto<br />
===Revoke certificate===<br />
https://openvpn.net/community-resources/revoking-certificates/<br />
<br />
If you don't want to restart openvpn after revoking a cert add to server config:<br />
crl-verify crl.pem <br />
<br />
./easyrsa revoke someclient<br />
./easyrsa gen-crl <br />
<br />
Check crl<br />
openssl crl -in pki/crl.pem -noout -text<br />
<br />
Check the serial numbers of the revoked certs<br />
grep ^R pki/index.txt<br />
<br />
You might need to copy crl.pem to /etc/openvpn/<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn<br />
<br />
===Renew expiry dates using easyrsa===<br />
./easyrsa gen-crl<br />
and most likely<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/<br />
<br />
==Push DNS to linux clients==<br />
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/<br />
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf <br />
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf<br />
<br />
<br />
==Openvpn and systemd==<br />
https://ubuntu.com/server/docs/service-openvpn<br />
<br />
=FAQ=<br />
==NOTE: FlushIpNetTable failed on interface==<br />
This happens on windows, ignore it.<br />
<br />
<br />
==TLS Error: local/remote TLS keys are out of sync==<br />
First give it some time<br />
<br />
<br />
==WARNING: 'link-mtu' is used inconsistently==<br />
?<br />
<br />
==VERIFY ERROR: depth=0, error=CRL has expired==<br />
easyrsa gen-crl<br />
and copy that to /etc/openvpn</div>
Tony
https://wiki.dhits.nl/index.php?title=Openvpn&diff=8761
Openvpn
2024-02-26T09:49:04Z
<p>Tony: /* HOWTO */</p>
<hr />
<div>*http://www.openvpn.net/<br />
*[http://openvpn.net/INSTALL-win32.html Openvpn on windows]<br />
*[http://forums.gentoo.org/viewtopic.php?t=233080 Openvpn howto]<br />
*[https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/ Fixing MTU settings for Openvpn]<br />
<br />
=HOWTO=<br />
==Using easyrsa==<br />
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto<br />
===Revoke certificate===<br />
https://openvpn.net/community-resources/revoking-certificates/<br />
<br />
If you don't want to restart openvpn after revoking a cert add to server config:<br />
crl-verify crl.pem <br />
<br />
./easyrsa revoke someclient<br />
./easyrsa gen-crl <br />
<br />
Check crl<br />
openssl crl -in pki/crl.pem -noout -text<br />
<br />
Check the serial numbers of the revoked certs<br />
grep ^R pki/index.txt<br />
<br />
You might need to copy crl.pem to /etc/openvpn/<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn<br />
<br />
===Renew expiry dates===<br />
./easyrsa gen-crl<br />
and most likely<br />
cp ~/easy-rsa/pki/crl.pem /etc/openvpn/<br />
<br />
<br />
==Push DNS to linux clients==<br />
http://blog.milford.io/2011/02/setting-up-an-openvpn-client-for-ubuntudebianmint-cli-edition/<br />
echo "up /etc/openvpn/update-resolv-conf" >> ~/client/client.conf <br />
echo "down /etc/openvpn/update-resolv-conf" >> ~/client/client.conf<br />
<br />
<br />
==Openvpn and systemd==<br />
https://ubuntu.com/server/docs/service-openvpn<br />
<br />
=FAQ=<br />
==NOTE: FlushIpNetTable failed on interface==<br />
This happens on windows, ignore it.<br />
<br />
<br />
==TLS Error: local/remote TLS keys are out of sync==<br />
First give it some time<br />
<br />
<br />
==WARNING: 'link-mtu' is used inconsistently==<br />
?<br />
<br />
==VERIFY ERROR: depth=0, error=CRL has expired==<br />
easyrsa gen-crl<br />
and copy that to /etc/openvpn</div>
Tony
https://wiki.dhits.nl/index.php?title=Ansible-lint&diff=8760
Ansible-lint
2024-02-23T15:46:21Z
<p>Tony: /* FAQ */</p>
<hr />
<div>=FAQ=<br />
==Don't compare to empty string==<br />
* Use `when: var | length > 0` instead of `when: var != ""`.<br />
* Use `when: var | length == 0` instead of `when: var == ""`.<br />
<br />
==Don't compare to literal True/False==<br />
Instead of <br />
when: (foo == 1 and bar == 0) == false<br />
use<br />
when: not (foo == 1 and bar == 0) <br />
<br />
==Commands should not change things if nothing needs doing==<br />
Sometimes fixed by adding<br />
changed_when: false<br />
<br />
<br />
==Lines should be no longer than 160 chars==<br />
ignore for now?<br />
<br />
<br />
==Shells that use pipes should set the pipefail option==<br />
shell: set -o pipefail && ...</div>
Tony
https://wiki.dhits.nl/index.php?title=Ansible_snippets&diff=8759
Ansible snippets
2024-02-23T14:04:05Z
<p>Tony: /* Lineinfile */</p>
<hr />
<div>=Systemd=<br />
==Randomize timer==<br />
Create '''/var/ansible/files/systemd/fstrim.conf'''<br />
[Timer]<br />
RandomizedDelaySec=3h<br />
<br />
'''Playbook''': <br />
<br />
 tasks:<br />
<br />
   - name: check if /etc/systemd/system/fstrim.timer.d/ exists<br />
     stat:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
     register: override_dir<br />
<br />
   - name: create /etc/systemd/system/fstrim.timer.d/<br />
     file:<br />
       path: /etc/systemd/system/fstrim.timer.d/<br />
       state: directory<br />
     when: not override_dir.stat.exists<br />
<br />
   - name: add fstrim.timer override<br />
     copy:<br />
       src: /var/ansible/files/systemd/fstrim.conf<br />
       dest: /etc/systemd/system/fstrim.timer.d/override.conf<br />
     notify: daemon-reload<br />
<br />
 handlers:<br />
<br />
   - name: daemon-reload<br />
     systemd:<br />
       daemon_reload: yes<br />
<br />
=Lineinfile=<br />
*[https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html Lineinfile documentation]<br />
<br />
==Quoting fun with lineinfile regex==<br />
 - name: fix the needrestart config<br />
   lineinfile:<br />
     dest: /etc/needrestart/needrestart.conf<br />
     state: present<br />
     regexp: '^#\$nrconf{restart}'<br />
     line: '$nrconf{restart} = ''a'''<br />
   when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version == '22'<br />
<br />
=Files=<br />
==Check if a file exists==<br />
 - name: check for a file<br />
   stat:<br />
     path: /etc/fstab<br />
   register: fstab<br />
<br />
 - name: print message if exists<br />
   ansible.builtin.debug:<br />
     msg: "File /etc/fstab exists"<br />
   when: fstab.stat.exists<br />
<br />
=Check if a command exists=<br />
 - name: check if mysqld is installed<br />
   shell: which mysqld > /dev/null 2>&1<br />
   ignore_errors: true<br />
   changed_when: false<br />
   register: mysqld<br />
   failed_when: mysqld.rc == 2</div>
Tony
https://wiki.dhits.nl/index.php?title=Nginx&diff=8758
Nginx
2024-02-23T11:49:03Z
<p>Tony: /* Error messages */</p>
<hr />
<div>HTTP server, proxy, reverse proxy etc<br />
<br />
=Links=<br />
*[http://nginx.org/ Homepage]<br />
*[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx]<br />
==Documentation==<br />
*[https://www.nginx.com/resources/wiki/start/ Getting started]<br />
<br />
==Nginx and php-fpm==<br />
*[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04]<br />
===Monitoring php-fpm under nginx===<br />
Create /etc/nginx/sites-enabled/fpmstatus<br />
 server {<br />
     listen 89;<br />
     listen [::]:89;<br />
     server_name localhost;<br />
     location = /fpm-status {<br />
         access_log off;<br />
<br />
         allow 127.0.0.1;<br />
         deny all;<br />
<br />
         fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;<br />
         include fastcgi_params;<br />
         fastcgi_pass unix:/run/php/php-fpm.sock;<br />
         # fastcgi_pass 127.0.0.1:9001;<br />
     }<br />
     location = /fpm-ping {<br />
         access_log off;<br />
<br />
         allow 127.0.0.1;<br />
         deny all;<br />
<br />
         fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;<br />
         include fastcgi_params;<br />
         fastcgi_pass unix:/run/php/php-fpm.sock;<br />
     }<br />
 }<br />
<br />
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work<br />
<br />
=Notes=<br />
<br />
==SSL certificates==<br />
The host.crt goes first in the bundle<br />
<br />
<br />
 server {<br />
     # "ssl on;" is deprecated; enable TLS on the listen directive instead<br />
     listen 443 ssl;<br />
     ssl_certificate /etc/ssl/your_domain_name.pem;  # or bundle.crt<br />
     ssl_certificate_key /etc/ssl/your_domain_name.key;<br />
     server_name your.domain.com;<br />
     access_log /var/log/nginx/nginx.vhost.access.log;<br />
     error_log /var/log/nginx/nginx.vhost.error.log;<br />
     location / {<br />
         root /home/www/public_html/your.domain.com/public/;<br />
         index index.html;<br />
     }<br />
 }<br />
<br />
=HOWTO=<br />
==Get configuration items==<br />
getconf PAGESIZE<br />
<br />
==Redirecting in nginx==<br />
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/<br />
<br />
==enable ipv6==<br />
In server section add<br />
listen [::]:443;<br />
<br />
==Configure buffer sizes==<br />
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size<br />
<br />
<br />
==Rate limiting==<br />
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting]<br />
<br />
=FAQ=<br />
==nginx serving wrong page==<br />
Forgot to tell it to listen on ipv6?<br />
Like<br />
 listen [::]:443 ssl;<br />
<br />
==Conflicting server name XXX on 0.0.0.0:80==<br />
<br />
==FastCGI sent in stderr: "Primary script unknown" ==<br />
Usually means the php script just isn't there<br />
<br />
==Error messages==<br />
<br />
===nginx: [emerg] unknown log format===<br />
Define log_format in '''http''' section before the includes.<br />
<br />
<br />
=== upstream prematurely closed connection while reading upstream ===<br />
Maybe trying to fetch a large file, like jpg?<br />
<br />
=== client intended to send too large body ===<br />
 server {<br />
     # default 1m<br />
     client_max_body_size 4m;<br />
 }<br />
<br />
<br />
<br />
===no live upstreams while connecting to upstream===<br />
can't connect to whatever backend?<br />
<br />
<br />
===upstream sent too big header while reading response header from upstream===<br />
*[https://techglimpse.com/upstream-sent-too-big-header-while-reading-response-header-from-upstream-nginx/ Upstream sent too big header]<br />
*[https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx Tuning proxy_buffer_size in NGINX]<br />
<br />
<br />
===an upstream response is buffered to a temporary file===<br />
<br />
<br />
===(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking===<br />
Usually just a bad client or a scan.<br />
<br />
===cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem===<br />
Probably ubuntu?<br />
apt install ssl-cert<br />
<br />
===access forbidden by rule===<br />
look for allow or deny lines<br />
<br />
===a client request body is buffered to a temporary file===<br />
Play around with<br />
client_body_buffer_size 10M;<br />
client_max_body_size 10M;<br />
<br />
TODO check, this doesn't seem to apply<br />
If all else fails just set:<br />
proxy_max_temp_file_size 0;<br />
and see if you get some feedback :)<br />
<br />
===upstream timed out===<br />
Look for proxy_pass<br />
<br />
==Logging==<br />
<br />
===Log level===<br />
Doesn't seem to be documented, defaults to log all?<br />
<br />
[[Category: Proxy]]</div>
Tony
https://wiki.dhits.nl/index.php?title=Nmap&diff=8757
Nmap
2024-02-22T12:58:21Z
<p>Tony: /* HOWTO */</p>
<hr />
<div>=Links=<br />
*[https://nmap.org/ Homepage]<br />
*[https://securitytrails.com/blog/top-15-nmap-commands-to-scan-remote-hosts nmap examples]<br />
<br />
=HOWTO=<br />
<br />
==Scan subnet for port==<br />
nmap -p 80 192.168.1.0/24<br />
<br />
==ping IP range==<br />
nmap -sP 192.168.11.10-20<br />
<br />
==OS scan==<br />
nmap -O</div>
Tony