GioMac's questions

Have several sites, one of them acts as intermediary router between two:

1. AWS VPC (10.10.0.0/24)
2. Libreswan VPN Server (10.20.0.0/24)
3. Mikrotik VPN Router (10.30.0.0/24)

host1 resides at AWS VPC, host2 is connected to Mikrotik

VPN's are up, each connection is working separately, statuses look fine.

host2 pings host1, packets arrive through libreswan to host1, host1 replies, all packets arrive at libreswan, but are not passed to host2. Also, packets initiated from host2 are able to reach libreswan, but are not passed to host1. I suppose, that all is stateless for ipsec and is the same problem.

iptables nat (manual config):

-A POSTROUTING -j ACCEPT -d 10.10.0.0/24
-A POSTROUTING -j ACCEPT -d 10.20.0.0/24

iptables filter (manual config):

-A FORWARD -j ACCEPT

routing table @ libreswan (ip route, added by libreswan):

10.10.0.0/24 dev eth0 scope link mtu 1436
10.20.0.0/24 dev eth0 scope link mtu 1436

Similar connections with many combinations to other sites works fine in any way - difference is in AWS-Libreswan VPN connection.

Is there something i am missing? Where should i look?

Well, RHEL 7.5 released with important add-on, VDO, which basically adds thin provisioned compressed and de-duplicated volumes, which is great and we'll get these benefits with derivatives and other distros too, as technology was acquired from Permabit and is open source.

According to official docs (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/vdo-qs-requirements), there are some considerations ("Placement of VDO in the Storage Stack" section of the doc):

As a general rule, you should place certain storage layers under VDO and others on top of VDO:

• Under VDO: DM-Multipath, DM-Crypt, and software RAID (LVM or mdraid).
• On top of VDO: LVM cache, LVM Logical Volumes, LVM snapshots, and LVM Thin Provisioning.

Well, because it's "general" rule - i see no problem with that and everything is fine. Next we see following:

The following configurations are not supported:

• VDO on top of VDO volumes: storage → VDO → LVM → VDO
• VDO on top of LVM Snapshots
• VDO on top of LVM Cache
• VDO on top of the loopback device
• VDO on top of LVM Thin Provisioning
• Encrypted volumes on top of VDO: storage → VDO → DM-Crypt
• Partitions on a VDO volume: fdisk, parted, and similar partitions
• RAID (LVM, MD, or any other type) on top of a VDO volume

This is kinda "scary" and we should be carefully in design, because looks like following won't be "supported:"

storage -> LVM PV -> LVM VG -> LVM Thin -> LVM LV -> Storage (in VM) -> VDO (in VM) -> EXT4 (in VM)

Note, that VDO/EXT4, final result is in the VM, LVM LV is directly attached to the VM and it's similar to:

storage -> LVM PV -> LVM VG -> LVM Thin -> LVM LV -> VDO -> Storage (in VM) -> EXT4 (in VM)

1. Is that really problematic or dangerous and not supported?
2. Why?

Creating everything on underlying device is not always good option, but I don't see a clear explanation why we have these limitations.

Maybe because these VDO volumes will be exposed to both Host and Guest?

I've got Varnish in front of multiple webservers, I can run them as native to varnish or through upstream checks via nginx, but only static content is cached (no surprise), also respecting query strings i.e.

/main.css?v=1 and /main.css?=v2 are cached separately

I update servers one by one, in fact, all this cannot be done at exactly the same time without downtime, general deployment thing.

If main.css gets updated on one backend and I send request according to the new webpage version to the varnish and request /main.css?=v2, it may still look for file on the machine which has old version and where main.css hasn't been updated yet, so, now I am getting v1 in the cache as v2 and there is nothing I can do, unless TTL expires (which is too late).

I can manually invalidate cache via requests, that's ok.

Is there any automated solution without manual interfering on rewriting software for feedback to varnish? like:

1. Is it possible, to expire cache when backend comes up, after probe is good?
2. anything else?

Thanks

Is it possible to display Service Availability (%) for metric i have on AWS, I am able to get graphs, but can't get availability for period selected.

As in subs - I want to start/restart b.service after a.service is started/restarted.

Is there a nice way to accomplish this?

Thanks

Is it possible for systemd to not log data from particular service, but to still forward it to the syslog?

StandardOutput=syslog
StandardError=syslog

Recently I've faced situation, when "standard" disk space monitoring failed - Zabbix uses vfs.fs.size item for checking disk usage, which is documented and preconfigured in bundled templates.

The Problem:

When files are deleted, but file descriptor/handle is still open - disk might be filled, but Zabbix will report no usage in this case.

How can one monitor disk space in this case?

I want to allow a range of ip addresses - two /24 subnets, which don't fall under /23. I have two options:

1. Use two rules with /24 masks and -s option
2. Use single rule with -m iprange and specify whole range of ip's

Which is fastest, more optimal way for performance?

I am running Dell PE 815 servers with two 16-core Opteron's, with four memory modules on each, OS - RHEL6, when I've started optimizing it for NUMA operation, found, that all cores are shown as bound to node0:

[root@node1 ~]# numactl --show
policy: default
preferred node: current
physcpubind: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
cpubind: 0
nodebind: 0
membind: 0
[root@node1 ~]# numactl --hardware
available: 1 nodes (0)
node 0 cpus: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
node 0 size: 65462 MB
node 0 free: 5889 MB
node distances:
node   0
  0:  10
[root@node1 ~]# numastat
                           node0
numa_hit              2661443864
numa_miss                      0
numa_foreign                   0
interleave_hit             43010
local_node            2661443864
other_node                     0
[root@node1 ~]#

According to physical configuration, there must be at least two nodes. What can be the reason?

I am running java apps via systemd:

[Unit]
Description=test service

[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/testserver
WorkingDirectory=/opt/testserver
ExecStart=/usr/bin/java -jar /opt/testserver/test.jar
StandardOutput=syslog
StandardError=syslog
User=testserver
Group=testserver
SyslogIdentifier=testserver

[Install]
WantedBy=multi-user.target

I want to get stdout in /opt/testserver/stdout.log and stderr in /opt/testserver/stderr.log - any working options are acceptable (i.e. if possible to do through syslog). If possible I want to avoid logging at least one of these in journald log.

Thanks...

Since Apache 2.4 I've started using mod_remoteip instead of mod_extract_forwarded for rewriting client address from x-forwarded-for provided by frontend servers (varnish, squid, apache etc).

So far everything works fine with the modules, i.e. php, cgi, wsgi etc... - client addresses are shown as they should be, but I couldn't write client address in access logs (%a, %h, %{c}a). No luck - I'm always getting 127.0.0.1 (localhost forward ex.).

How to log client's ip address when using mod_remoteip?

Update: IT WORKS O_O - see answer below

At first, I want to say: I know, it was done initially wrong and I want to avoid doing everything again from the scratch because of general downtime.

I am running libvirt/KVM on RHEL. I've got VM which runs with NAT networking profile (default one). I've set up port forwarding etc from host via sysconfig/iptables, everything is fine.

But if libvird daemon reloads for some internal reason, or receives SIGHUP - it reloads iptables configuration and adds rules from it's filtering profiles i.e. everything works as designed and documented (libvirt and firewall + libvirt nwfilter documentation) - there is no problem with SW, this is configuration issue.

But some rules introduce REJECTs before i need it and I can't connect to the machine via forwarded ports as seen below:

after running service iptables restart - everything will work as before.

Is there a way to force libvirt to change order of these two or disable these particular ones?

Maybe someone faced exactly the same issue and has answer ready.

Thanks

I am using Zabbix for monitoring log files. I've got trigger, which is activated when errors are written to the log:

{Test:log["/opt/test/log.out","^ERROR.*$","UTF-8",100].diff(0)}>0

So, now I acknowledge that, problems are solved, but trigger stays on.

How can one handle this?

Is there a way to assign custom SELinux context to the application despite the context that is assigned to it's binary?

My Dell servers with Perc H700 Controller are automatically performing periodic Patrol Reads.

Is there a way to set schedule for these checks?

I use proftpd for virtual FTP hosting with MySQL.

I've started writing fine-grained SELinux policies and found that it's trying to access my.cnf files.

Question is what for and why?

type=AVC msg=audit(1378191337.059:153431): avc:  denied  { getattr } for  pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { read } for  pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { open } for  pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

Output of ps auxwf|grep 50590 is empty now - process doesn't exist anymore. Looks like it's trying to do that on every login attempt.

Update: Filed bug/feature request, patch submitted by developer: http://bugs.proftpd.org/show_bug.cgi?id=3971

When I'm initiating "reboot" or "poweroff", systemd is killing all the processes, but I need it to wait for one particular application to finish before stopping other services.

Actually, I want Virtualbox vm clean shutdown/savestate. Have no problem of doing it manually with this service file, but during the shutdown - processes are killed. How can I control it?

I've read docs, but didn't find clear solution for this kind of dependency.

[Unit]
Description=virtualbox vm1 vm control service
After=vboxweb-service.service
Before=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/bin/VBoxManage startvm vm1 -type vrdp
ExecStop=/usr/bin/VBoxManage controlvm vm1 savestate
RemainAfterExit=true

I've got 389 Directory Server running on RHEL 5 with groups, users, posix etc. RHEL clients are authenticating users with LDAP - no problems, everything works perfect, but passwords are sent in plaintext and are visible with network sniffer. So, decided to run with SSL:

1. Created CA - got both private and public CA certificates
2. Using CA certs: generated both of private and public certificates and combined (1st file) for 389DS according to 389DS certificate request, imported with CA public cert to 389DS from graphical console (2nd file).
3. Enabled SSL in 389DS
4. On the client, using authconfig-gtk enabled SSL for LDAP, specified only CA public certificate

Doesn't work.

Howto? What is the best way to integrate safely?