user705142's questions

I'm trying to connect a client's network to our AWS data-centre, to allow access to a (previously publicly available) internal web-application.

At the moment we've got the VPN set up with dynamic routing to a new, empty VPC with a CIDR which doesn't conflict with the client's network, as our main VPC conflicts.

A few questions:

1) Does that CIDR need to be advertised or propagated to the client network, and how do I do that?

2) How I forward a client accessible IP address in that range to the internal IP address in the VPC containing the web-application?

3) And once done, how can I apply a security group to that VPN connection to limit access to that IP?

Or, am I going about this the wrong way?

I've got jetty set up to boot on login using the standard init script in CentOS 6.3 - my problem is that it decides to log a few messages to the console before redirecting it to it's own log files, which ends up printing out on the login screen.

It ends up with:

login: 20120-07-13 19:53:09.039:INFO::Redirecting stderr/stdout to /opt/jetty/logs/2012_07_13.stderrout.log

Which is rather ugly, is there any way to get rid of this?

I've got a database number that increments in real time with certain page views.

I want to make a Munin chart which charts not the total, but how it's changed from minute to minute. I know it's possible but I can't seem to figure out how from the docs, any ideas?

This seems like a simple question, but one I can't seem to find the answer for despite going over the pacemaker documentation multiple times.

I've got corosync set up with pacemaker to share a virtual IP. All I want to do is to set a timeout value before the backup node takes over the resource. With network outages of <1-2 minutes I'd like pacemaker to just continue on as normal instead of triggering failover, but switch it over if the outage is over a certain number.

There is a timeout for a resource - but this seems to be a the timeout waiting for the resource to start, not for the cluster as a whole.

This probably has a simple explanation, but I certainly can't think of it.

I've got corosync installed (via yum), with it's default init script. Something is strange on this particular CentOS installation as I often need to manually link /etc/rc.d/init.d/ to /etc/init.d.

The issue is that it fails when run via it's symbolic link, yet it runs fine through /etc/rc.d/init.d

What's even weirder is it fails to run if run using the full path, and only if actually run in the /etc/rc.d/init.d directory.

Example:

[~]# /etc/rc.d/init.d/corosync start
     Starting Corosync Cluster Engine (corosync):               [FAILED]
[~]# service corosync status
     corosync is stopped
[~]# cd /etc/rc.d/init.d/
[init.d]# /etc/rc.d/init.d/corosync start
          Starting Corosync Cluster Engine (corosync):          [FAILED]
[init.d]# corosync start
[init.d]# service corosync status
          corosync (pid  1985) is running...

Any explanation?

Edit:

Not sure what I've changed exactly, but it now works when started from /rc.d/init.d, but not with service corosync start.

[root@server2 mirror]# /etc/rc.d/init.d/corosync start
Starting Corosync Cluster Engine (corosync):               [  OK  ]

[root@server2 mirror]# /etc/init.d/corosync start
Starting Corosync Cluster Engine (corosync):               [FAILED]

[root@server2 mirror]# service corosync start
Starting Corosync Cluster Engine (corosync):               [FAILED]

edit 2:

Made a symbolic link from /etc/rc.d/init.d to /etc/init.d .. and now it works when run via service corosync start.. yet doesn't start on boot, argh.

Edit 3:

It's working with every command except on boot.

I've changed the run level to 99, which it still fails on, and I've changed the path inside the script to the absolute path : /usr/sbin/corosync

I've also done diffs of the environmental variables:

On service corosync start:

_=/bin/env
LANG=en_US.UTF-8
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/
SHLVL=1
TERM=xterm

On boot:

_=/bin/env
LANG=en_US.UTF-8
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/
SHLVL=2
TERM=linux
CONSOLETYPE=vt
LANGSH_SOURCED=1
previous=N
PREVLEVEL=N
runlevel=3
RUNLEVEL=3
UPSTART_EVENTS=runlevel
UPSTART_INSTANCE=
UPSTART_JOB=rc

Boot log:

Starting Corosync Cluster Engine (corosync):    [FAILED]

I've got two servers set up with PG Pool to create a HA setup for a webapp.

PGPool and postgres run on both servers, using streaming replication from server 1 to server 2. The webapp on each machine connects to PgPool which then sends the request to the current master. It's set up to automatically failover should a database connection be interrupted, which runs a custom failover script to demote server 1 to slave and promote server 2 to master.

What happened this morning is that for 2 minutes the network went down, which means neither PGPool instance could talk to each other - so each PGPool thought the other machine was down.

Server 1 - Continued on as master, disconnecting server 2
Server 2 - Initated failover, disconnecting server 1 and making itself the master

Since the network was down the failover command couldn't get through to server 1 to make it the slave, and visa versa. So when the network came back up 2 minutes later what I had was two servers who both thought they were the master.

PgPool doesn't seem to have an automatic failback command, which could be used to force server 1 to become the master again when the network reconnects, which is the only real solution I can think of.

My question is how am I supposed to deal with this situation? Is this even the correct architecture for this setup? Surely this is a common scenario, I can't get my head around how this kind of this could be fixed.

Edit: Would it be advisable to have pgpool run under a virtual ip under linux-ha ? That could solve things, and I already have that up and running for the public IP - that way only one pgpool instance gets accessed by either machine.

I'm trying to run pgpoolAdmin through nginx - it seems to be working properly, at least initially.

I've gone through the initial set-up, which works fine, but now after logging in every link takes me straight back to the login page. It also shows japanese text instead of english, despite picking english in the installation.

It seems to me just as if it was unable to save any user data, session information etc.

I have javascript/cookies enabled, so it's not that. The ownership of the folder is nginx, and so too is pgmgt.conf.php, so it shouldn't be a problem with permissions. One potential issue is that I can't seem to see any confirmation that php postgresql support is enabled in the php info screen, despite the correct package installed and in the config line.

Any ideas as to what's happening here?

The nginx rules are pretty standard:

server {

    # pg-pool admin

   listen       997;
   server_name  localhost;
   root      /opt/pgpooladmin;
   index     index.php;

   location ~ .php$ {
         fastcgi_pass_header Set-Cookie;
         fastcgi_pass   127.0.0.1:9000;
         fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param  PATH_INFO $fastcgi_script_name;
         fastcgi_index  index.php;
         include        fastcgi_params;
   }

}

I'm unsure what's going on here:

I've got a backup script which runs fine under root. It produces a >300kb database dump in the proper directory.

When running it as a cron job with exactly the same command however, an empty gzip file appears with nothing in it.

The cron log shows no error, just that the command has been run.

This is the script:

#! /bin/bash

DIR="/opt/backup"
YMD=$(date "+%Y-%m-%d")
su -c "pg_dump -U postgres mydatabasename | gzip -6 > "$DIR/database_backup.$YMD.gz" " postgres

# delete backup files older than 60 days
OLD=$(find $DIR -type d -mtime +60)
if [ -n "$OLD" ] ; then
    echo deleting old backup files: $OLD
    echo $OLD | xargs rm -rfv
fi

When changed to:

 pg_dump -U postgres mydatabasename | gzip -6 > "$DIR/database_backup.$YMD.gz"

The same thing happens.

And the cron job:

01 10 * * * root sh /opt/daily_backup_script.sh

It produces a database_backup file, just an empty one. Anyone know what's going on here?

edit:

Ok, simplified to this but it's still not working via cron

#! /bin/bash

DIR="/opt/backup"
YMD=$(date "+%Y-%m-%d")

pg_dumpall -U postgres > "$DIR/database_backup.$YMD"

And

01 10 * * * root /opt/daily_backup_script.sh

I'm running CentOS 6.2 - I've just migrated some applications over to a failover server, and copied their init scripts into /etc/init.d.

I've made them executable, added them to chkconfig, with chkconfig -add, set their levels, made sure they're residing in /etc/rc.d/ - made sure I can execute them from rc2.d etc. The permissions are the same on both servers. They're also running in the same order as on the primary server

Yet on reboot they don't start. Any ideas?

The offenders are these:

jetty           0:off   1:off   2:on    3:on    4:on    5:on    6:off
smart           0:off   1:off   2:on    3:on    4:on    5:on    6:off

/etc/init.d:
-rwxr-xr-x. 1 root root 14456 Mar 13 20:21 jetty
-rwxrwxrwx. 1 root root  5829 Mar 29 09:58 smart

/etc/rc.d/rc3.d
lrwxrwxrwx. 1 root root 15 Mar 29 19:21 S99jetty -> ../init.d/jetty
lrwxrwxrwx. 1 root root 11 Mar 26 17:12 S99local -> ../rc.local
lrwxrwxrwx. 1 root root 15 Mar 29 19:21 S99smart -> ../init.d/smart

I've checked, and I'm in run level 3. I've checked their logs, and there's no indication that that they've been started. I can start them manually easily - and other services are starting normally.

I'm completely out of ideas really.

I've got OpenVPN set up between my windows 7 client and linux server. The goal is that I'll get secure access to a webapp running on the server from any computer on the client LAN.

I'm using ccd to assign static ip addresses to each client connection, with key authentication. It's working on my client machine (10.83.41.9), and when you go to the gateway IP address (10.83.41.1), it loads up the webapp.

Now I really need the other computers on the client LAN to be able to connect to the webapp as well, via the windows machine.

The client has a static IP address of 192.168.2.100 on the LAN, and I've enabled IP forwarding in windows (confirmed by ipconfig /all). In my router I've forwarded 10.83.41.1 / 255.255.255.255 to 192.168.2.100.

In server.conf I have..

route 192.168.2.0 255.255.255.0

And in the office ccd..

ifconfig-push 10.83.41.9 10.83.41.10 iroute 192.168.2.0 255.255.255.0

The client log is as follows:

Thu Mar 15 20:19:56 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Thu Mar 15 20:19:56 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 15 20:19:56 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Mar 15 20:19:56 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 LZO compression initialized
Thu Mar 15 20:19:56 2012 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 15 20:19:56 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Mar 15 20:19:56 2012 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 15 20:19:56 2012 Local Options hash (VER=V4): '9e7066d2'
Thu Mar 15 20:19:56 2012 Expected Remote Options hash (VER=V4): '162b04de'
Thu Mar 15 20:19:56 2012 UDPv4 link local: [undef]
Thu Mar 15 20:19:56 2012 UDPv4 link remote: 111.65.224.202:1194
Thu Mar 15 20:19:56 2012 TLS: Initial packet from 111.65.224.202:1194, sid=ceb04c22 8cc6d151
Thu Mar 15 20:19:56 2012 VERIFY OK: depth=1, /C=NZ/O=XXX./CN=XXX
Thu Mar 15 20:19:56 2012 VERIFY OK: nsCertType=SERVER
Thu Mar 15 20:19:56 2012 VERIFY OK: depth=0, /C=NZ/O=XXX./CN=XXX
Thu Mar 15 20:19:56 2012 Replay-window backtrack occurred [1]
Thu Mar 15 20:19:56 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 15 20:19:56 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 15 20:19:56 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 15 20:19:56 2012 [server] Peer Connection Initiated with 111.65.224.202:1194
Thu Mar 15 20:19:58 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 15 20:19:59 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.83.41.1,topology net30,ping 10,ping-restart 120,ifconfig 10.83.41.9 10.83.41.10'
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: route options modified
Thu Mar 15 20:19:59 2012 ROUTE default_gateway=192.168.2.1
Thu Mar 15 20:19:59 2012 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{B32D85C9-1942-42E2-80BA-7E0B5BB5185F}.tap
Thu Mar 15 20:19:59 2012 TAP-Win32 Driver Version 9.9
Thu Mar 15 20:19:59 2012 TAP-Win32 MTU=1500
Thu Mar 15 20:19:59 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.83.41.9/255.255.255.252 on interface {B32D85C9-1942-42E2-80BA-7E0B5BB5185F} [DHCP-serv: 10.83.41.10, lease-time: 31536000]
Thu Mar 15 20:19:59 2012 Successful ARP Flush on interface [45] {B32D85C9-1942-42E2-80BA-7E0B5BB5185F}
Thu Mar 15 20:20:04 2012 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 15 20:20:04 2012 C:\WINDOWS\system32\route.exe ADD 10.83.41.1 MASK 255.255.255.255 10.83.41.10
Thu Mar 15 20:20:04 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 15 20:20:04 2012 Route addition via IPAPI succeeded [adaptive]
Thu Mar 15 20:20:04 2012 Initialization Sequence Completed

From the other machines I can ping 192.169.2.100, but not 10.83.41.1.

In the how-to, it mentions "Make sure your network interface is in promiscuous mode." as well. I can't find in the windows network config, so this may or may not be part of it.

Ideally this would be achieved without any special configuration the other LAN computers. Not sure how far I'm going to get on my own at this point, any ideas? Is there something I'm missing, or anything I should need to know?

I'm currently running a CentOS VPS with some simple web/DB/VPN servers, but I'm planning to move to a vmWare Enterprise cloud based machine in the near future to improve availability, and I need to know how I should structure it further to ensure high availability and fail-over.

I'm running postgresql and two simple jetty webservers, one hidden behind OpenVPN - and I'm monitoring it with monit/munin.

Now I believe I should be trying to set up two nodes (? does that mean purchasing two different virtual machines) with fail-overs between them - PostgreSQLs streaming replication seems easy enough, and having a OpenVPN/webserver instance on each machine seems relatively simple - losing session state is probably fine (unless there's a way to share this) - my question is how do these two nodes interface, what sits before them and routes web traffic to each - or do you require a third machine, or is that built into vmWare to begin with?

I've also noticed some Cloud Hosts advertising HA SSL VPN, and I believe OpenVPN AS has a virtual appliance - should this replace my OpenVPN instance/s, or is there no need for this?

I imagine this might become more obvious once I actually get the servers, but for now I'm quite confused.