viraptor's questions

I'd like to send a systemd notification with readiness and main pid. Unfortunately, it seems like systemd doesn't cope with translating pids from different namespaces. (Just a guess...)

Specifically, I'm staring a service with:

ExecStart=podman run --rm --cgroups=disabled -v /run/systemd:/run/systemd ... script.sh

And the started script does:

echo "MAINPID=$$" | nc -uUN -w0 /run/systemd/notify

This doesn't seem to change anything. The MAINPID is set to either conman (default) or podman (--sdnotify=ignore). Then again, I'm effectively sending MAINPID=1 from inside the running container.

Is there some workaround here to ensure a specific process inside the service/container becomes the MAINPID instead?

I'm trying to use pretty much the default installation of libvirt / kvm on Fedora 32.

After installing libvirt, I'm trying to start up the default network: virsh net-start default.

But for some reason, there's a number of chains which are missing, so it fails. For example the new rules which libvirt tries to load start with:

-A IN_libvirt_allow -p udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

But there's no IN_libvirt_allow (or IN_libvirt_post, FORWARD_OUT_ZONES, ...).

I do have some libvirt related chains like LIBVIRT_INP / LIBVIRT_OUT, but I'm not sure which ones belong to libvirt and which ones to firewalld and how they're supposed to work together.

What piece of setup am I missing?

I'd like to redirect incoming external traffic to a service which listens on 127.0.0.1. The redirection is easy - just:

iptables -t nat -A PREROUTING \
    -d local_ip --dport 80 \
    -j DNAT --to-destination 127.0.0.1:port

but this leaves the packet on eth0 and it's just logged as martian and dropped by default. I can enable route_localnet on eth0 to fix this, but that exposes the whole interface to weird routing tricks.

How do I forward it correctly without route_localnet?

Is there any way to configure strongswan to automatically start encryption to a given subnet rather than specific host? For example, if I know that my hosts at w.x.y.z/28 will be have the same PSK configured. I'd like to configure all of them in one go with:

conn protected
    left=%any
    right=%any
    rightsubnet=w.x.y.z/28
    auto=route
    forceencaps=no
    type=transport
    mobike=no
    authby=psk

or similar. I want to avoid specifying each one separately. I expected the trap on routes to do the required startup as needed. But strongswan refuses to work this way and claims that installing trap failed, remote address unknown.

Is this scenario possible in any way?

I'd like to set up nginx location match but only for a specific source address. Unfortunately if I already match a location, but not the condition I can't fall through to the next location. What's the way to solve it nicely?

server {
    ...
    location / {
        index app.php;
        try_files $uri @rewriteapp;
    }
    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }
    ...
    location ~ ^/admin {
        if ($source_trusted = "UNKNOWN") {
            return 403;
        }
    }
    ...
    location ~ ^/... {
        fcgi_pass ...
        ...
    }
}

With this config going to /admin from a source that sets $source_trusted = OK (via geo module) results in a 404, rather than the page loading.

I'd like to download a grains file from external source during the state.highstate is run. The file is not supposed to change usually - I'm only using this mainly for the initial provisioning.

So it seems like I just want a file.managed state that will put the right contents into _grains (I'm using a standalone client) and then call saltutil.sync_grains. But how do I call a function? It's going to be a state with watch configured, but I don't see a state that would help me do that.

I'm trying to speed up a standup of virtual machines used for development / automated test environments and wanted to verify some assumptions about disk writes caching.

I'm using ext4 for the root filesystem in the VM and I don't really care about power-loss scenarios. If there's a power loss and disk gets corrupted, the whole machine can be rebuilt in a couple of minutes. For me that means the following options can be safely applied and it should make no difference to the applications - they will just affect how the buffered data is written to the disk itself, but the cached in-memory representation will be always accurate:

• nobarrier
• data=writeback
• nobh
• commit=3600

Is this correct? And are there any other ext4 parameters I should look at for performance improvements?

I run into an issue with upstart where I want to update an init config, but just restarting the job doesn't apply the changes.

For example:

• I've got job xyz running
• I modify the /etc/init/xyz.conf to do something in pre-stop.
• The job gets restarted with restart xyz
• pre-stop part is not executed

I tried reloading the config with initctl reload-configuration, but it didn't have any effect. If I manually stop and start the job in two separate steps, things work as expected.

I'm looking for something similar to vagrant, but working with KVM. I'd like to setup a couple of machines with packages I point at using a single command, but I don't really want to write the whole script from scratch. The things which are required:

• setting up a single network between those machines and a nat for the world
• setting up groups of servers separately (for example I want a separate group of database-like servers and a group of app servers so that i can redeploy one of them)
• some interaction with chef, so that I can push the right config at the beginning and spawn some machines only after another machine finished its first chef-client run
• extensibility so that I can easily add missing functionality (I'd like a package rebuild / apt repository update as a part of the deployment)

I'm trying to configure zabbix with email notifications. I read many docs about it already, but I must be missing something still, because it doesn't work...

What I have configured at the moment:

• media type: email, with host=localhost, helo=localhost, email=[email protected]
• user with email assigned for all events apart from "not classified"
• sendmail is running on the host
• one remote host is monitored through zabbix_agent - I'm turning it off to cause a trigger to fire
• zabbix panel "beeps" and show the failing check correctly
• nothing is written to the sendmail logs (it does write a message if I try connecting with telnet, so it works in general)
• nothing related seems to be written to the zabbix_server log

What else can I check?

I'd like to manually change some entries in a Bind server via the dynamic update. I couldn't find any specific tool to do that however. Is there any cli application where I can specify the record to add/remove and send the specific request?

I'd like to create a character device which has the same properties as a standard pseudo-terminal, but that can be named in a specific name.

Basically I'd like to have /dev/pts/my-unique-name instead of the numbers which can be reused. Is there a way to do that? Can mknod for example create arbitrarily connected char-devices?

I'm trying to figure out why is kjournald going crazy on my machine. It's an 8-core box with loads of memory. It's got ~50% cpu load.

The iotop doesn't seem to point at any specific processes - some bursts of writes here and there (mostly cron starting, some monitoring stats generated, etc.) When I used sys/vm/block_dump to gather the write statistics, I got lists like this:

kjournald(1352): 1909
sendmail(28934): 13
cron(28910): 12
cron(28912): 11
munin-node(29015): 3
cron(28913): 3
check_asterisk_(28917): 3
sh(28917): 2
munin-node(29022): 2
munin-node(29021): 2

Where kjournald actions are just WRITEs.

Why is that happening? What else should I look at to limit the kjournald activity a bit? It seems disproportionate to what's actually being written.

I'm looking for a distributed filesystem which I could use for storing lots of small files (<1MB usually). What I want to get is:

• 2 servers which have the fs mounted themselves and mirror the data
• locking support (among reachable nodes)
• some kind of best-effort automatic resynchronisation after one node goes down and comes back again

What I mean by the resync is that, I'm ok with both servers doing read/write operations even if they split-brain. I'm also ok if a local process obtains a lock if the other host is not reachable. From the resync I expect only a file-level consistent view after a while - that is - if file x is modified on both nodes during a split-brain, I don't really care which one is available after they join again, as long as it's full file, not one block coming from node1 and another block from node2.

Is there a solution like that out there? I see that gluster has some problems with file locks (even in 3.1). I also noticed that OCFS2 will panic if both nodes split-brain. What other filesystem would allow me to do what I want?

how can I enable logging of haproxy check results (or failures only)? I've seen some mailing list posts suggesting this is possible:

Server LDAPSFarm/LDAPS1 is DOWN, reason: Socket error, check duration: 277ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

but I don't get the same results. My config is more of less this:

global
        log 127.0.0.1 local0
        user haproxy
        group haproxy
        spread-checks 5

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        redispatch
        maxconn 2000

        stats enable
        stats hide-version

        option allbackups

listen XXX YYY
        mode tcp
        balance roundrobin
        option httpchk /

        server XXX-1 ZZZ1 check port 8080 inter 2s rise 15 slowstart 10s
        server XXX-2 ZZZ2 check port 8080 inter 2s rise 15 slowstart 10s

If I enable statistics page and look at it, I can see that sometimes server lines go yellow/red which suggests monitoring failures, but currently I don't see anything related in the log files. How can I get this information?

I know I can list the .deb's dependencies using dpkg --info, but is there any automated way to check those dependencies against the current system? What I'm interested in, the status: whether the package will be cleanly installed, or will it fail.

I'm looking for an easy method to run N selected processes at the same time with one command. It should put all the output on my terminal and shut down all of them when I exit with ctrl+c. Is there any existing app that does this?

I'm thinking of some thing like exec_many 10 foo - it should keep 10 foos running and respawn any that dies.

I've got a problem with running a FastCgiServer under apache2. When I define a virtual host with a static fcgi server configured, I get an error from suexec:

command not in docroot (/var/www-blah/dispatcher.fcgi)

Which is correct, because docroot is /var/www. But when I use a dynamic fastcgi generated by AddHandler magic, I'm also using suexec and the same problem doesn't occur - even though the script lives in /home/.../public_html/dispatcher.fcgi.

What causes suexec to run correctly there? And how can I replicate that behaviour on the virtual host?

Update: Actually, I moved my stuff from /var/www-blah to /var/www/blah, so it's under docroot and it works. I guess suexec has some public_html detection.

What still doesn't work though is dynamic fastcgi with suexec under /var/www/.... Even though the script is owned by the correct user, suexec doesn't show any errors and doesn't seem to run (script works as www-data)

I'm interested in the current usage of cpu - precisely cpu% and wait% - for each thread in a specific application. Is it possible to get that information from somewhere?

I know that top can split information per real thread (ones with pid), but it doesn't show the system/user/wait cpu usage split for each of them. I would also like some way to log that info. Do you know any apps (or apis) that can do that?

I'd like to restrict a range of udp ports to a single application (or a user). What I'd like to achieve is not simply blocking a bind() from other uids, but also remove the range from a pool that can be auto-assigned.

For example, if someone tries to explicitly bind 12345, but doesn't run the specified app, they should get EPERM. If someone tries to bind an unspecified port, they should never try to bind 12345 at random.

Is there any system that can help here? I tried browsing apparmor / selinux docs, but they seem to do the blocking part only.