Lucio Crusca's questions

I need to authorize my application (named "Logic" from now on) to manage users of a Keycloak realm. "Logic" already authenticates itself against that realm with a client credentials grant access type, so the code is already working.

Now, in the Keycloak administration console, I need to add the correct role to my client so that "Logic" is authorized to call whatever API endpoint Keycloak provides to manage the realm users.

In the realm clients list there is a client named realm-management, which Keycloak provides by default for each realm. This client can manage the whole realm, not just its users, and it has a list of client roles for that reason. manage-users is one of the roles in that list and it is the role I need to assign to my other client (that I named logic in Keycloak). In other words, my "Logic" application uses the keycloak client-id logic to authenticate itself and I need to add the manage-users role to the logic client.

The problem is that in my client (logic) roles settings, those same roles, listed under realm-management client, are not listed at all, and the list only has uma_protection role:

If I searched for "manage-users" by typing it in the search box, it wouldn't show up. Meanwhile, if I click that role in the roles list of the realm-management client, it shows that no users have that role and it lets me add the role to users, but not to clients, even if that role is actually listed in a client (realm-management).

Creating a new role in my logic client, by the same name of manage-users, is possible, but I'm not sure that's the way to go. I mean, why should I duplicate an existing role? It smells of wrong.

Can you please tell me the correct way to add the manage-users role to a client in Keycloak 23?

I have a USB hard drive attached to a Debian GNU/Linux server. I'm trying to format it (NTFS), with this command:

# mkntfs -v /dev/sdd1

which takes a few hours, because it checks the disk too. While checking, dmesg -T shows the following:

[Wed Jan 12 15:22:53 2022] sd 9:0:0:0: [sdd] Attached SCSI disk
[Wed Jan 12 18:03:26 2022] usb 1-4: USB disconnect, device number 5
[Wed Jan 12 18:03:26 2022] blk_update_request: I/O error, dev sdd, sector 621745808 op 0x1:(WRITE) flags 0x104000 phys_seg 240 prio class 0
[Wed Jan 12 18:03:26 2022] Buffer I/O error on dev sdd1, logical block 621743760, lost async page write
[Wed Jan 12 18:03:26 2022] Buffer I/O error on dev sdd1, logical block 621743761, lost async page write
   (...and so on for a few lines, then)
[Wed Jan 12 18:03:26 2022] blk_update_request: I/O error, dev sdd, sector 621746048 op 0x1:(WRITE) flags 0x104000 phys_seg 240 prio class 0
[Wed Jan 12 18:03:26 2022] blk_update_request: I/O error, dev sdd, sector 621746288 op 0x1:(WRITE) flags 0x100000 phys_seg 8 prio class 0
[Wed Jan 12 18:03:26 2022] blk_update_request: I/O error, dev sdd, sector 621746296 op 0x1:(WRITE) flags 0x800 phys_seg 16 prio class 0
   (...and so on for a few lines, then)
[Wed Jan 12 18:03:31 2022] buffer_io_error: 9015384 callbacks suppressed
   (...other errors...)

Looking at the sheer amount of error messages I'd say the HDD is almost dead, but attaching it to a Windows PC it seems to work. Moreover the first error (usb 1-4: USB disconnect, device number 5) that comes in dmesg before the other errors, makes me suspect the problem is not the HDD itself, but something else that causes the HDD to disconnect in the first place, and subsequent errors could be the obvious consequence of the disconnect.

However I'm not very experienced in dmesg output, so it's very possible that I'm reading it wrong.

EDIT: as requested by NiKiZe, here is the output of smartctl -a /dev/sdd:

# smartctl -a /dev/sdd
smartctl 6.6 2017-11-05 r4594 [x86_64-linux-5.10.0-3-amd64] (local build)
Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Blue Mobile
Device Model:     WDC WD10SPCX-00KHST0
Serial Number:    WD-WXF1A95F0J3X
LU WWN Device Id: 5 0014ee 65b7e0332
Firmware Version: 01.01A01
User Capacity:    1.000.204.886.016 bytes [1,00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ACS-2 (minor revision not indicated)
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 1.5 Gb/s)
Local Time is:    Thu Jan 13 11:04:19 2022 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART Status not supported: Incomplete response, ATA output registers missing
SMART overall-health self-assessment test result: PASSED
Warning: This result is based on an Attribute check.

General SMART Values:
Offline data collection status:  (0x00) Offline data collection activity
                    was never started.
                    Auto Offline Data Collection: Disabled.
Self-test execution status:      (   0) The previous self-test routine completed
                    without error or no self-test has ever 
                    been run.
Total time to complete Offline 
data collection:        (16080) seconds.
Offline data collection
capabilities:            (0x7b) SMART execute Offline immediate.
                    Auto Offline data collection on/off support.
                    Suspend Offline collection upon new
                    command.
                    Offline surface scan supported.
                    Self-test supported.
                    Conveyance Self-test supported.
                    Selective Self-test supported.
SMART capabilities:            (0x0003) Saves SMART data before entering
                    power-saving mode.
                    Supports SMART auto save timer.
Error logging capability:        (0x01) Error logging supported.
                    General Purpose Logging supported.
Short self-test routine 
recommended polling time:    (   2) minutes.
Extended self-test routine
recommended polling time:    ( 184) minutes.
Conveyance self-test routine
recommended polling time:    (   5) minutes.
SCT capabilities:          (0x7035) SCT Status supported.
                    SCT Feature Control supported.
                    SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       0
  3 Spin_Up_Time            0x0027   190   184   021    Pre-fail  Always       -       1500
  4 Start_Stop_Count        0x0032   081   081   000    Old_age   Always       -       19048
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x002e   200   200   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   073   073   000    Old_age   Always       -       20415
 10 Spin_Retry_Count        0x0032   100   100   000    Old_age   Always       -       0
 11 Calibration_Retry_Count 0x0032   100   100   000    Old_age   Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       188
192 Power-Off_Retract_Count 0x0032   200   200   000    Old_age   Always       -       43
193 Load_Cycle_Count        0x0032   187   187   000    Old_age   Always       -       41054
194 Temperature_Celsius     0x0022   119   095   000    Old_age   Always       -       28
196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0030   100   253   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
200 Multi_Zone_Error_Rate   0x0008   100   253   000    Old_age   Offline      -       0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
No self-tests have been logged.  [To run self-tests, use: smartctl -t]

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

Assuming this HDD is really failing and that those error messages in dmesg are there for real bad sectors, why does dmesg show a disconnect before the bad sectors messages rather than after?

I'm trying to decrypt the Private directory inside a user $HOME automatically at system startup. The system is a Debian GNU/Linux 10 (actually a Raspbian, but I assume it's no different to this end) that uses NoDM to start Xorg.

EDIT 1: I've now tried installing a clean Debian 11 with Nodm in a virtual machine and I face exactly the same problem described here below.

Nodm automatically logs the unprivileged user in, and it runs the $HOME/.xsession startup script.

I have the following script, that is being called by .xsession:

#!/bin/bash -x
# Original by Michael Halcrow, IBM
# Extracted to a stand-alone script by Dustin Kirkland
# Edited on 2021-10-28 by Lucio Crusca

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PD="Private"    
WPF="$HOME/.ecryptfs/wrapped-passphrase"
MPSF="$HOME/.ecryptfs/$PD.sig"

if /sbin/mount.ecryptfs_private ; then
    exit 0
fi

if [ -f "$WPF" -a -f "$MPSF" ]; then
        if [ $(wc -l < "$MPSF") = "1" ]; then
            if printf "%s\0" "$LP" | ecryptfs-unwrap-passphrase "$WPF" - | ecryptfs-add-passphrase -; then
                echo Ok
            else
                echo incorrect LP
                exit 1
            fi
        else
            if printf "%s\0" "$LP" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WPF" - ; then
                echo Ok
            else
                echo incorrect LP
                exit 1
            fi
        fi
    /sbin/mount.ecryptfs_private
else
    echo Setup error
    exit 1
fi
exit 0

It is a stripped down version of /usr/bin/ecryptfs-mount-private. It executes just the same commands, but it expects the LP environment variable to contain the passphrase instead of asking for the passphrase interactively.

I saved this script as $HOME/el-mount.sh. When my system boots and NoDM starts, it executes .xsession that in turn calls my script, redirecting stdout and stderr to a logfile for debug. The thing does not work, in that it outputs this:

...
+ /sbin/mount.ecryptfs_private
mount: No such file or directory

However if I connect to the system via ssh and run the same el-mount.sh script, logged in as the same user configured in NoDM, the script flawlessy works. Just in case you wonder, the LP variable is correctly set in both cases (already checked in the logfile).

I've already tried switching from NoDM to lightdm-autologin-greeter, but I get just the same outcome.

How do I make mount.ecryptfs_private work when called during autologin?

I know how to check how many PCI slots are not used yet on my server, by using dmidecode and looking for Available slots:

# dmidecode
[...]
Handle 0x0014, DMI type 9, 13 bytes
System Slot Information
    Designation: PCI1
    Type: 32-bit PCI
    Current Usage: Available
    Length: Long
    ID: 2
    Characteristics:
        5.0 V is provided
        PME signal is supported

and I also know how to check what PCI type and version are all the slots in the server (available and used), by using lspci -vvv and looking for LnkCap data:

# lspci -vvv
[...]
00:1f.0 PCI bridge: Silicon Integrated Systems [SiS] PCI-to-PCI bridge (prog-if 00 [Normal decode])
    [...]
    LnkCap: Port #0, Speed 2.5GT/s, Width x1, ...

where the speed of 2.5GT/s and the 1x suggest it's a PCI-e 1x slot. That's fine, but how do I relate these outputs to deduce what PCI type and version are the free slots in my server?

I initially tried to assume the Handle numbers of dmidecode matched the first column values in lspci output, but they don't. Any ideas?

EDIT

As per Mark Wagner's comment, the numbers between lspci and dmidecode do not match because lspci shows informations about a bridge, not a slot, and lspci doesn't show anything for unused slots. That means lspci is not useful in my case, my question is still the same, but likely the answer will not use lspci.

I've just installed Ubuntu 20.10 and I enabled Active Directory integration during setup. It asked me AD user and password, I provided those and the setup showed green thicks and went on.

After completing setup, I tried to login with a domain user (ufficio.lan\lucio), but it failed as if the password was incorrect (which was not, I tried several times and I'm sure about my password). I then logged in with the local user I created during setup and checked the machine was effectively joined to the domain:

# realm join -U Administrator ufficio.lan
realm: already joined to this domain

Please note that after trying to login with my AD user, gdm added my real name and surname to the list of available users, so it actually managed to contact my AD server and obtain some information about me. However it didn't create the home directory, nor it mounted my home directory that the server shares (this would be my final goal) and it didn't let me in, as described above.

I tried to install Ubuntu 20.10 from scratch again, just in case I made some mistakes the first time, but I got the same results.

The server is a Zentyal Community Edition 6.2 and other Linux computers in the LAN manage to login with AD credentials, but those are old Fedora or Ubuntu 14.04 setups that were manually joined to the AD domain back then, so I can't just copy /etc/ over and hope for the best: it won't work.

EDIT after Sturban's answer:

Before reinstalling from scratch I had already tried to follow the guide linked in the answer, but it did not solve the problem. It was precisely that guide that, in Step 5, suggested me the command

# realm join -U Administrator ufficio.lan

to check if the system was already joined to the domain. Despite being already joined, I tried following that guide anyway (even from its Step 1), but at the end of Step 5 the id command did not find my domain user and gdm kept refusing my domain login and not creating my home directory.

Anyway, I suspect the point is quite different, and that's why I did not mention these trials before: Ubuntu 20.10 has AD integration option during setup and it's a new feature that up to 20.04 included did not exist, so I suspect something different is needed on Ubuntu 20.10, while that guide assumes Ubuntu 20.04.

EDIT #2

I've tried starting from fresh Zentyal 6.2 + Ubuntu 20.04 (mind it, not 20.10) virtual machines in a virtual LAN and then following the guide linked in Sturban's answer, which is supposed to be valid for Ubuntu 20.04. It didn't work just the same way as with Ubuntu 20.10.

To be honest, I did NOT follow the guide verbatim (never did that), but I always assumed I had to adapt Step 1 to the actual OS I was using. Step 1 suggests to add Ubuntu 18.04 repositories to /etc/apt/sources.list, but I always assumed it actually means I have to add my distro repositories that contain the packages to be installed in Step 3. Besides, I think adding bionic repos to a focal or buster setup and then installing old packages from there would wreck the OS of its own, right? Or do I really have to go through the hassle of adding outdated repos to a current OS in order to have AD authentication working?

Other than that, I followed the guide verbatim, but at the end of step 5 the id command still could not find AD users.

So now I assume my question is applicable to Ubuntu 20.04 too, and that guide is more outdated than I thought. That means if you know the solution to have AD users authentication working on Ubuntu 20.04 I assume it will work on Ubuntu 20.10 too, but that guide is missing something and it's not enough as solution.

I have a wireguard tunnel mostly working between two Debian systems, but I had to workaround a ISP firewall (firewall X in the diagram below) that blocks everything inbound and prevents Server B from listenting for wireguard UDP packets directly.

In order to workaround the ISP firewall, I used a server of mine (Server A) on a public static IP address. Server B is protected behind the ISP firewall X, which allows only outbound connections. Server B does not have any public static IP addresses either, so it initiates a SSH connection to Server A in order to establish the reverse forwarding TCP tunnel from A to B. Server A then needs to act as simulated UDP endpoint for the wireguard connection, but wireguard is not installed there. The UDP packets need to travel from Server A to Server B using the SSH reverse forwarding tunnel established beforehand by Server B.

Implementation wise, I keep socat running on Server A and listening on 0.0.0.0:12345/udp. The idea is to make it forward packets to the real wireguard server (on Server B) wrapping the UDP packets it receives into the SSH TCP reverse forwarding tunnel.

That said, Server B is actually a bare metal server and it runs serveral VMs with libvirt. The real wireguard server is one of those VMs. Server B uses another socat process to unwrap the TCP-tunneled UDP packets and deliver them to the correct virtual machine running wireguard.

From what I get, UDP is unreliable of its own over the internet, and I've even added a few layers of encapsulation, but:

1. the reverse ssh tunnel is a TCP tunnel, which should be reliable instead
2. the two socat tunnels are both inside a single computer, so I can assume they are reliable
3. wireguard uses UDP and it should bundle all the reliability checks within itself

However from my client I get high packet loss percentages over my wireguard tunnel. The same ping test over other wireguard tunnels that do not need this ssh+socat workaround do work with 0% packet loss.

My question is: how do I debug this solution to find out where ping packets are being lost?

EDIT: after a few tests, I noticed that I get way higher packet loss percentages when I try to use the vpn tunnel more heavily than with the ping command alone, e.g. if I open a browser on my client pointing to one of the VMs. The ping command alone actually works nearly 100% reliable, e.g. it looses a packet in a blue moon, but with a browser loading a page it starts loosing a lot of packets (and the browser never finishes loading the page).

I see socat does have some buffers size options, but I don't know what numbers I should try, so I suspect throwing numbers in the dark won't lead me to a fast solution of the problem... anyway, while waiting for someone to chime in with an answer, I'm going to try big and small random numbers and report back: it just takes a while for each test.

I have two Debian GNU/Linux systems (bullseye/sid), both running wireguard on port 23456, both behind NAT. Both run a kernel version > 5.6 (wireguard mainlined).

System A is the server, and it dynamically updates a dedicated "A record" in the authoritative nameserver for its internet domain, with the correct public IP address its internet facing router A (ZyWALL USG 100 firewall) is assigned with. It does so once every minute, but the public IP address actually changes only on reboot of the router/firewall, which basically never happens.

System B is behind VDSL router B and it acts as wireguard client, pointing to the dynamically updated "A record" and port 33456. Router B is a consumer grade VDSL router and it allows everything in outbound direction, only replies inbound.

Router/firewall A (ZyWALL USG 100) is configured to allow UDP packets on port 23456 through it and forwards them to server A. Here is the relevant configuration screen:

Here is the server A wireguard configuration file (keys in this snippet, despite being valid, aren't the real ones):

[Interface]
Address = 10.31.33.100/24, fc00:31:33::1/64
ListenPort = 23456
PrivateKey = iJE/5Qy4uO55uUQg8nnDKQ/dFT1MEq+tDfFXrGNj3GY=
# PreUp = iptables -t nat -A POSTROUTING -s 10.31.33.0/24  -o enp1s0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE
# PostDown = iptables -t nat -D POSTROUTING -s 10.31.33.0/24  -o enp1s0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE

# Simon
[Peer]
PublicKey = QnkTJ+Qd9G5EybA2lAx2rPNRkxiQl1W6hHeEFWgJ0zc=
AllowedIPs = 10.31.33.211/32, fc00:31:33::3/128

And here is client B wireguard configuration (again, keys and domain aren't the real ones):

[Interface]
PrivateKey = YA9cRlF4DgfUojqz6pK89poB71UFoHPM6pdMQabWf1I=
Address = 10.31.33.211/32

[Peer]
PublicKey = p62kU3HoXLJACI4G+9jg0PyTeKAOFIIcY5eeNy31cVs=
AllowedIPs = 10.31.33.0/24, 172.31.33.0/24
Endpoint = wgsrv.example.com:33456
PersistentKeepalive = 25

Here is a dirty diagram that depicts the situation:

Client B -> LAN B -> VDSL Router B (NAT) -> the internet -> ZyWALL (NAT) -> LAN A -> Server A

Starting wireguard on both systems does not establish the VPN connection. Activating debug messages on the client and adding a LOG rule into iptables, that logs OUTPUT packets, I get lots of these:

[414414.454367] IN= OUT=wlp4s0 SRC=10.150.44.32 DST=1.2.3.4 LEN=176 TOS=0x08 PREC=0x80 TTL=64 ID=2797 PROTO=UDP SPT=36883 DPT=33456 LEN=156 
[414419.821744] wireguard: wg0-simon: Handshake for peer 3 (1.2.3.4:33456) did not complete after 5 seconds, retrying (try 2)
[414419.821786] wireguard: wg0-simon: Sending handshake initiation to peer 3 (1.2.3.4:33456)

I've added a LOG iptables rule to the server, in order to diagnose router configuration problems.

root@wgserver ~ # iptables -t nat -I INPUT 1 -p udp --dport 23456 -j LOG

It logs the wireguard packets received from the client (but I can't tell if they are somehow invalid or incomplete):

[ 1412.380826] IN=enp1s0 OUT= MAC=6c:62:6d:a6:5a:8e:d4:60:e3:e0:23:30:08:00 SRC=37.161.119.20 DST=10.150.44.188 LEN=176 TOS=0x08 PREC=0x00 TTL=48 ID=60479 PROTO=UDP SPT=8567 DPT=23456 LEN=156 
[ 1417.509702] IN=enp1s0 OUT= MAC=6c:62:6d:a6:5a:8e:d4:60:e3:e0:23:30:08:00 SRC=37.161.119.20 DST=10.150.44.188 LEN=176 TOS=0x08 PREC=0x00 TTL=48 ID=61002 PROTO=UDP SPT=8567 DPT=23456 LEN=156 

so I'm inclined to assume the A router (ZyWALL USG 100) was correctly configured to let the packets come into the server local network. To confirm that assumption, I've even tried replacing the ZyWALL with another consumer grade router and moving the server over a different internet connection, but the problem is still there, so I'm sure the problem is not the firewall, nor its specific internet connection.

Here is the server network configuration, just in case it matters:

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
    address 10.150.44.188/24
    gateway 10.150.44.1

On top of that, other wireguard VPN tunnels DO work correctly using the same client, same VDSL router (client-side), same internet connection, similar server configuration (obviouisly different keys and domain), similar firewall configuration (server-side, different firewall model).

I need to clone a failing 2TB disk that contains a NTFS partition, using Debian GNU/Linux. The disk has a number of non-relocatable bad sectors, so I know that part of the data is already lost; however I need to clone the the disk in order to try to recover the rest using testdisk.

The command I issued to clone it is:

dd if=/dev/sdc of=/dev/md2 bs=512 conv=noerror status=progress

and it took about 2 days to complete, during which it found bad sectors at about 3GB, 66GB and 88GB. The failing disk is quite old and it isn't Advanced Format, so I know its sectors are 512 bytes each for sure.

The problem is that trying testdisk /dev/sdc it reads the directory (but then fails to recover the files, because of bad sectors), while tryng testdisk /dev/md2 does not even list the directory contents. The disk contains only the NTFS partition, that spans the whole available space. Why the clone is not the same as the original, at least on the sectors that aren't damaged? Am I cloning in a bad way and I should clone it some other way, e.g. different command or options?

I'm on Debian Buster/Sid, but I like to compile new vanilla kernels myself, just to try them out. However I face a recurring problem: if I use a Debian packaged kernel, Wake On Lan works correctly and I can wake my pc by sending the magic packet to it. If I use a vanilla kernel I compile myself, it doesn't.

Here is the procedure I use:

$ wget 'https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.xz'
$ tar xJf linux-5.0.2.tar.xz 
$ cd linux-5.0.2/
linux-5.0.2 $ cp /boot/config-4.19.0-2-amd64 .config
linux-5.0.2 $ make oldconfig

[KCONFIG questions omitted] I eventually add something, but I never remove anything

linux-5.0.2 $ CONCURRENCY_LEVEL=20 fakeroot make-kpkg --initrd binary-arch
[...]
linux-5.0.2 $ cd..
$ su -
# dpkg -i linux-image-*.deb linux-headers-*.deb
# reboot

[... the new kernel boots ...]

# init 0

Now I try to send the magic WoL packet from another networked device, but my PC does not start. If I boot it with a Debian packaged kernel (4.19.0-2 which corresponds to upstream 4.19.16) and then shutdown it, then the WoL packet works as expected and my PC starts up.

Here is the output of lsmod, because I've been asked for it:

$ lsmod 
Module                  Size  Used by
nft_chain_route_ipv4    16384  1
xt_CHECKSUM            16384  1
nft_chain_nat_ipv4     16384  4
ipt_MASQUERADE         20480  1
xt_conntrack           16384  1
ipt_REJECT             16384  1
nf_reject_ipv4         16384  1 ipt_REJECT
nft_counter            16384  34
xt_tcpudp              20480  2
nft_compat             20480  27
devlink                73728  0
nf_tables             147456  188 nft_chain_route_ipv4,nft_compat,nft_chain_nat_ipv4,nft_counter
nfnetlink              16384  2 nft_compat,nf_tables
tun                    57344  5
bridge                188416  0
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
binfmt_misc            24576  1
nls_ascii              16384  1
nls_cp437              20480  1
vfat                   24576  1
fat                    81920  1 vfat
edac_mce_amd           28672  0
kvm_amd               102400  0
ccp                    94208  1 kvm_amd
rng_core               16384  1 ccp
snd_hda_codec_realtek   122880  1
snd_hda_codec_hdmi     61440  1
kvm                   733184  1 kvm_amd
snd_hda_codec_generic    90112  1 snd_hda_codec_realtek
ledtrig_audio          16384  2 snd_hda_codec_generic,snd_hda_codec_realtek
irqbypass              16384  1 kvm
crct10dif_pclmul       16384  1
snd_hda_intel          45056  6
amdgpu               3928064  17
crc32_pclmul           16384  0
ghash_clmulni_intel    16384  0
snd_hda_codec         155648  4 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec_realtek
joydev                 28672  0
aesni_intel           372736  0
aes_x86_64             20480  1 aesni_intel
snd_hda_core           98304  5 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek
crypto_simd            16384  1 aesni_intel
chash                  16384  1 amdgpu
cryptd                 24576  3 crypto_simd,ghash_clmulni_intel,aesni_intel
eeepc_wmi              16384  0
asus_wmi               32768  1 eeepc_wmi
snd_hwdep              20480  1 snd_hda_codec
sparse_keymap          16384  1 asus_wmi
snd_pcm               118784  4 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,snd_hda_core
rfkill                 32768  2 asus_wmi
gpu_sched              36864  1 amdgpu
glue_helper            16384  1 aesni_intel
ttm                   114688  1 amdgpu
snd_timer              45056  1 snd_pcm
drm_kms_helper        204800  1 amdgpu
video                  49152  1 asus_wmi
pcc_cpufreq            20480  0
pcspkr                 16384  0
snd                    98304  20 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek,snd_timer,snd_pcm
drm                   487424  12 gpu_sched,drm_kms_helper,amdgpu,ttm
evdev                  24576  31
sg                     36864  0
soundcore              16384  1 snd
i2c_algo_bit           16384  1 amdgpu
sp5100_tco             20480  0
efi_pstore             16384  0
k10temp                16384  0
efivars                20480  1 efi_pstore
fam15h_power           16384  0
button                 16384  0
acpi_cpufreq           28672  0
wmi_bmof               16384  0
mxm_wmi                16384  0
iptable_nat            16384  0
nf_nat_ipv4            16384  3 ipt_MASQUERADE,nft_chain_nat_ipv4,iptable_nat
nf_nat                 36864  1 nf_nat_ipv4
nf_conntrack          159744  4 xt_conntrack,nf_nat,ipt_MASQUERADE,nf_nat_ipv4
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
ecryptfs              122880  0
parport_pc             32768  0
ppdev                  24576  0
nfsd                  425984  13
lp                     20480  0
auth_rpcgss            69632  1 nfsd
nfs_acl                16384  1 nfsd
lockd                 118784  1 nfsd
parport                61440  3 parport_pc,lp,ppdev
grace                  16384  2 nfsd,lockd
sunrpc                421888  18 nfsd,auth_rpcgss,lockd,nfs_acl
efivarfs               16384  1
ip_tables              28672  1 iptable_nat
x_tables               49152  7 xt_conntrack,nft_compat,xt_tcpudp,ipt_MASQUERADE,xt_CHECKSUM,ipt_REJECT,ip_tables
autofs4                49152  2
ext4                  733184  2
crc16                  16384  1 ext4
mbcache                16384  1 ext4
jbd2                  126976  1 ext4
fscrypto               36864  1 ext4
dm_mod                151552  3
hid_generic            16384  0
usbhid                 61440  0
hid                   147456  2 usbhid,hid_generic
raid10                 65536  1
sd_mod                 53248  13
raid456               176128  0
async_raid6_recov      24576  1 raid456
async_memcpy           20480  2 raid456,async_raid6_recov
async_pq               20480  2 raid456,async_raid6_recov
async_xor              20480  3 async_pq,raid456,async_raid6_recov
async_tx               20480  5 async_pq,async_memcpy,async_xor,raid456,async_raid6_recov
xor                    24576  1 async_xor
raid6_pq              122880  3 async_pq,raid456,async_raid6_recov
libcrc32c              16384  3 nf_conntrack,nf_nat,raid456
crc32c_generic         16384  0
raid1                  49152  1
raid0                  24576  1
multipath              20480  0
linear                 20480  0
md_mod                167936  8 raid1,raid10,raid0,linear,raid456,multipath
ohci_pci               20480  0
ahci                   40960  9
libahci                40960  1 ahci
xhci_pci               20480  0
ohci_hcd               57344  1 ohci_pci
ehci_pci               20480  0
libata                278528  2 libahci,ahci
crc32c_intel           24576  3
r8169                  90112  0
xhci_hcd              258048  1 xhci_pci
realtek                20480  1
ehci_hcd               94208  1 ehci_pci
libphy                 86016  2 r8169,realtek
i2c_piix4              28672  0
usbcore               286720  7 xhci_hcd,ohci_hcd,ehci_pci,usbhid,ehci_hcd,xhci_pci,ohci_pci
scsi_mod              241664  3 sd_mod,libata,sg
wmi                    36864  3 asus_wmi,wmi_bmof,mxm_wmi

And here are the modules configurations in /etc/modprobe.d/:

blacklist microcode
blacklist radeon
options md_mod start_ro=1
options cirrus modeset=1
options mgag200 modeset=1

What am I missing?

I've configured a Ubuntu Bionic Beaver client to authenticate against a Samba ADS (Zentyal), using sssd. This guide was more or less all it took to get there. EDIT: see my answer to get a quote of the meaning of that "more or less". EDIT2: mentioned guide has been (re?)moved, but it couldn't work on Ubuntu 20.04 and newer anyway.

Then I configured pam_mount so that home directories are kept on the server, and my client mounts those for logging in users. It seems to work, with a few issues that show up only when logging in with an AD account. When logging in with a local account, all works as expected (but no pam_mount is involved in that case).

The issues are:

1. keyboard layout is english even if the system is all italian, and the input method is configured as italian.
2. I can't add launchers to the Ubuntu Dock (it says it has been added, but it does not show up)
3. (which seems to be 1+2) I can't add any new languages, much like I can't add launchers to the Dock

Here is my /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <debug enable="0" />
    <volume user="*" fstype="cifs" server="zentyal" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlmssp,nodev,nosuid,mfsymlinks,nobrl" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <logout wait="0" hup="no" term="no" kill="no" />
    <mkmountpoint enable="1" remove="true" />
</pam_mount>

Any clues?

I need to mirror a website and deploy the copy under a different domain name. The mirroring procedure should be all automatic, so that I can update the copy on a regular basis with cron.

The mirror MUST NOT be a real mirror, but it MUST be static copy, e.g. a snaphot of the site at a specific time, so I think wget might fit.

As of now, I've come up with the following script to get a copy of the original site:

#!/bin/bash

DOMAIN="example.com"

cd /srv/mirrors
TMPDIR=$(mktemp -p . -d)
cd "${TMPDIR}"

wget -m -p -E --tries=10 --convert-links --retry-connrefused "${DOMAIN}"

cd ..
rm -rf oldcopy
mv "${DOMAIN}" oldcopy
mv "${TMPDIR}/${DOMAIN}" "${DOMAIN}"
rmdir "${TMPDIR}"

The resulting copy is then brought to you by Nginx under the new domain name, with a simple configuration for a local static site, and it seems to work.

Problem is the origin server produces web pages with absolute links in them, even when the links point to internal resources. E.g. a page at https://example.com/page1 contains

<link rel="stylesheet" href="https://example.com/style.css">
<script src="https://example.com/ui.js"/>

and so on (it's WordPress). No way I can change that behavior. wget then does not convert those links for local browsing, because they are absolute (or, at least, I think that's the cause).

EDIT: the real domain name is assodigitale.it, though I need a script that works regardless of the particular domain, because I will need it for a few other domains too.

Can I make wget convert those links to the new domain name?

I'm trying to configure Nginx as a caching reverse proxy. The origin server is Apache and it hosts a WordPress instance, if that matters.

The reverse proxy functionality is working as expected, but the cache does not seem to work. If I get the same static resource twice in a row, I get x-proxy-cache: MISS twice.

assodigitale.it is the domain, 138.201.87.123 the origin server IP address and 138.201.87.124 the Nginx proxy IP address.

The origin server seems to reply allowing proxy to cache the resource:

$ curl --connect-to ::138.201.87.123:443 --http2 -I https://assodigitale.it/wp-content/uploads/2018/03/aereo.jpg
HTTP/2 200 
date: Sun, 11 Mar 2018 20:59:39 GMT
server: Apache/2.4.25 (Debian)
content-length: 32989
strict-transport-security: max-age=31536000; includeSubdomains; preload
last-modified: Wed, 07 Mar 2018 09:34:41 GMT
etag: "80dd-566cf44ca2952"
accept-ranges: bytes
vary: Accept-Encoding
cache-control: max-age=1209600, public
x-content-type-options: nosniff
content-type: image/jpeg

The first request to the proxy server results in a MISS, as expected:

$ curl --connect-to ::138.201.87.124:443 --http2 -I https://assodigitale.it/wp-content/uploads/2018/03/aereo.jpg
HTTP/2 200 
server: nginx/1.13.9
date: Sun, 11 Mar 2018 21:04:00 GMT
content-type: image/jpeg
content-length: 32989
strict-transport-security: max-age=31536000; includeSubdomains; preload
last-modified: Wed, 07 Mar 2018 09:34:41 GMT
etag: "80dd-566cf44ca2952"
vary: Accept-Encoding
cache-control: max-age=1209600, public
x-content-type-options: nosniff
x-proxy-cache: MISS
strict-transport-security: max-age=4838400; includeSubDomains; preload
accept-ranges: bytes

The second request to the Nginx proxy shoud result in a HIT, but it results in another MISS:

$ curl --connect-to ::138.201.87.124:443 --http2 -I https://assodigitale.it/wp-content/uploads/2018/03/aereo.jpg
HTTP/2 200 
server: nginx/1.13.9
date: Sun, 11 Mar 2018 21:05:52 GMT
content-type: image/jpeg
content-length: 32989
strict-transport-security: max-age=31536000; includeSubdomains; preload
last-modified: Wed, 07 Mar 2018 09:34:41 GMT
etag: "80dd-566cf44ca2952"
vary: Accept-Encoding
cache-control: max-age=1209600, public
x-content-type-options: nosniff
x-proxy-cache: MISS
strict-transport-security: max-age=4838400; includeSubDomains; preload
accept-ranges: bytes

Here is the relevant part of my nginx config:

proxy_cache_path /srv/cache/nginx levels=1:2 keys_zone=revproxy:2000m inactive=2880m use_temp_path=off;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_methods GET HEAD;
proxy_cache_valid any 1m;
proxy_cache_valid 200 1440m;

server {
    listen 443 ssl http2;
    ssl on;
    server_name assodigitale.it;

    ssl_certificate /etc/letsencrypt/live/assodigitale.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/assodigitale.it/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_cache revproxy;
        add_header X-Proxy-Cache $upstream_cache_status;
        add_header Strict-Transport-Security "max-age=4838400; includeSubDomains; preload";

        proxy_pass  https://138.201.87.123;
        proxy_cache_use_stale updating error timeout http_500 http_502 http_503 http_504;
        proxy_cache_bypass $http_x_forceflushcacheurl;
        proxy_cache_lock on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header Upgrade;
        proxy_buffering off;
        proxy_connect_timeout       600;
        proxy_send_timeout          600;
        proxy_read_timeout          600;
        send_timeout                600;
        proxy_ignore_headers Set-Cookie;

        http2_push_preload on;
        client_max_body_size 64M;
    }
}

The /srv/cache/nginx directory has 755 permissions and www-data owner, and Nginx runs as www-data. In fact Nginx does write its folders in there, namely 0 1 2 3 4 5 6 7 8 9 a b c d e f, but the overall space taken is now 344Kb, for a site that is quite large and that has much more than casual traffic.

Trying the same curl commands above, but with pages instead of images, yelds just the same result, it's always a MISS.

Why is Nginx refusing to cache resources?

I need to login into several remote ssh servers during my admin work. I work with three different computers client side, all of them are Debian GNU/Linux systems. I keep a workspace directory where I put everything I need to do my job, and that directory contains, among other things, a bashrc file and a ssh_config file.

I manually sync that directory contents with a script that uses rsync from one client computer to the others as I move and start using a different client.

The local user on each of the three clients needs minimal configuration, so that if I need to create a new local user or reinstall a client, I have only to rsync the workspace and to add a reference to my custom workspace/bashrc in the real user's $HOME/.bashrc. My custom workspace/bashrc creates several aliases and I get my usual environment regardless of the client I'm using.

My custom workspace/bashrc creates aliases to connect to remote servers this way:

alias s1='ssh -F ~/workspace/etc/ssh_config server1.example.com'

and I log into server1 by just typing s1 in a terminal of any client, because my custom ssh_config sets the needed public key authentication options, the correct port server1 is listening on and the correct user.

Now this works like a charm, as long as the ssh command is what I need. Unfortunately, as soon as I need another command that in turn uses ssh, things become more chaotic.

E.g. if I need to rsync anything to one of those servers, I'm forced to write the whole ssh command:

rsync -Pavz --delete -e "ssh -F $HOME/workspace/etc/ssh_config" ...

Similar things happen with other commands such as scp, ssh-copy-id and others.

I'd like to be able to write

rsync -Pavz --delete -e "ssh" ...

instead, and have ssh take it's configuration file name from a environment variable, so that I can set that environment variable in my bashrc and every ssh invocation automagically works.

Is there such environment variable or is there a different solution to the problem?

I have inherited a site (a vbulletin forum) and migrated it from another hosting to mine, by copying everything with scp command. The root directory had the following .htaccess

RewriteOptions inherit

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "http\:\/\/example\.com\/forums\/content\/" [R=301,L]

I don't know how this was supposed to work, but it worked, regardless of the fact that the /forums/content/ folder did NOT exist. However, once moved to my hosting, it's stopped working, yielding a 404 error. Since the /forums/content.php file exists instead, I've edited the .htaccess like this:

RewriteOptions inherit

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "http\:\/\/example\.com\/forums\/content.php" [R=301,L]

Now it's working, with a glitch: my browser (and every other forum user browser) is caching the previous 301 redirect, so I can reach and use the forum only if I clear the browser cache (once), or if I enter the content.php URL by hand (every time).

I've tried the workaround to add a redirect from /forums/content/ to /forums/content.php, by adding a RewriteRule to .htaccess:

RewriteOptions inherit

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/forums/content/$ "http\:\/\/example\.com\/forums\/content.php" [R=301,L]
RewriteRule ^/?$ "http\:\/\/example\.com\/forums\/content.php" [R=301,L]

However it seems that rule is ignored, because the browser still gets a 404 error on the /forums/content/ directory and it does not redirect to content.php. What am I doing wrong?

In a virtual server (Debian GNU/Linux 8 amd64) I have the following disks and filesystems:

# pvscan 
  PV /dev/vda1   VG vg0   lvm2 [100.00 GiB / 0    free]
  PV /dev/vdb1   VG vg0   lvm2 [46.56 GiB / 0    free]
  PV /dev/vda2   VG vg0   lvm2 [100.00 GiB / 0    free]
  PV /dev/vdc1   VG vg0   lvm2 [60.00 GiB / 60.00 GiB free]
  Total: 4 [306.55 GiB] / in use: 4 [306.55 GiB] / in no VG: 0 [0   ]

# lvdisplay 
  --- Logical volume ---
  LV Path                /dev/vg0/root
  LV Name                root
  VG Name                vg0
  LV UUID                qpeei3-v1nW-pYVR-lK7Y-4wwy-Y4Y4-c9yQEl
  LV Write Access        read/write
  LV Creation host, time nomos, 2015-03-17 16:34:05 +0100
  LV Status              available
  # open                 1
  LV Size                246.56 GiB
  Current LE             63119
  Segments               3
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/dm-0       243G  135G   98G  59% /
[... no other on-disk filesystems]

The root filesystem is ext4.

Since /dev/vda has enough room for all my data, I want to remove /dev/vdb and /dev/vdc. The latter is there as a temporary space only to provide room for the needed maneuvers. The data on /dev/vdb1 should be moved to /dev/vda* before removing /dev/vdb1. However the root filesystem currently spans all three partitions /dev/vda1, /dev/vda2 and /dev/vdb1.

The problem is I can take the virtual machine down only for very short time periods (a few seconds, just reboots), so I can't reduce the size of the root filesystem, because that requires to unmount it and to keep the server down for quite a long time. I can add other disks though, up to 500GB, if needed.

I've run pvmove to move data off the drive:

# pvmove /dev/vdb1 
  Detected pvmove in progress for /dev/vdb1
  /dev/vdb1: Moved: 4.0%

and waited until it reached 100%. However pvmove moved the data to /dev/vdc1.

# pvs
  PV         VG   Fmt  Attr PSize   PFree 
  /dev/vda1  vg0  lvm2 a--  100.00g     0 
  /dev/vda2  vg0  lvm2 a--  100.00g     0 
  /dev/vdb1  vg0  lvm2 a--   46.56g 46.56g
  /dev/vdc1  vg0  lvm2 a--   60.00g 13.43g

And now? I could probably remove /dev/vdb1, but I'm stuck with my data on /dev/vdc1. What I actually need is to move the allocated inodes of the root filesystem off /dev/vdb1 to the free filesystem space in /dev/vda*. Then I dream I can move /dev/vdb1 out of the way because the filesystem moved to /dev/vda*. I realize it does not work that way automatically, but I'm not able to imagine a migration strategy that lets me do that even manually, without shrinking the root filesystem.

Can you help, please?

I pretend I've already tried everything out there, but my Debian 8 keeps creating core dumps when something crashes. It's happening about once or twice in a month. It's a production server for a few websites, with packaged Apache 2.4, php5-fpm and mysql. I suspect it's php5-fpm crashing because I get the dump file in the DocumentRoot folder. The file I get is named "core" and it is somewhere in the order of gigabytes in size.

Here is what I've already done to disable core dumps, without success:

ln -s /dev/null /etc/systemd/coredump.conf

and then rebooted. No dice.

echo '*               hard    core    0' >> /etc/security/limits.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
sysctl -p

and then rebooted. Still no dice. I've NOT set kernel.suid_dumpable to 0, because I found it later but when I found it I also read that zero is its default. These settings should not make any difference anyway, because php5-fpm is not setuid. The same goes for Apache and mysql, just in case it's not php5-fpm crashing.

For the time being there is a script that looks for core dumps and deletes them. Crontab does the rest, but it is not the best solution.

How do I globally and unconditionally disable core dumps in Debian 8?

I'm trying to configure a ZyWALL USG 200 firewall to let Windows XP remote clients (dynamic IP address) to connect to the workplace network with a L2TP VPN. I don't want to use certificates, a common username and password will be enough (and certificate management would be too much).

I'm not a L2TP expert, let alone IPsec, so please bear with me if I ask trivial questions or make blatant mistakes.

I've configured what I think should be a L2TP VPN on the USG200, however I get the following error in its log when I try to connect from the WinXP client:

1 2015-09-25 11:03:33 info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
2 2015-09-25 11:03:33 info IKE [SA] : No proposal chosen 192.168.0.1:500 84.223.99.164:500 IKE_LOG
3 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0xa212f247eeebfb4b [count=2] 192.168.0.1:500 84.223.99.164:500 IKE_LOG
4 2015-09-25 11:03:33 info IKE Recv:[SA][VID][VID][VID][VID] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
5 2015-09-25 11:03:33 info IKE The cookie pair is : 0xa212f247eeebfb4b / 0x214b5575aaa53052 84.223.99.164:500 192.168.0.1:500 IKE_LOG
6 2015-09-25 11:03:33 info IKE Recv Main Mode request from [84.223.99.164] 84.223.99.164:500 192.168.0.1:500 IKE_LOG
7 2015-09-25 11:03:33 info IKE The cookie pair is : 0x214b5575aaa53052 / 0x0000000000000000 84.223.99.164:500 192.168.0.1:500 IKE_LOG

(please note that the USG200 shows most recent log entries first). From a Google search I got that the error "No proposal choosen" might be caused by a mismatch between client and server in the IKE Phase 1 proposal configuration. From this document I assume that the following USG200 configuration should work, but it doesn't:

I obviously configred the VPN connection and the L2TP VPN too, but I guess those configuration are not relevant, at least not for the time being. Unfortunately I can't tell why it's not working or if it's the firewall or the client to blame. I can't seem to be able to get any relevant log to diagnose the problem from Windows, so here is how I configured the connection:

Can you please help me understand what I'm doing wrong?

I've inherited the sysadmin role on a server that's running a wordpress website on top of Apache 2.4/Debian. It almost works, but it is issuing "500 internal server error" from time to time. In my error.log file I see:

End of script output before headers: php5, referer: http://www.xxxxxxx.xxx/wp-admin/post-new.php

I think the server is running mod_fcgid system wide, since I have

/etc/apache2/conf-enabled/fcgid.conf 

with the following contents:

<Location />
  AddHandler fcgid-script .php
  Options +ExecCGI +FollowSymLinks
  FcgidWrapper /usr/bin/php-cgi .php
</Location>

<Files ~ (\.php)>
    AddHandler fcgid-script .php
    FCGIWrapper /usr/lib/cgi-bin/php5 .php
    Options  ExecCGI FollowSymLinks
    allow from all 
</Files>

and I've found other questions, here and here, that are about the same error I get and that cite some mod_fcgid misconfiguration as the possible cause (wrong values in PHP_FCGI_CHILDREN and PHP_FCGI_MAX_REQUESTS variables). A reply in this forum also suggests a fcgid misconfiguration and seems to give more details about the problem (a possible bottleneck in number of accepted threads/connections), but it lacks a step-by-step explanation of what to do.

I'm no mod_fcgid expert. Can you help me understand where and how I should set the correct values for PHP_FCGI_CHILDREN and PHP_FCGI_MAX_REQUESTS variables?

I'm trying to configure php and mod_spdy on Apache 2.4, Debian jessie, x64. I've followed this guide and configured Apache following this other guide and installed these packages:

libapache2-mod-fcgid
php-cgi
php5-fpm

I now have problems with php applications: when I try to open them I get a 403 Forbidden. Here is my /etc/apache2/conf-enabled/fcgid.conf

<Location />
  AddHandler fcgid-script .php
  Options +ExecCGI
  FcgidWrapper /usr/bin/php-cgi .php
</Location>

And the error I get in /var/log/apache2/error.log

AH01630: client denied by server configuration: /usr/lib/cgi-bin/php5

I've tried adding

Order allow,deny
Allow from all

to the in the PHP application VirtualHost, but the result is just the same. Why am I getting the 403?

I want to repartition my disk. My current partition table is as follows:

Disk /dev/vda: 1 TiB, 1136018849792 bytes, 2218786816 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x9039e337

Device     Boot     Start       End   Sectors   Size Id Type
/dev/vda1  *         2048 224610303 224608256 107,1G 8e Linux LVM
/dev/vda2       224610304 226490367   1880064   918M 8e Linux LVM

I want to remove /dev/vda2 and extend /dev/vda1 up to fill the whole disk. Here is my current physical volumes status:

--- Physical volume ---
PV Name               /dev/vda1
VG Name               vg0
PV Size               107,10 GiB / not usable 4,00 MiB
Allocatable           yes (but full)
PE Size               4,00 MiB
Total PE              27417
Free PE               0
Allocated PE          27417
PV UUID               XKfnoJ-VBxR-reLg-eE5n-h2yM-W5wt-RTbEcK

--- Physical volume ---
PV Name               /dev/vda2
VG Name               vg0
PV Size               918,00 MiB / not usable 2,00 MiB
Allocatable           yes 
PE Size               4,00 MiB
Total PE              229
Free PE               229
Allocated PE          0
PV UUID               2xT1xt-wYCF-fDzm-f36Q-zeIc-xR0Y-Mf3sCo

Am I correct if I say that I can safely

vgreduce vg0 /dev/vda2

without pvmove-ing /dev/vda2 beforehand, because that physical volume is not being used?