RandomInsano's questions

I seem to be having a problem where Ansible isn't using my SSH agent cache. I've run the following:

eval `ssh-agent`
ssh-add /tmp/key

Then I successfully log into one of the hosts from my inventory just fine:

ssh -i /tmp/key [email protected]

When using ansible on my Windows machine within WSL, the following ends with a weird single-line, triple ask (one for each in my inventory)

ansible --key-file /tmp/key -i ./hosts all -m ping

Output:

Enter passphrase for key '/tmp/key': Enter passphrase for key '/tmp/key': Enter passphrase for key '/tmp/key':
repo | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
    "unreachable": true
}


follower | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
    "unreachable": true
}


leader | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
    "unreachable": true
}

I believe Ansible should be using Paramiko for SSH but I assume it would talk with my SSH agent anyway. Any guesses why this isn't working?

This is also running on WSL on Windows 10 if that matters.

Here is the output with "-vvv":

ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/tmp/key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/mnt/c/Users/me/.ansible/cp/58691c2f88 1.2.3.4 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

This times out when run from the command line

TL;DR: How do you isolate php-fpm for different websites running on the same web host?

I'm hosting a Dockerized deployment of Wordpress and it's going well enough that I want to host a few more Wordpress installs. The problem is that I don't like the idea of all sites sharing the same running instance of PHP on the same web root. I'm trying to avoid one bad plugin compromising all websites hosted on the machine.

The deployment looks something like this:

• Docker Compose
  • nginx (virtual servers, read only mounts of web roots)
  • mariadb
  • php-fpm (full read/write of web root)

My current plan is to just start up independent php-fpm instances per Wordpress install and have them mount a sub-directory of the web root. That'll work but it brought up the question of how do traditional sysadmins who don't need to trust their clients deal with multiple virtual hosts?

I'm working with a tool that runs programs on behalf of hundreds users on multiple machines. This works fine on Linux because I can just run as "root" and use su or sudo to impersonate them without a password.

On Windows, runas has the "/savecred" option, but that won't help if there are hundreds of machines and hundreds of users. Typing 10,000 passwords that I should not know just isn't going to happen.

On the accounting side, this work should be done by the user who requested it so becoming their account is the right thing to do.

Now, I was under the impression that there was an ACL that could be applied to an account that would allow it to run a process as another user without requiring a password. Has anyone heard of this? I've dug around here already and no such luck.

If there is, how do you set it up and can I make use of runas or do I have to write a C/C++ app to make my own tool?

Thanks!

So, I'm playing with a couple of QLogic QLA2340s connected directly together. I've got options here to either have them act as a loop, or in point to point mode.

What's the difference if I'm only going to have two machines connected together? Is point-to-point more efficient? The firmware has an option to prefer loop, then fall back to p2p.

Anyone have any idea if there are performance benefits or drawbacks? It's pretty hard to find that information.

[edit] It also turns out my borrowed fiber cable has a break on one of the channels, so I can't actually do real-world tests to figure out which is better. Not until I find someone who's willing to split the shipping from the cheap-cables website.

So, we may have some sort of zainy leak in our software. We're using Mono and spawning many processes over the course of weeks/months. Eventually, we can't spawn anymore on our clients machines. It usually take ~20 hours for things to stop. Closing and re-opening our application fixes it.

When spawning fails, There are fewer than 500 total processes running, and fewer than 1000 file handles over the entire system. ulimits on files are set to high-ish levels, process limit is around 8K I believe. We're running CentOS 6.2.

If we are leaking these PIDs or handles and somehow the standard ps and lsof commands just aren't showing them (neither is /proc), I need a way to tap into the Kernel or something else to see what the current values are that these limits test against.

Once we confirm that's the problem, I get the fun task of trying to decipher what's causing it... But that's for another day.

This application works on many many many other Linux machines with no problems as far as we know (other clients haven't reported this problem to us).

Any ideas how I could find the value of the metrics that ulimit sets bounds for? I'm desperately hoping I don't have to write C programs myself, but I'm not above doing it if necessary.

Alright, so I've made a user and a group using dscl as follows:

dscl . -create /Users/deadline
dscl . -create /Groups/deadline
dscl . -append /Groups/deadline GroupMembership deadline

Now I'm trying to chown things like so:

mkdir /tmp/stuff
chown deadline:deadline /tmp/stuff

But the problem is that it sets the user and group to nobody instead of this user 'deadline'. What magic voodoo property do I need to add to the user and group to have it set the unix permissions properly?

Also, why must Apple hate me and my Unix background :(

Is this even possible anymore? I've seen tutorials which use niutil (not available on my Mac) and dscl.

My output from dscl is the following though, kind of odd:

neutron:~ username$ sudo dscl / -create /Users/deadline
Data source (/) is not valid.

I've migrated my zfs pool back into Solaris 11. I'd been happily sharing files on linux with ZFS-fuse and samba before, and FreeBSD 8.1 using samba before that.

I have some data sets within data sets in ZFS something like the following:
tank/home/share/
tank/home/share/Photos
tank/home/share/Music

because Photos and Music needed different properties than the base share. Now using

zfs set sharesmb=name=Share tank/home/share

will share the base files in tank/home/share just fine, but it won't allow clients to view Photos or Music. This is a HUGE problem. I can't seem to get it working with sharemgr either. Is this some horrible oversight by SnOracle? Is there anything I can do to have my datasets shared under Share? I don't want to have Share_Photos and Share_Music on my clients.

Should I just go back to using samba on Solaris 11? It seems terribly redundant to have two systems installed.

I need a way to identify users that won't change if our e-mail or username naming conventions change; they have in the past. We use LDAP, but our international offices use Active Directory, so I'm a little green here.

I've noticed from a dump that all users have a unique value assigned to uSNCreated. Is this globally unique for a user? Will it change if any of their properties change? Is this my holy grail of unique identifiers for AD?!

Half of my ZFS filesystems are hidden in ZFS-fuse. Here's my story:

So, I love ZFS. I used it for about six months on FreeBSD, but due to it crashing the kernel during heavy inter-filesystem IO load, I tried switching to Solaris 5.10.

That was good, but when I attempted to do an import of my Version 13 pool into its Version 4 version of ZFS, there were some heafty problems. It may have tried to correct the filesystem definitions, I don't know.

Since that version wasn't compatible with my pool, I've now switched to Ubuntu Server 10.4. That version more than supports that of my pool, but I can only see half of my filesystems. The filesystems I can see are the same as those Solaris could see.

Now, despite those filesystems not being preset in a 'zfs list' command, I can still set properties on them and I can even still mount them and read and write files, but they just plain don't show up in 'zfs list'.

I've mounted the major ones, but I'm not sure what other filesystems there are anymore (I have about eight that I can't see).

Anyone have any idea what the heck is going on? I think I might try booting back into FreeBSD 8 (I still have the main boot drive laying around for that) and see if at least it is able to view the filesystems.

I've also done a scrub while in Linux, and it found no errors with any of the data. Oddly, DMA read errors which caused problems on FreeBSD ZFS are reported by Linux, but ZFS-fuse doesn't find an error. That's a topic for another post however.

I'm going to try this anyway right now, but since it's a decent question I thought I should throw it on Server Fault. I'd like a reason why they shouldn't work since the Kernel is so old.

I have two servers, one in production and one for development.

The production server is Solaris, dev is FreeBSD. Because of this, python is installed in different directories.

I'm using Python right now for making CGI scripts, and needing to remember to swap my hashbangs when I copy from dev to production is a little annoying (Same issue for SVN updates depending on which server I'm comitting from).

Is there a way to configure apache so that I no longer need to hashbangs? Like, if it would lauch python and supply the CGI script for it? Might be a bit of a stretch, but no harm in asking

I'm going to build a ZFS file server from FreeBSD. I learned recently that I can't expand a RAIDZ udev once it's part of the pool. That's a problem since I'm a home user and will probably add one disk a year tops.

But what if I set copies=3 against my entire pool and just throw individual drives into the pool separated? I've read somewheres that the copies will try and distribute across drives if possible. Is there a guarantee there? I really just want protection from bit rot and drive failure on the cheap. Speed's not an issue since it'll go over a 1Gb network and at MOST stream 720p podcasts.

Would my data be guaranteed safe from a single drive failure? Are there things I'm not considering? Any and all input is appreciated.

So fun times this weekend trying to build a simple OpenBSD bridge for my XBox360. I want my ural network card to be bridged with my re network card to forward some traffic. Bleh.

I essentially cloned everything from http://www.openbsd.org/faq/faq6.html#Bridge but changed the device names and the fancy wireless setup.

The system connects to my Wifi router, grabs an IP, the bridge is up as far as I can tell (pftop says packets are getting through from one interface to another), all is wonderfulish.

Problem is, I get NO response from DHCP, or anything for that matter comming back into the bridge. Why am I getting no responses (including telnet into my router's web interface)?

Configs are as follows (or close anyhow, doing this from memory):

bridgename.bridge0:

re0
ural0
up

hostname.ural0: (Names and passworkds have been changed to protect the innocent)

dhcp              \
nwid   'blah'     \
wpapsk 'passverd' \

hostname.re0:

up

pf.conf:

pass in  quick on ural0 all
pass out quick on ural0 all
pass in  quick on re0   all
pass out quick on re0   all

rc.conf:

Some stuff about routing is turned on (this was after failure, and really routing shouldn't need to be done on a bridge anyway).

I mean, it should be brain-dead simple. Why is this thing being such a huge pain?! I've done this in Linux once and that worked fine. Stupid everything...