Paul's questions

Maybe I'm looking at this the wrong way, but I'm trying to setup my gitlab ci to be able to autodeploy code on push. Seems like a fairly simple process, and I've successfully gotten most of it working. I may be completely misunderstanding how systemd works, also, as I'm fairly new to it.

I have a node application that I'm pushing to gitlab, and that will successfully kick off deploy logic, but the last step I'm doing is to restart the application in order to make sure I'm actually pulling in all the code changes (as I understand it, changes to modules would not happen w/o restarting the service, as the npm cache keeps modules in memory once required).

My gitlab ci yaml file looks like this:

stages:
  - deploy

deploy-prod:
  stage: deploy
  variables:
    BRANCH_REF: master
  script:
    - git fetch
    - git checkout $BRANCH_REF
    - git pull origin $BRANCH_REF
    - npm install
    - rm -rf /opt/my-app/www
    - ln -s $CI_PROJECT_DIR /opt/my-app/www
    - sh /home/gitlab-runner/restart.sh
  tags:
    - production

I probably don't need the indirection of the symlink, but that doesn't matter for this question. I made that restart.sh file because I was getting the error sudo: sorry, you must have a tty to run sudo, and I thought I could wrap it in a shell file. But that didn't change things.

So, how do I let my gitlab-runner user restart the service when it updates the files?

My systemd config looks like this:

[Unit]
After=mongod.service

[Service]
ExecStart=/usr/bin/node /opt/my-app/www/server
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=my-app
User=my-app
Group=my-app
Environment=NODE_ENV=production

And my visudo is setup to allow the git-runner user to run systemctl restart my-app.service without a password, and I've tested that successfully by su'ing to gitlab-runner and running the command without error but again the error indicates I should not even be allowed to use the keyword sudo at all. Here's the relevant sudoers entry:

gitlab-runner ALL=(ALL) NOPASSWD: /bin/systemctl restart my-app

Thanks

Just getting started with a new ELK setup (never used it before, just trying to learn it). I have Logstash 2.2.4 running on ubuntu 14.04 LTS.

After putting a yaml file down with my monitor user's AWS credentials (policy configured as per the documentation via copy/paste), I created the following .conf file in /etc/logstash/conf.d:

input {
  cloudwatch {
   metrics => ["CPUUtilization"]
   filters => { "tag:Monitoring" => "Yes" }
   region => "us-east-1"
   namespace => "AWS/EC2"
   aws_credentials_file => "/var/opt/aws.yaml"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}

I have three servers in us-east-1 with the tag "Monitoring" set to "Yes", but when I tail my logstash logs it is erroring out that there are no metrics to query. An example error entry (formatted for readability):

{
  :timestamp=>"2016-10-31T13:38:06.314000-0400", 
  :message=>"A plugin had an unrecoverable error. Will restart this plugin.\n  
  Plugin: <LogStash::Inputs::CloudWatch 
              metrics=>[\"CPUUtilization\"], 
              filters=>{\"tag:Monitoring\"=>\"Yes\"}, 
              region=>\"us-east-1\", 
              namespace=>\"AWS/EC2\",  
              aws_credentials_file=>\"/var/opt/aws.yaml\", 
              codec=><LogStash::Codecs::Plain charset=>\"UTF-8\">, 
                     use_ssl=>true, 
                     statistics=>[\"SampleCount\", \"Average\", \"Minimum\", \"Maximum\", \"Sum\"], 
                     interval=>900, 
                     period=>300, 
                     combined=>false>\n  Error: No metrics to query", :level=>:error}

EDIT

Based on the comment, I updated my policy for the service user whose credentials are in the above mentioned .yaml file. This did not change the behavior, here is what my policy currently looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1444715676000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1444716576170",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

In checking that I had actually assigned the policy to the user correctly, I noticed that at some point in debugging I also assigned the 'CloudWatchReadOnlyAccess' policy, which looks like this (in case it breaks something):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "logs:Get*",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This is actually my first time using something other than the pre-defined policies, so I'm thinking perhaps I missed something in the writing of it.

I have a newly configured (not by me) NetApp FAS-2040 running OnTAP 8.0.2. It's spewing a log message every 15 seconds:

[perf.archive.file.close.fail:warning]: Performance archiver failed to close file: /etc/log/stats/archive/stats_archive_data_{numbers}.gz. (11079)

My Googlefu is not strong enough to find a relevant answer to how to fix the issue, or even how to troubleshoot it.

As the title says, I have an SELinux instance on EC2 that I haven't used for a while. I have been unable to access it via ssh since firing it back up. I have accessed it from this machine in the past, and the security group stuff on AWS is setup to allow ssh access.

I can't login to the machine at all, so all my fixes have been limited to what I can do by mounting the root volume to a new EC2 instance and doing what I can that way.

Here's what I've tried so far:

1) Tried copying my ssh key into the ssh user's authorized_keys file. Password prompt is still presented when I try to SSH.

2) Verified that sshd_config has PasswordAuthentication no

3) Used chroot to set the mounted volume as root and then reset the password of the user I'm trying to login as. There's no error from this, but the new password doesnt work at the prompt over ssh.

4) There's no password on the ssh key I'm using, so that's not what I'm being prompted for.

5) Again using chroot, I tried using the 'restorecon' command on the .ssh folder for the user in question

6) Ensured the user's .ssh directory has permissions set to 700 and the .ssh/authorized_keys file has them set to 600

So far, still no joy. What else can I try?

Trying to debug a problem with a classic asp app that I have to get running on some internal servers.

Running IIS 7.5 on Server 2008 R2, I'm getting most pages working OK, but one page (so far) that is supposed to lookup a file location in the DB, then stream that file from the file system to the client is not working. It's immediately (15ms) losing the connection; the server HTTPERR logs report the request coming in and say dropped_connection.

It happens on all the files that use that download url, and I've verified that the database has the correct paths and the files are located in the right paths. I've also checked permissions, and the app pool identity has Full Control permissions on the file location.

NOt really sure what else to check, any ideas?

Trying to push Flash 11 to my domain's Windows 7 machines (which all have IE 9) through GPO was not working, so as a debug step I decided to install it manually and see if perhaps it was a rights thing or whatever.

Turns out that installing it manually doesn't work correctly either. Running the adobe-provided installer results in Flash player 11 showing up in the Programs and Features list, but it does not show up in IE 9's addon manager, even after restarting flash and rebooting the computer. Perhaps not surprisingly, flash content also doesn't work and I get the usual notice from the object tag snippet that Flash recommends folks to use that asks me to install the latest version of flash player.

Not really sure how to debug this. I'm not seeing errors on the install or in the event viewer, and all the online advice I can find tells me to use the add-on manager to unblock the flash object and similiar; none of which can I do since it's not showing up in the add-on manager.

Not sure what I'm missing, but my current company machine is unable to SSH to an AWS instance we have running for a project. Here are the particulars:

• Other folks in my organization (and from my office) can SSH to it, using their hardware
• I have done so in the past, as recently as a week and a half ago
• I can SSH to internal servers (ie ones inside our firewall)
• All other traffic that has to go through the firewall seems to work fine (e.g. I can curl from the command line to the AWS server in question w/o problem)
• Mac version is OS X 10.7.4

Running ssh with the -vvv command yields little to help me:

$ ssh -vvv [email protected]
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.com [**.**.**.**] port 22.
debug1: connect to address **.**.**.** port 22: Operation timed out
ssh: connect to host **.**.**.** port 22: Operation timed out

Not sure where else to look. I thought it might be a proxy thing, but a) I haven't changed proxy settings afaik, and b) others w/ the same proxy settings aren't having the same problem.

I have a lab(ish) environment where I have a single domain in a single forest. I have a Windows 7 image for the clients that was given to my by my organization (I didn't build it, not entirely sure who did) and I'm finding that there are a number of items that users (even admin users, even domain admin users) can't change in the Windows 7 environment, including but not limited to Trusted Sites in IE, Power Options (specifically, configuring when to lock the display), etc. Those are the main two that I want to affect, but am presented the message that "some settings are controlled by your administrator.." that I've seen about a million posts about.

What I've tried so far - Group Policies - Registry settings - Local Security Policies - Unlocking the 'hidden' admin & using them - Adding the users to the 'restricted group'

None of these seem to have an effect. The Group policies are applied, and GPResult show the as I would expect. As an example, I see a custom power profile that I applied in a GPO, and it even sets all the settings as I had it, except the 'disable display' setting, which is still set to what it was w/o my policy, and is still grayed out to prevent change.

Is there anything else I can look at to regain control over my client machines?

**** UPDATE **** I didn't call it out before explicitly, but I have moved the computer into a new OU that doesn't inherit the GPO, and per suggestion I removed the machine from the domain. The settings remained in place. When that failed, I re-enabled the local admin and logged on as same to see if that would solve the issue, it did not. I suspected from the beginning that whatever the issue is was done at the image level, since all the workstations are built off the same image and (as demonstrated) it seems to be a setting that's neither set by the domain nor ignorable via group policies (at least not by means that I'm aware of)

So I'm setting up a virtual path when pointing at a node.js app in my nginx conf. the relevant section looks like so:

location /app {
  rewrite /app/(.*) /$1 break;
  proxy_pass http://localhost:3000;
  proxy_redirect off;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Works great, except that when my node.js app (an express app) calls a redirect.

As an example, the dev box is running nginx on port 8080, and so the url's to the root of the node app looks like:

http://localhost:8080/app

When I call a redirect to '/app' from node, the actual redirect goes to:

http://localhost/app

Got a weird one. I have one user in my domain of several hundred who is experiencing this problem. His account can send and receive just fine when using OWA, but he can only receive (not send) when using Outlook. All traffic is for internal recipients.

I have tried setting him up w/ a fresh install of Outlook, I've tried using a new computer w/ a fresh install of Outlook as well. I have likewise tried removing the exchange features from his account and re-adding them (he's a new user, so losing the MB wasn't a big hit). No joy on any of this.

On the Exchange server, I see the messages in the queue that's got the fully qualified name of the primary exchange server, and they're all listed as state of Retry.

Any ideas?

I have a stand-alone active directory forest that's not on the internet at all. I want to know if it's possible to create a second lookup zone in DNS that serves DNS records for a second domain, or if I need to actually create a full-up second domain in order to do so.

Every method I've tried winds up appending my new domain name to the other one for the FQDN.

To be clear, I want my AD DNS to serve records for both:

example.com and myOtherExample.com

but I don't want myOtherExample.com to be a subdomain in the DNS tree. Is there any way to do that?

I'm trying to setup a git repository on an existing Windows 2008 (R2) server. I have successfully installed Cygwin & added git and ssh to the packages, and everything works perfectly (thanks to Mark for his article on it).

I can ssh to localhost on the server, and I can do git operations locally on the server. When I try to do either from the client, however, I get the "port 22, Bad file number" error. Detailed SSH output is limited to this:

OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Connecting to {myserver} [{myserver}] port 22.
debug1: connect to address {myserver} port 22: Attempt to connect timed out without establishing
        a connection
ssh: connect to host {myserver} port 22: Bad file number

Google tells me that this means I'm being blocked, usually, by a firewall. So, double-checked the firewall settings on the server, rule is there allowing port 22 traffic. I even tried turning off the firewall briefly, no change in behavior. I can ssh just fine from that client to other servers. The hosting company swears that there's no other firewalls blocking that server on port 22 (or any other port, they claim, but I find that hard to believe). I have another trouble ticket into them, just in case the first support person was full of it, but meanwhile I wanted to see if anyone could think of anything else it can be.

Thanks, Paul

I have a friend who purchased a domain name recently that he found out (after buying it) is apparently blocked by many corporate firewalls or proxies b/c it's been tagged as porn by the blacklist db they're using.

Are there any common agencies he can appeal to in order to get the domain name off the black lists?

It's not just one corporation, either, he's looking at marketing a subscription-based service to a certain industry, so any contacting a particular firewall/proxy admin and have them manually update the blacklist won't scale well.

Thanks in advance. Paul