user35042's questions

I am writing an AWS Lambda function to trigger an ECS Fargate task. I am following the example provided at Run tasks with AWS Fargate and Lambda. While my setup works, there is one of the parts involving IAM roles that I do not understand.

One of the steps is to create an ECS task. I create that task with its "Task execution IAM role" left at ecsTaskExecutionRole. According to the info on the ECS task setup page, the "Task execution IAM role" is

The role that authorizes Amazon ECS to pull private images and publish logs for your task. This takes the place of the EC2 Instance role when running tasks.

Next, I create the Lambda function. Part of that Lambda function setup is the creation of another IAM role because, according to the "Run tasks with AWS Fargate and Lambda" page,

The Lambda would need IAM role with 2 policies - one to run the task, and second to pass the ecsTaskExecutionRole to the task.

The role looks like this (I have compressed the white-space to save space):

{   "Version": "2012-10-17",
    "Statement": [
        {   "Sid": "Stmt1512361420000",
            "Effect": "Allow",
            "Action": [
                "ecs:RunTask"
                 ],
            "Resource": [ "*" ]
        },
        {   "Sid": "Stmt1512361593000",
            "Effect": "Allow",
            "Action": [ "iam:PassRole" ],
            "Resource": [ "arn:aws:iam::************:role/ecsTaskExecutionRole" ]
        }
    ]
}

What I don't understand is why the Lambda function has to have this iam:PassRole permission. Why does the Lambda function have to "pass the ecsTaskExecutionRole to the task"? Doesn't the ECS task get that role assigned automatically when it runs due to the fact that I set "Task execution IAM role" to ecsTaskExecutionRole? If not, then what is the point of the "Task execution IAM role" setting?

I am running Debian Linux jessie with OpenSSH version 6.7. I use the AuthenticationMethods directive in /etc/ssh/sshd_config. I know that these strings are recognized by AuthenticationMethods:

keyboard-interactive
gssapi-with-mic
password
publickey

Where can I find a list of all the valid strings that can be used with AuthenticationMethods? (Such a list is not in the man page for sshd_config.)

I am having trouble with the prerotate script in logrotate 3.12.2. The script I specify in the prerotate/endscript section is not receiving the name of the file to be rotated as the first argument ($1).

Here is the logrotate configuration:

compress
/external-logs/syslog {
  daily
  rotate 3
  olddir OLD
  missingok
  prerotate
    /root/filter-syslog.sh
  endscript
}

Here is /root/filter-syslog.sh:

#!/bin/sh 
echo "log file subject to prerotate: $1"

Finally, here is the verbose output of the logrotate run:

reading config file /external-config/logrotate.conf
olddir is now OLD
Reading state from file: /external-logs/logrotate.state
Allocating hash table for state file, size 64 entries
Creating new state

Handling 1 logs

rotating pattern: /external-logs/syslog  after 1 days (3 rotations)
olddir is OLD, empty log files are rotated, old logs are removed
considering log /external-logs/syslog
  Now: 2017-09-24 13:35
  Last rotated at 2017-09-23 12:50
  log needs rotating
rotating log /external-logs/syslog, log->rotateCount is 3
dateext suffix '-20170924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /external-logs/OLD/syslog.3.gz to /external-logs/OLD/syslog.4.gz (rotatecount 3, logstart 1, i 3), 
old log /external-logs/OLD/syslog.3.gz does not exist
renaming /external-logs/OLD/syslog.2.gz to /external-logs/OLD/syslog.3.gz (rotatecount 3, logstart 1, i 2), 
old log /external-logs/OLD/syslog.2.gz does not exist
renaming /external-logs/OLD/syslog.1.gz to /external-logs/OLD/syslog.2.gz (rotatecount 3, logstart 1, i 1), 
old log /external-logs/OLD/syslog.1.gz does not exist
renaming /external-logs/OLD/syslog.0.gz to /external-logs/OLD/syslog.1.gz (rotatecount 3, logstart 1, i 0), 
old log /external-logs/OLD/syslog.0.gz does not exist
log /external-logs/OLD/syslog.4.gz doesn't exist -- won't try to dispose of it
running prerotate script
log file subject to prerotate: 
renaming /external-logs/syslog to /external-logs/OLD/syslog.1
compressing log with: /bin/gzip

Note the line "log file subject to prerotate:" in the above output. Why isn't the line output "log file subject to prerotate: /external-logs/syslog" instead?

We access our Debian Linux servers with ssh using GSSAPI. The servers run OpenSSH and take advantage of the pam-stack. In particular, they use pam_afs_session.

Every once in a while I see the following messages in the system log:

sshd[31799]: pam_afs_session(sshd:session): PAG apparently lost, recreating

What are the likely causes of this message?

With Apache 2.4 httpd I am starting to see log messages like this:

[mpm_prefork:notice] [pid 1521] AH00163: Apache/2.4.10 ...
[core:notice] [pid 1521] AH00094: Command line: '/usr/sbin/apache2'

I can infer the meaning of those two, but I would like to have a source that lists all these "AH" codes and their meanings. Where is that source?

Puppet supports the concept of resource dependencies where one resource will not by synced until another is synced first. For example, the following Puppet fragment will create the user user1 and the group group1 but it will create the group first:

group { 'group1': 
  ensure => present
}

user { 'user1':
  ensure  => present,
  gid     => 'group1',
  require => Group['group1']
}

My question is: how do dependencies work when the ensure parameter is changed from "present" to "absent":

group { 'group1': 
  ensure => absent
}

user { 'user1':
  ensure  => absent,
  gid     => 'group1',
  require => Group['group1']
}

What does Puppet do in a case like this? Does it remove the group first, or the user first? Or perhaps the order is not defined?

In general, how would you ensure that one resource is not present only when some other resource is already not present.

I have a server pmaster-dev that is a puppet client (its master is pmaster). The server pmaster-dev itself acts as a puppet master for several clients.

When pmaster-dev checks in with pmaster it is caching its facts to a local sqlite3 database file /var/lib/puppet/state/clientconfigs.sqlite. On every subsequent check-in pmaster-dev never updates this local cache. Thus, its facts are always stale. Other clients of pmaster (including pmaster itself) never cache.

How do we either tell it to update the cache or disable caching of the facts? Why is it caching while other clients of pmaster are not?

We are running 2.7.18 on a Debian squeeze system.

Here is the /etc/puppet/puppet.conf file for pmaster-dev:

[agent]
server = pmaster.example.org
environment = master
configtimeout = 300

logdir = /var/log/puppet
vardir = /var/lib/puppet
ssldir = /etc/puppet/ssl
rundir = /var/run/puppet

ca_server = puppetca.example.org
ca_port = 8141

graph = true
report = true
pluginsync = true

classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
diff_args = '-u'
show_diff = true


[master]
certname = pmaster-dev.example.org
syslogfacility = local2

logdir = /var/log/puppet
vardir = /var/lib/puppet
rundir = /var/run/puppet
ssldir = /srv/puppetmaster/ssl

reports = tagmail,lastcheck,logcache
manifest = /srv/puppet/$environment/manifests/site.pp
graph = true
modulepath = /srv/puppet/$environment/modules:/srv/puppet/$environment/services:/srv/puppet/$environment/clients
cacrl = /srv/puppetmaster/ssl/crl.pem
ca = false

manifestdir = /srv/puppet/$environment/manifests
queue_source = stomp://pupqueue-dev.example.org:61613/
async_storeconfigs = true
storeconfigs = false
dbadapter = mysql
dbuser = puppet
dbpassword = secret
dbserver = pupqueue-dev.example.org
dbname = puppet

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

I have an Apache 2.2 server that works but I am getting the NameVirtualHost *:443 has no VirtualHosts warnings when restarting. But I do have VirtualHosts that match *:443.

The system is Debian squeeze. The ports.conf file looks like this:

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
   NameVirtualHost *:443
   Listen 443
</IfModule>

Here is the output when running the -S option with apache2ctl:

% /usr/sbin/apache2ctl -S 
[Sat Mar 06 10:07:11 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server q2a-dev.example.org (/etc/apache2/sites-enabled/q2a:1)
         port 443 namevhost q2a-dev.example.org (/etc/apache2/sites-enabled/q2a:1)
         port 443 namevhost tcert-dev.example.org (/etc/apache2/sites-enabled/tcert-dev:1)
*:80                   is a NameVirtualHost
         default server emailtest-dev.example.org (/etc/apache2/sites-enabled/emailtest:1)
         port 80 namevhost emailtest-dev.example.org (/etc/apache2/sites-enabled/emailtest:1)
Syntax OK

The two virtual hosts are defined in files living in /etc/apache2/sites-enabled:

# /etc/apache2/sites-enabled/q2a
<VirtualHost *:443>
  DocumentRoot /usr/share/question2answer
  ServerName q2a-dev.example.org
  ServerAlias q2a-dev

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/q2a-dev.pem
  SSLCertificateKeyFile /etc/ssl/private/q2a-dev.key

  DirectoryIndex index.php
</VirtualHost>

and here is the another one:

# /etc/apache2/sites-enabled/tcert-dev
<VirtualHost *:443>
  DocumentRoot /srv/www/tools
  ServerName tcert-dev.example.org
  ServerAlias tcert-dev

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/tcert-dev.pem
  SSLCertificateKeyFile /etc/ssl/private/tcert-dev.key

  <Directory "/">
    AllowOverride None
  </Directory>
</VirtualHost>

My Debian squeeze server is running mysqld version 5.1. How do I determine if the SSL libraries it is using are OpenSSL or yaSSL?

(I am pretty sure this MySQL supports SSL as the User table has the ssl_type column.)

Let's say I have just done an aptitude safe-upgrade on a Debian system, but I was not paying attention so I did not notice if the kernel was updated or not.

How can I now determine if there was a kernel upgrade and a reboot is in order?

The VPN I use on my home Windows computer to connect to my company's servers is a Cisco client. The client is configured to use "IPSec over UDP (NAT/PAT)".

Why would you use UDP, an "unreliable" protocol, for a secure tunnel? Wouldn't the unreliability of the protocol cause problems when UDP packets are dropped?

Or is the protocol using UDP but adding reliability at the application layer?

This was in a recent Tripwire report of a Debian Linux (virtual) server:

### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/dev/char/253:0
    md5 (sig1): 3cArKelJk8b0VTK4Q80.nV        3Z4Cv6zdER0tKfg3lDqPM3

First of all, what is /dev/char/253:0? Secondly, should I be concerned that it changed?

UPDATE. One of my colleagues said that this can happen with a server reboot, which, since I had rebooted the server the previous day, is probably what triggered the Tripwire alert.

My organization would like to better understand the Amazon RDS architecture. In particular, my managers would like to understand RDS's "tenancy" model, that is, how the service accommodates multiple customers and how an Amazon RDS DB Instance works.

Here are a few possibilities listed in order of offering the most to the least isolation:

1. A DB instance is on a single and exclusive VM running MySQL; no other DB instance runs on this VM
2. A DB instance is just one of several that runs on a given VM, but each DB instance gets its own MySQL instance
3. Multiple DB instances can connect to a single MySQL server on a single VM but special software makes the connection look we are connecting to our own dedicated MySQL instance.

My guess is that number 1 is correct, but my bosses would be happier with something more definitive than just a guess, something like an Amazon white-paper or other document explaining the RDS architecture.

Does anyone have a pointer to such a document?

At the Amazon RDS FAQ there is the question "What is a database instance (DB Instance)?".

The entire answer (as of mid-June 2012) is:

You can think of a DB Instance as a database environment in the cloud with the compute and storage resources you specify. You can create and delete DB Instances, define/refine infrastructure attributes of your DB Instance(s), and control access and security via the AWS Management Console, Amazon RDS APIs, and Command Line Tools. Multiple MySQL databases or SQL Server databases (up to 30) or Oracle database schemas can be created on a given DB Instance.

The last part of that quote, "Multiple MySQL databases or SQL Server databases (up to 30) Oracle database schemas" I interpret to mean that you can have an "unlimited" number of databases on an RDS MySQL or Oracle instance but only 30 databases on an MS SQL Server instance ("unlimited" meaning not limited by the RDS infrastructure itself).

This was asked in the Stackoverflow question Does Amazon RDS support multiple databases per instance?. The answer quoted an older version of the FAQ.

What I am looking for is an Amazon document that clarifies this question, or else someone who has experience using Amazon RDS who can attest what the situation actually is.

In my Apache configuration I have these lines:

SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024

How, exactly, does Apache interpret this? Does it first try builtin and then move to /dev/random if that fails? If it uses /dev/random, and /dev/random then runs out of entropy, does it automatically switch to /dev/urandom? Is there an Apache document somewhere that explains all this?

I want to display a process's command line (including any arguments) from the command line itself. In other words, I want to show the "Command Line" column in the Task Manager but from a command line. Is this possible?

For example, the output might look something like

C:\java\bin\java.exe -Dhttp.proxyHost=http://localproxy -Dport=8331

I have a Windows service on Windows Server 2008 R2 that I set-up using instsrv on the srvany.exe executable. The three values in the Parameters key are set as follows:

AppDirectory  C:\selenium-grid
Application   C:\ant\bin\ant.bat
AppParameters launch-hub

The service starts fine and two Java processes appear in the Task Manager when it starts (one process is ant and the other is a Java class launched by ant). When I stop the service the status of the service changes to stopped but the two Java processes do not go away.

How do I get the processes to stop when I stop the service?

I am running Windows 7 Professional 64-bit. Two different SSH clients are exhibiting a strange habit of periodically freezing or hanging. I have tried both putty and Van Dyke's SecureCRT SSH clients and in both cases I will get a periodic freeze lasting anywhere from 20 seconds to a few minutes. No key strokes get through during the hang (not Ctrl-C, Ctrl-Z, or anything I have tried).

This happens while connecting to any of a number of servers. Others in my group using non-Windows machines do not seem to be having this problem. So, this is probably not a server-side issue.

I also use RDP to connect to Windows servers without similar freezes, so I don't think it is a networking issue with my machine.

Since this is happening with two different clients it seems like this must be a Windows issue.

Any suggestions?

UPDATE. Paying a little more attention, this only seems to happen when I am using emacs on the remote server. Since the freezing behavior only started when I moved from Windows XP to Windows 7 I attributed it to Windows, but maybe it is due to a more subtle interaction between emacs and Windows 7.

FURTHER UPDATE. My desktop support guy replaced the network cable and the problem seems to have gone away. I cannot explain why I noticed no network issues with my computer other than when working with Emacs through ssh. Perhaps there is something about using Emacs in this fashion that is particularly sensitive to network flakiness.

I have created a new EC2 instance. It got assigned the default security group. I want to change that security group. How?

We have installed the rubygem application (version 1.3.6) on a Debian system by downloading the rubygems tar.gz archive and running the setup.rb command.

What is the best way to uninstall this application?