DenCowboy's questions

We have some hybrid environment where some applications are running in our own datacenter and other services are running on AWS cloud.

Now we have some application which needs to write files to S3. In our current solution we have created a IAM user (with access keys) who has an inline policy to write/list/delete objects on a certain bucket.

This works but it isn't that secure probably because the security credentials are permanent. One of the main advantages of using AWS roles is that the credentials are rotated in a specific time interval and stored as metadata.

I know you can assign a role to an EC2 and so the EC2 can securely connect to (for example) an S3 bucket and do their allowed stuff. But how do we have to handle this for applications which are NOT running on AWS but need a connection to an AWS service?

I have an nginx.conf:

worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    server {
      listen 80 default_server;
      listen [::]:80 default_server ipv6only=on;
      server_name localhost;
      resolver 172.31.0.2;
      set $proxy_pass_url https://my-url.com;

      # redirect /kibana
      location = /kibana {
          rewrite ^ /_plugin/kibana redirect;
      }

      location / {
          proxy_pass $proxy_pass_url;
          auth_basic "Username and Password are required";
          auth_basic_user_file /etc/nginx/.htpasswd;

          proxy_set_header Authorization "";
          proxy_hide_header Authorization;

      }
      include /etc/nginx/conf.d/*.conf;
  }
}

I try to set an proxy_pass_url to use it later in the conf file. Why I'm using the set is explained here.

But I keep getting:

invalid number of arguments in "set" directive in /etc/nginx/nginx.conf

What am I doing wrong? How can I set a variable in nginx? I also tried set $proxy_pass_url "https://my-url.com";

We want to install an on premise Kubernetes cluster. We have a license for RHEL and RHEL atomic. I know Red Hat has its own Kubernetes based platform called OpenShift. OpenShift can be installed on Centos7/RHEL7 but I read it's the best to install it on RHEL7 Atomic because this OS is optimized for containerization.

Now we don't really want OpenShift but we prefer Kubernetes. Is it possible/supported to install Kubernetes on RHEL 7 Atomic?

Kubernetes is showing as prerequisites:

One or more machines running one of:

    Ubuntu 16.04+
    Debian 9
    CentOS 7
    RHEL 7
    Fedora 25/26 (best-effort)
    HypriotOS v1.0.1+
    Container Linux (tested with 1576.4.0)

Does RHEL7 include RHEL7 atomic?

I'm using pointDNS

I have an alias: xxx.com to the xxx.herokudns.com. Now I have added a CNAME www.xxx.com and redirected it to xxx.herokudns.com (also tried xxx.com with the same result).

What I want is that the www disappears in the URL bar in the browser and I only see xxx.com

nslookup xxx.com
OK

nslookup www.xxx.com
Non-authoritative answer:
www.xxx.com canonical name = xxx.com.
..

The above seems really fine to me, but why is the www still in my browser? Or do I have to handle this somewhere else? I configured it as described here: https://support.dnsimple.com/articles/redirect-heroku/

I have an oracle 12c (1.0.2) running in Docker. I'm using a script which is executed during container startup:

TESTER IDENTIFIED BY TESTER; 

This fails with this error:

ORA-65096: invalid common user or role name 

When I alter my script it works fine:

alter session set "_ORACLE_SCRIPT"=true;
TESTER IDENTIFIED BY TESTER;

But I don't want to add this to every script. Is there a way you can persist this setting in the database?

Also in this doc they need to alter the session.

I'm trying to configure a nginx reverse proxy. I'm using htpasswd but it's unrelated in my case.

I want the following: when visit https://public-nginx/kibana I want that it redirects to the proxied url (to my private kibana), but it keeps the public-nginx URL.

My nginx.conf looks pretty basic:

worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    server_names_hash_bucket_size 128;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    index   index.html index.htm;
    server {
        listen       8080 default_server;
        listen       [::]:8080 default_server;
        server_name  localhost;
        root         /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

my conf.d/kibana.conf looks like:

server {
    listen 80;
    server_name _;
    location / {
        proxy_pass https://private-url/kibana/;
        proxy_redirect https://private-url/kibana/ /;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization "";
        proxy_hide_header Authorization;
        auth_basic "Username and Password are required";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

When I check it seems that the /kibana url is redirecting me to the right path (/kibana/app/..). But I see a 404.

I'm trying to understand a bit more about Kubernetes networking. That's why I've deployed a cluster in google cloud and checked the networking:

gcloud container clusters describe cluster0 | grep -i cidr

clusterIpv4Cidr: 10.20.0.0/14        # --cluster-cidr
nodeIpv4CidrSize: 24
servicesIpv4Cidr: 10.23.240.0/20     # --service-cluster-ip-range

So the first is for pod IPs:

First IP: 10.20.0.1
Last IP: 10.23.255.254

Service

First IP: 10.23.240.1
Last IP: 10.23.255.254

Is it always like this that the pod range contains the service IP range? Are they using the same network layer?

I'm on my home network. I've installed a VPN server using Raspberry Pi. I've connected my laptop with 4G (using my phone). I had a different IP. After connecting to my VPN server I had my IP from home. So this seems to work.

But now I want to create a VPC on Google Cloud from which I can only connect from my home network.

I was looking to this blog, but I'm not sure if this will work for me, or if this is the setup I need to follow? I want to connect to a fully private GKE network. (vpc)

My general goal is to create something like here.

I want to deploy a fully private Kubernetes cluster in google cloud from which I can connect from home OR using my VPN to my home.

I have an apache server (I didn't do the setup). The httpd.conf is default and I see nothing about logging.

in conf.d/vhost_xxx I see some config for my vhost. I add the LogLevel debug:

<VirtualHost _default_:80>

        ServerName xx
        ServerAdmin xx
        DocumentRoot "/srv/www/html/"


        LogLevel debug
        ErrorLog logs/xx
        CustomLog logs/xx


</VirtualHost>

I reload (also restarted) my apache:

service httpd restart

But my logs aren't in debug mode. It's just the basic logging. What am I missing here?

I have a lot of data in /var/www/html. It's more than 2GB. Now I have the possibility to host the website on the host (nginx is using /var/www/html) or I can use docker.

For the user of docker I am copying the content of /var/www/html to another folder (src/) and I mount src/ inside my container:

Steps:

stop nginx
copy files /var/www/html --> xxx/src/
start docker

The copy takes some minutes so there is some downtime. Is it a bad idea to do the following:

copy files /var/www/html --> xxx/src/ (while nginx is running)
stop nginx
start docker

Can there be an issue?

I'm running a heavy java process on my rhel. It had 8GB of RAM and 1 core for CPU. With the help top and htop I saw there was not enough CPU available for this process.

I added 3 extra cores in VMware and rebooted. If I execute nproc I see 4 so there are now 4 cores on the server.

I restart the java process but it's not going faster. I read that top could show till 400% if you have 4 cores. (each core till 100%). When I execute top I see 100%. I suspect one core is in full use and the 3 other ones aren't doing anything.

Is there a way to let this process or my server use all the cores available? I'm on a RHEL 7.2

I need to install ansible-2.1.0.0-1.el7. It was always in the epel repo and it was the latest release I just had to do:

yum -y --enablerepo=epel install ansible

It was all fine. But now the this ansible is version 2.2 which I can't use. So I need to find another way to install it. The old version is not in the epel repo anymore. I saw the package here on pbone.net. Now my question is: Which command do I need to perform to download & install this rpm package from here?

We are using a VPN to connect with our Oracle Database. We use vpnc and start it with: vpnc /etc/vpnc/our.conf After that we execute our firewall script. We use sqlplus64 to verify the connection and this is working fine. We launch some apps to get some data from the database. It all works well. But now we're a couple of houres later and the connection seems to be gone. The "solution" for us was to find the pid of our vpnc and kill it. After that we restart vpnc and it all works fine again for a couple of houres.

The Oracle code we got when it fails is a timeout: ORA-12170: TNS:Connect timeout occurred

We also checked our tunnel (which is tun1) for us and it still exist. We also took a look to the logs which were only displaying some things when we were manually killing and restarting vpnc.

Someone who has any experience with this issue?

I'm using a server of OVH with OS centos7. OVH has its own linux kernel:

3.14.32-xxxx-grs-ipv6-64

Now I try to configure another Centos7 kernel. I installed the other kernel(s).

yum install kernel

ls /boot shows me

System.map-3.10.0-327.22.2.el7.x86_64  bzImage-3.14.32-xxxx-grs-ipv6-64   efi   grub2                                     symvers-3.10.0-327.22.2.el7.x86_64.gz
System.map-3.14.32-xxxx-grs-ipv6-64    config-3.10.0-327.22.2.el7.x86_64  grub  initramfs-3.10.0-327.22.2.el7.x86_64.img  vmlinuz-3.10.0-327.22.2.el7.x86_64

Now I want to configure to use 3.10.0-327.22.2.el7.x86_64. On some tutorials I found to edit grub.conf but this doesn't exist. I found grub.cfg in the grub2 folder. What do I have to edit inside that .cfg to configure my new kernel? All the tutorials are showing configurations for the older grub.conf.