sbrattla's questions

I'm setting up an MQ broker in an AWS environment.

The MQ broker will be used by both services running in that AWS environment as well as services running in other locations.

All other services deployed in the AWS environment run in private subnets, so I'm leaning towards deploying the MQ broker in a private subnet and set up a network load balancer to pass external traffic to the MQ broker.

However, for practical purposes I could also just deploy the MQ broker to a public subnet. That way, I would be able to expose the broker to the public internet by just configuring a security group (and skip the network load balancer).

I'm leaning towards a private subnet deployment, but I not entirely sure if the added configuration overhead (network load balancer) gives any real benefit.

What is the benefit of doing a private subnet deployment of the MQ broker?

When I look at disk (block device) storage options from various cloud hosting providers, I usually see numbers such as :

• Google Cloud (Zonal SSD) : 15.000 - 100.000 read IOPS
• OVH Cloud : (High Speed / SSD ) : Up to 3.000 IOPS
• AWS : (io1 / SSD) : Up to 64.000 IOPS

I do not know anything about the underlying technology.

Even if these cloud providers would use some of the slower SSD options available (regular consumer SATA SSDs), some of these disks comes with IOPS specifications for reads and writes in the range of 90.0000 and up (looking at 860 EVO SSD 2.5). An NVMe SSD would give far better throughput. Even if these cloud providers would stack these SSD disks into some sort of storage cluster, I'd still be surprised to see that the IOPS would fall from 90.000 to 3.000.

I have the feeling that these numbers are not comparable, even though the same metric (IOPS) are used.

How should I interpret the disk IOPS listed by cloud providers vs. the disk IOPS listed by disk manufacturers?

When I look at the docker_gwbridge, I see that all containers on that host are members of the bridge.

bridge name         bridge id           STP enabled  interfaces
docker_gwbridge     8000.0242e581b3f5   no           veth0987748
                                                     veth21aa5ea
                                                     veth358d367
                                                     veth473e3a5
                                                     vetha199713
                                                     vethf482f5f
                                                     vethf4ceab6

However, how can it be that a physical interface on the host is not a member of that bridge? The documentation describes this network as the egress bridge for traffic leaving a Docker swarm cluster. That is, traffic which most likely will leave the host. What mechanism is ensuring that packets entering the docker_gwbridge (from any given container) eventually leaves the host on a physical interface when no physical interface takes part in the bridge?

I'm having a hard time figuring out what HEALTHCHECK really is used for when running Docker in swarm mode.

One place suggests that Docker will restart a task which is considered unhealthy. Another place explains that Docker will stop sending traffic to tasks that are unhealthy. The Docker documentation itself only explains what the HEALTHCHECK directive is, and how to configure it. It makes no attempt to explain what happens when a task goes unhealthy.

In other words, I'm struggling to find a clear and trustworthy explanation of what HEALTCHECK really does.

Furthermore, looking at the Docker REST API, this particular piece of data (is a task healthy or not) is not even exposed for tasks (it is exposed for containers though). This makes it hard to use this metric for monitoring a Docker Swarm, so it doesn't seem to me that this is the primary purpose of the metric either.

What really happens when a task becomes unhealthy when running Docker in swarm mode?

Let's assume a 3 node Docker cluster. One one of these nodes, resources are tight. A couple of services which can be quite greedy in terms of CPU or RAM happened to start on the same host.

Will Docker at any point check if the other nodes have less work to do, and migrate one or more services from the pressured node to one of the less pressured nodes?

Is there any built-in functionality in Docker to handle this, or will a migration eventually be a result of e.g. an OOM killer taking out a container?

I've finally been able to get a tunnel between my computer (strongswan) and a Zyxel Zywall 110 up and running.

I'm connecting using certificates, and judging from the logs the actual VPN connection seems to get established.

May  4 14:14:49 user charon-nm: 10[IKE] authentication of 'remote.company.com' with RSA signature successful
May  4 14:14:49 user charon-nm: 10[IKE] IKE_SA Company[1] established between 192.168.43.101[C=NO, CN=user]...X.X.X.X[remote.company.com]
May  4 14:14:49 user charon-nm: 10[IKE] scheduling rekeying in 35793s
May  4 14:14:49 user charon-nm: 10[IKE] maximum IKE_SA lifetime 36393s
May  4 14:14:49 user charon-nm: 10[CFG] handling INTERNAL_IP4_NETMASK attribute failed
May  4 14:14:49 user charon-nm: 10[IKE] installing new virtual IP 192.168.100.6
May  4 14:14:49 user charon: 14[KNL] 192.168.100.6 appeared on wlan0
May  4 14:14:49 user avahi-daemon[645]: Registering new address record for 192.168.100.6 on wlan0.IPv4.
May  4 14:14:49 user charon-nm: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May  4 14:14:49 user charon-nm: 10[IKE] CHILD_SA Company{1} established with SPIs c71e085c_i 46449091_o and TS 192.168.100.6/32 === X.X.X.X/32 
May  4 14:14:49 user NetworkManager[1076]: <info> VPN connection 'Company' (IP4 Config Get) reply received from old-style plugin.
May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_nameserver: assertion 'nameserver > 0' failed
May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
May  4 14:14:49 user NetworkManager[1076]: <info> Tunnel Device: tun0
May  4 14:14:49 user NetworkManager[1076]: <info> IPv4 configuration:
May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Address: 192.168.100.6
May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Prefix: 32
May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Point-to-Point Address: 0.0.0.0
May  4 14:14:49 user NetworkManager[1076]: <info>   Maximum Segment Size (MSS): 0
May  4 14:14:49 user NetworkManager[1076]: <info>   Forbid Default Route: yes
May  4 14:14:49 user NetworkManager[1076]: <info>   Internal DNS: 192.168.16.2
May  4 14:14:49 user NetworkManager[1076]: <info>   DNS Domain: '(none)'
May  4 14:14:49 user NetworkManager[1076]: <info> No IPv6 configuration
May  4 14:14:49 user charon-nm: 14[KNL] interface tun0 activated
May  4 14:14:49 user charon: 07[KNL] interface tun0 activated
May  4 14:14:49 user kernel: [15417.710286] brcmsmac bcma0:1: brcms_ops_bss_info_changed: arp filtering: 2 addresses (implement)
May  4 14:14:49 user charon-nm: 05[KNL] 192.168.100.6 appeared on tun0
May  4 14:14:49 user charon: 11[KNL] 192.168.100.6 appeared on tun0
May  4 14:14:50 user NetworkManager[1076]: <info> VPN connection 'Company' (IP Config Get) complete.

However, even though the VPN seems to be established it seems that the output of ipsec statusall does not agree.

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-33-generic, x86_64):
  uptime: 4 hours, since May 04 09:57:53 2016
  malloc: sbrk 2568192, mmap 0, used 330496, free 2237696
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
  192.168.43.101
  192.168.100.6
  10.0.3.1
  192.168.100.6
Connections:
Security Associations (0 up, 0 connecting):
  none

Last, the output of ip route show gives me the following.

default via 192.168.43.1 dev wlan0  proto static 
10.0.3.0/24 dev lxcbr0  proto kernel  scope link  src 10.0.3.1 
192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.101  metric 9 

The VPN connection has been configured with Network Manager, and I'm using certificates to establish the connection. I am unable to reach any resources on the network which I've established the VPN connection to.

Am I missing something in the configuration? What could I be missing?

I'd like to compile Nginx 1.9.8 from source and install it on a Ubuntu 14.04 server. However, and this goes for any software, how do I figure out which dependencies I need to install on my local system in order to build the software?

Say I'd like to compile Nginx. I can always do aptitude show nginx to get dependencies for the current package available through a repository. On the other hand, this may not be a correct list as the repository may offer an old version where dependencies are different from the new version I'd like to compile.

In general, how do I collect the list of dependencies I need to have installed on a system for a given piece of software?

Given that the dependencies may differ based on the compilation options I provide, is this a matter of "trial and error". That is, should I attempt to compile, then wait for the first error, see what it complains about, add that dependency, and do the same iteration again?

I'm using OpenConnect to connect to my workplace via VPN. This works fine, but I'd like to use Ubuntu's network manager to establish connections. I guess it's a matter of having all connections managed by the network manager, and have connections available by a couple of clicks.

Now, the network-manager-openconnect allows me to provide a few configuration details. However, there's a great deal of options I can't provide through the UI to configure an openconnect connection. Is there a way I can control this, either through the UI or through the connection's profile file (physical file).

Examples of arguments are the --no-xmlpost and --csd-wrapper arguments.

I've got 2 webservers, with the chance of having to add more servers along the way. Right now I keep these servers in synch using lsyncd + csync2. It works well performance wise because all files are on both servers (no network access required to open files locally), but not so well in other cases.

One example of this is if I delete a file on server 1 and immediately uploads a new file to server 1 which has the same name. The file would then be deleted from server 2 in the meantime, causing the newly uploaded file on server 1 to be deleted as server 2 sends the delete event on to server 1 to complete the "update circle".

I can't help thinking that there must be a better way to keep servers in synch. I've been looking at GlusterFS, and I see that a setup where all files are replicated to all servers are discouraged. However, I'm running CMS systems like Drupal on these servers. Such CMS systems often opens quite a few files, and I'm worried that too much network traffic to get hold of these files will slow down the requests.

Would it be an idea to look into replacing lsyncd + csync2 with GlusterFS set up to replicate all files to all nodes, or is that a bad idea?

I'm new to SAS expanders and I'm trying to get things right. I understand that SAS expanders, when used with SAS controllers which supports expanders, allows you to utilise the full capacity of supported drives on a controller.

However, say I've got a SAS controller with 4 x SSF-8087 ports, which by itself would support 16 disks. I could then, as far as I understand, instead connect each of these ports to an expander to increase disk capacity.

However, will the SAS controller "see" all disks as if they were connected directly to the controller and not through an expander. Could I look at controllers as switches in a network? Would I be able to create a RAID from a disk on expander 1 and expander 3?

UPDATE:

I don't really have a specific project where I need to use SAS expanders. I'm just curious about how they work, and was thinking about how it would work if I used one or more SAS expanders with a LSI MegaRAID controller (9260-16i) which is running in one of our servers. However, I haven't really put any thought into the distinction between "local" disks and disks in another enclosure. The LSI MegaRAID controller has 4 SFF-8087 ports, which makes it capable of accomodating 16 drives.

When making a backup with rsnapshot, "[...] we first replicate the previous backup into a parallel directory structure, creating all the directories and making hard links to all the files.". This is all good.

I assume this implies that the initial backup will be retained forever? The "newer" backups will only point (through hardlinks) to the older backup, so I'm assuming that the actual file which any given hardlink points to needs to be retained forever to not break things?

Is this assumption right?

I've set up a server with Nginx and PHP5-FPM, and things are running fine. However, as I add more and more sites to the server I see that the memory usage steadily increases, and I've come to the conclusion that PHP5-FPM is to "blame".

What I currently do is that I set up a separate PHP5-FPM pool for each site, and configure that pool according to expected traffic. However, with enough sites, I will in the end have a server which just sists on a rather large number of PHP5-FPM "children" which are just waiting for work.

I just found out about the ondemand PHP5-FPM mode, which allows me to configure PHP5-FPM in a way so that child processes are forked only when actually needed, and then kept alive for a given duration to process.

However, I can't really find too much details on this. What I'm most curious about is how the variables pm.max_children and pm.max_requests affect the ondemand mode (if at all). I assume that the variables pm.start_servers, pm.min_spare_servers, pm.max_spare_servers not apply to the ondemand mode.

I'm looking at a MegaRAID SAS 9240-4i Sgl card which has a single X4 Mini-SAS SFF8087 connector. As far as I know, such a connector can be expanded to 4 SATA disks. So, I would know how to connect 4 SATA disks. However, the documentation says it supports up to 16 disks in a RAID volume. My question is then; how do I physically connect these 16 disks to the card which only has a single connector?

Is this where backplanes come in (I've tried to find information on that, but can't really figure out how they work together with the RAID controller). ?

I've got multiple servers which all need to have the same content in /home. In other words, if the file /home/user1/test.txt is updated on server A, this needs to be replicated to all other servers in the cluster.

Is it possible to use GlusterFS for this purpose? That is, let each server have a full copy of all data locally - which that server will be working on - and solely use GlusterFS to take care of replicating this data to the other servers?

I'm not intersted in a combined storage, but rather have all data on all machines only to have GlusterFS to replicate it to the other machines.

I'm working on a SBS2003 server, and I'm about to clean up on folder permissions. I notice that quite a few folders have the users SYSTEM and CREATOR OWNER set.

Now, I've found descriptions of the CREATOR OWNER user on the Internet, and I understand that this user is related to the creator of the folder/file. However, I'm unable to find any description of the SYSTEM user and what it is for. Can i safely remove it from folders/files? Will services running on the server suddenly not get access to those folders anymore?

I've established a site to site VPN with two Zyxell routers. Site A (LAN: 192.168.16.x) is the main office, and site B (LAN: 192.168.17.x) is a branch office. Both sites are able to reach each other, and things work as they should.

Now, what I don't really understand is how it really works!

How does the router at site A know that requests going to 192.168.17.x should go to site B? I'm thinking that, upon establishing the connection, the router at site A tells the router at site B that it's IP range is within 192.168.16.x and then the router at site B modifies its routing table to reflect this - and vice versa. However, this is just as assumption. Is that really how it works?

Furthermore, what happens if I add more branch offices? Say I'd like to establish a site to site connection between site C (192.168.18.x) and site A. Will machines at site C be able to reach machines at site B through site A? This would of course mean that site C must know about site D. Will I have to create custom routing policies for this, or is this also "automagically" taken care of?

I'm trying to get an overview of how i would go about creating a load balanced web server setup. Setting up the actual load balancer and adding two or more web servers seems fair enough. However, I can't decide what the best setup for files would be.

The web servers will be running a CMS system (in this case Drupal). There might be files uploaded by users which relates to content, and this should be accessible to all web servers. Now, I was thinking of simply having a designated file server and mount a file directory on each web server so that the various web servers could access these "shared" files.

However, would this solution be a bottleneck if we're talking about 4-5 servers? I'd think the mounting would be done over SSH.

All help highly appreciated!

Update (January 15, 2013)

I decided to go with a combination of Csync2 and Lsyncd. I then set up two servers which acts as mirrors. Lsyncd listens for changes in certain directories (and their subdirectories) and invokes Csync2 which takes care of synchronizing files to the other server. If you're interested in knowing more, have a look at this tutorial.

I'm trying to figure out a way to publish my screen using VNC or a similar technology. My intention is to connect a remote PC to a projector/display and connect to that PC so that i can share my screen and have it displayed on the projector.

Ultimately, the solution should support audio as well.

I'm using VNC the 'other way' daily, meaning that i connect to servers and view their screens. However, I'm uncertain as to wether it would be possible to 'reverse' things and publish my screen.

I've got an application (guiformat) which needs to run on clients in a network. However, it seems to require Administrator privileges to run. Clients run either Windows XP or Windows 7, and users log in to their systems as "Standard Users".

Now, I've tried experimenting with Software Restriction Policies. However, this requires me to deny all applications by default and then specify which one that can be run. I rather just want the security checks to be bypassed for this one application (in other words, just have it to be whitelisted).

Any ideas as to how I can achieve that will be higly appreciated!

I'm new to iptables, and i've been trying to put together a firewall which purpose is to protect a web server. The below rules are the ones i've put together so far, and i would like to hear if the rules makes sense - and wether i've left out anything essential?

In addition to port 80, i also need to have port 3306 (mysql) and 22 (ssh) open for external connections.

Any feedback is highly appreciated!

#!/bin/sh

# Clear all existing rules.
iptables -F

# ACCEPT connections for loopback network connection, 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT

# ALLOW established traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP packets that are NEW but does not have the SYN but set.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP fragmented packets, as there is no way to tell the source and destination ports of such a packet.
iptables -A INPUT -f -j DROP

# DROP packets with all tcp flags set (XMAS packets).
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP packets with no tcp flags set (NULL packets).
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# ALLOW ssh traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport ssh -m limit --limit 1/s  -j ACCEPT

# ALLOW http traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport http -m limit --limit 5/s -j ACCEPT

# ALLOW mysql traffic (and prevent against DoS attacks)
iptables -A INPUT -p tcp --dport mysql -m limit --limit 25/s -j ACCEPT

# DROP any other traffic.
iptables -A INPUT -j DROP