From systemctl status foo. I have both a foo.service and a foo.timer:
Active: activating (auto-restart) (thawing) since Fri 2020-10-09 21:32:56 UTC; 3min 1s ago
I can't find the word "thaw" anywhere in the docs. This is systemd 246.6.
Looking into my /etc/shadow file of a fairly new box today (running Arch), I see some passwords as * (disabled) but some others as !*, !! and as !. Presumably that means "disabled", too, but why is the value different?
Is there some convention that I haven't heard of? :-) And if so, where would that be documented?
Excerpt:
root:*:14871::::::
dbus:!!:18407::::::
dnsmasq:!*:18499::::::
shepherd:!:18502:0:99999:7:::
My systemd-networkd-wait-online.service fails. When I take a look:
% networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 eth0 ether routable configuring
% ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 0a:e9:d9:16:22:4e brd ff:ff:ff:ff:ff:ff
inet xx.xx.xx.xx/24 brd xx.xx.xx.255 scope global dynamic eth0
valid_lft 2794sec preferred_lft 2794sec
It seems to be stuck at that state "configuring", but everything seems to work just fine. What does this state mean, and how do I get it out of it?
Added: Content of /etc/systemd/network/50-ubos-eth0.network:
[Match]
Name=eth0
[Network]
DHCP=yes
Systemd defines a bunch of special targets that all relate to shutting down a system, like the ones listed in the title of this post. There seem to be more.
man systemd.special gives definitions for them, but does not attempt to differentiate between them.
Just under which circumstances am I supposed to use which of those targets?
I need to archive and compress a large number of files but some of those files may have extended attributes whose content I don't want to lose.
My understanding is that zip doesn't do that. Is there something that does?
I believe that some versions of tar support extended attributes, but I'd prefer being able to access individual files in the archive without having to decompress the entire archive as I have to with tar.
This is Linux only.
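The following is an added example, not code from the original post, showing how extended attributes travel inside a tar archive and how a single member is pulled back out by name. GNU tar (with --xattrs) and libarchive record each xattr as a pax extended-header record named SCHILY.xattr.<attribute>; Python's tarfile exposes those records as TarInfo.pax_headers, so an archive written this way is readable by tar --xattrs and vice versa. The file contents and attribute values are constructed for the demonstration rather than read from a real filesystem.

```python
"""Carry extended attributes inside a tar archive as pax records and fetch
one member by name without unpacking the rest."""
import io
import tarfile

XATTR_PREFIX = "SCHILY.xattr."   # pax keyword prefix used by GNU tar --xattrs

# Constructed sample: name -> (content, {xattr name: value}).
SAMPLE_FILES = {
    "report.txt": (b"quarterly numbers\n",
                   {"user.origin": "scanner-42", "user.mime_type": "text/plain"}),
    "bin/tool.sh": (b"#!/bin/sh\necho hi\n",
                    {"user.sha256": "constructed-not-a-real-digest"}),
}


def build_archive(files):
    """Write files (a dict shaped like SAMPLE_FILES) to an uncompressed
    pax-format tar stream and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, (data, xattrs) in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o640
            # pax header values must be text; a binary xattr value would need a
            # reversible text encoding (latin-1 or surrogateescape) first.
            info.pax_headers = {XATTR_PREFIX + k: v for k, v in xattrs.items()}
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _xattrs_of(member):
    return {k[len(XATTR_PREFIX):]: v
            for k, v in member.pax_headers.items() if k.startswith(XATTR_PREFIX)}


def read_member(archive, name):
    """Return (content, xattrs) for a single member.

    tar has no central directory, so getmember() walks the headers; on an
    uncompressed archive it seeks past each body, so only the wanted
    member's data is read. Wrapping the whole archive in gzip loses that,
    because the stream must be decompressed up to the member.
    """
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        member = tar.getmember(name)
        data = tar.extractfile(member).read()
        return data, _xattrs_of(member)


def list_xattrs(archive):
    """Map every member name to its xattr dict without extracting any data."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return {m.name: _xattrs_of(m) for m in tar.getmembers()}


if __name__ == "__main__":
    archive = build_archive(SAMPLE_FILES)
    print(list_xattrs(archive))
    print(read_member(archive, "bin/tool.sh"))
```

The per-member lookup is cheap only while the archive itself is not compressed; compressing each file before adding it, rather than gzipping the whole tar, keeps both the xattrs and the random access.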
I'm attempting to use a loop device inside a container, to mount some image file:
> sudo losetup /dev/loop0 test.img
losetup: /dev/loop0: failed to set up loop device: No such file or directory
/dev/loop0
indeed doesn't exist, and
> sudo mknod /dev/loop0 b 7 0
mknod: ‘/dev/loop0’: Operation not permitted
How can I make this work? Does the container need some cgroup permission that it might not have?
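An added example, not from the original post, of the two things to check behind "mknod: Operation not permitted" inside a container. Creating a device node needs CAP_MKNOD (bit 27) in the effective capability set, and on cgroup-v1 hosts the devices controller must grant "m" (mknod) for that device type and major:minor; /dev/loop0 is block major 7, minor 0. The code decodes the CapEff line of /proc/self/status and evaluates a devices.list whitelist against the node being created. Both sample texts are constructed; feed it the real files from inside the container to check it. cgroup v2 enforces device policy with BPF programs that cannot be read this way, and user-namespaced containers add a further restriction not covered here.

```python
"""Decode container capabilities and a cgroup-v1 devices whitelist to see
whether mknod of a given device node can succeed."""
import re

# Index = capability number, from <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed: a typical unprivileged container's status (CAP_MKNOD present,
# CAP_SYS_ADMIN absent) and a devices whitelist with no block-device entry.
SAMPLE_STATUS = ("Name:\tsh\n"
                 "CapInh:\t0000000000000000\n"
                 "CapPrm:\t00000000a80425fb\n"
                 "CapEff:\t00000000a80425fb\n"
                 "CapBnd:\t00000000a80425fb\n")
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
"""


def decode_caps(capeff_hex):
    """Turn the hex bitmask from /proc/<pid>/status into a set of CAP_* names."""
    mask = int(capeff_hex, 16)
    caps = {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    if mask >> len(CAP_NAMES):
        caps.add("UNKNOWN_BITS_ABOVE_%d" % (len(CAP_NAMES) - 1))
    return caps


def effective_caps(status_text):
    """Effective capability names from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return decode_caps(m.group(1))


def device_allowed(devices_list, dev_type, major, minor, access):
    """Evaluate a cgroup-v1 devices.list whitelist.

    Each line is '<a|b|c> <major|*>:<minor|*> <subset of rwm>'. The
    operation is allowed if some line matches the type ('a' matches all),
    the major and minor ('*' is a wildcard) and grants every requested bit.
    """
    for line in devices_list.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        t, dev, acc = parts
        maj, mnr = dev.split(":")
        if t != "a" and t != dev_type:
            continue
        if maj != "*" and int(maj) != major:
            continue
        if mnr != "*" and int(mnr) != minor:
            continue
        if set(access) <= set(acc):
            return True
    return False


def can_mknod(status_text, devices_list, dev_type="b", major=7, minor=0):
    """Return (ok, problems) for creating the given device node."""
    problems = []
    if "CAP_MKNOD" not in effective_caps(status_text):
        problems.append("CAP_MKNOD missing from CapEff")
    if not device_allowed(devices_list, dev_type, major, minor, "m"):
        problems.append("devices cgroup grants no 'm' for %s %d:%d" % (dev_type, major, minor))
    return not problems, problems


if __name__ == "__main__":
    print(sorted(effective_caps(SAMPLE_STATUS)))
    print(can_mknod(SAMPLE_STATUS, SAMPLE_DEVICES_LIST))
```

Inside a real container the inputs are `open("/proc/self/status").read()` and the devices.list of the cgroup named in /proc/self/cgroup; if both checks pass and mknod still fails, look at user namespaces and at the mount options of /dev next.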
I have been doing a lot of work using Linux containers, and I keep forgetting which of the terminals on my screen is running inside which container, particularly when I leave them open overnight.
How can I change the shell prompt, or the terminal title based on the container that the shell runs in?
This is a general question, but it'd be great if it worked for systemd-nspawn and kde on Arch.
I'm trying to create a user on a Linux box that can only log on via ssh with a key specified in authorized_keys. The user should not be able to log on via password, neither via ssh nor locally at the console. How would I do this?
Currently I do:
useradd -m myuser
passwd myuser
vi /etc/shadow
and replace the password field with '*'. There must be a better way. If I don't set the password first, ssh won't work either, saying in the log "User myuser not allowed because account is locked".
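An added example, not code from either of the two posts above (the /etc/shadow question and the key-only SSH user question), that classifies shadow password fields and shows which of them block password login without tripping sshd's lock check. It encodes shadow(5): an empty second field means no password is required at all; any string that is not a valid crypt(3) result (such as "*", "!", "!!" or "!*") makes password login impossible; and a leading "!" additionally marks the password as locked, which is what passwd -l and usermod -L prepend. OpenSSH, when it performs its own locked-account check rather than deferring that to PAM, refuses any account whose field starts with "!" with exactly the "not allowed because account is locked" message, so "*" is the value that disables passwords while leaving key logins alone. The sample entries are constructed; the first four copy the post.

```python
"""Classify /etc/shadow password fields for password and SSH-key logins."""
import re

# crypt(3) outputs accepted by glibc/libxcrypt: $id$salt$hash, or 13-char DES.
_HASH_RE = re.compile(r"^(\$(1|5|6|2a|2b|2y|7|y|gy)\$[^:]+|[./0-9A-Za-z]{13})$")

SAMPLE_SHADOW = """\
root:*:14871::::::
dbus:!!:18407::::::
dnsmasq:!*:18499::::::
shepherd:!:18502:0:99999:7:::
alice:$6$saltsalt$not.a.real.hash.but.shaped.like.one:18502:0:99999:7:::
bob::18502:0:99999:7:::
carol:!$6$saltsalt$not.a.real.hash.but.shaped.like.one:18502:0:99999:7:::
"""


def classify(field):
    """Describe one password field.

    Returns a dict with:
      state           short summary
      password_login  True if a password could authenticate this account
      sshd_locked     True if sshd's own locked-account check rejects it
    """
    sshd_locked = field.startswith("!")
    body = field.lstrip("!")      # "!!" -> "", "!*" -> "*", "!$6$.." -> "$6$.."
    if field == "":
        # Nothing to compare against: login succeeds with an empty password.
        return {"state": "EMPTY: no password required",
                "password_login": True, "sshd_locked": False}
    if _HASH_RE.match(body):
        if sshd_locked:
            return {"state": "hash present but locked",
                    "password_login": False, "sshd_locked": True}
        return {"state": "password set", "password_login": True, "sshd_locked": False}
    # "*", "!", "!!", "!*" and any other non-crypt string land here.
    return {"state": "password disabled",
            "password_login": False, "sshd_locked": sshd_locked}


def audit(shadow_text):
    """Run classify() over every entry of a shadow file; returns row dicts."""
    rows = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        row = {"user": parts[0], "field": parts[1]}
        row.update(classify(parts[1]))
        rows.append(row)
    return rows


def key_only_candidates(shadow_text):
    """Users that cannot log in with a password and are not refused by sshd's
    lock check: the state a key-only SSH account should be in."""
    return [r["user"] for r in audit(shadow_text)
            if not r["password_login"] and not r["sshd_locked"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_SHADOW):
        print("%-9s %-14s %-28s password_login=%s sshd_locked=%s" % (
            r["user"], r["field"][:14], r["state"], r["password_login"], r["sshd_locked"]))
    print("key-only ready:", key_only_candidates(SAMPLE_SHADOW))
```

To put an account into that "*" state without editing /etc/shadow by hand, useradd -m -p '*' myuser creates it with the literal field (useradd -p takes the encrypted field verbatim) and usermod -p '*' myuser does the same for an existing account; setting PasswordAuthentication no in sshd_config on top of that stops SSH from consulting the password at all, whatever the field holds.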
I have a download directory with different versions of the same file, plus a "latest" that is a symlink to the most recent version, like this:
foo-1.0.tar.gz
foo-1.1.tar.gz
foo-2.0.tar.gz
foo-latest.tar.gz -> foo-2.0.tar.gz
I'd like to point my users to download http://example.com/.../foo-latest.tar.gz, but when I do this, browsers will save the file as foo-latest.tar.gz, so the user doesn't actually know which version they downloaded. Instead, I'd like the browser to save it as foo-2.0.tar.gz.
I understand that the HTTP Content-Disposition header can be used for that. Is there a way to configure Apache so it sends that header with the target of the symlink as the filename, without me having to write a custom download script?
When setting up a VPN, clients (say client1 and client2) usually authenticate to a server, and together the three constitute the VPN. When client1 wishes to send a packet to client2, this packet usually gets routed by way of server.
Are there products / configuration blueprints for products where it is possible to send packets directly from client1 to client2 without going through server? (if the underlying network topology permits it, e.g. no firewalls in the way)
If not, is there a way by which client1 can send a packet to client2 by way of server, without the server being able to snoop on the content of the packet? (E.g. because the packet is encrypted with the public key of client2)
I just asked in the OpenVPN forum, and the answer I got was "not with OpenVPN". So my question is: are there other products with which this is possible? Open-source preferred ...
One use case: client1 and client2, typically in separate offices, find themselves both at headquarters. Do they still need to talk to each other via the public internet?
Links appreciated. Thank you.
My server connects to the public internet via eth0 (50.131.xxx.xxx). The same server connects to the LAN via eth1 (192.168.138.1 on 192.168.138.0/24). On the same server, I run libvirt, which created another subnet at 192.168.122.0/24. The currently only guest is at 192.168.122.10.
I'm trying to get routing on the server set up, and I'm stuck.
From my laptop on the LAN (192.168.138.18), I can ssh into the guest, the server, and the public internet. However, I can only partially do the reverse: From my guest, I can ssh into the server but I cannot ssh into the laptop, or reach the public internet.
This is Ubuntu 12.04 LTS on the server, and 13.04 on the guest.
On the guest:
guest> traceroute serverfault.com
1 192.168.122.1 (192.168.122.1) 0.644 ms 0.577 ms 0.564 ms
2 * * *
(and so forth)
Here's some data that hopefully helps somebody more knowledgeable than me.
guest> ip r
default via 192.168.122.1 dev eth0
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.10
server> cat /proc/sys/net/ipv4/ip_forward
1
server> ifconfig
eth0 Link encap:Ethernet HWaddr 6c:f0:49:0e:09:b2
inet addr:50.131.xxx.xxx Bcast:255.255.255.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:670219 errors:0 dropped:0 overruns:0 frame:0
TX packets:532895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:271653035 (271.6 MB) TX bytes:70403086 (70.4 MB)
Interrupt:41
eth1 Link encap:Ethernet HWaddr 00:c0:49:fa:1f:da
inet addr:192.168.138.1 Bcast:192.168.138.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:539044 errors:0 dropped:0 overruns:0 frame:0
TX packets:563204 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:72237497 (72.2 MB) TX bytes:272391132 (272.3 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14143 errors:0 dropped:0 overruns:0 frame:0
TX packets:14143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8000728 (8.0 MB) TX bytes:8000728 (8.0 MB)
virbr0 Link encap:Ethernet HWaddr 52:54:00:9e:51:10
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1655 errors:0 dropped:0 overruns:0 frame:0
TX packets:2067 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:188811 (188.8 KB) TX bytes:242584 (242.5 KB)
vnet0 Link encap:Ethernet HWaddr fe:54:00:cf:1f:41
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1655 errors:0 dropped:0 overruns:0 frame:0
TX packets:4105 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:211981 (211.9 KB) TX bytes:348362 (348.3 KB)
server> brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.5254009e5110 yes virbr0-nic
vnet0
server> ip route
default via 50.131.xxx.1 dev eth0 metric 100
50.131.xxx.0/22 dev eth0 proto kernel scope link src 50.131.xxx.xxx
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.138.0/24 dev eth1 proto kernel scope link src 192.168.138.1
server> virsh net-list
Name State Autostart
-----------------------------------------
default active yes
server> virsh net-edit default
<network>
<name>default</name>
<uuid>ddc855bf-8794-f4de-f1f9-7480edf9f419</uuid>
<forward mode='route'/>
<bridge name='virbr0' stp='on' delay='20' />
<mac address='52:54:00:9E:51:10'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.100' end='192.168.122.254' />
<host mac='52:54:00:cf:1f:41' name='guest.example.com' ip='192.168.122.10' />
</dhcp>
</ip>
</network>
server> tail /etc/sysctl.conf
...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
I also run ufw. It says:
server> ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
53/tcp ALLOW 192.168.138.0/24
53/udp ALLOW 192.168.138.0/24
21 ALLOW 192.168.138.0/24
192.168.138.0/24 ALLOW 192.168.138.0/24
192.168.122.0/24 ALLOW 192.168.138.0/24
192.168.138.0/24 ALLOW 192.168.122.0/24
192.168.122.0/24 ALLOW 192.168.122.0/24
To me, it sounds like something really obvious, but then, not to me it seems ...
-- Added: The behavior is the same even if I disable ufw. But here is the output of iptables-save:
# Generated by iptables-save v1.4.12 on Mon Jul 29 08:57:10 2013
*mangle
:PREROUTING ACCEPT [4511095:1341076448]
:INPUT ACCEPT [79374:20510726]
:FORWARD ACCEPT [4428917:1318506209]
:OUTPUT ACCEPT [72504:23698077]
:POSTROUTING ACCEPT [4501421:1342204286]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Jul 29 08:57:10 2013
# Generated by iptables-save v1.4.12 on Mon Jul 29 08:57:10 2013
*nat
:PREROUTING ACCEPT [33012:2764507]
:INPUT ACCEPT [16436:1476129]
:OUTPUT ACCEPT [10423:864202]
:POSTROUTING ACCEPT [10487:868042]
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 29 08:57:10 2013
# Generated by iptables-save v1.4.12 on Mon Jul 29 08:57:10 2013
*filter
:INPUT DROP [1335:71456]
:FORWARD ACCEPT [3360867:988924571]
:OUTPUT ACCEPT [18:936]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -d 192.168.122.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -d 192.168.138.0/24 -j ACCEPT
-A ufw-user-input -s 192.168.138.0/24 -d 192.168.122.0/24 -j ACCEPT
-A ufw-user-input -s 192.168.122.0/24 -d 192.168.138.0/24 -j ACCEPT
-A ufw-user-input -s 192.168.122.0/24 -d 192.168.122.0/24 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Jul 29 08:57:10 2013
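An added example, not from the original post, that audits an iptables-save dump for forwarded subnets leaving an egress interface without source NAT. It parses the *nat table, keeps the POSTROUTING rules that MASQUERADE or SNAT on the egress interface, and reports every internal subnet not covered by one: a host with ip_forward=1 and a permissive FORWARD chain sends such packets upstream with their private source address, and nothing routes the replies back. It also flags rules that appear twice. The dump below is the *nat table from the post plus one FORWARD line; which subnets count as internal, and eth0 as the egress interface, are assumptions supplied by the caller. libvirt adds MASQUERADE rules itself only for networks in forward mode 'nat', not 'route'. The guest-to-laptop path is a routing question this check does not cover.

```python
"""Report internal subnets without MASQUERADE/SNAT on the egress interface."""
import ipaddress
import shlex
from collections import Counter

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [33012:2764507]
:INPUT ACCEPT [16436:1476129]
:OUTPUT ACCEPT [10423:864202]
:POSTROUTING ACCEPT [10487:868042]
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.138.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [1335:71456]
:FORWARD ACCEPT [3360867:988924571]
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
"""


def postrouting_rules(dump):
    """Yield the argv of every '-A POSTROUTING' rule in the *nat table."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "nat" and line.startswith("-A POSTROUTING"):
            yield shlex.split(line)


def _opt(argv, flag):
    """Value following a flag in an iptables rule, or None if absent.
    Negated matches ('! -s ...') are not handled."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit_nat(dump, egress, internal):
    """Return {'unnatted': [...], 'duplicates': [...], 'suggested': [...]}."""
    rules = list(postrouting_rules(dump))

    # Source networks that get NAT on the egress interface (None = any source).
    natted = []
    for argv in rules:
        if _opt(argv, "-j") not in ("MASQUERADE", "SNAT"):
            continue
        if _opt(argv, "-o") not in (None, egress):
            continue
        src = _opt(argv, "-s")
        natted.append(ipaddress.ip_network(src, strict=False) if src else None)

    unnatted = []
    for net in internal:
        n = ipaddress.ip_network(net, strict=False)
        if not any(r is None or n.subnet_of(r) for r in natted):
            unnatted.append(net)

    counts = Counter(" ".join(argv) for argv in rules)
    duplicates = [rule for rule, c in counts.items() if c > 1]
    suggested = ["-A POSTROUTING -s %s -o %s -j MASQUERADE" % (net, egress)
                 for net in unnatted]
    return {"unnatted": unnatted, "duplicates": duplicates, "suggested": suggested}


if __name__ == "__main__":
    report = audit_nat(SAMPLE_DUMP, "eth0", ["192.168.138.0/24", "192.168.122.0/24"])
    for key, value in report.items():
        print(key, value)
```

Run it as `iptables-save | python3 audit_nat.py` after replacing SAMPLE_DUMP with sys.stdin.read(); the suggested rule is only a starting point, since a subnet that is meant to reach the upstream through a separate router should not be masqueraded here.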
The mountall man page says "this is a temporary tool until init(8) itself" can do it, basically. Why not just use mount -a? Is there a difference between the two, and if so, which should I use for what?
I'd like to know what my local postfix says to the Amazon SES smtpd after the STARTTLS. In plain text, so I can understand it. Amazon SES requires TLS, so I can't temporarily turn it off.
I currently log both legs of the traffic with this trick:
mkfifo proxypipe
cat proxypipe | nc -l 11111 | tee -a inflow | nc email-smtp.us-east-1.amazonaws.com smtp | tee -a outflow 1>proxypipe
and then I have postfix talk to localhost:11111 instead of email-smtp.us-east-1.amazonaws.com:25. This produces a nice transcript, as long as they are talking in clear text. As soon as STARTTLS shows up, everything turns gibberish of course.
Is there some trick I can route this through openssl, or post-process using openssl or something like that, to figure out what exactly they said to each other? Googling has not produced any answer.
I'm trying to use Amazon SES as an SMTP gateway for my EC2 Ubuntu 'precise' server, using different SES accounts for different originating e-mail domains. The postfix documentation seems to imply that is possible, but SES always claims I'm using the wrong credentials ("535 Authentication Credentials Invalid"). The credentials work if I route all e-mail via the relayhost directive to the same SES account.
Here's what I have.
main.cf (relevant sections):
relayhost =
sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_dependent_relayhost_map
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = regexp:/etc/postfix/smtp_sasl_password_map
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
sender_dependent_relayhost_map:
/.*@example\.com/ [email-smtp.us-east-1.amazonaws.com]:25
smtp_sasl_password_map:
/.*@example\.com/ AK...:34.../...
where AK... is the AWSAccessKeyId and 34.../... is the AWSSecretKey.
The error message in /var/log/mail.log is:
Aug 20 21:47:39 example postfix/smtp[18496]: DE1E14218D: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[23.23.139.32] said: 535 Authentication Credentials Invalid
Is there some way I can see what credentials it is attempting to use?
--
Update: To debug, I have replaced my regexp maps with mysql maps, and switched on SQL query logging. This way I can see how those maps are evaluated. It's sort of interesting. First, I'm getting:
SELECT host FROM sender_dependent_relayhost_map WHERE sender='[email protected]'
If this returns localhost:11111, I can run netcat at that port, and get an incoming SMTP connection. So that part seems to be working fine.
Then, I'm getting repeated queries of the type:
SELECT userpass FROM smtp_sasl_password_map WHERE sender=...
first evaluated with '[email protected]', then (if not found) with '@example.com' (not something I found in the docs), and then, surprisingly, with the smtp server found from the previous sender_dependent_relayhost_map query, and finally with '<>' (presumably the global default).
But if I return 'AK...:34.../...' (the Amazon SES credential) from that second table, I still get the same authentication error from Amazon. So there is progress, but no resolution yet.
I'm trying to create a script that formats an Amazon EC2 EBS volume, so I can mount it.
From the command-line, it looks like this:
> mkfs -q -t ext4 /dev/sdf
/dev/sdf is entire device, not just one partition!
Proceed anyway? (y,n)
(The command is correct; no need to create a partition table for my purpose)
My problem: because this command is supposed to be run in an automated script, I can't have that question on the terminal; nobody will be answering and the script will hang. How do I avoid this?
I tried:
> echo y | mkfs -q -t ext4 /dev/sdf
but that doesn't do the trick. The -q option makes no difference either.
I'm trying to understand the difference between the following two terms:
*:80
_default_:80
in the Apache configuration file. The documentation here is unclear to me, and the only mailing list conversation that I could find here does not shed any (comprehensible, to me) light on the matter either.
I have a bunch of name-based virtual hosts declared like this:
<VirtualHost *:80>
ServerName example.com
...
and I'd like to have an entry that fires when none of those match, i.e. when a request comes in without a virtual host name, or with a virtual host name that has not been declared. Should I use *:80 or _default_:80?
I have a mysql user that currently has the following privileges:
mysql> show grants;
+--...--+
| Grants for debian-sys-maint@localhost
+--...--+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*DA604C65D4EFF216D1F61FCD42726FA881FB6562' WITH GRANT OPTION |
+--...--+
I'd like it to be able to do that to another user:
mysql> grant all privileges on *.* to 'foo'@'%' identified by 'bar';
ERROR 1045 (28000): Access denied for user 'debian-sys-maint'@'localhost' (using password: YES)
What am I doing wrong?
We have a bunch of SSH, GPG, SSL and other private keys that, obviously:
What are the best practices here? Do you store them on a bunch of flash USB sticks in a safe? Do you make copies? How many copies, and how do make sure they stay in sync (keys expire, get replaced, new keys are added etc.) Do you encrypt them? (with what, and how do you bootstrap?)
I've failed to turn up any useful practical info, so I'm interested in all experiences, good, bad, etc. from which we could learn.
Also, is there any open-source software that helps with this?
In a .htaccess file, I have something like this to proxy Apache to Tomcat:
RewriteRule (.*) http://localhost:8080/tomcat-app/$1 [P]
All the redirects as well as internal links in HTML files are going to the Tomcat app directly, rather than to Apache.
So I would use ProxyPassReverse and the like to translate correctly, but apparently I'm not allowed to use that directive in a .htaccess file. I don't really want to put them into the master Apache configuration because that means rebooting Apache every time there is a change. Which is why I like the RewriteRule [P]: unlike ProxyPass, it can be put into .htaccess.
What can I do to simulate ProxyPassReverse in a .htaccess file? Or more specifically, without requiring reboots on any change?
I noticed that dig google.com produces four distinct IP addresses. What does that mean? It could be
Or is this just supposed to be round-robin? (If so, why would it return 4 values, instead of just 1?)
I'm sort of hoping it means that browsers would try all four in sequence until they got one that works.
Here's what I'm getting from dig google.com:
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 293 IN A 74.125.19.99
google.com. 293 IN A 74.125.19.103
google.com. 293 IN A 74.125.19.104
google.com. 293 IN A 74.125.19.147
;; AUTHORITY SECTION:
google.com. 81797 IN NS ns2.google.com.
google.com. 81797 IN NS ns4.google.com.
google.com. 81797 IN NS ns1.google.com.
google.com. 81797 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 255049 IN A 216.239.32.10
ns2.google.com. 230304 IN A 216.239.34.10
ns3.google.com. 231860 IN A 216.239.36.10
ns4.google.com. 58735 IN A 216.239.38.10
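An added example, not from the original post, implementing the behaviour the post hopes for: walk through every A record until one accepts a connection. dig shows the four addresses the resolver hands back, and a resolver typically rotates their order between queries (round-robin); what a client does when the first address is down is entirely up to that client. The code parses the ANSWER section of the dig transcript above (copied into a constant) and then connects to the addresses in turn, returning the first that answers. The connect function is a parameter so the fallback logic can be exercised with a stand-in instead of real sockets.

```python
"""Parse A records from dig output and connect to the first reachable one."""
import re
import socket

# Trimmed copy of the dig transcript from the post.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 293 IN A 74.125.19.99
google.com. 293 IN A 74.125.19.103
google.com. 293 IN A 74.125.19.104
google.com. 293 IN A 74.125.19.147
;; AUTHORITY SECTION:
google.com. 81797 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 230304 IN A 216.239.34.10
"""

_A_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$",
                   re.MULTILINE)


def parse_a_records(dig_text, owner):
    """A records for `owner` (with trailing dot) in the order dig printed them.
    Filtering by owner skips the glue records in the ADDITIONAL section."""
    return [addr for name, _ttl, addr in _A_RR.findall(dig_text) if name == owner]


def connect_first(addrs, port, timeout=3.0, connect=socket.create_connection):
    """Try each address in order; return (addr, sock, errors).

    addr and sock are None when every attempt failed. errors maps each
    failed address to its exception, so a partial outage stays visible to
    the caller even when the call as a whole succeeded.
    """
    errors = {}
    for addr in addrs:
        try:
            sock = connect((addr, port), timeout=timeout)
            return addr, sock, errors
        except OSError as exc:          # refused, unreachable, timed out
            errors[addr] = exc
    return None, None, errors


if __name__ == "__main__":
    candidates = parse_a_records(DIG_OUTPUT, "google.com.")
    print("candidates:", candidates)
    addr, sock, errors = connect_first(candidates, 80)
    print("connected to", addr, "after failures on", list(errors))
    if sock is not None:
        sock.close()
```

The per-attempt timeout matters more than the loop: a single 3-second timeout on each of four dead addresses is a 12-second stall before the caller hears anything, which is why production clients race or interleave attempts rather than strictly serialise them.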