Olivier's questions

I recently reinstalled a kubernetes cluster using kubeadm, and trying some helm charts I encountered a strange behavior that I don't understand.

ClusterIP services are supposed to accessible only from the cluster, and so far all services used to work that way. But trying kube-prometheus from bitnami, I end up with a few ClusterIP services that somehow highjack the host IP and are publicly exposed. Did not think it was possible without any Ingress/NodePort/etc.

Here is the actual service:

kind: Service
apiVersion: v1
metadata:
  name: kube-prometheus-node-exporter
  namespace: kube-prometheus
  selfLink: /api/v1/namespaces/kube-prometheus/services/kube-prometheus-node-exporter
  uid: 0c4cd5a1-4849-4635-a656-238a5c3b4b78
  resourceVersion: '20388'
  creationTimestamp: '2020-09-08T18:08:17Z'
  labels:
    app.kubernetes.io/instance: kube-prometheus
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: node-exporter
    app.kubernetes.io/version: 1.0.1
    helm.sh/chart: node-exporter-1.1.0
    jobLabel: node-exporter
  annotations:
    meta.helm.sh/release-name: kube-prometheus
    meta.helm.sh/release-namespace: kube-prometheus
    prometheus.io/scrape: 'true'
  managedFields:
    - manager: Go-http-client
      operation: Update
      apiVersion: v1
      time: '2020-09-08T18:08:17Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:meta.helm.sh/release-name': {}
            'f:meta.helm.sh/release-namespace': {}
            'f:prometheus.io/scrape': {}
          'f:labels':
            .: {}
            'f:app.kubernetes.io/instance': {}
            'f:app.kubernetes.io/managed-by': {}
            'f:app.kubernetes.io/name': {}
            'f:app.kubernetes.io/version': {}
            'f:helm.sh/chart': {}
            'f:jobLabel': {}
        'f:spec':
          'f:ports':
            .: {}
            'k:{"port":9100,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector':
            .: {}
            'f:app.kubernetes.io/instance': {}
            'f:app.kubernetes.io/name': {}
          'f:sessionAffinity': {}
          'f:type': {}
spec:
  ports:
    - name: metrics
      protocol: TCP
      port: 9100
      targetPort: metrics
  selector:
    app.kubernetes.io/instance: kube-prometheus
    app.kubernetes.io/name: node-exporter
  clusterIP: 10.107.104.65
  type: ClusterIP
  sessionAffinity: None
status:
  loadBalancer: {}

Nothing stands out as to why this one would end up public (eg. can access using host IP like: http://xx.yy.150.105:9100/metrics).

Any idea what I could be missing?

I'm trying to setup a cron job to reboot devices daily. With a safe callback to a SysRq reset if for some reason the reboot does hang (issue being that SSH gets killed and the device never reboots so it is lost and requires costly human intervention to restart).

The script that used to work for a while:

5 5 * * * root /sbin/reboot -f; sleep 30; /bin/echo `date -u +'\%Y-\%m-\%dT\%H:\%M:\%SZ'` >> /var/log/player-reboot.error.log; echo 1 > /proc/sys/kernel/sysrq; sync; echo b > /proc/sysrq-trigger

However it's pretty brutal (hard reboot -f) and some of our devices did not recover recently (a couple over thousands every day).

Not sure what hangs (looks like the file is never written so I'd say either the reboot itself or the echo hangs?

Was looking to use ampersands & to never "lock" and be sure that a proper reset will happen eventually, however it does not seem to work at all (no more reboots):

5 5 * * * root /sbin/shutdown -r +2 &; sleep 240; /bin/echo `date -u +'\%Y-\%m-\%dT\%H:\%M:\%SZ'` >> /var/log/player-reboot.error.log &; echo 1 > /proc/sys/kernel/sysrq; sleep 1; echo b > /proc/sysrq-trigger

Can I use the ampersand in a cron script? Do you know another smarter way to achieve the desired results? Thanks!

I've recently setup watchdog using Intel hardware TCO that does automatically reboot the system it crashes (using Ubuntu LTS).

In watchdog.conf you can configure a timeout before reboot.

Defaults to 60secs.

Since my devices are playing audio in store which can be really problematic when there is a crash (sound gets stuck in a loop!). I'd like to know how low I could go?

I've used the default in_memory=true and realtime=true.

Thanks!

I'm using Nginx to act as an SSL proxy inside a docker container listening on port 443. The proxy correctly works and properly routes trafic to another Nginx instance upstream on port 80 (that lives inside another container).

I'm encountering mixed content issues, and I'm not sure what would be the proper fix:

A request aimed at a folder (but without the trailing slash) like: https://example.com/mediafiles/bar gets properly routed to the second NginX instance.

However it gets a 301 to an http url (response headers):

$ curl -IL https://example.com/mediafiles/bar

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 15 Jun 2015 15:16:29 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://example.com/mediafiles/bar/
X-UA-Compatible: IE=Edge,chrome=1

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 15 Jun 2015 15:16:29 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://example.com/mediafiles/bar/

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 Jun 2015 15:16:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1786
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Wed, 18 Mar 2015 23:09:35 GMT
Vary: Accept-Encoding
ETag: "550a05af-6fa"
Accept-Ranges: bytes
X-UA-Compatible: IE=Edge,chrome=1

Probably caused by this common try_files config (EDIT: apparently it's not issuing redirects).

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ /index.php?$args;
}

I've posted the full upstream config here: https://gist.github.com/mgcrea/f149d0481ad1fa1c2207

And the relevant proxy config here: https://gist.github.com/mgcrea/26ef92026a20ccc22226

This 301 to an http resource triggers a mixed content error:

Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure resource 'http://example.com/mediafiles/bar/'. This request has been blocked; the content must be served over HTTPS.

Any ideas?

Seems to be related: https://stackoverflow.com/questions/15555428/nginx-causes-301-redirect-if-theres-no-trailing-slash

I do configure ufw to deny outgoing trafic by default. On a fresh Ubuntu 12.04 install, I always get some random-like UDP trafic.

I am curious to what generates this & how should I allow it (if I should).

http://www.cloudshark.org/captures/84a949429ebf

Apr 13 16:46:01 ksxxxxxx kernel: [ 5789.789257] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53787 DPT=6122 LEN=197 
Apr 13 16:46:01 ksxxxxxx kernel: [ 5789.793820] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=221 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47086 DPT=6193 LEN=201 
Apr 13 16:46:01 ksxxxxxx kernel: [ 5789.799648] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=194 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=48428 DPT=6157 LEN=174 
Apr 13 16:46:01 ksxxxxxx kernel: [ 5789.799752] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=225 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57981 DPT=6151 LEN=205 
Apr 13 16:47:01 ksxxxxxx kernel: [ 5849.760034] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=227 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=54342 DPT=6161 LEN=207 
Apr 13 16:47:01 ksxxxxxx kernel: [ 5849.767767] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=211 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=55225 DPT=6131 LEN=191 
Apr 13 16:47:01 ksxxxxxx kernel: [ 5849.769004] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=194 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40362 DPT=6184 LEN=174 
Apr 13 16:47:01 ksxxxxxx kernel: [ 5849.769114] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=225 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52239 DPT=6122 LEN=205 
Apr 13 16:48:01 ksxxxxxx kernel: [ 5909.723448] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=227 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=48456 DPT=6179 LEN=207 
Apr 13 16:48:01 ksxxxxxx kernel: [ 5909.733470] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=59141 DPT=6113 LEN=175 
Apr 13 16:48:01 ksxxxxxx kernel: [ 5909.739756] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40221 DPT=6100 LEN=190 
Apr 13 16:48:01 ksxxxxxx kernel: [ 5909.739860] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=225 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57698 DPT=6197 LEN=205 
Apr 13 16:49:01 ksxxxxxx kernel: [ 5969.701304] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=227 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37077 DPT=6127 LEN=207 
Apr 13 16:49:01 ksxxxxxx kernel: [ 5969.709773] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=211 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=45619 DPT=6149 LEN=191 
Apr 13 16:49:01 ksxxxxxx kernel: [ 5969.714111] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=194 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41899 DPT=6106 LEN=174 
Apr 13 16:49:01 ksxxxxxx kernel: [ 5969.714278] [UFW BLOCK] IN= OUT=eth0 SRC=91.xxx.136.127 DST=91.xxx.136.251 LEN=225 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56039 DPT=6163 LEN=205 

When I setup a new webserver (apache/mysql/nodejs/mongodb), I have the habit of storing every www-related asset (apache www-files, node js-apps, mysql/mongodb db files) into /srv/www that I symlink to /home/srv.

Did this in order to easily backup everything (since everything is in /home) and to store everything in a large isolated partition (usually 50G for / & everything else except swap to /home).

I've read that I could encounter some mounting issues doing this.

Is this considered bad practice?

mkdir --mode=0755 /home/srv; rm -rf /srv; ln -s /home/srv /srv && chown root:root /home/srv
mkdir --mode=0770 /srv/www; chown www-data:www-data /srv/www

I've got two local files, one config.sh that contains variable definitions, another script.sh that contains a bash script.

Locally, I can do:

source config.sh; bash script.sh

I'm looking for the same thing via ssh, so far I got this working:

ssh user@host 'bash -s' < script.sh

But I'm not sure if I should use cat or some input pipes <(...) to get both config.sh & script.sh to be executed.

What would be the best, clean way to execute multiple commands that require some content to be piped in with ssh?

I did thought the following commands where equivalent, but they produce different checksums:

tar -cvzf ... and tar -cvf ...; gzip ... does not produce the same output.

sha1sumdiffers.

What would be the gzip command that would perfectly match the tar -cvzf behavior?

I can't explain why, but somehow during the night, one of my MySQL running on an Ubuntu 12.04.1 box broke. The service is running but I can't login anymore (to SQL), the previous password is not working anymore.

It does not looks like the server has been compromised (nothing in /var/auth.log)

It looks like some automatic security upgrade (server is configured to perform those) has occured and broke something. The MySQL server has restarted a couple of times in the logs at the time errors started to happen (I get email when CRON task fail).

In the logs it complains about an unset root password (I do have cron job running all day using SQL so the password was set & working for months). Anyway I can't login without password either!

Do you have any idea of what could have happened? How do I get my databases back?

This line looks strange :

Nov  6 06:36:12 ns398758 mysqld_safe[6676]: ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1

Here is the full log below :

Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: To do so, start the server, then issue the following commands:
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: /usr/bin/mysqladmin -u root password 'new-password'
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: /usr/bin/mysqladmin -u root -h ns398758.ovh.net password 'new-password'
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: Alternatively you can run:
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: /usr/bin/mysql_secure_installation
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: which will also give you the option of removing the test
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: databases and anonymous user created by default.  This is
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: strongly recommended for production servers.
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: See the manual for more instructions.
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: Please report any problems with the /usr/scripts/mysqlbug script!
Nov  6 06:36:06 ns398758 mysqld_safe[6586]: 
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 [Note] Plugin 'FEDERATED' is disabled.
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: The InnoDB memory heap is disabled
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: Mutexes and rw_locks use GCC atomic builtins
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: Compressed tables use zlib 1.2.3.4
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: Initializing buffer pool, size = 128.0M
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: Completed initialization of buffer pool
Nov  6 06:36:06 ns398758 mysqld_safe[6632]: 121106  6:36:06 InnoDB: highest supported file format is Barracuda.
Nov  6 06:36:07 ns398758 mysqld_safe[6632]: 121106  6:36:07  InnoDB: Waiting for the background threads to start
Nov  6 06:36:08 ns398758 mysqld_safe[6632]: 121106  6:36:08 InnoDB: 1.1.8 started; log sequence number 29276459701
Nov  6 06:36:08 ns398758 mysqld_safe[6632]: 121106  6:36:08  InnoDB: Starting shutdown...
Nov  6 06:36:09 ns398758 mysqld_safe[6632]: 121106  6:36:09  InnoDB: Shutdown completed; log sequence number 29276459701
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 [Note] Plugin 'FEDERATED' is disabled.
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: The InnoDB memory heap is disabled
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: Mutexes and rw_locks use GCC atomic builtins
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: Compressed tables use zlib 1.2.3.4
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: Initializing buffer pool, size = 128.0M
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: Completed initialization of buffer pool
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11 InnoDB: highest supported file format is Barracuda.
Nov  6 06:36:11 ns398758 mysqld_safe[6676]: 121106  6:36:11  InnoDB: Waiting for the background threads to start
Nov  6 06:36:12 ns398758 mysqld_safe[6676]: 121106  6:36:12 InnoDB: 1.1.8 started; log sequence number 29276459701
Nov  6 06:36:12 ns398758 mysqld_safe[6676]: ERROR: 1064  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1
Nov  6 06:36:12 ns398758 mysqld_safe[6676]: 121106  6:36:12 [ERROR] Aborting
Nov  6 06:36:12 ns398758 mysqld_safe[6676]: 
Nov  6 06:36:12 ns398758 mysqld_safe[6676]: 121106  6:36:12  InnoDB: Starting shutdown...
Nov  6 06:36:13 ns398758 mysqld_safe[6676]: 121106  6:36:13  InnoDB: Shutdown completed; log sequence number 29276459701
Nov  6 06:36:13 ns398758 mysqld_safe[6676]: 121106  6:36:13 [Note] /usr/sbin/mysqld: Shutdown complete
Nov  6 06:36:13 ns398758 mysqld_safe[6676]: 
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 [Note] Plugin 'FEDERATED' is disabled.
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: The InnoDB memory heap is disabled
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: Mutexes and rw_locks use GCC atomic builtins
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: Compressed tables use zlib 1.2.3.4
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: Initializing buffer pool, size = 128.0M
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: Completed initialization of buffer pool
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13 InnoDB: highest supported file format is Barracuda.
Nov  6 06:36:13 ns398758 mysqld_safe[6697]: 121106  6:36:13  InnoDB: Waiting for the background threads to start
Nov  6 06:36:14 ns398758 mysqld_safe[6697]: 121106  6:36:14 InnoDB: 1.1.8 started; log sequence number 29276459701
Nov  6 06:36:14 ns398758 mysqld_safe[6697]: 121106  6:36:14  InnoDB: Starting shutdown...
Nov  6 06:36:15 ns398758 mysqld_safe[6697]: 121106  6:36:15  InnoDB: Shutdown completed; log sequence number 29276459701
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 [Note] Plugin 'FEDERATED' is disabled.
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: The InnoDB memory heap is disabled
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: Mutexes and rw_locks use GCC atomic builtins
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: Compressed tables use zlib 1.2.3.4
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: Initializing buffer pool, size = 128.0M
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: Completed initialization of buffer pool
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15 InnoDB: highest supported file format is Barracuda.
Nov  6 06:36:15 ns398758 mysqld_safe[6718]: 121106  6:36:15  InnoDB: Waiting for the background threads to start
Nov  6 06:36:16 ns398758 mysqld_safe[6718]: 121106  6:36:16 InnoDB: 1.1.8 started; log sequence number 29276459701
Nov  6 06:36:16 ns398758 mysqld_safe[6718]: ERROR: 1050  Table 'plugin' already exists
Nov  6 06:36:16 ns398758 mysqld_safe[6718]: 121106  6:36:16 [ERROR] Aborting
Nov  6 06:36:16 ns398758 mysqld_safe[6718]: 
Nov  6 06:36:16 ns398758 mysqld_safe[6718]: 121106  6:36:16  InnoDB: Starting shutdown...
Nov  6 06:36:17 ns398758 mysqld_safe[6718]: 121106  6:36:17  InnoDB: Shutdown completed; log sequence number 29276459701
Nov  6 06:36:17 ns398758 mysqld_safe[6718]: 121106  6:36:17 [Note] /usr/sbin/mysqld: Shutdown complete
Nov  6 06:36:17 ns398758 mysqld_safe[6718]: 
Nov  6 06:36:19 ns398758 /etc/mysql/debian-start[6816]: Upgrading MySQL tables if necessary.
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: Looking for 'mysql' as: /usr/bin/mysql
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: Running 'mysqlcheck' with connection arguments: '--port=3306' '--socket=/var/run/mysqld/mysqld.sock' '--host=localhost' '--socket=/var/run/mysqld/mysqld.sock' '--host=localhost' '--socket=/var/run/mysqld/mysqld.sock' 
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: Running 'mysqlcheck' with connection arguments: '--port=3306' '--socket=/var/run/mysqld/mysqld.sock' '--host=localhost' '--socket=/var/run/mysqld/mysqld.sock' '--host=localhost' '--socket=/var/run/mysqld/mysqld.sock' 
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: col_digitas.acos                                   OK
Nov  6 06:36:20 ns398758 /etc/mysql/debian-start[6819]: col_digitas.aros                                   OK
...

I'm trying to redirect all HTTP/HTTPS trafic from one server to another (via IP).

I do use the ufw firewall. How can I configure it do to so?

Just installed a new fresh 12.04 ubuntu server.

Always used the boilerplate redirection to remove www but it looked like it did not support https so I started looking around. Tried everything I found & somehow http "www" removal works well but https won't redirect.

Here is what I use (in a bp_rewrite.conf file in /etc/apache2/conf.d) :

# Rewrite "www.example.com -> example.com"

<IfModule mod_rewrite.c>
  RewriteCond %{HTTP_HOST} ^www\.(.+)
  RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
  RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]
</IfModule>

Has anyone experienced this?

Using this devStack guide : Running a Cloud in a VM to test OpenStack.

What would be the steps to get the correct juju configuration from a fresh devStack setup?

EDIT : Found out the first configuration parameters but I still did not succeed in making juju boostrap work, check my answer below.

Looking at this Ask Ubuntu Question :

You just need to explicitly set the right keys in environments.yaml, specifically ec2-uri, s3-uri, access-key, default-image-id and secret-key.

Your keystone bits should be producing the access key ID and secret key that will be used to populate those fields.

So does anyone knows how do you get keystone to provide you the access and secret key? And what would be the ec2-uri, s3-uri?

Usually when I setup a new Ubuntu VM, i keep the eth0 in NAT mode to get the internet & I add a eth1 interface in HostOnly mode so that I can ssh.

But using this devStack guide : Running a Cloud in a VM, it looks like it tried to use eth0 as the public interface (install got stuck because eth0 lost the network).

I know an OpenStack setup usually requires two NICs, so I'm wondering what is the correct configuration for my VM.

Possible Duplicate:
Can you help me with my capacity planning?

Having worked for weeks on a new mobile app product, we are finally preparing a public launch in the coming weeks. However we wonder if our Europe based servers will be good enough (latency, etc.) for american users. Tested on dotcom-monitor.com and we got around 150ms for CA. Is it good enough?

We are exploring EC2 options but it is way more costly than local dedicated hosting, and I've been told that you should not care / work that much on scalability at early stages.

Considering the time&cost it would take to go to a replicated EC2 worldwide setup, we are not sure wether we want to commit on this too soon.

• More info about the BW usage :

On startup, the app performs 3 ajax request to our API (1 login + info & 2 indexes). Typical bw usage would be around 5k (gziped). From europe the biggest request takes 62ms connecting (34ms ssl) & 140ms processing. After that, the app is 100% usable, it will only perform one request at a time on user interaction / push.

I have a website that works perfectly with Chrome & other browser but i get some errors with PHP in CLI mode so i'm investigating it, running this:

openssl s_client -showcerts -verify 32 -connect dev.carlipa-online.com:443

Quite suprisingly my HTTPS appears untrusted with a Verify return code: 27 (certificate not trusted) Here is the raw output :

verify depth is 32
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=27:certificate not trusted
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = khKDXfnS0WtB8DgV0CAdsmWrXl-Ia9wZ, C = FR, O = *.carlipa-online.com, OU = GT44535187, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.carlipa-online.com
verify return:1

So GeoTrust Global CA appears to be not trusted on the system (Ubuntu 11.10). Added Equifax_Secure_CA to try to solve this... But i get in this case Verify return code: 19 (self signed certificate in certificate chain) !

Raw output :

verify depth is 32
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = khKDXfnS0WtB8DgV0CAdsmWrXl-Ia9wZ, C = FR, O = *.carlipa-online.com, OU = GT44535187, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.carlipa-online.com
verify return:1

Edit

Looks like my server does not trust/provide the Equifax Root CA, however i do correctly have the file in /usr/share/ca-certificates/mozilla/Equifax...