Antonius Bloch's questions

I've got a HAProxy 1.5.9 server that will serve either a certificate signed by a self signed CA or a Let's Encrypt certificate depending on which 'servername' is provided. This is my configuration file:

defaults
  mode tcp
  option clitcpka

listen ft_app
  bind *:5000 ssl crt /certs/private.pem ca-file /app/certs/self-signed-ca.pem crt /certs/self-signed.pem crt /app/certs/lets-encrypt.pem ciphers AES:ALL:!aNULL:!eNULL:!3DES:!DES:!RC4:!DHE:!EDH:!MD5:!PSK:!aECDH:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11

  mode tcp
  option tcplog
  tcp-request inspect-delay 10s

  use_backend app_http if HTTP
  default_backend app_tcp

backend app_http
  mode http
  option httplog
  balance roundrobin

  reqadd X-Forwarded-Proto:\ https
  cookie SRVID insert indirect nocache
  http-check expect status 200

  server app_4 10.10.10.4:15672 cookie app_4 check inter 10s rise 2 fall 2
  server app_3 10.10.10.3:15672 cookie app_3 check inter 10s rise 2 fall 2
  server app_2 10.10.10.2:15672 cookie app_2 check inter 10s rise 2 fall 2
backend app_tcp
  option tcp-check
  server app_4 10.10.10.4:5672 check inter 10s rise 2 fall 2
  server app_3 10.10.10.3:5672 check inter 10s rise 2 fall 2
  server app_2 10.10.10.2:5672 check inter 10s rise 2 fall 2

It works. What I don't understand here is exactly how HAProxy selects which certificate to serve up. I assume that is grabbing the 'servername' from the certificate metadata. If so exactly which field, and how do I examine it, openssl x509 -in ca.pem -text -noout doesn't seem to have any likely suspects.

I see these constantly in my Elasticsearch 5.6.3 logs. Is this a signal that I should scale up and add more RAM? Or is this just normal operations for ElasticSearch?

    [GC (Allocation Failure) [ParNew
 Desired survivor size 11141120 bytes, new threshold 15 (max 15)
 - age 1: 1761848 bytes, 1761848 total
 - age 2: 126464 bytes, 1888312 total
 - age 3: 165056 bytes, 2053368 total
 - age 4: 50584 bytes, 2103952 total
 - age 5: 105120 bytes, 2209072 total
 - age 6: 99072 bytes, 2308144 total
 - age 7: 2024 bytes, 2310168 total
 - age 8: 95632 bytes, 2405800 total
 - age 9: 24960 bytes, 2430760 total
 - age 10: 62552 bytes, 2493312 total
 - age 11: 95816 bytes, 2589128 total
 - age 12: 54248 bytes, 2643376 total
 - age 13: 50704 bytes, 2694080 total
 - age 14: 856 bytes, 2694936 total
 - age 15: 4736 bytes, 2699672 total
 : 134451K->3691K(152320K), 0.0031179 secs] 375121K->244360K(500480K), 0.0032213 secs] [Times: user=0.02 sys=0.01, real=0.00 secs] 
 [GC (Allocation Failure) [ParNew
 Desired survivor size 11141120 bytes, new threshold 15 (max 15)
 - age 1: 731712 bytes, 731712 total
 - age 2: 447632 bytes, 1179344 total
 - age 3: 120736 bytes, 1300080 total
 - age 4: 165056 bytes, 1465136 total
 - age 5: 50584 bytes, 1515720 total
 - age 6: 105120 bytes, 1620840 total
 - age 7: 98552 bytes, 1719392 total
 - age 8: 1872 bytes, 1721264 total
 - age 9: 94736 bytes, 1816000 total
 - age 10: 24664 bytes, 1840664 total
 - age 11: 62256 bytes, 1902920 total
 - age 12: 95816 bytes, 1998736 total
 - age 13: 53696 bytes, 2052432 total
 - age 14: 4112 bytes, 2056544 total
 - age 15: 856 bytes, 2057400 total
 : 134251K->3308K(152320K), 0.0042321 secs] 374920K->243982K(500480K), 0.0043257 secs] [Times: user=0.02 sys=0.01, real=0.00 secs] 

As I understand it WiredTiger compresses the journal, collections and indexes. Does it also compress them whilst they are stored in RAM?

For example if my compresses index use 10 MiB on disk can I assume that they also use 10 MiB of RAM? Or should I expect a larger uncompressed index in RAM?

I need to be notified when our proxy server goes down. Currently I have a bash script that tests the proxy functionality:

CHECKRESULT=(curl -s --proxy 4.83.58.205:80 checkip.dyndns.com | awk '{print $6}' | sed 's/<\/body><\/html>\r//g';)


if [ "$CHECKRESULT" != "4.83.58.205" ]
                                then
                                echo "FAILED: proxy 4.83.58.205 returned \" $CHECKRESULT\""
                                FAILEDCOUNT=$(($FAILEDCOUNT+1))
                                fi

I would like to use Zabbix to run a similar check, but how?

I'm trying to establish one half of a GRE tunnel, the other being configured by my service provider. I have a Cisco PIX-506-E running Firewall version 6.3(5).

Provider Router Public IP: 8.8.8.8 My PIX Public IP: 7.7.7.7

Provider Tunnel Address: 192.168.99.1/30 My Tunnel Address: 192.168.99.2/30

I have a constantly running script that I output to a log file:

script.sh >> /var/log/logfile

I'd like to add a timestamp before each line that is appended to the log. Like:

Sat Sep 10 21:33:06 UTC 2011 The server has booted up.  Hmmph.

Is there any jujitsu I can use?

I'm trying to tune Snort performance on a Debian based router. I was seeing stuff like:

snort packet recv contents failure: No buffer space available

So I upped the buffers to 8M and when that didn't work I tried 16M, per the tuning guide at http://fasterdata.es.net/fasterdata/host-tuning/linux/:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Increase TCP Buffers to 16 MB
sysctl -w net.core.rmem_default='16777216'
sysctl -w net.core.wmem_default='16777216'
sysctl -w net.core.rmem_max='16777216'
sysctl -w net.core.wmem_max='16777216'
sysctl -w net.ipv4.tcp_wmem='1048576 4194304 16777216'
sysctl -w net.ipv4.tcp_rmem='1048576 4194304 16777216'
sysctl -w net.core.netdev_max_backlog='30000'
exit 0

Now I don't see the "no buffer space" log entry, but I've got a new one:

net_ratelimit: 44 callbacks suppressed

The only other messages from the same time frame are these martians, maybe that's what's being suppressed?

Jun  4 07:09:36 ilium ntpd_intres[3575]: host name not found: 0.us.pool.ntp.org
Jun  4 14:17:36 ilium kernel: [25743.259951] net_ratelimit: 44 callbacks suppressed
Jun  4 14:17:36 ilium kernel: [25743.259955] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:36 ilium kernel: [25743.259956] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:17:58 ilium kernel: [25765.055449] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:58 ilium kernel: [25765.055451] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:18:43 ilium kernel: [25809.998978] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:18:43 ilium kernel: [25809.998980] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:24:11 ilium kernel: [26138.700143] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:24:11 ilium kernel: [26138.700145] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:28:42 ilium kernel: [26409.130701] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:28:42 ilium kernel: [26409.130703] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00

I imported centos 5.6 into cobbler and set up all the pxe boot stuff. When I netboot it starts the install, but asks me "What type of media contains the packages to be installed". I'm given a choice of CDROM,HTTP,NFS,etc. I want to install from the mirror of the DVD on the cobbler server.

I think I'm missing some high level concepts here. My goal is to just go through a plain vanilla install at first with all the dialogs, and use the choices I make as a template for a kickstart file. For the first install I basically just want to use cobbler to PXE boot the CentOS DVD. This is what I'm doing now:

mount -o loop centos.iso /mnt    
cobbler import --name=centos5 --arch=x86_64 --path=/mnt

At this point the cd rsyncs to my local drive.

cobbler system add --name=myhost comment="Node" --dns-name=myhost.domain.tld --ip-address=192.168.111.201 --mac-addr=00:05:00:21:00:e0  --profile=centos5-x86_64
cobbler sync

I boot the system to PXE and begin the CentOS install. I choose keyboard & language and then I get the dialog "What type of media contains the packages to be installed?". Choices are 'Local CDROM', 'Hard drive', 'NFS image','FTP','HTTP'.

What do I need to do to get the CentOS install to pull the packages from the cobbler server?

I'm migrating from a Windows based server to Linux. One of the last holdouts on the Windows machine is "Campaign Manager", a software tool that runs a query on our member database, generates a list of emails and then emails them all, tracking bounces and other stats. I'd like to find a good replacement on Linux, but I don't have much experience with mass email software.

Can you give me a recommendation of software you have personal experience with?

I want to create a rule that allows anyone on eth1 to access port 80. Can UFW do this or should I go back to using Shorewall?

To clarify: this is a capabilties question, can ufw handle interfaces as a target?

When I restart the network using:

/etc/init.d/networking restart

I get this warning:

 Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces

So what's the best way to restart the network after making changes now?

This problem also applies to Debian as the netbase package is inherited from debian.

I would like my RAID10 to survive the failure of the bootdisk. I want to write grub to the MBR of each disk in the array so that in the case of a failure the array will still boot on the remaining members.

I have a 4 disk array, so in theory I only need 2 grub MBRs, but I don't see the harm in putting the bootloader on all 4.

Grub folder is: /boot/grub Root is: (md0)/

Step by step, how do I install grub on each drive?

I have a two interface Linux iptables firewall. Currently I have several servers behind it on a private network 192.168.0.x. The firewall currently has each IP configured locally and uses NAT to port forward to the appropriate server, for example:

208.80.x.130:80 -> 192.168.0.130:80

My interfaces look something like this:

vlan1      Link encap:Ethernet  HWaddr 20:20:30:87:20:30
           inet addr:208.80.x.129  Bcast:208.80.x.159  Mask:255.255.255.224
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1140818 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1108086 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:462146250 (440.7 MiB)  TX bytes:590006065 (562.6 MiB)

vlan1:0    Link encap:Ethernet  HWaddr 20:20:30:87:20:30
           inet addr:208.80.x.130  Bcast:208.80.x.255  Mask:255.255.255.224
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br0        Link encap:Ethernet  HWaddr 20:CF:30:87:EC:2F
           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1120674 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1105443 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:570011808 (543.6 MiB)  TX bytes:469174153 (447.4 MiB)

I have a /27 of IP addresses; 208.80.x.129-157 gateway 208.80.x.158. I'd like to split off a small subnet at the top end of that range, like a /29. I'm currently using ip's 129-141 so I don't want to touch those. My goal is to have a small vlan of routable addresses in addition to the natted addresses I currently serve.

    internets
       |
 208.80.x.158
  isp router
       |
 208.80.x.129-147
    firewall
     --+-------------------
     |                    |
192.168.0.x      208.80.x.148-156

How do I accomplish this?

Specifically I'm looking at running it on a node on this hardware:

http://www.supermicro.com/Aplus/system/2U/2022/AS-2022TG-HTRF.cfm

Any gotchas lurking out there? I'm assuming the AMD soft raid isn't going to fly ...

When I'm looking at the output of iptables -L

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194
DROP       all  --  anywhere             ip-x.x.x.nydsl.com
DROP       all  --  anywhere             anywhere            state INVALID

I've always assumed that the rules execute in order top to bottom. But reading the documentation I haven't been able to verify that. Can anyone confirm?

I need to change about 100 DNS records and IIS configurations on a Windows 2003 web server. The GUI doesn't accommodate it and the MS command line tools seem incomplete (for example: dnscmd cannot edit a record, only create). Is there a third party tool out there I can use?

Basically I just need to change one IP address to another.

I have a Linux NAT Firewall serving a virtual machine infrastructure. Right now all the VMs use NAT, but I'd like to have some of them to use a public IP that is not NATed. I have a range of IPs: 208.x.x.129-140, subnet 255.255.255.240. Right now these IP's sit on the WAN interface of the firewall. I'd like to move a few IP's behind the firewall.

Can I change the route on just a few of these IP's? Do I need to alter my subnet mask?

I'm using dd (under cygwin) to copy a shadow image of a disk in windows. Shadow copy will only give me a partion, so what I am doing is:

1) using dd to grab the disk header (32k on Win2003)
2) using dd to copy the shadow partition
3) using dd to copy the end of of the disk (8 meg reserved on Win2003)
4) stitch them all together and boot on KVM

I need the exact size of all the partitions and non partitioned space on this windows drive. Unfortunately most windows disk tools seem to fudge the numbers a bit, or at least give me a different size than Linux does. I could guess like this 32k + partition size + 8M, but I want to double check. If I make a mistake I could lose data.

This is on a remote & live Windows 2003 server so no offline solutions will be helpful. Latest cygwin is installed.