Antitribu's questions

We're trying to grant access to an internal SSH server using a HAProxy setup on a public DMZ. This works as expected however connections into the server are originated from the HAProxy (tproxy won't work as the HAProxy is not the default route for the server which is buried in a different subnet). We wish to block brute force connections using fail2ban, denyhosts or similar.

Is there any way to block anywhere along the chain; the SSH server knows about the failed login but can't block without blocking every incoming connection. The HAProxy can descriminate but doesn't know to, syslog shipping the logs to the HAproxy might work however there doesn't appear to be a clean way to marry the HAProxy and sshd logs. Mitigating controls like rate limits on the HAProxy are already in place.

Whats the best way to handle brute force connections in this scenario?

We are using two servers separated by a WAN to replicate approximately 1TB of data.

On the master side we have a single server with a Gluster volume exported to a number of other servers that write in data.

On the slave side we have a single server with a Gluster volume exported as a read only share to disaster recovery servers.

Over time the slave has become out of sync with the master to the tune of 200gb, files that should be there aren't and files that have been deleted are. There does not appear to be a great deal of consistency in this.

What is the simplest way to force cluster to checksum every file on the slave and re-replicate where required?

The documentation suggests:

Description: GlusterFS Geo-replication did not synchronize the data completely but still the geo-replication status display OK.

Solution: You can enforce a full sync of the data by erasing the index and restarting GlusterFS Geo-replication. After restarting, GlusterFS Geo-replication begins synchronizing all the data, that is, all files will be compared with by means of being checksummed, which can be a lengthy /resource high utilization operation, mainly on large data sets (however, actual data loss will not occur). If the error situation persists, contact Gluster Support.

But does not refer to where this index may be.

#   gluster volume geo-replication share gluk1::share stop
Stopping geo-replication session between share & gluk1::share has been successful
# gluster volume set share geo-replication.indexing off
volume set: failed: geo-replication.indexing cannot be disabled while geo-replication sessions exist

This index shutoff fails while the connection still exists at all and the documentation doesn't mention this requirement.

Any suggestions?

I'm trying to join a RHEL6 server using samba4 to a domain. Net ads join works correctly, join member does not however. Effectively wbinfo --getdcname does not work where as wbinfo --dsgetdcname does.

If some light could be shed on the difference between these commands that would be very helpful.

The join is successful on Samba3 and works as expected except for Nested Groups

[root@sent-test-smg2 - (11:51:01) samba]#  net join member -U smg
Enter smg's password:
Failed to join domain: failed to find DC for domain member
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain SENT
Unable to find a suitable server for domain SENT

[root@sent-test-smg2 - (11:52:29) samba]#  net ads info
LDAP server: 10.74.160.8
LDAP server name: SENTVMDC2.Sent.local
Realm: SENT.LOCAL
Bind Path: dc=SENT,dc=LOCAL
LDAP port: 389
Server time: Fri, 04 Jul 2014 11:57:49 IST
KDC server: 10.74.160.8
Server time offset: 0

[root@sent-test-smg2 - (11:57:49) samba]#  wbinfo --online-status
BUILTIN : online
SENT-TEST-SMG2 : online
SENT : offline

[root@sent-test-smg2 - (11:59:28) samba]#  wbinfo --getdcname=SENT.LOCAL
Could not get dc name for SENT.LOCAL

[root@sent-test-smg2 - (11:59:42) samba]#  wbinfo -P
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

[root@sent-test-smg2 - (12:02:02) samba]#  wbinfo --dsgetdcname=sent.local
SENTVMDC2.Sent.local
\\10.74.160.8
1
f170eb24-d9f3-44cb-b622-02765ed83ed7
Sent.local
Sent.local
0xe00031fc
Ballycoolin
Ballycoolin

[root@sent-test-smg2 - (12:02:22) samba]#  wbinfo --getdcname=sent.local
Could not get dc name for sent.local

smb.conf:

[global]
   workgroup = SENT
   password server = *
   realm = SENT.LOCAL
   security = ads
   idmap config * : range = 10000-50000000
   winbind separator = +
   template homedir = /home/domain/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   preferred master = no
   allow trusted domains = no
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind expand groups = 10000
   server string = Linux Server
   interfaces = eth0
   bind interfaces only = yes
   strict locking = no
   wins server = 192.168.0.6
   idmap cache time = 1
   idmap negative cache time = 1
   winbind cache time = 1   
   idmap config * : range = 10000-50000000
   idmap config * : backend = rid
   idmap config SENT : range = 10000-50000000
   idmap config SENT : default = yes 
   idmap config SENT : backend = rid

krb.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SENT.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SENT.LOCAL = {
  kdc = 192.168.0.6:88
  admin_server = 192.168.0.6:749
  kdc = *
 }

[domain_realm]
 SENT.LOCAL = SENT.LOCAL
 .SENT.LOCAL = SENT.LOCAL

 sent.local = SENT.LOCAL
 .sent.local = SENT.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

From the winbind log file with debugging at 10:

[2014/07/04 12:23:38.900108,  1, pid=12682, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_PingDc: struct wbint_PingDc
          out: struct wbint_PingDc
              dcname                   : *
                  dcname                   : NULL
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.900835, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
  wb_request_done[12705:PING_DC]: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.901001, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[12705:PING_DC]: delivered response to client
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

Yet later is seems to quite clearly know where the DC is:

[2014/07/04 12:23:39.044514,  9, pid=12707, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result 0 for domain SENT.LOCAL server 10.74.160.8
[2014/07/04 12:23:39.044732,  5, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:270(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.74.160.8 (realm: SENT.LOCAL)
[2014/07/04 12:23:39.046454,  1, pid=12707, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug)
       &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
          command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
          sbz                      : 0x0000 (0)
          server_type              : 0x000031fc (12796)
                 0: NBT_SERVER_PDC           
                 1: NBT_SERVER_GC            
                 1: NBT_SERVER_LDAP          
                 1: NBT_SERVER_DS            
                 1: NBT_SERVER_KDC           
                 1: NBT_SERVER_TIMESERV      
                 1: NBT_SERVER_CLOSEST       
                 1: NBT_SERVER_WRITABLE      
                 0: NBT_SERVER_GOOD_TIMESERV 
                 0: NBT_SERVER_NDNC          
                 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
                 1: NBT_SERVER_ADS_WEB_SERVICE
                 0: NBT_SERVER_HAS_DNS_NAME  
                 0: NBT_SERVER_IS_DEFAULT_NC 
                 0: NBT_SERVER_FOREST_ROOT   
          domain_uuid              : f170eb24-d9f3-44cb-b622-02765ed83ed7
          forest                   : 'Sent.local'
          dns_domain               : 'Sent.local'
          pdc_dns_name             : 'SENTVMDC2.Sent.local'
          domain_name              : 'SENT'
          pdc_name                 : 'SENTVMDC2'
          user_name                : ''
          server_site              : 'Ballycoolin'
          client_site              : 'Ballycoolin'
          sockaddr_size            : 0x00 (0)
          sockaddr: struct nbt_sockaddr
              sockaddr_family          : 0x00000000 (0)
              pdc_ip                   : (null)
              remaining                : DATA_BLOB length=0
          next_closest_site        : NULL
          nt_version               : 0x00000005 (5)
                 1: NETLOGON_NT_VERSION_1    
                 0: NETLOGON_NT_VERSION_5    
                 1: NETLOGON_NT_VERSION_5EX  
                 0: NETLOGON_NT_VERSION_5EX_WITH_IP
                 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
                 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
                 0: NETLOGON_NT_VERSION_PDC  
                 0: NETLOGON_NT_VERSION_IP   
                 0: NETLOGON_NT_VERSION_LOCAL
                 0: NETLOGON_NT_VERSION_GC   
          lmnt_token               : 0xffff (65535)
          lm20_token               : 0xffff (65535)
[2014/07/04 12:23:39.049085, 10, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
  sitename_store: realm = [SENT], sitename = [Ballycoolin], expire = [2085923199]

We have several RHEL6 servers connected to Active Directory using winbind. All servers are configured identically using a configuration management tool. Servers however produce different results when querying groups using the groups command and/or sudo. Getent and winbind however return correct consistent results on all servers.

user.name1 and user.name2 are members of the group test.group1. test.group1 is a member of the group test.group2

Running the following commands is consistent on all servers:

# getent group test.group1 
test.group1:*:16126:user.name1,user.name2

# getent group test.group2
test.group2:*:16125:user.name1,user.name2

# wbinfo --group-info test.group1 
test.group1:*:16126:user.name1,user.name2

# wbinfo --group-info test.group2
test.group2:*:16125:user.name1,user.name2

However server A incorrectly returns:

# groups user.name2
test.group1

Server B correctly returns:

# groups user.name2
test.group1
test.group2

The Samba config looks like:

   winbind use default domain = true
   winbind offline logon = false
   winbind separator = + 
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind expand groups = 10
   server string = Linux Server
   strict locking = no
   wins server = 192.168.0.1
   idmap config * : range = 10000-50000000
   idmap config * : backend = rid
   idmap config SENT : range = 10000-50000000
   idmap config SENT : default = yes 
   idmap config SENT : backend = rid
   idmap uid = 10000-50000000
   idmap gid = 10000-50000000

nsswitch.conf looks like:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

I'd hazard a guess to say the answer is somewhere in PAM or perhaps a winbind lookup error, Any thoughts or suggestions as where to look? Winbind / servers have been restarted, tdb files rebuilt. The problem may be intermittent as well.

Edit:

Finally getting to have another look at this issue. I've rebuilt the authentication using SSSD instead of winbind and the same occurs

sssd.conf

[sssd] 
config_file_version = 2 
domains = sent.local 
services = nss, pam 
debug_level = 1

[nss] 

[pam] 

[domain/sent.local]
id_provider = ad 
auth_provider = ad 
access_provider = ad

default_shell = /bin/bash 
fallback_homedir = /home/domain/%u

use_fully_qualified_names = False

Now we have some interesting results, users who have never been domain admins have the same result as before, until we pre-cache the groups we know they are members of, for example:

[root@test-smg1 - (11:46:40) sssd]#  id test.user5
uid=1084806380(test.user5) gid=1084800513(domain users) 
groups=1084800513(domain users)

[root@test-smg1 - (11:46:43) sssd]#  getent group testg2
testg2:*:1084806126:test.user5,test.user4,test.user3,test.user2

[root@test-smg1 - (11:46:46) sssd]#  id test.user5
uid=1084806380(test.user5) gid=1084800513(domain users) 
groups=1084800513(domain users),1084806126(testg2)

[root@test-smg1 - (11:46:49) sssd]#  getent group testg2-nest
testg2-nest:*:1084806125:test.user4,test.user3,test.user2,test.user5

[root@test-smg1 - (11:46:54) sssd]#  id test.user5
uid=1084806380(test.user5) gid=1084800513(domain users) 
groups=1084800513(domain users),1084806126(testg2),1084806125(testg2-nest)

This makes me think the issue might be more in the direction of active directory and this ADs specific implementation than an issue linux side. Making a user a member of Domain Admins causes all their groups to show correctly. Removing the user from Domain Admins leaves the user in this "fixed" state.

We have the following setup:

• RedHat 6
• LVS set up to fail between two webservers
• Connection persistence of 900 seconds

It's a pretty simple setup however when a server is marked as failed the piranha/pulse/nanny process marks the weight of the server in the table as 0 and doesn't remove the failed server. This means any persistent connections remain attached to a failed server and the load balancing is defeated.

How can we tell nanny to force the failed node out so persistent connections are failed to a working node?

Thanks

We have the following lvs.cf:

serial_no = 201305302344
primary = 10.1.1.45
service = lvs
backup = 0.0.0.0
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = nat
nat_router = 10.1.1.70 eth0:1
nat_nmask = 255.255.255.0
debug_level = NONE
virtual http {
     active = 1
     address = 10.1.1.70 eth0:1
     vip_nmask = 255.255.255.0
     persistent = 900
     pmask = 255.255.255.0
     port = 80
     send = "GET / HTTP/1.0\r\n\r\n"
     expect = "HTTP/1.1 200 OK"
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 6
     reentry = 15
     quiesce_server = 1
     server web1 {
         address = 10.1.1.51
         active = 1
         weight = 1
     }
     server web2 {
         address = 10.1.1.52
         active = 1
         weight = 1
     }
}
virtual https {
     active = 1
     address = 10.1.1.70 eth0:1
     vip_nmask = 255.255.255.0
     port = 443
     persistent = 900
     pmask = 255.255.255.0
     send = "GET / HTTP/1.0\r\n\r\n"
     expect = "up"
     use_regex = 0
     load_monitor = none
     scheduler = wlc
     protocol = tcp
     timeout = 6
     reentry = 15
     quiesce_server = 1
     server web1 {
         address = 10.1.1.51
         active = 1
         weight = 1
     }
     server web2 {
         address = 10.1.1.52
         active = 1
         weight = 1
     }
}

We're experiencing unexpected JBoss crashes on a semi-regular basis. JBoss 5 is running on RHEL6 in this case.

I believe this is related to a sigusr1 sent to the JBoss process. The JBoss server logs simply end, nothing is logged at all regarding the shutdown. Manually sending sigusr1 reproduces the problem.

My question is what is the best way to determine what is sending this signal. Is it possible to use auditd to somehow trap these and log the sender?

Other suggestions for protecting the process from signals, what may randomly be sending sigusr1's on a RHEL6 machine or auditing and logging signals welcome.

Thanks

We have a Lync 2010 server set up along side a Polycom HDX7000 which acts as a Lync endpoint. This works well for Windows Lync users who can dial and have video conferences with the device.

When a Mac client attempts to connect a connection is made, encryption is enabled and audio works fine, however attempts at video yield "Video call invitation was not accepted." on the client with little other errors.

Mac to Windows works fine. There are no firewalls in play (all on the same LAN).

Anyone have any ideas on where to start looking?

Logs from the polycom that might be relevant: 2011-12-07 17:26:50 DEBUG avc: pc[0]: VIDEO[0]: VideoRouteProcCodecSetConfig CodecConfig: alg unknown profile unknown bRate 0, fRate 0.000000, res 1-SQCIF updtAnnex 0x0 cam
2011-12-07 17:26:50 DEBUG avc: pc[0]: VIDEO[0]: WxH 128 x 96, maxpkt 0, Sym, Prog, 16x9sar 0 conceal off freezeDec 0

We have a multihomed windows server.

• It has two physical interfaces A (192.168.1.140) and B (10.42.130.140)
• From machines on the same subnet both interfaces are pingable
• From a 3rd subnet B is pingable but A is not
• The windows machines default route is via interface A however there is a static route to the 3rd subnet via interface B

When you ping A from the third subnet the router reports that outbound connections from interface A are actually been sent out of interface B (and thus denied).

The goal is to be able to have both interfaces pingable from the 3rd subnet 10.42.100.0/24. The network topology is fairly simple, three switches each with only their own subnet traffic A, B and C connected via a Cisco ASA 5520. There are other minor subnets around however they are not really relevant to the issue at hand.

This looks like windows isn't responding from the right interface (the interface it got the request in on) and is pushing all it's traffic out via which ever route it deems best. Is there any way to bind traffic to the correct interface? I'd even accept a Cisco ASA rule to allow the traffic (it's dropping the SYN ACK) out of the B subnet.

The routing table of the windows machine looks like so:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 13 72 36 e5 30 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
0x10004 ...00 13 72 36 e5 32 ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.30    192.168.1.140     20
        10.42.0.0      255.255.0.0      10.42.130.1    10.42.130.140      1
      10.42.130.0    255.255.255.0    10.42.130.140    10.42.130.140     10
    10.42.130.140  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255    10.42.130.140    10.42.130.140     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.140    192.168.1.140     20
    192.168.1.140  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.140    192.168.1.140     20
        224.0.0.0        240.0.0.0    10.42.130.140    10.42.130.140     10
        224.0.0.0        240.0.0.0    192.168.1.140    192.168.1.140     20
  255.255.255.255  255.255.255.255    10.42.130.140    10.42.130.140      1
  255.255.255.255  255.255.255.255    192.168.1.140    192.168.1.140      1
Default Gateway:      192.168.1.30
===========================================================================
Persistent Routes:
  None

Thanks

We are looking at a new environment to run our Oracle Database running on SUSE (potentially migrating to RedHat). Our database is approximately 100GB and performs adequately on our current hardware (x86_64) with approximately 6GB of ram allocated to it. We are growing quickly however and will require more performance shortly.

Given the cost of Oracle licenses we would like to maximize the value from each license by choosing the most appropriate CPU to run the software on.

The questions are:

Are there substantial benefits to looking at Itanium or Sparc hardware, are there any drawbacks? Is there a point where one starts to scale out better?

What are the long term support options for Itanium? Given the dominance of x86 would it be safer long term to stick with x86?

On average what would be the performance benefit of implementing an Oracle database on Itanium or Sparc over x86_64? Is this an issue at all or will other factors (IO/RAM) cap out first?

If anyone can point me towards some solid documentation on comparisons between the platforms that provides good case analysis of when to choose which I'm more than happy to accept that as an answer.

Edit:- Added Sparc as an Option as it was previously not considered however with the recent Oracle Sun aquisition seems very relevant.

I've have a backup volume using truecrypt (USB Disk, entire disk (eg /dev/sdb)) accidentally added to a Windows System and then using windows that disk has been initialized.

No other action has been taken on that disk.

The disk no longer mounts.

Assuming no other external sources (backups of the headers etc) is it possible to fix that volume?

I'm running Mac 10.6 (Snow Leopard). I would like to have a shell script that handles some routing/vpn and server tasks executed on Machine startup.

This script should be preferably executed before the user logs in but as long as it is backgrounded there are no issues with timing.

Where is the best place to call this from?

Thanks all

I have a postfix server with amavisd and a clamav scanner. I have encountered a situation where clamav has issued false positives and quarantined messages in /var/virusmails/

What is the simplest way of taking these mails and pushing them through the postfix que again. I believe the false positive was temporary and would like to retry sending them.

Is there a postfix que directory I could place the files in?

Thank you.

I have the requirement to sync files (documents mostly, sound bites, high quality images) between multiple PCs, Macs and Linux clients and servers.

The number of files is large and delta syncs would be required. I would like a file changed on anywhere to be replicated. Additionally offline access is required. Version Control would be exceptionally useful and graceful recovery from duplicates etc.

In short I'm looking for dropbox but not hosted, SaaS or any other 3rd party involvement. Live mesh from Microsoft (or what it's called this week) would be ideal but for again 3rd party.

I figure this must be out there with a webdav backend or such and I just haven't found the cleanest solution.

I'm looking for the best way to implement the above. Open Source tools preferred but not explicitly required.

Thanks all.

After installing the run of the mill patches today on a Windows Server 2008 (Running as an AD controller and Exchange 2007 Server) the machine came back up with "configuring updates stage 3 of 3 0% complete".

The machine had been kept reasonably up to date so this likely was caused by a very recent patch. At the leaste the following patches were installed:

KB973037
KB969947
KB973565

Restarting the server into safe mode and then subsequently rebooting (with no changes made) allowed the computer to restart and I can now log in normally.

However none of the critical services start; including but not limited to Exchange, DNS and Terminal Services (Obviously if DNS doesn't start other things will break). I am unable to run Internet Explorer but Chrome will work.

There are no meaningful errors in the event logs as to why services won't start.

Under KDC I have

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart     card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

This is going to be an evil one to debug and I'm kinda hoping someone has encountered it and knows the answer off hand.

Thanks all.

I have a need to setup an FTP server for many users to upload and download files.

The users are not consistent in their chosen protocol, some use FTP, some FTPS, some SFTP.

I would like to setup a server to provide this preferably using some Virtual Hosting arrangement that does not involve setting up system accounts for individual users. While the software for FTPS and FTP to enable this is readily available SFTP (the subsystem of SSH) does not appear to have many equivalents.

I have a single RedHat EL machine provisioned for this purpose.

Any suggestions?

I am unable to remote desktop to our Windows Storage Server 2003 R2 machine.

There are a few people about with similar issues but no answers around. Symantec End Point is installed but no network protection.

Using rdesktop in Linux I receive:

ERROR: send: Connection reset by peer
NOT IMPLEMENTED: PDU 12
ERROR: Connection closed

Where the "PDU XX" number changes on each connection.

In windows using the latest mstsc I receive:

The connection was lost due to a network error. Try connecting again. 
If the problem persists, contact your network Administrator.

Any ideas?

I have 2 servers, Apache and Jboss. Using JKmount .war files are mounted and present a complex site.

eg:

JkMount /directory/* ajp13
Alias /directory /jboss/server/default/deploy/directory.war
<Directory  /jboss/server/default/deploy/directory.war>
  Order allow,deny
  allow from all
  Options -Indexes
</Directory>
<Directory  /jboss/server/default/deploy/directory.war/WEB-INF>
  deny from all
</Directory>

I would like to use mod_rewrite on the Apache side to alter the URLs returned by mod_jk.

eg:

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^192.168.1.1$
RewriteRule /.* http://server.example/redirect.html [R=301,L]

Currently the above code only affects the images returned by Apache and not the pages returned by mod_jk.

Is this possible? How is it done?

There is a similar question asked at StackOverFlow however given a choice if it is possible I would like to handle this internal to Apache and not alter the Jboss configuration.

The server is OpenSuse 11.1 and I suspect there maybe some module precedence order issues however I have not been able to confirm this.

Examples of URLs would be:

http://site.example/directory/index.jsp
http://site.example/foo/other.html

In this example the first URL is mounted in mod_jk using the directives listed in the config above and would NOT be re-written by mod_rewrite. The second URL is a normal directory in the Apache site and is rewritten correctly.

Thanks All

If a log file such as nohup.out is deleted in Linux while it is still the subject of a running job (and further input) what happens to the data?

eg

script.sh

#!/bin/bash
while [ 1 ]
do
  fortune
done

then...

# nohup ./script.sh &

This outputs the log to nohup.out by default.

Or even

# ./script.sh > nohup.out &

The question is; if nohup.out is deleted what happens? Is the file really gone assuming the job continues? What happens if script.sh generates enough data to fill a disk? Does this create a de-facto state of redirection to /dev/null?

By way of background I have found a process started previously in this method that can not be restarted for an extended duration but prior to that maintenance window it is my estimation the disk will fill. The situation will be avoided in the future, I am just curious as to what happens to an unlinked file still subject to redirection.

The Setup:-

• OpenCMS running on TomCat5.5
• System running on FreeBSD with the DiabloJVM

The OpenCMS system was working then after a restart of TomCat it stopped loading. The Database server (postgres) running on a different host has been rebooted and responds correctly.

Any suggestions to get it running?

When TomCat starts the following errors are in the stdout:

org.apache.openejb.OpenEJBException: org.apache.xbean.recipe.ConstructionException: Error invoking constructor: public org.apache.openejb.tomcat.catalina.TomcatSecurityService(): Error invoking constructor: public org.apache.openejb.tomcat.catalina.TomcatSecurityService()

...

6/12/09 10:11:29 AM (I) WebappClassLoader.validateJarFile : validateJarFile(/usr/local/tomcat5.5/webapps/opencms/WEB-INF/lib/servlet.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class

`

6/12/09 9:21:08 AM (S) HostConfig.deployDirectory : Error deploying web application directory opencms
java.lang.ArrayIndexOutOfBoundsException: 26
    at org.apache.openejb.asm.ClassReader.readClass(Unknown Source)
    at org.apache.openejb.asm.ClassReader.accept(Unknown Source)
    at org.apache.openejb.asm.ClassReader.accept(Unknown Source)
    at org.apache.openejb.util.AnnotationFinder.readClassDef(AnnotationFinder.java:251)
    at org.apache.openejb.util.AnnotationFinder.find(AnnotationFinder.java:157)
    at org.apache.openejb.config.DeploymentLoader.discoverModuleType(DeploymentLoader.java:1090)
    at org.apache.openejb.tomcat.catalina.TomcatWebAppBuilder.loadApplication(TomcatWebAppBuilder.java:540)
    at org.apache.openejb.tomcat.catalina.TomcatWebAppBuilder.start(TomcatWebAppBuilder.java:234)
    at org.apache.openejb.tomcat.catalina.GlobalListenerSupport.lifecycleEvent(GlobalListenerSupport.java:58)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4148)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)

The situation is:

• I am running VMware ESX 3.5 (3 ESX Hosts w/ vCenter Server in a Cluster);
• I need five Virtual Machines to read from the same disk running a clustered file system;
• I cannot replicate data for each Virtual Machine due to capacity; and
• I need to avoid a single point of failure (sharing from a VM is not a viable option);

In a traditional system I would point two servers at the same LUN and used a clustered file-system and this is what I'm looking for an equivalent of inside of a virtualised environment.

I have a SAN and can use Raw Disk Mappings (RDM) from a VM to map to a LUN however there is LUN limit on the SAN and I am unable to establish a LUN for each Virtual Machine.

Is there a clever way around this or am I snookered?

More info:

I'm looking to run a clustered application and need to share file content and configuration between two Virtual Machines, about 50gb. This was previously done using a shared LUN on a SAN. I require both load balancing and HA of the machines. I do not have the capacity to replicate the data on each VM and the application cannot tolerate any sync-lag.

Essentially I "just" need a way to point each VM at a single LUN and allow the VM to then control that disk.

Licensed features include HA/DRS