As symfony4 uses dotenv and environment variables for configuration, they are also needed on the server.

to pass the variables it is possible to add the following to the pool config:

example-pool.conf:

env[APP_ENV] = 'prod'

the problem is the following feature:

All $VARIABLEs are taken from the current"environment

as nearly every crypted/hashed password string contains a $, i run into the problem, that the environment variables containing a $ are empty.

php bin/console security:encode-password
...snip...
------------------ ---------------------------------------------------------------
  Key                Value
 ------------------ ---------------------------------------------------------------
  Encoder used       Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder
  Encoded password   $2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.
 ------------------ ---------------------------------------------------------------
...snip...

of course i can use nginx to pass my environment variables to php-fpm

nginx-vhost.conf:

fastcgi_param APP_ENV "prod";

but in this case i would have to refactor my puppet recipe, so i am looking for an alternative way to set this in php-fpm

i tried to single, double quote and escape the $

example-pool.conf:

...snip...
env[PASSWORD1] = $2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.
env[PASSWORD2] = "$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg."
env[PASSWORD3] = '$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.'
env[PASSWORD4] = "'$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.'"
env[PASSWORD5] = '"$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg."'
env[PASSWORD6] = "\$2y\$12\$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg."
env[PASSWORD7] = '\$2y\$12\$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.'
env[PASSWORD8] = \$2y\$12\$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.
env[PASSWORD9] = $$2y$$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.
env[PASSWORD10] = '$$2y$$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.'
...snip...

leads to the following output in php test.php containing a simple:

output:

  "PASSWORD10" => ""
  "PASSWORD9" => ""
  "PASSWORD8" => "\$2y\$12\$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg."
  "PASSWORD7" => "\$2y\$12\$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg."
  "PASSWORD6" => ""
  "PASSWORD5" => ""$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.""
  "PASSWORD4" => "'$2y$12$RbCl.SsH6yFDHtTq1Bc1xeK3cdkWbtZEmzyVTnMzlOEuVyC5EySg.'"
  "PASSWORD3" => ""
  "PASSWORD2" => ""
  "PASSWORD1" => ""

tagged this as security related because it leads to use weak (alphanum) plain-text passwords.

related but not the same as

• php-fpm and Nginx dynamic environment variable
• Pass environment variables to the PHP CLI and FPM

side question, as the php-fpm process is started as the user defined in user, which environment files are loaded? tested .bashrc and .profile as this are the locations where php-cli reads the env variables i would be happy to declare them only in one place and use them from cli and fpm. this question is already indirectly asked here Pass environment variables to the PHP CLI and FPM

thinking about creating a bug report on php, as the workaround to this leads in using dotenv files directly:

Environment variables for PHP applications

comming from debian i am currently working with centos7.

i am trying to install the lsb_release command, which is quite small.

looking for packages which provide lsb_release with

yum provides */lsb_release

shows me the following packages which provide the package

Repo        : epel
Matched from:
Filename    : /usr/lib/dkms/lsb_release

redhat-lsb-core-4.1-27.el7.centos.1.i686 : LSB Core module support
Repo        : base
Matched from:
Filename    : /usr/bin/lsb_release

redhat-lsb-core-4.1-27.el7.centos.1.x86_64 : LSB Core module support
Repo        : base
Matched from:
Filename    : /usr/bin/lsb_release

installing it with yum install redhat-lsb shows me quite a lot dependencies which i simply don't want and need.

Installing for dependencies:
---snip---
emacs-filesystem
---snip---
libXfont
---snip---
mailx
---snip---

full list: http://pastie.org/10984474

why centos need for example mailx to give me information of the current installed system?

is there some way to install just a minimal lsb_release without *X*, qt*, gtk2, emacs-filesystem, desktop-file-utils, ...

installing it with yum install dkms has a much lighter footprint but feels wrong to me and also puts the command in the wrong directory /usr/lib/dkms/lsb_release also the dependency of kernel-devel is doubtful.

i know there are some alternatives https://linuxconfig.org/how-to-check-centos-version but my question references to the lsb_release command.

edit:

also a much smaller footprint has the package redhat-lsb-core but it still requires mailx

I am running a Debian 8.5 with postifx 2.11.3-1 and i try to log the whole smtp session including DATA to mail.log.

it was possible to see a part of the data by increasing the verbosity by adding -vvv to the smtpd in the master.cf (see whole file below) but it wasn't possible for me to get the complete data, only the first 10 chars are being logged.

mail.log

--- snip ---
Sep 18 18:22:03 vagrant postfix/smtpd[9220]: rec_put: type T len 17 data 1474215723
Sep 18 18:22:03 vagrant postfix/smtpd[9220]: rec_put: type A len 18 data log_ident=
Sep 18 18:22:03 vagrant postfix/smtpd[9220]: rec_put: type A len 21 data rewrite_co
Sep 18 18:22:03 vagrant postfix/smtpd[9220]: rec_put: type S len 23 data foo@exampl
Sep 18 18:22:03 vagrant postfix/smtpd[9220]: rec_put: type A len 25 data log_client
--- snip ---

also by increasing the verbosity postfix really logs a lot. is there a better way rather then increasing verbosity level?

as far as i found out it is only possible to use tcpdump or whireshark to really only log the smtp session, do i see this correct?

example smtp session of what i want to log:

telnet www.sample.com 25

Server Response: 220 www.sample.com ESMTP Postfix
Client Sending : HELO domain.com
Server Response: 250 Hello domain.com
Client Sending : MAIL FROM: <[email protected]>
Server Response: 250 Ok
Client Sending : RCPT TO: <[email protected]>
Server Response: 250 Ok
Client Sending : DATA
Server Response: 354 End data with <CR><LF>.<CR><LF>
Client Sending : Subject: Example Message
Client Sending : From: [email protected]
Client Sending : To: [email protected]
Client Sending :
Client Sending : Yo,
Client Sending :
Client Sending :   Sending a test message.
Client Sending :
Client Sending :   Later,
Client Sending : Carl
Client Sending : .
Server Response: 250 Ok: queued as 45334
Client Sending : QUIT
Server Response: 221 Bye

master.cf

smtp      inet  n       -       -       -       -       smtpd -vvv

pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr

tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp

showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = localhost.at.dev
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = localhost.at.dev
mydestination = localhost.at.dev, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

Many tutorials tell you to config your ssh server like this:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no 

but with this setup you cannot use PAM, as i plan to use 2 Factor Auth with Google Authenticator (OTP Onetime Password) i need PAM.

So how to configure a fresh debian jessie ssh deamon, if i want to prevent the login with the normal password but still allow to use PAM.

maybe the exact question is how to configure pam to disallow passwords?

Details on PAM Authentication

Disabling PAM-based password authentication is rather un-intuitive. It is needed on pretty much all GNU/Linux distributions (with the notable exception of Slackware), along with FreeBSD. If you're not careful, you can have PasswordAuthentication set to 'no' and still login with just a password through PAM authentication. It turns out that you need to set 'ChallengeResponseAuthentication' to 'no' in order to truly disable PAM authentication. The FreeBSD man pages have this to say, which may help to clarify the situation a bit:

Note that if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix(8), password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication.

http://www.unixlore.net/articles/five-minutes-to-more-secure-ssh.html

in a two disk setup

/dev/sda
/dev/sdb

i created per disk 3 partitions

bios_grub   1mb
linux raid  512mb   md0 (/boot - ext3)
linux raid  rest    md1 (physical volume for lvm)

the answer on https://unix.stackexchange.com/a/218384 states that it is not possible to create a mirror raid for bios grub

You will need hardware RAID if you want the BIOS boot partition to be mirrored.

but on https://askubuntu.com/a/57010 it looks like it is possible but there is no info how it works

You will need hardware RAID if you want the BIOS boot partition to be mirrored. You can, however, install GRUB to multiple drives; just run grub-install in the target OS on each drive that has a BIOS boot partition (give it the entire drive, like /dev/sda, as an argument; grub-install will figure out the location of the BIOS boot partition from the GPT).

so is it possible to create a software raid for the bios_grub partition? if yes how? currently i use fai setup-storage to create the partitions.

To start from a clean state I need to reset the hard disk to an empty state from command line.

It is not about running a wipe utility, the data don't have to be overwritten.

This question is quite similar to Deleting All Partitions From the Command Line

The solution there works quite well,

dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc

but if I want to work with such an overwritten disk, I get the error that the device is still in use.

root@grml ~ # blockdev --rereadpt /dev/sda
BLKRRPART: Device or resource busy

or

root@grml ~ # partprobe
Error: Partition(s) 2, 3 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.
Error: Partition(s) 2, 3 on /dev/sdb have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.

So I have to manually disable everything which "sits" on the device

umount /mnt/debootstrap
umount /mnt/debootstrap/tmp
umount /mnt/debootstrap/var/log
umount /mnt/debootstrap/var
umount /mnt/debootstrap/home
service mdadm stop
service lvm2 stop
vgremove vg_main
pvremove /dev/md1
mdadm --stop /dev/md0
mdadm --stop /dev/md1
mdadm --remove /dev/md0
mdadm --remove /dev/md1

after that the partprobe command works.

is there some command which works simpler? like

harddiskreset /dev/sda

so it can easily be used on systems with different partition/lvm/md layout?

puppet version 2.7.18 stored configs (not puppetdb)

I my case i have 3 couchbase nodes, which should be concated to an couchbase connection string which looks like that:

192.168.19.12;192.168.19.40;192.168.19.66

so on each couchbase server i do something like this:

@@concat::fragment { "foo": target => '/tmp/foo', content => "$ipaddress", order => 1, }

and on the app server, which should connect to the couchbase server, i want generate a yaml config file looking like this:

  couchbase:
    class:          MyCouchbaseStorage
    param:
      connection:   MyCouchbaseConnection
      connection_param:
        username:     myusername
        password:     mypassword
        bucket:       mybucket
        host:         192.168.19.12;192.168.19.40;192.168.19.66
        persist:      1

all except the host lines are no problem, but the host entry is really tricky

i concat the hosts by collecting them with:

Concat::Fragment <<| tag == 'mycbtag' |>> { target => '/tmp/database.yml' }

so now i have the problem, that i have no ";" calling concat like this

@@concat::fragment { "foo": target => '/tmp/foo', content => ";$ipaddress", order => 1, }

will produce:

host:         ;192.168.19.12;192.168.19.40;192.168.19.66

calling concat like that

@@concat::fragment { "foo": target => '/tmp/foo', content => "$ipaddress;", order => 1, }

will produce:

host:         192.168.19.12;192.168.19.40;192.168.19.66;

so how to modify the collected content or how do i get the desired result?

host:         192.168.19.12;192.168.19.40;192.168.19.66

How to install Oracle Java on Debian Wheezy with make-jpkg and fakeroot?

the manual for installing oracle java on debian wheezy is quite clear and understandable:

http://wiki.debian.org/JavaPackage https://blogs.oracle.com/marigan/entry/installation_of_the_jdk_on http://www.debian-administration.org/articles/142

• download jdk-7u21-linux-x64.tar.gz from oracle
• install the java-package
• run make-jpkg with jdk-7u21-linux-x64.tar.gz

as root running:

make-jpkg jdk-7u21-linux-x64.tar.gz fakeroot make-jpkg jdk-7u21-linux-x64.tar.gz

results in the following error:

You are real root -- unfortunately, some Java distributions have install scripts that directly manipulate /etc, and may cause some inconsistencies on your system. Instead, you should become a non-root user and run:

fakeroot make-jpkg jdk-7u21-linux-x64.tar.gz

which will allow no damage to be done to your system files and still permit the Java distribution to successfully extract.

Aborting.

as normal user running:

make-jpkg jdk-7u21-linux-x64.tar.gz fakeroot make-jpkg jdk-7u21-linux-x64.tar.gz

results both in an warning/error wall.

some of the errors:

dpkg-shlibdeps: warning: Can't extract name and version from library name `libverify.so'
error: couldn't find library libxslt.so.1 needed by /tmp/make-jpkg.MxvYKHyE3L/install/usr/lib/jvm/j2sdk1.7-oracle/jre/lib/amd64/libjfxwebkit.so (ELF format: 'elf64-x86-64'; RPATH: '')
dpkg-gencontrol: warning: Depends field of package oracle-j2sdk1.7: unknown substitution variable ${shlibs:Depends}
dpkg-shlibdeps: error: cannot continue due to the errors listed above

full output: without fakeroot http://pastie.org/private/r2llqa2pubqzh8krhbymw

with fakeroot http://pastie.org/private/kigrgcsam9pvdazbex1fa

installing works fine:

dpkg -i oracle-j2sdk1.7_1.7.0+update21_amd64.deb

java version:

java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

are the error safe to ignore?

My scenario

• 2 physical machines, each with 2 network interfaces (eth0, eth1).
• they act as virtual machine host
• for one machine alone, the networking works with no problems
• first i had two seperated networks and each machine has a own virtual dhcp server running
• then i tried to merge the seperated networks into one
• firewall: shorewall (connection policy for lan = allow on both machines)
• dhcp server: dnsmasq
• both machines can connect to the internet

i would like to connect the two machines over a crossovercable and want them to share one network, so i have only one dhcp server with one network and each server in this lan can connect to each other. does this make sense or are two seperate dhcp server and networks the better way?

Problem

below i added some configs and i did some connection tests.

in short:

• machine1 + machine2 can reach ips on machine1
• machine1 + machine2 cannnot reach ips on machine2
• machine1 + machine2 can reach ips on machine2
• external dnat (for example ssh) does work for machine1 (port 5678 -> 10.62.63.20:22)
• external dnat (for example ssh) does not work for machine2 (port 5678 -> 10.62.63.30:22)

if i ssh connect to machine1 port 5678 the connection to 10.62.62.20 works and i only see shorewall log entries from this connection on machine1. but if i connect to machine2 port 5678 the connection does not work and i can see a martian log on machine1

Nov 29 15:26:57 machine1 kernel: [ 7495.749894] martian source **ssh.client.ip.addr** from **yyy.yyy.yyy.yyy**, on dev br1

Machine Overview

machine1 virtual machines:

• dhcp 10.62.63.2
• web1 10.62.63.20

machine2 virtual machines:

• web2 10.62.63.30

Config Files

machine1 /etc/shorewall/rules

***snip***
DNAT:debug  net  lan:10.62.63.20:22  tcp  5678  -  xxx.xxx.xxx.xxx
***snip***

machine2 /etc/shorewall/rules

***snip***
DNAT:debug  net  lan:10.62.63.30:22  tcp  5678  -  yyy.yyy.yyy.yyy
***snip***

machine1 /etc/networking/interfaces

# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
#allow-hotplug eth0 
auto eth0
iface eth0 inet manual


# device: eth1
#allow-hotplug eth1
auto eth1
iface eth1 inet manual 

auto br0
iface br0 inet static
  address   xxx.xxx.xxx.xxx
  broadcast xxx.xxx.xxx.xxx
  netmask   xxx.xxx.xxx.xxx
  gateway   xxx.xxx.xxx.xxx
  bridge_ports eth0
  bridge_fd 0
  bridge_hello 2
  bridge_maxage 12
  bridge_maxwait 0
  bridge_stp off


auto br1
iface br1 inet static
  address 10.62.63.1
  broadcast 10.62.63.255
  netmask 255.255.255.0
  bridge_ports eth1
  bridge_fd 0
  bridge_hello 2
  bridge_maxage 12
  bridge_maxwait 0
  bridge_stp off

machine2 /etc/networking/interfaces

# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
#allow-hotplug eth0 
auto eth0
iface eth0 inet manual


# device: eth1
#allow-hotplug eth1
auto eth1
iface eth1 inet manual 

auto br0
iface br0 inet static
  address   yyy.yyy.yyy.yyy
  broadcast yyy.yyy.yyy.yyy
  netmask   yyy.yyy.yyy.yyy
  gateway   yyy.yyy.yyy.yyy
  bridge_ports eth0
  bridge_fd 0
  bridge_hello 2
  bridge_maxage 12
  bridge_maxwait 0
  bridge_stp off


auto br1
iface br1 inet static
  address 10.62.63.3
  broadcast 10.62.63.255
  netmask 255.255.255.0
  bridge_ports eth1
  bridge_fd 0
  bridge_hello 2
  bridge_maxage 12
  bridge_maxwait 0
  bridge_stp off

Tests

machine1 (10.62.63.1)

routes:

ip route show
yyy.yyy.yyy.yyy/yy dev br0  proto kernel  scope link  src yyy.yyy.yyy.yyy
10.62.63.0/24 dev br1  proto kernel  scope link  src 10.62.63.1
default via yyy.yyy.yyy.yyy dev br0

• ping 10.62.63.3 to br1 ip (remote): ok
• ping 10.62.63.1 to br1 ip (local): ok
• ping 10.62.63.2 to dns (local): ok
• ping 10.62.63.20 to web01 (local): ok
• ping 10.62.63.30 to web02 (remote): ok
• ssh 10.62.63.20 to web01 (local): ok
• ssh 10.62.63.30 to web02 (remote): ok

machine2 (10.62.63.3)

routes:

ip route show
yyy.yyy.yyy.yyy/yy dev br0  proto kernel  scope link  src yyy.yyy.yyy.yyy
10.62.63.0/24 dev br1  proto kernel  scope link  src 10.62.63.3
default via yyy.yyy.yyy.yyy dev br0

• ping 10.62.63.3 to br1 ip (local): ok
• ping 10.62.63.1 to br1 ip (remote): ok
• ping 10.62.63.2 to dns (remote): ok
• ping 10.62.63.20 to web01 (remote): ok
• ping 10.62.63.30 to web02 (local): ok
• ssh 10.62.63.20 to web01 (remote): ok
• ssh 10.62.63.30 to web02 (local): ok

I use an older version of the example42 mysql module, which defines the mysql.conf file but not its content. Mmy goal is to just include the mysql module and add a content definition in the node.

class mysql {
    ...
    file { "mysql.conf":
        path => "${mysql::params::configfile}",
        mode => "${mysql::params::configfile_mode}",
        owner => "${mysql::params::configfile_owner}",
        group => "${mysql::params::configfile_group}",
        ensure => present,
        require => Package["mysql"],
        notify => Service["mysql"],
    }
    ...
}


node xyz
{
    include mysql
    File["mysql.conf"] { content => template("mymodule/mysql.conf.erb")}
}

The above code produces a "Only subclasses can override parameters"

What is the correct way to just add a content definition to an existing file definition?

os: debian stable (squeeze) nginx: squeeze-backports 1.2.1-2~bpo60+1

try_files just behave strange to me.

this works as expected, $uri is tried localy if not found -> the @static location is used

try_files  $uri $uri/ @static;

just adding a =404 to the end leads to a 404. shouldn't it still work if i access a existing file which is located $uri or @static, and only serve a 404 if nothing is found on the @static location?

try_files  $uri $uri/ @static =404;

putting the =404 before the @static makes it work again. why? if the file is not located at the $uri or $uri/ location but on @static it should lead to 404 because =404 is befor the @static (for my understanding). if i put access a file which is located at $uri it is correctly served from nginx (not hitting the @static backend or the =404)

try_files  $uri $uri/ =404 @static ;

i am quite confused

edit: my goal would be: test if the file is locally, then check all upstream servers for the file and if not found on these locations return a 404

config:

upstream domain.com_upstream
{
    server yyy.yyy.yyy.yyy:8000 weight=10 max_fails=3 fail_timeout=3s;
    server zzz.zzz.zzz.zzz:8020 weight=10 max_fails=3 fail_timeout=3s;
}

server 
{
    server_name         www.domain.com;

    listen              xxx.xxx.xxx.xxx:80;

    location @static
    {
        proxy_ignore_client_abort off;
        proxy_intercept_errors    on;
        proxy_next_upstream       http_404 error timeout invalid_header;

        proxy_pass                  http://domain.com_upstream;
        proxy_redirect              off;
        proxy_set_header            Host                $host;
        proxy_set_header            X-Real-IP           $remote_addr;
        proxy_set_header            X-Forwarded-For     $proxy_add_x_forwarded_for;
        client_max_body_size        10m;
        client_body_buffer_size     128k;

        proxy_connect_timeout       10;
        proxy_send_timeout          120;
        proxy_read_timeout          120;

        proxy_buffers 8 16k;
        proxy_buffer_size 32k;
    }

    location ~ ^/test 
    { 
        root /var/www/test;
        try_files $uri @static =404; # exchange with upper try_file examples...
    }

    *** snip ***
}

is there an option to set a node on hold (set it on noop), on the puppetmaster side? i am looking for a setting like in the example below. every node which has a variable called noop set to true in it's definition, won't be updated.

so example1.node.com will not have the test1 file after multiple puppet client runs but example2.node.com will have the file.

is there such an option? does another approach exist? (of course i can simple add a "_" to the node name and it will stop matching. i am looking for the official way.

node "example1.node.com"
{
    $noop = true
    file 
    {
        "/root/test1":
            content => "test",
            ensure => present,
    }
}

node "example2.node.com"
{
    file 
    {
        "/root/test1":
            content => "test",
            ensure => present,
    }
}

i want to change the session.save_path in the php.ini with augeas

default:

session.save_path="/var/lib/php5"

target value

session.save_path="3;/var/lib/php5sessions"

augeas returns quite interesting results

not working command (save is failing)

set /files/etc/php5/apache2/php.ini/Session/session.save_path '"3;/tmp"'
set /files/etc/php5/apache2/php.ini/Session/session.save_path '"3\;/tmp"'
set /files/etc/php5/apache2/php.ini/Session/session.save_path \"3;/tmp\"

partly working commands (save works but not the desired result)

set /files/etc/php5/apache2/php.ini/Session/session.save_path '"/tmp/test"'

is there a way to force augeas to just set the value to the given string and don't try to spit them up

edit: bug report link: https://fedorahosted.org/augeas/ticket/243

• os: debian squeeze (up2date)
• 2 apache mod php webserver
• 2 memcache server

i have to apache mod_php nodes which use two memcache server for redundant session storage (used variant 3 from https://serverfault.com/a/165584).

memcache.ini

extension=memcache.so

[memcache]
memcache.dbpath="/var/lib/memcache"
memcache.maxreclevel=0
memcache.maxfiles=0
memcache.archivememlim=0
memcache.maxfilesize=0
memcache.maxratio=0

memcache.allow_failover=1
memcache.hash_strategy=consistent
memcache.session_redundancy=3

php.ini

session.save_handler = memcache
session.save_path="tcp://192.168.0.11:11211?persistent=1&weight=1&timeout=1&retry_interval=15,tcp://192.168.0.19:11211?persistent=1&weight=1&timeout=1&retry_interval=15"

everything works fine using only one memcache server, it also works quite nice with two or two redundant server. the sessions are written to both servers (i can verify it with phpmemcache admin), but as soon as i kill one node (stop one memcache server) i get into trouble.

the memcache servers look like the are having one "master" server and one "2nd" server. there are less problems when i kill the 2nd server, but as soon as shut down the 1st memcache server (having the 2nd one up), apache error log gets filled with segmentation faults on each connection try.

i also tried memcache.session_redundancy=3 but i have the value 3 because of the bug https://bugs.php.net/bug.php?id=58585

ps. if you use firefox use: https://addons.mozilla.org/en-US/firefox/addon/its-all-text i just lost my question on pressing back after running into the "are you human" stuff of serverfault....

i try to create two different files with one template, because they only diff by one line.

file 
{
    "/tmp/bootstrap-raid.sh":
    content => template("pxe/bootstrap.sh.erb"),
}

file 
{
    "/tmp/bootstrap-noraid.sh":
    content => template("pxe/bootstrap.sh.erb"),
}

bootstrap.sh.erb:

<% if ??? == "???" %>
-r yes \
<% else %> 
-r no \
<% end %>

i can't pass a variable by defining it twice like $raid=yes file{} $raid=no file{}, so i tried to define the variable inside each file{} with no effort. then i thought about using the targetfilename inside the template like <% if filename == "/tmp/bootstrap-raid.sh" %> which is also not possible.

how to work call a template twice with different "parameters"

my target is to not defining and calling an extra function in the manifest file, or making two templates. any ideas?

are there any predefined default variables in a template like the filename of the targetfile, the templatename,...?

edit: another example would be having two php.ini files like in debian, one for the command line and one for the webserver. i want only to exchange the memory limit. but each server needs both php.ini files. i am looking for a way to pass a hardcoded parameter to the template file or a way that i can if/then/else based upon the targetfilename. of course i know that i am able to create a new define, which i can call twice. but i am looking for an easier way.

my puppet.conf on the master

[master]
certname = myname.mydomain.com
ca_server = myname.mydomain.com
certdnsnames = puppet;puppet.local;myname.dyndns.org;hivemind.local;

for my understanding with the certdnsnames defined the following should work:

puppet agent --server myname.dyndns.org --test

but i get the following error:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

how to avoid this error? how to correctly define certdnsnames? i have found diffent documentation about this, but no simple example. i i use "," for seperation i cannot sign at all. i also have seen a syntax like

certdnsnames = puppet:puppet.intra.myserver.fr,puppet.myserver.fr:puppet,puppet:puppet,puppet.intra.myserver.fr,puppet.myserver.fr

http://projects.puppetlabs.com/issues/5776

but for me its not clear when to add a "puppet:" and when not.

preseeding work perfect for me using:

auto url=http://mydomain.com/preseed.cfg

but as soon as i use a https connection, it doesn't work any more.

auto url=https://mydomain.com/preseed.cfg

with wget i can download the preseed file without a problem, with lynx i get an

"SSL-Error:no issuer was found"

so it looks like a cert problem, i use startssl.com to generate my free certs, nginx acts as ssl webserver (no problem accessing the https site with firefox).

how to debug this? how to force to get the file over the ssl connection?

for me, a vmware machine normally has 2 lan interfaces, one connected with the lan or the management computer and the 2nd one connected with the wan interface for public access.

so security is ensured by having a firewall in front of the "public network card" of vmware and only making it possible to access the managment interface over the "private network card".

but how do i ensure security, if i install vmware esxi 5.0 on normal dedicated root server with multiple public ips, without a firewall in front of the server, without any (for me accessable) routing before the server, without multiple network interfaces?

i found the article about the firewall: http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-and-vsphere-articles/networking/understanding-vmware-esx-server-security-profiles.html

but on which ip is the port open? is it bound to all public ips? can i bind the management interface to a specific ip? how to bind one ip to the management interface and the rest to one or more virtual machines?

i thought about making a vlan inside esxi and let building up a vpn over a routing vm, and making the managment console only accessable with an ip from the vpn but i tastes a little bit after how to lock myself out.

any hints?

edit: root server like: server4you.com/root-server a single server where vmware is installed, "directly" connected to the internet -> directly attackable, not in a well secured lan

edit2: keep in mind, that people who don't have english as their first language, maybe define things, like "root server" different than you. please comment on the question and write something about how making the question more clear for you.

maybe this phraseing is better: how to make a vmware esxi 5.0 server secure, which has only one network card and is directly connected to the internet?

i have no experience with securing esxi connected like that to net, if i run a virtualization like kvm or vserver it is rather easy, just securing the host server with a iptables firewall and also handle the routing there.

i havn't found a good info about my problem googleing for it, its quite a special problem, companies how do virtualization have a whole cluster of vmware servers and often not only one firewall in front of them.

so they simple don't have to secure a single vmware esxi host without an extra firewall and only a single network interface. others maybe don't virtualize or do not care about security.

so i ask the downvoters, is this question so bad?

php is truncating the session files to zero after migrating the session files from server one (debian lenny php 5.2) to the new server (debian squeeze php 5.3).

i create a session on server one with createsession.php (see below) and can view the content of the session with dumpsession.php on the same server.

after copying the session files from server one to the other server and switching to server two by changing my local hosts file, i have still the same cookie with the correct session id stored in the browser, the new server accesses the right session file, but instead of displaying the content of the session, the server truncates the session file to zero and starts a new session with the same session id.

is it possible to migrate the session files? is the serverip somehow hashed into the sessiondata?

is session sharing between php5.2 and php5.3 possible?

createsession.php

<?php
  session_name('mysession');
  session_start();
  var_dump(session_id());
  var_dump($_SESSION);
?>

dumpsession.php

<?php
  session_name('mysession');
  session_start();
  var_dump(session_id());
  $_SESSION['foo'] = 'bar';
?>

php.ini session part

[Session]
session.save_handler = files
session.save_path = "3;/var/lib/php5"
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 
session.serialize_handler = php
session.gc_divisor     = 100
session.gc_maxlifetime = 5184000
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 4
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

edit: my solution was switching back to debian lenny.

in short:

• running production webserver
• tuesday: changed config (the change was erroneous, wrong syntax) but deliberately not restarted apache
• apache restarted or reloaded config by itself today @cron.daily time
• apache was down

why apache restarted or reloaded config by itself?

long version

on my debian lenny stable server, which has a quite default setup (apache2, mod_php, mysql client, apc,...) i made a change to my apc.ini where i was not sure if it is faulty or not, because it is an production server, i just safed the file without restarting the webserver.

today @cron.daily time (6:25), the server restarted itself and stayed down because of the faulty apc.ini. i really want to know, why the server restarted itself. also why today? it is the cron.daily time and not the weekly time, the faulty config is online since tuesday.

crontab:

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

cron.daily content:

apache2
apt
aptitude
bsdmainutils
logrotate
man-db
standard

cron.weekly content:

man-db

any ideas?

edit: added logrotate tag based on the selected answer