Devator's questions

Introduction

I have one router, running pfSense (can be anything since it's a virtual machine on VMware, so if the solution requires anything else, that's fine by me) and behind it I have multiple virtual machines (NAT).

What I'd like to accomplish

I'd like to use a proxy of some sort to use multiple services with 1 IP, preferably based on DNS. For example; running a mail server (and website for webaccess) on mail.domain.com and running a website on www.domain.com and running a FTP server on ftp.domain.com, but all are a different virtual machine.

So basically:

Hostname          Internal NAT IP     Port

www.domain.com    192.168.1.10        80
mail.domain.com   192.168.1.11        25
mail.domain.com   192.168.1.11        80
mail.domain.com   192.168.1.11        443
ftp.domain.com    192.168.1.12        21

So I thought of using HAProxy, but HAProxy only allows this for HTTP traffic and not for "regular" TCP traffic (based on DNS name). I'd like to have all ports (both TCP and UDP, but if TCP is only possible then it's fine aswell) to be redirected to the respective virtual machine.

The question

So, I have setup a new domain with two DC's. I'm trying to remove the Authenticated Users group from the one of the OU's and that works fine, however child objects do not update (they still have the Authenticated Users security groep applied) while inheritance is enabled:

OU topology:

Top OU TestOU notice the Authenticated Users group is removed:

Child1 security properties notice the Authenticated Users group:

Child1 advanced security notice the Disable inheritance button:

I have tried to clear all permissions on the Authenticated Users object and then apply to all descendants but that doesn't work...

There isn't a function either (although, not that I am aware of) to replace all child object permissions (as you can on filesystem level).

So, how do I get the inheritance working as I think it should?

We currently have the following environment (hosted on server 2003 and terminals servers on 2008 R2) and we need to upgrade this to their 2012 versions. We will create a new environment from scratch.

Domain controllers

• DC01
• DC02

File server

• File01

Exchange server

• Exchange01

Terminal servers

• TS_ClientA
• TS_ClientB
• TS_ClientC

Each client has their own OU within our AD and using denies (ADSIedit) they can't see each other in Exchange and neither as normal objects (like for folder permissions).

We don't want to use these tricks again and rather have a well thought out active directory design.

Now, I have googled on this, but it doesn't seem this is possible (atleast, natively). We still need to use adsiedit and do tricks to get a multi tenant environment. Regarding Exchange, we thought about using Office 365 for the clients.

I'd like to know if I misunderstood something or if there's anything I'm missing to create a multi tenant 2012 R2 environment.

I'm looking into ZFS and using FreeNAS for ZFS management and have the following question:

Do the ZFS advantages as deduplication, auto error fixing etc still work when creating an iSCSI target on a ZFS volume?

In FreeNAS, this is probably a raw image file which in used as a target on a ZFS volume. Since it's block based (rather than file based): do ZFS the advantages still apply?

Edit: Intended use will be storage for VMware (ESXi).

I'm adding the route IP_ADDRESS NETMASK net_gatewayto the OpenVPN config file (locally), so it's not being pushed by the server and it works perfectly fine.

However, when I remove the routing line from the configuration file and reconnect to the OpenVPN server, it stays in the routing tables (according to route PRINT (in cmd.exe) on Windows 7). Which means OpenVPN doesn't remove the previously generated route.

I'd like to know how to prevent this. I have added a sample configuration file below (which is not too special).

client
dev tap
proto tcp-client
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 3
auth-user-pass
route 192.168.1.100 255.255.255.255 net_gateway

I have switch (HP ProCurve 1810-24G to be exact) and it's placed in a datacenter.

To secure the switch, there's a lenghty password on it. But, there's one great downside: anyone with the IP address has access to the login screen. While this normally not an issue, I don't like it. There are some brute-force attacks going on and who knows there might be a zero-day exploit available for the switch. The switch doesn't have the option to 'auto-ban' IP's with exessive login attempts nor does it have a whitelist for allowed IP's.

So, my question is: how to secure this switch better than I currently have? I was thinking about giving it a private IP address, but then when my server crashes, I would be unable to access the switch (if I need to for any reason).

What are best practises for something like this?

I have a simple webserver (Debian 6.0 x86, DirectAdmin with 1 GB of memory and still 10 GB free space, mySQl version 5.5.9), however the mySQL server keeps crashing and I need to kill all mySQL processes to be able to restart it again.

/var/log/mysql-error.log output:

130210 21:04:26 InnoDB: Using Linux native AIO
130210 21:04:34 InnoDB: Initializing buffer pool, size = 128.0M
130210 21:05:42 InnoDB: Completed initialization of buffer pool
130210 21:05:48 InnoDB: Initializing buffer pool, size = 128.0M
130210 21:06:22 InnoDB: Initializing buffer pool, size = 128.0M
130210 21:06:27 mysqld_safe mysqld from pid file /usr/local/mysql/data/website.pid ended
130210 21:06:29 mysqld_safe mysqld from pid file /usr/local/mysql/data/website.pid ended
130210 21:07:22 InnoDB: Completed initialization of buffer pool
130210 21:07:51 mysqld_safe mysqld from pid file /usr/local/mysql/data/website.pid ended
130210 21:08:33 InnoDB: Completed initialization of buffer pool
130210 21:12:03 [Note] Plugin 'FEDERATED' is disabled.
130210 21:12:47 InnoDB: The InnoDB memory heap is disabled
130210 21:12:47 InnoDB: Mutexes and rw_locks use InnoDB's own implementation
130210 21:12:47 InnoDB: Compressed tables use zlib 1.2.3
130210 21:12:47 InnoDB: Using Linux native AIO
130210 21:13:11 InnoDB: highest supported file format is Barracuda.
130210 21:13:23 InnoDB: Initializing buffer pool, size = 128.0M
InnoDB: The log sequence number in ibdata files does not match
InnoDB: the log sequence number in the ib_logfiles!
130210 21:14:05  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Unable to lock ./ibdata1, error: 11
InnoDB: Check that you do not already have another mysqld process
InnoDB: using the same InnoDB data or log files.
InnoDB: Unable to lock ./ibdata1, error: 11
InnoDB: Check that you do not already have another mysqld process
InnoDB: using the same InnoDB data or log files.
InnoDB: Unable to lock ./ibdata1, error: 11
InnoDB: Check that you do not already have another mysqld process
InnoDB: using the same InnoDB data or log files.
130210 21:17:53  InnoDB: Unable to open the first data file
InnoDB: Error in opening ./ibdata1
130210 21:17:53  InnoDB: Operating system error number 11 in a file operation.

I have found a topic on the mySQL website here however there's no solution for it.

Any ideas anyone?

I'd like to give users a certain amount of traffic. Let's say user A gets 1 GB and user B get 5 GB.

I have a great script which does log all this info, however this script is called when the user disconnects (client-disconnect).

Now, my problem is the following: what if user A uses up 1 GB of data and simply never disconnects? He would be able to use thousands of GB's. Is there any way run a specific script periodically within OpenVPN (so no crontab, since OpenVPN passes environment variables).

I have an OpenVPN server and I want it to log each users bandwidth. I'm looking to log the bytes_send and bytes_received. This is stored in the OpenVPN status file, but I can't easily read that file since it's always changing.

I could use a client-disconnect script, but how would I pass the bandwidth used to it? I'd rather not use this as the bandwidth will only be updated when a client disconnects. What if he just never does so? Right, then he can use as much bandwidth as he likes.

So, how can I log the bandwidth used per client?

I have a server with 2 HDD's (2x 1 TB), running in RAID 1 (SW-RAID). I want to improve IO performance by using flashcache. There are running KVM virtual machines on it, using LVM.

Regarding this, I have the following questions:

• Will this even work? flashcache works for block devices, however these are all virtual machines with their own setup.
• How much would I expect to increase performance? Most virtual machines run websites and some host games.
• How big does the SSD needs to be? Would having a bigger SSD increase performance since it's able to cache more files?
• What happens if the SSD dies? Would flashcache retrieve files from the traditional HDD and I could simply replace the SSD?
• How much faster would writeback be in comparison with writethrough and writearound?

I have no access to a test system unfortunately, so could I install flashcache on a live server without unmounting the the disks? I found a great tutorial here which I would be using.

I have a dedicated server connected to a 1000 Mbit port. However, the Debian guest is only getting half to a 1/4 the speeds:

On the node itself (Linux node 2.6.32-279.9.1.el6.x86_64 #1 SMP Tue Sep 25 21:43:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux):

wget http://www.bbned.nl/scripts/speedtest/download/file1000mb.bin -O /dev/null
--2012-11-11 23:10:11--  http://www.bbned.nl/scripts/speedtest/download/file1000mb.bin
Resolving www.bbned.nl... 62.177.144.181
Connecting to www.bbned.nl|62.177.144.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576000 (1000M) [application/octet-stream]
Saving to: â/dev/nullâ

100%[====================================>] 1,048,576,000  100M/s   in 10s

2012-11-11 23:10:21 (100 MB/s) - â/dev/nullâ

On the guest (Debian 6.0.5, x64: Linux debian 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC 2012 x86_64 GNU/Linux):

wget http://www.bbned.nl/scripts/speedtest/download/file1000mb.bin -O /dev/null
--2012-11-11 23:10:41--  http://www.bbned.nl/scripts/speedtest/download/file1000mb.bin
Resolving www.bbned.nl... 62.177.144.181
Connecting to www.bbned.nl|62.177.144.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576000 (1000M) [application/octet-stream]
Saving to: â/dev/nullâ

100%[=================================================================================================================================================================================================>] 1,048,576,000 16.5M/s   in 42s

2012-11-11 23:11:23 (23.8 MB/s) - â/dev/nullâ

I use the virtio NIC. I tried some more NICs: e1000 and the Realtek 8139 but those yield even worse results.

Anyone has an idea how to improve these speeds?

So, one of my servers has a hard disk failure. It's running software RAID, the system locked up and according to /proc/mdstat (and /var/log/messages), it's really down:

Personalities : [raid1]
md2 : active raid1 sdb2[1]
      104320 blocks [2/1] [_U]

md5 : active raid1 sdb5[1]
      2104448 blocks [2/1] [_U]

md6 : active raid1 sdb6[1]
      830134656 blocks [2/1] [_U]

md1 : active raid1 sdb1[1]
      143363968 blocks [2/1] [_U]

and

Nov  5 22:04:37 m38501 smartd[4467]: Device: /dev/sda, not capable of SMART self-check

However

when I do smartctl -H /dev/sda, it passes the test. It also passes the test with smartctl --test=short /dev/sda.

So, is smartctl a broken testing tool, or am I doing something completely off?

I currently have a FOG server (which works perfectly fine) and I'm trying to boot Windows 7 through it (with memdisk).

But, since the ISO is rather large (more than 6 GB) it will try to put the ISO into memory and then boot however it crashes with the error message not enough memory to load specified image. The systems here don't have 6 GB of RAM so I need another way to boot it. I am aware of WDS and SCCM, however I want todo this with FOG.

Is there any way to boot the ISO and install Windows through FOG?

So I screwed up my grub.conf file on a CentOS system and I'm in recovery right now (it's only a test dedicated server). My disks are /dev/sda1 and /dev/sdb1 (RAID 1). Now I need to mount /dev/sda1 and make changes to the grub file, however those changed need to be reflected on the second disk aswell.

How do I mount these RAID disks? I can mount one using mount -t ext3however it will damage the RAID array.

Currently I use a script to put an image on the target server:

dd if=100mb.bin | ssh backup-server "dd of=/home/backupvps/blaa/100mb.bin"

However, how can I retrieve this very same file? I'd rather not use any FTP or Web server, but native commands.

I'm trying to create a backup of a LVM volume and I have a simple img file which contains all data. Is there any way to have this have incrementally backed up using rsync? Like a full backup every week, then each consecutive day an incremental backup until the full backup is again.

I'd like let's say restore to the backup made on Wednesday (similar as rdiff-backup can do, but rdiff-backup only support multiple files).

So: is it possible with rsync to have full and incremental backups and destroy the oldest (using a weekly 'rotation'?

I'm currently developing a Xen backup system, however I have met the following problem:

I have two methods of backing up:

• doing dd from the LVM snapshot, and tarring it., and rsync it remotely
• mount the LVM snapshot and rsync everything to a remote location

Now the second option allows me the use of rdiff-backupso I can save incremental backups and save a lot of space whilst the first option is really storage heavy.

Now, I have two questions:

• Is there any way to have no 'whitespace' when using dd? Let's say I have a 50GB LVM volume and only 3 GB is used, when using dd it will create a 50 GB image (and so 47 GB is wasted). tar can fix this but takes a lot of extra time (which I don't have basically)
• Can these img files created by dd saved incrementally in some way?

I'm looking for a way to create Xen (HVM) backups, using LVM. I know xm save but that is a) inefficient space wise, b) the VM will shut down. I found rsnapshot which is able to create an LVM snapshot, but to restore this I will have to copy all files over to the machine (instead of just restoring the complete LVM, everything seems to be individual files).

Is there any backup software you recommend? I'm running CentOS on my Xen host. Some requirements:

• It can be paid software but not too expensive (personal use)
• It should have differential (like a full backup, then an incremental backup (to preserve space)).
• Easy to restore the Xen VM (currently rsnapshot needs to copy all files over, instead of one .img file to restore or something similar).

Thanks in advance.

My Xen HVM machine has 4 cores on 2.4 Ghz however top gives me a load of 2-3. There are running 20 VM's on it (most of them are idle). The HDD is also almost idle (200 KB/s write and 6 KB/s read).

xentop gives me Domain-0 -----r 223766 121.0 4376576 26.1 no limit n/a 4 25 6105332 2824789 0 0 0 0 0 (so 121.0 as CPU% usage).

What's the reason of this? None of the VPSs have high CPU usage. It can't be the IO.

Anyone with some more experience know how to pinpoint this problem?

Thanks in advance.

Edit: You can find the output of top here: http://dl.dropbox.com/u/6166898/top.txt And here's the xentop full output: http://dl.dropbox.com/u/6166898/xentop.txt

There are some Windows VM's on it, I'm using Xen in conjunction with SolusVM.

I have 16GB ram in my machine. Before, free -m outputted the normal 16 GB ram, however now (after a reboot) it only detects 8 GB ram. Is one ram module damaged?

grep -i memory /var/log/dmesg outputs

Memory: 15621184k/16017200k available (2535k kernel code, 387120k reserved, 1748k data, 196k init). (Which looks like 16 GB to me).

free -m outputs:

              total       used       free     shared    buffers     cached
Mem:          7484       7415         68          0       6104        524
-/+ buffers/cache:        786       6697
Swap:         2055          0       2054

Anything I might be missing?

Thanks in advance.