Friday 19 September 2014

Mount read-only a Linux ext3/ext4 partition from within Mac OS

http://diesistmein.name/?p=30

or some variation.

Might help: http://osxdaily.com/2014/03/20/mount-ext-linux-file-system-mac/

Friday 15 August 2014

OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users

  1. Server setup
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa build-ca
  2. User key and cert signing request on a completely separate machine
    1. ./easyrsa init-pki
      1. don't do this twice!
    2. ./easyrsa gen-req myuser
  3. Server signs user cert req
    1. ./easyrsa import-req myuser.req myuser
    2. ./easyrsa sign-req client myuser
Generate your server key and cert in a similar manner to a user.

Any client presenting a cert signed by the CA may connect to the server. The server keeps no record of individual client certs; because the CA signed the user cert, that signature alone is authority enough to validate it.

Only when a user cert needs to be revoked is a "revocation file" created on the server; that revocation file stops the revoked user from connecting. If no users need to be revoked, nothing needs to be done and nothing about users needs to exist on the server side.

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Wednesday 6 August 2014

Very fast editing over sshfs

Update: this can cause some of your ssh sessions to hang, so be aware of that.

Add this to your ~/.ssh/config

Host myserver.mydomain.com
  ControlMaster auto
  ControlPath /tmp/%r@%h:%p


Then, say you have root access via your ssh pub key

mkdir tmp001
sshfs -o uid=1000 root@myserver.mydomain.com:/var/www tmp001

Now the files in tmp001 map to your remote /var/www directory, and access to them reuses the ssh session whose control socket is kept in your /tmp directory, i.e. all interactions go over the same ssh connection.

To see the control socket in /tmp, if you opened the sshfs session within the last 10 minutes:

find /tmp -mmin -10 -ls

Friday 1 August 2014

AWS cli: rework EBS volume on AMI launch: switch to SSD, "delete on termination" to true

aws ec2 run-instances \
    --image-id ami-aaaaaa \
    --instance-type hi1.4xlarge \
    --security-group-ids sg-eeeeeeee \
    --subnet-id subnet-cccccccc \
    --block-device-mappings '[
        {"DeviceName":"/dev/sdb", "VirtualName":"ephemeral0"},
        {"DeviceName":"/dev/sdc", "VirtualName":"ephemeral1"},
        {"DeviceName":"/dev/sdd", "Ebs":{"SnapshotId":"snap-6", "VolumeType":"gp2", "DeleteOnTermination":true}}
    ]' \
    --region us-east-1


Switch to high IOPS (provisioned IOPS volume type io1):

aws ec2 run-instances \
    --image-id ami-aaaaaa \
    --instance-type hi1.4xlarge \
    --security-group-ids sg-eeeeeeee \
    --subnet-id subnet-cccccccc \
    --block-device-mappings '[
        {"DeviceName":"/dev/sdb", "VirtualName":"ephemeral0"},
        {"DeviceName":"/dev/sdc", "VirtualName":"ephemeral1"},
        {"DeviceName":"/dev/sdd", "Ebs":{"SnapshotId":"snap-6", "VolumeType":"io1", "Iops":4000, "DeleteOnTermination":true}}
    ]' \
    --region us-east-1

Monday 28 July 2014

Change graphite's default dashboard graph colors

  1. cp -v /opt/graphite/conf/graphTemplates.conf.example /opt/graphite/conf/graphTemplates.conf
  2. vi /opt/graphite/conf/graphTemplates.conf
  3. change '[default]' section to '[uggs]'
  4. change another section, e.g. '[solarized-dark]', to '[default]'
  5. reload dashboard and you should see changed colors

Wednesday 23 July 2014

Ganglia on Amazon Linux (and other RedHat derivatives)

The below is for setting up unicast, not multicast. AWS does not support multicast networking.

Key concepts: gmond daemons run on every server and use C code to collect the server's stats; this data is held in local memory. Multiple gmonds can send their data on to one central gmond; call this a gmond "bank". The bank also keeps the stats only in memory. gmetad then collects the data from the gmond banks and stores it in rrd files; the web interface reads these rrd files and usually runs on the same server as gmetad.

Cluster name: the cluster name is what groups the data as it moves from gmond to gmond and then on to gmetad. data_source is how gmetad finds the banks; and, by the way, you can list redundant banks for one cluster's data_source.

Getting rid of multicast settings: comment out all references to multicast: bind_hostname, mcast_join, bind. Comment them all out.

UDP vs TCP, and port 8649: port 8649 is the default. UDP on port 8649 carries gmond-to-gmond traffic, and TCP on port 8649 is what gmetad uses to pull data from all your gmond banks. Run "tcpdump -i any -nn port 8649" ALL THE TIME ON EVERY SERVER in a separate terminal when debugging.

Source: http://www.admin-magazine.com/HPC/Articles/Monitoring-HPC-Systems
  1. mkdir ganglia_rpms
  2. cd ganglia_rpms/
  3. wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmond-3.6.0-1.x86_64.rpm
  4. wget http://vuksan.com/centos/RPMS-6/x86_64/libganglia-3.6.0-1.x86_64.rpm
  5. wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-debuginfo-3.6.0-1.x86_64.rpm
  6. wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-devel-3.6.0-1.x86_64.rpm
  7. wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmetad-3.6.0-1.x86_64.rpm
  8. wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmond-modules-python-3.6.0-1.x86_64.rpm
  9. wget http://vuksan.com/centos/RPMS-6/x86_64/libconfuse-2.6-2.el6.rf.x86_64.rpm
  10. wget http://vuksan.com/centos/RPMS-6/x86_64/libconfuse-devel-2.6-2.el6.rf.x86_64.rpm
  11. yum localinstall ganglia-*.rpm lib*.rpm
  12. yum install httpd
  13. yum install php
  14. cd
  15. mkdir ganglia-web-dev
  16. cd ganglia-web-dev/
  17. wget http://downloads.sourceforge.net/project/ganglia/ganglia-web/3.5.12/ganglia-web-3.5.12.tar.gz
  18. tar zxvf ganglia-web-3.5.12.tar.gz
  19. cd ganglia-web-3.5.12
  20. vi Makefile 
    1. GDESTDIR = /var/www/html/ganglia
    2. APACHE_USER = apache
  21. make install
  22. cp apache.conf /etc/httpd/conf.d/ganglia.conf
  23. vi /etc/httpd/conf.d/ganglia.conf
    1. change /usr/share/ganglia-webfrontend to /var/www/html/ganglia
  24. service httpd start
  25. setenforce 0 
    1. not needed on Amazon Linux
  26. vi /etc/ganglia/gmond.conf
  27. vi /etc/ganglia/gmetad.conf
  28. service gmond start
  29. service gmetad start
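Added example for steps 26 and 27 (not from the source article or the Ganglia project): the minimal unicast gmond.conf and gmetad.conf that matches the "bank" setup described above. The cluster name, bank IPs and the 10.0.0.0/24 addresses are constructed.

```conf
# /etc/ganglia/gmond.conf on EVERY node, banks included (constructed example)
globals {
  daemonize = yes
  setuid = yes
  user = ganglia
  send_metadata_interval = 30   # must be > 0 for unicast, or a restarted bank never re-learns metric metadata
}
cluster {
  name = "webtier"              # has to match the data_source name in gmetad.conf
}
# unicast only: no mcast_join, bind_hostname or bind anywhere in this file
udp_send_channel {
  host = 10.0.0.5               # bank 1
  port = 8649
  ttl = 1
}
udp_send_channel {
  host = 10.0.0.6               # bank 2, redundant copy of the same cluster
  port = 8649
  ttl = 1
}
udp_recv_channel {              # only the banks need to receive; leaf nodes may set deaf = yes in globals
  port = 8649
}
tcp_accept_channel {            # gmetad pulls the cluster XML from the banks here
  port = 8649
}
# keep 8649/udp and 8649/tcp reachable only from cluster hosts in the security group

# /etc/ganglia/gmetad.conf on the gmetad + web server
# one data_source per cluster; gmetad falls back to the next bank if the first stops answering
data_source "webtier" 10.0.0.5:8649 10.0.0.6:8649
```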

Tuesday 8 July 2014

Latest graphite on Amazon Linux at AWS

NOTE: someone broke master branch, so reverting to 0.9.x
  1. yum update -y;reboot
  2. yum -y groupinstall "Development Tools"
  3. yum -y install git-core python-pip mlocate
  4. yum -y install python-rrdtool pycairo-devel
  5. mkdir -p /root/graphite-install
  6. cd /root/graphite-install
  7. git clone https://github.com/graphite-project/carbon.git
  8. git clone https://github.com/graphite-project/whisper.git
  9. git clone https://github.com/graphite-project/ceres
  10. git clone https://github.com/graphite-project/graphite-web.git
  11. cd /root/graphite-install/whisper
  12. git checkout 0.9.x
  13. python setup.py install
  14. cd /root/graphite-install/ceres
  15. # only has master branch, but it works with others
  16. pip install -r requirements.txt
  17. python setup.py install
  18. cd /root/graphite-install/carbon
  19. git checkout 0.9.x
  20. pip install -r requirements.txt
  21. python setup.py install
  22. cd /root/graphite-install/graphite-web
  23. git checkout 0.9.x
  24. yum install libffi-devel -y # some developer broke things, add this
  25. pip install -r requirements.txt
  26. python check-dependencies.py
  27. python setup.py install 
  28. cp -v /opt/graphite/conf/carbon.conf.example /opt/graphite/conf/carbon.conf
  29. cp -v /opt/graphite/conf/storage-schemas.conf.example /opt/graphite/conf/storage-schemas.conf
  30. cp -v /opt/graphite/conf/storage-aggregation.conf.example /opt/graphite/conf/storage-aggregation.conf
  31. cp -v /opt/graphite/webapp/graphite/local_settings.py.example /opt/graphite/webapp/graphite/local_settings.py
  32. cp -v /opt/graphite/conf/graphite.wsgi.example /opt/graphite/conf/graphite.wsgi
  33. vi /opt/graphite/webapp/graphite/local_settings.py
    1. set SECRET_KEY param
    2. uncomment DATABASE section
  34. add these lines to /root/.bash_profile
    1. export GRAPHITE_ROOT=/opt/graphite
    2. export PYTHONPATH=$GRAPHITE_ROOT/webapp:$GRAPHITE_ROOT/whisper
  35. source /root/.bash_profile
  36. django-admin.py syncdb --settings=graphite.settings
  37. yum -y install httpd24 mod24_wsgi
  38. mkdir /etc/httpd/vhosts.d
  39. add to end of /etc/httpd/conf/httpd.conf
    1. IncludeOptional vhosts.d/*.conf
  40. create /etc/httpd/vhosts.d/graphite.conf with below
  41. mkdir /var/run/wsgi;chmod -v 777 /var/run/wsgi
  42. apachectl -S
    1. check for errors
  43. service httpd start
  44. /opt/graphite/bin/carbon-cache.py start
  45. find /opt/graphite/storage -type d -exec chmod -v 777 {} \;
  46. find /opt/graphite/storage -type f -exec chmod -v 666 {} \;
  47. echo '127.0.1.3 graphite' >> /etc/hosts
  48. curl -I http://graphite
  49. on local machine
    1. make same /etc/hosts entry
    2. port forward 127.0.1.3:8081 to remote-server:80
    3. curl -I http://graphite:8081
  50. END

WSGISocketPrefix /var/run/wsgi

<VirtualHost *:80>
    ServerName graphite
    DocumentRoot "/opt/graphite/webapp"
    ErrorLog logs/webapp_error.log
    CustomLog logs/webapp_access.log common

    WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
    WSGIProcessGroup graphite
    WSGIApplicationGroup %{GLOBAL}
    WSGIImportScript /opt/graphite/conf/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
    WSGIScriptAlias / /opt/graphite/conf/graphite.wsgi

    Alias /content/ /opt/graphite/webapp/content/
    <Location "/content/">
        SetHandler None
        Require all granted
    </Location>
  
    Alias /media/ "@DJANGO_ROOT@/contrib/admin/media/"
    <Location "/media/">
        SetHandler None
        Require all granted
    </Location>
 
    <Directory /opt/graphite/conf/>
        Require all granted
    </Directory>
</VirtualHost>


Thursday 5 June 2014

OpenVPN: push all LAN traffic through an OpenVPN client to the other side

  1. Local variables for this post, adjust to fit your setup:
    1. OpenVPN client server IP
      1. 192.168.1.200
    2. Remote network
      1. 172.16.1.0/24
  2. Add this to the client server that is using OpenVPN to connect to the remote server:
    1. sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      1. POSTROUTING is a chain of the nat table, so "-t nat" is required
    2. as root user, do
      1. echo 1 > /proc/sys/net/ipv4/ip_forward
  3. Add this to your local computer
    1. Linux:
      1. ip route add 172.16.1.0/24 via 192.168.1.200
    2. Mac:
      1. route -n add 172.16.1.0/24 192.168.1.200
Now, you should be able to ping from your local computer, through the client machine, and to a server in the remote network. Once that works, try ssh.

NOTE: to make ip_forward survive reboots of the client server, set it in /etc/sysctl.conf: net.ipv4.ip_forward=1

Thursday 29 May 2014

rebuild rpm

rpmrebuild -e -n -p myrpm.rpm

Wednesday 28 May 2014

unbound: default to Google's DNS

forward-zone:
       name: "."
       forward-addr: 8.8.8.8
       forward-addr: 8.8.4.4

unbound: custom records

server:
        verbosity: 1
        interface: 0.0.0.0
        access-control: 10.0.0.0/8 allow

        local-zone: "mydomain.internal" static
        local-data: "app01.mydomain.internal          IN A 10.0.0.10"
        local-data: "app02.mydomain.internal          IN A 10.0.0.11"
        local-data: "biggie01.mydomain.internal       IN A 10.0.0.12"
        local-data: "mysql01.mydomain.internal        IN A 10.0.0.20"
        local-data: "mysql02.mydomain.internal        IN A 10.0.0.31"
        local-data: "apache01.mydomain.internal       IN A 10.0.0.200"


Zenoss: CLI discovery and remodel

Become zenoss user 1st

su - zenoss 

Remodel a bunch

for i in server1 server2 server3;do zenmodeler run --now -d $i;done

Discover a bunch

for i in server1 server2 server3;do zendisc run --deviceclass=/Server/Linux --device=$i;done

Sunday 25 May 2014

Thunderbird version 24.x.y: message layout

I'm pretty certain this is impossible to find.
Preferences -> Layout -> Classic/Wide/Vertical View

Wednesday 23 April 2014

gnupg

  1. create
    1. gpg --gen-key
      1. if entropy taking too long
        1. sudo apt-get install rng-tools
      2. note your key ID from output
        1.  pub   4096R/B110C232 2014-04-23
        2. here it is: B110C232
  2.  push
    1. gpg --send-keys --keyserver keyserver.ubuntu.com B110C232
      1. replace B110C232 with the key ID output from above
  3. more to come

Thursday 20 February 2014

Puppet 3.1.1 using Ruby 1.9.3 on Amazon Linux

UPDATE: Amazon Linux is now on Ruby 2.x, so below is DEPRECATED for new Amazon Linux images. But parts may be useful.
  1. yum -y remove ruby
  2. yum -y install ruby19
  3. gem install --no-rdoc --no-ri puppet --version=3.1.1
  4. /usr/local/bin/puppet -V
    1. add /usr/local/bin to $PATH of users that need it
  5. vi /usr/local/share/gems1.9/gems/facter-1.7.5/lib/facter/ec2.rb
    1. change line 28 to:
      1. if (Facter::Util::EC2.can_connect?)
    2. Reference: http://projects.puppetlabs.com/issues/7559
    3. existing line 28 is much longer
If you manage user passwords with Puppet
  1. yum -y install ruby19-devel
  2. yum -y groupinstall "Development Tools"
  3. gem install --no-rdoc --no-ri ruby-shadow

Friday 24 January 2014

Change email contents display font size of Thunderbird

Thunderbird's email contents display appears to act like a web browser, so hitting Ctrl and the '-'/'+' keys shrinks/enlarges the font size.

Note: this is not explained anywhere, and the preferences all change a different setting, AFAIK

Friday 17 January 2014

MacBook and Openbox: mimic keyboard shortcut Cmd-tab application switcher

    <keybind key="W-Tab">
      <action name="NextWindow">
        <allDesktops>yes</allDesktops>
        <finalactions>
          <action name="Focus"/>
          <action name="Raise"/>
          <action name="Unshade"/>
        </finalactions>
      </action>
    </keybind>
    <keybind key="W-S-Tab">
      <action name="PreviousWindow">
        <finalactions>
          <action name="Focus"/>
          <action name="Raise"/>
          <action name="Unshade"/>
        </finalactions>
      </action>
    </keybind>

Macbook Air and Openbox: copy the Spotlight(TM) keyboard shortcut

    <keybind key="W-space">
      <action name="Execute">
        <command>dmenu_run</command>
      </action>
    </keybind>


apt-get install suckless-tools

LXC and Puppet dev env in 60 seconds


  1. lxc-create -n puppetmaster01 -t debian
  2. lxc-create -n puppetclient01 -t debian
  3. /etc/default/lxc-net
    1. find subnet defined by LXC_NETWORK
  4. vi /var/lib/lxc/puppetmaster01/config
    1. add ip addr ending in .100 to subnet
      1. for example, lxc.network.ipv4 = 10.0.1.100/24
  5. vi /var/lib/lxc/puppetclient01/config
    1. add ip addr ending in .101 to subnet
      1. for example, lxc.network.ipv4 = 10.0.1.101/24
  6. lxc-start -d -n puppetmaster01
    1. don't forget the "-d" or you'll be stuck in tty session
  7. lxc-start -d -n puppetclient01
  8. lxc-attach -n puppetmaster01
    1. apt-get install puppetmaster
  9. lxc-attach -n puppetclient01
    1. apt-get install puppet
    2. vi /etc/hosts and add entry "puppet" to point at pmaster
WARNING: for distro "saucy" as your container/host system, dnsmasq is broken: VMs cannot get a DHCP IP address from dnsmasq. To attempt to fix, try:
  1. sudo iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp --dport bootpc -j CHECKSUM --checksum-fill
  2. refresh vm IP
    1. stop and start vm
    2. or kill existing dhclient process on vm, and run dhclient by hand
      1. pkill dhclient
      2. dhclient -v eth0
  3. If that doesn't help your vm to get an IP address from dnsmasq
    1. delete the iptables rule you just created
      1. iptables -L -t mangle -n --line-numbers
        1. show existing rule numbers in left column
      2. iptables -t mangle -D POSTROUTING <rule #>
        1. for example, iptables -t mangle -D POSTROUTING 1


Sunday 5 January 2014

Macbook Air and Openbox: Raise/Lower Volume, Up/Down Brightness

    <keybind key="XF86KbdBrightnessUp">
      <action name="Execute">
        <command>xbacklight +10</command>
      </action>
    </keybind>
    <keybind key="XF86KbdBrightnessDown">
      <action name="Execute">
        <command>xbacklight -10</command>
      </action>
    </keybind>
    <keybind key="XF86AudioRaiseVolume">
      <action name="Execute">
        <command>amixer -c 0 set Master 2dB+</command>
      </action>
    </keybind>
    <keybind key="XF86AudioLowerVolume">
      <action name="Execute">
        <command>amixer -c 0 set Master 2dB-</command>
      </action>
    </keybind>
