
Automation/Config Mgmt recommendations


So I'm the new guy at $newJob, and here at $newjob we manage roughly 45 virtualized Linux servers. I need a solution that can graphically manage the creation, modification and destruction of those VMs along with coordinating and managing the configurations.

I've been reading about Foreman and Ansible and I have a pair of servers in our sandbox. However, I'm finding that getting help with problems with those two talking to each other is very hard.

So I'm here looking for recommendations of other products that can accomplish the same things. Thanks!!

submitted by /u/invalidpath

[help] letsencrypt issues w/ LAMP stack (Ubuntu 16.04) & Wordpress


I've been pulling my hair out this week setting up my VPS on DigitalOcean. I've literally destroyed and restarted my droplet a dozen times trying to go through the motions and figure out what is missing. There is something a bit off with the letsencrypt script that is packaged with DO's LAMP+WP stack for Ubuntu 16.04.

What I've done so far: Started out using their 1-click install for LAMP+WP, where everything goes swimmingly at first. The stack comes with UFW, iptables, fail2ban, and letsencrypt installed already. I've gone through this process, as well as setting my LAMP server up from the ground up, multiple times. Every single time I've gone from Ubuntu/Apache/MySQL/PHP 7.0 as a sudo user, setting permissions, using SSH key access, setting up VHosts, and set up to the point of the WP-admin install process, and everything is perfect there...

Now, the problem surfaces every time I run the letsencrypt client.

sudo letsencrypt --apache -d asdf.com -d www.asdf.com

I could be missing something along the way, configuring my VirtualHost files improperly. Not really sure. I've gone through every tutorial on DO 10 times over to see if I'm missing something.

Here is my VirtualHost file:

<VirtualHost *:443>
    ServerAdmin asdf@gmail.com
    ServerName asdf.com
    ServerAlias www.asdf.com
    DocumentRoot /var/www/asdf.com/public_html
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =asdf.com [OR]
    RewriteCond %{SERVER_NAME} =www.asdf.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

Let me know if you would like me to post anything else for you guys to help me figure this headache out.

submitted by /u/miamizombiekiller


salt version of puppet template?

[Help] Edited /pam.d/common-auth and can't login into server anymore.


Hello everyone,

I was messing around with my server's PAM configuration files and added these lines to the already existing /etc/pam.d/common-auth:

auth required pam_succeed_if.so uid<1002
auth required pam_succeed_if.so user notingroup 1006

I didn't edit the configurations that were already there, just added those. As far as my experience with PAM goes, those 2 lines should deny access to any user whose UID is greater than or equal to 1002 or any user that belongs to the group whose id is 1006. Am I wrong?

Can't log in with any other user.

Any help would be appreciated.


Fixed! By resetting the vSphere VM, entering the GRUB boot options, choosing Recovery Mode and remounting the current filesystem as rw:

mount -o remount,rw /dev/sda1 

Thanks everyone for the suggestions and help.

submitted by /u/CokeCoding

XRDP & pam authentication(google authentication)


Has anyone gotten PAM authentication to work when you log into an XRDP session? I want to be able to access my desktop at home from my work PC and have 2-factor auth. Or can anyone suggest another second-factor authentication?

submitted by /u/9WNUCFEQ

[Cent7] remove all the leading white space of all the files and directory recursively.


A lot of people suggest I use rename, but somehow the rename from Google search doesn't work in my case. It seems CentOS rename is different from Ubuntu rename.

I also know that if I do ls | sed -e 's/^[ \t]*//' I can display the directories/files with all leading white space removed. My question is how can I use it to mv/rename all the files/dirs?

And the catch: there are some edge cases because the directories and files themselves contain whitespace in their names.

# ls
aaaaa
aaaa bbbb
aaaa bbbb cccc
aaaa bbb cccc dddd

I want the end result to be

# ls
aaaaa
aaaa bbbb
aaaa bbbb cccc
aaaa bbb cccc dddd

notice those 4 can either be a file or directory and I want it to be recursive.

My current script: syntax-wise, it must be the last file, and the name string cannot contain spaces except the leading space. That said, my script is not working. I tried echoing $Ori and it doesn't show the leading space zzzzz. When I do ls | sed -n "3p" in the terminal it does show. Even if $Ori had the leading space my script wouldn't work because I am doing mv aaaa bbbb cccc aaaa bbbb cccc, whereas the correct move command is mv \ \ \ \ aaaa\ bbbb\ cccc aaaa\ bbbb\ cccc. It seems the way I attack the problem just gives me more problems. I would appreciate it if anyone can show me an elegant way.

# Rename entries in the current directory, stripping leading blanks/tabs.
# Iterate over the names themselves instead of indexing into ls output
# (the listing shifts after every mv), and quote each expansion so names
# containing spaces survive word splitting.
for Ori in *; do
    New=$(printf '%s\n' "$Ori" | sed -e 's/^[ \t]*//')
    [ "$Ori" = "$New" ] && continue
    mv -- "$Ori" "$New"
done
submitted by /u/juniorsysadmin1
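A recursive version of the rename the post above asks for, added here as an example (not the poster's script): it walks the tree with find -depth and NUL-separated names so entries containing spaces or newlines are handled, renames children before their parent directory, and refuses to overwrite an existing entry whose name equals the stripped result.

```shell
#!/bin/bash
# Recursively strip leading blanks and tabs from file and directory names.
# Added example, not the poster's script. find -depth visits the contents of
# a directory before the directory itself, so a renamed parent never breaks
# the path of a child that is still to be visited; -print0 / read -d '' keep
# names with embedded spaces or newlines intact.

strip_leading_ws() {
    # $1: directory to process (its own name is left alone)
    local root=$1 path dir base new
    find "$root" -mindepth 1 -depth -name '[[:space:]]*' -print0 |
    while IFS= read -r -d '' path; do
        dir=${path%/*}
        base=${path##*/}
        new=$base
        # drop one leading whitespace character at a time
        while [[ $new == [[:space:]]* ]]; do
            new=${new#[[:space:]]}
        done
        if [[ -z $new ]]; then
            echo "skip (name is only whitespace): $path" >&2
            continue
        fi
        if [[ -e $dir/$new ]]; then
            # never clobber an existing entry that already has the stripped name
            echo "skip (target exists): $dir/$new" >&2
            continue
        fi
        mv -- "$path" "$dir/$new"
    done
}

# Usage: strip_leading_ws /path/to/top   (dry-run first by replacing mv with echo)
```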

Can anyone help me setting reverse proxy with pound


Hello guys, I want to set up a really simple reverse proxy in my local LAN and I asked around, and it appears that pound is a good choice.

Anyway, I downloaded it on my server and tried to start simple at first with these simple configs, and then changed the hosts file on my computer and added

192.168.1.4 www.sonarrme.com 

My expectation was that when I type www.sonarrme.com it would point me to 192.168.1.4:8988, but that just didn't happen! It didn't open anything.

I'm still a newbie in this kind of thing, so please forgive my ignorance.

submitted by /u/7amza2

[Help] iptables + route, any help appreciated


Hi, I've been playing around with this problem for a while now and I've hit a wall, so I thought I'd ask for suggestions.

The following setup:

I have 2 routing tables: Table 1 normal internet, Table 2 openvpn.

Table2:
default via 10.56.10.5 dev tun0
172.18.0.0/16 dev br-0f4636039afc proto kernel scope link src 172.18.0.1
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.1

tun0 = ovpn, 172. = docker network, 192. = local network. To route the traffic via this table: from 172.18.0.2 lookup rt2

Now I would like to make it possible to connect to the docker container from outside (the internet). So I DNAT a port that hits my server:

DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001 to:172.18.0.2:9091

Now here is what I don't understand: While openvpn is not running, the connection works (the return packet from DNAT correctly gets routed via the default -internet- gateway). As soon as openvpn is running, the packet coming from outside will not even hit the docker container (although it gets forwarded from the host). What do I not understand here? Shouldn't the packet that gets DNATed to 172.18.0.2:9091 be routed via the default routing table and reach the container? As far as I understand it, the routing via the other table should not come into effect in that situation regardless.

Any help or pointers would be really appreciated.

//edit: I solved it via a second network interface. I am now masquerading all traffic through that second interface, so the container answers through another route.

submitted by /u/derdobs

Linux vulnerability information? How do you guys update?


Hello all! We're a small Ubuntu shop and the majority of our servers are single-purpose machines which need updates. So far I automatically install security updates across the board, but what about packages? For my Windows infrastructure we auto-approve security updates and we test critical updates on a batch of testing workstations before deployment down the line. However, being fairly new to Linux administration I'm not too sure how to go about this. Also, is there a site/email notification system that tells the latest vulnerabilities for Linux? I'm subscribed to ICS-CERT, which has been very helpful, but I was wondering if there was something similar for Linux distros. Any input is greatly appreciated! Thank you all for your time!

submitted by /u/iGoogle2

[Salt]Firewalld with watch command won't start services.

public:
  firewalld.present:
    - services:
      - ftp
      - nfs
      - https
      - http
      - dns
      - dhcp
      - mountd
      - rpc-bind
      - tftp

firewalld:
  service.running:
    - enable: True
    - reload: True
    - watch:
      - firewalld: public

On the salt minion I turn off the firewalld service and run state.apply; it gives me the following error.

[ERROR ] Command '/bin/firewall-cmd --get-zones' failed with return code: 252
[ERROR ] stdout: FirewallD is not running
[ERROR ] retcode: 252
[ERROR ] Error: firewall-cmd failed: FirewallD is not running

Why is that? I already defined that the service needs to be running. So I tried to trim down my config, and if I delete the watch statement, it will start up by itself, but then it won't reload when I make any changes.

submitted by /u/juniorsysadmin1

Thinking about changing careers. Where to start?


Hi

I am currently a cook and although I like cooking the pay and hours are quite harsh.

I recently built my own computer and "re-ignited" my passion for computers. I stumbled upon this subreddit, and being a Linux admin seems like a good idea.

So far it seems like learning from linuxfoundation.org and then getting the red hat certification is one way. My question is am I right?

Thanks in advance everyone!

Edit: If it matters I currently live in Toronto, Canada

submitted by /u/brianleepy

How do you automate pxelinux boot via puppet/chef?


So I am trying to create a pxelinux puppet/salt module, but I am at a dead end. I automated almost everything: the pxelinux.cfg/default, firewall rules, the images via NFS. However, there's this one thing I cannot automate: copying what's in /usr/share/syslinux/* to /var/lib/tftpboot/. I can't simply put the cp -R command in puppet/salt because every time I do that I need to run restorecon -Rv /var/lib/tftpboot/. How do you guys do it?

submitted by /u/juniorsysadmin1

OpenVPN(client) on Red hat 7


Hi, is it possible to install OpenVPN (client) on RHEL 7? So far I've had zero luck. Can't install via yum or the rpm packages from the website.

submitted by /u/biskopfalk

[Help] LigHTTPd: Setup FastCGI (python) to properly handle http => https redirects


I'm coming from r/linuxquestions, so I'm copy-pasting everything I wrote there, as they told me you might be able to help me:

I want to force every http request to be redirected over https. I'm trying to follow lighttpd guides, but the use of python with fastcgi is making everything more difficult.

This is my 10-fastcgi.conf:

server.modules += ( "mod_fastcgi" )
server.modules += ( "mod_rewrite" )

fastcgi.server = (
    "/run.py" => ((
        "socket" => "/tmp/fastcgi.socket",
        "bin-path" => "/home/pi/thermostat/run.py",
        "max-procs" => 1,
        "bin-environment" => ( "REAL_SCRIPT_NAME" => "" ),
        "check-local" => "disable"
    ))
)

url.rewrite-once = (
    "^/favicon.ico$" => "/static/favicon.ico",
    "^/static/(.*)$" => "/static/$1",
    "^/(.*)$" => "/run.py/$1",
)

This is my lighttpd.conf:

server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
#   "mod_rewrite",
)

server.document-root = "/home/pi/thermostat/"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
fastcgi.debug=1

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block relative to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0")
    }
}

As you see in the last lines of lighttpd.conf I have url.redirect, which takes care of redirecting to HTTPS. The official documentation suggests using https://%0$0, but in this way I'm always redirected to https://myserver/run.py/page, which leads to a 404. So I removed the $0, but now every page on http is redirected to the homepage, e.g.:

  • http://myserver/ => https://myserver/
  • http://myserver/stat => https://myserver/

I think I should change something in the fastcgi config, but I'm not sure what to change. I tried removing /run.py from the url.rewrite-once rule, but it's not working.

submitted by /u/Kwbmm

Need help on configuring SSHD single sign on


I'm trying to configure single sign-on for SSHD using SSSD on an Active Directory domain, but it does not appear to be working. When I ssh into the same server it prompts for a password login, although as far as I can tell everything is configured correctly. The system appears to have all the Kerberos tickets it needs:

[root@DeskTest2 ]# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/desktest2.ad.domain.com@AD.domain.COM (des-cbc-crc)
   2 host/desktest2.ad.domain.com@AD.domain.COM (des-cbc-md5)
   2 host/desktest2.ad.domain.com@AD.domain.COM (aes128-cts-hmac-sha1-96)
   2 host/desktest2.ad.domain.com@AD.domain.COM (aes256-cts-hmac-sha1-96)
   2 host/desktest2.ad.domain.com@AD.domain.COM (arcfour-hmac)
   2 host/DESKTEST2@AD.domain.COM (des-cbc-crc)
   2 host/DESKTEST2@AD.domain.COM (des-cbc-md5)
   2 host/DESKTEST2@AD.domain.COM (aes128-cts-hmac-sha1-96)
   2 host/DESKTEST2@AD.domain.COM (aes256-cts-hmac-sha1-96)
   2 host/DESKTEST2@AD.domain.COM (arcfour-hmac)
   2 DESKTEST2$@AD.domain.COM (des-cbc-crc)
   2 DESKTEST2$@AD.domain.COM (des-cbc-md5)
   2 DESKTEST2$@AD.domain.COM (aes128-cts-hmac-sha1-96)
   2 DESKTEST2$@AD.domain.COM (aes256-cts-hmac-sha1-96)
   2 DESKTEST2$@AD.domain.COM (arcfour-hmac)

[user@ad.domain.com@DeskTest2 ~]$ klist
Ticket cache: KEYRING:persistent:1328401110:krb_ccache_8qaV38N
Default principal: user@AD.domain.COM

Valid starting       Expires              Service principal
10/16/2016 13:56:23  10/16/2016 23:56:23  krbtgt/AD.domain.COM@AD.domain.COM
        renew until 10/23/2016 13:56:23

sshd_config, as changed from the default CentOS 7 config:

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
#GSSAPIEnablek5users no

Example ssh login:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password

The user supports Kerberos AES 256-bit within Active Directory, and DESKTEST2 is configured to allow delegation to any service (Kerberos only) within Active Directory. Let me know if you need any additional information.

submitted by /u/ownsyouall
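A check script for the keytab side of the setup above, added here as an example (not the poster's configuration): it verifies that host/<fqdn>@<REALM> is present with an AES key, the principal the client's gssapi-with-mic attempt will ask for, and reports the single-DES and RC4 entries that appear in the listing. The sample listing inside it is constructed from the post's klist output, and the FQDN and realm arguments are assumptions to replace with hostname -f and your own realm.

```shell
#!/bin/bash
# Check a host keytab listing for what sshd's GSSAPI acceptor needs and flag
# weak encryption types. Added example, not from the original post.
# Assumptions: the client requests host/<fqdn>@<REALM> where <fqdn> is the
# name it resolved for the server, and sshd must hold an AES key for that
# principal. Single-DES and RC4 (arcfour-hmac) keys are reported as weak.
# SAMPLE_KEYTAB is a constructed excerpt in "klist -ke" format, modelled on
# the post; it is not copied from a real host.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/desktest2.ad.domain.com@AD.domain.COM (des-cbc-crc)
   2 host/desktest2.ad.domain.com@AD.domain.COM (des-cbc-md5)
   2 host/desktest2.ad.domain.com@AD.domain.COM (aes128-cts-hmac-sha1-96)
   2 host/desktest2.ad.domain.com@AD.domain.COM (aes256-cts-hmac-sha1-96)
   2 host/desktest2.ad.domain.com@AD.domain.COM (arcfour-hmac)
   2 DESKTEST2$@AD.domain.COM (aes256-cts-hmac-sha1-96)'

keytab_has_host_principal() {
    # $1: klist -ke output, $2: server FQDN, $3: realm.
    # 0 when host/<fqdn>@<realm> is present with an AES key, 1 otherwise.
    local listing=$1 fqdn=$2 realm=$3 enc
    for enc in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
        if printf '%s\n' "$listing" | grep -qF -- "host/$fqdn@$realm ($enc)"; then
            return 0
        fi
    done
    return 1
}

weak_enctypes() {
    # Prints the distinct weak enctypes found in the listing, space separated
    # (empty when none). Always returns 0; keytab_check gives the verdict.
    local found
    found=$(printf '%s\n' "$1" \
            | grep -oE '\((des-cbc-[a-z0-9]+|arcfour-hmac)\)' \
            | tr -d '()' | sort -u | tr '\n' ' ')
    printf '%s\n' "${found% }"
}

keytab_check() {
    # $1: listing, $2: FQDN, $3: realm. Returns 0 only when the host
    # principal has an AES key and no weak enctypes are present.
    local status=0 weak
    if keytab_has_host_principal "$1" "$2" "$3"; then
        echo "ok: host/$2@$3 has an AES key"
    else
        echo "missing: host/$2@$3 with an AES enctype (compare hostname -f and DNS)"
        status=1
    fi
    weak=$(weak_enctypes "$1")
    if [ -n "$weak" ]; then
        echo "weak enctypes in keytab: $weak"
        status=1
    fi
    return "$status"
}

# Live use: keytab_check "$(klist -ke /etc/krb5.keytab)" "$(hostname -f)" AD.domain.COM
```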

4.3.11 "An Unexpected Network Error has occurred"


Hey All,

Okay so I am running the following;

glusterfs 3.7.16 built on Oct 11 2016 14:02:29

Samba Version 4.3.11-Ubuntu

Distributor ID: Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
Codename:       trusty

Previously I was on Gluster 3.7.11 but upgraded over the weekend. I was on Samba 4.1.6, and once Gluster was upgraded all my Windows clients started receiving "An Unexpected Network Error has occurred" when trying to copy from or onto the samba share.

I upgraded Samba to 4.3.11-Ubuntu but am still receiving the same issues. At first I wasn't able to access the share points after the upgrade, but after running 'apt-get install --reinstall libtevent0 libtalloc2' I can now access them, just not copy from or onto them.

Have increased logging on Samba but really the only consistent error I can find when trying to read/write a file is - http://paste.ubuntu.com/23336648/

Does anyone have a similar issue with this version of Samba? I mean even when I stop using samba-vfs-modules and just have a direct mountpoint I get the same issue. log.smbd - http://paste.ubuntu.com/23336705/

If anyone knows of a potential fix please let me know. If you'd like any more info just ask :)

Ryllise

submitted by /u/Ryllise

Why we care about long uptimes

Logstash to Graylog?


Is anyone having any luck using Logstash to input logs into Graylog?

I'm currently switching from ELK to Graylog in a POC environment. I have a central syslog server where all syslogs get aggregated. These syslogs were being input into an ES cluster using Logstash. Now that I'm switching to Graylog I thought I could just change the output on Logstash to gelf and set up the input in Graylog, but it doesn't seem to be working.

I'm reading lots of mixed reviews about Logstash with Graylog, but they're all a little dated (2015). Wondering if anyone is using Logstash to input logs into Graylog and if there are any tricks or tips to figuring this out?

Also, how about getting data into Graylog over SSL?

submitted by /u/kaydub88

VLANs on Linux Client OS


Dear all,

I'm relatively new to Linux, so please bear with me.

I'm setting up a test environment in VMware workstation on my laptop. I have a virtual pfSense router setup and want to use VLANs. I have this working well with an installation of Ubuntu Desktop. I can communicate with pfSense across the default LAN from the Ubuntu install. I have also setup a new VLAN in pfSense, associated it with the LAN default interface and given it the tag 100.

Obviously I don't have a switch between the virtual pfSense install and the Ubuntu VM so I need to configure a VLAN in Ubuntu. I have done this in network manager and associated it with eth0. This also works so I can now access pfSense on the IP on pfSense's default LAN interface, and also across the new VLAN gateway IP as well, great.

My question is, is this the 'typical' way to do this on Linux? I'm unsure what to do about the network configuration on eth0 in Ubuntu for the default LAN. Does that normally need to be on the same subnet as pfSense's default LAN in order to add additional VLAN interfaces, or can it just have any placeholder IP?

Probably a very stupid question but am just after a sanity check. I figure it does have to be on the same LAN subnet in order to send the VLAN traffic across it?

Hope this makes sense, it's only for development.

Thanks

submitted by /u/OmegaHarvest