Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Sudo access for AD groups on Ubuntu 16.04


I am new to doing this on 16.04 and have been unable to find documentation on how to correctly allow a domain group to have sudo access. The machine in question is fully up to date, and is joined to the domain via sssd.

Normally on CentOS 7 I would add something like:

%MYDOMAIN.COM\\admin-group ALL=(ALL) ALL 

to the sudoers file.

However this does not appear to work on Ubuntu 16.04, I just get "user is not in the sudoers file...".

I am able to log on with domain accounts, and I can restrict domain access down to specific groups - so this doesn't appear to be an issue with sssd looking up group membership - I'm led to think there has been some change in how the sudoers file is read.

Any advice or suggestions for further troubleshooting are much appreciated.

submitted by /u/Bardo_Pond
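An added example, not from the post: on a host joined with sssd, sudo only matches a group written exactly as NSS returns it, which with the usual realmd defaults (use_fully_qualified_names = True, and lower-cased names for the AD provider) is admin-group@mydomain.com rather than MYDOMAIN.COM\admin-group. The script below escapes the name as sudoers requires, builds the rule, and installs it as a drop-in that visudo has syntax-checked. The group name, drop-in name and the ALL=(ALL) ALL rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post): build a sudoers entry for a directory
# group using the group name exactly as NSS/sssd reports it, then install it
# as a drop-in that is syntax-checked by visudo before it can take effect.

# Escape a group name for use after '%' in sudoers: backslashes and spaces
# must be backslash-escaped ("domain admins@ad.example.com" is common).
sudoers_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# Produce the full sudoers line for a group. The rule itself (unrestricted
# sudo, password required) is an assumed example policy.
sudoers_group_entry() {
    printf '%%%s ALL=(ALL) ALL\n' "$(sudoers_escape "$1")"
}

# Show how the group is actually named on this host. sssd with
# use_fully_qualified_names = True (the realmd default) returns
# "group@domain"; with the AD provider names are lower-cased by default.
# The sudoers entry must match this string exactly.
show_group_as_seen_by_nss() {
    getent group "$1" || printf 'group %s not visible via NSS (check sssd)\n' "$1" >&2
}

# Write a drop-in under /etc/sudoers.d to a temp file, validate it with
# visudo, and only then move it into place with root-only permissions.
install_sudoers_dropin() {
    name=$1; group=$2
    tmp=$(mktemp) || return 1
    sudoers_group_entry "$group" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
        rm -f "$tmp"
    else
        echo "refusing to install broken sudoers fragment: $tmp" >&2
        return 1
    fi
}

# Usage on a joined host (as root; names are assumptions):
#   show_group_as_seen_by_nss 'admin-group@mydomain.com'
#   install_sudoers_dropin ad-admins 'admin-group@mydomain.com'
#   sudo -l -U someuser@mydomain.com      # confirm the rule applies
sudoers_group_entry 'admin-group@mydomain.com'
sudoers_group_entry 'MYDOMAIN.COM\domain admins'
```

Run id someuser@mydomain.com first: if the group does not appear in that output no sudoers line can match it, and the fix is on the sssd side (group nesting depth, a stale cache cleared with sss_cache -G, or the qualified-name setting) rather than in sudo.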

Mount extra hdd partition into existing folder on VPS


I have a VPS and needed some extra storage space.

Ordered an extra virtual hdd and just created a partition with fdisk and did mkfs.ext4, so now I have this hard drive ready to mount.

The VPS runs as a webserver, and I need the extra space for uploaded files. Currently the files are being stored in /var/www/html/files. There's already a bunch of files there but the main hard drive is getting full.

Now let's see if I understand it correctly,

Can I mount this new partition to the same folder (mount /dev/dvb1 /var/www/html/files) ?

If I do, the new files will go onto the new disk. Right? What happens to the previously stored files? Do they just stay stored in the same folder but on the previous disk if I unmount the partition?

If it doesn't work like this, how can I use this extra partition to increase my storage for such files?

Thx for the help.

submitted by /u/homem_do_leme
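An added example, not from the post (the device /dev/vdb1, the UUID and the paths are assumptions). Mounting a filesystem over a directory that already holds files hides those files rather than merging them: they stay on the old disk, unreachable while the mount is in place and visible again after umount. The script migrates the directory onto the new partition first, then mounts it with options suited to a directory that anyone on the internet can write to.

```shell
#!/bin/sh
# Added example (not from the post). Moves an existing upload directory onto
# a newly formatted partition without losing the files already there, and
# mounts it with options that stop uploaded files from being executed.
# Assumed names: /dev/vdb1 and /var/www/html/files (adjust to your VPS).
set -eu

# Build the fstab line. Using the filesystem UUID instead of /dev/vdX
# survives device renumbering when virtual disks are added or removed.
# nodev,nosuid,noexec: a web upload directory must never contain device
# nodes, setuid binaries, or anything the kernel will execute directly.
fstab_entry() {
    uuid=$1; mountpoint=$2
    printf 'UUID=%s %s ext4 defaults,nodev,nosuid,noexec 0 2\n' "$uuid" "$mountpoint"
}

# Migrate: mount the new filesystem somewhere else first, copy with
# ownership and permissions preserved, verify, then mount it over the
# real path. Files on the old disk remain in place underneath the
# mount (hidden, still using space) until you delete them.
migrate_dir() {
    dev=$1; target=$2; staging=/mnt/newfiles
    uuid=$(blkid -s UUID -o value "$dev")
    [ -n "$uuid" ] || { echo "no filesystem UUID on $dev" >&2; return 1; }
    mkdir -p "$staging"
    mount "$dev" "$staging"
    # -a preserves owner/mode/timestamps, -H hard links, -A ACLs, -X extended
    # attributes (SELinux labels); --delete makes a re-run idempotent.
    rsync -aHAX --delete "$target"/ "$staging"/
    diff -rq "$target" "$staging"        # aborts (set -e) if the copies differ
    umount "$staging"
    fstab_entry "$uuid" "$target" >> /etc/fstab
    mount "$target"                      # exercises the fstab entry just added
    findmnt -no OPTIONS "$target" | grep -q noexec \
        || { echo "mount options not applied" >&2; return 1; }
    echo "migrated; reclaim old space later with: umount $target && rm -rf $target/* && mount $target"
}

# Usage (as root, with the web server stopped so no upload lands mid-copy):
#   migrate_dir /dev/vdb1 /var/www/html/files
# Constructed UUID, for illustration only:
fstab_entry 12345678-abcd-4ef0-9abc-0123456789ab /var/www/html/files
```

noexec stops the kernel from executing anything uploaded there directly; it does not stop PHP from including a .php file that lands in that directory, so the web server configuration still has to refuse to run scripts from the upload path.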

Help finding swap files that are inactive


Hi linuxadmin,

I support a client that has had some serious issues with swap space. Some of the previous admins have left unused swap files all over their systems that are not in use and eating up space. The locations vary painfully.

I'm trying to find a quick and dirty method of finding swap files that are not currently in the swap pool.

Here's an example from my local system. I create a swap file but then DO NOT use swapon to activate it.

    UBUNTU:/$ sudo dd if=/dev/zero of=/swapfile bs=1024 count=1048576
    1048576+0 records in
    1048576+0 records out
    1073741824 bytes (1.1 GB, 1.0 GiB) copied, 3.93316 s, 273 MB/s
    UBUNTU:/$ sudo chown root:root /swapfile
    UBUNTU:/$ sudo chmod 0600 /swapfile
    UBUNTU:/$ sudo mkswap /swapfile
    Setting up swapspace version 1, size = 1024 MiB (1073737728 bytes)
    no label, UUID=bc9a3e9a-5af5-4452-bdf5-894d4e5ffc67
    UBUNTU:/$ swapon -s
    Filename                                Type            Size    Used    Priority
    /dev/dm-1                               partition       8269820 70640   -1
    UBUNTU:/$ cat /proc/swaps
    Filename                                Type            Size    Used    Priority
    /dev/dm-1                               partition       8269820 70640   -1

If I didn't know that /swapfile was a swapfile, how would I go about finding it efficiently? It's not showing up in /proc/swaps because it's not active.

Any advice on this would be greatly appreciated.

submitted by /u/Algorisms
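An added example, not from the post: a scanner that recognises swap files by the signature mkswap writes into the first page rather than by name or location, and drops the ones /proc/swaps reports as active. The page-size offset assumes 4 KiB pages; the loop in the usage comment is an assumption about how you would drive it.

```shell
#!/bin/sh
# Added example (not from the post): find swap files that exist on disk but
# are not in the active swap pool. mkswap writes the magic string
# "SWAPSPACE2" at the end of the first page (byte offset 4086 on 4 KiB
# page systems), so a file can be recognised without knowing its name.

SWAP_MAGIC_OFFSET=4086   # 4096 - 10; adjust on systems with larger pages

# Success if the file carries the swap signature.
is_swap_file() {
    [ "$(dd if="$1" bs=1 skip="$SWAP_MAGIC_OFFSET" count=10 2>/dev/null)" = SWAPSPACE2 ]
}

# Success if the path is currently swapped on (listed in /proc/swaps).
is_active_swap() {
    [ -r /proc/swaps ] && awk 'NR > 1 { print $1 }' /proc/swaps | grep -qx "$1"
}

# Walk one filesystem (-xdev: do not cross mount points, so /proc, /sys
# and network mounts are skipped) and print inactive swap files with size.
# Only regular files larger than a page are worth testing.
find_inactive_swap() {
    find "$1" -xdev -type f -size +4k 2>/dev/null | while read -r f; do
        if is_swap_file "$f" && ! is_active_swap "$f"; then
            printf '%s\t%s\n' "$(du -h "$f" | cut -f1)" "$f"
        fi
    done
}

# Usage: run once per local filesystem as root, e.g.
#   for m in $(findmnt -rno TARGET -t ext4,xfs,btrfs); do find_inactive_swap "$m"; done
# Before deleting anything, grep /etc/fstab for 'swap' lines that still
# reference the file, or the next boot will fail to activate it.
```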

Need help killing endlessly respawning process


We use a ruby service called tasseo that pulls data from graphite and displays some pretty graphs. It's the most resilient process I've ever come across. The documentation says to stop it with ctrl+C, but that's not an option for us since we call it with '&'.

There's a master process running under root that starts with "su - tasseo" and calls the wrapper script, the child process running as tasseo, and a child of the tasseo process:

  • root .......... su - tasseo -c <wrapper-script/command>
  • tasseo ....... -bash -c <wrapper-script/command>
  • tasseo ....... ruby1.9 <actual-process>

Here's what I've tried:

  • The bin file that starts it doesn't accept 'stop', nor does the one shown in the running process.
  • pgrep -f tasseo | xargs kill -9 doesn't do shit, kill -SIGINT doesn't either.
  • I even attached the process to a FIFO pipe and echo'd the SIGTERM signal to it - but it still lives.

When I check the parent-process of the master PID I end up at 1: /sbin/init. If I kill the master process it immediately respawns along with more child processes.

What's going on, and how can I kill this thing?!

submitted by /u/Glitchsky

Selinux modules on salt


Reading this

Copying the example and running salt-call state.apply gave me the following error. I am trying to do the equivalent of semanage permissive -a httpd_t using the salt selinux module.

 Warnings: 'disabled' is an invalid keyword argument for 'selinux.module'. If you were trying to pass additional data to be used in a template context, please populate 'context' with 'key: value' pairs. Your approach will work until Salt Carbon is out. Please update your state files. 
submitted by /u/juniorsysadmin1

NIC Teaming with LACP on CentOS 7


I've been driving myself crazy trying to get LACP NIC teaming working on a CentOS 7 / RHEL 7 system for the past week or two. I cannot figure out what's going on here. My ifcfg files follow this method: Creating a Network Team Using ifcfg Files

Any ideas? We're connecting to a Cisco switch. The config switch-side is so dead simple that I'm fairly certain the issue is on the system. Anyone have any idea at all?

Team Interface: /etc/sysconfig/network-scripts/ifcfg-team2

    DEVICE=team2
    DEVICETYPE=Team
    ONBOOT=yes
    BOOTPROTO=none
    IPADDR=192.168.80.94
    NETMASK=255.255.255.0
    GATEWAY=192.168.80.1
    DNS1=192.168.10.100
    DOMAIN="volant.local"
    TEAM_CONFIG='{"runner": {"name": "lacp", "active": true, "fast_rate": true, "tx_hash": ["eth", "ipv4"]}, "link_watch": {"name": "ethtool"}}'

Slave Intf 1: /etc/sysconfig/network-scripts/ifcfg-ens5f0

    DEVICE=ens5f0
    ONBOOT=yes
    IPV6INIT=no
    HWADDR="00:0f:53:3b:76:10"
    NAME=ens5f0
    TYPE=TeamPort
    TEAM_MASTER=team2
    TEAM_PORT_CONFIG='{"prio": 100}'

Slave Intf 2: /etc/sysconfig/network-scripts/ifcfg-ens5f1d1

    DEVICE=ens5f1d1
    ONBOOT=yes
    IPV6INIT=no
    HWADDR="00:0f:53:3b:76:11"
    NAME=ens5f1d1
    TYPE=TeamPort
    TEAM_MASTER=team2
    TEAM_PORT_CONFIG='{"prio": 100}'

submitted by /u/hx219

Need help with iptables and conntrack helpers


Hello.

Could someone explain to me or maybe give a link to a nice guide about how to work with conntrack helpers?

I'm trying to use nf_conntrack_sip, but RTP ports don't open when they are needed.

I'm trying something like this:

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m helper --helper sip -m comment --comment "allow sip" -j ACCEPT
submitted by /u/banderlog33
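An added example, not from the post. Since Linux 4.7 the kernel no longer attaches conntrack helpers to flows automatically (net.netfilter.nf_conntrack_helper defaults to 0), so a filter rule that matches -m helper --helper sip never sees a helper on the first packet and the RTP flows the SDP announces never become RELATED. The supported way is to assign the helper explicitly in the raw table with the CT target, which also keeps the automatic mode off: with it on, any peer that can reach a port some helper is bound to can get pinholes opened. The ruleset assumes the SIP endpoint is this host on 5060/udp.

```shell
#!/bin/sh
# Added example (not from the post): iptables rules that attach the SIP
# conntrack helper explicitly (raw table, CT target) so RTP flows show up
# as RELATED, plus the checks that tell you whether the helper is working.
# Assumed: the SIP host is this machine, listening on 5060/udp.

# Emit the ruleset in iptables-restore format. The only new piece compared
# to a plain stateful firewall is the raw-table CT rule.
sip_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the SIP helper to signalling flows before conntrack classifies them.
-A PREROUTING -p udp --dport 5060 -j CT --helper sip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# RTP/RTCP pinholes opened by the SIP helper arrive as RELATED. Limiting
# RELATED to the sip helper stops other helpers from opening ports here.
-A INPUT -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
-A INPUT -p udp --dport 5060 -m conntrack --ctstate NEW -m comment --comment "allow sip" -j ACCEPT
COMMIT
EOF
}

# Load the module and apply. Automatic helper assignment stays off.
apply_sip_ruleset() {
    modprobe nf_conntrack_sip
    sysctl -w net.netfilter.nf_conntrack_helper=0
    sip_ruleset | iptables-restore
}

# Verify while a call is up: the signalling entry should name the helper
# and expectations should exist for the media ports taken from the SDP.
check_sip_helper() {
    conntrack -L -p udp --dport 5060 | grep helper=sip || echo "no helper attached to 5060/udp flows"
    conntrack -L expect
}

# Usage (root): apply_sip_ruleset; place a call; check_sip_helper
# If media is relayed through a proxy rather than flowing directly between
# the endpoints named in the SDP, look at the nf_conntrack_sip module
# parameter sip_direct_media.
sip_ruleset
```

The original rule's -m helper match on the NEW packet is the part that cannot work without the raw-table assignment; the RELATED,ESTABLISHED accept it already has is what lets the RTP through once the helper is attached.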

[Salt] requisites were not found


I am trying to watch a directory for changes; posts from Stack Overflow and elsewhere say I can use a glob and do watch.file: /var/www/html/*, but it's giving me an error.

    httpd.ppma:
      service.running:
        - name: httpd
        - enable: True
        - reload: True
        - watch:
          - file: /var/www/html/*
          - pkg: httpd

    ensure_mariadb:
      service.running:
        - name: mariadb
        - enable: True
        - reload: True

    ppma_install:
      pkg.latest:
        - pkgs:
          - ppma

              ID: httpd.ppma
        Function: service.running
            Name: httpd
          Result: False
         Comment: The following requisites were not found:
                      watch:
                         file: /var/www/html/*
                         pkg: httpd
         Started:
        Duration:
         Changes:
submitted by /u/juniorsysadmin1

Apache + nginx + varnish config question


So I recently went for a technical interview where part of the exercise was based around debugging a misconfigured web server stack. I didn't get that position but I thought it would be useful to try and set up an equivalent stack from scratch as a study exercise. I have got part way and am a little confused. Can anyone advise?

Desired setup:

WordPress on Apache with nginx reverse proxy and Varnish caching in front. The idea is that this will give a more resilient server stack than vanilla WP/Apache.

Platform:

Ubuntu 16.10 server iso install (in kvm)

Where I have got to:

I have been (loosely) following the guides here and here

I have done repo installs of:

  • Apache
  • PHP
  • MariaDB
  • Nginx

I have done a manual install of Wordpress (download official zip file) after giving up in despair at the idiotic default Ubuntu packaged version

At the moment Varnish is not installed.

What is happening:

I have got Wordpress running in Apache on port 8080. If I attempt to access the server on port 80 (nginx) from another machine on the LAN then I get the wordpress site BUT on port 8080 - the port is visible in the browser address bar in Chrome. It appears that nginx is just redirecting to Apache and then everything is being served directly from there. Obviously if I set Apache to ignore remote connections then I just get a 404.

What I want to happen:

It should not be immediately obvious to clients that the site is being proxied and certainly they should not be redirected to another port

May be relevant:

I originally set up WordPress and dependencies with Apache on port 80 and then moved to 8080 (which was surprisingly complicated).

Thanks

Edit:

Apologies, I forgot to link the guides I had been following:

How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 16.04

How To Install WordPress with LAMP on Ubuntu 16.04

How to fix: WordPress not opening on localhost:8080 after port change from 80 to 8080 (HTTP 404 Not Found error)

How To Configure Nginx as a Reverse Proxy for Apache

submitted by /u/RoadBump2016
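An added example, not from the post (example.com, the paths and the header samples in the usage notes are assumptions). Apache builds its redirect URLs from the port it is listening on, so with Apache on 8080 behind nginx every redirect it issues (a missing trailing slash, a wp-admin login bounce) carries :8080 unless nginx rewrites the Location header on the way back. The nginx block below does that, passes the public Host name through, and strips the headers that identify the backend; the audit function checks a captured response for the leaks.

```shell
#!/bin/sh
# Added example (not from the post): an nginx server block that proxies to
# Apache on 127.0.0.1:8080 without leaking the backend port or identity,
# and a check you can run against the headers a client actually receives.
# Assumed names: example.com, /etc/nginx/sites-available/example.com.

# Apache should only answer nginx. In /etc/apache2/ports.conf use
# 'Listen 127.0.0.1:8080' (not 'Listen 8080') so the backend is not
# reachable from the LAN at all; a direct request to :8080 then fails
# because nothing listens there, not because of a firewall rule.
nginx_site_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host so Apache/WordPress build URLs for the
        # public name, and keep the client address for logging.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite Location headers Apache generates with its own port.
        proxy_redirect http://$host:8080/ http://$host/;
        proxy_redirect http://127.0.0.1:8080/ http://$host/;
        # Hide what the backend says about itself.
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
    }
}
EOF
}

# Read raw response headers from stdin (e.g. 'curl -sI http://example.com/wp-admin')
# and report anything that gives the proxied backend away.
# Exit status 1 if a problem was found.
audit_headers() {
    problems=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [Ll]ocation:*:8080*)     echo "backend port leaked: $line"; problems=1 ;;
            [Ss]erver:*[Aa]pache*)   echo "backend server header leaked: $line"; problems=1 ;;
            [Xx]-[Pp]owered-[Bb]y:*) echo "stack disclosure: $line"; problems=1 ;;
        esac
    done
    return $problems
}

# Usage: nginx_site_conf > /etc/nginx/sites-available/example.com && nginx -t
#        curl -sI http://example.com/wp-admin | audit_headers
```

WordPress also stores its own address (siteurl and home in wp_options); if those still say :8080 from the port move, WordPress will generate :8080 links in page bodies that no proxy_redirect touches, so set them to the public URL as well.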

Foreman DNS Smart Proxy cannot create PTR record


I am trying to send an API request to a Foreman DNS smart proxy to create a PTR record

When I do, I get a return of 'Invalid reverse DNS 10.77.1.114' I am sending a POST request formatted as http://server:8000/dns/?fqdn=10.77.1.114&value=miq-ss14.example.com&type=PTR

From what I've seen in the API documentation, this is how to format the request. I can create A records just fine through this smart proxy. I am using a MS DNS server, I have tried dnscmd and gss-tsig providers

I can manually create A and PTR records, I can also use nsupdate with gss-tsig to manually create A and PTR records so I have ruled out permissions issues.

submitted by /u/itguy2

MYSQL memory usage


Question regarding mysql memory usage, namely I suspect that mysql eats more memory than is assigned to it. I've bolded the statements which I am using to calculate the overall memory which mysql can take.

    key_buffer_size = 192M
    max_allowed_packet = 1M
    sort_buffer_size = 2M
    read_buffer_size = 2M
    read_rnd_buffer_size = 8M
    myisam_sort_buffer_size = 64M
    query_cache_size = 32M
    innodb_buffer_pool_size = 1536M
    innodb_additional_mem_pool_size = 128M

    max_allowed_packet = 16M

    key_buffer_size = 256M
    sort_buffer_size = 256M
    read_buffer = 2M
    write_buffer = 2M

    ps -eo pid,pmem,vsz,rss,comm | sort -rnk2 | head
    13180 24.8 2436592 2044884 /opt/mysql/mysql/bin/mysqld

After restart RSS value looks good, I just want to be sure am I doing it right.

EDIT: Mysql version: 5.6.32.

submitted by /u/centosid

Ubuntu 16.10 review: Convergence is in a holding pattern; consistency’s here instead

Help with ChronyD


Hi guys,

I'm just doing some learning with my home lab and had some questions. I have a Fedora 23 VM called net1, which I'm trying to make an NTP server. I've decided to use Chrony. Here is my chrony.conf file on net1:

    pool 2.fedora.pool.ntp.org iburst
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    allow 10.0/16
    local stratum 10
    logdir /var/log/chrony
    log measurements statistics tracking

For my test environment so far, I'm trying to make another VM, called lindev (Fedora 24), sync its time with and only with net1. Here is the chrony.conf file on lindev:

    server net1
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    logdir /var/log/chrony
    log measurements statistics tracking

So, to summarize, net1 is the NTP server, and lindev is the NTP client.

I'm very new to this NTP stuff, but it appears as though net1 is successfully syncing its time from the pool:

    dave@net1 etc $ sudo chronyc sources
    210 Number of sources = 4
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^- ntp1.torix.ca                 2   6   177    37  -1870us[-1870us] +/-  527ms
    ^+ hydrogen.constant.com         2   6   177    37    +10ms[  +10ms] +/-   42ms
    ^+ 92.246.24.228                 1   6   177    36   -537us[ -537us] +/-   68ms
    ^* regar42.fr                    3   6   177    38    -10ms[  -11ms] +/-   64ms

Hmm. When I started typing this post, lindev kept showing net1 as "unreachable", but it seems as though it is now working:

    dave@lindev chrony $ sudo chronyc sources
    210 Number of sources = 5
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* net1                          3   6   377     3  +1698us[+3979us] +/-   45ms
    ^- cheezum.mattnordhoff.net      3   7   377    60  -4991us[-2910us] +/-  100ms
    ^- 207.196.240.30                3   7   377    62   -504us[+1570us] +/-  144ms
    ^- caprica.willglynn.com         2   7   377    61  -1743us[ +333us] +/-   59ms
    ^+ helium.constant.com           2   7   377    60   -281us[+1798us] +/-   31ms

So instead of wasting my time typing the above, my question now is: Where is chrony getting those other four servers from? (cheezum, caprica, etc.) They're not specified in my chrony.conf file, so it's very confusing to me.

Also, am I correct to assume that seeing the ^* next to one of the servers is sufficient evidence that the host is indeed syncing its time?

submitted by /u/fsudave87
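An added example, not from the post: two checks over the output of chronyc sources. The first prints the source chrony is actually synchronised to (the ^* line; ^+ sources are combined with it, ^- are usable but not selected, ^x failed the falseticker test, ^? are unreachable). The second lists sources that no server, pool or peer line in chrony.conf accounts for, which is the thing to settle before trusting the clock: chrony can also be handed sources at runtime (chronyc add server, which the NetworkManager dispatcher hook shipped with chrony on Fedora uses for NTP servers learned from DHCP), and whoever controls DHCP on that segment then has a say in your time, which Kerberos and certificate validation depend on. The sample data in the usage notes is constructed from the post's lindev output.

```shell
#!/bin/sh
# Added example (not from the post): check that a chrony client is actually
# synchronised to the source you configured and to nothing else, by parsing
# 'chronyc sources' and comparing it with the sources named in chrony.conf.

# The name of the source chrony is currently synchronised to ('^*').
selected_source() {
    awk '$1 == "^*" { print $2 }'
}

# Sources reported by chronyc that are not named by a server/pool/peer
# line in the config file given as $1. A non-empty list means chrony was
# given sources from somewhere else: an include/sourcedir directive, a
# runtime 'chronyc add server', or a dispatcher hook feeding it DHCP
# option 42 servers. The MS column starts with '^' (server), '=' (peer)
# or '#' (local reference clock); the first three lines are headers.
unconfigured_sources() {
    conf=$1
    configured=$(awk '$1 ~ /^(server|pool|peer)$/ { print $2 }' "$conf")
    awk 'NR > 3 && $1 ~ /^[=#^]/ { print $2 }' | while read -r src; do
        printf '%s\n' "$configured" | grep -qx "$src" || printf '%s\n' "$src"
    done
}

# Usage on the client:
#   chronyc sources | selected_source
#   chronyc sources | unconfigured_sources /etc/chrony.conf
#   grep -rl chronyc /etc/NetworkManager/dispatcher.d/   # runtime additions
# If the second command prints names, also confirm chronyd was restarted
# after chrony.conf was edited, since a running daemon keeps the sources
# it started with.
```

A ^* against net1 does mean lindev is steering its clock by net1, but only at that moment; the selection can move to another listed source on the next poll, so the unconfigured list is what decides whether the client is pinned to net1 alone.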

puppet to salt conversion troubles


Don't ask why I am moving from puppet to salt, it's complicated.

1) How can I do the following in salt?

  • have a params.pp that contains all the parameters
  • in the main config, inherit the parameters
  • Looping through the parameter and creating files accordingly

params.pp

    class test::params {
      if ($::fqdn == 'AAA') {
        $var = ['1111','2222']
        $ip_addr = '1.1.1.1'
      } elsif ($::fqdn == 'BBB') {
        $var = ['11111','22222','33333','44444']
        $ip_addr = '1.1.1.2'
      } else {
        $var = ['']
        $ip_addr = ''
      }
    }

config.pp

    class test::config inherits test::params {
      $var.each |String $int| {
        file { "/tmp/test-$int":
          owner   => 'root',
          group   => 'root',
          mode    => '644',
          ensure  => 'present',
          content => template("test/test-int.erb"),
        }
      }
    }

2) I still don't quite understand how to use pillar/top.sls to do my node classification. I'm very used to puppet roles and profiles. So let's take dokuwiki for example. I will have the following in puppet's site.pp.

    class base {
      include epel
      include test
      include sshd
      include backdoor_admin
    }
    class role {
      include base
    }
    class role::webserver inherits role {
      include lamp_stack
    }
    class role::dokuwiki inherits role::webserver {
      include dokuwiki
    }
    class role::ppma inherits role::webserver {
      include ppma
    }
    #ppma webserver
    node 'ppma.test-abc.com' {
      include role::ppma
    }
    #dokuwiki webserver
    node 'doku.test-abc.com' {
      include role::dokuwiki
    }

Whereas in salt I have to make several modifications in several different files, and it is still less powerful than roles and profiles.


top.sls

    base:
      '*':
        - epel
        - backdoor_admin
        - test
        - sshd
      'ppma.test-abc.com':
        - ppma
      'doku.test-abc.com':
        - dokuwiki
      webhost:
        - match: nodegroup
        - lamp_stack

in /etc/salt/master

    nodegroups:
      webhost: 'L@ppma.test-abc.com,doku.test-abc.com'

As things get more complex, I can use inheritance to keep up in puppet, whereas in salt it will only get messier and messier. Or, to be more precise, "the way I implement node classification in my salt environment" will become messier and messier.

submitted by /u/juniorsysadmin1

problem with lighttpd setup in raspberry pi 3


I am trying to set up a website on a Raspberry Pi 3, with Raspbian, lighttpd, and Flask.

My lighttpd.conf is

    server.document-root = "/var/www/html"
    server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
    server.errorlog = "/var/log/lighttpd/error.log"
    accesslog.filename = "/var/log/lighttpd/access.log"
    server.pid-file = "/var/run/lighttpd.pid"
    server.username = "www-data"
    server.groupname = "www-data"
    server.bind = "192.168.0.100"
    server.port = 80
    server.modules = (
        "mod_access",
        "mod_accesslog",
        "mod_alias",
        "mod_fastcgi",
        "mod_rewrite",
        "mod_auth"
    )
    index-file.names = ( "index.html", "index.lighttpd.html" )
    url.access-deny = ( "~", ".inc" )
    static-file.exclude-extensions = ( ".py", ".fcgi" )
    fastcgi.server = ( "/microblog" => ((
        "socket" => "/tmp/microblog-fcgi.sock",
        "bin-path" => "/var/www/html/microblog/microblog.fcgi",
        "check-local" => "disable",
        "max-procs" => 1
    )))

My flask application is in directory /home/pi/microblog with a symlink to /var/www/html/microblog

Access rights are user www-data, group www-data, mode 774.

I get the following message

This site can’t be reached 192.168.0.100 refused to connect.

What am I missing?

submitted by /u/linus_rules

I entered the wrong email address in my RHCSA exam yesterday, now I'm worried that my result will be lost/deleted.


I took the RHCSA yesterday and beforehand you had to enter your email address for the results to be sent to. I entered the one that I thought was linked to my Red Hat account, but forgot (probably through nerves) that I had actually used an alias within that account. Now I'm terrified that my result will be deleted or untraceable, especially as I'm certain I passed. Has anyone here done the same thing, or are there any Red Hat employees that can reassure me?

Edit: I already tried calling Red Hat both in the UK (where I am) and the USA, but of course they're all closed because it's the weekend.

submitted by /u/laurencear

FreeIPA round robin DNS?


I'm trying to set up a few DNS CNAME records to round robin but I'm not having any luck.

Basically I want to point to a record like graylog.example.com and have it round robin to graylog-1.example.com, graylog-2.example.com, graylog-3.example.com but I'm not seeing any way to add records this way.

Has anyone done this before? I'm seeing things online about SRV records being used instead of CNAMEs but not finding much else...

submitted by /u/kaydub88

My iptables config


I customized this iptables config for my personal server. I am running a TeamSpeak server, nginx webserver, OpenVPN server and SSH. Those are the only things I want outside connections to be allowed to. Is this configuration correct for that?

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  localhost.localdomain  anywhere
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysshport
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10011
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30033
    ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:9987
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.88.0/24      anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
submitted by /u/WanderingBonsaiTree
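An added example, not from the post: a small audit that reads iptables -S INPUT and reports what a reviewer would flag in a ruleset shaped like the one above (an ACCEPT default policy relying on a trailing REJECT, an administrative port accepted from any source, duplicated rules, no catch-all), followed by a replacement in iptables-restore format. Port numbers are taken from the post; 10011/tcp is TeamSpeak's ServerQuery interface, which takes a password and has no lockout of its own, so it is treated as admin-only. The VPN subnet 10.8.0.0/24, the OpenVPN port 1194 and SSH on 22 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit an iptables chain as printed by
# 'iptables -S <chain>' and emit a hardened replacement for the services
# the post lists. Assumptions: VPN subnet 10.8.0.0/24, OpenVPN on 1194/udp,
# SSH on 22/tcp; 10011/tcp (TeamSpeak ServerQuery) is treated as admin-only.

# Audit: reads 'iptables -S <chain>' (or an iptables-restore file) on stdin.
# $1 is a space-separated list of ports that are administrative and must
# carry a '-s' source restriction. Exit status = number of findings.
audit_chain() {
    admin_ports=${1:-"10011"}
    rules=$(cat)
    findings=0
    if printf '%s\n' "$rules" | grep -Eq '^(-P |:)(INPUT|FORWARD) ACCEPT'; then
        echo "default policy ACCEPT: a flushed or mis-ordered chain leaves everything open"
        findings=$((findings + 1))
    fi
    for port in $admin_ports; do
        if printf '%s\n' "$rules" | grep -- "--dport $port " | grep -v -- ' -s ' | grep -q -- '-j ACCEPT'; then
            echo "port $port accepted from any source; add -s <trusted-net> or bind the service to 127.0.0.1"
            findings=$((findings + 1))
        fi
    done
    dups=$(printf '%s\n' "$rules" | grep '^-A' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate rules (harmless, but a sign the chain is edited by hand):"
        printf '%s\n' "$dups"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -Eq -- '^-A [A-Z]+ -j (REJECT|DROP)'; then
        echo "no catch-all REJECT/DROP at the end of the chain"
        findings=$((findings + 1))
    fi
    return $findings
}

# Hardened replacement: default DROP, loopback and conntrack first, the
# public services once each, SSH rate-limited, ServerQuery only from the VPN.
hardened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 9987 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 30033 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 10011 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage (root):
#   iptables -S INPUT | audit_chain "10011"
#   hardened_ruleset > /etc/iptables/rules.v4 && iptables-restore --test /etc/iptables/rules.v4
```

The FORWARD rules above assume OpenVPN clients arrive on tun0; the post's 192.168.88.0/24 forward rule belongs there instead if that is the VPN subnet in use.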

What comes after ‘iptables’? Its successor, of course: `nftables`

using user's login pw for vncserver pw?


So I'm setting up vncserver; it's annoying that I need to manually run vncpasswd for each user in order for them to use VNC. I was wondering, is there a way I can use the user's login credentials for VNC? Be it from sssd, local, FreeIPA, or LDAP.

submitted by /u/juniorsysadmin1