From trilug at trilug.org Mon Aug 31 08:43:45 2015 From: trilug at trilug.org (Scott Chilcote via TriLUG) Date: Mon, 31 Aug 2015 08:43:45 -0400 Subject: [TriLUG] OT: Wired Gigabit Router Postscript, or Post Mortem... Message-ID: <55E44C01.1020406@ncrrbiz.com> Hello LUGers, The reason I was looking for a wired-only router in my earlier thread was to connect my home office computers to my employer’s VPN. The product I wound up purchasing was a Ubiquiti EdgeRouter Lite. Or “ERL”, as its dedicated, cult-like fan base refers to it. As it turns out, buying this router for such a purpose is like going to the hardware store for a stud finder, cracking off the shrink-wrap, and finding out that you have brought home the Starship Enterprise rev. A. You think about taking it back to the store, but then it occurs to you that within seconds of arriving in a solar system it can locate and scan all of the planets, tell you whether they have atmospheres, are inhabitable, and harbor civilizations. So really, it ought to be able to tell you where the snippets of metal behind your wallboard are hiding. Instead of comprehensive documentation, all you have is a 16 page Quick Start Guide. And it doesn’t even include the word “sensor”. But on the other hand, there's a website address… If advice like “The graphical configuration support is very much a work in progress, so most users get the job done using the command line interface” spark your sense of intrigue, this might be your ideal product. And if you really begin to salivate when you see that the software is a fork of the open source network operating system Vyatta 6.3, you /may/ have already waited too long. I’m three weeks into setting up this pint-sized 3 port obelisk, attempting to accomplish what I was able to do in five minutes with DD-WRT by filling out a handful of text fields and clicking "Apply Settings". 
I spend an hour or so a day wandering through the support forums on Ubiquiti’s website, waiting to see if one of the veteran users will be sufficiently bored enough to share a crumb or two of laboriously extracted knowledge. I should have taken the hint and sent it back in the original box when I found that the instructions for configuring a client VPN were not in the product specific manual (there isn’t one), and not in the 50 page PDF manual for the router’s operating system. I eventually found those in a wiki file on the company’s support pages, but it took Google keyword searches to ferret them out. But like John Cleese in Monty Python’s cheese shop sketch, “I am keen to guess!” So on it goes. Why settle for incremental progress when you can seek out new life, and new civilizations? Scott C. -- Scott Chilcote scottchilcote at ncrrbiz.com Cary, NC USA From trilug at trilug.org Mon Aug 31 08:49:07 2015 From: trilug at trilug.org (Mauricio Tavares via TriLUG) Date: Mon, 31 Aug 2015 08:49:07 -0400 Subject: [TriLUG] OT: Wired Gigabit Router Postscript, or Post Mortem... In-Reply-To: <55E44C01.1020406@ncrrbiz.com> References: <55E44C01.1020406@ncrrbiz.com> Message-ID: On Mon, Aug 31, 2015 at 8:43 AM, Scott Chilcote via TriLUG wrote: > Hello LUGers, > > The reason I was looking for a wired-only router in my earlier thread > was to connect my home office computers to my employer’s VPN. The > product I wound up purchasing was a Ubiquiti EdgeRouter Lite > . > Or “ERL”, as its dedicated, cult-like fan base refers to it. > > As it turns out, buying this router for such a purpose is like going to > the hardware store for a stud finder, cracking off the shrink-wrap, and > finding out that you have brought home the Starship Enterprise rev. A. 
> You think about taking it back to the store, but then it occurs to you > that within seconds of arriving in a solar system it can locate and scan > all of the planets, tell you whether they have atmospheres, are > inhabitable, and harbor civilizations. So really, it ought to be able > to tell you where the snippets of metal behind your wallboard are hiding. > > Instead of comprehensive documentation, all you have is a 16 page Quick > Start Guide. And it doesn’t even include the word “sensor”. But on the > other hand, there's a website address… > > If advice like “The graphical configuration support is very much a work > in progress, so most users get the job done using the command line > interface” Spark your sense of intrigue, this might be your ideal > product. And if you really begin to salivate when you see that the > software is a fork of the open source network operating system Vyatta > 6.3, you /may/ have already waited too long. > > I’m three weeks into setting up this pint-sized 3 port obelisk, > attempting to accomplish what I was able to do in five minutes with > DD-WRT by filling out a handful of text fields and clicking "Apply > Settings". I spend an hour or so a day wandering through the support > forums on Ubiquiti’s website, waiting to see if one of the veteran users > will be sufficiently bored enough to share a crumb or two of laboriously > extracted knowledge. > > I should have taken the hint and sent it back in the original box when I > found that the instructions for configuring a client VPN were not in the > product specific manual (there isn’t one), and not in the 50 page PDF > manual for the router’s operating system. I eventually found those in a > wiki file on the company’s support pages, but it took Google keyword > searches to ferret them out. > > But like John Cleese in Monty Python’s cheese shop sketch, “I am keen to > guess!” So on it goes. Why settle for incremental progress when you > can seek out new life, and new civilizations? 
> > Scott C. > Vyatta is pretty impressive. I think I still know an engineer there; haven't talked to her in a while. > -- > Scott Chilcote > scottchilcote at ncrrbiz.com > Cary, NC USA > > -- > This message was sent to: raubvogel at gmail.com > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/raubvogel%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Mon Aug 31 10:29:58 2015 From: trilug at trilug.org (Dewey Hylton via TriLUG) Date: Mon, 31 Aug 2015 10:29:58 -0400 (EDT) Subject: [TriLUG] OT: Wired Gigabit Router Postscript, or Post Mortem... In-Reply-To: <55E44C01.1020406@ncrrbiz.com> References: <55E44C01.1020406@ncrrbiz.com> Message-ID: <1272969501.12365.1441031398056.JavaMail.zimbra@hyltown.com> for what it's worth, this device is also able to run openbsd - which is how i'm using it. openbsd base pf/ipsec/ospf and such are working well for me. and of course the throughput is much better than with the alix board this replaced. i use Ubiquiti wireless products for site-to-site connectivity between buildings and some internal wifi as well; generally speaking, i think their software is pretty darned good. of course i've never seen the interface for the edgerouter lite - i purchased it with the sole intent of installing openbsd. ----- On Aug 31, 2015, at 8:43 AM, Triangle Linux Users Group General Discussion trilug at trilug.org wrote: Hello LUGers, The reason I was looking for a wired-only router in my earlier thread was to connect my home office computers to my employer’s VPN. The product I wound up purchasing was a Ubiquiti EdgeRouter Lite. Or “ERL”, as its dedicated, cult-like fan base refers to it. 
As it turns out, buying this router for such a purpose is like going to the hardware store for a stud finder, cracking off the shrink-wrap, and finding out that you have brought home the Starship Enterprise rev. A. You think about taking it back to the store, but then it occurs to you that within seconds of arriving in a solar system it can locate and scan all of the planets, tell you whether they have atmospheres, are inhabitable, and harbor civilizations. So really, it ought to be able to tell you where the snippets of metal behind your wallboard are hiding. Instead of comprehensive documentation, all you have is a 16 page Quick Start Guide. And it doesn’t even include the word “sensor”. But on the other hand, there's a website address… If advice like “The graphical configuration support is very much a work in progress, so most users get the job done using the command line interface” Spark your sense of intrigue, this might be your ideal product. And if you really begin to salivate when you see that the software is a fork of the open source network operating system Vyatta 6.3, you /may/ have already waited too long. I’m three weeks into setting up this pint-sized 3 port obelisk, attempting to accomplish what I was able to do in five minutes with DD-WRT by filling out a handful of text fields and clicking "Apply Settings". I spend an hour or so a day wandering through the support forums on Ubiquiti’s website, waiting to see if one of the veteran users will be sufficiently bored enough to share a crumb or two of laboriously extracted knowledge. I should have taken the hint and sent it back in the original box when I found that the instructions for configuring a client VPN were not in the product specific manual (there isn’t one), and not in the 50 page PDF manual for the router’s operating system. I eventually found those in a wiki file on the company’s support pages, but it took Google keyword searches to ferret them out. 
But like John Cleese in Monty Python’s cheese shop sketch, “I am keen to guess!” So on it goes. Why settle for incremental progress when you can seek out new life, and new civilizations? Scott C. -- Scott Chilcote scottchilcote at ncrrbiz.com Cary, NC USA -- This message was sent to: Dewey Hylton To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/plug%40hyltown.com Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Mon Aug 31 10:48:13 2015 From: trilug at trilug.org (Igor Partola via TriLUG) Date: Mon, 31 Aug 2015 10:48:13 -0400 Subject: [TriLUG] OT: Wired Gigabit Router Postscript, or Post Mortem... In-Reply-To: <1272969501.12365.1441031398056.JavaMail.zimbra@hyltown.com> References: <55E44C01.1020406@ncrrbiz.com> <1272969501.12365.1441031398056.JavaMail.zimbra@hyltown.com> Message-ID: From what I've read, OpenBSD on ERL does not support hardware acceleration of the network stack, so you won't get the same performance as with the original OS. Having said that, I am happy with my TP-Link running OpenWRT. Igor From trilug at trilug.org Mon Aug 31 14:58:00 2015 From: trilug at trilug.org (Grawburg via TriLUG) Date: Mon, 31 Aug 2015 14:58:00 -0400 Subject: [TriLUG] HDD may be failing Message-ID: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> I've had several crashes on my system and the Disk Utility warns of bad sectors, Reallocated Sector Count, and warns of a possible disk failure. I'm running Debian 7 64-bit. I'm going out today to buy a new drive but wonder what's the best way to transfer everything to it? The current drive is a 1TB but I have 340 GB unallocated. If I use Clonezilla can I write directly to the new drive? I'm guessing it will take quite a while. 
Thanks, Brian Grawburg Wilson From trilug at trilug.org Mon Aug 31 15:11:50 2015 From: trilug at trilug.org (Igor Partola via TriLUG) Date: Mon, 31 Aug 2015 15:11:50 -0400 Subject: [TriLUG] HDD may be failing In-Reply-To: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> References: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> Message-ID: I would use dd: https://wiki.archlinux.org/index.php/Disk_cloning Get a drive that's larger than 1 TB, copy everything then use your filesystem's utility of choice to resize it to fit the entire drive. Igor From trilug at trilug.org Mon Aug 31 15:16:53 2015 From: trilug at trilug.org (Sean Korb via TriLUG) Date: Mon, 31 Aug 2015 15:16:53 -0400 Subject: [TriLUG] HDD may be failing In-Reply-To: References: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> Message-ID: dd could be tricky if you have a different hard drive geometry... you could maybe dd to an iso and mount the iso for a good stable copy. I used rsync and some dry ice last time. It worked pretty good but definitely use the --dry-run option if you can first. It's a great program which uses multiple streams for efficiency and you can get into trouble in a hurry. sean On Mon, Aug 31, 2015 at 3:11 PM, Igor Partola via TriLUG wrote: > I would use dd: > > https://wiki.archlinux.org/index.php/Disk_cloning > > Get a drive that's larger than 1 TB, copy everything then use your > filesystem's utility of choice to resize it to fit the entire drive. > > Igor > -- > This message was sent to: Sean Korb > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. 
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/spkorb%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome > -- Sean Korb spkorb at spkorb.org http://www.spkorb.org '65,'68 Mustangs,'68 Cougar,'78 R100/7,'60 Metro,'59 A35,'71 Pantera #1382 "The more you drive, the less intelligent you get" --Miller "Computers are useless. They can only give you answers." -P. Picasso From trilug at trilug.org Mon Aug 31 15:23:54 2015 From: trilug at trilug.org (Bill Farrow via TriLUG) Date: Mon, 31 Aug 2015 15:23:54 -0400 Subject: [TriLUG] HDD may be failing In-Reply-To: References: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> Message-ID: Stop ! If you have bad sectors or a dying drive, use ddrescue to clone the drive. You can clone directly to the new drive or to a image file on the new drive for later access. Disk size differences can be fixed later, most file systems can be resized offline if needed. http://www.gnu.org/software/ddrescue/ Bill From trilug at trilug.org Mon Aug 31 16:01:11 2015 From: trilug at trilug.org (Joseph Mack NA3T via TriLUG) Date: Mon, 31 Aug 2015 13:01:11 -0700 (PDT) Subject: [TriLUG] HDD may be failing In-Reply-To: References: <32dd452310bcae7a750e0f63de5d4c69@myglnc.com> Message-ID: On Mon, 31 Aug 2015, Bill Farrow via TriLUG wrote: > Stop ! :-) > If you have bad sectors or a dying drive, use ddrescue to clone the > drive. You can clone directly to the new drive or to a image file on > the new drive for later access. Disk size differences can be fixed > later, most file systems can be resized offline if needed. > > http://www.gnu.org/software/ddrescue/ #hop over failed blocks on the first run ddrescue -n $ddrescue_source $ddrescue_target $ddrescue_logfile #do failed blocks only ddrescue -d -r3 $ddrescue_source $ddrescue_target $ddrescue_logfile make sure you have a logfile. you do have a disk ready that you've run badblocks on? 
If not get two disks. ddrescue to one and run badblocks on the other. Then when badblocks is done copy your files to it and use that disk. Then run badblocks on the other disk. About 1:10 disks fail badblocks Joe -- Joseph Mack NA3T EME(B,D), FM05lw North Carolina jmack (at) austintek (dot) com - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml Homepage http://www.austintek.com/ It's GNU/Linux! From trilug at trilug.org Mon Aug 31 17:44:21 2015 From: trilug at trilug.org (David Burton via TriLUG) Date: Mon, 31 Aug 2015 17:44:21 -0400 Subject: [TriLUG] HDD may be failing Message-ID: It is not correct to say that the HDD "may be failing."* It's dead, Jim. * I agree with Joseph (except that I wouldn't bother with badblocks on a new drive). Here it is in more detail: *Step 1: *if your most important files are not backed up, then, before you do anything else, manually copy them to something else (thumbdrive, external HDD, network drive, or whatever) *NOW*. Do that *before* your ddrescue attempt, if possible, because sometimes drive rot progresses fast, and copying the whole drive will necessarily give it a workout, which may worsen the file damage. *THEN* copy your ("rescue") dying drive with ddrescue, using either "step 2a" or "step 2b." 2a. You can either use a different computer running Linux with the old/sick and new drives attached as additional drives ("step 2a"), *or* 2b. You can use the sick computer with Linux booted from a "live" distro CD or thumbdrive ("step 2b"). In either case, you can attach the new drive via USB adapter during the rescue attempt, if you wish, but be sure to attach the old/sick drive via SATA cable, not USB adapter. (Error handling is poor over USB.) *Step 2a:* attach the new and old drives to the rescue machine, and boot up Linux. If you don't already have ddrescue installed, then install it. Assume that /dev/sdb is the old/sick drive, and /dev/sdc is the new one. 
Then: # fdisk -lu /dev/sdb >fdisk_out.txt # ddrescue --force /dev/sdb /dev/sdc drive.log # ddrescue -d -r10 --force /dev/sdb /dev/sdc drive.log --force (or -f) is necessary with recent ddrescue versions if the destination is a drive, rather than a file. -d (or --direct) says to bypass the Linux file system (open the source drive with the O_DIRECT flag), and copy sector-by-sector. It's slow, but usually enables recovering some additional sectors. -r10 says retry ten times. There's nothing magic about 10. If there are only a few unrecovered sectors, you can use -r1000 and go to bed; sometimes you'll find that some of the failed sectors will eventually be recovered. "drive.log" is an ASCII logfile, which keeps track of what has and has not been rescued. (Author Antonio Diaz designed it that way at my suggestion.) That's what enables the 2nd pass to ignore the already recovered sectors. ddrescue flushes its status to the logfile about once a minute, so even if you crash during the recovery process you can reboot and resume where you left off. *Step 2b:* attach the new drive and a writeable USB flash thumbdrive, and boot your favorite rescue distro (e.g., parted magic, comes with ddrescue preinstalled) from CD or thumb drive. You'll need three drives attached (not counting the CD): 1. the dying drive, /dev/sda in this example 2. the new target drive, /dev/sdb in this example 3. another drive, probably a thumb drive, for the ddrescue logfile, /dev/sdc in this example. # mount /dev/sdc1 /media/sdc1 # mkdir /media/sdc1/rescue # cd /media/sdc1/rescue # fdisk -lu /dev/sda >fdisk_out.txt # ddrescue --force /dev/sda /dev/sdb drive.log # ddrescue -d -r10 --force /dev/sda /dev/sdb drive.log If you're lucky, then when ddrescue is done your new drive can be put into your computer in place of the dying drive, and you're off and running. 
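Both procedures above (Joe's two-pass run and David's steps 2a/2b) leave you with two files: the ddrescue logfile and the saved fdisk_out.txt. The following is an added example for this thread, not code from David's or Joe's posts or from the ddrescue project. It parses the ddrescue logfile (the mapfile) and the `fdisk -lu` listing and reports which partition each unrecovered block landed in, which is the first step toward working out which files were damaged. The fdisk listing and mapfile embedded in it are constructed to look like 2015-era output and are not from anyone's real drive; the block status letters follow the ddrescue manual.

```python
"""Map ddrescue's unrecovered blocks onto partitions.

Added example for this thread: reads the ddrescue logfile (mapfile) and
the `fdisk -lu` listing the procedure above saves, and reports which
partition each unrecovered block falls in.  Both inputs below are
constructed for the example, not output from anyone's real drive."""
import re
from collections import namedtuple

# Byte offsets; `end` is inclusive.
Partition = namedtuple('Partition', 'device start end')

# Constructed `fdisk -lu` output: 1 TB disk, ~340 GB unallocated after
# the last partition (util-linux 2.20 layout, as shipped with Debian 7).
FDISK_OUT = """\
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *        2048     1026047      512000   83  Linux
/dev/sdb2         1026048  1289357311   644165632   83  Linux
"""

# Constructed ddrescue logfile.  Block status: '+' rescued, '-' bad sector,
# '?' not tried, '*' non-trimmed, '/' non-scraped (ddrescue manual).
DRIVE_LOG = """\
# Mapfile. Created by GNU ddrescue version 1.19
# Command line: ddrescue -d -r10 --force /dev/sdb /dev/sdc drive.log
# current_pos  current_status
0xE8E0DB6000     +
#      pos        size  status
0x00000000  0x00200000  +
0x00200000  0x00001000  -
0x00201000  0x3FDFF000  +
0x40000000  0x00002000  -
0x40002000  0x9FBFFFE000  +
0xA000000000  0x00001000  -
0xA000001000  0x48E0DB5000  +
"""


def parse_fdisk(text):
    """Turn the `/dev/...` lines of `fdisk -lu` into byte-addressed Partitions."""
    m = re.search(r'sectors of 1 \* (\d+)', text)
    sector = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        if not line.startswith('/dev/'):
            continue
        f = line.split()
        if f[1] == '*':                     # drop the boot-flag column
            del f[1]
        start, end = int(f[1]), int(f[2])   # sector numbers, end inclusive
        parts.append(Partition(f[0], start * sector, (end + 1) * sector - 1))
    return parts


def parse_mapfile(text):
    """Return [(pos, size, status)] for every block line of a ddrescue mapfile."""
    body = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    blocks = []
    for line in body[1:]:                   # body[0] is the current_pos/status line
        pos, size, status = line.split()[:3]
        blocks.append((int(pos, 16), int(size, 16), status))
    return blocks


def damage_report(mapfile_text, fdisk_text):
    """For each block not marked rescued ('+'), list the (device, bytes) it overlaps.

    A block outside every partition is reported as ('unallocated', size); a
    block straddling a partition boundary is split between the partitions."""
    parts = parse_fdisk(fdisk_text)
    report = []
    for pos, size, status in parse_mapfile(mapfile_text):
        if status == '+':
            continue
        last = pos + size - 1
        where = []
        for p in parts:
            lo, hi = max(pos, p.start), min(last, p.end)
            if lo <= hi:
                where.append((p.device, hi - lo + 1))
        report.append({'pos': pos, 'size': size, 'status': status,
                       'where': where or [('unallocated', size)]})
    return report


def bytes_unrecovered_by_device(report):
    """Sum the unrecovered bytes per partition (or 'unallocated')."""
    totals = {}
    for entry in report:
        for device, nbytes in entry['where']:
            totals[device] = totals.get(device, 0) + nbytes
    return totals


if __name__ == '__main__':
    rep = damage_report(DRIVE_LOG, FDISK_OUT)
    for e in rep:
        print('0x%010X +0x%X [%s] -> %s' % (e['pos'], e['size'], e['status'], e['where']))
    print(bytes_unrecovered_by_device(rep))
```

Run it against the real files with `damage_report(open('drive.log').read(), open('fdisk_out.txt').read())`. Bytes reported against the unallocated tail cost you nothing; bytes inside a partition are where to point fsck, or an inode-to-block lookup for that file system, next.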
In theory, you could use the information in drive.log + fdisk_out.txt to identify the damaged files, but I only know how to do that for ntfs file systems. Here's the ddrescue project page: http://freshmeat.net/projects/addrescue/ http://freecode.com/projects/addrescue This is the ddrescue manual: https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html On some distros, it might be useful to disable buffering on the old/sick drive before the 2nd ddrescue pass. E.g., for Step 2a: # hdparm -a0 -A0 -k1 -K1 /dev/sdb (That is not necessary with Parted Magic.) Dave On Mon, Aug 31, 2015 at 4:01 PM, Joseph Mack NA3T via TriLUG < trilug at trilug.org> wrote: > On Mon, 31 Aug 2015, Bill Farrow via TriLUG wrote: > > Stop ! >> > > :-) > > If you have bad sectors or a dying drive, use ddrescue to clone the >> drive. You can clone directly to the new drive or to a image file on >> the new drive for later access. Disk size differences can be fixed >> later, most file systems can be resized offline if needed. >> >> http://www.gnu.org/software/ddrescue/ >> > > #hop over failed blocks on the first run > ddrescue -n $ddrescue_source $ddrescue_target $ddrescue_logfile > > #do failed blocks only > ddrescue -d -r3 $ddrescue_source $ddrescue_target $ddrescue_logfile > > make sure you have a logfile. > > you do have a disk ready that you've run badblocks on? If not get two > disks. ddrescue to one and run badblocks on the other. Then when badblocks > is done copy your files to it and use that disk. Then run badblocks on the > othe disk. > > About 1:10 disks fails badblocks > > Joe > From trilug at trilug.org Mon Aug 31 18:16:39 2015 From: trilug at trilug.org (Phillip Rhodes via TriLUG) Date: Mon, 31 Aug 2015 18:16:39 -0400 Subject: [TriLUG] More on IPv6 with TWC Message-ID: So, a couple of weeks ago, I got an IPv6 address from my TWC cable modem for the first time, and all was good. 
But then I made a change to my TWC plan in order to save money and get faster 'net speeds, and somehow in all that, they sent me yet another new cable modem. And this one is the one with a built-in router, wireless access point, etc. OK, piece of cake, right? I wanted to keep using my Netgear router since I already had port forwarding and what-not setup the way I want it. So I went into the admin console for the TWC router and changed the NAT mode to "bridged" which basically makes it "just a cable modem" again. From there everything worked fine, until I noticed that I wasn't getting an IPv6 address handed to the Netgear box anymore. Strange. A little more probing in the admin console on the TWC box showed that the WAN interface still had an IPv6 address. So, guessing that somehow that this box grabbing a v6 address from upstream was interfering with the ability of the Netgear to ask for a v6 address, I unclicked the "enable IPv6" on the TWC router, and rebooted it. Still no IPv6 on the Netgear, until I rebooted it as well. Now everything is back to normal. So, the moral of this story appears to be - IF your TWC cable modem has a router built in, and you want to use your own router with IPv6, turn off IPv6 on the built-in router. That, and "when all else fails, reboot". :-) Phil ~~~ This message optimized for indexing by NSA PRISM From trilug at trilug.org Tue Sep 1 20:27:37 2015 From: trilug at trilug.org (Margaret Parrish via TriLUG) Date: Tue, 1 Sep 2015 20:27:37 -0400 Subject: [TriLUG] unsubscribe Message-ID: Please unsubscribe to mail letters. From trilug at trilug.org Tue Sep 1 21:02:35 2015 From: trilug at trilug.org (Alan Porter via TriLUG) Date: Tue, 1 Sep 2015 21:02:35 -0400 Subject: [TriLUG] unsubscribe In-Reply-To: References: Message-ID: <55E64AAB.4010407@trilug.org> To Margaret, I unsubscribed you from the TriLUG mailing list. 
If that's not what you wanted, you can re-subscribe at http://www.trilug.org/mailman/listinfo/trilug To the rest of the list, I took care of it manually... yup, that works. Alternatively, notice the links at the bottom of the emails that you receive from the list. There are links to sub/unsub. Alan Porter email janitor From trilug at trilug.org Wed Sep 2 06:43:58 2015 From: trilug at trilug.org (Brian McCullough via TriLUG) Date: Wed, 2 Sep 2015 06:43:58 -0400 Subject: [TriLUG] MySQL strangeness Message-ID: <20150902104358.GA16729@bdmcc-us.com> I am looking for somebody who is a decent MySQL DBA. I just "play a DBA on TV," and have run into an issue which I don't know how to solve. My user complains that his database keeps shutting down and rebooting every 10-12 hours, for no apparent reason. There doesn't seem to be anything useful in the log except the entries that show this happening, which I will quote below. There is plenty of disk space, there is about 1% use on that drive, and the database takes up about 550 Meg. ( InnoDB in Centos 6.5 ) The log: 150901 21:24:13 [Note] Event Scheduler: Loaded 0 events 150901 21:24:13 [Note] /usr/libexec/mysqld: ready for connections. Version: '5.1.73' socket: '/var/lib/mysql/mysql.sock' port: 3306 Source distribution 150902 5:50:54 [Note] /usr/libexec/mysqld: Normal shutdown 150902 5:50:54 [Note] Event Scheduler: Purging the queue. 0 events 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted . . . many more of these . . . 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted 150902 5:50:57 InnoDB: Starting shutdown... 
150902 5:51:00 InnoDB: Shutdown completed; log sequence number 0 4172635755 150902 5:51:00 [Note] /usr/libexec/mysqld: Shutdown complete 150902 05:51:01 mysqld_safe mysqld from pid file /mnt/cbsvolume1/mysql/mysqld.pid ended 150902 05:51:02 mysqld_safe Starting mysqld daemon with databases from /mnt/cbsvolume1/mysql 150902 5:51:02 InnoDB: Initializing buffer pool, size = 8.0M 150902 5:51:02 InnoDB: Completed initialization of buffer pool 150902 5:51:02 InnoDB: Started; log sequence number 0 4172635755 150902 5:51:02 [Note] Event Scheduler: Loaded 0 events 150902 5:51:02 [Note] /usr/libexec/mysqld: ready for connections. Version: '5.1.73' socket: '/var/lib/mysql/mysql.sock' port: 3306 Source distribution Suggestions? Thanks, Brian From trilug at trilug.org Wed Sep 2 08:29:34 2015 From: trilug at trilug.org (Mauricio Tavares via TriLUG) Date: Wed, 2 Sep 2015 08:29:34 -0400 Subject: [TriLUG] MySQL strangeness In-Reply-To: <20150902104358.GA16729@bdmcc-us.com> References: <20150902104358.GA16729@bdmcc-us.com> Message-ID: On Wed, Sep 2, 2015 at 6:43 AM, Brian McCullough via TriLUG wrote: > I am looking for somebody who is a decent MySQL DBA. > > I just "play a DBA on TV," and have run into an issue which I don't know > how to solve. > > > My user complains that his database keeps shutting down and rebooting > every 10-12 hours, for no apparent reason. There doesn't seem to be > anything useful in the log except the entries that show this happening, > which I will quote below. There is plenty of disk space, there is about > 1% use on that drive, and the database takes up about 550 Meg. ( InnoDB > in Centos 6.5 ) > > The log: > > 150901 21:24:13 [Note] Event Scheduler: Loaded 0 events > 150901 21:24:13 [Note] /usr/libexec/mysqld: ready for connections. > Version: '5.1.73' socket: '/var/lib/mysql/mysql.sock' port: 3306 > Source distribution > 150902 5:50:54 [Note] /usr/libexec/mysqld: Normal shutdown > > 150902 5:50:54 [Note] Event Scheduler: Purging the queue. 
0 events > 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted > . > . > . > many more of these > . > . > . > 150902 5:50:54 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:55 [ERROR] /usr/libexec/mysqld: Sort aborted > 150902 5:50:57 InnoDB: Starting shutdown... > 150902 5:51:00 InnoDB: Shutdown completed; log sequence number 0 > 4172635755 > 150902 5:51:00 [Note] /usr/libexec/mysqld: Shutdown complete > > 150902 05:51:01 mysqld_safe mysqld from pid file > /mnt/cbsvolume1/mysql/mysqld.pid ended > 150902 05:51:02 mysqld_safe Starting mysqld daemon with databases from > /mnt/cbsvolume1/mysql > 150902 5:51:02 InnoDB: Initializing buffer pool, size = 8.0M > 150902 5:51:02 InnoDB: Completed initialization of buffer pool > 150902 5:51:02 InnoDB: Started; log sequence number 0 4172635755 > 150902 5:51:02 [Note] Event Scheduler: Loaded 0 events > 150902 5:51:02 [Note] /usr/libexec/mysqld: ready for connections. > Version: '5.1.73' socket: '/var/lib/mysql/mysql.sock' port: 3306 > Source distribution > > > > > Suggestions? > > > > Thanks, > Brian > Maybe check the sort_buffer_size? Don't know if it still should be set to 256K, but whatever it is, it is per thread. > > -- > This message was sent to: raubvogel at gmail.com > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. 
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/raubvogel%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Wed Sep 2 08:51:40 2015 From: trilug at trilug.org (Ron Kelley via TriLUG) Date: Wed, 2 Sep 2015 08:51:40 -0400 Subject: [TriLUG] Remote Execution using remctl Message-ID: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> Greetings all, I am trying to setup an environment whereby an admin server can run commands remotely on another server w/out using SSH (think automation with no interaction). I know I can setup password-less SSH via the “authorized_keys” file, but I prefer a more granular approach to specify which users/commands can be run. In my searching, I ran into a tool called “remctl” which seems to do what I want. Essentially, you create a config file on the client server specifying the remote server, remote username, and command(s) to allow. However, remctl requires some sort of Kerberos configuration - something I know nothing about. I was wondering if anyone had experience getting remctl running on CentOS and could share some advice. Or, perhaps, suggest an alternative to remctl. Thanks. -Ron From trilug at trilug.org Wed Sep 2 09:10:37 2015 From: trilug at trilug.org (John Vaughters via TriLUG) Date: Wed, 2 Sep 2015 13:10:37 +0000 (UTC) Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> References: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> Message-ID: <149693830.223738.1441199437514.JavaMail.yahoo@mail.yahoo.com> Ron, I am trying to figure out why you would pass on ssh. It allows for a subsystem of commands, users and hosts. I am not sure how you could get more granular than ssh features, they are pretty rich. You can configure ssh to allow a user from a host and only allow a limited number of commands that you choose. 
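An added example of the restriction John describes, not part of his or Ron's messages: the admin server's key goes into root's authorized_keys on the target with a forced command, and the forced command is a wrapper that checks the client's request against an allowlist before exec'ing the real binary without a shell. vzctl is the command Ron names later in the thread; the wrapper path /usr/local/sbin/vz-wrapper, the permitted vzctl subcommands, the admin host address 192.0.2.10 and the key material are assumptions for the example.

```python
#!/usr/bin/env python
"""Forced-command wrapper for a restricted SSH key (added example).

On the OpenVZ host, the admin server's key goes into root's
authorized_keys with a forced command and the lock-down options
(path, source address and key below are assumptions for this example):

  command="/usr/local/sbin/vz-wrapper",from="192.0.2.10",no-pty,\
  no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3... admin@adminhost

sshd then ignores whatever the client asked to run and starts this script,
with the client's request in $SSH_ORIGINAL_COMMAND.  The script decides
whether that request is allowed and execs the binary directly, so a
compromised admin server gets vzctl start/stop/status and nothing else."""
import os
import re
import shlex
import sys


def _vzctl_ok(args):
    # vzctl <start|stop|restart|status> <CTID>: exactly two args, numeric CTID,
    # so no options, config paths or second subcommand can be smuggled in.
    return (len(args) == 2
            and args[0] in ('start', 'stop', 'restart', 'status')
            and args[1].isdigit())


def _vzlist_ok(args):
    # vzlist is read-only; allow plain flags and identifiers only.
    return all(re.fullmatch(r'[-A-Za-z0-9_.,]+', a) for a in args)


# Bare command name -> (absolute path to exec, argument validator).
# The subcommand lists are assumptions for the example.
ALLOWED = {
    'vzctl': ('/usr/sbin/vzctl', _vzctl_ok),
    'vzlist': ('/usr/sbin/vzlist', _vzlist_ok),
}


def authorize(original_command):
    """Return the argv to exec, or None if the request must be refused.

    shlex.split() yields argv with shell syntax already inert: a request like
    'vzctl stop 101; rm -rf /' becomes six tokens and fails the argument
    check, and nothing is ever handed to a shell in any case."""
    if not original_command:
        return None                         # interactive login attempt: refuse
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None                         # unbalanced quotes
    if not argv or argv[0] not in ALLOWED:
        return None                         # also rejects '/usr/sbin/vzctl', '../vzctl'
    path, ok = ALLOWED[argv[0]]
    if not ok(argv[1:]):
        return None
    return [path] + argv[1:]


def main():
    import syslog                           # Unix-only module, imported here
    requested = os.environ.get('SSH_ORIGINAL_COMMAND', '')
    client = (os.environ.get('SSH_CLIENT') or '?').split()[0]
    syslog.openlog('vz-wrapper')
    argv = authorize(requested)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING, 'denied %r from %s' % (requested, client))
        sys.stderr.write('command not permitted\n')
        sys.exit(126)
    syslog.syslog(syslog.LOG_INFO, 'exec %r from %s' % (argv, client))
    os.execv(argv[0], argv)                 # replaces the wrapper; no shell involved


if __name__ == '__main__':
    main()
```

From the admin server, `ssh root@vzhost vzctl status 101` works and `ssh root@vzhost 'vzctl destroy 101'` or a bare `ssh root@vzhost` gets "command not permitted" plus a syslog line naming the source address. The no-* options matter as much as the command= part: without no-pty and the forwarding restrictions the key could still be used to open tunnels or, with a shell-capable forced command, an interactive session. OpenSSH 7.2 and later accept a single `restrict` option that implies them all; the OpenSSH 5.3 in CentOS 6 needs them spelled out as above.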
The commands can be custom commands that do not even relate to linux. Meaning you create your own scripts and make them available. There really is a ton of options with ssh if you look into the options, it is quite an amazing tool that is highly customizable and secure. John Vaughters On Wednesday, September 2, 2015 8:52 AM, Ron Kelley via TriLUG wrote: Greetings all, I am trying to setup an environment whereby an admin server can run commands remotely on another server w/out using SSH (think automation with no interaction).  I know I can setup password-less SSH via the “authorized_keys” file, but I prefer a more granular approach to specify which users/commands can be run. In my searching, I ran into a tool called “remctl” which seems to do what I want.  Essentially, you create a config file on the client server specifying the remote server, remote username, and command(s) to allow.  However, remctl requires some sort of Kerberos configuration - something I know nothing about. I was wondering if anyone had experience getting remctl running on CentOS and could share some advice.  Or, perhaps, suggest an alternative to remctl. Thanks. -Ron -- This message was sent to: John Vaughters To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug Unsubscribe or edit options on the web    : http://www.trilug.org/mailman/options/trilug/jvaughters04%40yahoo.com Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Wed Sep 2 09:36:48 2015 From: trilug at trilug.org (Jack Hill via TriLUG) Date: Wed, 2 Sep 2015 09:36:48 -0400 (EDT) Subject: [TriLUG] DevFestNC 2015 Call for Speakers In-Reply-To: References: Message-ID: On Wed, 26 Aug 2015, Luke Dary via TriLUG wrote: > This year, DevFestNC will be held at the North Carolina School for Science > and Mathematics on Saturday, November 7th. [snip] > Luke Dary > Organizer GDG Triangle Thanks Luke, this looks pretty neat. 
My Internet search skills seem to be failing me though, so can you expand on what DevFestNC and GDG Triangle are? Thanks, Jack From trilug at trilug.org Wed Sep 2 10:09:36 2015 From: trilug at trilug.org (Ron Kelley via TriLUG) Date: Wed, 2 Sep 2015 10:09:36 -0400 Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <149693830.223738.1441199437514.JavaMail.yahoo@mail.yahoo.com> References: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> <149693830.223738.1441199437514.JavaMail.yahoo@mail.yahoo.com> Message-ID: <404733C8-DD83-4211-BB65-2EE8DBFCF56E@gmail.com> Thanks John. Maybe that is the gap I have. Traditionally, I create the authorized_keys file with the remote users. However, this means the user can run any allowed (i.e.: root on remote server can run *any* command). I need the ability to limit what the remote user can run. In my case, I need the ability to run openvz commands (vzctl, etc) via root on a remote system. But, I want to make sure root can’t run all commands in case my admin server gets compromised. Guess I need to do some more research on ssh. Thanks for the tip! -Ron On Sep 2, 2015, at 9:10 AM, John Vaughters wrote: > Ron, > > I am trying to figure out why you would pass on ssh. It allows for a subsystem of commands, users and hosts. I am not sure how you could get more granular than ssh features, they are pretty rich. You can configure ssh to allow a user from a host and only allow a limited number of commands that you choose. The commands can be custom commands that do not even relate to linux. Meaning you create your own scripts and make them available. There really is a ton of options with ssh if you look into the options, it is quite an amazing tool that is highly customizable and secure. 
> > John Vaughters > > > > On Wednesday, September 2, 2015 8:52 AM, Ron Kelley via TriLUG wrote: > > > Greetings all, > > I am trying to setup an environment whereby an admin server can run commands remotely on another server w/out using SSH (think automation with no interaction). I know I can setup password-less SSH via the “authorized_keys” file, but I prefer a more granular approach to specify which users/commands can be run. > > In my searching, I ran into a tool called “remctl” which seems to do what I want. Essentially, you create a config file on the client server specifying the remote server, remote username, and command(s) to allow. However, remctl requires some sort of Kerberos configuration - something I know nothing about. > > I was wondering if anyone had experience getting remctl running on CentOS and could share some advice. Or, perhaps, suggest an alternative to remctl. > > Thanks. > > -Ron > -- > This message was sent to: John Vaughters > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/jvaughters04%40yahoo.com > Welcome to TriLUG: http://trilug.org/welcome > From trilug at trilug.org Wed Sep 2 10:12:42 2015 From: trilug at trilug.org (Alan Porter via TriLUG) Date: Wed, 2 Sep 2015 10:12:42 -0400 Subject: [TriLUG] MySQL strangeness In-Reply-To: <20150902104358.GA16729@bdmcc-us.com> References: <20150902104358.GA16729@bdmcc-us.com> Message-ID: <55E703DA.3060806@trilug.org> Is there a periodic backup job that's shutting down the database before saving? I've seen jobs in /etc/cron.d before that shut down databases, copy the underlying data store files, and then restart the database. (I prefer to run something like mysqldump for that). Alan On 9/2/15 6:43 AM, Brian McCullough via TriLUG wrote: > I am looking for somebody who is a decent MySQL DBA. 
> > I just "play a DBA on TV," and have run into an issue which I don't know > how to solve. > > > My user complains that his database keeps shutting down and rebooting > every 10-12 hours, for no apparent reason. There doesn't seem to be > anything useful in the log except the entries that show this happening, > which I will quote below. There is plenty of disk space, there is about > 1% use on that drive, and the database takes up about 550 Meg. ( InnoDB > in Centos 6.5 ) > > ... > > > Suggestions? > > > > Thanks, > Brian > > From trilug at trilug.org Wed Sep 2 10:18:02 2015 From: trilug at trilug.org (Brian McCullough via TriLUG) Date: Wed, 2 Sep 2015 10:18:02 -0400 Subject: [TriLUG] MySQL strangeness In-Reply-To: <1379D85D34756447A341C45CC85BBC1651AAB3BF2B@EXCH01.lgfcu.com> References: <20150902104358.GA16729@bdmcc-us.com> <1379D85D34756447A341C45CC85BBC1651AAB3BF2B@EXCH01.lgfcu.com> Message-ID: <20150902141802.GA18574@bdmcc-us.com> On Wed, Sep 02, 2015 at 09:11:42AM -0400, Shawn Taylor wrote: > You have a query or many queries that is taking a long time to sort the result set. You need an index or indexes on your table to support the sort, or you need to use a different sort key in the query(ies). Mysql logs all slow queries, if that is turned on you should see the offenders in the slow log. By default, the file is called mysqld_slow.log. Thank you, Shawn. Yes, I have encountered the slow log before, but it has been at least a couple of years. I don't do much DBA work. I found it off. I turned it on for a minute or two, and got 191K of output before I turned it off again. Already I see at least one table that is getting a lot of hits and only has the Primary Key, no extra indexes. Onward ..... 
Brian From trilug at trilug.org Wed Sep 2 10:19:27 2015 From: trilug at trilug.org (Jack Hill via TriLUG) Date: Wed, 2 Sep 2015 10:19:27 -0400 (EDT) Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> References: <219028ED-C6F2-4479-8DB4-0EBBC2B7B030@gmail.com> Message-ID: On Wed, 2 Sep 2015, Ron Kelley via TriLUG wrote: > Greetings all, > > I am trying to setup an environment whereby an admin server can run > commands remotely on another server w/out using SSH (think automation > with no interaction). I know I can setup password-less SSH via the > “authorized_keys” file, but I prefer a more granular approach to specify > which users/commands can be run. > > In my searching, I ran into a tool called “remctl” which seems to do > what I want. Essentially, you create a config file on the client server > specifying the remote server, remote username, and command(s) to allow. > However, remctl requires some sort of Kerberos configuration - something > I know nothing about. > > I was wondering if anyone had experience getting remctl running on > CentOS and could share some advice. Or, perhaps, suggest an alternative > to remctl. Hi Ron, I've used remctl before and quite like it. In particular it's ACL support is great, so if you need to grant different permissions to different sets of users it really shines. Kerberos is a protocol scheme that solves various authentication problems for entities in the same (or manually federated) administrative realm using an online trusted third party (the Kerberos server or key distribution center (KDC)). Kerberos also provides a single-sign-on mechanism. I think Kerberos is pretty neat and is wildly popular due to Microsoft's co-option. It would be another security critical service for you to run, so if remctl is the only motivating factor for Kerberos it is probably not worth it. 
However, it may be worth looking at your infrastructure to see if Kerberos makes sense as it might solve other problems you have as well. The MIT Kerberos documentation is pretty good . There are other GSS-API mechanisms than Kerberos, but I don't know if remctl supports them or how much work they would be to add. Best, Jack From trilug at trilug.org Wed Sep 2 10:27:30 2015 From: trilug at trilug.org (C TC via TriLUG) Date: Wed, 2 Sep 2015 10:27:30 -0400 Subject: [TriLUG] More on IPv6 with TWC In-Reply-To: References: Message-ID: That, and "when all else fails, reboot". :-) - Fine words of wisdom. That's exactly why my cable modem and internal router are on the same power strip ... On/Off = Happy. On Mon, Aug 31, 2015 at 6:16 PM, Phillip Rhodes via TriLUG < trilug at trilug.org> wrote: > So, a couple of weeks ago, I got an IPv6 address from my TWC cable modem > for the first time, and all was good. But then I made a change to my TWC > plan in order to save money and get faster 'net speeds, and somehow in all > that, they sent me yet another new cable modem. And this one is the one > with a built-in router, wireless access point, etc. > > OK, piece of cake, right? I wanted to keep using my Netgear router since I > already had port forwarding and what-not setup the way I want it. So I > went into the admin console for the TWC router and changed the NAT mode to > "bridged" which basically makes it "just a cable modem" again. From there > everything worked fine, until I noticed that I wasn't getting an IPv6 > address handed to the Netgear box anymore. Strange. > > A little more probing in the admin console on the TWC box showed that the > WAN interface still had an IPv6 address. So, guessing that somehow that > this box grabbing a v6 address from upstream was interfering with the > ability of the Netgear to ask for a v6 address, I unclicked the "enable > IPv6" on the TWC router, and rebooted it. Still no IPv6 on the Netgear, > until I rebooted it as well. 
Now everything is back to normal. > > So, the moral of this story appears to be - IF your TWC cable modem has a > router built in, and you want to use your own router with IPv6, turn off > IPv6 on the built-in router. That, and "when all else fails, reboot". :-) > > > Phil > ~~~ > This message optimized for indexing by NSA PRISM > -- > This message was sent to: Carl > To unsubscribe, send a blank message to trilug-leave at trilug.org from that > address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : > http://www.trilug.org/mailman/options/trilug/c.crider%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Wed Sep 2 10:37:41 2015 From: trilug at trilug.org (Brian McCullough via TriLUG) Date: Wed, 2 Sep 2015 10:37:41 -0400 Subject: [TriLUG] MySQL strangeness In-Reply-To: <20150902141802.GA18574@bdmcc-us.com> References: <20150902104358.GA16729@bdmcc-us.com> <1379D85D34756447A341C45CC85BBC1651AAB3BF2B@EXCH01.lgfcu.com> <20150902141802.GA18574@bdmcc-us.com> Message-ID: <20150902143741.GB19027@bdmcc-us.com> On Wed, Sep 02, 2015 at 10:18:02AM -0400, Triangle Linux Users Group discussion list wrote: > > I found it off. I turned it on for a minute or two, and got 191K of > output before I turned it off again. > > Already I see at least one table that is getting a lot of hits and only > has the Primary Key, no extra indexes. Just for fun, I added an index to one column in a Select that I was seeing in the Slow Query log, and the Explain output went from 54,406 rows processed to 1! 
B-) From trilug at trilug.org Wed Sep 2 10:41:54 2015 From: trilug at trilug.org (Luke Dary via TriLUG) Date: Wed, 02 Sep 2015 14:41:54 +0000 Subject: [TriLUG] DevFestNC 2015 Call for Speakers In-Reply-To: References: Message-ID: Jack and anyone else, GDG stands for Google Developer Group, which are essentially just meetups for people interested in Google developer technologies that exist around the globe. GDG Triangle meets every third Tuesday of the month covering an array of topics, and can be found on Meetup.com ( http://www.meetup.com/Google-Developer-Group-Triangle/) as well as Google+ ( https://plus.google.com/+GDGTriangleNC). One of the large events we have put on for the last couple years is called DevFestNC. DevFests ( https://developers.google.com/events/devfest/?hl=en) are something Google helps GDGs put on with the purpose of bringing the broader (not just Google tech, although they like it when that is included) developer community together. This will be the third year for DevFestNC, and we've slowly grown the participation over the last two years. The first year we had an assortment of speakers present on a variety of topics ( https://www.youtube.com/playlist?list=PLDSP2nNhjqZGc3hovTvwREZcPJNL2EPTW). Last year we did an all-day look at Google's Polymer framework and a couple of talks given by people on topics other than Polymer. I am looking forward to this year as the facilities and staff at NCSSM are pretty fantastic. I've already gotten a few speakers signed up, and need to go through them to make sure we can accommodate all of them, but it should be a great time to socialize with other developers. If anyone has any other questions about the event or the group please feel free to reach out to me. Also, we can always use a few volunteers to help with setup and people-herding, or for helping people with any codelabs, and we're also always on the lookout for sponsors to help offset costs for things like food, badges, signage, and of course swag. 
Luke

On Wed, Sep 2, 2015 at 9:36 AM Jack Hill wrote: > On Wed, 26 Aug 2015, Luke Dary via TriLUG wrote: > > > This year, DevFestNC will be held at the North Carolina School for > Science > > and Mathematics on Saturday, November 7th. > > [snip] > > > Luke Dary > > Organizer GDG Triangle > > Thanks Luke, this looks pretty neat. My Internet search skills seem to be > failing me though, so can you expand on what DevFestNC and GDG Triangle > are? > > Thanks, > Jack >

From trilug at trilug.org Wed Sep 2 11:02:20 2015 From: trilug at trilug.org (Alan Porter via TriLUG) Date: Wed, 2 Sep 2015 11:02:20 -0400 Subject: [TriLUG] More on IPv6 with TWC In-Reply-To: References: Message-ID: <55E70F7C.1010707@trilug.org>

While On/Off does cause one type of silent, zen-style happiness... I prefer the Off/On kind.

Alan

On 9/2/15 10:27 AM, C TC via TriLUG wrote: > That, and "when all else fails, reboot". :-) > - > Fine words of wisdom. That's exactly why my cable modem > and internal router are on the same power strip ... On/Off = Happy.

From trilug at trilug.org Wed Sep 2 11:54:59 2015 From: trilug at trilug.org (John Vaughters via TriLUG) Date: Wed, 2 Sep 2015 15:54:59 +0000 (UTC) Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <630009824.275211.1441209199902.JavaMail.yahoo@mail.yahoo.com> References: <404733C8-DD83-4211-BB65-2EE8DBFCF56E@gmail.com> <630009824.275211.1441209199902.JavaMail.yahoo@mail.yahoo.com> Message-ID: <914580349.296929.1441209299885.JavaMail.yahoo@mail.yahoo.com>

Ron, Here is one article that could help. Most people will recommend that you disable root access on SSH. While that is certainly not a bad idea, it is not the real security gain that most would think. The absolute best way to secure SSH is allow key only access. This is the greatest security gain you will ever get on SSH. Now key management is certainly a task, but not too bad really. Most will almost certainly tell you absolutely never create a root passwordless key.
Well, I definitely would discourage it unless absolutely needed and in most cases you can set permissions for another user for just about any task. However, I have run into the case where I needed a passwordless key for root and I cannot remember why, but nothing else I did was working. You can do it securely by limiting the key's operation. A single command, a set of commands, no pty, limiting hosts/ip, etc. Read the article for more information. BTW he disables root access. In any case, most likely you should be able to give permissions to some other user for your tasks, but do not think that root access HAS to be disabled.

The KEY is the KEYS to security. As an example, let's say someone disables root access, but allows passwords. Brute force on a user is still available and then brute force on the su command is still available as well. With a key you can have very long pass phrase. Example: "A secure key is a key that has a very long pass phrase like this one" Trying to brute force a pass phrase this long is not very easy. I hesitate to say impossible, but just know that once a cracker sees key only, he is moving on to other easier methods to get in. Once you have key only authentication, you can create as many keys as you want that have very specific functions limited to host/ip, key, commands/sub-systems. If in fact you determine you truly need a root passwordless key, you must restrict that key to the most minimum of access which is possible.

One of the reasons you will get the NEVER use root passwordless keys so often on the internet, is because most people do not want to publicly encourage people that do not understand HOW to properly configure this situation. I would encourage you to consider not allowing root access and finding a way to accomplish your tasks, but know that if you get stuck that you have this option.
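John's list above (a single command, a set of commands, no pty, limiting hosts/ip) maps directly onto authorized_keys options, and Ron's case (vzctl as root from an admin server that might itself be compromised) is exactly where a forced command earns its keep. The wrapper below is an added example, not code from the thread or from the article John links. The script path /usr/local/sbin/vz-wrapper, the admin host address 192.0.2.10 and the key comment are placeholders, and the permitted vzctl subcommands are an assumed subset chosen for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for a restricted root automation key.
# Added example; not code from the TriLUG thread. Placeholders: the path
# /usr/local/sbin/vz-wrapper, the admin host 192.0.2.10 and the key comment.
#
# authorized_keys entry on the OpenVZ host (one line; key material elided):
#   from="192.0.2.10",command="/usr/local/sbin/vz-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... admin-automation
#
# With command= set, sshd runs this wrapper no matter what the client asked
# for; the client's request is only visible in $SSH_ORIGINAL_COMMAND. Nothing
# from that string is executed unless it matches the allowlist below, so a
# stolen key can trigger these operations and nothing else.

PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed PATH: do not trust the login environment
NL='
'

# is_allowed REQUEST -> exit 0 if REQUEST has an allowed shape, 1 otherwise.
# Every pattern is anchored and spells out its argument syntax, so shell
# metacharacters, extra arguments and unknown subcommands all fail to match.
is_allowed() {
    req=$1
    case $req in
        "" | *"$NL"*) return 1 ;;   # empty, or multi-line (a second command smuggled in)
    esac
    printf '%s\n' "$req" | grep -qE \
        -e '^vzctl (start|stop|restart|status) [0-9]{1,9}$' \
        -e '^vzlist( -a)?$'
}

# log_request VERDICT REQUEST -> record the decision via syslog. Non-printable
# bytes are replaced so a hostile request cannot forge extra log lines.
log_request() {
    safe=$(printf '%s' "$2" | tr -c '[:print:]' '?')
    logger -t vz-wrapper "$1 from ${SSH_CLIENT:-unknown-client}: $safe" 2>/dev/null || :
}

# run_request REQUEST -> exec an allowed request directly, never through a
# shell: the already validated string is split on whitespace only, with
# globbing disabled, and becomes argv.
run_request() {
    if is_allowed "$1"; then
        log_request allow "$1"
        set -f
        set -- $1
        exec "$@"
    fi
    log_request deny "$1"
    printf 'vz-wrapper: request not permitted\n' >&2
    exit 1
}

# Dispatch only when installed under the expected name; this keeps the file
# loadable for testing without touching any container.
case ${0##*/} in
    vz-wrapper) run_request "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Because command= replaces the client's request, the allowlist is the entire policy: keep every pattern anchored and argument-specific rather than matching a bare command name. Denials are logged with the client address, so an admin server that starts probing for other commands shows up in syslog rather than succeeding quietly.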
Have fun, John Vaughters

Unixlore.net - Linux and Unix Commandline tips, hacks and howtos

From trilug at trilug.org Wed Sep 2 14:15:38 2015 From: trilug at trilug.org (Alan Porter via TriLUG) Date: Wed, 2 Sep 2015 14:15:38 -0400 Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <914580349.296929.1441209299885.JavaMail.yahoo@mail.yahoo.com> References: <404733C8-DD83-4211-BB65-2EE8DBFCF56E@gmail.com> <630009824.275211.1441209199902.JavaMail.yahoo@mail.yahoo.com> <914580349.296929.1441209299885.JavaMail.yahoo@mail.yahoo.com> Message-ID: <55E73CCA.1090604@trilug.org>

As usual, John has good advice. However, if you're new to SSH keys, don't get hung up on the idea of keys that are themselves encrypted using passphrases. That's a leap of logic that can be hard to swallow when you're first converting from passwords to keys.

In general, I keep my keys without passphrases on machines that I operate (my personal laptop). I add passphrases to keys that are stored on someone else's machines (work laptop). That is... I am not afraid that you'll break into my laptop and steal the keys that will let you into my web server. But since my company's IT department has a backup of my $HOME, I encrypt those keys with a passphrase. (Actually, a far better motivation for encrypting my keys with a passphrase came when I learned that my backup of $HOME was accessible by my prankster co-workers).

Without a passphrase:
* $HOME/.ssh/id_rsa is readable and usable without a passphrase.
* Scripts work without user interaction - rsync files every night at midnight, and so on.

With a passphrase:
* The $HOME/.ssh/id_rsa file is encrypted. The IT department can't use that key.
* You can't use that key in a script that runs via cron, because there's no one to unlock the key file.
* There are tools like "ssh-agent" that will remember your passphrase for a while (like until you log out), so you are not continuously pestered to enter it. But yes, like John says, turn off passwords and turn on keys: * for root (using "PermitRootLogin without-password" in /etc/ssh/sshd_config)* * for everybody (using "ChallengeResponseAuthentication no" and "PasswordAuthentication no") It'll change your life. Alan * I know, that setting sounds scary. It's not what it sounds like. From trilug at trilug.org Wed Sep 2 14:23:31 2015 From: trilug at trilug.org (Igor Partola via TriLUG) Date: Wed, 2 Sep 2015 14:23:31 -0400 Subject: [TriLUG] Remote Execution using remctl In-Reply-To: <55E73CCA.1090604@trilug.org> References: <404733C8-DD83-4211-BB65-2EE8DBFCF56E@gmail.com> <630009824.275211.1441209199902.JavaMail.yahoo@mail.yahoo.com> <914580349.296929.1441209299885.JavaMail.yahoo@mail.yahoo.com> <55E73CCA.1090604@trilug.org> Message-ID: Alan, You might want to reconsider your policy of keeping unencrypted ssh keys, even on machines you trust otherwise. I keep mine encrypted, but also run ssh-agent so that I don't have to enter my passphrase all the time. This also has the benefit of allowing me ssh-agent forwarding so I can go from home laptop to random server A to random server B, even though random server A doesn't have my ssh_id. Another thing this lets me do is to see a notification any time my private key is used (or even pop up a confirmation dialog before allowing its use). That way I can see some rogue program is trying to get access to it. Igor From trilug at trilug.org Wed Sep 2 14:37:00 2015 From: trilug at trilug.org (John Vaughters via TriLUG) Date: Wed, 2 Sep 2015 18:37:00 +0000 (UTC) Subject: [TriLUG] Remote Execution using remctl In-Reply-To: References: Message-ID: <1147682953.375456.1441219020816.JavaMail.yahoo@mail.yahoo.com> Agreed Igor, I keep my keys pass phrase encrypted and use long sentences that I can remember that are never written anywhere. 
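Alan's three sshd_config directives above are easy to get wrong in practice: sshd takes the first occurrence of each keyword, ignores commented lines, and treats anything under a Match block as conditional, so a quick grep can report a file as hardened when it is not. The audit below is an added example, not from the thread; the two sample configs are constructed, and the file names are placeholders. It reads the three keywords the way sshd does (Include directives of newer OpenSSH releases are not followed, and Match sections are deliberately skipped, so review those by hand) and accepts prohibit-password, the newer spelling of without-password, as equivalent.

```shell
#!/bin/sh
# Audit the password-login settings Alan lists, reading sshd_config the way
# sshd does. Added example; not code from the TriLUG thread.

# effective_value FILE KEYWORD -> print the value sshd would use for KEYWORD
# (lower-cased), or nothing if the keyword is never set at top level.
# Rules applied: comments and blank lines are skipped, "Keyword value",
# "Keyword=value" and "Keyword = value" are all accepted, the FIRST
# occurrence wins, and parsing stops at the first Match line because
# everything after it is conditional.
effective_value() {
    awk -F '[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim; re-splits fields
        $0 == "" || $0 ~ /^#/   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> print one line per directive that is weak or
# unset; exit 0 only when all three are hardened. An unset keyword is a
# finding: PasswordAuthentication and ChallengeResponseAuthentication
# default to yes, and PermitRootLogin should be stated explicitly.
audit_sshd_config() {
    findings=0
    while read -r kw ok; do
        val=$(effective_value "$1" "$kw")
        case ",$ok," in
            *",${val:-unset},"*) ;;   # hardened
            *)
                findings=$((findings + 1))
                printf '%s: %s is %s (want one of: %s)\n' "$1" "$kw" "${val:-unset}" "$ok"
                ;;
        esac
    done <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password,prohibit-password,no
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: passes a casual grep for "PasswordAuthentication no"
# but is not hardened (commented line, value under Match, first value wins).
sample_weak_sshd_config() {
    cat <<'EOF'
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication = yes
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample: the settings from the thread, stated at top level.
sample_hardened_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config [more files...]
# Exit status is 1 if any file has a finding, which makes it cron-friendly.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do audit_sshd_config "$f" || status=1; done
    exit "$status"
fi
```

Run it against /etc/ssh/sshd_config after editing and again after the next package upgrade; distribution packages occasionally ship a new default file alongside yours, and a cron run that mails only on non-zero exit catches that quietly.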
For key management, Putty on windows has pageant and ssh-agent for linux eliminates using pass phrases repeatedly. I mainly use passwordless keys for automation and heavily restrict the SSH access for those keys. But the beauty of the key concept is that a person has to get that key before they can even attempt to access anything if you turn off user/passwords auth. John Vaughters On Wednesday, September 2, 2015 2:23 PM, Igor Partola wrote: Alan, You might want to reconsider your policy of keeping unencrypted ssh keys, even on machines you trust otherwise. I keep mine encrypted, but also run ssh-agent so that I don't have to enter my passphrase all the time. This also has the benefit of allowing me ssh-agent forwarding so I can go from home laptop to random server A to random server B, even though random server A doesn't have my ssh_id. Another thing this lets me do is to see a notification any time my private key is used (or even pop up a confirmation dialog before allowing its use). That way I can see some rogue program is trying to get access to it. Igor From trilug at trilug.org Wed Sep 2 21:44:14 2015 From: trilug at trilug.org (Matthew Frazier via TriLUG) Date: Wed, 02 Sep 2015 21:44:14 -0400 Subject: [TriLUG] Meeting September 10: Use FOSS to Get a Job Message-ID: <1441244654.1196308.373373242.5DFB3A7E@webmail.messagingengine.com> Topic: Use FOSS to Get a Job Presenter: Michael Hrivnak & guests When: Thursday, 10 September 2015 - 7:00pm to 9:00pm Where: Bandwidth, Venture III, 900 Main Campus Dr, Raleigh, NC 27606 Parking: Venture Center Deck, adjacent to Venture III (visitor spaces are unrestricted after 5pm) Using free and open source software, and participating in the associated communities, *can* make you more employable! This presentation will cover how to get started as a community participant and how to gain résumé-enhancing experience. 
Special guests representing a variety of local organizations will then join us for an interactive discussion about hiring trends, which FOSS skills make a candidate stand out, and any questions you may have for someone directly responsible for hiring FOSS-experienced engineers. Michael Hrivnak, the presenter and panel facilitator, is a Principal Software Engineer at Red Hat and Team Lead for the Pulp Project. With strong experience in both software and systems engineering, he is excited to be writing software for systems engineers. Michael is passionate about open source software, live music, and reducing energy consumption. See you there, Matthew Frazier PR Officer, Triangle Linux Users Group https://www.trilug.org/ From trilug at trilug.org Thu Sep 3 10:19:13 2015 From: trilug at trilug.org (Grawburg via TriLUG) Date: Thu, 03 Sep 2015 10:19:13 -0400 Subject: [TriLUG] Boot "Partition" size Message-ID: <3655ce2d85300aac465d75793afa2274@myglnc.com> I have a new 2 TB drive. The boot "partition' is 1.33 GiB.  Should I increase it, or am I asking for trouble by fooling with it? I've resized the "partitions" in the extended without problem.  Brian Grawburg Wilson From trilug at trilug.org Thu Sep 3 10:29:36 2015 From: trilug at trilug.org (Mauricio Tavares via TriLUG) Date: Thu, 3 Sep 2015 10:29:36 -0400 Subject: [TriLUG] Boot "Partition" size In-Reply-To: <3655ce2d85300aac465d75793afa2274@myglnc.com> References: <3655ce2d85300aac465d75793afa2274@myglnc.com> Message-ID: On Thu, Sep 3, 2015 at 10:19 AM, Grawburg via TriLUG wrote: > I have a new 2 TB drive. The boot "partition' is 1.33 GiB. Should I increase it, or am I asking for trouble by fooling with it? > I've resized the "partitions" in the extended without problem. > I guess it depends on the OS. My Ubuntu and Centos installs have /boot at most 512MB and I am yet to have issues. Besides learning to keep the old cruft, that is. 
> > Brian Grawburg > Wilson > > > > > -- > This message was sent to: raubvogel at gmail.com > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address. > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/raubvogel%40gmail.com > Welcome to TriLUG: http://trilug.org/welcome From trilug at trilug.org Thu Sep 3 10:41:59 2015 From: trilug at trilug.org (Alan Porter via TriLUG) Date: Thu, 3 Sep 2015 10:41:59 -0400 Subject: [TriLUG] Boot "Partition" size In-Reply-To: References: <3655ce2d85300aac465d75793afa2274@myglnc.com> Message-ID: <55E85C37.40406@trilug.org> > I guess it depends on the OS. My Ubuntu and Centos installs have > /boot at most 512MB and I am yet to have issues. Besides learning to > keep the old cruft, that is. On this note, I have a cron job that runs on every server that I maintain. It checks the disk usage and sends me an email if disk usage gets higher than I'd like. Sure, there are fancy tools to do this, but this is dirt stupid and it "just works". Share and enjoy! 
Alan

H03/10:38:24|root at aloha:~$ crontab -l
# m h dom mon dow command
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
HOME=/

# SYSTEM ADMINISTRATION
21 * * * 0-6 /root/cron/check_free.pl /dev/xvda=90

H03/10:38:32|root at aloha:~$ cat cron/check_free.pl
#!/usr/bin/perl
use strict 'vars';

my %PARTITION_LIMITS=();

my $parm_help;
my $arg=0;
for $arg (0..$#ARGV) {
    # split "disk=percentage"; anything after the first '=' is the value
    my ($parm,@val)=split('=',$ARGV[$arg]);
    my $val=join('=',@val);
    # now make sense of parm=value pairs
    if ($parm eq "help") {
        $parm_help++;
    } elsif ($parm eq "-h") {
        $parm_help++;
    } elsif ($parm eq "--help") {
        $parm_help++;
    } else {
        $PARTITION_LIMITS{$parm}=$val;
    }
}

if ($#ARGV<0) { $parm_help++; }

if ($parm_help) {
    print("usage: $0 disk=percentage ...\n");
    print("example: $0 /dev/hda1=90 /dev/sda1=25\n");
    print("   prints one line for each disk that is over the given limit\n");
    print("   prints nothing if the disks are under their limits\n");
    print("   this is useful to run via cron, output mailed to sysadmin\n");
    print("\n");
    exit 0;
}

my $hostname=`hostname`;
$hostname=~s/[\r\n]//g;

# run 'df' and save the values in arrays
my %used_percentage=();
my %mountpoint=();
my $df_out=`df | grep -v "^Filesystem"`;
my @df_lines=split("\n",$df_out);
my $line;
for $line (@df_lines) {
    # df columns: Filesystem 1K-blocks Used Available Use% Mounted on
    my ($partition,$totalblocks,$usedblocks,$availableblocks,$usedpct,$mountpt)=split(" +",$line);
    $usedpct=~s/[^0-9]//g;
    $used_percentage{$partition}=$usedpct;
    $mountpoint{$partition}=$mountpt;
}

# check the partitions in our list against the df-arrays
my $partition;
for $partition (keys(%PARTITION_LIMITS)) {
    if ($used_percentage{$partition} > $PARTITION_LIMITS{$partition}) {
        print "$hostname: partition $partition (mounted on $mountpoint{$partition}) is $used_percentage{$partition}% full\n";
    }
}

H03/10:38:36|root at aloha:~$

From trilug at trilug.org Thu Sep 3 10:58:40 2015 From: trilug at trilug.org (Ron Kelley via TriLUG) Date: Thu, 3 Sep 2015 10:58:40 -0400 Subject: [TriLUG] Boot "Partition" size In-Reply-To: <55E85C37.40406@trilug.org>
References: <3655ce2d85300aac465d75793afa2274@myglnc.com> <55E85C37.40406@trilug.org> Message-ID: <55E86020.3070601@gmail.com> To monitor disk usage, you might want to look at "monit". It is a very good tool to monitor lots of stuff on a host (CPU, load, processes, disk, etc). It can even restart services if they fail (php, web server, MySql, etc) I use it to manage hundreds of VMs/servers - works really, really well. On 9/3/2015 10:41 AM, Alan Porter via TriLUG wrote: > >> I guess it depends on the OS. My Ubuntu and Centos installs have >> /boot at most 512MB and I am yet to have issues. Besides learning to >> keep the old cruft, that is. > > On this note, I have a cron job that runs on every server that I maintain. > It checks the disk usage and sends me an email if disk usage gets higher > than I'd like. Sure, there are fancy tools to do this, but this is dirt > stupid > and it "just works". Share and enjoy! > > Alan > > > > > > H03/10:38:24|root at aloha:~$ crontab -l > # m h dom mon dow command > SHELL=/bin/bash > PATH=/sbin:/bin:/usr/sbin:/usr/bin > HOME=/ > > # SYSTEM ADMINISTRATION > 21 * * * 0-6 /root/cron/check_free.pl /dev/xvda=90 > > > > > > H03/10:38:32|root at aloha:~$ cat cron/check_free.pl > #!/usr/bin/perl > use strict 'vars'; > > my %PARTITION_LIMITS=(); > > my $parm_help; > my $arg=0; > for $arg (0..$#ARGV) { > my ($parm, at val)=split('=',$ARGV[$arg]); > my $val=join('=', at val); > # now make sense of parm=value pairs > if ($parm eq "help") { > $parm_help++; > } elsif ($parm eq "-h") { > $parm_help++; > } elsif ($parm eq "--help") { > $parm_help++; > } else { > $PARTITION_LIMITS{$parm}=$val; > } > } > > if ($#ARGV<0) { $parm_help++; } > > if ($parm_help) { > print("usage: $0 disk=percentage ...\n"); > print("example: $0 /dev/hda1=90 /dev/sda1=25\n"); > print(" prints one line for each disk that is over the given > limit\n"); > print(" prints nothing if the disks are under their limits\n"); > print(" this is useful to run via cron, output mailed 
to > sysadmin\n"); > print("\n"); > exit 0; > } > > my $hostname=`hostname`; > $hostname=~s/[\r\n]//g; > > # run 'df' and save the values in arrays > my %used_percentage=(); > my %mountpoint=(); > my $df_out=`df | grep -v "^Filesystem"`; > my @df_lines=split("\n",$df_out); > my $line; > for $line (@df_lines) { > my > ($partition,$totalblocks,$usedblocks,$availableblocks,$usedpct,$mountpt)=split(" > +",$line); > $usedpct=~s/[^0-9]//g; > $used_percentage{$partition}=$usedpct; > $mountpoint{$partition}=$mountpt; > } > > # check the partitions in our list against the df-arrays > my $partition; > for $partition (keys(%PARTITION_LIMITS)) { > if ($used_percentage{$partition} > $PARTITION_LIMITS{$partition}) { > print "$hostname: partition $partition (mounted on > $mountpoint{$partition}) is $used_percentage{$partition}% full\n"; > } > } > > > > H03/10:38:36|root at aloha:~$ > > > > From trilug at trilug.org Thu Sep 3 12:09:57 2015 From: trilug at trilug.org (John Vaughters via TriLUG) Date: Thu, 3 Sep 2015 16:09:57 +0000 (UTC) Subject: [TriLUG] Boot "Partition" size In-Reply-To: <55E86020.3070601@gmail.com> References: <55E86020.3070601@gmail.com> Message-ID: <372789273.729578.1441296597751.JavaMail.yahoo@mail.yahoo.com> RHEL 5 - 100MB BootCentos 6 - 500MB Boot Centos 7 - 500MB BootFedora 21 - 500MB Boot I'm seeing a trend on RedHat streams. John Vaughters From trilug at trilug.org Thu Sep 3 12:17:03 2015 From: trilug at trilug.org (Bill Farrow via TriLUG) Date: Thu, 3 Sep 2015 12:17:03 -0400 Subject: [TriLUG] Boot "Partition" size In-Reply-To: <372789273.729578.1441296597751.JavaMail.yahoo@mail.yahoo.com> References: <55E86020.3070601@gmail.com> <372789273.729578.1441296597751.JavaMail.yahoo@mail.yahoo.com> Message-ID: On Thu, Sep 3, 2015 at 12:09 PM, John Vaughters via TriLUG wrote: > RHEL 5 - 100MB BootCentos 6 - 500MB Boot > Centos 7 - 500MB BootFedora 21 - 500MB Boot > I'm seeing a trend on RedHat streams. 
The "/boot" partition size is/was limited by a number of complex factors related to the Intel architecture: BIOS, MBR, disk cylinders, partition type, bootloader (LILO/GRUB). http://unix.stackexchange.com/questions/33555/what-is-the-max-partition-supported-in-linux Bill From trilug at trilug.org Thu Sep 3 13:54:21 2015 From: trilug at trilug.org (Igor Partola via TriLUG) Date: Thu, 3 Sep 2015 13:54:21 -0400 Subject: [TriLUG] SSH security Message-ID: So this should probably be a blog post, but I'll just post it here for now. Since there was some discussion on here about ssh, ssh keys, etc. let me share some of my hard-acquired experience in this area: First, always use ssh keys. One of the first things you want to do is disable password-based logins. If you are not convinced that this is a good idea do `tail -f /var/log/auth.log` and take a look at all the bots trying to pick weak passwords on any Internet-connected host with sshd running. To disable password-based logins do this in /etc/ssh/sshd_config: ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no To generate a key for yourself, do this: $ ssh-keygen -t rsa If you live in the future (that is use newish distros), you can use ECDSA instead of RSA and get a smaller key: $ ssh-keygen -t ecdsa RSA will work everywhere, whereas ECDSA will not work with old distros. ECDSA may be more secure and is faster to use, but (1) there is no evidence that a 2048 bit RSA key is weak, and (b) you'd need a really slow box to feel any difference. Passphrase-protect your key and keep it only on machines you physically use. I don't believe in having a separate key for each machine. My work laptop and my home computer have the same private key. I have physical access to both and have no reason to trust one of them more than the other. Protecting it with a passphrase means it's secure at rest (assuming the passphrase is long enough). Use gpg-agent or ssh-agent. 
gpg-agent can store ssh keys as well as private gpg keys, so it is slightly easier. I am not going to go into details on how to get ssh or gpg agent running since this varies from OS to OS and sometimes from distro to distro. Suffice it to say, it is generally well documented and sometimes is already configured for you.

Next, you can forward your ssh-agent connection to a new host. Here is an example (remember only my work laptop has the rsa_id file here):

igor at work-laptop $ ssh -A remote-host-a
igor at remote-host-a $ ssh remote-host-b
igor at remote-host-b $

When going from remote-host-a to remote-host-b I don't have to enter any passwords. In fact, I can have password authentication disabled on both remote hosts and this would work. Why? Because the -A option tells ssh to create a UNIX socket on remote-host-a that is then connected, through my ssh session, to the ssh-agent socket running on my laptop. Beautiful, right?

If you don't want to remember to specify -A every time, you can create/edit your ~/.ssh/config and add the following:

Host *.example.com
    ForwardAgent yes

There is a security issue with the above setup. If remote-host-a was compromised and someone got root access on it, they can interact with my ssh-agent UNIX socket. This is called ssh agent hijacking. If they do that, they then may log into remote-host-b or any other host I have access to. Because of that, it's best to not forward your ssh-agent to any host you do not trust. Note that it's not as bad as the attacker actually getting your private key. They can only log into these other servers while you have an ssh session open to remote-host-a. See http://www.clockwork.net/blog/2012/09/28/602/ssh_agent_hijacking for details.

To mitigate ssh agent hijacking, ssh-add(1) has a -c option. When you add a key with -c, every time your private key is used a confirmation program will be executed first. By default this program is located at /usr/libexec/ssh-askpass.
If it returns 0 the key usage is allowed, otherwise it is denied. You can write a custom script to log the key usage, display a popup warning about it in your notification tray, or even pop up a Yes/No dialog. I did the latter for OS X here: https://github.com/ipartola/mac-ssh-confirm.

Lastly, I really don't like entering passwords into remote hosts. You never know if someone compromised remote-host-a and replaced /usr/bin/sudo with a script that transparently calls real sudo but also emails the attacker your password. Let's be honest, almost nobody has a different random password for all the servers they have access to. To fix that I like to use pam-ssh-agent-auth (https://github.com/cpick/pam-ssh-agent-auth). Basically, I authenticate to the remote host using my private key. It's not passwordless sudo because I have to prove to the remote host that I have the private ssh key that corresponds to the public key listed in my ~/.ssh/authorized_keys, but as long as I forwarded my ssh-agent to the remote host I don't have to enter my local password. I often do keep a random password as a backup, but now I can just store it on some keychain instead of having to memorize it.

There are many more topics to cover here, such as Certificate Authority based client and server ssh keys, monkeysphere, etc., but this is hopefully enough to give you a taste of what you can do to make your life easier and more secure with ssh.

Igor

From trilug at trilug.org Thu Sep 3 14:10:58 2015
From: trilug at trilug.org (Mauricio Tavares via TriLUG)
Date: Thu, 3 Sep 2015 14:10:58 -0400
Subject: [TriLUG] SSH security
In-Reply-To:
References:
Message-ID:

On Thu, Sep 3, 2015 at 1:54 PM, Igor Partola via TriLUG wrote:
> So this should probably be a blog post, but I'll just post it here for now.
> Since there was some discussion on here about ssh, ssh keys, etc. let me
> share some of my hard-acquired experience in this area:
>
> First, always use ssh keys.
> One of the first things you want to do is
> disable password-based logins. If you are not convinced that this is a good
> idea do `tail -f /var/log/auth.log` and take a look at all the bots trying
> to pick weak passwords on any Internet-connected host with sshd running. To
> disable password-based logins do this in /etc/ssh/sshd_config:
>
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
>
> To generate a key for yourself, do this:
>
> $ ssh-keygen -t rsa
>
> If you live in the future (that is use newish distros), you can use ECDSA
> instead of RSA and get a smaller key:
>
> $ ssh-keygen -t ecdsa
>
> RSA will work everywhere, whereas ECDSA will not work with old distros.
> ECDSA may be more secure and is faster to use, but (1) there is no evidence
> that a 2048 bit RSA key is weak, and (2) you'd need a really slow box to
> feel any difference.
>
And, if you want, you can use the -b option to define how many bits you want, as in

ssh-keygen -b 4096 -t rsa

> Passphrase-protect your key and keep it only on machines you physically
> use. I don't believe in having a separate key for each machine. My work
> laptop and my home computer have the same private key. I have physical
> access to both and have no reason to trust one of them more than the other.
> Protecting it with a passphrase means it's secure at rest (assuming the
> passphrase is long enough).
>
> Use gpg-agent or ssh-agent. gpg-agent can store ssh keys as well as private
> gpg keys, so it is slightly easier. I am not going to go into details on
> how to get ssh or gpg agent running since this varies from OS to OS and
> sometimes from distro to distro. Suffice it to say, it is generally well
> documented and sometimes is already configured for you.
>
> Next, you can forward your ssh-agent connection to a new host.
> Here is an
> example (remember only my work laptop has the rsa_id file here):
>
> igor at work-laptop $ ssh -A remote-host-a
> igor at remote-host-a $ ssh remote-host-b
> igor at remote-host-b $
>
> When going from remote-host-a to remote-host-b I don't have to enter any
> passwords. In fact, I can have password authentication disabled on both
> remote hosts and this would work. Why? Because the -A option tells ssh to
> create a UNIX socket on remote-host-a that is then connected, through my
> ssh session, to the ssh-agent socket running on my laptop. Beautiful, right?
>
> If you don't want to remember to specify -A every time, you can create/edit
> your ~/.ssh/config and add the following:
>
> Host *.example.com
>     ForwardAgent yes
>
> There is a security issue with the above setup. If remote-host-a was
> compromised and someone got root access on it, they can interact with my
> ssh-agent UNIX socket. This is called ssh agent hijacking. If they do that,
> they then may log into remote-host-b or any other host I have access to.
> Because of that, it's best to not forward your ssh-agent to any host you do
> not trust. Note that it's not as bad as the attacker actually getting your
> private key. They can only log into these other servers while you have an
> ssh session open to remote-host-a. See
> http://www.clockwork.net/blog/2012/09/28/602/ssh_agent_hijacking for
> details.
>
> To mitigate ssh agent hijacking, ssh-add(1) has a -c option. When you add
> a key with -c, every time your private key is used a confirmation program
> will be executed first. By default this program is located at
> /usr/libexec/ssh-askpass. If it returns 0 the key usage is allowed,
> otherwise it is denied. You can write a custom script to log the key usage,
> display a popup warning about it in your notification tray, or even pop up
> a Yes/No dialog. I did the latter for OS X here:
> https://github.com/ipartola/mac-ssh-confirm.
>
> Lastly, I really don't like entering passwords into remote hosts. You never
> know if someone compromised remote-host-a and replaced /usr/bin/sudo with a
> script that transparently calls real sudo but also emails the attacker your
> password. Let's be honest, almost nobody has a different random password
> for all the servers they have access to. To fix that I like to use
> pam-ssh-agent-auth (https://github.com/cpick/pam-ssh-agent-auth).
> Basically, I authenticate to the remote host using my private key. It's not
> passwordless sudo because I have to prove to the remote host that I have
> the private ssh key that corresponds to the public key listed in my
> ~/.ssh/authorized_keys, but as long as I forwarded my ssh-agent to the
> remote host I don't have to enter my local password. I often do keep a
> random password as a backup, but now I can just store it on some keychain
> instead of having to memorize it.
>
If you are using a .ssh/config file, you can also specify different keys, as in

ssh-keygen -f ~/.ssh/guineapigs-rsa

for different hosts or groups of hosts, and then configure those in .ssh/config as needed. Save the default one (id_rsa) to something you do not care about since it is the one ssh will try if the other end accepts key auth by default.

> There are many more topics to cover here, such as Certificate Authority
> based client and server ssh keys, monkeysphere, etc., but this is hopefully
> enough to give you a taste of what you can do to make your life easier and
> more secure with ssh.
>
> Igor
> --
> This message was sent to: raubvogel at gmail.com
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/raubvogel%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome

From trilug at trilug.org Fri Sep 4 10:25:26 2015
From: trilug at trilug.org (Hariharan Gopalan via TriLUG)
Date: Fri, 4 Sep 2015 10:25:26 -0400
Subject: [TriLUG] IaaS and PaaS / openstack / cloudify ... confused
Message-ID:

Hello Group

Wonder if anyone with expertise / working knowledge of setting up a cloud stack would be available to chat, I'll buy you lunch.

Thanks
Hari

From trilug at trilug.org Fri Sep 4 10:33:55 2015
From: trilug at trilug.org (Chris Bickhaus via TriLUG)
Date: Fri, 4 Sep 2015 09:33:55 -0500
Subject: [TriLUG] WIFI EAP-TTLS connection issue
Message-ID:

So my grand plan to move my wife to Linux is hanging in the balance right now, and, as a relative newbie, I could use some help. Given the privacy issues, etc. with Windows 10, my wife was more than willing to try Ubuntu over Windows 10. I was able to get Citrix, etc. running for her work, and I thought the laptop was ready to go. Then she takes it to work, tries to connect to the wifi and can't. The wifi network is using EAP-TTLS for authentication without a certificate. When trying to connect, my wife is greeted with a message telling her that no certificate authority certificate has been chosen. If she clicks ignore, the prompt disappears, but she is not able to connect. She has confirmed with IT that they are not using a certificate, but that is as far as she got. She was told that Linux is a highly customizable OS and, as a result, they offer no support for it.

My wife is running Ubuntu 14.04.3 with the 3.19 kernel.
The /etc/NetworkManager/system-connections file for the SSID is as follows:

[ipv6]
method=auto

[connection]
id=(redacted)
uuid=(redacted)
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap
auth-alg=open

[802-11-wireless]
ssid=clubs
mode=infrastructure
mac-address=(redacted)
security=802-11-wireless-security

[802-1x]
eap=ttls;
identity=(redacted)
phase2-auth=chap
password-flags=1

[ipv4]
method=auto

Has anyone run into a similar issue and been able to work it out? I found a few somewhat relevant threads on askubuntu, etc. that talked about eliminating the line system-ca-cert=true, but that line is not present in the file (supposedly a bug surrounding this very issue has been fixed for 14.04). Any help would be greatly appreciated.

Thanks,

Chris

From trilug at trilug.org Fri Sep 4 10:58:17 2015
From: trilug at trilug.org (Jeremy Davis via TriLUG)
Date: Fri, 4 Sep 2015 10:58:17 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References:
Message-ID:

Not sure this would fix your wifi issue (it might), but during the transition from Windows, the Linux Mint distro might be smoother. Mint is based on Ubuntu but it is the most widely downloaded on distrowatch because the desktop is straightforward and simple and a lot of things just work. I tell folks, I think it would be easier to transition from Windows XP to Linux Mint than it would from XP to Vista or 7.

On Sep 4, 2015 10:39 AM, "Chris Bickhaus via TriLUG" wrote:
> So my grand plan to move my wife to Linux is hanging in the balance right
> now, and, as a relative newbie, I could use some help. Given the privacy
> issues, etc. with Windows 10, my wife was more than willing to try Ubuntu
> over Windows 10. I was able to get Citrix, etc. running for her work, and
> I thought the laptop was ready to go. Then she takes it to work, tries to
> connect to the wifi and can't. The wifi network is using EAP-TTLS for
> authentication without a certificate.
> When trying to connect, my wife is
> greeted with a message telling her that no certificate authority
> certificate has been chosen. If she clicks ignore, the prompt disappears,
> but she is not able to connect. She has confirmed with IT that they are
> not using a certificate, but that is as far as she got. She was told that
> Linux is a highly customizable OS and, as a result, they offer no support
> for it.
>
> My wife is running Ubuntu 14.04.3 with the 3.19 kernel. The
> /etc/NetworkManager/system-connections file for the SSID is as follows:
>
> [ipv6]
> method=auto
>
> [connection]
> id=(redacted)
> uuid=(redacted)
> type=802-11-wireless
>
> [802-11-wireless-security]
> key-mgmt=wpa-eap
> auth-alg=open
>
> [802-11-wireless]
> ssid=clubs
> mode=infrastructure
> mac-address=(redacted)
> security=802-11-wireless-security
>
> [802-1x]
> eap=ttls;
> identity=(redacted)
> phase2-auth=chap
> password-flags=1
>
> [ipv4]
> method=auto
>
> Has anyone run into a similar issue and been able to work it out? I found
> a few somewhat relevant threads on askubuntu, etc. that talked about
> eliminating the line system-ca-cert=true, but that line is not present in
> the file (supposedly a bug surrounding this very issue has been fixed for
> 14.04). Any help would be greatly appreciated.
>
> Thanks,
>
> Chris

From trilug at trilug.org Fri Sep 4 11:12:00 2015
From: trilug at trilug.org (Kurktchiev, Boris via TriLUG)
Date: Fri, 4 Sep 2015 15:12:00 +0000
Subject: [TriLUG] IaaS and PaaS / openstack / cloudify ... confused
In-Reply-To:
References:
Message-ID:

Hey Hari,

We actually have OpenShift v2 (PaaS), we have POC of v3 running and are working out the kinks before going to it, stood up and working in production (e.g. open to every campus user). Depending on your use case we might be able to set up a meeting/chat :)

-B

On Sep 4, 2015, at 10:25 AM, Hariharan Gopalan via TriLUG wrote:
> Hello Group
>
> Wonder if anyone with expertise / working knowledge of setting up a cloud stack would be available to chat, I'll buy you lunch.
>
> Thanks
> Hari

From trilug at trilug.org Fri Sep 4 11:28:28 2015
From: trilug at trilug.org (C TC via TriLUG)
Date: Fri, 4 Sep 2015 11:28:28 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References:
Message-ID:

I believe some of the Ubuntu users at my old job had to use the method below (found on askubuntu). I've emailed one of the guys .. will post reply if he answers.

------------------------------------------------------------------------

*The warning was happening again and again. What I ended up doing was first I did this: I clicked the "Choose a Certificate Authority certificate..."*

*Then I went to "/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt" and added that as my certificate.*

*The certificate error went away but the password prompt for the WiFi did not.*

*So I went to "Edit Connections" and selected my wireless connection.*

*Then I went to the "General" tab and unticked "All users may connect to this network".*

*No more CA prompt or wireless password prompt.*

On Fri, Sep 4, 2015 at 10:33 AM, Chris Bickhaus via TriLUG <trilug at trilug.org> wrote:
> So my grand plan to move my wife to Linux is hanging in the balance right
> now, and, as a relative newbie, I could use some help. Given the privacy
> issues, etc. with Windows 10, my wife was more than willing to try Ubuntu
> over Windows 10. I was able to get Citrix, etc. running for her work, and
> I thought the laptop was ready to go. Then she takes it to work, tries to
> connect to the wifi and can't. The wifi network is using EAP-TTLS for
> authentication without a certificate. When trying to connect, my wife is
> greeted with a message telling her that no certificate authority
> certificate has been chosen. If she clicks ignore, the prompt disappears,
> but she is not able to connect. She has confirmed with IT that they are
> not using a certificate, but that is as far as she got. She was told that
> Linux is a highly customizable OS and, as a result, they offer no support
> for it.
>
> My wife is running Ubuntu 14.04.3 with the 3.19 kernel. The
> /etc/NetworkManager/system-connections file for the SSID is as follows:
>
> [ipv6]
> method=auto
>
> [connection]
> id=(redacted)
> uuid=(redacted)
> type=802-11-wireless
>
> [802-11-wireless-security]
> key-mgmt=wpa-eap
> auth-alg=open
>
> [802-11-wireless]
> ssid=clubs
> mode=infrastructure
> mac-address=(redacted)
> security=802-11-wireless-security
>
> [802-1x]
> eap=ttls;
> identity=(redacted)
> phase2-auth=chap
> password-flags=1
>
> [ipv4]
> method=auto
>
> Has anyone run into a similar issue and been able to work it out? I found
> a few somewhat relevant threads on askubuntu, etc. that talked about
> eliminating the line system-ca-cert=true, but that line is not present in
> the file (supposedly a bug surrounding this very issue has been fixed for
> 14.04). Any help would be greatly appreciated.
>
> Thanks,
>
> Chris

From trilug at trilug.org Fri Sep 4 11:38:43 2015
From: trilug at trilug.org (Grawburg via TriLUG)
Date: Fri, 04 Sep 2015 11:38:43 -0400
Subject: [TriLUG] Epson V300 Scanner
Message-ID: <4abf283c36123359a6a0f5790839125e@myglnc.com>

I've been given an Epson V300 scanner. After reading a number of Web-posts about using this scanner with Debian 7 64-bit I thought I'd poll the group to see if anyone is using this model with Debian. No sense taking it out of the box if it's going to be a PIA to use. I have downloaded the xxxamd64.deb files from the Epson site.

Thanks,

Brian Grawburg
Wilson

From trilug at trilug.org Fri Sep 4 15:05:54 2015
From: trilug at trilug.org (Jeremy Davis via TriLUG)
Date: Fri, 4 Sep 2015 15:05:54 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References:
Message-ID:

Chris,

It was brought to my attention, by a good friend on this list, that it was a bit harsh to recommend a different distro for a very specific problem and it smells like distro pushing. He was right and I apologize for throwing my suggestion out there like that. I am not affiliated with Mint in any way; however, I do tend to push it whenever I hear someone is transitioning from Windows. I do this because I think it is the most user friendly and it lessens the odds of a would-be new Linux user throwing their hands up and saying "I can't do this" and resorting back to Windows. Although I was very determined, I started out with Ubuntu then had to resort back to Windows.
It was a year or two later before I could finally escape Windows and Mint made the transition quite painless with very few problems. I have given non-tech family members Mint and Ubuntu. They were confused by Ubuntu/Unity but happy for years with Mint and the Cinnamon desktop. I consider Mint to be the gateway distro. The drawback is it probably has the highest number of proprietary things running under the hood among all the distros.

Anyhoo, this all happened before I found TriLUG. With TriLUG as a resource, you will very likely be successful with any distro or any Linux related endeavor. My apologies and good luck to you and your wife.

Jeremy Davis

On Sep 4, 2015 10:39 AM, "Chris Bickhaus via TriLUG" wrote:
> So my grand plan to move my wife to Linux is hanging in the balance right
> now, and, as a relative newbie, I could use some help. Given the privacy
> issues, etc. with Windows 10, my wife was more than willing to try Ubuntu
> over Windows 10. I was able to get Citrix, etc. running for her work, and
> I thought the laptop was ready to go. Then she takes it to work, tries to
> connect to the wifi and can't. The wifi network is using EAP-TTLS for
> authentication without a certificate. When trying to connect, my wife is
> greeted with a message telling her that no certificate authority
> certificate has been chosen. If she clicks ignore, the prompt disappears,
> but she is not able to connect. She has confirmed with IT that they are
> not using a certificate, but that is as far as she got. She was told that
> Linux is a highly customizable OS and, as a result, they offer no support
> for it.
>
> My wife is running Ubuntu 14.04.3 with the 3.19 kernel.
> The
> /etc/NetworkManager/system-connections file for the SSID is as follows:
>
> [ipv6]
> method=auto
>
> [connection]
> id=(redacted)
> uuid=(redacted)
> type=802-11-wireless
>
> [802-11-wireless-security]
> key-mgmt=wpa-eap
> auth-alg=open
>
> [802-11-wireless]
> ssid=clubs
> mode=infrastructure
> mac-address=(redacted)
> security=802-11-wireless-security
>
> [802-1x]
> eap=ttls;
> identity=(redacted)
> phase2-auth=chap
> password-flags=1
>
> [ipv4]
> method=auto
>
> Has anyone run into a similar issue and been able to work it out? I found
> a few somewhat relevant threads on askubuntu, etc. that talked about
> eliminating the line system-ca-cert=true, but that line is not present in
> the file (supposedly a bug surrounding this very issue has been fixed for
> 14.04). Any help would be greatly appreciated.
>
> Thanks,
>
> Chris

From trilug at trilug.org Sat Sep 5 12:35:14 2015
From: trilug at trilug.org (Craig Cook via TriLUG)
Date: Sat, 5 Sep 2015 16:35:14 +0000 (UTC)
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References:
Message-ID: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com>

> My wife is running Ubuntu 14.04.3 with the 3.19 kernel. The
> /etc/NetworkManager/system-connections file for the SSID is as follows:

I had problems with an earlier version of ubuntu connecting to corporate wireless as well. I ended up uninstalling Network Manager and installing Wicd. It was a non-trivial exercise though.

Another suggestion is to post your question on the ubuntu forums.
Or, try using an older version of ubuntu (from a live boot CD/USB stick so you don't wipe your system first).

Linux is nice when it works, but can be very painful/time consuming when it doesn't.

Craig

From trilug at trilug.org Sat Sep 5 12:46:46 2015
From: trilug at trilug.org (Alan Porter via TriLUG)
Date: Sat, 5 Sep 2015 12:46:46 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com>
References: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55EB1C76.1060409@trilug.org>

> Linux is nice when it works, but can be very painful/time consuming when it doesn't.

Lately, I am noticing that other more mainstream operating systems are even more painful when they don't work. There seem to be fewer knobs to turn, and the discussions about fixes seem to be very superficial "black box" suggestions to try this or that voodoo magic, without any attempt to understand the underlying issues. Peruse https://discussions.apple.com/ and you'll get a taste of what I mean.

Alan

From trilug at trilug.org Sat Sep 5 13:06:35 2015
From: trilug at trilug.org (Craig Cook via TriLUG)
Date: Sat, 5 Sep 2015 17:06:35 +0000 (UTC)
Subject: [TriLUG] JOB - Junior Linux admin roles at IBM - RTP
Message-ID: <1991529911.2142492.1441472795945.JavaMail.yahoo@mail.yahoo.com>

My new team (part of the Cloud team) is helping anyone try and buy IBM services. We are looking for people to join us.
You will:
- have linux administration skills
- believe in DevOps
- play nice with others
- like receiving appreciation for things you do
- love solving problems and know there is always a better way
- always be learning new things
- try to automate everything
- know how to write code
- know that you do not have 100% of the skills that we need, but can learn fast
- figure out how to contact me
- want to live in Raleigh-Durham, NC (this is an onsite position)

Thanks
Craig

From trilug at trilug.org Sat Sep 5 14:49:22 2015
From: trilug at trilug.org (Ken MacKenzie via TriLUG)
Date: Sat, 5 Sep 2015 14:49:22 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To: <55EB1C76.1060409@trilug.org>
References: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com> <55EB1C76.1060409@trilug.org>
Message-ID:

Mainstream maybe, but more so the distros designed more for people coming from OSs that hide more of the base layers from you. Ubuntu and yes Mint as well. We have two more Mint instances in this house to swap out for debian. Thankfully debian now comes with cinnamon and mate desktop options for those in the family that have gotten used to those. Although cinnamon has been buggy. Frankly everyone in this house that needs a more hand-holding WM/DE is starting to get used to gnome 3. I must confess gnome3 is not bad if that is what you want. I would definitely take it over unity. Personally I have moved over 100% to openbox for my wm.

But the main base distros I find to be sane safe places to start if you know what you are doing or are willing to rtfm with maybe a friend to hold your hand. Debian, Fedora, Slack, Arch, and heck OpenSUSE and FreeBSD can do just about whatever you ask of them if you are willing to do it yourself. They all make great desktop environments, well BSD not as much. Most of them are also good server environments. It is one of the reasons I like using just plain debian so much as I find it is very easy to translate to both environments.
Ken

On Sat, Sep 5, 2015 at 12:46 PM, Alan Porter via TriLUG wrote:
>
>> Linux is nice when it works, but can be very painful/time consuming when
>> it doesn't.
>>
>
> Lately, I am noticing that other more mainstream operating systems are
> even more painful when they don't work. There seem to be fewer knobs to
> turn, and the discussions about fixes seem to be very superficial "black
> box" suggestions to try this or that voodoo magic, without any attempt to
> understand the underlying issues. Peruse https://discussions.apple.com/
> and you'll get a taste of what I mean.
>
> Alan
>

From trilug at trilug.org Sat Sep 5 14:54:25 2015
From: trilug at trilug.org (Ken MacKenzie via TriLUG)
Date: Sat, 5 Sep 2015 14:54:25 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com> <55EB1C76.1060409@trilug.org>
Message-ID:

To be fair I should be clear that wifi is always a minor extra headache in debian because of its only free options on install. I am yet to install debian on a laptop and not need a wired connection afterwards to install a non-free wifi driver. Well one exception is on the chromebook but that is in a chroot so really the wifi driver is handled by the custom Gentoo spin that is Chrome OS.

Ken

On Sat, Sep 5, 2015 at 2:49 PM, Ken MacKenzie wrote:
> Mainstream maybe, but more so the distros designed more for people coming
> from OSs that hide more of the base layers from you. Ubuntu and yes Mint
> as well. We have two more Mint instances in this house to swap out for
> debian.
> Thankfully debian now comes with cinnamon and mate desktop options
> for those in the family that have gotten used to those. Although cinnamon
> has been buggy. Frankly everyone in this house that needs a more hand
> holding WM/DE is starting to get used to gnome 3. I must confess gnome3 is
> not bad if that is what you want. I would definitely take it over unity.
> Personally I have moved over 100% to openbox for my wm.
>
> But the main base distros I find to be sane safe places to start if you
> know what you are doing or are willing to rtfm with maybe a friend to hold
> your hand. Debian, Fedora, Slack, Arch, and heck OpenSUSE and FreeBSD can
> do just about whatever you ask of them if you are willing to do it
> yourself. They all make great desktop environments, well BSD not as much.
> Most of them are also good server environments. It is one of the reasons I
> like using just plain debian so much as I find it is very easy to translate
> to both environments.
>
> Ken
>
> On Sat, Sep 5, 2015 at 12:46 PM, Alan Porter via TriLUG wrote:
>
>>
>>> Linux is nice when it works, but can be very painful/time consuming when
>>> it doesn't.
>>>
>>
>> Lately, I am noticing that other more mainstream operating systems are
>> even more painful when they don't work. There seem to be fewer knobs to
>> turn, and the discussions about fixes seem to be very superficial "black
>> box" suggestions to try this or that voodoo magic, without any attempt to
>> understand the underlying issues. Peruse https://discussions.apple.com/
>> and you'll get a taste of what I mean.
>>
>> Alan
>>
>

From trilug at trilug.org Sat Sep 5 19:57:15 2015
From: trilug at trilug.org (Aaron Schrab via TriLUG)
Date: Sat, 5 Sep 2015 19:57:15 -0400
Subject: [TriLUG] WIFI EAP-TTLS connection issue
In-Reply-To:
References: <1687983346.2113174.1441470914325.JavaMail.yahoo@mail.yahoo.com> <55EB1C76.1060409@trilug.org>
Message-ID: <20150905235715.GB16390@pug.qqx.org>

At 14:54 -0400 05 Sep 2015, Ken MacKenzie via TriLUG wrote:
> To be fair I should be clear that wifi is always a minor extra headache in
> debian because of its only free options on install. I am yet to install
> debian on a laptop and not need a wired connection afterwards to install a
> non-free wifi driver.

There are unofficial installer images that include non-free firmware packages. I've used these to install Debian on laptops which require non-free firmware without using any wired connection.

http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/