Topics created by anthonyh

@pete-s said in MariaDB/MySQL Table Repair Eating TONS of disk space:

@anthonyh said in MariaDB/MySQL Table Repair Eating TONS of disk space:

I have a MariaDB database that is of moderate size (~48 GB) and two of the tables within this database have corruption. One of the offending tables is reportedly ~25 GB in size. When running REPAIR TABLE, the process eats up all the remaining disk space (which admittedly wasn't a lot, 14 GB).

I started growing the disk and gave it an additional 50 GB. The repair process gobbled it up. Gave it 50 GB more, repair process gobbled it up. Gave it 100 GB more (for a total of 200 GB additional disk), and the repair process still gobbled it all up. I'm a little baffled as to why and am wondering if anyone here can shed some light as to why a 25GB table would need over 200GB of working space for a repair?

The database is using MyISAM storage (I know, I'm working on it) and the table in question stores data (document images) in longblob format. From what I understand, MyISAM table repairs basically involve reconstructing the table, so I wouldn't be surprised at needing at least an equal amount of free space to the size of the table. This behavior has me a little confused.

I assume there are no database clients trying to access the database during your repair.

I don't know the answer to your question but have you had a look at the different settings for repair table?
https://dev.mysql.com/doc/refman/5.7/en/repair-table-optimization.html

Check myisam_max_sort_file_size for instance. If it's larger than your disk then it could outgrow the available space.

You are correct. No clients are accessing the database. I'm doing the repair on a clone of the actual host.

I will investigate myisam_max_sort_file_size and report back.

@Net-Runner said in Windows Server 2012 - Task Scheduler Issue:

There was an issue with US NTP servers multiple users reported during this week. Not sure if it might be the case here but still.

That's why anyone who relies on proper time sync should never use pool.ntp.org servers. They even spell it out on their website but nobody seems to read it.

@stacksofplates Thanks! I started down the path of Logstash/Greylog/others and realized that it's going to take a bit more of my bandwidth than I can dedicate at the moment. So I ended up throwing together a BASH script that'll copy the current log files over to the share every minute. It works for now...

A quick update for y'all that are watching/participating in this thread (thank you, by the way!).

Late Friday I realized where the lockouts where coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.

Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

You may want to try:

Get-ADUser -Filter * -Properties *|Select SamAccountName,HomeDirectory,HomeDrive

and see if that returns what you are looking for.

@anthonyh said in GPO Software Deployment Woes:

Just a side note: I can confirm that @Dashrender 's suggestion of creating a CNAME works like a charm. I created a new software deployment GPO and added the source via the CNAME record and deployment was successful.

Glad to see that I was mistaken 🙂

@anthonyh said in Zimbra, fail2ban, CentOS 7, and firewalld:

@scottalanmiller said in Zimbra, fail2ban, CentOS 7, and firewalld:

https://arstech.net/zimbra-fail2ban-setup/

I came across that article and it's the most promising. Though it's still a iptables based fail2ban configuration. I'm not sure if it's as simple as changing the references to iptables or if tweaking it to work with firewalld is more involved.

I suppose an option is to disable firewalld and install iptables. I've done that before in the past.

Hmm...

That's probably what they did, because you need to disable firewalld to enable iptables.

Another revision.

Added logic for when "lastlogontimestamp" does not exist. This indicates the account has never logged in. So now if "lastlogontimestamp" doesn't exist it checks the account's creation date and disables the account if the creation date is past the expiration threshold.

Also added basic email reporting.

param ( [string]$group, [string]$days = 30, [string]$test = "y" ) # This script will search AD for eligible accounts to disable if they have either # 1) never logged in and are older than the expration, or 2) if the last login is older than the expiration. $emailAddrTo = "[email protected]" $emailAddrFrom = "[email protected]" $emailSMTP = "mail.domain.org" $logStart = get-date -format g $hostName = $env:COMPUTERNAME $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition $scriptName = $MyInvocation.MyCommand.Name $log = "$scriptPath\$scriptName.log" $delimitedList = "$scriptPath\$scriptName.delimited.txt" # If the group parameter is not specified, throw an error and short script usage example. if ( -not ($group)) { echo "Group parameter missing." echo "Script usage: $scriptName -group `'AD Group`' -days 30 -test NO" echo "If `"-days`" isn't specified the default is 30." echo "If `"-test NO`" isn't specified, no changes will be made." exit } echo "Disabling accounts in group $group that have no logged in for more than $days day(s)." if ( $test -ne "NO") { echo "Running in **TEST** mode. No changes will be made!" } import-module activedirectory # Select AD accounts based on group parameter if ( $group -eq "All") { echo "Group All specified, grabbing all Active Directory users" $disableList = @(get-aduser -filter * | select -expandproperty SamAccountName) } else { echo "Grabbing Active Directory users that are a member of $group" $disableList = @(get-adgroupmember $group | select -expandproperty SamAccountName) } # Set expiration threshold based on days parameter $expiration = (get-date).adddays(-$days) # Define arrays to log eligible accounts $noLogons = @() $expiredLogons = @() # Loop through accounts foreach ($acct in $disableList) { # Reset $lastLogonTS to accomodate for null results. $lastLogonTS = '' echo "Processing account $acct" # Get user's distinguished name $acctDN = get-aduser $acct -properties distinguishedname | select -expandproperty distinguishedname # Check if account is disabled. If disabled, skip account. $isEnabled = get-aduser $acct -properties enabled | select -expandproperty enabled if ( $isEnabled -eq $false) { echo "$acct is already disabled, skipping." } else { # Get the last logon timestamp for user. If user has no timestamp, this will error (which means user has never logged in) $lastLogonTS = get-aduser $acct -properties lastlogontimestamp | select -expandproperty lastlogontimestamp -ErrorAction SilentlyContinue # If last logon timestamp does not exist, check when the account was created. If the account is older than the threshold, disable. if (!$lastLogonTS) { $acctCreation = get-aduser $acct -properties whencreated | select -expandproperty whencreated if ( $acctCreation -lt $expiration) { echo "$acct has no recorded login and was created more than $days ago (created $acctCreation) which makes it eligible for deactivation." if ($test -eq "NO") { disable-adaccount -identity $acct echo "$acct disabled" $noLogons += "$acct | $acctDN | Created: $acctCreation" } else { $noLogons += "$acct | $acctDN | Created: $acctCreation | TEST ONLY" } } } else { # Convert last logon timestamp from file time to date time $lastLogon = [datetime]::FromFileTime($lastLogonTS) # If last logon timestamp is older than the threshold, disable account. if ($lastLogon -lt $expiration) { echo "$acct's last logon was more than $days days ago ($lastLogon) and is eligible for deactivation." if ($test -eq "NO") { disable-adaccount -identity $acct echo "$acct disabled" $expiredLogons += "$acct | $acctDN | Last Logon: $lastLogon" } else { $expiredLogons += "$acct | $acctDN | Last Logon: $lastLogon | TEST ONLY" } } } } } # Compile report # Start log file $logEnd = get-date -format g write-output "Log for $scriptName`r`nExecuted on $hostName`r`nScript started $logStart`r`nScript ended $logEnd`r`n" | out-file $log # Generate list of users removed from group, if any. if (!$noLogons) { write-output "Accounts older than $days days with no logon were not found (this is good!).`r`n" | out-file -append $log } else { write-output "The following accounts have been disabled because they are older than $days days and have never been used:" | out-file -append $log write-output $noLogons | out-file -append $log write-output "" | out-file -append $log } # Generate list of users added to the group, if any. if (!$expiredLogons) { write-output "Accounts with the last logon older than $days days were not found (yay!)." | out-file -append $log } else { write-output "The following accounts have been disabled because their last logon was more than $days days ago:" | out-file -append $log write-output $expiredLogons | out-file -append $log } # Dump account information to text file to be attached to the email. write-output $noLogons | out-file $delimitedList write-output $expiredLogons | out-file -append $delimitedList # Send log to $emailAddr if variable is set. if (!$emailAddrTo) { write-output "`r`nNo email address specified, no report sent." | out-file -append $log } else { $emailBody = get-content -path $log | out-string send-mailmessage -from "$hostName <$emailAddrFrom>" -to $emailAddrTo -subject "$scriptName Report" -body $emailBody -smtpserver $emailSMTP -attachments $delimitedList }

I have not used it, I disabled it on my recent install.

@anthonyh said in Testing Zimbra Upgrade - 8.6.0 to 8.8.6:

I restored our production Zimbra server (CentOS 7) from backup to use as a testing environment for upgrading from Zimbra 8.6.0 to current (8.8.6 as of this writing).

Restore was fine. Gave the host an IP on a separate network. Followed a Zimbra wiki article on changing the server's hostname which worked no problem (from what I can tell). Fired up the services and Zimbra 8.6.0 came up hunky dory.

I do a yum update and install all pending updates (not many since I try to keep prod as current as possible), reboot the test server to verify Zimbra is still happy. Everything is good.

I download the 8.8.6 installer and current hotfix and stage them. I then snapshot the VM.

I run the 8.8.6 installer and it completes without complaint.

Where the problems begin. I cannot get to the Zimbra user interface. Management (7071) works fine. This points to a proxy issue.

I check and the proxy service is not running. I fire it up manually using zmproxyctl start and wait a minute. I eventually get the following error:

Starting proxy...nginx: [emerg] invalid URL prefix in /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup:3

I edit the file in question and, sure enough, the production IP is listed.

zm_lookup_handlers [PROD-IP]:7072/service/extension/nginx-lookup;

So I change it to the IP of the test VM (also tried 127.0.0.1 for the heck of it). However, this did not resolve the problem. Attempting to start the proxy service results in the same error.

So I test by telnetting to [TEST-IP]:7072 and it works. I try browsing to the path as shown in the config via a web browser and I get (from Chrome):

[TEST-IP] didn’t send any data. ERR_EMPTY_RESPONSE

Though I don't know if that indicates if there is an issue or not with whatever service is listening on 7072.

Any ideas?

@anthonyh said in Testing Zimbra Upgrade - 8.6.0 to 8.8.6:

In case anyone needs it, here is the solution. Looks like the instructions I followed to change the hostname did not include the proxy service. So to cover all bases, use the following commands after following the article here: https://wiki.zimbra.com/wiki/ZmSetServerName

zmprov ms `zmhostname` zimbraReverseProxyUpstreamLoginServers new.hostname.com zmprov ms `zmhostname` zimbraReverseProxyUpstreamEwsServers new.hostname.com zmprov mcf zimbraReverseProxyUpstreamLoginServers new.hostname.com zmprov mcf zimbraReverseProxyUpstreamEwsServers new.hostname.com /opt/zimbra/libexec/zmproxyconfgen zmproxyctl restart

To quote this further..

Edit file /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup

Modify URL to match the below (change hostname with yours):

zm_lookup_handlers https://mail.hostname.com:7072/service/extension/nginx-lookup;

Disable module chunkin because since 1.3.9 & above, Nginx core already has built-in support for the chunked request bodies, hence its no longer needed.

Verify Nginx version to see if it has been upgraded to 1.7.1

[zimbra@mail ~]$ nginx -v nginx version: nginx/1.7.1

Edit file /opt/zimbra/conf/nginx/includes/nginx.conf.web

Comment the following:

# chunkin on;

Edit file /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default

Comment these 4 lines & save the file:

# chunkin handler # location @chunkin_handler { # chunkin_resume; # }

Finally restart the proxy service:

zmproxyctl restart

Hope this helps 🙂

Kind regards,
Viraj

@anthonyh said in XenServer 6.5 - Clean Up Storage Repository:

I've realized that there is other Zimbra maintenance that I need to schedule (most importantly upgrading from 8.6.0 to current). I'm going to do the shut down, rescan SR, and hope it coalesces when I do this work. I seem to be in OK shape for the moment. Alike is able to back it up and backups are good (I did a test restore successfully).

Also for a Zimbra you will have some downtime when upgrading for sure (Not as much as if you did Exchange 😉 )

Ha, ok, I found a workaround. I can simply cat the message back into the mail spool. 😄

cat $msgFile >> $mailSpool

Boom, message is back in the mail spool and my process re-consumes it.

The new ER4 will have an UBNT made rack mount. No idea if is is compatible with the ERL physically.

I was thinking ssh too.
You would need to run ssh into your vm from xs#
then run your template script, but save the machine name info as a variable that xs can use locally
Then run xe vm-param-set uuid=uuidofvm name-label=$variable
Then run xe vdi-param-set uuid=uuidofvm name-label=$variable.disk0
Or something like that. Youll probably have to mess with single and double quotes somewhere

@jaredbusch said in SIP Trunk Provider For Home Lab:

@dashrender said in SIP Trunk Provider For Home Lab:

@jaredbusch said in SIP Trunk Provider For Home Lab:

@scottalanmiller said in SIP Trunk Provider For Home Lab:

@jaredbusch said in SIP Trunk Provider For Home Lab:

@scottalanmiller I need a vendor to send me a Yealink W52P for testing and review.
Would be a good 'home" phone. Then I can convince the rest of the family a step at a time.

Yeah, me too. Still have a really old entry level T3xG on my desk right now.

I would not want a W52P for a desk phone. But for a home cordless phone, it is perfect. I know that @Minion-Queen has one at their house.

For your desk get the T41S since you do not care about gigabit.

I have one of these,... it was ok.

Is that response based on home use or office use..

I used it at home. granted I barely use the phone at home, so I would not call it a fair test.

@dafyre said in PowerShell - Script never completes. Is there a session timeout?:

@anthonyh said in PowerShell - Script never completes. Is there a session timeout?:

@dafyre said in PowerShell - Script never completes. Is there a session timeout?:

ROFL. Not a problem. Things working as designed. Next!

For what it's worth, my post was intended to be framed from the standpoint of "what am I doing wrong??" rather than "what's wrong with the system?!". I figured I was missing something stupid.

Never hurts to have extra eyes. I didn't even think about the potential for this to be a scheduled job... God, I have a case of the Mondays.

Not your fault at all. I did not mention it in my OP. Whoops. Perhaps I'm the one with a case of the Mondays.

Welp, as near as I can tell my cluster of a script does exactly what I'm looking for. I've updated the Pastebin link for those who are curious (https://pastebin.com/0JvUrzQU).

It will analyze existing group memberships and remove users if they do not meet all of the following requirements:

The account no longer matches the specified $fileString The account is disabled The account does not reside within the $searchBase

Next, it will pull all accounts from the system, excludes existing members, and adds the remaining users to the group if they meet all of the following requirements:

The account is enabled The account matches the specified $fileString The account resides within the $searchBase The sAMAccountName does not contain a 1 (something we use internally) The Display Name does not contain the string 'test' (we do not have any users who have 'test' in their name yet :-D)

After the above is done, it writes the changes to a log file (which is overwritten each time the script runs) and if emails it off to a specified email address.

With SSDs and big RAM and crazy amounts of CPU, I bet you could get 20K or more users on a single Zimbra instance. Of course, at those sizes, you get into scary places with having 20K users in a single failure domain. That's why you start looking at other options when you get big. But for pure performance, I bet you could do that no problem.

Eventually, they have said that you will be able to connect UniFi gear as endpoints. But there is no date on that last I read.

Edit: Looks like Q1 2018

0_1505582769558_0f2bbba2-ab3f-4661-a2b0-352af50599ad-image.png

@storageninja said in Spiceworld Trip Cancelled Due to CA Legislation - Alternate Conference Suggestions?:

@anthonyh said in Spiceworld Trip Cancelled Due to CA Legislation - Alternate Conference Suggestions?:

So, I work for a government agency in California. Legislation was passed where the state will not reimburse underlying agencies for travel expenses to states that have law(s) on the book that "have the effect of voiding or repealing existing state or local protections against discrimination..."

Isn't this a breach of the interstate commerce clause?

Since when has anyone paid any attention to little things like the constitution?