This is to all the folks that still love to use Hyper-V
Look how easy and swift life can be.
so this thread:
https://mangolassi.it/topic/13635/saltstack-use-cases
Got me all excited about saltstack, I hope it remains Opensource and free and available forever.
And I really wanted Active Directory replacement, I don't have AD at my work, we do have centralized I.T services like XMPP server/Nextcloud/some machines have secure VNC installed but not all, but nothing to manage the Windows clients. Thus it depends on the users most of the time.
So WannaCry came up and the max I can do is download the patch and host it on our NAS, and email everyone with the link and steps on how to do it, and tell them I am available for support just reply to the email and I will try to VNC to the machine or go manually and apply it (we are talking about managing 100+ machines).
But that did test our infrastructure readiness for similar scenarios and it was poor and slow, cause it depends on the users, who you just can't trust on doing the right thing, sometimes they get so busy, some think that just downloading the .msu file patch to their desktop means that they did it and applied the patch without even running it.
So that got me trialing SaltStack:
I did the basic stuff, got a Centos 7 minimal machine (2 cpu/2 gb ram) and installed SaltStack using this info:
https://repo.saltstack.com/#rhel
Then create 2 folders:
mkdir /srv/salt/
mkdir /srv/pillar/
Then edit this file:
/etc/salt/master
And uncomment the following lines, keeping the default config for them.
interface #(change this to your machine IP)
publish_port
user
ret_port
root_dir: /
file_roots:
  base:
    - /srv/salt
pillar_roots:
  base:
    - /srv/pillar
Then ensure firewalld is allowing the ports (publish+ret) configured above to be opened or accessible in your LAN.
Currently I do not use SS for provisioning servers, or salt state files, but I reckon I will get to that once I am more knowledgeable with the tool
So the above covered the Centos Salt Master part, now for the minions, simply download the file:
https://repo.saltstack.com/#windows
And install it, during install you will be asked to provide the IP for the salt master + the ID name of the client minion machine. (It is important to come up with a minion naming plan prior)
And this covers the minion part, what I found is very interesting is that SS works even if the windows machine had kaspersky workstation security installed with everything set on high as well as UAC, usually kaspersky messes everything up.
Now go back to the Centos Salt master:
and type :
salt-key -L
You should see the new client minion name but it is not authorized, thus type:
salt-key -A
to authorize the windows minion to connect (you can enable in the salt master config to accept all requests by default)
Now the actual patch part, let's say our windows minion ID is 123 in this example:
Download wannacry patch and put in Centos Salt Master dir of /srv/salt.
and cd to that dir in the Master.
run the following on the Master:
salt '123' service.start 'wuauserv' && salt '123' cp.get_file salt://wannacry_patch_x64.msu C:/wannacry_patch_x64.msu && salt '123' cmd.run 'wusa.exe C:/wannacry_patch_x64.msu /quiet /norestart'
If you want the patch to work on selected machines, simply use salt -L '123,124' instead, and all machines use salt '*' instead.
The above command will apply the patch, without rebooting the machine.
salt '123' cmd.run 'wmic qfe | find "4012212"'
This is based on:
https://technet.microsoft.com/library/security/MS17-010
Windows 7 for x64-based Systems Service Pack 1
(4012212)
Security Only[1]
This will return to you that the user has it installed, the minion might need to reboot first then it will be listed, not sure.
salt '123' cmd.run 'del C:\wannacry_patch_x64.msu'
I know the above is rough and un-tidy, but I like to help in increasing the popularity of this awesome solution that I am trialing and it is stable and speedy and works, truly a GPO solution that works.
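The per-minion `wmic qfe` check from the post above, extended to a whole fleet. This is an added example and not part of the original post; the function names, the minion replies and the `KB0000001` entry are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find minions whose reply does
# not list a given hotfix, so patch status is checked for every machine
# instead of one minion at a time.
#
# Input is salt's default output, one block per minion:
#   minion_id:
#       indented command output

# missing_kb KB_NUMBER  < salt_output
# Prints the ID of every minion whose block never mentions KB_NUMBER.
# Minions that did not answer have no matching line either, so they are
# reported too and can be retried or visited.
missing_kb() {
    awk -v kb="$1" '
        function report() { if (id != "" && !seen) print id }
        # An unindented line ending in ":" starts a new minion block.
        /^[^[:space:]].*:$/ {
            report()
            id = substr($0, 1, length($0) - 1)
            seen = 0
            next
        }
        index($0, kb) { seen = 1 }
        END { report() }
    '
}

# Constructed sample of what
#   salt '*' cmd.run 'wmic qfe get HotFixID'
# could return for three minions (IDs and hotfix lists are made up).
sample_salt_output() {
    cat <<'EOF'
123:
    HotFixID
    KB0000001
    KB4012212
124:
    HotFixID
    KB0000001
125:
    Minion did not return. [No response]
EOF
}

# Demo on the constructed sample: prints 124 and 125.
sample_salt_output | missing_kb 4012212
```

On the master, pipe the real command into the function instead of the sample: `salt '*' cmd.run 'wmic qfe get HotFixID' | missing_kb 4012212`.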
@stacksofplates said in KVM in Production - Build it yourself:
I have 12 KVM hosts in production. For the very few machines that have stateful data, I use either the backup options built into the software/service that's running to a mounted location, my script, or I use ReaR. The rest of the systems are stored in Git.
Bare KVM is just fast and easy. I second that, but the issue there is no standard way to manage it, especially backups, so this leaves KVM a solution for person that knows much about, and usually the sole IT in that location, cause if there was other IT folks, they just pick ESXi or Hyper-V to ensure continuity.
Well what services do you use currently ?
Cause cloud for file sharing and storage can be great option. Also for small web sites.
Also CEOs just read email about Amazon and bam they are hooked like 7yr old kid, and they want to move everything to it, cause they read in the email that 33% cost reduction, 20% efficiency increase, 50% penis growth
and they actually believe it
Ever thought how come the word penis is pronounced peanus but we type it penis
I am now ..
@scottalanmiller said in If you are new drop in say hello and introduce yourself please!:
Welcome to @msff-amman-Itofficer from Jordan!
Hey,
I'm Emad Ramlawi, working at MSFF reconstructive surgery project in Amman Jordan.
My title currently is Information System Technician, but mostly referred to as I.T or I.T guy... and basically helping the organization in Amman to move to digital documents format, as well as supporting end users, and maintaining a couple of servers, and the network.
Oh let's not forget the printers, some days that's 90% of my job... supporting printers
Hi,
I know the community outgrew the Windows stuff, and favors Linux (Centos especially), but after being a reader in this community I wanted to share something, hopefully it might help someone and it is very Keep It Simple approach for backups for Windows environments and requires a Windows machine, preferably virtual machine, so here goes:
1)Download 7za.exe from:
http://www.7-zip.org/download.html
Either (old stable) Download 7-Zip 9.20 (2010-11-18) for Windows:
32-bit 7-Zip Command Line Version
Or (latest stable) Download 7-Zip 16.04 (2016-10-04) for Windows:
7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager
2)Extract 7za.exe from those archives to the root of your drive (preferably the 32-bit version for broader compatibility).
3)Now to create backup files you will need to use the following plan at the backup location (NAS) create 2 folders:
· Archives
· Mirror
Archives will have multiple versions of archives of the files you select to backup, while Mirror will always have latest sync of the backup, this is intended so we don’t archive the real source files, and instead we archive the Mirror folder.
4)Now on the server that has access to the source files and backup location, create the following .cmd file (Supply_Unit_Backup.cmd) on the Desktop for example, in a folder called Scripts (optional).
robocopy.exe /MIR "source folder" "backup Mirror folder"
C:\7za.exe a -ttar "backup Archives folder\date and time in a windows batch script.tar" "backup Mirror folder"
Real life example of the above:
robocopy.exe /MIR "\\192.168.1.200\Public\Supply Unit" "Z:\Supply_Unit_Backup\Mirror"
C:\7za.exe a -ttar "Z:\Supply_Unit_Backup\Archives\%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%__%TIME:~-11,2%hour.tar" "Z:\Supply_Unit_Backup\Mirror"
Do note Robocopy command will do the sync or mirroring of the files, from the source folder to the Mirror folder, and it can support many useful argument, for example if you wish to grab/backup only excel files you can do the following:
robocopy.exe /MIR "source folder" "backup Mirror folder" *.xls *.xlsx
Also if you want to backup only specific files using robocopy, you will need to run this command instead:
robocopy.exe /MIR "source folder" "backup Mirror folder" uCalendar.ini
And as seen above basically anything that will be placed in the Mirror we will take archive snapshot of it on regular intervals, and robocopy is good with network shares and incremental backup runs.
The 7za a -ttar is recommended (TAR format), but you can choose any other archiving/compression format, I think it makes sense to use 7z format, but the added bonus with .tar is that you can open it in Linux natively, and when you compare archiving file types with each other, there is no real performance winner. However if you want to compress files I highly recommend using 7z format, which can be done by this command:
C:\7za.exe a "backup Archives folder\date and time in a windows batch script.7z" "backup Mirror folder"
And this way you can compress and reduce your backup file sizes. However using tar archive (or 7z with zero compression) a.k.a archiving has its benefits against compression, it is performed much faster and you can test the archives easier, and theoretically reduces the chance of file corruption; cause it takes less time dealing with the file than with compression.
Now create task with Windows task scheduler to execute the cmd by pointing Windows Task Scheduler to run the script inside the scripts folder at different intervals, depending on your work nature and selected files this can vary from weekly backups to 3 times a day backup.
And you will have similar output like the below:
The fact that we used 24 hour naming scheme will make your life a lot easier recognizing those files, I guess the only limitation we have with this script is that you can’t run it each 1-59 minutes otherwise it will keep overwriting the same file over and over, for example if you ran the script 2 times at 11:01 and 11:20, you will get only 1 backup file, however if you ran it at 11:01 and 12:01 (hourly based) you will get 2 backup files.
For me this is not issue, cause I never handled situation where backups needed to be done on minutes bases, and I reckon that will be very interfering with the work, notice in the above screenshot I backup every 8PM + 1PM + 8AM, which translates in this company as after working hours when everybody leaves + break time + before working hours.
4)Retention policy:
Now that the backups are getting created you will notice that they can be populated quite easily, so you can create another cmd file (Purge_Backup.cmd) with the following command:
forfiles -p "backup Archives folder" -s -m *.* -d -8 -c "cmd /c del @file"
And have it run on a weekly basis, starting from the first working day of the week of the company, and what this will do is keep a week worth of backups always.
A real life example of this will be:
forfiles -p "Z:\Supply_Unit_Backup\Archives" -s -m *.* -d -8 -c "cmd /c del @path"
You can list files without deletion by:
forfiles -p "backup Archives folder" -s -m *.* -d -8 -c "cmd /c echo @file"
*note: UNC paths (\\machine\share) are not supported, you will need to MAP them to a drive letter.
5)You can then test the backups manually (tar files) by selecting them all and right clicking them on the backup destination -> 7-zip -> test archive (you will need to have 7zip installed for the context menu to appear), or test from command line and schedule it, but I didn’t need to do this cause once you use archiving with zero compression format, everything just works. Especially since we move the files to another location first then we backup. This seems like a good method to backup but may not be appealing if you have many large files.
You can test backups using
7za.exe t "backup Archives folder\*.tar" >backup_log.txt
Then open the txt file and ensure the backup test result is = "Everything is Ok".
Extra Stuff:
You can use 7za to capture many folders and generate 1 file using windows system variables and produce log and have notepad open it for end users, for example:
7za.exe a -ttar "Backup%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%__%TIME:~-11,2%hour.tar" "%USERPROFILE%\Desktop" "%USERPROFILE%\Documents" "%USERPROFILE%\Contacts" "%USERPROFILE%\Music" "%USERPROFILE%\Pictures" "%USERPROFILE%\Videos"
Will create backup folder, wherever you run this script and will take the following folders:
Desktop Music Documents Pictures Contacts Videos
And create single tar archive out of them. Then using this command:
7za.exe t "Backup*.tar" >backup_log.txt
msg * Notepad will open shortly. Please ensure the backup test result is "Everything is Ok".
notepad.exe backup_log.txt
You can instruct users on how to verify that their backups are complete. This can work as no software approach for users to backup manually, you will be surprised with 7za engine and how fast it can capture data and create the archive, especially since there is no GUI involved. Also with a bit of tinkering and closing programs like Outlook automatically by the script you can actually make it work. I also use with the above script that is more targeted for users with a program called everything which search using indexing of NTFS volumes and I can pass it:
Everything.exe -admin -s "*.pst | *.ost" which will show the user the location of their Outlook files, so they can add it in the backup folder, and tell them to only launch the script from inside of their N.A.S secure share on weekly/monthly basis.
Hello,
Just raising awareness of this project that caught my eye:
https://github.com/yueyongyue/saltshaker/blob/master/README.md
especially checking the screenshots. Sadly the instructions are not very clear:
https://github.com/yueyongyue/saltshaker/blob/master/install.txt
But I hope I can manage to install this on server separate from the salt master, and have it functioning with good guide.
Will keep you posted, and any help analyzing the instructions is welcome.
So I finally hit it in my job, yes I knew it and felt it very clear.
Now I am the IT supervisor that is in charge of new responsibility of paying the mobile communication bills, do you actually believe this?
And afterwards I have to create some sophisticated dashboard with a click of button that will detect old hardware age so we can replace it, using an outdated web solution that I have no part of, and was created by third party team.
How did I reach this place ... hopefully soon I will find quick escape. You see it coming and you're working with garbage but you never really know it will reach this low.
I asked for IT assistant.
IT separate room
IT level/salary increase.
But all those take ages, and many promises and words, and what do I get, a responsibility that has 0% IT skills in it
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
NVM this was fixed after a last ditch of finding this:
https://www.igniterealtime.org/projects/openfire/plugins-beta.jsp
Do note although the versions and history of the beta plugins look the same, but after downloading them and using the BETA file import/export everything worked as it should.
I was using the latest stable OF which is 4.1.3 and latest stable import/export plugin 2.6.0 however using the one at BETA page shown above fixed the issue.
I was fortunate enough to see Scale in action from friend and saw his lab of multiple nodes connected.
Scale does use KVM, and virt IO that is not secret, everyone can have this tech right now, but hypervisor alone is not enough, reminds me a bit of mobile processors and cpus, you can have the best cpu but without decent gpu + uncore + modem, it will be crap, and same can be said for scale they wrap KVM with amazing tech to make it hyper-converged in such easy manner. Those multiple nodes pool resources and you have very easy web GUI to manage VMs and easily move them and clone them and migrate them to other nodes.
So KVM or ESXi alone does not really cut it in this time and age. And scale magic is mostly in pooling storage in an effortless manner between nodes, and giving you all this in an easy web UI.
I like, especially if it was series that compares with XEN HA and KVM HA in high level overview of course. I found all his vids very easy to watch and learn from, and that is something rare for me especially for I.T videos.
After using Ovirt, and trying to configure it properly, I came to the conclusion that there is nothing better than a Vanilla KVM server, and backing it up using standard scripts, you want to feel extra fancy install cockpit.
Hi,
Quick guide on how to set up MariaDB like boss. I use Centos 7, but you can use whatever you want really.
yum install -y mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
Click no when first asked if your MariaDB installation has root password already, to create it. Then let us create rule on the firewall.
firewall-cmd --zone=public --add-service=mysql \
--permanent
There is bug with mysql_secure_installation, even if you pressed No to allow remote connections from root, it will still disallow it, also it is better to just answer "Y" to every question in mysql_secure_installation, even if you wish to remote manage it (you can use mysql work bench to manage it and connect via ssh tunnel from different machine as seen below).
Lets enable SQL STRICT MODE, so the database is more strict with dealing with invalid data.
mysql -uroot -pREPLACE_WITH_YOUR_ROOT_DB_PASS -e "SET GLOBAL sql_mode = 'STRICT_ALL_TABLES';";
mysql -uroot -pREPLACE_WITH_YOUR_ROOT_DB_PASS -e "SET SESSION sql_mode = 'STRICT_ALL_TABLES';";
You can double check your modes by:
mysql -uroot -pREPLACE_WITH_YOUR_ROOT_DB_PASS -e "SELECT @@SQL_MODE, @@GLOBAL.SQL_MODE;";
To backup your selected DB + triggers + events:
mysqldump --add-drop-database --events --triggers --routines -uroot -pREPLACE_WITH_YOUR_ROOT_DB_PASS --databases contacts_db > backup.sql
To Restore:
mysql -uroot -pREPLACE_WITH_YOUR_ROOT_DB_PASS < backup.sql;
To Optimize your DB
Use one of the ready templates mysql/mariadb creates for windows, here are they:
nano /etc/my.cnf
and add under [mysqld] only one of those below or customize it to your hardware
# # SMALL
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
key_buffer_size = 16K
max_allowed_packet = 1M
table_open_cache = 4
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# # MEDIUM
# This is for a system with little memory (32M - 64M) where MariaDB plays
# an important part, or systems up to 128M where MariaDB is used together with
# other programs (such as a web server)
#
key_buffer_size = 16M
max_allowed_packet = 1M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
# # LARGE
# This is for a large system with memory = 512M where the system runs mainly
# MariaDB.
key_buffer_size = 256M
max_allowed_packet = 1M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 8
# # HUGE
# This is for a large system with memory of 1G-2G where the system runs mainly
#MariaDB.
key_buffer_size = 384M
max_allowed_packet = 1M
table_open_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 8
And you can go on and increase depending on your hardware, using the above as template.
Renée J. James is an American technology executive, who was formerly the president of Intel. She is currently Chairman and CEO of Ampere Computing.
What's Ampere Computing?
James has been quietly building Ampere Computing’s business over the past few years, she didn’t want to reveal the company to the public before its semiconductor chips were ready and were tested by a few customers like Oracle, Microsoft, and Lenovo, James said.
Ampere has a prototype 3.3-GHz ARM-based processor, which it plans to launch later this year. Ampere, which was built from the ashes of Applied Micro, wants to take ARM into space where it currently has promise but little market share: the 64-bit chips that power servers and storage devices in the world’s data centres. Ampere has hundreds of employees, including 300 that it acquired from Applied Micro through an acquisition.
Ampere’s chips are based on designs from semiconductor company ARM Holdings, which has also recently licensed its computer chip designs to Qualcomm that could help the mobile chip giant create a data centre processor competitor to Intel.
James claims Ampere’s server chips are tailored to meet the needs of cloud computing giants like Microsoft that want more energy-efficient processors.
She said she recruited several computer chip veterans from Intel and its rival AMD to lead Ampere, and that her tenure at Intel has prepared her to start her own company. James’ final years at Intel involved dealing with shrinking sales in the company’s PC business as it shifted its focus to data centre chips.
Source:
https://www.fudzilla.com/news/processors/45547-former-intel-woman-guns-for-chipzilla-with-arm-chips
@gjacobse said in Huawei and ZTE handed 5G network ban in Australia:
Wider coverage and more stable connections than current 4G technology are also highlighted as benefits.
But they allowed them 4G? Seems 100% political decision.
Someone needs to check if the Australian government got check from Trump.
@wrcombs said in First Time Server Buy . . . Build. . .:
So after i get the server: what would be my first steps in setting up?
Any threads here on ML?
Each month/weeks try hypervisor on it, till you find the one you like the most.
Hyper-V
ESXi
KVM
And afterwards you will be knowledgeable of all stuff, try going deep a bit like Replication VMs and migration and backing up.
After you loved one brand of hypervisors, you can then build VMs on it for family/friends and treat them as clients like scott alan miller wrote about this idea a while back.
Hello,
I wanted to start topic that hopefully will be always updated and kinda pinned, listing all the guides and neat stuff we can do with saltstack, I use it to manage Windows clients mostly, so for me this will be like Active Directory replacement show case.
Want to hear your feedback and correct me if you see room for improvements, and share ideas as well.
This will not cover setting up Salt, just the techniques which I call playbooks (I know taken from Ansible).