Is anyone here using an offline cloud backup site? If so how are you doing it? How long would it take to spin everything up?

In my azure classes I learned about creating a warm backup site that is offline to save cost. You can set RPO and RTO for each set of resources depending on criticality. The offline backups still cost money to store, and you need to send changes often (defaults are 30 seconds, 5 minutes, or 15 minutes) to have an up to date recovery site.

Sure cloud storage isnt cheap, but neither is having another datacenter and the infrastructure needed to switch over. Not to mention the amount of man hours it takes to configure an offsite datacenter or colo. With Azure or AWS the networks are created in much quicker logical fashion. It is actually easier to do things right since you can spin up virtual devices with a click of a button.

I know if you have a large company, offsite datacenter would be cheaper since you have thousands of servers and equipment to worry about. Likely you need a hot site if you are at this scale anyway. This does seem to make sense for SMBs that have a hundred servers.

Thoughts?

@Dashrender said in Azure Warm Backup Site:

How are you dealing with onsite servers versus offsite? A VPN? The network component can be a PITA to say the least.

How do you do the tests? Do you disable all the local servers, then boot up the cloud versions?

I've never actually been through that process - so I'm really asking.

For a relatively small amount of traffic you can use a VPN through Azure which is really easy to setup. If you need a dedicated connection, you can setup an Azure Express Route

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/

VPN

Express Route

Expres Route with VPN failover

@scottalanmiller said in Azure Warm Backup Site:

@IRJ said in Azure Warm Backup Site:

Both places had under 250 employees and had offside data centers.

But had on prem for their primary workloads?

We had a very old core that only supported a few apps and none of them were SaaS at the time

@wrx7m said in Using dnf-automatic to keep Fedora up to date:

@scottalanmiller said in Using dnf-automatic to keep Fedora up to date:

@wrx7m said in Using dnf-automatic to keep Fedora up to date:

@scottalanmiller said in Using dnf-automatic to keep Fedora up to date:

@wrx7m said in Using dnf-automatic to keep Fedora up to date:

@scottalanmiller said in Using dnf-automatic to keep Fedora up to date:

@wrx7m said in Using dnf-automatic to keep Fedora up to date:

@JaredBusch said in Using dnf-automatic to keep Fedora up to date:

/etc/dnf/automatic.conf

Does this use a built-in smtp server to send emails? What if I want to have it log into an office 365 account to send messages?

That's what the SMTP Server (aka an MTA) would be for. The SMTP server is literally the thing that logs into O365 or Gmail or whatever.

I understand that, I wanted to know if there was another config file somewhere for dnf-automatic to specify this information.

I don't believe so, I think that the SMTP config is the only place.

OK. So, since I most likely need to install a mail server to accomplish this, is postfix the best one for this?

Yes, definitely. It's well known, easy to configure, and the default on most all systems (and definitely all that use DNF.)

Down the rabbit hole I go. Needed a squid proxy server. Then needed fail2ban, then dnf-automatic, now postfix.

However this command works just fine...

sudo qemu-img convert -f qcow2 -O vhdx secureonion.qcow2 secureonion.vhdx

@Romo said in QUEMU/KVM to Azure:

@IRJ Try this:

qemu-img.exe convert source.qcow2 -O vpc -o subformat=fixed dest.vhd

This appeared to work. I haven't gotten a chance to test yet, but it's larger in size compared to vhdx as I'd expect.

The exe part just needs to be dropped.

sudo qemu-img convert source.qcow2 -O vpc -o subformat=fixed dest.vhd

@wrx7m said in Postfix on Fedora 29 - Why Can't I Send Mail?:

I am setting up Postfix on Fedora 29 to send notifications for dnf-automatic and fail2ban. This server is running on Vultr and I am trying to send from DomainB.com to DomainA.com. DomainB is a new domain that hasn't been used for anything and DomainA is our main email domain, setup on Office 365.

In the postfix logs, I am getting connection timed out -

Mar 18 17:19:41 HOSTNAME postfix/qmgr[4085]: EEE853EE90: from=<[email protected]>, size=465, nrcpt=1 (queue active)
Mar 18 17:20:11 HOSTNAME postfix/smtp[9703]: connect to domainA-com.mail.protection.outlook.com[104.47.48.36]:25: Connection timed out

I have tried disabling firewalld, but still have the same issue. Not sure where the hangup is. Any suggestions on what to check?

I just went through this on Friday

I upgraded using copr repository yesterday. I am really liking it! Much more responsive and it looks much nicer with the new icons.

I lost my keyboard shortcuts unfortunately, so I will need to recreate those. Overall I am very impressed.

In case anyone else is interested...

https://copr.fedorainfracloud.org/coprs/paulcarroty/Gnome_3.32/

Everything is migrated over to new server. I confirmed that domain is resolving to the new server. I was not able to grab a new cert, but the old one appears to be working fine. Maybe it's because I was requesting a cert for the same domain?

It definitely needs to be done automatically not manually. There are plenty of products out there that can do this type of monitoring and dashboards out of the box. Why setup a website to do it manually?

@IRJ said in How to screen record the session:

I might make a cleaner guide for this
https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility

So I tested this and got it working, but I can just delete the file at the end of my session since it is in my home directory. No privilege elevation even needed.

@black3dynamite said in How to screen record the session:

@IRJ said in How to screen record the session:

@black3dynamite said in How to screen record the session:

Using the script command can make typescript of terminal session.

https://www.tecmint.com/record-and-replay-linux-terminal-session-commands-using-script/

https://noise.getoto.net/2016/06/14/how-to-record-ssh-sessions-established-through-a-bastion-host/

https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility#25725

User can easily delete though

What about using something like chattr or SELinux to prevent deletion?
https://serverfault.com/questions/448891/how-to-prevent-file-owner-from-changing-deleting-their-own-file-linux-centos

Do you think using auditd would be better?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing

@JaredBusch said in Performance Advantages to Splitting Applications from Databases:

@gtech said in Performance Advantages to Splitting Applications from Databases:

Is there any performance increase when you separate your SQL server from the Application in cases where the application allows it?

The short answer is no. Read Scott’s reply for details.

Right and performance can decrease even more if you have SSL termination between these roles.

I am trying to configure my new laptop to dual boot between fedora and windows 10. When I received the laptop, it was configured with Ubuntu and windows 10 dual boot.

So I blew away Ubuntu and installed fedora. I was told to encrypt the disk for the Fedora install, which I did.

The system boots up to fedora and asks me for a password as it should with drive encryption. However, I cannot load windows 10 at all.

First of all is it possible to dual boot with encrypted drive?

If so I need help

I ran the following commands:

sudo mkdir -p /etc/ssl/certs /etc/ssl/private

sudo openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem

Here is my config file:

server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server;
    listen            [::]:443;
    ssl on;
    ssl_certificate /etc/ssl/certs/kibana-access.pem;
    ssl_certificate_key /etc/ssl/private/kibana-access.key;
    access_log            /var/log/nginx/nginx.access.log;
    error_log            /var/log/nginx/nginx.error.log;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://kibana-server-ip:5601/;
    }
}

@scottalanmiller said in KVM/QEMU DNS:

Technically those affect hostnames, not DNS names. "DNS name" technically means "not using the hosts file." Semantics, but important to note for someone reading this that it doesn't actually do what was asked, but does what was meant.

For a lot of people, the hostname and the DNS name are synonymous, but they are actually different things. And sometimes when troubleshooting networks, it matters quite a lot as both often exist.

Right since you are technically not using the Domain Name Service. You are just statically mapping a host to an IP.

I had a fun morning so far

I got to boot up to my encrypted drive, unlock the drive and Ubuntu freezes afterwards. So after doing some duckduckgo fu, it appears that this is problem related to Nvidia drivers that people are having across different systems with Nvidia cards. Well my machine doesnt have Nvidia, but I try the fix anyway to boot up without video drivers. No fix

So I boot up in recovery mode and try to update Ubuntu to see if there are any issues then a lightbulb goes off in my brain. I installed selinux yesterday and had no rebooted since.

So I run

sudo apt remove selinux

The package is removed and I quickly reboot my pc thinking I figured it out. Still no joy!

So I start removing everything I did yesterday and still no luck! I reboot in desperation and try removing selinux again

sudo apt remove selinux 

Ubuntu then tells me its already removed, but I can also remove all these other related packages by running:

sudo apt autoremove

I reboot and success!!!

I didn't see my exact problem anyway on the interwebs so I wanted to post my resolution here in case anyone runs into this issue.

@black3dynamite said in Cannot boot to LUKS encrypted drive on Ubuntu - freezes after unlocking drive:

@travisdh1 Is it possible that AppArmor installed by default on all ubuntu installation? Having AppArmor and SELinux both active can cause problems.

I'd love to hear a bit more about apparmor. I am not familiar with it at all. This should be a new thread.

@dyasny said in KVM/QEMU DNS:

libvirt has dnsmasq built in, to serve DHCP. It can also be configured to serve DNS to the libvirt NAT network, and the host.

This is an example of a working configuration: https://fabianlee.org/2018/10/22/kvm-using-dnsmasq-for-libvirt-dns-resolution/

Pretty cool. Thanks.