I haven't used external snapshots for anything, but now that I am reading about them I should be using them more.
Best posts made by Romo
-
RE: KVM Snapshot/Backup Script
-
RE: mist.io Product Support
Seems like a really interesting product, wonder how well it really works. Just signed in for a test.
-
RE: Vultr adjusts its pricing
It's DigitalOcean's turn to either adjust pricing or really offer something more compelling to keep them the same. They are now 2x more expensive than Linode and Vultr.
-
RE: Powershell - Enabling MPIO and Failover Clustering on Hyper-V Server 2016
Configuring MPIO to automatically claim all iSCSI devices
Enable-MSDSMAutomaticClaim -BusType iSCSI
-
RE: Ubuntu Mate - Auto Launch
Using the GUI:
Go to
Control Center > Startup Applications Preferences > Add
Using CLI:
From your current user home, create the following file and add the following with your editor of choice.
vim .config/autostart/firefox.desktop
File contents:
[Desktop Entry]
Type=Application
Name=Firefox
Exec=/usr/bin/firefox
Comment="Optional"
X-MATE-Autostart-enabled=true
-
Question regarding lab setup for Starwind Virtual San Hyperconverged install on Hyper-V Server 2016
I am currently trying to build a 3 node setup in the lab, all of the Hyper V hosts have only one 150Gb disk available and 32Gb of ram.
According to the following screenshots from their documentation
Does this mean, since I am only using one disk, I need to create several partitions and set the Starwind storage pools to use them? Or will I be able to set on the
drive of a regular one partition install?
Just as a reminder this setup is only for testing purposes.
-
RE: Sudo without Password?
When using configuration management tools it does make things a lot easier to work with if you at least have one user with passwordless sudo. You really don't need to log in to the servers anymore, you only need to properly secure your ssh keys.
-
RE: ombutel.com
@black3dynamite said in ombutel.com:
What Linux distro is ombutel using?
FreePBX is using CentOS.
FusionPBX is using Debian.
They use CentOS 7.
-
RE: How to upgrade Snipe-IT on CentOS 7 that did not use git
@jaredbusch said in How to upgrade Snipe-IT on CentOS 7 that did not use git:
@ambarishrh said in How to upgrade Snipe-IT on CentOS 7 that did not use git:
@ambarishrh said in How to upgrade Snipe-IT on CentOS 7 that did not use git:
Invalid default value for 'locale'
I just updated .env and added APP_LOCALE=en executed again and it worked!
I never got that, it might be related to 4.
It is step 7 of the upgrade process to version 4.
-
RE: dhclient preventing network.service from starting
@dustinb3403 Does the system have a static IP assigned? Because if it does not, if I am not mistaken, NetworkManager should be managing dhclient by default.
You could have tried
sudo dhclient -r eth0
sudo dhclient eth0
or restarting NetworkManager.service, it should have fixed your problem.
-
RE: Installing Snipe-IT on CentOS 7 and MariaDB
Do steps 1-4 from the official guide - https://snipe-it.readme.io/docs/upgrading-to-v4. Step 3 is not required if no one else is using the app. Run the commands as the apache user (sudo -u apache .........)
5- Follow along the first part from @JaredBusch guide to upgrade your install to use git
git clone https://github.com/snipe/snipe-it temp
rm -rf /var/www/html/snipeit/.git*
mv temp/.git* /var/www/html/snipeit/
rm -rf temp/
cd /var/www/html/snipeit/
git reset --hard origin/master
git pull --force
chown -R apache:apache /var/www/html/snipeit/
6- Run the following as apache user as @JaredBusch guide recommends.
sudo -u apache php composer.phar install --no-dev --prefer-source
sudo -u apache php composer.phar dump-autoload
7- Add APP_LOCALE=en to your .env file.
8- Double-check that your storage directory and all sub-directories are writable by apache user
9- Apply db migrations as the apache user
sudo -u apache php artisan migrate
10- Open your .env file again and change your current APP_KEY to LEGACY_APP_KEY and add a new APP_KEY= to the file. So assuming both fields are the last ones of the file, your .env file should look like this with the changes:
....
....
LEGACY_APP_KEY=thisisyourpreviouskey
APP_KEY=
Save your .env file with the changes and run
sudo -u apache php artisan key:generate
sudo -u apache php artisan config:clear
sudo -u apache php artisan snipeit:legacy-recrypt
If you get a "Whoops" error when you try to login or refresh your Snipe-IT page, you probably forgot to clear your browser cookies. That error happens because we use a more encryption cipher to encrypt your data (including sessions), and clearing your browser should fix that.
11 - If you put the site on maintenance bring it up (sudo -u apache php artisan up) and go to your snipeit url.
-
RE: Installing the Rocket.Chat Snap on LXD
@travisdh1 He is running that command inside the container named rocketchat
-
RE: What is KVM Best Management Tools in 2017?
@olivier said in What is KVM Best Management Tools in 2017?:
Do you know any valid API that can be called remotely and doing also network and storage operations?
I can't figure why I can't find this.
Maybe checkout the libvirt api?
From the guide:
2.1 Object model
The scope of the libvirt API and the Python libvirt module is intended to extend to all functions necessary for deployment and management of virtual machines. This entails management of both the core hypervisor functions and host resources that are required by virtual machines, such as networking, storage and PCI/USB devices. Most of the classes and methods exposed by libvirt have a pluggable internal backend, allowing support for different underlying virtualization technologies and operating systems. Thus, the extent of the functionality available from a particular API or method is determined by the specific hypervisor driver in use and the capabilities of the underlying virtualization technology.
2.3. Remote management
While many virtualization technologies provide a remote management capability, libvirt does not assume this and provides a dedicated driver allowing for remote management of any libvirt hypervisor driver. The driver has a variety of data transports providing considerable security for the data communication. The driver is designed such that there is 100% functional equivalence whether talking to the libvirt driver locally, or via the RPC service.
In addition to the native RPC service included in libvirt, there are a number of alternatives for remote management that will not be discussed in this document. The libvirt-qpid project provides an agent for the QPid messaging service, exposing all libvirt managed objects and operations over the message bus. This keeps a fairly close, near 1-to-1, mapping to the C API in libvirt. The libvirt-CIM project provides a CIM agent, that maps the libvirt object model onto the DMTF virtualization schema.
-
RE: Anyone have a script to rip apart traceroute
@reid-cooper said in Anyone have a script to rip apart traceroute:
SmokePing
@JaredBusch maybe try using Scapy to get what you want? It can do plotting and graphing and many other things, just have to read through the documentation.
Ex: A simple traceroute to mangolassi.it from my work computer with a graph.
>>> res, unans = traceroute("mangolassi.it",dport=443,maxttl=20)
Begin emission:
****Finished to send 20 packets.
****************
Received 20 packets, got 20 answers, remaining 0 packets
   104.25.46.32:tcp443
1  189.211.38.162  11
2  200.78.150.113  11
3  200.78.150.49   11
4  148.240.205.13  11
5  213.248.97.166  11
6  213.248.97.166  11
7  62.115.32.214   11
8  104.25.46.32    SA
9  104.25.46.32    SA
10 104.25.46.32    SA
11 104.25.46.32    SA
12 104.25.46.32    SA
13 104.25.46.32    SA
14 104.25.46.32    SA
15 104.25.46.32    SA
16 104.25.46.32    SA
17 104.25.46.32    SA
18 104.25.46.32    SA
19 104.25.46.32    SA
20 104.25.46.32    SA
>>> res.graph()
-
RE: SodiumSuite sign up temporarily frozen?
The register now button in the hero image is redirecting properly to https://sodium.waxquixotic.com/companyCreation, so new accounts can indeed register.
-
RE: Can some one explain CPU shares|Weight-sum|weight
It is not really needed to tinker with CPU priorities unless you really, really know what you are doing.
Setting CPU scheduling and priorities on docker containers is just like doing it on any other Linux process; it is just tinkering with the CFS scheduler, which is the Linux kernel default scheduler.
So basically, do you set CPU schedules, limits and priorities for any other linux process? Most probably the answer will be no because you let the kernel and its default scheduler handle things without worrying about them. But if you know what you are doing and need those kinds of kernel features go ahead and tinker with them.
We just always need to remember, Docker containers are not VMs
Edit:
Right from the docker documentation:
-
RE: Fedora Install Issues on Dell PowerEdge R740
The documentation says text mode doesn't allow LVM setup
But the installer does allow the option now so that probably means they have been working on it
-
Help troubleshooting L2TP over IPSEC VPN connections.
So we have the VPN setup and it is working currently for 3 out of 4 users. I have been dealing with the problematic connection but can't figure out how to solve the issue. I'd really appreciate any help you guys can provide.
L2TP over IPSEC VPN
VPN Server: EdgeRouter PoE 5 v1.10.5
Client: Windows 10 v1709 build 16299.579
Windows Side
Client is properly reaching the VPN server even though the Windows error says the server is unreachable (logs below). Don't really think the problem lies on the Windows side but still, I have checked the Windows setup and everything is set according to documentation and the same as the other working clients. The machine has been rebooted (several times) and I have even uninstalled and reinstalled the WAN Miniport interfaces.
Edge Router Side
Full log - sudo swanctl --log while trying to connect.
06[NET] received packet: from USER_PUBLIC_IP[500] to EDGE_ROUTER_IP[500] (408 bytes)
06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
06[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
06[IKE] received NAT-T (RFC 3947) vendor ID
06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
06[IKE] received FRAGMENTATION vendor ID
06[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
06[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
06[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
06[IKE] USER_PUBLIC_IP is initiating a Main Mode IKE_SA
06[ENC] generating ID_PROT response 0 [ SA V V V ]
06[NET] sending packet: from EDGE_ROUTER_IP[500] to USER_PUBLIC_IP[500] (136 bytes)
01[NET] received packet: from USER_PUBLIC_IP[500] to EDGE_ROUTER_IP[500] (228 bytes)
01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
01[IKE] remote host is behind NAT
01[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
01[NET] sending packet: from EDGE_ROUTER_IP[500] to USER_PUBLIC_IP[500] (212 bytes)
05[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (76 bytes)
05[ENC] parsed ID_PROT request 0 [ ID HASH ]
05[CFG] looking for pre-shared key peer configs matching EDGE_ROUTER_IP...USER_PUBLIC_IP[192.168.0.16]
05[CFG] selected peer config "remote-access"
05[IKE] IKE_SA remote-access[63] established between EDGE_ROUTER_IP[EDGE_ROUTER_IP]...USER_PUBLIC_IP[192.168.0.16]
05[IKE] DPD not supported by peer, disabled
05[ENC] generating ID_PROT response 0 [ ID HASH ]
05[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (76 bytes)
09[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (444 bytes)
09[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
09[IKE] received 3600s lifetime, configured 0s
09[IKE] received 250000000 lifebytes, configured 0
09[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
09[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (204 bytes)
13[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (60 bytes)
13[ENC] parsed QUICK_MODE request 1 [ HASH ]
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[IKE] unable to install IPsec policies (SPD) in kernel
13[KNL] deleting policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out failed, not found
13[KNL] deleting policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in failed, not found
13[KNL] deleting policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out failed, not found
13[KNL] deleting policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in failed, not found
13[IKE] sending DELETE for ESP CHILD_SA with SPI 740d890e
13[ENC] generating INFORMATIONAL_V1 request 3087336472 [ HASH D ]
13[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (76 bytes)
14[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (76 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2912129370 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI 740d890e
14[IKE] CHILD_SA not found, ignored
04[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (92 bytes)
04[ENC] parsed INFORMATIONAL_V1 request 1035896583 [ HASH D ]
04[IKE] received DELETE for IKE_SA remote-access[63]
04[IKE] deleting IKE_SA remote-access[63] between EDGE_ROUTER_IP[EDGE_ROUTER_IP]...USER_PUBLIC_IP[192.168.0.16]
Checking the logs, I can see everything is working properly until these messages start to appear.
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
It can't install the policy for reqid 35 because there is an existing reqid (14) which has the same policy.
Indeed there is, policy remote-access policy 14 is a child of remote-access 28
remote-access: #28, ESTABLISHED, IKEv1, 2dba0e93f1dc2f3c:4a212e556a07f9b7
  local  'EDGE_ROUTER_IP' @ EDGE_ROUTER_IP
  remote '192.168.0.8' @ USER_PUBLIC_IP
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 75540s ago
  remote-access: #14, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 75207 ago
    in  c9a20ab8, 2965565 bytes, 32775 packets, 8314s ago
    out 8fadd716, 44934358 bytes, 50838 packets, 8268s ago
    local  EDGE_ROUTER_IP/32[udp/l2f]
    remote USER_PUBLIC_IP/32[udp/l2f]
This leads me to believe the user may already be connected via another machine, but the user doesn't show as online when using show vpn remote-access.
Any idea how to fix the conflict with the duplicate policies and why it is happening?
Only thing I haven't done is rebooting the edge router since other users are working fine and don't want to cause a disruption for them.
-
RE: Help troubleshooting L2TP over IPSEC VPN connections.
Here is our issue https://wiki.strongswan.org/issues/431, it was fixed 3 years ago when version 5.3 of strongSwan came out.
I had not found what strongSwan version we were using, I just assumed we were using something newer. Then I found that our edge router is using strongSwan 5.2.2.
Here is our version.
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
  uptime: 3 days, since Aug 06 22:12:40 2018
  malloc: sbrk 376832, mmap 0, used 295456, free 81376
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:
From here https://community.ubnt.com/t5/EdgeMAX-Feature-Requests/Upgrade-to-strongswan-5-6-x/idi-p/1507341 we see a change to strongSwan 5.5.x has been accepted, don't know when it will be available.
strongSwan 5.3 + can now handle identical policies by reusing the same reqid. This allows identical CHILD_SAs to the same host.
So that probably means multiple machines behind NAT could also work when the fix is implemented.
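
One way to pull the reqid conflicts out of a charon log like the one in the question, and to check the daemon version against the 5.3 threshold named in the answer. This is an added example, not part of the original posts; the function names are hypothetical and the sample input is a constructed excerpt in the format of the log and status banner quoted above.

```python
import re

# Constructed sample: a trimmed excerpt in the format of the charon log quoted above.
SAMPLE_LOG = """\
05[IKE] IKE_SA remote-access[63] established between EDGE_ROUTER_IP[EDGE_ROUTER_IP]...USER_PUBLIC_IP[192.168.0.16]
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[IKE] unable to install IPsec policies (SPD) in kernel
"""
SAMPLE_STATUS = "Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):"

CONFLICT = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out) "
    r".*?for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists")
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between "
    r".*\.\.\.(?P<peer>\S+)\[(?P<peer_id>[^\]]+)\]")
VERSION = re.compile(r"strongSwan (\d+)\.(\d+)")

def find_conflicts(log_text):
    """Return de-duplicated reqid conflicts, each tagged with the IKE_SA that preceded it."""
    conflicts, seen, last_sa = [], set(), None
    for line in log_text.splitlines():
        sa = ESTABLISHED.search(line)
        if sa:
            last_sa = sa.groupdict()
            continue
        hit = CONFLICT.search(line)
        if hit:
            key = tuple(hit.groupdict().values())
            if key not in seen:  # charon logs each failed install twice
                seen.add(key)
                conflicts.append({**hit.groupdict(), "ike_sa": last_sa})
    return conflicts

def predates_reqid_reuse(status_banner):
    """True if the banner reports a strongSwan older than 5.3, None if no version is found."""
    m = VERSION.search(status_banner)
    if not m:
        return None
    return (int(m[1]), int(m[2])) < (5, 3)

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LOG):
        peer = c["ike_sa"]["peer_id"] if c["ike_sa"] else "unknown"
        print(f"{c['dir']}: new reqid {c['new']} blocked by reqid {c['old']} (peer id {peer})")
    print("older than 5.3:", predates_reqid_reuse(SAMPLE_STATUS))
```

The blocking reqid in each result is the number to look for in the list of installed CHILD_SAs, and the peer id shows which client behind the shared public address was refused.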