Linux – Derek Demuro, Software Engineer (https://www.derekdemuro.com)

Monitoring the kingdom… ZABBIX!
https://www.derekdemuro.com/2020/06/01/proxmox-ve-udev-spam-udevmonitor/
Mon, 01 Jun 2020 05:10:21 +0000

For a while, we’ve been trying to get proper monitoring at TakeLAN, on my home servers, and for customers. After a lot of work, tune-ups, and changes, we finally made it: we got the perfect monitoring setup.

Monitoring…

DHT22 sensor.

In the datacenters we own, we’ve installed DHT22 sensors to monitor the intake and exhaust temperature of the room; with that, we can get an idea of the heat produced and its circulation. (There’s another sensor above some servers for extra monitoring, but we don’t pay attention to those readings since we also monitor the temperature of the servers.)

This exact aluminum case with a Raspi4

Those and our friendly Raspberry Pi 4 were enough to monitor both UPSs and the temperature of one of the rooms.

The changes gave us peace of mind that at low cost, we could also keep historical data on it and use it as a primary jump host for techs and admins.

Setting up those DHT22 sensors was easy enough: we wrote some apps to monitor both and to calibrate them precisely against the temperature and humidity inside the room.
This Raspberry Pi is also in charge of reporting the temperature from other sensors, so it must stay operational; we should remove this single point of failure. Still, the UPSs don’t support this operation over USB, and I’m looking into multiplexing options to detect a failure of this device and switch over.

Backups!

It’s no secret: I run multiple servers in my house, and I also have a detached garage, which comes in very handy for remote backups!

The backup happens over powerline (yeah yeah, I have two gigabit network wires running to the garage, but powerline was more comfortable!)

Again, it’s a Raspberry Pi 4 with two 10 TB hard drives plugged in, which receive a copy of my zpool, media, storage, LXC containers, and QEMU backups.
I guess if we need to grow, we’ll continue to use USB since we don’t write full blast to it, and it’s mainly archival… if we ever need to recover, more than likely we’ll pick up the drives and plug them straight into a machine.

Exact model being used for backups.

For this to happen, we had to retrofit the garage with an exhaust fan on the roof to keep the garage fresh enough for this device’s regular operation, and I also hooked them up in the roof gable to avoid vibrations of the air compressor and what not.

With this, we have covered the main points, monitoring, and backup.

Sync between datacenters

We opted for rsync + lsyncd.

This is the example we use to sync TX01 server to LA, KS and SEC.

-- General Settings
local sourcesandtargets = require('syncfolders')

settings {
        logfile = "/var/log/lsyncd.log",
        statusFile = "/var/run/lsyncd/lsyncd.status",
        pidfile = "/var/run/lsyncd/lsyncd.pid",
        maxDelays = 4000,
        insist = true,
        maxProcesses = 20
}

--------------------------------------------------------------------------
-- LAX TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------
----------------------------------------------------------------- Bind Transfers

sync {
        default.rsyncssh,
        source = "/var/lib/bind",
        targetdir = "/var/lib/bind",
        host = "lsyncd-vmin.la.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        settings { maxProcesses = 1 },
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/var/lib/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/bind",
        targetdir = "/etc/bind",
        host = "lsyncd-vmin.la.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        settings { maxProcesses = 1 },
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}
--------------------------------------------------------------------------
-- LAX TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------

--------------------------------------------------------------------------
-- KAN TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------
----------------------------------------------------------------- Bind Transfers

sync {
        default.rsyncssh,
        source = "/var/lib/bind",
        targetdir = "/var/lib/bind",
        host = "lsyncd-vmin.ks.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        settings { maxProcesses = 1 },
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/var/lib/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/bind",
        targetdir = "/etc/bind",
        host = "lsyncd-vmin.ks.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        settings { maxProcesses = 1 },
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}
--------------------------------------------------------------------------
-- KAN TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------

--------------------------------------------------------------------------
-- SEC TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------
----------------------------------------------------------------- Default to transfer home files (mail, websites, etc)

for _, sourcesandtargets in ipairs( sourcesandtargets )
do
        sync {
                default.rsyncssh,
                source = sourcesandtargets,
                targetdir = sourcesandtargets,
                host = "lsyncd-vmin.nj.takelan.com",
                excludeFrom = "/etc/lsyncd/exclude",
                exclude = { "*.log", "*.tmp", "*~", "*.swp" },
                settings { maxProcesses = 1 },
                delay = 300,
                delete = "running",
                rsync = {
                        binary = "/etc/lsyncd/locking_rsync.sh",
                        backup = true,
                        backup_dir = "/var/lsyncdbackup/",
                        archive = true,
                        links = true,
                        update = true,
                        append_verify = true,
                        temp_dir = "/tmp/",
                },
        }
end

----------------------------------------------------------------- Bind Transfers

sync {
        default.rsyncssh,
        source = "/var/lib/bind",
        targetdir = "/var/lib/bind",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/var/lib/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/bind",
        targetdir = "/etc/bind",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        delay = 0,
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/bind/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

----------------------------------------------------------------- Apache Transfers

sync {
        default.rsyncssh,
        source = "/etc/apache2",
        targetdir = "/etc/apache2",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/apache2/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

----------------------------------------------------------------- Logrotate Transfers

sync {
        default.rsyncssh,
        source = "/etc/logrotate.d",
        targetdir = "/etc/logrotate.d",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/logrotate.d/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

----------------------------------------------------------------- Cronjobs Transfers

sync {
        default.rsyncssh,
        source = "/var/spool/cron/crontabs",
        targetdir = "/var/spool/cron/crontabs",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/var/spool/cron/crontabs/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/cron.d",
        targetdir = "/etc/cron.d",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/cron.d/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/cron.daily",
        targetdir = "/etc/cron.daily",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/cron.daily/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/cron.hourly",
        targetdir = "/etc/cron.hourly",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/cron.hourly/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/cron.monthly",
        targetdir = "/etc/cron.monthly",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/cron.monthly/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

sync {
        default.rsyncssh,
        source = "/etc/cron.weekly",
        targetdir = "/etc/cron.weekly",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/cron.weekly/",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}

------- THIS ONE MUST USE RSYNC DIRECTLY!
sync {
        default.rsyncssh,
        source = "/etc",
        targetdir = "/etc",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/usr/bin/rsync",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/crontab/",
                archive = true,
                links = true,
                update = true,
                _extra = { "--include=crontab", "--exclude=*" },
                temp_dir = "/tmp/",
        },
}
------- THIS ONE MUST USE RSYNC DIRECTLY!
----------------------------------------------------------------- Webmin Transfers

sync {
        default.rsyncssh,
        source = "/etc/webmin",
        targetdir = "/etc/webmin",
        host = "lsyncd-vmin.nj.takelan.com",
        excludeFrom = "/etc/lsyncd/exclude",
        exclude = { "*.log", "*.tmp", "*~", "*.swp" },
        delete = "running",
        rsync = {
                binary = "/etc/lsyncd/locking_rsync.sh",
                backup = true,
                backup_dir = "/var/lsyncdbackup/etc/webmin",
                archive = true,
                links = true,
                update = true,
                temp_dir = "/tmp/",
        },
}
--------------------------------------------------------------------------
-- SEC TRANSFER DETAILS                                                 --
--------------------------------------------------------------------------

This image may explain the sync.

Picture from zabbix to show the interconnection between datacenters.

As you see, we keep servers in sync for some critical services to make sure if a location fails, we can still respond, namely (SEC01 & TX01).

This way, we ensure that changes on one server reach the others. Now, a classic sync problem: should we copy open files? No, not really, so for that we created a wrapper around rsync.

#!/bin/bash
# REMEMBER TO MOUNT THIS FOLDER!
# sshfs#root@vmin01.tx.takelan.com:/opt/scripts/locks /opt/scripts/locks fuse delay_connect,defaults,idmap=user,IdentityFile=/root/.ssh/id_rsa,port=22,uid=0,gid=0,allow_other 0 0

### Definitions
OPENFILES_SLEEP_TIME=5
SLEEP_TIME=25
MAX_WAIT=3600
LOCKFILE_FOLDER='/opt/scripts/locks'
LOCK_FILE="$LOCKFILE_FOLDER/rsync-lock"
FOLDER_HOST='vmin01'
HOSTNAME=`hostname`
# Rsync wrapper to avoid copying partial - opened files...
RSYNC_BINARY="/usr/bin/rsync"

echo "Running locking with $@" >> /root/params.log
source=(${@: -2})

#---------------------------------------------------------------> Functions

# Call this function to decide the final destiny of the sync.
function checkOrDie() {
    mountpoint $LOCKFILE_FOLDER > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "Failure... exiting due to mountpoint failure."
        exit 0
    fi
    return 0
}

# Check if the mountpoint is mounted and working...
function checkMountpoint() {
    mountpoint $LOCKFILE_FOLDER > /dev/null 2>&1

    if [ $? -eq 0 ]; then
        echo "Success: Everything is okay."
    else
        umount -f $LOCKFILE_FOLDER
        mount $LOCKFILE_FOLDER
        checkOrDie
    fi
    return 0
}

# Verify the lock mountpoint, unless this host is the one hosting the lock folder
function checkMountpointWorks() {
    if [ $HOSTNAME == $FOLDER_HOST ]; then
        echo "I'm the folder host... so skipping"
    else
        checkMountpoint
    fi
    return 0
}

# Remove lockfile if exists
function removeLockfile() {
    if [ -f $LOCK_FILE ]; then
        cat $LOCK_FILE | grep $HOSTNAME > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "Lockfile exists and its mine, removing"
            rm $LOCK_FILE
        fi
    fi
    return 0
}

# Removes the lock even if it belongs to someone else
function forceRemoveLock(){
    if [ -f $LOCK_FILE ]; then
        LOCKCONTENT=`cat $LOCK_FILE`
        echo "Lockfile exists and belongs to $LOCKCONTENT! since im forcing... removing"
        rm $LOCK_FILE
    fi
    return 0
}

# Create the lockfile with my hostname
function createLockfile() {
    echo $HOSTNAME > $LOCK_FILE
    return 0
}

# Check if source has open files
function checkForOpenFiles() {
    echo "Checking ${source[0]} for open files..."
    lsof +D "${source[0]}" | tail -n +2 | awk '{ print $4 ";" $9 }' | grep -v 'cwd;' | grep -v 'dovecot' > /dev/null 2>&1
    hasOpenFiles=$?
    echo "Has open files, returned $hasOpenFiles"
    while [ $hasOpenFiles -eq 0 ]; do
        echo "It seems like we do have open files... blocking sync!"
        # Avoid CPU pinning
        echo "Sleeping for $OPENFILES_SLEEP_TIME"
        sleep $OPENFILES_SLEEP_TIME
        # Differential sleep
        sleep $(( ( RANDOM % 5 ) + 1 ))s
        # Re-check after sleeping so the loop condition sees a fresh result.
        # This could take a bit...
        lsof +D "${source[0]}" | tail -n +2 | awk '{ print $4 ";" $9 }' | grep -v 'cwd;' | grep -v 'dovecot' > /dev/null 2>&1
        hasOpenFiles=$?
        echo "Has open files, returned $hasOpenFiles"
    done
    echo "Done checking... calling rsync!"
    return 0
}

#---------------------------------------------------------------> Functions

#---------------------------------------------------------------> Main Program

# Make sure the mount is working properly
checkMountpointWorks

# Check if file exists, wait for global lock to go away
if [ ! -f "$LOCK_FILE" ]; then
    echo "Executing lock..."
    createLockfile
    echo "Checking for open files..."
    echo "Syncing!"

# Wait for the lock file to expire or until removed.
else
    NUM_SECS=$(( $(date +%s) - $(stat -c %Y "$LOCK_FILE") ))
    while [ -f "$LOCK_FILE" ] && (( NUM_SECS < MAX_WAIT )); do
        sleep $SLEEP_TIME
        # Differential sleep
        sleep $(( ( RANDOM % 10 ) + 1 ))s
        if [ -f "$LOCK_FILE" ]; then
            NUM_SECS=$(( $(date +%s) - $(stat -c %Y "$LOCK_FILE") ))
            echo "Lockfile exists for: $NUM_SECS seconds..."
        else
            break
        fi
    done
    echo "Maximum wait reached or file removed on remote end"
    forceRemoveLock
    createLockfile
    echo "Syncing!"
fi

# Stop to check for open files
checkForOpenFiles

# Start syncing
$RSYNC_BINARY "$@"
rsync_res=$?

# Cleanup
echo "Rsync finished with status $rsync_res..."
removeLockfile
exit $rsync_res
#---------------------------------------------------------------> Main Program

This script wraps the rsync call made by lsyncd and checks that the origin doesn’t currently have open files before we initiate a copy.
Yes, this won’t guarantee that at that EXACT moment, there are no open files, but… remember it’s just a bandwidth saving operation, not a critical one.
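
The wrapper's `if [ ! -f $LOCK_FILE ]` followed by `createLockfile` is a check-then-create sequence, so two hosts can both pass the check and both believe they hold the lock, and `grep $HOSTNAME` also matches any hostname that merely contains the owner's name. The following is an added example, not part of the original script: it takes the lock with an exclusive create (`set -C`, noclobber) and releases it only on an exact owner match. The function names are hypothetical, and it assumes GNU `stat` and that the sshfs-mounted lock folder honors exclusive create.

```bash
#!/bin/bash
# Added example (not the author's wrapper). All function names are hypothetical.
# Assumes GNU stat and a lock directory whose filesystem honors O_EXCL.

# Try to take the lock in one atomic step.
# With noclobber (set -C) the shell opens the target with O_CREAT|O_EXCL,
# so "does it exist?" and "create it" cannot be interleaved by another host.
# Returns 0 if we now own the lock, non-zero if somebody else already has it.
acquire_lock() {
    lock_file=$1
    owner=$2
    ( set -C; printf '%s\n' "$owner" > "$lock_file" ) 2>/dev/null
}

# Print the lock's age in seconds, or -1 if there is no lock file.
lock_age() {
    lock_file=$1
    mtime=$(stat -c %Y "$lock_file" 2>/dev/null) || { echo -1; return 0; }
    echo $(( $(date +%s) - mtime ))
}

# Remove the lock only if its whole content equals our owner string.
# An exact comparison avoids "vmin01" matching a lock written by "vmin011".
release_lock() {
    lock_file=$1
    owner=$2
    [ -f "$lock_file" ] || return 1
    if [ "$(cat "$lock_file" 2>/dev/null)" = "$owner" ]; then
        rm -f -- "$lock_file"
    else
        return 1
    fi
}

# Block until the lock is ours. A lock older than max_wait seconds is treated
# as abandoned and removed, mirroring the MAX_WAIT logic of the wrapper; the
# retry then goes through acquire_lock again, so only one waiter can win.
wait_for_lock() {
    lock_file=$1
    owner=$2
    max_wait=$3
    poll=$4
    while ! acquire_lock "$lock_file" "$owner"; do
        age=$(lock_age "$lock_file")
        if [ "$age" -ge "$max_wait" ]; then
            echo "Lock held by $(cat "$lock_file" 2>/dev/null) is ${age}s old, taking over" >&2
            rm -f -- "$lock_file"
            continue
        fi
        sleep "$poll"
    done
    return 0
}
```

In the wrapper this would replace the `if [ ! -f $LOCK_FILE ]` block with a single `wait_for_lock "$LOCK_FILE" "$HOSTNAME" "$MAX_WAIT" "$SLEEP_TIME"` call, followed by `release_lock` after rsync returns.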

I got tired of typing, but this covers a large part of our monitoring and maintenance.

See ya in post 2!

Compiling Qemu-KVM
https://www.derekdemuro.com/2016/07/07/compiling-qemu-kvm/
Thu, 07 Jul 2016 06:28:09 +0000

Let’s compile KVM – QEMU from scratch on Debian Jessie

This… will take a long ass time!

mkdir -p /usr/local/libexec
mkdir -p /usr/local/lib/qemu
mkdir -p /usr/local/var
mkdir -p /usr/local/share/doc
 
cd /usr/local/src/
git clone git://git.qemu-project.org/qemu.git
# configure and make below must run from inside the cloned source tree
cd qemu
 
sudo aptitude install libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev libaio-dev \
    libbluetooth-dev libbrlapi-dev libbz2-dev  libcap-dev libcap-ng-dev libcurl4-gnutls-dev \
    libgtk-3-dev libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev librbd-dev \
    librdmacm-dev libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev \
    libvde-dev libvdeplug-dev libvte-2.90-dev libxen-dev liblzo2-dev valgrind xfslibs-dev \
    gnutls-dev libiscsi-dev libgoogle-perftools-dev libspice-protocol-dev libspice-server-dev \
    libusb-dev libusb-1.0-0-dev libusbredirparser-dev libusbredirparser1 libnfs-dev
 
./configure --target-list=i386-linux-user,i386-softmmu,x86_64-linux-user,x86_64-softmmu --enable-system \
    --enable-sdl --enable-gtk --enable-vte --enable-kvm --enable-bzip2 --enable-libssh2 --enable-linux-user \
    --enable-docs --enable-gnutls --enable-nettle --enable-curses --enable-modules --enable-virtfs \
    --enable-curl --enable-fdt --enable-rdma --enable-uuid --enable-vde --enable-linux-aio --enable-cap-ng \
    --enable-attr --enable-vhost-net --enable-spice --enable-rbd --enable-libiscsi --enable-libnfs --enable-libusb \
    --enable-usb-redir --enable-lzo --enable-snappy --enable-seccomp --enable-coroutine-pool --enable-glusterfs \
    --enable-tpm --enable-vhdx --enable-numa --enable-tcmalloc
 
make -j4    # set -j to your core count
 
checkinstall -D    # this creates the .deb package; make sure to fill in version, package name, etc.
 
dpkg -i <just created package>
qemu-system-x86_64 --version    # check it's your version

Find attached my .deb if you’re too lazy for that.

Meet these requirements first, before using my .deb!!

apt-get install libdrm-intel1 libdrm-nouveau2 libdrm-radeon1 libgl1-mesa-glx libdrm2 libelf1 libglapi-mesa \
    libllvm3.5 libpciaccess0 libtxc-dxtn-s2tc0 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 \
    libxcb-present0 libxcb-sync1 libxshmfence1 libxxf86vm1 libgl1-mesa-dri libglib2.0 libfdt \
    libpixman-1 zlib1g libaio libbluetooth libbrlapi libbz2 libcap libcap-ng libcurl4-gnutls \
    libgtk-3 libibverbs libjpeg8 libncurses5 libnuma librbd librdmacm libsasl2 libsdl1.2 libseccomp \
    libsnappy libssh2-1 libvde libvdeplug libvte-2.90 libxen liblzo2 xfslibs gnutls libiscsi \
    libgoogle-perftools libgoogle-perftools4 libspice-protocol libspice-server libusb libusb-1.0-0 \
    libusbredirparser1 libnfs4 libnfs8

If you’re missing packages… then… here you also have my apt sources.list

#------------------------------------------------------------------------------#
#                   OFFICIAL DEBIAN REPOS                    
#------------------------------------------------------------------------------#
 
###### Debian Main Repos
deb https://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src https://ftp.us.debian.org/debian/ jessie main contrib non-free
 
###### Debian Update Repos
deb https://security.debian.org/ jessie/updates main contrib non-free
deb https://ftp.us.debian.org/debian/ jessie-proposed-updates main contrib non-free
deb-src https://security.debian.org/ jessie/updates main contrib non-free
deb-src https://ftp.us.debian.org/debian/ jessie-proposed-updates main contrib non-free
 
#------------------------------------------------------------------------------#
#                      UNOFFICIAL  REPOS                       #
#------------------------------------------------------------------------------#
 
###### 3rd Party Binary Repos
 
#### Debian Mozilla team - https://mozilla.debian.net/
## Run this command: apt-get install pkg-mozilla-archive-keyring
deb https://mozilla.debian.net/ jessie-backports firefox-release
 
#### Debian Multimedia - https://deb-multimedia.org/
## Run this command: apt-get update && apt-get install deb-multimedia-keyring && apt-get update
deb https://www.deb-multimedia.org stable main non-free
 
#### Dotdeb - https://www.dotdeb.org
## Run this command: wget -q -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add -
deb https://packages.dotdeb.org oldstable all
 
 
####### 3rd Party Source Repos
 
#### Dotdeb (Source) - https://www.dotdeb.org
## Run this command: wget -q -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add -
deb-src https://packages.dotdeb.org oldstable all
 
deb https://cloudmin.virtualmin.com/kvm/debian binary/

Install missing keyrings!

apt-get install pkg-mozilla-archive-keyring
apt-get update && apt-get install deb-multimedia-keyring && apt-get update
wget -q -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add -

Fix Virtualbox USB Passthrough
https://www.derekdemuro.com/2016/07/01/fix-virtualbox-usb-passthrough/
Fri, 01 Jul 2016 06:22:40 +0000

Why Virtualbox… why… why do package maintainers do this to us!

Well, guys, as usual, I post things that annoy me and how to fix them. So when my horrible memory forgets how to fix a simple issue, I know I can come back to my notes and figure it out again.

So, I’m typing this from my OpenSUSE Tumbleweed, installed Virtualbox from official repos (Package from the website has broken dependencies… figuring that out is more annoying than anything…).

As usual, go to your software center, as shown below. And check the following packages are installed.

Yeah yeah, I know what you’re going to say. I tried to install the packages from the website, YES I DID!

Just make sure the following is installed.

If all of that is in place, then you’re probably missing two things. Add yourself to the VirtualBox group, as shown next, and you’re probably missing a udev rule, which I’ll provide or tell you how to symlink.

Okay as you can see with my user, I’ve added myself to the group.

hpprotumble:/home/ddemuro # cd /etc/udev/rules.d/
hpprotumble:/etc/udev/rules.d # vim 60-vboxdrv.rules
 
#
# COPY THE FOLLOWING TO THAT FILE!.
#
 
KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660"                                          
#                                                                                                                         
#these lines below give access permission to vboxusers to properly work with usb nodes, but enabling them could be security risk (bnc#664520) !!
#if you can live with this security problem put these lines below in to the new file /etc/udev/rules.d/60-vboxdrv.rules so they will stay enabled also after package update
SUBSYSTEM=="usb_device", ACTION=="add", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass} vboxusers"       
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass} vboxusers"
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh --remove $major $minor"                               
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/udev/VBoxCreateUSBNode.sh --remove $major $minor"

Final step and most important… REBOOT!

Fix VNC has been configured on this system by Cloudmin, but the VNC server on port 590…
https://www.derekdemuro.com/2016/06/06/fix-vnc-has-been-configured-on-this-system-by-cloudmin-but-the-vnc-server-on-port-590/
Mon, 06 Jun 2016 06:26:23 +0000

This Cloudmin issue drove me nuts, but then it clicked why it didn’t work.

If, for some reason, VNC magically stops working after you configure your network or your server, the answer is as simple as your hosts file.

root@mvd01:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       mvd01.takelan.com       mvd01
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
 
# If we consider 127.0.1.1       mvd01.takelan.com       mvd01 as localhost MAKE SURE your HOSTNAME is THERE!
root@mvd01:~# cat /etc/hostname
mvd01.takelan.com

Your hostname MUST be declared in the Hosts file (as 127.0.0.x)…

After you’ve fixed that, try it again, and it should be working just fine.

LUKS Drive Encryption
https://www.derekdemuro.com/2015/10/23/luks-drive-encryption/
Fri, 23 Oct 2015 06:30:46 +0000

LUKS keys… and LUKS encrypted drives:

Warning: Always back up the LUKS header before performing any maintenance on the hard drive!

How to backup the luks header:
Drive: /dev/sdb [Example]

Name: /tmp/mybackup [Example]

cryptsetup luksHeaderBackup $DRIVE --header-backup-file $NAME

Add a LUKS key:

Deckey: Your passphrase key for decrypting your drive [first key when setting up the encrypted drive].

Slot: LUKS has 8 possible slots, so you have to tell it where to store the key; it ranges from 0 to 7.

Keylocation: Store the key you want to use somewhere, and pass its path there. Example /tmp/mykey, this is the safest way.

echo "$DECKEY" | cryptsetup luksAddKey --key-slot "$SLOT" "$DRIVE" "$KEYLOCATION"

Remove a LUKS key:

Using specific passphrase:

cryptsetup luksRemoveKey $DRIVE

Using a kill-slot, you can now use any passphrase remaining on the header to kill it:

cryptsetup luksKillSlot $DRIVE $SLOT

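In both cases, you input the passphrase; there’s no further confirmation. If you want to remove it programmatically:

# PASSPHRASE holds the passphrase that would otherwise be typed at the prompt
echo "$PASSPHRASE" | cryptsetup luksRemoveKey "$DRIVE"
echo "$PASSPHRASE" | cryptsetup luksKillSlot "$DRIVE" "$SLOT"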

Now you can backup the header, remove the key, add the key…

Restore backup header:

PathToBackup: format /tmp/backupfile

cryptsetup luksHeaderRestore $DRIVE --header-backup-file $PATHTOBACKUP

Drive will be now restored; watch out, if the wrong backup file is used, your data may be now scrambled eggs.

]]>
https://www.derekdemuro.com/2015/10/23/luks-drive-encryption/feed/ 0 3241
Information about plugged-in devices in the motherboard
https://www.derekdemuro.com/2015/07/29/information-about-plugged-in-devices-in-the-motherboard/
Wed, 29 Jul 2015 06:36:50 +0000

Finding out information about the devices plugged into the motherboard without opening the machine.

dmidecode -t memory

The command above should output something similar to this:

# dmidecode 2.11
SMBIOS 2.8 present.
# SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.
 
Handle 0x0044, DMI type 16, 23 bytes
Physical Memory Array
        Location: System Board Or Motherboard
        Use: System Memory
        Error Correction Type: None
        Maximum Capacity: 32 GB
        Error Information Handle: Not Provided
        Number Of Devices: 4
 
Handle 0x0045, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0044
        Error Information Handle: Not Provided
        Total Width: Unknown
        Data Width: Unknown
        Size: No Module Installed
        Form Factor: DIMM
        Set: None
        Locator: DIMM_A1
        Bank Locator: BANK 0
        Type: Unknown
        Type Detail: None
        Speed: Unknown
        Manufacturer: [Empty]
        Serial Number: [Empty]
        Asset Tag: Not Specified
        Part Number: [Empty]
        Rank: Unknown
        Configured Clock Speed: Unknown
 
Handle 0x0046, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0044
        Error Information Handle: Not Provided
        Total Width: 64 bits
        Data Width: 64 bits
        Size: 8192 MB
        Form Factor: DIMM
        Set: None
        Locator: DIMM_A2
        Bank Locator: BANK 1
        Type: DDR3
        Type Detail: Synchronous
        Speed: 1600 MHz
        Manufacturer: Kingston
        Serial Number: 73389D10
        Asset Tag: 9876543210
        Part Number: KHX1866C10D3/8GX 
        Rank: 2
        Configured Clock Speed: 1600 MHz
 
Handle 0x0047, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0044
        Error Information Handle: Not Provided
        Total Width: Unknown
        Data Width: Unknown
        Size: No Module Installed
        Form Factor: DIMM
        Set: None
        Locator: DIMM_B1
        Bank Locator: BANK 2
        Type: Unknown
        Type Detail: None
        Speed: Unknown
        Manufacturer: [Empty]
        Serial Number: [Empty]
        Asset Tag: Not Specified
        Part Number: [Empty]
        Rank: Unknown
        Configured Clock Speed: Unknown
 
Handle 0x0048, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0044
        Error Information Handle: Not Provided
        Total Width: 64 bits
        Data Width: 64 bits
        Size: 8192 MB
        Form Factor: DIMM
        Set: None
        Locator: DIMM_B2
        Bank Locator: BANK 3
        Type: DDR3
        Type Detail: Synchronous
        Speed: 1600 MHz
        Manufacturer: Kingston
        Serial Number: 7338AA10
        Asset Tag: 9876543210
        Part Number: KHX1866C10D3/8GX 
        Rank: 2
        Configured Clock Speed: 1600 MHz

Congratulations, you now know you are only using two banks out of 3, as well as the system’s maximum supported memory.

PCI Devices:

root@mvd02:~# lspci
00:00.0 Host bridge: Intel Corporation 4 Series Chipset DRAM Controller (rev 03)
00:02.0 VGA compatible controller: Intel Corporation 4 Series Chipset Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation 4 Series Chipset Integrated Graphics Controller (rev 03)
00:03.0 Communication controller: Intel Corporation 4 Series Chipset HECI Controller (rev 03)
00:03.2 IDE interface: Intel Corporation 4 Series Chipset PT IDER Controller (rev 03)
00:03.3 Serial controller: Intel Corporation 4 Series Chipset Serial KT Controller (rev 03)
00:19.0 Ethernet controller: Intel Corporation 82567LM-3 Gigabit Network Connection (rev 02)
00:1a.0 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #4 (rev 02)
00:1a.1 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #5 (rev 02)
00:1a.2 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #6 (rev 02)
00:1a.7 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB2 EHCI Controller #2 (rev 02)
00:1b.0 Audio device: Intel Corporation 82801JD/DO (ICH10 Family) HD Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801JD/DO (ICH10 Family) PCI Express Port 1 (rev 02)
00:1c.4 PCI bridge: Intel Corporation 82801JD/DO (ICH10 Family) PCI Express Port 5 (rev 02)
00:1d.0 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #1 (rev 02)
00:1d.1 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #2 (rev 02)
00:1d.2 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #3 (rev 02)
00:1d.7 USB controller: Intel Corporation 82801JD/DO (ICH10 Family) USB2 EHCI Controller #1 (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a2)
00:1f.0 ISA bridge: Intel Corporation 82801JDO (ICH10DO) LPC Interface Controller (rev 02)
00:1f.2 SATA controller: Intel Corporation 82801JD/DO (ICH10 Family) SATA AHCI Controller (rev 02)
10:01.0 Ethernet controller: Digium, Inc. Wildcard TDM410 4-port analog card (rev 11)
 
root@mvd02:~# lspci -nn
00:00.0 Host bridge [0600]: Intel Corporation 4 Series Chipset DRAM Controller [8086:2e10] (rev 03)
00:02.0 VGA compatible controller [0300]: Intel Corporation 4 Series Chipset Integrated Graphics Controller [8086:2e12] (rev 03)
00:02.1 Display controller [0380]: Intel Corporation 4 Series Chipset Integrated Graphics Controller [8086:2e13] (rev 03)
00:03.0 Communication controller [0780]: Intel Corporation 4 Series Chipset HECI Controller [8086:2e14] (rev 03)
00:03.2 IDE interface [0101]: Intel Corporation 4 Series Chipset PT IDER Controller [8086:2e16] (rev 03)
00:03.3 Serial controller [0700]: Intel Corporation 4 Series Chipset Serial KT Controller [8086:2e17] (rev 03)
00:19.0 Ethernet controller [0200]: Intel Corporation 82567LM-3 Gigabit Network Connection [8086:10de] (rev 02)
00:1a.0 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #4 [8086:3a67] (rev 02)
00:1a.1 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #5 [8086:3a68] (rev 02)
00:1a.2 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #6 [8086:3a69] (rev 02)
00:1a.7 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB2 EHCI Controller #2 [8086:3a6c] (rev 02)
00:1b.0 Audio device [0403]: Intel Corporation 82801JD/DO (ICH10 Family) HD Audio Controller [8086:3a6e] (rev 02)
00:1c.0 PCI bridge [0604]: Intel Corporation 82801JD/DO (ICH10 Family) PCI Express Port 1 [8086:3a70] (rev 02)
00:1c.4 PCI bridge [0604]: Intel Corporation 82801JD/DO (ICH10 Family) PCI Express Port 5 [8086:3a78] (rev 02)
00:1d.0 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #1 [8086:3a64] (rev 02)
00:1d.1 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #2 [8086:3a65] (rev 02)
00:1d.2 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB UHCI Controller #3 [8086:3a66] (rev 02)
00:1d.7 USB controller [0c03]: Intel Corporation 82801JD/DO (ICH10 Family) USB2 EHCI Controller #1 [8086:3a6a] (rev 02)
00:1e.0 PCI bridge [0604]: Intel Corporation 82801 PCI Bridge [8086:244e] (rev a2)
00:1f.0 ISA bridge [0601]: Intel Corporation 82801JDO (ICH10DO) LPC Interface Controller [8086:3a14] (rev 02)
00:1f.2 SATA controller [0106]: Intel Corporation 82801JD/DO (ICH10 Family) SATA AHCI Controller [8086:3a02] (rev 02)
10:01.0 Ethernet controller [0200]: Digium, Inc. Wildcard TDM410 4-port analog card [d161:8005] (rev 11)
 
root@mvd02:~# lspci -t
-[0000:00]-+-00.0
           +-02.0
           +-02.1
           +-03.0
           +-03.2
           +-03.3
           +-19.0
           +-1a.0
           +-1a.1
           +-1a.2
           +-1a.7
           +-1b.0
           +-1c.0-[20]--
           +-1c.4-[30]--
           +-1d.0
           +-1d.1
           +-1d.2
           +-1d.7
           +-1e.0-[10]----01.0
           +-1f.0
           \-1f.2

USB Devices:

root@mvd02:~# lsusb
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 002: ID 046d:c534 Logitech, Inc. 
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 0bc2:231b Seagate RSS LLC 
Bus 006 Device 002: ID 0bc2:ab34 Seagate RSS LLC 
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
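
The plain lsusb listing above is also enough to spot a device that does not belong on the machine. This added example, which is not part of the original post, compares each vendor:product ID against a baseline file; the function names and the baseline path are hypothetical, and the sample lines are the lsusb output shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flag USB devices that are not in
# a baseline of vendor:product IDs, reading the plain `lsusb` line format.

# stdin: `lsusb` output. $1: allowlist file, one vvvv:pppp per line, '#'
# starts a comment. Prints "bus/device id description" per unknown device.
unexpected_usb() {
    awk -v allow="$1" '
        BEGIN {
            # Load the baseline; a missing file leaves it empty, so every
            # device is reported.
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
            close(allow)
        }
        $1 == "Bus" && $3 == "Device" && $5 == "ID" {
            id = tolower($6)
            if (id in ok) next
            desc = ""
            for (i = 7; i <= NF; i++) desc = desc (i > 7 ? " " : "") $i
            if (desc == "") desc = "(no description)"
            dev = $4
            sub(/:$/, "", dev)
            printf "%s/%s %s %s\n", $2, dev, id, desc
        }'
}

# The lsusb output from this page, embedded so the check can be tried offline.
sample_lsusb() {
    cat <<'EOF'
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 002: ID 046d:c534 Logitech, Inc. 
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 0bc2:231b Seagate RSS LLC 
Bus 006 Device 002: ID 0bc2:ab34 Seagate RSS LLC 
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
EOF
}

# On a live host (baseline path is an assumption):
#   lsusb | unexpected_usb /etc/usb-baseline.txt
```

With a baseline that lists the root hubs, the Logitech receiver and one of the two Seagate drives, only the other drive (0bc2:231b on bus 006) is reported.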
 
root@mvd02:~# lsusb -t
/:  Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
    |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 1: Dev 2, If 1, Class=Human Interface Device, Driver=usbhid, 12M
/:  Bus 07.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M
/:  Bus 06.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 2: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
/:  Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
 
root@mvd02:~# lsusb -v
 
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0002 2.0 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 ehci_hcd
  iProduct                2 EHCI Host Controller
  iSerial                 1 0000:00:1d.7
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0004  1x 4 bytes
        bInterval              12
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             6
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood       10 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x06
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
   Port 3: 0000.0100 power
   Port 4: 0000.0100 power
   Port 5: 0000.0100 power
   Port 6: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 008 Device 002: ID 046d:c534 Logitech, Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x046d Logitech, Inc.
  idProduct          0xc534 
  bcdDevice           29.00
  iManufacturer           1 Logitech
  iProduct                2 USB Receiver
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           59
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          4 RQR29.00_B0015
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower               98mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      59
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               8
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     177
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0014  1x 20 bytes
        bInterval               2
Device Status:     0x0000
  (Bus Powered)
 
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1d.2
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0103 power enable connect
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1d.1
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1d.0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 006 Device 003: ID 0bc2:231b Seagate RSS LLC 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0bc2 Seagate RSS LLC
  idProduct          0x231b 
  bcdDevice           18.05
  iManufacturer           1 Seagate
  iProduct                2 Expansion
  iSerial                 3 NA87MAPY
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           85
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       1
      bNumEndpoints           4
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     98 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Command pipe (0x01)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Status pipe (0x02)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Data-in pipe (0x03)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Data-out pipe (0x04)
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength           22
  bNumDeviceCaps          2
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000f0e
      Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000e
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat          10 micro seconds
    bU2DevExitLat          32 micro seconds
Device Status:     0x0000
  (Bus Powered)
 
Bus 006 Device 002: ID 0bc2:ab34 Seagate RSS LLC 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0bc2 Seagate RSS LLC
  idProduct          0xab34 
  bcdDevice            1.00
  iManufacturer           2 Seagate
  iProduct                3 Backup+  Desk
  iSerial                 1 NA7E39ZH
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           85
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       1
      bNumEndpoints           4
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     98 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Data-in pipe (0x03)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Data-out pipe (0x04)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Status pipe (0x02)
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        Command pipe (0x01)
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength           22
  bNumDeviceCaps          2
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000002
      Link Power Management (LPM) Supported
  SuperSpeed USB Device Capability:
    bLength                10
    bDescriptorType        16
    bDevCapabilityType      3
    bmAttributes         0x00
    wSpeedsSupported   0x000e
      Device can operate at Full Speed (12Mbps)
      Device can operate at High Speed (480Mbps)
      Device can operate at SuperSpeed (5Gbps)
    bFunctionalitySupport   1
      Lowest fully-functional device speed is Full Speed (12Mbps)
    bU1DevExitLat          10 micro seconds
    bU2DevExitLat        2047 micro seconds
Device Status:     0x0001
  Self Powered
 
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0002 2.0 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 ehci_hcd
  iProduct                2 EHCI Host Controller
  iSerial                 1 0000:00:1a.7
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0004  1x 4 bytes
        bInterval              12
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             6
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood       10 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0503 highspeed power enable connect
   Port 2: 0000.0503 highspeed power enable connect
   Port 3: 0000.0100 power
   Port 4: 0000.0100 power
   Port 5: 0000.0100 power
   Port 6: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1a.2
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1a.1
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
 
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor           0x1d6b Linux Foundation
  idProduct          0x0001 1.1 root hub
  bcdDevice            3.16
  iManufacturer           3 Linux 3.16.7-ckt25 uhci_hcd
  iProduct                2 UHCI Host Controller
  iSerial                 1 0000:00:1a.0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255
Hub Descriptor:
  bLength               9
  bDescriptorType      41
  nNbrPorts             2
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
  bPwrOn2PwrGood        1 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
   Port 1: 0000.0100 power
   Port 2: 0000.0100 power
Device Status:     0x0001
  Self Powered
KVM Nested virtualization Ubuntu 12.04 bug.
https://www.derekdemuro.com/2015/07/29/kvm-nested-virtualization-ubuntu-12-04-bug/
Wed, 29 Jul 2015 06:34:09 +0000

KVM Nested virtualization.

For my current project, I needed to perform nested virtualization on KVM using Ubuntu 12.04, and I found that the VM would pause itself after showing the BIOS.

That error led me to the logs, where this line caught my attention:

KVM: entry failed, hardware error 0x80000021
 
If you're running a guest on an Intel machine without unrestricted mode
support, the failure can be most likely due to the guest entering an invalid
state for Intel VT. For example, the guest is maybe running in a real big mode, which is not supported on less recent Intel processors.
 
EAX=00000011 EBX=00000000 ECX=00000030 EDX=00007baa
ESI=c007deba EDI=00038110 EBP=00000000 ESP=00007baa
EIP=00000370 EFL=00010006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0030 0009aef0 ffffffff 0000f300 DPL=3 DS16 [-WA]
CS =9a60 0009a630 0000ffff 00009b00 DPL=0 CS16 [-RA]
SS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
DS =0030 0009aef0 ffffffff 0000f300 DPL=3 DS16 [-WA]
FS =0030 0009aef0 ffffffff 0000f300 DPL=3 DS16 [-WA]
GS =0030 0009aef0 ffffffff 0000f300 DPL=3 DS16 [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT=     0009af30 00000037
IDT=     00000000 0000ffff
CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=66 0f 01 16 40 00 66 0f 01 1e 78 00 0f 20 c0 0c 01 0f 22 c0 <66> ea a4 00 00 00 08 00 0f 20 c0 24 fe 0f 22 c0 ff 2e 7e 00 2e a1 14 08 8e d8 8e c0 8e e0
handle_dev_stop: stop

Digging further, I found out it’s a known issue with the 12.04 kernel. After that, 400 patches came along and cleared the whole issue, and now I can perform nested virtualization without problems. Updating the kernel fixed it, but how did we do it?

  1. In the KVM host, make sure you have nested VT enabled.
  2. Reboot, and make sure the change is still there when the machine comes back.
  3. Test nested virtualization, and if, like me, you need three levels of virtualization, perform the same changes on the second-level host.
  4. Reboot the 2nd level host.
  5. Check the changes are still there.
  6. If so, you have your 3rd level of hardware-assisted VT.
# Check whether nested virtualization is enabled (Y means enabled):
cat /sys/module/kvm_intel/parameters/nested
Y
systool -m kvm_intel -v   | grep -i nested

# Otherwise, you can add the option to modprobe (Intel):
echo "options kvm-intel nested=y" > /etc/modprobe.d/dist.conf
# or
echo "options kvm-intel nested=y" > /etc/modprobe.d/kvm.conf

# For AMD (1 enables nested virtualization, 0 disables it):
echo "options kvm-amd nested=1" > /etc/modprobe.d/kvm.conf

With that, you can now run your second-level host with the following parameters so that it sees that it has VT.

--enable-kvm --cpu host
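The checks in steps 2 and 5 (is nested still on after the reboot, and does this level see VT) can be scripted so they run the same way on every level. This is an added example, not part of the original post; the function names and the overridable paths are this example's own.

```shell
#!/bin/sh
# Added example: verify nested VT on a KVM host or on a nested (second-level) host.
# All paths can be overridden so the functions can be exercised on constructed files.

# nested_state [modules_dir]
# One line per loaded KVM vendor module: "intel:enabled", "amd:disabled", ...
# Prints "none" when neither kvm_intel nor kvm_amd is loaded.
nested_state() {
    root="${1:-/sys/module}"
    found=0
    for mod in kvm_intel kvm_amd; do
        param="$root/$mod/parameters/nested"
        [ -r "$param" ] || continue
        found=1
        value=$(cat "$param")
        case "$value" in
            Y|y|1) state=enabled ;;   # the value is Y/N or 1/0 depending on module and kernel
            N|n|0) state=disabled ;;
            *)     state="unknown($value)" ;;
        esac
        echo "${mod#kvm_}:$state"
    done
    [ "$found" -eq 1 ] || echo "none"
}

# cpu_has_vt [cpuinfo_file]
# Returns 0 when the CPU flags list vmx (Intel) or svm (AMD), i.e. this level sees VT.
cpu_has_vt() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "vmx" || $i == "svm") found = 1 }
         END { exit !found }' "${1:-/proc/cpuinfo}" 2>/dev/null
}

# modprobe_persists [modprobe_dir]
# Returns 0 when a modprobe.d file enables nested for kvm-intel or kvm-amd,
# which is what makes the setting survive the reboot.
modprobe_persists() {
    dir="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*options[[:space:]]+kvm[-_](intel|amd)[[:space:]]+(.*[[:space:]])?nested=(1|[Yy])([[:space:]]|$)' \
        "$dir"/*.conf
}

# nested_report [modules_dir] [cpuinfo_file] [modprobe_dir]
# Human-readable summary of the three checks; always returns 0.
nested_report() {
    echo "kvm module state : $(nested_state "${1:-}" | tr '\n' ' ')"
    if cpu_has_vt "${2:-}"; then
        echo "cpu flags        : vmx/svm present"
    else
        echo "cpu flags        : no vmx/svm (VT is not exposed at this level)"
    fi
    if modprobe_persists "${3:-}"; then
        echo "modprobe.d       : nested option set, survives reboot"
    else
        echo "modprobe.d       : no persistent nested option"
    fi
    return 0
}

nested_report
```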

The perfect server.
https://www.derekdemuro.com/2014/10/21/the-perfect-server/
Tue, 21 Oct 2014 06:39:16 +0000

The basics:

Virtualmin is a powerful and flexible web hosting control panel for Linux and UNIX systems based on the well-known Open Source web-based systems management GUI, Webmin. Manage your virtual domains, mailboxes, databases, applications, and the entire server, from one comprehensive and friendly interface.

I recommend using Virtualmin; it made my life so EASY: managing mail accounts, FTP, websites, Nginx, firewall… everything!

But like every tool, it doesn’t cover everything, and that’s the idea of this guide. Yes, I just made your life way more comfortable! But how about the “under the hood” side?

Installing Virtualmin and ntpdate:

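# Download the Virtualmin GPL installer, make only that file executable, and run it
wget https://software.virtualmin.com/gpl/scripts/install.sh
chmod 755 install.sh
./install.sh
# Install ntpdate for clock synchronization
apt-get install ntpdate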

Configuring Virtualmin:

The firewall:

If you want some sort of security and active connections to your FTP, you’ll need:

modprobe ip_conntrack_ftp
echo 'IPTABLES_MODULES="ip_conntrack_ftp"' >> /etc/sysconfig/iptables-config

Getting your server “secure”

➜  ~ cat iptables.save 
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*filter
:INPUT DROP [19:1020]
:FORWARD ACCEPT [513:37370]
:OUTPUT ACCEPT [6333:10196027]
:LDAP - [0:0]
:fail2ban-default - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-default
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 389 -j LDAP
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -m udp --dport 25565 -j ACCEPT
-A INPUT -s 10.254.3.0/24 -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
-A INPUT -p udp -m udp --dport 1196 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 143,220,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A LDAP -s 206.72.202.59/32 -j ACCEPT
-A LDAP -s 66.45.250.235/32 -j ACCEPT
-A LDAP -s 206.72.192.67/32 -j ACCEPT
-A LDAP -s 10.254.3.0/24 -j ACCEPT
-A LDAP -s 10.254.4.0/24 -j ACCEPT
-A LDAP -p tcp -m tcp --dport 3001 -j ACCEPT
-A fail2ban-default -j RETURN
-A fail2ban-ssh -s 222.186.21.217/32 -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Jun  6 02:31:37 2016
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*mangle
:PREROUTING ACCEPT [49100981:39900927740]
:INPUT ACCEPT [47328481:39740284733]
:FORWARD ACCEPT [1408050:121664223]
:OUTPUT ACCEPT [32033396:88711307234]
:POSTROUTING ACCEPT [33441446:88832971457]
COMMIT
# Completed on Mon Jun  6 02:31:37 2016
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*nat
:PREROUTING ACCEPT [1273587:85952983]
:INPUT ACCEPT [1201232:81100796]
:OUTPUT ACCEPT [587430:41574154]
:POSTROUTING ACCEPT [1110814:78989544]
-A PREROUTING -d 66.45.250.236/32 -j DNAT --to-destination 10.254.3.2
-A POSTROUTING -s 10.254.3.0/24 -j SNAT --to-source 66.45.250.236
COMMIT
# Completed on Mon Jun  6 02:31:37 2016
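
A dump like the one above is easier to review mechanically than by eye. The following is an added example, not part of the original post: it reads `iptables-save` output and reports duplicated rules, a filter chain whose default policy is ACCEPT, ACCEPT rules that match on the ACK flag instead of connection state, and management ports accepted from any source. The function names and the `MGMT_PORTS` list (SNMP, Munin, Webmin, Usermin) are assumptions of this example, and the embedded ruleset is a shortened excerpt of the dump above.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump. MGMT_PORTS is an assumption; adjust to your services.
MGMT_PORTS="161 4949 10000 20000"

# audit_ruleset [FILE] -> one finding per line: "<KIND> <table> <detail>" (reads stdin when FILE is omitted)
audit_ruleset() {
    awk -v mgmt="$MGMT_PORTS" '
    BEGIN { n = split(mgmt, p, " ") }
    /^\*/ { table = substr($0, 2); next }            # table header, e.g. *filter
    /^:/ {                                           # chain declaration, e.g. :FORWARD ACCEPT [0:0]
        chain = substr($1, 2)
        if (table == "filter" && $2 == "ACCEPT" && chain != "OUTPUT")
            print "POLICY", table, chain " default policy is ACCEPT"
        next
    }
    /^-A / {
        key = table SUBSEP $0
        if (++seen[key] == 2) print "DUPLICATE", table, $0
        if (seen[key] > 1) next                      # report each rule only once
        if ($0 !~ /-j ACCEPT *$/) next
        # Accepting on the ACK flag alone passes TCP segments that belong to no tracked connection.
        if ($0 ~ /--tcp-flags ACK ACK/) print "STATELESS", table, $0
        if ($2 != "INPUT" || $0 ~ / -s /) next       # only unrestricted INPUT accepts from here on
        for (i = 1; i < NF; i++) {
            if ($i != "--dport" && $i != "--dports") continue
            m = split($(i + 1), ports, ",")
            for (j = 1; j <= m; j++) {
                k = split(ports[j], r, ":")          # single port or lo:hi range
                lo = r[1] + 0; hi = (k > 1 ? r[2] : r[1]) + 0
                for (q = 1; q <= n; q++)
                    if (p[q] + 0 >= lo && p[q] + 0 <= hi) {
                        print "EXPOSED", table, "port " ports[j] " open to any source"
                        break
                    }
            }
        }
    }' "${1:--}"
}

# count_findings KIND FILE -> number of findings of that kind
count_findings() {
    audit_ruleset "$2" | awk -v k="$1" '$1 == k { c++ } END { print c + 0 }'
}

# sample_ruleset: shortened excerpt of the dump shown above (counters zeroed)
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 10.254.3.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
EOF
}

# Audit the file given on the command line, or the embedded excerpt when none is given.
if [ -n "${1:-}" ]; then audit_ruleset "$1"; else sample_ruleset | audit_ruleset; fi
```

Run it as `sh audit.sh iptables.save` against a saved ruleset; each finding names the table and the rule or port it refers to.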

Configuring postfix:

General setup:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
 
 
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
 
# appending .domain is the MUA's job.
append_dot_mydomain = no
 
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
 
readme_directory = no
 
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
 
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Add the networks used by you, that are safe.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
allow_percent_hack = no
# Allow 40 MB message size.
message_size_limit = 40000000

Master Configuration (master.cf)

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp    inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
 
submission      inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes

OhMyZSH / ZSH:

#Debian
apt-get install zsh curl
 
sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

MySQL:

Usually, I’d suggest using Percona’s utility to figure out these values; I’ll post mine. https://tools.percona.com/

# Generated by Percona Configuration Wizard (https://tools.percona.com/) version REL5-20120208
# Configuration name sec02.takelan.com generated for ddemuro@gmail.com at 2015-04-11 05:31:01
 
[mysql]
 
# CLIENT #
port                           = 3306
socket                         = /var/run/mysqld/mysqld.sock
 
[mysqld]
 
# GENERAL #
user                           = mysql
default-storage-engine         = InnoDB
socket                         = /var/run/mysqld/mysqld.sock
pid-file                       = /var/run/mysqld/mysqld.pid
 
# MyISAM #
key-buffer-size                = 64M
myisam-recover                 = FORCE,BACKUP
 
# SAFETY #
max-allowed-packet             = 64M
max-connect-errors             = 1000000
skip-name-resolve
sql-mode                       = STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE
sysdate-is-now                 = 1
innodb                         = FORCE
innodb-strict-mode             = 1
 
# DATA STORAGE #
datadir                        = /var/lib/mysql/
 
 
# BINARY LOGGING #
log-bin                        = /var/lib/mysql/mysql-bin
expire-logs-days               = 14
sync-binlog                    = 1
 
# CACHES AND LIMITS #
tmp-table-size                 = 512M
max-heap-table-size            = 512M
query-cache-type               = 1
query-cache-size               = 512M
query_cache_limit              = 16M
max-connections                = 500
thread-cache-size              = 80
open-files-limit               = 65535
table-definition-cache         = 4096
table-open-cache               = 10240
 
# INNODB #
innodb-flush-method            = O_DIRECT
innodb-log-files-in-group      = 2
#innodb-log-file-size           = 512M
innodb-flush-log-at-trx-commit = 1
innodb-file-per-table          = 1
innodb-buffer-pool-size        = 1G
 
# LOGGING #
log-error                      = /var/lib/mysql/mysql-error.log
log-queries-not-using-indexes  = 1
slow-query-log                 = 1
slow-query-log-file            = /var/lib/mysql/mysql-slow.log

PostGrey:

# postgrey whitelist for mail client hostnames
# --------------------------------------------
# put this file in /etc/postgrey or specify its path
# with --whitelist-clients=xxx
#
# postgrey version: 1.34, build date: 2011-05-04
 
# Debian-specific additions
# I *know* they run real mail queues, so greylisting only creates
# bigger load for them.
debconf.org
debian.org
spi-inc.org
 
# greylisting.org: Southwest Airlines (unique sender, no retry)
southwest.com
# greylisting.org: isp.belgacom.be (wierd retry pattern)
isp.belgacom.be
# greylisting.org: Ameritrade (no retry)
ameritradeinfo.com
# greylisting.org: Amazon.com (unique sender with letters)
amazon.com
# 2004-05-20: Linux kernel mailing-list (unique sender with letters)
vger.kernel.org
# 2004-06-02: karger.ch, no retry
karger.ch
# 2004-06-02: lilys.ch, (slow: 4 hours)
server-x001.hostpoint.ch
# 2004-06-09: roche.com (no retry)
gw.bas.roche.com
# 2004-06-09: newsletter (no retry)
mail.hhlaw.com
# 2004-06-09: no retry (reported by Ralph Hildebrandt)
prd051.appliedbiosystems.com
# 2004-06-17: swissre.com (no retry)
swissre.com
# 2004-06-17: dowjones.com newsletter (unique sender with letters)
returns.dowjones.com
# 2004-06-18: switch.ch (works but personnel is confused by the error)
domin.switch.ch
# 2004-06-23: accor-hotels.com (slow: 6 hours)
accor-hotels.com
# 2004-06-29: rr.com (no retry, reported by Duncan Hill)
/^ms-smtp.*\.rr\.com$/
# 2004-06-29: cox.net (no retry, reported by Duncan Hill)
/^lake.*mta.*\.cox\.net$/
# 2004-06-29: motorola.com (no retry)
mot.com
# 2004-07-01: nic.fr (address verification, reported by Arnaud Launay)
nic.fr
# 2004-07-01: verizon.net (address verification, reported by Bill Moran and Eric, adapted by Adam C. Mathews)
/^s[cv]\d+pub\.verizon\.net$/
# 2004-07-02: cs.columbia.edu (no retry)
cs.columbia.edu
# 2004-07-02: papersinvited.com (no retry)
66.216.126.174
# 2004-07-02: telekom.de (slow: 6 hours)
/^mail\d+\.telekom\.de$/
# 2004-07-04: tiscali.dk (slow: 12 hours, reported by Klaus Alexander Seistrup)
/^smtp\d+\.tiscali\.dk$/
# 2004-07-04: freshmeat.net (address verification)
freshmeat.net
# 2004-07-11: zd-swx.com (unique sender with letters, reported by Bill Landry)
zd-swx.com
# 2004-07-11: lockergnome.wc09.net (unique sender with letters, reported by Bill Landry)
lockergnome.wc09.net
# 2004-07-19: mxlogic.net (no retry, reported by Eric)
p01m168.mxlogic.net
p02m169.mxlogic.net
# 2004-09-08: intel.com (pool on different subnets) 
/^fmr\d+\.intel\.com$/
# 2004-09-17: cox-internet.com (no retry, reported by Rod Roark)
/^fe\d+\.cox-internet\.com$/
# 2004-10-11: logismata.ch (no retry)
logismata.ch
# 2004-11-25: brief.cw.reum.de (no retry, reported by Manuel Oetiker)
brief.cw.reum.de
# 2004-12-03: ingeno.ch (no retry)
qmail.ingeno.ch
# 2004-12-06: rein.ch (no retry)
mail1.thurweb.ch
# 2005-01-26: tu-ilmenau.de (no retry)
piggy.rz.tu-ilmenau.de
# 2005-04-06: polymed.ch (no retry)
mail.polymed.ch
# 2005-06-08: hu-berlin.de (slow: 6 hours, reported by Joachim Schoenberg)
rz.hu-berlin.de
# 2005-06-17: gmail.com (big pool, reported by Beat Mueller)
proxy.gmail.com
# 2005-06-23: cacert.org (address verification, reported by Martin Lohmeier)
cacert.org
# 2005-07-27: polytech.univ-mrs.fr (no retry, reported by Giovanni Mandorino)
polytech.univ-mrs.fr
# 2005-08-05: gnu.org (address verification, reported by Martin Lohmeier)
gnu.org
# 2005-08-17: ciphirelabs.com (needs fast responses, reported by Sven Mueller)
cs.ciphire.net
# 2005-11-11: lufthansa (no retry, reported by Peter Bieringer)
/^gateway\d+\.np4\.de$/
# 2005-11-23: arcor-online.net (slow: 12 hours, reported by Bernd Zeimetz)
/^mail-in-\d+\.arcor-online\.net$/
# 2005-12-29: netsolmail.com (no retry, reported by Gareth Greenaway)
netsolmail.com
# mail.likopris.si (no retry, reported by Vito Robar)
193.77.153.67
# jcsw.nato.int (several servers, no retry, reported by Vito Robar)
195.235.39
# tesla.vtszg.hr (no retry, reported by Vito Robar)
tesla.vtszg.hr
# mailgw*.iai.co.il (pool of several servers, reported by Vito Robar)
/^mailgw.*\.iai\.co\.il$/
# gw.stud-serv-mb.si (no retry, reported by Vito Robar)
gw.stud-serv-mb.si
# mail.commandtech.com (no retry, reported by Vito Robar)
216.238.112.99
# duropack.co.at (no retry, reported by Vito Robar)
193.81.20.195
# mail.esimit-tech.si (no retry, reported by Vito Robar)
193.77.126.208
# mail.resotel.be (ocasionally no retry, reported by Vito Robar)
80.200.249.216
# mail2.alliancefr.be (ocasionally no retry, reported by Vito Robar)
mail2.alliancefr.be
# webserver.turboinstitut.si (no retry, reported by Vito Robar)
webserver.turboinstitut.si
# mil.be (pool of different servers, reported by Vito Robar)
193.191.218.141
193.191.218.142
193.191.218.143
194.7.234.141
194.7.234.142
194.7.234.143
# mail*.usafisnews.org (no retry, reported by Vito Robar)
/^mail\d+\.usafisnews\.org$/
# odk.fdv.uni-lj.si (no retry, reported by Vito Robar)
/^odk.fdv.uni-lj.si$/
# rak-gentoo-1.nameserver.de (no retry, reported by Vito Robar)
rak-gentoo-1.nameserver.de
# dars.si (ocasionally no retry, reported by Vito Robar)
mx.dars.si
# cosis.si (no retry, reported by Vito Robar)
213.143.66.210
# mta?.siol.net (sometimes no or slow retry; they use intermail, reported by Vito Robar)
/^mta[12].siol.net$/
# pim-N-N.quickinspirationsmail.com (unique sender, reported by Vito Robar)
/^pim-\d+-\d+\.quickinspirationsmail\.com$/
# flymonarch (no retry, reported by Marko Djukic)
flymonarch.com
# wxs.nl (no retry, reported by Johannes Fehr)
/^p?smtp.*\.wxs\.nl$/
# ibm.com (big pool, reported by Casey Peel)
ibm.com
# messagelabs.com (big pool, reported by John Tobin)
/^mail\d+\.messagelabs\.com$/
# ptb.de (slow, reported by Joachim Schoenberg)
berlin.ptb.de
# registrarmail.net (unique sender names, reported by Simon Waters)
registrarmail.net
# google.com (big pool, reported by Matthias Dyer, Martin Toft)
google.com
# orange.fr (big pool, reported by Loïc Le Loarer)
/^smtp\d+\.orange\.fr$/
# citigroup.com (slow retry, reported by Michael Monnerie)
/^smtp\d+.citigroup.com$/
# cruisingclub.ch (no retry)
mail.ccs-cruising.ch
# digg.com (no retry, Debian #406774)
diggstage01.digg.com
# liberal.ca (retries only during 270 seconds, Debian #406774)
smtp.liberal.ca
# pi.ws (pool + long retry, Debian #409851)
/^mail[12]\.pi\.ws$/
# rambler.ru (big pool, reported by Michael Monnerie)
rambler.ru
# free.fr (big pool, reported by Denis Sacchet)
/^smtp[0-9]+-g[0-9]+\.free\.fr$/
/^postfix[0-9]+-g[0-9]+\.free\.fr$/
# thehartford.com (pool + long retry, reported by Jacob Leifman)
/^netmail\d+\.thehartford\.com$/
# abb.com (only one retry, reported by Roman Plessl)
/^nse\d+\.abb\.com$/
# 2007-07-27: sourceforge.net (sender verification)
lists.sourceforge.net
# 2007-08-06: polytec.de (no retry, reported by Patrick McLean)
polytec.de
# 2007-09-06: qualiflow.com (no retry, reported by Alex Beckert)
/^mail\d+\.msg\.oleane\.net$/
# 2007-09-07: nrl.navy.mil (no retry, reported by Axel Beckert)
nrl.navy.mil
# 2007-10-18: aliplast.com (long retry, reported by Johannes Feigl)
mail.aliplast.com
# 2007-10-18: inode.at (long retry, reported by Johannes Feigl)
/^mx\d+\..*\.inode\.at$/
# 2008-02-01: bol.com (no retry, reported by Frank Breedijk)
/^.*?.server.arvato-systems.de$/
# 2008-06-05: registeredsite.com (no retry, reported by Fred Kilbourn)
/^(?:mail|fallback-mx)\d+.atl.registeredsite.com$/
# 2008-07-17: mahidol.ac.th (no retry, reported by Alex Beckert)
saturn.mahidol.ac.th
# 2008-07-18: ebay.com (big pool, reported by Peter Samuelson)
ebay.com
# 2008-07-22: yahoo.com (big pool, reported by Juan Alonso)
yahoo.com
# 2008-11-07: facebook (no retry, reported by Tim Freeman)
/^outmail\d+\.sctm\.tfbnw\.net$/
# 2009-02-10: server14.cyon.ch (long retry, reported by Alex Beckert)
server14.cyon.ch
# 2009-08-19: 126.com (big pool)
/^m\d+-\d+\.126\.com$/
# 2010-01-08: tifr.res.in (no retry, reported by Alex Beckert)
home.theory.tifr.res.in
# 2010-01-08: 1blu.de (long retry, reported by Alex Beckert)
ms4-1.1blu.de
# 2010-03-17: chello.at (big pool, reported by Jan-willem van Eys)
/^viefep\d+-int\.chello\.at$/
# 2010-05-31: nic.nu (long retry, reported by Ivan Sie)
mx.nic.nu
# 2010-06-10: Microsoft servers (long/no retry, reported by Roy McMorran)
bigfish.com
frontbridge.com
microsoft.com
# 2010-06-18: Google/Postini (big pool, reported by Warren Trakman)
postini.com
# 2011-02-04: evanzo-server.de (no retry, reported by Andre Hoepner)
/^mx.*\.evanzo-server\.de$/
# 2011-05-02: upcmail.net (big pool, reported by Michael Monnerie)
upcmail.net
# postgrey whitelist for mail recipients
# --------------------------------------
# put this file in /etc/postgrey or specify its path
# with --whitelist-recipients=xxx
 
postmaster@
abuse@
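
Several regex entries in the client whitelist above leave dots unescaped (for example `/^mta[12].siol.net$/`); an unescaped `.` matches any character, so such an entry also exempts hostnames outside the intended domain from greylisting. The lint below is an added example, not part of the original post or of postgrey; the function names and the sample hostnames used to exercise it are constructed, and it only inspects `/regex/` entries, leaving literal ones alone.

```python
import re

# Constructed sample: a few entries copied from the client whitelist above.
SAMPLE_WHITELIST = r"""
# mta?.siol.net (sometimes no or slow retry)
/^mta[12].siol.net$/
# messagelabs.com (big pool)
/^mail\d+\.messagelabs\.com$/
# citigroup.com (slow retry)
/^smtp\d+.citigroup.com$/
# wxs.nl (no retry)
/^p?smtp.*\.wxs\.nl$/
# google.com (big pool)
google.com
"""


def parse_entries(text):
    """Return [(kind, value)] for each non-comment line; kind is 'regex' or 'literal'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) > 2 and line[0] == "/" and line[-1] == "/":
            entries.append(("regex", line[1:-1]))
        else:
            entries.append(("literal", line))
    return entries


def unescaped_dots(pattern):
    """Offsets of bare '.' that are not a deliberate wildcard such as '.*'."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # escaped character: skip it and its backslash
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif (ch == "." and not in_class
              and pattern[i + 1:i + 2] not in ("*", "+", "?", "{")):
            hits.append(i)
        i += 1
    return hits


def tighten(pattern):
    """Return the pattern with every offset from unescaped_dots() escaped."""
    chars = list(pattern)
    for pos in unescaped_dots(pattern):
        chars[pos] = r"\."
    return "".join(chars)


def accepts(pattern, hostname):
    """True if the whitelist regex matches the client hostname."""
    return re.search(pattern, hostname) is not None


def lint(text):
    """Map each over-broad regex entry to its tightened form."""
    return {value: tighten(value) for kind, value in parse_entries(text)
            if kind == "regex" and unescaped_dots(value)}


if __name__ == "__main__":
    for loose, tight in lint(SAMPLE_WHITELIST).items():
        print(f"/{loose}/  ->  /{tight}/")
```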

SpamAssassin:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
 
#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
 
 
#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
 
 
#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.
 
 
#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
 
 
#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0
 
 
#   Use Bayesian classifier (default: 1)
#
# use_bayes 1
 
 
#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
 
 
#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
 
 
#   Some shortcircuiting, if the plugin is enabled
# 
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   default: strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#   Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST       on
# shortcircuit USER_IN_DEF_WHITELIST   on
# shortcircuit USER_IN_ALL_SPAM_TO     on
# shortcircuit SUBJECT_IN_WHITELIST    on
 
#   the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST       on
# shortcircuit USER_IN_BLACKLIST_TO    on
# shortcircuit SUBJECT_IN_BLACKLIST    on
 
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED             on
 
#   and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
 
endif # Mail::SpamAssassin::Plugin::Shortcircuit

Fail2Ban:

jail.conf

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto
 
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
 
#
# ACTIONS
#
 
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
 
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
 
# Default protocol
protocol = tcp
 
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
 
#
# Action shortcuts. To be used to define action parameter
 
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
 
#
# JAILS
#
 
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
 
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
 
[ssh]
 
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
 
[dropbear]
 
enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/dropbear
maxretry = 6
 
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
 
enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6
 
[xinetd-fail]
 
enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2
 
 
[ssh-ddos]
 
enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
 
#
# HTTP servers
#
 
[apache]
 
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
 
enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6
 
[apache-noscript]
 
enabled  = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
[apache-overflows]
 
enabled  = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2
 
#
# FTP servers
#
 
[vsftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jail.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
 
 
[proftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
 
 
[pure-ftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/auth.log
maxretry = 6
 
 
[wuftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6
 
 
#
# Mail servers
#
 
[postfix]
 
enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
 
 
[couriersmtp]
 
enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
 
 
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
 
[courierauth]
 
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log
 
 
[sasl]
 
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log
 
[dovecot]
 
enabled = false
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
 
# DNS Servers
 
 
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging
 
# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    https://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log
 
[named-refused-tcp]
 
enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

fail2ban.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
 
[Definition]
 
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3
 
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
 
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
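
The jail.conf above asks for changes to go into /etc/fail2ban/jail.local and builds each jail's action from `%(...)s` shortcuts, so the settings that actually apply are only visible after both files are merged and interpolated. The following added example (not part of the original post, and using Python's standard `configparser` rather than fail2ban's own reader) does that merge for a constructed excerpt of the jail.conf and a hypothetical jail.local; the `admin@example.org` address and the overrides are assumptions.

```python
import configparser

# Constructed excerpt of the jail.conf shown above (DEFAULT plus two jails).
JAIL_CONF = """
[DEFAULT]
bantime  = 600
maxretry = 3
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[sasl]
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
"""

# Hypothetical /etc/fail2ban/jail.local: only the site-specific overrides.
JAIL_LOCAL = """
[DEFAULT]
bantime   = 3600
destemail = admin@example.org

[sasl]
enabled = true
action  = %(action_mwl)s
"""


def effective_jails(*sources):
    """Merge the sources in order (later values win) and return, for every
    enabled jail, the settings that result after interpolation."""
    cp = configparser.ConfigParser()
    for text in sources:
        cp.read_string(text)
    jails = {}
    for name in cp.sections():
        if not cp.getboolean(name, "enabled", fallback=False):
            continue
        # The action shortcuts reference %(__name__)s, the jail's own name;
        # Python 3's standard-library parser does not define it, so pass it in.
        local = {"__name__": name}
        jails[name] = {
            "filter": cp.get(name, "filter", vars=local),
            "maxretry": cp.getint(name, "maxretry", vars=local),
            "bantime": cp.getint(name, "bantime", vars=local),
            # one list element per action in the expanded shortcut
            "action": cp.get(name, "action", vars=local).splitlines(),
        }
    return jails


if __name__ == "__main__":
    for jail, cfg in effective_jails(JAIL_CONF, JAIL_LOCAL).items():
        print(jail, cfg)
```

Running it against only `JAIL_CONF` shows the shipped state, in which `ssh` is the single enabled jail with a 600-second ban.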
Installing SWFTools in Debian 7
https://www.derekdemuro.com/2014/10/20/installing-swftools-in-debian-7/
Mon, 20 Oct 2014 06:44:24 +0000

How to install PDF2SWF, PDFTools in Debian.

First, download the source tarballs you need.

wget https://download.savannah.gnu.org/releases/freetype/freetype-2.4.0.tar.gz
wget https://www.ijg.org/files/jpegsrc.v7.tar.gz
wget https://www.swftools.org/swftools-2013-04-09-1007.tar.gz
 
tar -zvxf swftools-2013*
tar -zvxf jpegsrc.v7.tar.gz
tar -zvxf freetype*
# jpegsrc.v7.tar.gz unpacks into jpeg-7
cd jpeg-7
./configure
make
make install
cd ..
cd freetype-2.4.0
./configure
make
make install
cd ..
cd swftools-2013-04-09-1007
./configure
make
make install

modules/.././types.h:36:2: #error "no way to define 64 bit integer"
modules/.././types.h:39:2: #error "don't know how to define 32 bit integer"
modules/.././types.h:42:2: #error "don't know how to define 16 bit integer"
modules/.././types.h:45:2: #error "don't know how to define 8 bit integer"

The first solution.

ldconfig /usr/local/lib
./configure

Given that not even then did I get it to install, proceed and clone the master branch on GitHub; that seems to work perfectly fine.

So the solution I found somewhere:

apt-get install gcc g++ zlib1g-dev make libgif-dev
# FreeType
wget https://download.savannah.gnu.org/releases/freetype/freetype-2.4.9.tar.gz
tar xzvf freetype-2.4.9.tar.gz
cd freetype-2.4.9
rm -f config.cache
ldconfig /usr/local/lib
LDFLAGS="-L/usr/local/lib" CPPFLAGS="-I/usr/local/include" ./configure
make
make install
cd ..
# libjpeg (the tarball unpacks into jpeg-8d)
wget https://www.ijg.org/files/jpegsrc.v8d.tar.gz
tar xzvf jpegsrc.v8d.tar.gz
cd jpeg-8d
rm -f config.cache
LDFLAGS="-L/usr/local/lib" CPPFLAGS="-I/usr/local/include" ./configure
make
make install
cd ..
# SWFTools; the xpdf tarball goes into its lib/pdf directory
wget https://www.swftools.org/swftools-0.9.1.tar.gz
tar xzvf swftools-0.9.1.tar.gz
wget ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.03.tar.gz
mv xpdf-3.03.tar.gz swftools-0.9.1/lib/pdf
cd swftools-0.9.1
LDFLAGS="-L/usr/local/lib" CPPFLAGS="-I/usr/local/include" ./configure
make
make install
cd ..
# clean up the build trees and tarballs
rm -r jpeg*
rm -r swftools*
rm -r freetype*
Optimizing server for APC, and PHP.
https://www.derekdemuro.com/2014/10/10/optimizing-server-for-apc-and-php/
Fri, 10 Oct 2014 06:52:01 +0000

Many times our servers struggle to answer connections in time; this is why we need to optimize.

First we assume we have installed Virtualmin on Debian 7.

Second, we assume you know some PHP and common Linux utilities.

We’ll install memcached and php5-memcache [Memcache plugin for memcached].

php5-memcache and memcached

apt-get install memcached php5-memcache

We are assuming you’ll use Memcached on the local server, so just restart the service as follows:

/etc/init.d/memcached restart

Now we restart apache… to load up everything correctly including PHP.

/etc/init.d/apache2 restart

Now let’s get dirty with APC!

apt-get install php-pear

This will allow us to build new modules into php.

Now we need some dependencies to be able to compile APC.

apt-get install php5-dev apache2-prefork-dev build-essential

You’ll receive a long list of dependencies; accept them, they are GCC and others.

Now let’s build APC!

pecl install apc

As I don’t have the rest on my terminal right now…

server2:~# pecl install apc
downloading APC-3.0.17.tgz ...
Starting to download APC-3.0.17.tgz (116,058 bytes)
.........................done: 116,058 bytes
47 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
Use apxs to set compile flags (if using APC with Apache)? [yes] : <-- ENTER

[...]

----------------------------------------------------------------------
Libraries have been installed in:
   /var/tmp/pear-build-root/APC-3.0.17/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

running: make INSTALL_ROOT="/var/tmp/pear-build-root/install-APC-3.0.17" install
Installing shared extensions:     /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs/
running: find "/var/tmp/pear-build-root/install-APC-3.0.17" -ls
998152    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17
998214    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr
998215    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib
998216    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5
998217    4 drwxr-xr-x   2 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs
998213  416 -rwxr-xr-x   1 root     root       418822 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs/apc.so

Build process completed successfully
Installing '/var/tmp/pear-build-root/install-APC-3.0.17//usr/lib/php5/20060613+lfs/apc.so'
install ok: channel://pecl.php.net/APC-3.0.17
You should add "extension=apc.so" to php.ini
server2:~#

[From https://www.howtoforge.com/apc-php5-apache2-debian-etch]

If this didn’t go well, just go with apt-get install php-apc!
Now is when everything goes fuzzy… as we use virtual servers, you’ll need to configure APC for each virtual server individually and decide how much cache to give it, etc.

In our case, let’s go with a client.

This should be good enough for you to start enjoying APC.

Add this information to your php.ini [if using vhosts with Virtualmin, cd /home/user/etc/ and edit the php.ini in there]:

[APC]
extension=apc.so
apc.enabled=1
apc.shm_segments=1
; This value depends on kernel.shmmax; in our case it reads 268435456, which would be around 256M.
; cat /proc/sys/kernel/shmmax => to read the size
apc.shm_size=256M
apc.optimization=0
;Control TTL of Cache
apc.ttl=108000
apc.user_ttl=108000
apc.gc_ttl=108000
apc.cache_by_default=1
apc.filters="-/home/user/public_html/apc/apc\.php$"
apc.slam_defense=0
apc.use_request_time=1
apc.mmap_file_mask=/tmp/apc-user.XXXXXX
;apc.mmap_file_mask=/dev/zero
apc.file_update_protection=2
apc.enable_cli=1
apc.max_file_size=5M
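;WARNING => apc.stat=1 checks whether the file changed every time before opening it.
;With apc.stat=0 that check is skipped, so restart Apache (or clear the cache) after changing PHP files.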
apc.stat=0
apc.write_lock=1
apc.report_autofilter=0
apc.include_once_override=0
apc.rfc1867=0
apc.rfc1867_prefix=upload_
apc.rfc1867_name=APC_UPLOAD_PROGRESS
apc.rfc1867_freq=0
apc.rfc1867_ttl=3600
apc.lazy_classes=0
apc.lazy_functions=0

I’d also recommend changing the swappiness of the server to a low value; remember, IO is a killer, and it’s better to max out the RAM and leave the swap for emergencies.

Normally it would be set to 60.

My tests have proven that for my configurations it’s best to have it at ~15 – ~30.

To check the actual value:

cat /proc/sys/vm/swappiness

That should print: 60 on the screen.

To change it on the fly and test it:

sysctl vm.swappiness=[value]

On reboot that will reset to default, to make it stick:

edit /etc/sysctl.conf

and add at the end of the file:

vm.swappiness=[value]

Now that will stick on every restart.

Stay tuned, I’ll keep expanding my guide to getting the best out of your servers.
