Details
-
About: Access Denied
-
Skills: Linux administration, Bash, basics of PHP, JS and other languages
Joined devRant on 5/13/2016
-
False alert, everyone: I was just an idiot who didn't set the port 80 NAT at home to only apply to packets from the WAN interface... So it sent them right back...
-
@cuddlyogre I'm upgrading a fleet of legacy MySQL servers where the customer used memory tables for their performance benefits.
Not sure how much that still applies today, but it's a pain in the ass to work with.
Already have a bootstrapped and working multi-source replica (Did I mention they have like... 8 of those legacy SQL servers?), and now, I finally managed to bootstrap a replica of that replica, as the legacy servers are planned to be disconnected soon.
Let's hope none of the servers reboots in the meantime, or bye-bye replication... -_-" -
@AnxiousADHDGuy suggested that as well, but was told that backing it up would be an issue as no one really knows what's on the laptop, and whether something's worth preserving.
Yea... I wonder what might be so important that you don't even remember it's there... -
@IntrusionCM it's an old AMD E200 APU. Notebook checker lists it as x86 with 64-bit support so... Really not sure what to make of that.
But when I ran file on the terminal emulator executable, it was 64-bit, so I figured the laptop is so old it can't yet run 64-bit apps lol -
Edit: Okay, I finally managed to authenticate... Only to find out, to my utter horror and shock, that if someone were to impersonate the AP and even present an invalid certificate as the RADIUS server... All that stands between me and getting PWN'd is a teeny tiny little dialog saying something like "Do you expect to find this network here? Here's its cert. Connect / Cancel"
No huge red warning like in a browser when a webpage presents an invalid SSL certificate, nooooo. No 3-clicks-deep workaround or secret key combinations to add an exception.
Just a yes/no button. And if you click yes (and most users will just click yes), Windows will happily connect you to the AP.
The only way to avoid this is changing the notification setting for when the CA or cert don't check out from "Ask the user" to "Don't ask the user", as that's the only way the connection will securely fail!
And this option is buried pretty deep in the WPA2 setup process, which in and of itself sucks donkey balls! -
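The Windows prompt described above has a direct analogue on Linux: a wpa_supplicant network block with no ca_cert and no domain_match will likewise accept whatever RADIUS server certificate an impostor AP presents. The following shell script is an added example, not the poster's code and not part of wpa_supplicant or Windows; it writes a constructed wpa_supplicant.conf (the SSIDs, identity, password, CA path and RADIUS hostname are invented) and lists the EAP networks that do not pin the server. Point audit_wpa_conf at /etc/wpa_supplicant/wpa_supplicant.conf to check a real machine.

```shell
#!/bin/sh
# Added example (not from the post): find WPA-EAP networks in a wpa_supplicant
# config that do not validate the RADIUS server certificate, i.e. that lack
# ca_cert (the trust anchor) or domain_match (the expected server name).

# Write a constructed sample config to the given path. SSIDs, credentials,
# the CA path and the RADIUS hostname are made up for the example.
write_sample_conf() {
    cat > "$1" <<'EOF'
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home-psk"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
EOF
}

# Print, one per line, the SSID of every EAP network block that lacks
# ca_cert or domain_match. PSK networks are skipped: they have no server cert.
audit_wpa_conf() {
    awk '
        /^[[:space:]]*network=[{]/ { inblk = 1; ssid = ""; eap = 0; ca = 0; dom = 0; next }
        !inblk { next }
        /^[[:space:]]*ssid=/ { sub(/^[[:space:]]*ssid=/, ""); gsub(/"/, ""); ssid = $0 }
        /^[[:space:]]*key_mgmt=.*EAP/ { eap = 1 }
        /^[[:space:]]*ca_cert=/ { ca = 1 }
        /^[[:space:]]*(domain_match|domain_suffix_match)=/ { dom = 1 }
        /^[[:space:]]*[}]/ { if (eap && !(ca && dom)) print ssid; inblk = 0 }
    ' "$1"
}

# Stand-alone run: audit the constructed config (real use: pass your own file).
conf="${TMPDIR:-/tmp}/wpa_audit.$$.conf"
write_sample_conf "$conf"
echo "EAP networks that will accept any RADIUS server certificate:"
audit_wpa_conf "$conf"
rm -f "$conf"
```

With both ca_cert and domain_match set, wpa_supplicant fails the connection on a non-matching server certificate instead of asking; the audit flags a block when either is absent, because a CA alone still accepts any server certificate that CA ever issued.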
Update: Figured it out!
systemd, when it's the init in charge, indeed has several mechanisms for populating the machine-id file if it isn't set, and/or in case the file is on a read-only filesystem.
However.
None of those mechanisms account for the file not existing at all, as was the case with our automatically installed systems.
If the file had even just been touched and left empty, it would have been populated on the next reboot.
Ugh. Okay. That's not something I would have thought of as the cause behind it... Now to go and fix all the systemd machines that have the file missing. At least that isn't so hard... Yay... -
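The distinction above (absent file versus empty file) is easy to get wrong in a fleet fix, so here is an added example, not the poster's script: a POSIX shell check that classifies a machine-id file as missing, empty, populated or invalid, and a repair step that turns the one unhandled state (missing) into the state systemd fills on the next boot (empty). The path is a parameter so it also works against a mounted installer target; the live-file report at the bottom is an assumption about where you run it.

```shell
#!/bin/sh
# Added example (not from the post): classify a machine-id file and repair the
# one case the post describes systemd not handling, the file being absent.
# The path is a parameter so the same check works on a chroot or a test copy.

# Prints one of: missing, empty, populated, invalid
machine_id_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    elif grep -Eq '^[0-9a-f]{32}$' "$f"; then
        echo populated
    else
        echo invalid
    fi
}

# If the file is missing, create it empty with the usual 0444 mode.
# An empty file is the state systemd fills on the next boot; per the post,
# a missing file is not. Prints the resulting state.
ensure_machine_id_file() {
    f="$1"
    if [ "$(machine_id_state "$f")" = missing ]; then
        : > "$f"
        chmod 0444 "$f"
    fi
    machine_id_state "$f"
}

# Stand-alone run: report the live file (assumed location; repair needs root).
echo "/etc/machine-id: $(machine_id_state /etc/machine-id)"
```

Run `ensure_machine_id_file /etc/machine-id` as root on the affected hosts, or from the installer hook `systemd-machine-id-setup --root=/target` to populate it immediately instead of waiting for a boot. Note that systemd may also treat an uninitialized machine-id as a first boot, so units gated on ConditionFirstBoot= can run once after the fix.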
@IntrusionCM Funny, despite usually going for SO and/or its derivatives, in this case I did end up on that exact man page you linked, and got all that I know from there... :'D
Will update tomorrow if and when I nail down the exact reason the file never gets generated. Hope it won't be something that'll make me look like a complete imbecile... -_-" -
@IntrusionCM During debugging, I came across a thread on the mailing list of the environment we use to automate system installations where a person had journald just not start at all because the machine-id was missing. Though that was in 2017; guess the dependency on it has lessened since then.
And... I know it should get auto-generated in case it's not found/empty, but... Despite there being *numerous* ways it can get first initialized... All of which... Mysteriously fail...
Can't wait for the debugging session tomorrow. Oh, how I love debugging. -
@NeatNerdPrime understandable, but this was (A) a dev DB, and (B) we, as the MSP company, provide support, debugging and solutions for what the customer needs. They didn't, as far as I know, try to refine and/or revise the role perms. They just downright asked us to disable inheritance... Giving us more work down the line.
-
@NoToJavaScript I'd have to check for the PIT recovery; the DBs we run on Galera are about a TB in size. And our clients are fine having just daily backups.
And, sadly, Galera cannot really be used for cross-region replication as it relies on fast operation acknowledgments between nodes, and if it doesn't receive them in time, it can (one) kick the node out of the cluster, and (two) block the whole DB as it waits for consistency.
BUT, you can still replicate the normal "log-shipping" way via binlogs from one of the master nodes... Though the classic kind of replication is much less resilient and can break if you don't set it up correctly. -
@NoToJavaScript the software itself is completely free (if you don't need enterprise support), and you only really need a reliable network link between the nodes as they constantly communicate with each other to keep the data consistent.
Then it's just a question of the QPS you want out of your DB.
But for a DB that small, I can imagine you could make do very well with a 12c/24t CPU, 64 gigs of RAM, and speedy SSD or NVMe based storage in RAID 1 or even RAID 10 for those extra fast reads and not too bad writes.
The software we use is MariaDB community edition and the Galera extension. -
@stop That's the only solution I found so far, but I worry that the two disks would eventually desync when someone forgets to remount the second disk's EFI partition when updating the BL... And I'd have to make a grub hook to always install on sdb as well.
-
@magicMirror That lands me in literally the same mess as with JS. I don't have an issue with the language itself (I could so-so understand it...); my issue is that the administration shell environment should not be programming-language based at all!
All administration activities are made that much more complex when I have to parse machine-made texts instead of getting output in nice human-readable form.
If the administration commands like db.getCurrentOps() would yield something more human readable, or had aliases like showProcesses, then I wouldn't have an issue, but it's like having to write "SELECT * FROM information_schema.processlist" then getting an output not in a nice table, but in a bloody SQL Dump file that a machine can read just fine, but that's frickin' impossible to easily make heads or tails of as a human.
I took a look at this pymongo thing, and it is, again, a wrapper to work with MongoDB from Python, and not a fully fleshed out shell replacement... -
@100110111 In the end, it was just about the customer either not knowing the implication, not knowing alternate options, or just not caring.
Turns out that only one tiny sub-part of their app actually needed the 1GB limit -- Product Feed generation, which is understandable, dealing with large amounts of data and all.
Sure, it probably *could* be further optimized, but hey... At least now, I was able to raise the limit only to one specific URL and leave the rest of the web that actually gets public traffic on the default memory limit. -
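Scoping the limit to one URL as described above is done at the web server, not in php.ini. The configuration below is an added example, not the poster's or the customer's config: it keeps the public site on php-fpm's default memory_limit and raises it only for one feed endpoint. The document root, socket path, /internal/product-feed URL, front-controller layout and the 10.0.0.0/8 consumer network are all assumptions.

```nginx
# Added example, not the post's configuration: raise PHP's memory_limit for a
# single URL and keep the public site on php-fpm's default. The root path,
# socket, the /internal/product-feed URL and the allowed network are assumed.
server {
    server_name shop.example;
    root /var/www/app/public;

    # Public traffic: front controller on the pool's default memory_limit.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # The one heavy endpoint. An exact-match location wins over the regex
    # location above, so only this URL gets the 1 GB limit. A request that
    # may allocate 1 GB is also a cheap way to exhaust the server, so
    # restrict who can call it rather than exposing it to public traffic.
    location = /internal/product-feed {
        allow 10.0.0.0/8;   # assumed network of the feed consumer
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param PHP_VALUE "memory_limit=1024M";
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Two caveats: PHP_VALUE cannot override a memory_limit set with php_admin_value in the php-fpm pool (use php_value there, or give the feed its own pool), and a separate pool is also the cleaner way to stop one 1 GB request from starving the public workers.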
@PonySlaystation Sadly, heavy modifications to Grafana itself are out of the game. I am not a programmer and my company would never pay for all the effort I'd have to put in to do that. I complained directly on Grafana's community forum, alas, without any sort of reaction...
@darkwind I don't worry about MITM attacks, rather query forgery / modification by the clients themselves. The query gets sent over HTTPS to the Grafana server, which then sends it through a WireGuard tunnel to Prometheus. However, as said, the Grafana FE and BE don't implement any sort of query forgery mitigation... Once you can access the FE, you can query any and all data that the Prometheus instance contains - all the data from all of our servers... -
@momad Haha, yeah, didn't even think about that. Guess I'm lucky that in my native language, a "graph" is spelled as "graf", so the name never felt wrong to me
-
@IntrusionCM Oh, I actually remember coming across the auditing framework once in the past already. It is super useful to me right now.
Thanks! -
Okay, TIL that table statistics are made out of just a few memory pages, the number of which can be changed.
Doubling it changed the statistics so much the plans finally synced up :3 -
@stop Yep, it runs before any partitioning is done on the drive
-
@stop If I could, I would. It's a part of an automated installation system that only allows me to include my own script snippets before an installation step - In this case, before the partitioning of the disk. So at the time, I don't yet know where the partitions are going to be created, and no sdaX exists.
-
@Fast-Nop pfffff, what a coincidence!
Poor Perl devs, no one seems to like their lang anymore :<
@Ranchonyx yeah, no, but we sure would agree Perl... Is a way to threaten people more than actually help. Especially when there's only a single person in the company who understands it enough to modify those scripts. -
Firefox as I trust the Mozilla foundation won't sell users out for extra cash.
-
I only just found out the gist of the issue...
LE is too new of a CA. But because they wanted to support even older devices, LE's X3 root certificate was, instead of being self-signed, cross-signed by another, older root CA's root certificate - the ISRG Root X1.
This way, even though LE's root wasn't in the root trust store of many of the older devices, it'd be seen as valid, as it was signed by a root cert that was there.
What happens when *that* root cert expires though?
Hell ensues...
We already have... Several clients migrating away from LE because they need to keep supporting old android phones for example.
*Sigh* Why can't Google just push new root trust stores even to old devices as a security update? This way, one of the greatest companies to ever be created will suffer quite a lot... -
@iiii of course, when I encounter a site that doesn't accept refusal, most of the time, one can get around it through dev tools.
Most sites are stupid: load the content first, then put a blocking modal form window over it. Remove the window, enable the scroll bar and... You're good to go. -
@Hazarth Odd... The only slightly confusing part about WireGuard is that the meaning of configuration parameters depends on the section of the configuration file. AllowedIPs can either be a list of IPs a client can present with... Or the IP addresses that are to be forwarded through to the given peer, for example.
The configuration starts getting messy once you require the clients to be able to talk to each other through the tunnel. That, I can understand, OpenVPN can do in a simpler way. -
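The two meanings of AllowedIPs mentioned above are the whole story of WireGuard's cryptokey routing: on every interface, a peer's AllowedIPs is both the set of source addresses accepted from that peer (decrypted packets with any other source are dropped) and the set of destinations routed to it. The configuration below is an added example, not the poster's setup, showing a hub and two clients that can reach each other through the hub. Addresses, key placeholders, the hostname and the port are assumptions.

```ini
# Added example (not the post's config): hub plus two clients that can talk to
# each other via the hub. Keys are placeholders; 10.8.0.0/24 and
# vpn.example.net:51820 are assumed.

# ---- hub: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# Clients only reach each other if the hub forwards between them.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# alice: on the hub, AllowedIPs is the source filter for what alice may send
# AND the route for packets addressed to 10.8.0.2. A /32 per client keeps
# one client from claiming another's address.
PublicKey = <alice-public-key>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <bob-public-key>
AllowedIPs = 10.8.0.3/32

# ---- alice: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <alice-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = vpn.example.net:51820
# On the client, AllowedIPs is what gets sent into the tunnel: the whole /24,
# so bob (10.8.0.3) is reachable via the hub. With 10.8.0.1/32 here, only
# the hub itself would be reachable.
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```

Two things follow from the dual meaning: an allowed IP can belong to only one peer per interface (adding the same prefix to a second peer silently moves it), and because the hub already drops packets whose source does not match the sending peer, the place to decide which clients may talk to each other is a forward-chain firewall rule on the hub's wg0, not AllowedIPs.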
@LotsOfCaffeine the idea doesn't, it's better to have a dedicated GPU you can switch on only when you need it, and otherwise keep it off. You save battery life in a mobile laptop.
Now the implementation... That could use some work. -
@IntrusionCM Okay, I... Was about to write down all the different errors I got, but... I got it working.
Turns out the new drivers were just put somewhere else than bumblebee expected them, ending up with an error.
After adding the path, it started working. So... Yay? -
@electrineer I wish, luckily however, we don't get physical meetings with this particular customer, and only do meetings at all when dealing with a particularly nasty issue, or during migration planning and such.
@JeffGregg Hmm... That might be just it. I'll see if I could stuff an ELK stack somewhere on the existing HW. Thanks! -
@IntrusionCM As someone who works in the bottom-end enterprise sector at most, most of our customers couldn't / wouldn't want to pay for a $2000/machine license.
And so, maybe sadly, I know only the open-source free Nginx, yet I still consider it to be much better than Apache by now.
That said... I might take a look at the Tencent fork myself in my free time. Some customers here might benefit from its additions, and maybe, juuuuust maybe, I might be able to get it into use here.
I sounded a little dismissive before, but in retrospect, thank you for bringing it to my attention. I'll see what it can do. -
@IntrusionCM not in the Debian repo => equally as useless :/