@obsolesce said in Fedora 28 KVM Cockpit Doesn't Show All VMs:

Everyone is always waiting for someone else to report bugs and issues, that's why they take so long to get fixed. Not as bad with FOSS, but a big reason with MS for example.

But I don't know that it is a bug. It's reasonable that it might be, but it's just one possibility.

@eddiejennings said in Strange PBX CDR Entries:

I've disallowed SIP guests. We'll see if I get future CDR entries like these.

You won't.

@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!

As reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.

Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted baout DNAT rules in use, so I assumed there were none. There are not by default.

Does your buddy have support from the Resolume people? That would be where I'd start as there are a lot of pieces to this that could be wrong.

@dave247 said in Questions on redundant switch setup:

@pete-s said in Questions on redundant switch setup:

@dave247 said in Questions on redundant switch setup:

@pete-s said in Questions on redundant switch setup:

@jaredbusch said in Questions on redundant switch setup:

@dave247 said in Questions on redundant switch setup:

@pete-s

What kind of firewall and switches are you running?

One option: if you're switches have stacking, then you can put them in a single stack and then create a port group that spans the two switches and then connect that to your NIC teams on the other end. This guards against switch failure, switchport failure, server NIC port failure, Ethernet cable failure, etc..

0_1538492722247_2c736016-a7ca-4c86-96bc-9550d33aa58b-image.png

This adds a level of complexity that you don't have to deal with when using a simple team. But the plus side is higher bandwidth per connected server.

The "switch independant team" what bonding mode is that in linux? Is it mode 1, active/backup policy?

You will have to look at your individual network card's drivers and management software with regards to Linux. AKA, read the manual. My guess is that you're running Broadcom NICs and the management software that I've seen/used is called "Broadcom Advanced Control Suite 4" and the "switch independent mode" or team type is called, "Smart Load Balancing and Failover (SLB)".

I'm all Intel on the NIC side in this case as Supermicro is predominately intel NICs and they are very well supported both in freebsd and linux.

Contrary to Windows, linux actually have bonding of different types in the kernel (a module called bonding). So the drivers don't have to do bonding.

oh nice. I have no idea. I haven't done much with Linux lately. Still, I would read the NIC documentation as it pertains to Linux.

Looking at Dell switches it seems like Dell N1124 will do the job. It's 24x1G switch with 4x10G for uplinks and stacking and has most of the features of it's bigger brothers in the N2000, N3000 series.
Pricing looks very attractive where I'm at (<$400 USD per switch), otherwise it's $1259 in the dell.com store.
I've never used Dell switches though.

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.

Correct. That is the only change I made to their config. I even reran dhparam

Via the ActiveDir list:

https://github.com/CarlWebster

There are some amazing scripts in there for ADDS but also for XenApp, NetScaler, Citrix, and others.

Site: https://carlwebster.com/downloads/download-info/active-directory-2/

@jaredbusch said in mailto alternative for systemd timers:

I would recommend writing the script to take parameters. Because then it is generic and you can plug it in on every system as part of the system setup process.
https://tecadmin.net/pass-command-line-arguments-in-shell-script/

Here's a template that I loosely follow for this:

#!/bin/bash #Script functions function script_help () { echo " Usage: $(basename $0) [options] -a word -a Echos the word you type -h this help text Example: $(basename $0) "-a word exit ${1:-0} } function thing () { echo $variable } #Show help if no arguments or options are passed [[ ! "$*" ]] && script_help 1 OPTIND=1 #Read command line options # A colon after a flag means it takes an argument while getopts "a:ih" opt; do case "$opt" in a) variable=$OPTARG ;; h) script_help ;; \?) script_help 1 ;; esac done shift $(($OPTIND-1)); #Run argument function thing

In this case, it calls the thing function on the argument from the -a flag and also has a help function.

I use wordpress with Wocommerce, integrates with paypal and stripe.

@mroth911 said in How to make 3 node cluster like Scale:

I Understand now. so i wanted to build something that is like "SCALE" meaning the vm's with failover and I can spin up a vm fast. just to understand the technology.

I heard of KVM. Never played with it yet.

KVM is the hypervisor behind Scale (and loads of others.)

So the things you want from your setup are a tiny function of what Scale does. All you are looking for is "high availability virtualization" which is a massively broad category. Scale does it in a very specific way, that is very good. But it's a cat and there are many ways to skin it. Some good, some bad, some just different.

@fateknollogee said in Unifi on Vultr: you 'has mad skillz?:

I don't quite get your answer..does that mean it's too easy or it's not worth the effort?

Basically yes, it is not worth the effort. You can setup apt to update automatically yourself quite trivially.

The same for Let's Encrypt.

Reskimming, I am not sure WTF he is doing with lighttpd I would need to look closer.

But the scripting of the backup to a third party site is going to be totally custom to every install. This is way too complex to setup in a simple script.

It works for him because everything is tied to the Google account.

@stacksofplates said in Remote management of VMs hosted in colocation:

@dashrender said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@stacksofplates said in Remote management of VMs hosted in colocation:

@scottalanmiller said in Remote management of VMs hosted in colocation:

@eddiejennings said in Remote management of VMs hosted in colocation:

Allowing an SSH connection to the managementVM from the Internet

I have not tried this approach yet, and it appears more risky than the Screen Connect approach, since SSH to that VM would be open to the Internet. Unless I'm missing some benefit to this approach, I'll not be using it.

Use a strong key, lock to your IP. Very safe. Add Fail2Ban, of course.

Or add Salt and open/close based on need so it doesn't stay open.

Fail2ban doesn't work with keys.

But it would work normally with people attacking using non-keys, would it not? Or am I missing something about what it would do?

Why would you not require keys? Not making them mandatory defeats the purpose of using them.

I think he means - if a hacker is trying to use a password on a system setup to only allow keys - the fail2ban will block those users, or won't it?

No. It's dropped before fail2ban even sees it.

Oh, makes sense. There is no "attempt" like with a password, it is "already blocked."

@scottalanmiller said in What are you using for Documentation?:

@dashrender said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@scottalanmiller said in What are you using for Documentation?:

@wirestyle22 said in What are you using for Documentation?:

@wrcombs said in What are you using for Documentation?:

I use Google Docs, and the ticketing system ; Im the only one who does write ups on things I think we need to know more about, or are things that will be needed in the future.

I/We don't use any fancy third party software for documentation.

We have infrastructure (Me), DevOps, Desktop Support. I think one person from each team should be responsible for technical documentation. I'd prefer for it to be me but I also have a lot on my plate.

How do you separate infrastructure and DevOps? DevOps is for managing infrastructure.

Infrastructure team is really networking team

Infrastructure teams normally refers to the non-networking ones. Although networking is obviously infrastructure. But SA is normally core infrastructure teams. Enterprise jobs labeled infrastructure are not networking.

Yeah that's just what they are calling us. Not very helpful for me to use the name here though as it's confusing for you guys

You are doing networking now? So mostly switches, routers, routing tables, firewall rules?

What jobs are in that other infrastructure department you're talking about?

System Admin, System Engineering, DevOps, App Support, DBA

Basically this

The size difference on files on my computer was an issue with dropbox on the latest version of Win10. I used my mac to download all files and then moved the Dropbox folder inside OneDrive and got all synced. Apart from some files not being synced all looks good now. I am almost ready to cut Dropbox, part of that I already switched from yearly plan to monthly (was due for renewal on sep), just keeping it a month or two more to finalize.

With the new option of getting MS offoce on unlimited devices and concurrent sign in to 5 devices with the O365 plan ( https://techcommunity.microsoft.com/t5/Office-365-Blog/You-re-about-to-get-even-more-from-your-Office-365-Home-or/ba-p/234907) along with smart sync, I guess its a great deal

@tonyshowoff said in Which Cloud Company Should Get The JEDI Contract?:

Yes it starts with a choice of good companies, but soon enough they'll leave after having to deal with technically incompetent committee members who don't understand what a scope is and the only ones left will be companies absolutely incapable of doing the job.

I can't upvote this enough. This is supposed to pay $10b. I will bet dollars to donuts that whoever gets the contract will A) lose money and B) have about 10 deadline extensions.

And after all that, it will be slapped together and almost unusable because of the red tape and ever moving goal posts of the scope of work.

@manxam said in New Tablet Search:

@scottalanmiller said in New Tablet Search:

Yeah, I get all that. But this is definitely just "normal USB", as it is a normal computer. Concepts unique to mobility don't apply here. So either OTG is a reference to all USB, or it's not applicable here. You would never call the USB port on your laptop or desktop OTG, and unless you do, you don't here.

But it's not a normal computer, it's a hybrid tablet running a Mobile/Tablet only OS utilizing a similar architecture to Android but with Chrome as it's UI instead of android.view/android.webkit.

Not really, it's running a desktop OS, ChromeOS. It's not similar to Android at all, it is in fact nothing but a normal laptop with no included keyboard. It's as much a desktop style device as any desktop you'd ever use. That the form factor is called a tablet is misleading, it would be like calling an iMac a tablet... the only difference between the two is one has a stand included, and one doesn't.

There is nothing "mobile" about this device. Other than it is easy to be mobile with it. Under the hood, it's identical to some of the world's most popular laptops, just with a keyboard sold separately.

Still not showing available.

0_1538331440965_38360ee2-b681-47f7-a178-b759045f012b-image.png

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

Computers in a domain are not syncing time with the Domain Controller (Hyper-V). They are all set to the local CMOS clock.

I had to restrict the ability for local users to change time by themselves. Is the GP that I created preventing the computers from syncing to the domain?

0_1538061340847_1.png
0_1538061350915_2.png

The time can be in different zones and not affect connectivity to the domain as long as it is 5 minutes from the DC time via UTC. Now I would really make the computers to just point to the DC as their NTP Server instead of anything else.

I thought they did by default in a domain.

They should but it is not enforced.

What do I need to do to enforce it? Or point them to the DC to use?

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@dbeato said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

@ccwtech said in Computers not syncing with Domain Controller. Is my GPO blocking it?:

Computers in a domain are not syncing time with the Domain Controller (Hyper-V). They are all set to the local CMOS clock.

I had to restrict the ability for local users to change time by themselves. Is the GP that I created preventing the computers from syncing to the domain?

0_1538061340847_1.png
0_1538061350915_2.png

The time can be in different zones and not affect connectivity to the domain as long as it is 5 minutes from the DC time via UTC. Now I would really make the computers to just point to the DC as their NTP Server instead of anything else.

I thought they did by default in a domain.

They should but it is not enforced.

What do I need to do to enforce it? Or point them to the DC to use?

Enforce the time source on the DC
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

For clients look at this one
https://www.altaro.com/hyper-v/configuring-time-synchronization-for-all-computers-in-windows-domain/

And here it is, subscription Windows licensing seen in the wild.