Posts List

Dynamic haproxy config in SaltStack

If you are anything like me, you like to over-utilize haproxy. SaltStack has a nice feature for files that allows you to add to them from different state files. Say you want to have a stock haproxy config but are sick and tired of having to maintain 5 different versions of it. So our basic formula layout looks like this: packages/haproxy.sls and web/init.sls. The haproxy.sls stores our basic haproxy install and template and makes sure the service is running

Monitor Salt with Monit

Sometimes salt has the tendency to crash, so we can use monit to fix that problem. This assumes you already have the EPEL repo installed: yum install monit. Now with monit installed we can edit the following config, /etc/monit.conf, with the following contents: set daemon 5 with start delay 5 set logfile /var/log/monit.log set idfile /var/lib/monit.id set statefile /var/run/monit.state set mailserver localhost port 25 with timeout 30 seconds set mail-format { from: monit@hostname.

guestfish problems with virt-filesystems

I was trying to use guestfish to increase a qcow2 partition without booting live and fdisking and all that mess. So I tried to run it and was getting: # virt-filesystems --long --parts --blkdevs -h -a disk.qcow2 libguestfs: error: /usr/bin/supermin-helper exited with error status 1. To see full error messages you may need to enable debugging. See http://libguestfs.org/guestfs-faq.1.html#debugging-libguestfs After scratching my head a bit I figured out you need to update the guestfs appliance packages

Openvswitch / KVM / Libvirt / Ubuntu / VLANs the right way

There are a lot of old blog posts out there about getting KVM guests to use different VLANs via openvswitch. A lot of them tell you to create fake bridges, or to create the ports via ovs-vsctl and then tell libvirt to use that created interface or portgroup. Then there are almost no blogs that really say, when you set up openvswitch, this is how you make the interface settings stick. The correct way to do it is this basic flow

Get Mandos working in Ubuntu

I’ve been doing a lot of playing around with full disk encryption. Now there’s one big problem when you do full disk encryption: when the server reboots you are left at a prompt to enter your password to mount the drive. This is solved by a tool called Mandos. This is a client/server tool: the Mandos client is loaded into the initrd image on the server, and on boot it will query the Mandos server, which will send back the encryption key for the client to use.

Verify user's password on the command line

If there’s any chance you need to verify a user’s password on the command line and you are root, you can use openssl with the info from /etc/shadow. So first we want to grab the entry from /etc/shadow: cat /etc/shadow | grep mike. That will give us something that looks like mike:$6$tCFXiZHH$tFN8HZg/hXxYePSLZHVyBWuCFKlyesvKGKefwef2qR.DEKrrkvDUhewfwefuM.kU1HewfwE3HvprG/oMnizG2.:15734:0:99999:7::: So the items we want are the $6 and the $tCFXiZHH. The $6 is important because it tells us the password is hashed with sha512.

SPF DNS Lookup check for Nagios

Did you know that there is a maximum number of DNS lookups that can be done for an SPF check? The number is 10, and that includes any a or mx records along with includes of different hosts. I noticed this when I ran an SPF check on a domain and noticed it was 12. One of the errors is how Zendesk sets up their SPF record. For example, their doc says to use the following

No more apt-get prompts

Sometimes you might be installing a package and don’t want it to prompt at all. Apt will prompt you a lot sometimes if you just do an apt-get install packageName. For example: if you want to install when there are multiple packages; to accept a package from a signed repo that you don’t have the key for; or if you want to keep the old config. So you can run the following

grep only stderr from a command

So sometimes you have a command where you want to grep only stderr. For example, I use Cronic to manage all my cronjobs. It’s really nice since it sends a nicely formatted email back to you if a command returns anything on stderr. Crontab alone will email me if anything on stdout/stderr is printed by a command. There is a problem with cronic though. There’s an app called s3cmd which uploads files to s3, and on large files this output can happen

Remove internal hosts in postfix

A proper way to set up your network is to have a postfix relay server sitting somewhere on your network that every other server has access to via port 25. Now your relay server(s) are the only ones that should have outside access to port 25. All other servers should be firewalled off! So for example, say your email chain looks like this for a new signup: web1.domain.com -> mailserver.domain.com -> internet -> user's mailbox. If the user views the email source they will see that the email started at web1.