Keres: Difference between revisions
From Federal Burro of Information
Jump to navigationJump to search
(28 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Overview == | |||
This machine has put [[Athena]] out of service. | |||
* AMD | * AMD | ||
Line 8: | Line 8: | ||
* centos 7 | * centos 7 | ||
== Hardware == | |||
Mother board: E45M1 - I Deluxe - Mobo - from Martin McCourt - what a guy. | |||
Key Devices: | |||
00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 SATA Controller [AHCI mode] (rev 40) | |||
02:00.0 Network controller: Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01) | |||
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06) | |||
== Services / Apps == | |||
* wiki | |||
* smokeping https://www.quadratic.net/cgi-bin/smokeping.cgi https://192.168.1.98/cgi-bin/smokeping.cgi | |||
=== Grafana Setup === | |||
to do https://grafana.com/docs/grafana/latest/installation/rpm/ | |||
=== Prometheus Setup === | |||
by hand in a screen, ghetto style | |||
/usr/local/prometheus/prometheus-2.14.0.linux-amd64 | |||
./prometheus | |||
<pre> | |||
# my global config | |||
global: | |||
scrape_interval: 1m # Set the scrape interval to every 15 seconds. Default is every 1 minute. | |||
evaluation_interval: 1m # Evaluate rules every 15 seconds. The default is every 1 minute. | |||
# scrape_timeout is set to the global default (10s). | |||
# Alertmanager configuration | |||
alerting: | |||
alertmanagers: | |||
- static_configs: | |||
- targets: | |||
# - alertmanager:9093 | |||
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. | |||
rule_files: | |||
# - "first_rules.yml" | |||
# - "second_rules.yml" | |||
# A scrape configuration containing exactly one endpoint to scrape: | |||
# Here it's Prometheus itself. | |||
scrape_configs: | |||
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config. | |||
- job_name: 'prometheus' | |||
static_configs: | |||
- targets: ['localhost:9090'] | |||
labels: | |||
name: keres | |||
- job_name: 'pi-htu21d' | |||
static_configs: | |||
# - targets: ['192.168.1.113:8000'] | |||
- targets: ['10.23.45.6:8000'] | |||
labels: | |||
name: pi | |||
device: htu21d | |||
- job_name: 'pi-node-exporter' | |||
static_configs: | |||
- targets: ['10.3.45.6:9100'] | |||
labels: | |||
name: pi | |||
- job_name: 'thelaptop' | |||
static_configs: | |||
- targets: ['192.168.1.120:9100'] | |||
labels: | |||
name: thelaptop | |||
</pre> | |||
=== MineCraft Setup === | |||
manual DL of binary jar | |||
by hand: | |||
/data/minecraft_server.1.15.2 | |||
run.sh | |||
#!/bin/sh | |||
java -Xmx1024M -Xms1024M -jar minecraft_server.1.15.2.java nogui | |||
== ID == | |||
users | |||
david 1001 | |||
ashley 1002 | |||
webcam 1003 | |||
groups | |||
users 100 | |||
removed splunk | |||
== Todo == | == Todo == | ||
* OS | * OS - DONE - centos 7 | ||
* firewalld | * firewalld - kicked out , not good logging features, so now have iptables back in and firewalld disabled. | ||
* Wifi | * Wifi - none - disabled for now. | ||
* snmp | |||
* powertop tuning | |||
* systemd bootchart.conf(5) | |||
* services | * services | ||
*** | {| {{table}} | ||
** | | align="center" style="background:#f0f0f0;"|'''Service''' | ||
** | | align="center" style="background:#f0f0f0;"|'''Software''' | ||
** | | align="center" style="background:#f0f0f0;"|'''process''' | ||
** | | align="center" style="background:#f0f0f0;"|'''status''' | ||
| align="center" style="background:#f0f0f0;"|'''notes''' | |||
|- | |||
| firewall||iptables||n/a||DONE||not using firewalld due to lack of default deny log. | |||
|- | |||
| web||apache||httpd||DONE|| | |||
|- | |||
| ntp||chrony||chronyd||DONE|| | |||
|- | |||
| monitoring||misc||n/a||PENDING||still looking at optins, possibly ganglia / collectd / statsd | |||
|- | |||
| sql||mariadb||mysqld||DONE||and backups done. | |||
|- | |||
| dns||isc bind||named||DONE||really need to try something new here. | |||
|} | |||
* web apps: | |||
** wiki - DONE | |||
** pagespeed - https://developers.google.com/speed/pagespeed/module - DONE | |||
* rancid: | |||
** rancid installed : done | |||
** fortigate (http://thedonkeyland.com/blog/2011/07/backing-up-fortinet-fortigate-configs-with-rancid/) | |||
** CVSROOT=/home/rancid/var/rancid/CVS | |||
** one module: firewall ( /home/rancid/var/rancid/firewall ) | |||
* snmp | |||
* acpi | * acpi | ||
* | |||
* https://collectd.org/wiki/index.php/Iptables | |||
* backups | |||
from local disk to freenas | |||
** wiki - done | |||
** mysql done | |||
** system config ( etc etc? ) | |||
== Done == | == Done == | ||
Line 37: | Line 184: | ||
== | == Interfaces == | ||
ip link set wlp2s0 down | |||
== Firewall == | |||
ports and services | |||
<pre> | |||
22 | |||
53 pihole | |||
80 | |||
8080 pihole | |||
8443 pihole | |||
443 ?? | |||
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1121/postgres | |||
tcp 0 0 0.0.0.0:45055 0.0.0.0:* LISTEN - | |||
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN - | |||
tcp 0 0 192.168.1.98:514 0.0.0.0:* LISTEN 20562/syslog-ng | |||
tcp 0 0 0.0.0.0:53991 0.0.0.0:* LISTEN 1058/rpc.statd | |||
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1455/mysqld | |||
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1050/redis-server 1 | |||
tcp 0 0 0.0.0.0:26379 0.0.0.0:* LISTEN 1053/redis-sentinel | |||
tcp6 0 0 :::2049 :::* LISTEN - | |||
tcp6 0 0 :::26379 :::* LISTEN 1053/redis-sentinel | |||
tcp6 0 0 :::39662 :::* LISTEN - | |||
</pre> | |||
<pre> | <pre> | ||
[ | # Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016 | ||
*filter | |||
:INPUT ACCEPT [0:0] | |||
:FORWARD ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
:DOCKER - [0:0] | |||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A INPUT -p icmp -j ACCEPT | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT -p udp -m multiport --dports 67,68,8612 -j DROP | |||
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 514 -j ACCEPT | |||
-A INPUT -s 192.168.1.97/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 2145 -j ACCEPT | |||
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 5514 -j ACCEPT | |||
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 5514 -j ACCEPT | |||
-A INPUT -s 192.168.1.99/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT | |||
-A INPUT -s 192.168.1.135/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT | |||
-A INPUT -s 74.213.172.121/32 -d 192.168.1.98/32 -p tcp -m multiport --dports 9200 -j ACCEPT | |||
-A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p tcp -m multiport --dports 8000,9200 -j ACCEPT | |||
-A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p udp -m multiport --dports 123 -j ACCEPT | |||
-A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT | |||
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,53,80,443,3000 -j ACCEPT | |||
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT " | |||
-A INPUT -j REJECT --reject-with icmp-host-prohibited | |||
-A FORWARD -o docker0 -j DOCKER | |||
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT | |||
-A FORWARD -i docker0 -o docker0 -j ACCEPT | |||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited | |||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A OUTPUT -d 224.0.0.22/32 -j ACCEPT | |||
-A OUTPUT -s 192.168.1.98/32 -j ACCEPT | |||
-A OUTPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 | |||
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 | |||
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT | |||
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT " | |||
COMMIT | |||
# Completed on Mon Jul 11 10:52:12 2016 | |||
# Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016 | |||
*nat | |||
:PREROUTING ACCEPT [4048612:479815547] | |||
:INPUT ACCEPT [1897626:154434964] | |||
:OUTPUT ACCEPT [17436175:1078002115] | |||
:POSTROUTING ACCEPT [17436175:1078002115] | |||
:DOCKER - [0:0] | |||
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |||
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |||
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE | |||
COMMIT | |||
# Completed on Mon Jul 11 10:52:12 2016 | |||
</pre> | |||
== hfs plus == | |||
mac Files ystem stupport | |||
== Yum repos == | |||
<pre> | |||
(1/8): docker-ce-stable/x86_64/primary_db | 70 kB 00:00:01 | |||
(2/8): epel/x86_64/updateinfo | 1.0 MB 00:00:01 | |||
(3/8): google-cloud-sdk/primary | 271 kB 00:00:01 | |||
(4/8): grafana/primary_db | 125 kB 00:00:00 | |||
(5/8): ius/x86_64/primary | 99 kB 00:00:00 | |||
(6/8): epel/x86_64/primary_db | 7.0 MB 00:00:05 | |||
(7/8): elrepo/primary_db | 542 kB 00:00:05 | |||
(8/8): updates/7/x86_64/primary_db | |||
</pre> | </pre> | ||
== Software outside of YUM == | |||
* mediawiki - source install. | |||
* https://developers.google.com/speed/pagespeed/module https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_x86_64.rpm | |||
== See Also == | == See Also == | ||
Line 71: | Line 298: | ||
[[Category: server]] | [[Category: server]] | ||
[[Category: Computers]] |
Latest revision as of 05:39, 21 January 2022
Overview
This machine has put Athena out of service.
- AMD
- centos 7
Hardware
Mother board: E45M1 - I Deluxe - Mobo - from Martin McCourt - what a guy.
Key Devices:
00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 SATA Controller [AHCI mode] (rev 40) 02:00.0 Network controller: Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01) 03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
Services / Apps
- wiki
- smokeping https://www.quadratic.net/cgi-bin/smokeping.cgi https://192.168.1.98/cgi-bin/smokeping.cgi
Grafana Setup
to do https://grafana.com/docs/grafana/latest/installation/rpm/
Prometheus Setup
by hand in a screen, ghetto style
/usr/local/prometheus/prometheus-2.14.0.linux-amd64
./prometheus
# my global config global: scrape_interval: 1m # Set the scrape interval to every 15 seconds. Default is every 1 minute. evaluation_interval: 1m # Evaluate rules every 15 seconds. The default is every 1 minute. # scrape_timeout is set to the global default (10s). # Alertmanager configuration alerting: alertmanagers: - static_configs: - targets: # - alertmanager:9093 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: # - "first_rules.yml" # - "second_rules.yml" # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. scrape_configs: # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config. - job_name: 'prometheus' static_configs: - targets: ['localhost:9090'] labels: name: keres - job_name: 'pi-htu21d' static_configs: # - targets: ['192.168.1.113:8000'] - targets: ['10.23.45.6:8000'] labels: name: pi device: htu21d - job_name: 'pi-node-exporter' static_configs: - targets: ['10.3.45.6:9100'] labels: name: pi - job_name: 'thelaptop' static_configs: - targets: ['192.168.1.120:9100'] labels: name: thelaptop
MineCraft Setup
manual DL of binary jar
by hand:
/data/minecraft_server.1.15.2
run.sh
#!/bin/sh java -Xmx1024M -Xms1024M -jar minecraft_server.1.15.2.java nogui
ID
users
david 1001 ashley 1002 webcam 1003
groups
users 100
removed splunk
Todo
- OS - DONE - centos 7
- firewalld - kicked out , not good logging features, so now have iptables back in and firewalld disabled.
- Wifi - none - disabled for now.
- snmp
- powertop tuning
- systemd bootchart.conf(5)
- services
Service | Software | process | status | notes |
firewall | iptables | n/a | DONE | not using firewalld due to lack of default deny log. |
web | apache | httpd | DONE | |
ntp | chrony | chronyd | DONE | |
monitoring | misc | n/a | PENDING | still looking at optins, possibly ganglia / collectd / statsd |
sql | mariadb | mysqld | DONE | and backups done. |
dns | isc bind | named | DONE | really need to try something new here. |
- web apps:
- wiki - DONE
- pagespeed - https://developers.google.com/speed/pagespeed/module - DONE
- rancid:
- rancid installed : done
- fortigate (http://thedonkeyland.com/blog/2011/07/backing-up-fortinet-fortigate-configs-with-rancid/)
- CVSROOT=/home/rancid/var/rancid/CVS
- one module: firewall ( /home/rancid/var/rancid/firewall )
- snmp
- acpi
- backups
from local disk to freenas
- wiki - done
- mysql done
- system config ( etc etc? )
Done
- nfs setup / data exported
athena -> keres data sync
time /usr/bin/rsync -avzr /etc/ /mnt/keres/data/athena/etc --stats time /usr/bin/rsync -avzr /var/bind/ /mnt/keres/data/athena/var/bind --stats
Interfaces
ip link set wlp2s0 down
Firewall
ports and services
22 53 pihole 80 8080 pihole 8443 pihole 443 ?? tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1121/postgres tcp 0 0 0.0.0.0:45055 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN - tcp 0 0 192.168.1.98:514 0.0.0.0:* LISTEN 20562/syslog-ng tcp 0 0 0.0.0.0:53991 0.0.0.0:* LISTEN 1058/rpc.statd tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1455/mysqld tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1050/redis-server 1 tcp 0 0 0.0.0.0:26379 0.0.0.0:* LISTEN 1053/redis-sentinel tcp6 0 0 :::2049 :::* LISTEN - tcp6 0 0 :::26379 :::* LISTEN 1053/redis-sentinel tcp6 0 0 :::39662 :::* LISTEN -
# Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :DOCKER - [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p udp -m multiport --dports 67,68,8612 -j DROP -A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 514 -j ACCEPT -A INPUT -s 192.168.1.97/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 2145 -j ACCEPT -A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 5514 -j ACCEPT -A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 5514 -j ACCEPT -A INPUT -s 192.168.1.99/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT -A INPUT -s 192.168.1.135/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT -A INPUT -s 74.213.172.121/32 -d 192.168.1.98/32 -p tcp -m multiport --dports 9200 -j ACCEPT -A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p tcp -m multiport --dports 8000,9200 -j ACCEPT -A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p udp -m multiport --dports 123 -j ACCEPT -A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,53,80,443,3000 -j ACCEPT -A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT " -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -d 224.0.0.22/32 -j ACCEPT -A OUTPUT -s 192.168.1.98/32 -j ACCEPT -A OUTPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT " COMMIT # Completed on Mon Jul 11 10:52:12 2016 # Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016 *nat :PREROUTING ACCEPT [4048612:479815547] :INPUT ACCEPT [1897626:154434964] :OUTPUT ACCEPT [17436175:1078002115] :POSTROUTING ACCEPT [17436175:1078002115] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE COMMIT # Completed on Mon Jul 11 10:52:12 2016
hfs plus
mac Files ystem stupport
Yum repos
(1/8): docker-ce-stable/x86_64/primary_db | 70 kB 00:00:01 (2/8): epel/x86_64/updateinfo | 1.0 MB 00:00:01 (3/8): google-cloud-sdk/primary | 271 kB 00:00:01 (4/8): grafana/primary_db | 125 kB 00:00:00 (5/8): ius/x86_64/primary | 99 kB 00:00:00 (6/8): epel/x86_64/primary_db | 7.0 MB 00:00:05 (7/8): elrepo/primary_db | 542 kB 00:00:05 (8/8): updates/7/x86_64/primary_db
Software outside of YUM
- mediawiki - source install.
- https://developers.google.com/speed/pagespeed/module https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_x86_64.rpm