Keres: Difference between revisions

From Federal Burro of Information
Latest revision as of 05:39, 21 January 2022

Overview

This machine has put Athena out of service.

  • AMD
  • centos 7

Hardware

Motherboard: E45M1 - I Deluxe - from Martin McCourt - what a guy.

Key Devices:

00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 SATA Controller [AHCI mode] (rev 40)
02:00.0 Network controller: Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)


Services / Apps


Grafana Setup

to do https://grafana.com/docs/grafana/latest/installation/rpm/

Prometheus Setup

Started by hand inside a screen session, quick-and-dirty style:

/usr/local/prometheus/prometheus-2.14.0.linux-amd64
./prometheus
# my global config
global:
  scrape_interval:     1m # Set the scrape interval to every 1 minute (the default).
  evaluation_interval: 1m # Evaluate rules every 1 minute (the default).
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'
    static_configs:
    - targets: ['localhost:9090']
      labels:
        name: keres
  - job_name: 'pi-htu21d'
    static_configs:
    # - targets: ['192.168.1.113:8000']
    - targets: ['10.23.45.6:8000']
      labels:
        name: pi
        device: htu21d
  - job_name: 'pi-node-exporter'
    static_configs:
    - targets: ['10.3.45.6:9100']
      labels:
        name: pi
  - job_name: 'thelaptop'
    static_configs:
    - targets: ['192.168.1.120:9100']
      labels:
        name: thelaptop

MineCraft Setup

Manual download of the server jar, run by hand from:

/data/minecraft_server.1.15.2

run.sh

#!/bin/sh
java -Xmx1024M -Xms1024M -jar minecraft_server.1.15.2.jar nogui

ID

users

david 1001
ashley 1002
webcam 1003

groups

users 100

removed splunk

Todo

  • OS - DONE - centos 7
  • firewalld - dropped: no usable logging of denied packets, so iptables is back in and firewalld is disabled.
  • Wifi - none - disabled for now.
  • snmp
  • powertop tuning
  • systemd bootchart.conf(5)


  • services

Service     Software   Process   Status    Notes
firewall    iptables   n/a       DONE      not using firewalld due to lack of default deny log.
web         apache     httpd     DONE
ntp         chrony     chronyd   DONE
monitoring  misc       n/a       PENDING   still looking at options, possibly ganglia / collectd / statsd
sql         mariadb    mysqld    DONE      and backups done.
dns         isc bind   named     DONE      really need to try something new here.

  • snmp
  • acpi
  • backups

from local disk to freenas

    • wiki - done
    • mysql - done
    • system config ( etc etc? )

Done

  • nfs setup / data exported

athena -> keres data sync

time /usr/bin/rsync -avzr /etc/ /mnt/keres/data/athena/etc --stats
time /usr/bin/rsync -avzr /var/bind/ /mnt/keres/data/athena/var/bind --stats



Interfaces

ip link set wlp2s0 down


Firewall

ports and services

22
53 pihole
80
8080 pihole
8443 pihole

443 ??

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1121/postgres
tcp        0      0 0.0.0.0:45055           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.98:514        0.0.0.0:*               LISTEN      20562/syslog-ng
tcp        0      0 0.0.0.0:53991           0.0.0.0:*               LISTEN      1058/rpc.statd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1455/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1050/redis-server 1
tcp        0      0 0.0.0.0:26379           0.0.0.0:*               LISTEN      1053/redis-sentinel
tcp6       0      0 :::2049                 :::*                    LISTEN      -
tcp6       0      0 :::26379                :::*                    LISTEN      1053/redis-sentinel
tcp6       0      0 :::39662                :::*                    LISTEN      -


# Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68,8612 -j DROP
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.1.97/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 2145 -j ACCEPT
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 5514 -j ACCEPT
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p tcp -m tcp --dport 5514 -j ACCEPT
-A INPUT -s 192.168.1.99/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT
-A INPUT -s 192.168.1.135/32 -d 192.168.1.98/32 -p tcp -m tcp --sport 5514 -j ACCEPT
-A INPUT -s 74.213.172.121/32 -d 192.168.1.98/32 -p tcp -m multiport --dports 9200 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p tcp -m multiport --dports 8000,9200 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p udp -m multiport --dports 123 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,53,80,443,3000 -j ACCEPT
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 224.0.0.22/32 -j ACCEPT
-A OUTPUT -s 192.168.1.98/32 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p udp -m udp --dport 53
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUTPUT "
COMMIT
# Completed on Mon Jul 11 10:52:12 2016
# Generated by iptables-save v1.4.21 on Mon Jul 11 10:52:12 2016
*nat
:PREROUTING ACCEPT [4048612:479815547]
:INPUT ACCEPT [1897626:154434964]
:OUTPUT ACCEPT [17436175:1078002115]
:POSTROUTING ACCEPT [17436175:1078002115]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 11 10:52:12 2016
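Cross-checking the listening sockets against the INPUT chain is the check worth doing after a dump like the one above: which of the services bound to 0.0.0.0 can actually be reached, and from where. The script below is an added example, not part of the original page. It parses `netstat` LISTEN lines and iptables-save rules and, for each socket, reports the first INPUT rule that would decide a new connection (first match wins, as in iptables; `-d` and interface matches are ignored, and IPv6 sockets are reported separately because only the IPv4 table is shown here). The sshd and grafana-server socket lines are constructed additions so that one "reachable from anywhere" case appears; every other socket and rule comes from the listings on this page. It also lists rules with no `-j` target, as two of the OUTPUT rules above have.

```python
import ipaddress
import shlex

# Listening sockets from the netstat listing on this page. The sshd and
# grafana-server lines are constructed additions, not from the page.
NETSTAT = """\
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1121/postgres
tcp        0      0 0.0.0.0:45055           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.98:514        0.0.0.0:*               LISTEN      20562/syslog-ng
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1455/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1050/redis-server 1
tcp        0      0 0.0.0.0:26379           0.0.0.0:*               LISTEN      1053/redis-sentinel
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      2200/grafana-server
tcp6       0      0 :::2049                 :::*                    LISTEN      -
"""

# The INPUT chain from the iptables-save dump on this page (rules for ports
# that no socket above listens on are left out), plus one OUTPUT rule that
# has no -j target.
RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68,8612 -j DROP
-A INPUT -s 192.168.1.28/32 -d 192.168.1.98/32 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.98/32 -p tcp -m multiport --dports 8000,9200 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,5353 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,53,80,443,3000 -j ACCEPT
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "INPUT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -s 192.168.1.0/24 -p udp -m udp --dport 53
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# matches that make a rule irrelevant to a brand-new inbound connection
NARROWING = {"-i", "-o", "--sport", "--sports", "--limit", "--icmp-type"}


def parse_rule(line):
    """Reduce one `-A CHAIN ...` line to the fields the audit needs."""
    toks = shlex.split(line)            # keeps the quoted "INPUT " prefix as one token
    rule = {"chain": toks[1], "src": "0.0.0.0/0", "proto": None, "ports": set(),
            "target": None, "narrowed": False, "raw": line}
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-s":
            rule["src"] = nxt
        elif t == "-p":
            rule["proto"] = nxt
        elif t in ("--dport", "--dports"):
            for p in nxt.split(","):
                lo, _, hi = p.partition(":")       # multiport also allows lo:hi ranges
                rule["ports"].update(range(int(lo), int(hi or lo) + 1))
        elif t == "-j":
            rule["target"] = nxt
        elif t in NARROWING or (t in ("--state", "--ctstate") and "NEW" not in nxt.split(",")):
            rule["narrowed"] = True     # e.g. RELATED,ESTABLISHED never matches a new SYN
    return rule


def load_rules(text):
    """Return (rules, chain policies) from iptables-save output."""
    rules, policy = [], {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, pol = line.split()[:2]
            policy[chain[1:]] = pol
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return rules, policy


def rules_without_target(rules):
    """A rule with no -j only updates counters; usually a forgotten ACCEPT or DROP."""
    return [r["raw"] for r in rules if r["target"] is None]


def parse_netstat(text):
    """Listening sockets from `netstat -tlnp` style lines."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[5] == "LISTEN":
            ip, port = parts[3].rsplit(":", 1)
            socks.append({"proto": parts[0], "ip": ip, "port": int(port),
                          "program": " ".join(parts[6:]) or "-"})
    return socks


def verdict(sock, rules, policy):
    """What the INPUT chain does with a new connection to this socket (first match wins)."""
    if sock["proto"].endswith("6"):
        return "ipv6 socket: not covered by this IPv4 ruleset, check ip6tables"
    if ipaddress.ip_address(sock["ip"]).is_loopback:
        return "loopback only"
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] not in TERMINAL or r["narrowed"]:
            continue
        if r["proto"] not in (None, sock["proto"]):
            continue
        if r["ports"] and sock["port"] not in r["ports"]:
            continue
        return f"{r['target']} from {r['src']}"
    return f"{policy.get('INPUT', 'ACCEPT')} (chain policy)"


def audit(netstat_text, rules_text):
    """(proto, port, program, verdict) for every listening socket."""
    rules, policy = load_rules(rules_text)
    return [(s["proto"], s["port"], s["program"], verdict(s, rules, policy))
            for s in parse_netstat(netstat_text)]


def reachable_from_anywhere(netstat_text, rules_text):
    """Ports that any source address may open a new connection to."""
    return sorted(port for _, port, _, v in audit(netstat_text, rules_text)
                  if v == "ACCEPT from 0.0.0.0/0")


if __name__ == "__main__":
    for proto, port, prog, v in audit(NETSTAT, RULES):
        print(f"{proto:<5} {port:>6}  {prog:<22} {v}")
    for raw in rules_without_target(load_rules(RULES)[0]):
        print("no target:", raw)
```

On this page's data the result is reassuring: mysqld, NFS, rpc.statd and redis-sentinel listen on 0.0.0.0 but fall through to the final REJECT, and syslog-ng's TCP/514 listener is rejected too because the only 514 rule is for UDP from 192.168.1.28. The script is a static model, so it knows nothing about ip6tables, `-d`, or interfaces; the authoritative answer is still to test the port from another host.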

hfs plus

Mac file system support


Yum repos

(1/8): docker-ce-stable/x86_64/primary_db  |  70 kB  00:00:01
(2/8): epel/x86_64/updateinfo              | 1.0 MB  00:00:01
(3/8): google-cloud-sdk/primary            | 271 kB  00:00:01
(4/8): grafana/primary_db                  | 125 kB  00:00:00
(5/8): ius/x86_64/primary                  |  99 kB  00:00:00
(6/8): epel/x86_64/primary_db              | 7.0 MB  00:00:05
(7/8): elrepo/primary_db                   | 542 kB  00:00:05
(8/8): updates/7/x86_64/primary_db

Software outside of YUM

See Also