If you use third party APT sources you might end up with unmaintained packages after removing the external source or performing a dist-upgrade. The reason for this is how external sources overwrite official package versions.
apt-forktracer
helps you to identify such packages:
APT will not warn you when newer versions of official packages (point releases, security updates) will appear in the stable release. This means you may miss some important change.
This is the output of `apt...
It's quite confusing how many external displays are usable with a MacBook that uses an M1 or M2 Chip. Documentation on the Internet is sparse and not even the Geniuses at the Genius Bar are 100% sure. We found out some things and can explain the backgrounds.
tl;dr: when using a dock for your MacBook, using more than one external display is only possible with workarounds.
Whenever you're considering using more than 1 external display, it makes sense to consider using a Docking Station for your Laptop of some sort. Af...
Intel CPUs receive updates, including security relevant upgrades, through 2 channels:
intel-microcode
package can patch the microcode in the CPU at boot time, given the kernel is cooperating. This patch is ephemeral and will be lost after a processor hard-reset or power-off.Yes. From the README.Debian.gz
in the intel-microcode
package:
While most of the microcode up...
When you are using the default MIME-Type configuration and your application allows uploading files, it can be a security issue.
A user uploads a file with HTML/JavaScript content using no file extension.
In the Apache default configuration if you access the file it will have no Content-Type
. Some browsers will guess/autodetect it as HTML and now you are vulnerable to XSS.
To prevent this, you can set a default Content-Type (e.g. plain/text
or application/octet-stream
).
If you want to perform a failover on another haproxy backend server this is the way you should do it:
Note: Please mind that the names of frontends / backends / servers are only examples. Mind this when you want to use the shown CLI commands. The path to the haproxy socket may also vary.
Example: We have two MySQL servers with Master-Master replication configured as backends in haproxy.
Your frontend / backend looks like this in hatop
:
| NAME | W | STATUS | CHECK | ACT | BCK | QCUR...
When using tmux
, selecting and copying multiple lines of text can be a hassle, especially when using splits (highlighting lines will cross pane borders, copying contents from the other pane too) and when the user wishes to copy (thus, select) lines that have already scrolled out of the viewport in the current pane.
One idea would be to enable mouse mode in tmux, which makes the selection tmux aware. However, this will no longer populate the selection clipboard of the graphical environment, limiting copying and pasting to the same tmux ins...
A convenient way to test SNS Subscription Filter Policies is using an email address as the subscription endpoint. However, for this to work when the filter is applied to the MessageBody
the protocol must be set to email-json
. Using the email
protocol will change the message format and filtering will not work as expected.
It is possible to manipulate the forwarded ports of an established interactive SSH session.
This is done by opening the command line with the escape character ~C
. This will open a ssh>
prompt. If it doesn't, make sure it's the first character in a line, i.e. press enter first.
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
-KL[bind_address:]port ...
When you're using a third party repository on your Ubuntu or Debian system and need to find out which packages are available in this repo and which versions, you can consult the local apt
cache.
In /var/lib/apt/lists
you'll find a lot of *_Packages
files that list the contents of apt repositories. Most repositories will have one file for the i386
architecture and one for the amd64
architecture. Make sure to pick the correct one.
To list the contents of the repository, view the respective files or, for a short summary:
/...
We recently encountered a problem with GlusterFS (7.x) when an application used the flock
syscall on a GlusterFS path. If somehow two flock
syscalls are made at the same time, the lock will never be released. And all future flock
syscalls will wait forever.
This problem doesn't happen only on our infrastructure. There are a lot of bugreports, e.g.:
A lot of web applications require being called over https
, which is a good thing. It's possible to configure this requirement at the web- or proxy server level, where nginx
or apache
will just redirect every request on http
to https
. Some applications additionally detect if the URL they've been called with contains the http
or the https
scheme and issue their own redirect response (usually 301
or 302
) to https
. This card is for the later kind.
When you want to test your application directly on the VM it...
It is a good idea to use named variables for storing parameters of a script or function. We can use parameter expansion to either set a default or check mandatory arguments
hello() {
NAME=${1:?provide name as first parameter}
echo "Hello $NAME!"
}
$ hello # $?=1
bash: 1: provide name as first parameter
$ hello Foo # $?=1
Hello Foo!
hello() {
NAME=${1:-Marvin}
echo "Hello $NAME!"
}
$ hello # $?=0
Hello Marvin!
$ hello Foo # $?=1
Hello Foo!
The connection tracking system often referenced as nf_conntrack
is part of the Netfilter framework. It allows the Linux kernel to keep track of all logical network connections and sessions. In combination with iptables
this feature is used to achieve a stateful firewall.
nf_conntrack
?All connections are stored in the connection tracking table. The size of the tracking table is based o...
The puppet master caches custom functions. If you edit an existing function (e.g. while you’re developing it), you’ll need to restart the puppet master before the new version can be used.
That also means you can't test functions in a different puppet environment. And also if you have changed functions in a different puppet environment (where you e.g. test some new module version) and this environment runs at first after a puppetmaster restart, you have this changed functions also in your production environment.
Changes in `modules/$FOOBA...
With passenger-status --show=requests
you can get a huge JSON showing current information about the running passenger processes.
This can be useful if you want to find out what a passenger process is doing at the moment (for e.g. if one worker seems to be stuck):
* PID: 4273 Sessions: 1 Processed: 47 Uptime: 50m 53s
CPU: 43% Memory : 3644M Last used: 49m 24s ago
Shutting down...
This passenger process is using too much memory and seems it's Last used
timestamp is old. The worker is processing a ...
The terraform documentation states the ...
syntax as (grouping mode*. See: Grouping-Results).
But this seems not the be the whole truth. Instead the ...
syntax behaves like Go's Ellipsis expression which is used to pass a list as multiple parameters to a Variadic Function.
You can use this behavior for example if you want to merge a list
of maps
into one map:
locals {
list_of_ma...
journalctl _CMDLINE=dockerd
journalctl SYSLOG_IDENTIFIER=podman
journalctl -o verbose
journalctl -o json | jq
You can add this function to your .bashrc
(or the configuration file of the shell your using instead):
man() {
LESS_TERMCAP_mb=$'\e'"[1;31m" \
LESS_TERMCAP_md=$'\e'"[1;31m" \
LESS_TERMCAP_me=$'\e'"[0m" \
LESS_TERMCAP_se=$'\e'"[0m" \
LESS_TERMCAP_so=$'\e'"[1;44;33m" \
LESS_TERMCAP_ue=$'\e'"[0m" \
LESS_TERMCAP_us=$'\e'"[1;32m" \
command man "$@"
}
When a nginx reverse proxy complains about upstreams sending too big headers, tweaking the buffers responsibly can help to prevent this issue.
Example log message:
upstream sent too big header while reading response header from upstream, client: 192.0.2.100, server: localhost, request: "GET /index.html HTTP/1.1", upstream: "http://198.51.100.123:80/index.html", host: "192.0.2.10:80"
This behaviour was caused by an application that transforms parts of the query from the URL into a response header. If the query in the ...
A severe bug was found in ImageMagick by Bryan Gonzalez from Ocelot Team.
It allows to embed the content of an arbitrary remote file when ImageMagick parses PNG files.
We found lots of older versions of ImageMagick to be vulnerable.
So far there is no information on updated Packages for Ubuntu (https://ubuntu.com/security/CVE-2022-44268).
Due to that we patched our systems as follows:
Get package source on a Ubuntu 22.04 syst...
If you want to check the configuration of a running JVM process you can use jcmd
.
List the running processes:
$ jcmd -l
1 /app.jar
140 jdk.jcmd/sun.tools.jcmd.JCmd -l
The first column shows the PID
of the process.
Print system configuration with the PID:
$ jcmd 1 VM.system_properties
1:
#Thu Jan 26 10:34:20 UTC 2023
java.specification.version=17
sun.jnu.encoding=UTF-8
java.class.path=/app.jar
java.vm.vendor=Eclipse Adoptium
sun.arch.data.model=64
catalina.use...
If you have for e.g. a Java application which outputs multiline stack traces inside a container running in kubernetes you might wonder how you can concat alle these lines to a single log message in fluent-bit
. If fluent-bit is receiving the log output directly you can just set the multiline.parser
to java
. But when you're reading the logs from /var/log/containers
this is not possible, because every line of the log message is logged in the CRI log format. This means that every line of the log becomes a JSON
object containing addit...
To delete a specific redis-DB you need to use the FLUSHDB
-command in combination with the SELECT
-command. For more information have a look at the documentation for FLUSHDB and SELECT.
Attention
By default when connecting to a redis-instance you always connect with
db0
.
When connecting to the db you can list your keyspaces/databases with:
# Show info about all databases
127.0.0.1:6379> INFO keyspace
# Keyspace
db0:keys=2674,expires=2663,avg_ttl=99821...
You can execute systemctl --user --failed
to check for failed systemd user units. But let's face it: It's inconvenient and you'll probably miss failures. Better use desktop notifications.
Add a OnFailure
handler to all user units.
[Unit]
OnFailure=user-failure-notification@%n
Add a template service unit which sends the notifications. The instance variable %i
is replaced by the calling unit.