fix clamav freshclam failing database updates

If freshclam updates are failing even though the update servers are available, and you find error messages like the following in the log, you may have outdated or wrong data in freshclam's data files:

Thu Mar 29 12:49:52 2018 -> ClamAV update process started at Thu Mar 29 12:49:52 2018
Thu Mar 29 12:49:52 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Mar 29 12:49:52 2018 -> WARNING: getpatch: Can't download daily-24428.cdiff from
Thu Mar 29 12:49:52 2018 -> WARNING: getpat...

Capistrano 3: assets:precompile only on one server


This should not be necessary in any case and is only for special cases, e.g. if the assets directory is linked to a shared storage (e.g. glusterfs). Please mind that it isn't wise to move your assets directory to a shared storage. The data in this directory should always be reproducible on all appservers when executing an assets precompile (so you don't need to sync this data). Other data should not be stored in the assets directory.
User uploads or files generated by requests should be stored in public/system.


Test websocket connections

You can use wscat:

sudo apt-get install node-ws
wscat -c ws://
connected (press CTRL+C to quit)
> foo

< foo
> bar

< bar

Graphite: reset a user's password

If a user's password for is unknown, one can set it like this:

sudo python /opt/graphite/webapp/graphite/ changepassword ${USERNAME}

dumping and restoring PostgreSQL databases

This card is just about creating simple PostgreSQL dumps. This is no instruction for a backup strategy nor a guide for SQL dump performance optimization.

Read before starting

  • I will assume that all commands will be executed as local postgres user on a database server master. Please mind that you should stop the replication on a slave PostgreSQL server before creating dumps
  • Dumps can get huge, be careful so that the system running a production PostgreSQL won't run out of disk space
  • dumps should always be gzipped to reduce the siz...

controlling multiple PostgreSQL installations on Debian/Ubuntu

This applies only to distributions based on Debian.

If you have multiple Postgres versions installed on a server and want to start/stop/restore/.. them separately, you need to use pg_ctlcluster.

Usage: /usr/bin/pg_ctlcluster <version> <cluster> <action>

For example:

/usr/bin/pg_ctlcluster 9.5 main start

With systemd you can start/stop the services via:

systemctl <action> postgresql@<version>-<cluster>.service

For example:

systemctl start postgresql@10-main.service



The Version of P...

How to remove cloud init from ubuntu

If you're trying to start a cloud-init based Ubuntu VM with KVM you will suffer long boot times and confusing output on the terminal. If you want to get rid of it you need to remove cloud-init.

  1. wait until the VM boots
  2. log in
  3. echo 'datasource_list: [ None ]' | sudo -s tee /etc/cloud/cloud.cfg.d/90_dpkg.cfg
  4. sudo apt-get purge cloud-init
  5. sudo rm -rf /etc/cloud/; sudo rm -rf /var/lib/cloud/
  6. reboot

Disable only

Touch the file /etc/cloud/cloud-init.disabled or use the kernel parameter cloud-init=disabled to disabl...

stopping / restarting libvirt on Ubuntu 16.04 with systemd

Because systemd is the greatest thing ever it's not enough to stop the libvirt service. You need to disable the libvirt socket too.

sudo systemctl stop libvirt-bin
sudo systemctl stop libvirt-bin.socket
sudo systemctl start libvirt-bin

HowTo: verify SSL private key matches SSL certificate

When receiving a new SSL certificate for an existing SSL key, it should be checked that they match cryptographically.
Maybe the customer accidentally created a new key and certificate and sent us just the certificate.

It's also possible that the certificate chain is in the wrong order. Make sure that the server certificate is the first. This is also necessary for nginx.

It is recommended to pipe the public keys of both files through a hashing algorithm to identify differences more easily. Instead of comparing the modulus the same syntax appli...

Lenovo Laptop BIOS Update with Linux

You will need to look here and find your own device. Look for the "bootable CD" download, which will give you an ISO file.

Then you need a Perl script from the internet (I attached it too, because, you know. Internet.) to extract the El Torito boot image from the Lenovo-supplied ISO.

Pro-Tip: Don't clic...

How to unban host with Fail2ban

To see all jails:

fail2ban-client status

Our $JAIL is usually ssh.

To see which IPs are banned currently:

fail2ban-client status ssh

If you want to unban a host banned by fail2ban on Ubuntu 14.04 or later use this method:

fail2ban-client set $JAIL unbanip $IP
#example with a jail named ssh
fail2ban-client set ssh unbanip

Please don't try to undo the ban by deleting the iptables rule. Fail2ban still has the ban stored and will recreate the rule if it is missing.

On 12.04 hosts fail2ban ...

create htpasswd entry and print to stdout

Create htpasswd entry and print to stdout:

$ sudo apt install apache2-utils # Optional

$ htpasswd -n $USERNAME
New password: 
Re-type new password: 
$USERNAME:<Password Hash>

Linux performance analysis

Brendan Gregg is the Linux performance god. Use the information in this link to find out what ways there are for performance analysis.
This link shows the more sophisticated way and encourages you to dig deeper for optimizing your system. If you're in a hurry, look at Linux Performance Analysis in 60,000 Milliseconds.

puppet variable variable name


We want to make the following firewall rule applicable to different network interfaces (e.g. for different environments) with just one variable:

firewall { "010-reject-port":
  ensure      => present,
  dport       => [ 80 ],
  destination => $::ipaddress_eth0,
  proto       => 'tcp',
  action      => 'drop',
  iniface     => 'eth0',
}

We can create a $firewall_interface variable and apply it to iniface, but how can we ensure that the correct ipaddress fact of the corresponding interface is used for `destina...

Bash: Find out the exit codes of all piped commands

Bash stores the exit status of piped commands in the shell variable PIPESTATUS.

So you can just echo ${PIPESTATUS[@]} to get them all.

13:52:30 ✔ claus:~$ ps ax | grep /usr/bin/ruby
13205 pts/20   S+     0:00 grep --color=auto /usr/bin/ruby

13:52:43 ✔ claus:~$ echo ${PIPESTATUS[@]}
0 0

PIPESTATUS is an array, so you can get the exit code of a specific command (first pipe):

13:54:20 ✔ claus:~$ echo ${PIPESTATUS[1]}

get debug output for puppetmaster running with passenger

If you need the debug output of the puppetmaster running with passenger you have to uncomment this setting in the

#ARGV << "--debug"

If you don't know where your is, check the Apache DocumentRoot. It's in /path/to/DocumentRoot/../ For example if your DocumentRoot is /etc/puppet/rack/public/ the is in /etc/puppet/rack/

Exim: investigating frozen messages in the mailqueue

Investigate why mails are frozen

The exim documentation says:

Freezing occurs when a bounce message encounters a permanent failure because the sender address of the original message that caused the bounce is invalid, so the bounce cannot be delivered. This is probably the most common case, but there are also other conditions that cause freezing, and frozen messages are not always bounce messages.

By default, frozen bounce messages will b...

swaks - Swiss Army Knife SMTP, the all-purpose smtp transaction tester

swaks is a very nice tool to test SMTP. For most Linux distributions you can easily install it with your package management system.

This example sends an email from to via the server with the user and password mysupersecurepasswordyouneverget for authentication and requires the connection to use STARTTLS.

$ swaks -tls --to --from --auth-user  --server mail23.example....

Change / Update SSL certificate for Amazon Elastic Load Balancer with AWS Command Line Interface

  1. Install and configure the AWS Command Line Interface

  2. Show existing certificates to test if the AWS Cli is working:

    $ aws iam list-server-certificates
      "ServerCertificateMetadataList": [
              "Path": "/", 
              "Arn": "arn:aws:iam::5xxxxxxxxxxx:server-certificate/", 
              "ServerCertificateId": "AXXXXXXXXXXXXXXXXXXXX", 
              "ServerCertificateName": "", 

Fix "A client error (MalformedCertificate) occurred: Invalid Private Key." at AWS SSL Certificate upload

I'm creating certificate requests with this command:

openssl req -new -out -keyout -newkey rsa:2048 -nodes

When I try to upload the certificate to AWS IAM I get this error:

$ aws iam upload-server-certificate --server-certificate-name --certificate-body --private-key --certificate-chain 
A client error (MalformedCertificate) occurred: Invalid Public Key Certificate.

That's because o...

Create swap space on Linux

Create a 1 GB file to swap to (we have sufficient space on / on this machine. Use a different partition if necessary)

sudo dd if=/dev/zero of=/var/swapfile bs=1M count=1024

If you prefer 2 GB swap, choose count=2048; for 4 GB, count=4096.

Change permissions of swap file:

sudo chmod 0600 /var/swapfile

Set up swap file and enable it:

sudo mkswap /var/swapfile
sudo swapon /var/swapfile

You should see your swap space now:

thomas@machine:~$ free -m
              total       used       free     shared    buffers...

Run multiple Redis servers on Ubuntu

This is a way to run multiple Redis servers on one Ubuntu server.

These steps you have to do only once:

  • Adjust init script

Change some variables.
From this:


to this:

NAME=`basename ${0}`
  • Move redis configuration
    mv /etc/redis/redis.conf /etc/redis/redis-server.conf

These steps y...