Juniper Pulse VPN client for linux

yum install glibc.i686 zlib.i686 nss-mdns.i686

Get realm name:
wget -q --no-check-certificate -O - 'https://some.site.com/dana-na/auth/url_0/welcome.cgi' | sed -n 's/.*<input\([^>]*name="realm" [^>]*\)>.*/\1/p' | sed -n 's/.* value="\([^"]*\)".*/\1/p'

wget https://some.site.com/dana-cached/nc/ncLinuxApp.jar
unzip ncLinuxApp.jar

sudo chown root:root ncsvc
sudo chmod 6711 ncsvc
chmod 744 ncdiag
chmod +x getx509certificate.sh

./getx509certificate.sh some.site.com company.cert

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert -U 'https://some.site.com/dana-na/auth/url_default/welcome.cgi'

Radius 2nd factor configured realm:
dnf install openconnect NetworkManager-openconnect NetworkManager-openconnect-gnome

GNOME NetworkManager:
Add VPN -> Cisco AnyConnect Compatible VPN (openconnect)

In “Identity General” tab:
VPN Protocol “Juniper/Pulse Network Connect”
Gateway pulse.domain.com/name
In “IPV4” tab:
“Use this connection only for resources on its network”

After the new VPN connection is created, you need to switch it on. A new “Connect to VPN X” window with the “frmLogin” label shows a login/password prompt. Next, click “Login”; another window labelled “frmDefender” requests a “password”, which is actually the OTP. You can get it from your pre-configured OTP app such as Google Authenticator, SecureAuth, etc. Click “Login” after you have typed the OTP and you should be all set.

Links:
https://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux

Netapp. Opening the export policy of the SVM root volume

You must add a rule to the default export policy to allow all clients access through NFSv3. Without such a rule, all NFS clients are denied access to the Storage Virtual Machine (SVM) and its volumes.

Steps

  1. In the navigation pane, select the SVM and click Policies > Export Policies.
  2. Select the export policy named default, which is applied to the SVM root volume.
  3. In the lower pane, click Add.
  4. In the Create Export Rule dialog box, create a rule that opens access to all clients for NFS clients:
    1. In the Client Specification field, enter 0.0.0.0/0 so that the rule applies to all clients.
    2. Retain the default value as 1 for the rule index.
    3. Select NFSv3.
    4. Clear all the check boxes except the UNIX check box under Read-Only.
    5. Click OK.

Links:
https://library.netapp.com/ecmdocs/ECMP1547459/html/GUID-FC041987-F793-427E-BB00-19D3DB1F30DA.html
https://library.netapp.com/ecmdocs/ECMP12517204/html/GUID-44DFBDC9-03DD-4046-A9B8-4857858AB9C1.html
https://kb.netapp.com/support/s/article/ka21A0000000Z9uQAE/how-do-export-policies-work-in-clustered-data-ontap?language=en_US
https://library.netapp.com/ecmdocs/ECMP1366835/html/GUID-EB3438EC-21B1-401F-8190-D509E67D8E90.html

KVM. Configure Mirrored Port’s Traffic to Be Visible in Guest

cat /etc/sysconfig/network-scripts/ifcfg-eth3
DEVICE=eth3
HWADDR=64:31:50:4B:52:4E
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
BRIDGE=br2

cat /etc/sysconfig/network-scripts/ifcfg-br2
DEVICE=br2
ONBOOT=yes
TYPE=Bridge
NM_CONTROLLED=no
BOOTPROTO=none

cat /etc/rc.local
#add it to your /etc/rc.local file:
for task in /etc/rc.local.d/*
do
# Source the post-boot script
. $task
done

cat /etc/rc.local.d/kvm
brctl setageing br2 0
brctl setfd br2 0

Links:
http://www.ryanhallman.com/kvm-configure-mirrored-ports-traffic-to-be-visible-in-guest-snort/
https://serverfault.com/questions/798001/kvm-bridge-for-promisc-interface-ids
http://linux-blog.anracom.com/2016/01/14/vmware-ws-bridging-of-linux-bridges-and-security-implications/
https://wiki.linuxfoundation.org/networking/bridge#Showing_devices_in_a_bridge
https://wiki.libvirt.org/page/Networking

Verifying that a Private Key Matches a Certificate

The private key contains a series of numbers. Two of those numbers form the “public key”, the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The “modulus” and the “public exponent” portions in the key and the Certificate must match. But since the public exponent is usually 65537 and comparing a long modulus by eye is tedious, you can use the following approach:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

And then compare these much shorter numbers. With overwhelming probability they will differ if the keys are different. As a “one-liner”:

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5

And with auto-magic comparison (If more than one hash is displayed, they don’t match):

$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

BTW, if you want to check to which key or certificate a particular CSR belongs, you can compute

$ openssl req -noout -modulus -in server.csr | openssl md5
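
The modulus comparison above only applies to RSA keys, and the `uniq` one-liner reports a single hash (a false match) when both openssl commands fail, because both then hash empty input. The following is an added example, not code from the original page: it compares the SHA-256 of the full public key, so it also works for EC keys and CSRs, and it returns an error instead of a match when a file cannot be parsed. The function names and file names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original page: compare public keys instead of
# RSA moduli. Hashing the DER-encoded SubjectPublicKeyInfo works for RSA and
# EC keys alike.

# pubkey_fp KIND FILE -> SHA-256 (hex) of the public key.
# KIND is cert, csr or key. Returns non-zero if the file cannot be parsed,
# so a failed read is never turned into a hash of empty input.
pubkey_fp() {
    case "$1" in
        cert) fp_pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        csr)  fp_pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        key)  fp_pem=$(openssl pkey -in "$2" -pubout) ;;
        *)    echo "kind must be cert, csr or key" >&2; return 2 ;;
    esac || return 1
    [ -n "$fp_pem" ] || return 1
    printf '%s\n' "$fp_pem" |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_matches KIND FILE KEYFILE
# Exit status: 0 = same public key, 1 = different keys, 2 = unreadable input.
key_matches() {
    km_a=$(pubkey_fp "$1" "$2") || return 2
    km_b=$(pubkey_fp key "$3")  || return 2
    [ "$km_a" = "$km_b" ]
}

# When run as a script: ./keymatch.sh cert server.crt server.key
#                       ./keymatch.sh csr  server.csr server.key
if [ "$#" -eq 3 ]; then
    if key_matches "$1" "$2" "$3"; then
        echo "match"
    else
        echo "MISMATCH or unreadable input"
    fi
fi
```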

Links: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
https://kb.wisc.edu/middleware/page.php?id=4064

Snipe-IT 3.6.4 on CentOS 6

Requirements here.

PHP 5.5 installation:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum install http://rpms.remirepo.net/enterprise/remi-release-6.rpm
yum install php55.x86_64 php55-php php55-php-pdo php55-php-gd php55-php-mysql php55-php-mcrypt php55-php-common php55-php-mbstring php55-php-pecl-imagick mysql-server.x86_64 php55-php-pecl-zip php55-php-ldap
yum install mod_ssl

Creating a Database and User:
mysql_secure_installation
mysql -u root -p
create database snipeit;
show databases;
create user snipe_user;
grant all on snipeit.* to 'snipe_user'@'localhost' identified by 'YOUR_DB_PASSWORD_HERE';

wget -O snipe-it-3.6.4.tar.gz https://github.com/snipe/snipe-it/archive/v3.6.4.tar.gz
tar zxvf snipe-it-3.6.4.tar.gz
# copy with "/." so that dotfiles such as .env.example are included
mkdir -p /var/www/snipeit && cp -r snipe-it-3.6.4/. /var/www/snipeit/
cd /var/www/snipeit/
cp .env.example .env

.env file has to be filled out with your data:

vi .env
# --------------------------------------------
# REQUIRED: BASIC APP SETTINGS
# --------------------------------------------
APP_ENV=production
APP_DEBUG=false
APP_KEY=ChangeMe
APP_URL=null
APP_TIMEZONE='UTC'
APP_LOCALE=en

# --------------------------------------------
# REQUIRED: DATABASE SETTINGS
# --------------------------------------------
DB_CONNECTION=mysql
DB_HOST=localhost
DB_DATABASE=null
DB_USERNAME=null
DB_PASSWORD=null
DB_PREFIX=null
DB_DUMP_PATH='/usr/bin'

# --------------------------------------------
# OPTIONAL: SSL DATABASE SETTINGS
# --------------------------------------------
DB_SSL=false
DB_SSL_KEY_PATH=null
DB_SSL_CERT_PATH=null
DB_SSL_CA_PATH=null
DB_SSL_CIPHER=null

# --------------------------------------------
# REQUIRED: OUTGOING MAIL SERVER SETTINGS
# --------------------------------------------
MAIL_DRIVER=smtp
MAIL_HOST=email-smtp.us-west-2.amazonaws.com
MAIL_PORT=587
MAIL_USERNAME=YOURUSERNAME
MAIL_PASSWORD=YOURPASSWORD
MAIL_ENCRYPTION=null
MAIL_FROM_ADDR=you@example.com
MAIL_FROM_NAME='Snipe-IT'
MAIL_REPLYTO_ADDR=you@example.com
MAIL_REPLYTO_NAME='Snipe-IT'

# --------------------------------------------
# REQUIRED: IMAGE LIBRARY
# This should be gd or imagick
# --------------------------------------------
IMAGE_LIB=gd

# --------------------------------------------
# OPTIONAL: SESSION SETTINGS
# --------------------------------------------
SESSION_LIFETIME=12000
EXPIRE_ON_CLOSE=false
ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=false

# --------------------------------------------
# OPTIONAL: CACHE SETTINGS
# --------------------------------------------
CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync

# --------------------------------------------
# OPTIONAL: AWS S3 SETTINGS
# --------------------------------------------
AWS_SECRET=null
AWS_KEY=null
AWS_REGION=null
AWS_BUCKET=null

# --------------------------------------------
# OPTIONAL: LOGIN THROTTLING
# --------------------------------------------
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=60

# --------------------------------------------
# OPTIONAL: MISC
# --------------------------------------------
APP_LOG=single
APP_LOCKED=false
FILESYSTEM_DISK=local
APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
ALLOW_IFRAMING=false

Detailed information about all options could be found here.

Composer installation:
su - snipeit
cd /var/www/snipeit/
curl -sS https://getcomposer.org/installer | php
php composer.phar install --no-dev --prefer-source

Generate Your App Key:
This should automatically set the APP_KEY value in your .env file for you.
php artisan key:generate

To start installation process just go to your Snipe IT url

Web Server and SSL config:
openssl req -new -x509 -days 1825 -keyout servername.domain.com.key -out servername.domain.com.crt -nodes -subj '/O=Organization/OU=Organization Department/CN=servername.domain.com'
cp servername.domain.com.key /etc/pki/tls/private/
chmod 400 /etc/pki/tls/private/servername.domain.com.key
cp servername.domain.com.crt /etc/pki/tls/certs/

vi /var/www/snipeit/public/.htaccess
#Uncomment these lines
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

vi /etc/httpd/conf.d/snipeit.conf:
<VirtualHost *:443>
DocumentRoot /var/www/snipeit/public
ServerName servername.domain.com
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/servername.domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/servername.domain.com.key
<Directory /var/www/snipeit/public>
Allow From All
AllowOverride All
Options +Indexes
</Directory>
</VirtualHost>

chown -R snipeit:snipeit /var/www/snipeit/
chown -R apache:apache /var/www/snipeit/storage
chown -R apache:apache /var/www/snipeit/public/uploads
chmod -R 755 /var/www/snipeit/storage
chmod -R 755 /var/www/snipeit/public/uploads/

LDAP Settings:
LDAP Integration - LDAP enabled
Active Directory - This is an Active Directory server
LDAP Password Sync - Yes
Active Directory domain - domain.com
LDAP Server ldap://servername.domain.com
LDAP Bind Username - readonlyuser@domain.com
Base Bind DN - OU=Users,OU=SomeOU,DC=domain,DC=com
#Request only enabled users
LDAP Filter - &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Username Field - samaccountname
Last Name - sn
LDAP First Name - givenname
LDAP Authentication query - samaccountname=
LDAP Version - 3
LDAP Email - mail

Links: https://snipe-it.readme.io/docs
https://snipe-it.readme.io/v3.6.2/docs/ldap-sync-login

GlusterFS 3.6.1 Add replacement HDD to a glusterfs volume

First, make sure the new HDD has been replaced and initialized correctly. In my example it’s /dev/sdc.

Create a Linux primary partition, format it as xfs and mount it on the same mount point as before:
parted -a optimal /dev/sdc mkpart primary 0% 100%
mkfs.xfs -i size=512 /dev/sdc1
mount /dev/sdc1 /export/sdc1
mkdir -p /export/sdc1/brick1

gluster volume info gfsvol – BrickN server1-gluster:/export/sdc1/brick1 should be listed here

Volume Name: gfsvol
Type: Replicate
Volume ID: def9e71b-e3cd-4d25-a604-e53aa717e744
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: server1-gluster:/export/sdc1/brick1
Brick2: server2-gluster:/export/sdc1/brick1

gluster volume heal gfsvol full
Another transaction is in progress for gfsvol. Please try again after sometime.

ls -ltr /var/log/glusterfs

cat etc-glusterfs-glusterd.vol.log

[2017-05-17 23:57:24.089817] W [socket.c:611:__socket_rwv] 0-management: readv on /var/run/6a4503614e8aae691f635297ed0dca19.socket failed (Invalid argument)
The message "I [MSGID: 106005] [glusterd-handler.c:4142:__glusterd_brick_rpc_notify] 0-management: Brick server1-gluster:/export/sdc1/brick1 has disconnected from glusterd." repeated 39 times between [2017-05-17 23:55:27.065833] and [2017-05-17 23:57:24.091004]
[2017-05-17 23:57:27.090603] W [socket.c:611:__socket_rwv] 0-management: readv on /var/run/6a4503614e8aae691f635297ed0dca19.socket failed (Invalid argument)
[2017-05-17 23:57:27.091934] I [MSGID: 106005] [glusterd-handler.c:4142:__glusterd_brick_rpc_notify] 0-management: Brick server1-gluster:/export/sdc1/brick1 has disconnected from glusterd.
[2017-05-17 23:57:30.091171] W [socket.c:611:__socket_rwv] 0-management: readv on /var/run/6a4503614e8aae691f635297ed0dca19.socket failed (Invalid argument)

gluster volume heal gfsvol full
Commit failed on server2-gluster. Please check log file for details.

cat /var/log/glusterfs/bricks/export-sdc1-brick1.log

[2017-05-17 23:35:29.469536] I [MSGID: 100030] [glusterfsd.c:2018:main] 0-/usr/sbin/glusterfsd: Started running /usr/sbin/glusterfsd version 3.6.1 (args: /usr/sbin/glusterfsd -s server1-gluster --volfile-id gfsvol.server1-gluster.export-sdc1-brick1 -p /var/lib/glusterd/vols/gfsvol/run/server1-gluster-export-sdc1-brick1.pid -S /var/run/6a4503614e8aae691f635297ed0dca19.socket --brick-name /export/sdc1/brick1 -l /var/log/glusterfs/bricks/export-sdc1-brick1.log --xlator-option *-posix.glusterd-uuid=c876c33a-3605-4c5c-b773-8d5e85655111 --brick-port 49153 --xlator-option gfsvol-server.listen-port=49153)
[2017-05-17 23:35:29.608846] I [graph.c:269:gf_add_cmdline_options] 0-gfsvol-server: adding option 'listen-port' for volume 'gfsvol-server' with value '49153'
[2017-05-17 23:35:29.608880] I [graph.c:269:gf_add_cmdline_options] 0-gfsvol-posix: adding option 'glusterd-uuid' for volume 'gfsvol-posix' with value 'c876c33a-3605-4c5c-b773-8d5e85655111'
[2017-05-17 23:35:29.640944] I [rpcsvc.c:2142:rpcsvc_set_outstanding_rpc_limit] 0-rpc-service: Configured rpc.outstanding-rpc-limit with value 64
[2017-05-17 23:35:29.641025] W [options.c:898:xl_opt_validate] 0-gfsvol-server: option 'listen-port' is deprecated, preferred is 'transport.socket.listen-port', continuing with correction
[2017-05-17 23:35:29.656007] E [posix.c:5604:init] 0-gfsvol-posix: Extended attribute trusted.glusterfs.volume-id is absent
[2017-05-17 23:35:29.656026] E [xlator.c:425:xlator_init] 0-gfsvol-posix: Initialization of volume 'gfsvol-posix' failed, review your volfile again
[2017-05-17 23:35:29.656034] E [graph.c:322:glusterfs_graph_init] 0-gfsvol-posix: initializing translator failed
[2017-05-17 23:35:29.656041] E [graph.c:525:glusterfs_graph_activate] 0-graph: init failed
[2017-05-17 23:35:29.656750] W [glusterfsd.c:1194:cleanup_and_exit] (--> 0-: received signum (0), shutting down

“[2017-05-17 23:35:29.656007] E [posix.c:5604:init] 0-gfsvol-posix: Extended attribute trusted.glusterfs.volume-id is absent” – here it is. Let’s add extended attribute.

grep volume-id /var/lib/glusterd/vols/gfsvol/info | cut -d= -f2 | sed 's/-//g'
def9e71be3cd4d25a604e53aa717e744

setfattr -n trusted.glusterfs.volume-id -v 0xdef9e71be3cd4d25a604e53aa717e744 /export/sdc1/brick1

service glusterd restart

Just to confirm:
getfattr -d -m . -e hex /export/sdc1/brick1

Check if it’s getting synced:
while [ 1 ]; do du -sh /export/sdc1/brick1; sleep 30; done

Start heal process again
gluster volume heal gfsvol full

gluster volume heal gfsvol info

Links: https://serverfault.com/questions/710220/how-do-you-add-a-replacement-hdd-to-a-glusterfs-volume
https://joejulian.name/blog/replacing-a-brick-on-glusterfs-340/

GlusterFS 3.6.1 Split Brain resolution

Identify the bricks info:
[root@server1 ~]# gluster volume info images

Volume Name: images
Type: Replicate
Volume ID: e60b5d4b-be1f-4233-b09c-84a97001021f
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: server1-gluster:/export/images/brick1
Brick2: server2-gluster:/export/images/brick1
Options Reconfigured:
diagnostics.count-fop-hits: on
diagnostics.latency-measurement: on
performance.quick-read: off
performance.read-ahead: off
performance.io-cache: off
performance.stat-prefetch: off
cluster.eager-lock: enable
network.remote-dio: enable
cluster.quorum-type: fixed
cluster.quorum-count: 1
storage.owner-uid: 107
storage.owner-gid: 107

Get the path of the file that is in split-brain:
It can be obtained either by
a) The command gluster volume heal <volname> info split-brain.

[root@server1 ~]# gluster volume heal images info split-brain
Gathering list of split brain entries on volume images has been successful

Brick server1-gluster:/export/images/brick1
Number of entries: 1024
at path on brick
-----------------------------------
2017-02-08 06:14:56 /srvmsim01v.img
2017-02-08 07:55:53 /srvmmdb02v.img
2017-02-08 07:55:53 /srvmmgw02v.img
etc.

Brick server2-gluster:/export/images/brick1
Number of entries: 1024
at path on brick
-----------------------------------
2017-03-01 09:36:44 /srvmmgw02v.img
2017-03-01 09:37:45 /srvmsim01v.img
2017-03-01 09:37:45 /srvmmdb02v.img
etc.

b) Identify the files for which file operations performed from the client keep failing with Input/Output error.

Close the applications that opened this file from the mount point. In case of VMs, they need to be powered-off.

Decide on the correct copy:
This is done by observing the afr changelog extended attributes of the file on the bricks using the getfattr command; then identifying the type of split-brain (data split-brain, metadata split-brain, entry split-brain or split-brain due to gfid-mismatch); and finally determining which of the bricks contains the ‘good copy’ of the file.
getfattr -d -m . -e hex <file-path-on-brick>

0x 000003d7 00000001 00000000
       |        |        |
       |        |         \_ changelog of directory entries
       |         \_ changelog of metadata
        \_ changelog of data

It is also possible that one brick might contain the correct data while the other might contain the correct metadata.

[root@server1 ~]# stat /export/images/brick1/srvmsim01v.img
File: `/export/images/brick1/pny2msim01v.img'
Size: 15228796928 Blocks: 29743528 IO Block: 4096 regular file
Device: 812h/2066d Inode: 116 Links: 2
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-01 09:46:23.599184357 -0500
Modify: 2017-03-01 12:23:04.693187960 -0500
Change: 2017-03-01 12:23:21.924583877 -0500

[root@server1 ~]# md5sum /export/images/brick1/srvmsim01v.img
cb21a48ee44309cd0a2bcf6bec4c0f7c /export/images/brick1/srvmsim01v.img

[root@server2 ~]# stat /export/images/brick1/srvmsim01v.img
File: `/export/images/brick1/pny2msim01v.img'
Size: 15228796928 Blocks: 22730808 IO Block: 4096 regular file
Device: 812h/2066d Inode: 115 Links: 2
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-09-16 19:01:35.737767450 -0400
Modify: 2017-03-01 12:23:17.320088786 -0500
Change: 2017-03-01 12:23:34.542382249 -0500

[root@server2 ~]# md5sum /export/images/brick1/srvmsim01v.img
5062e0f3ef1a0a2c36825cd769366276 /export/images/brick1/srvmsim01v.img

[root@server1 ~]# getfattr -d -m . -e hex /export/images/brick1/srvmsim01v.img
getfattr: Removing leading '/' from absolute path names
# file: export/images/brick1/srvmsim01v.img
trusted.afr.dirty=0x000000000000000000000000
trusted.afr.images-client-0=0x000000000000000000000000
trusted.afr.images-client-1=0x015457d20000000000000000
trusted.gfid=0x43304ae0fa284e178e8364b837b30925

[root@server2 ~]# getfattr -d -m . -e hex /export/images/brick1/srvmsim01v.img
getfattr: Removing leading '/' from absolute path names
# file: export/images/brick1/srvmsim01v.img
trusted.afr.dirty=0x000000000000000000000000
trusted.afr.images-client-0=0x000000040000000000000000
trusted.afr.images-client-1=0x000000000000000000000000
trusted.gfid=0x43304ae0fa284e178e8364b837b30925

So, different md5sum output, blocks, inodes, but the same size. Metadata is not corrupted. I decided to keep the first replica.

Reset the relevant extended attribute on the brick(s) that contains the ‘bad copy’ of the file data/metadata using the setfattr command.
setfattr -n <attribute-name> -v <attribute-value> <file-path-on-brick>

[root@server2 ~]# setfattr -n trusted.afr.images-client-0 -v 0x000000000000000000000000 /export/images/brick1/srvmsim01v.img
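
The changelog layout described above can be decoded mechanically. The following is an added example, not part of the original post or of GlusterFS: it splits each trusted.afr.* value into its data/metadata/entry counters and reports split-brain when each brick holds pending operations against the other. The sample input is the two getfattr dumps shown above plus the server2 dump as it looks after the setfattr reset; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original post or of GlusterFS.
# Decodes the AFR changelog xattrs printed by
#   getfattr -d -m . -e hex <file-path-on-brick>
# Each trusted.afr.<vol>-client-N value holds three big-endian 32-bit counters
# (data, metadata, entry) of operations this brick still holds against brick N.

# afr_decode: getfattr output on stdin -> "<vol>-client-N <data> <meta> <entry>"
afr_decode() {
    grep '^trusted\.afr\..*-client-[0-9][0-9]*=0x[0-9a-fA-F]\{24\}$' |
    while IFS='=' read -r ad_name ad_val; do
        ad_hex=${ad_val#0x}
        ad_d=$(printf '%s' "$ad_hex" | cut -c1-8)
        ad_m=$(printf '%s' "$ad_hex" | cut -c9-16)
        ad_e=$(printf '%s' "$ad_hex" | cut -c17-24)
        echo "${ad_name#trusted.afr.} $((0x$ad_d)) $((0x$ad_m)) $((0x$ad_e))"
    done
}

# afr_pending DUMP CLIENT -> total operations DUMP records against CLIENT
afr_pending() {
    ap_total=0
    ap_lines=$(printf '%s\n' "$1" | afr_decode)
    while read -r ap_c ap_d ap_m ap_e; do
        if [ "$ap_c" = "$2" ]; then
            ap_total=$((ap_d + ap_m + ap_e))
        fi
    done <<EOF
$ap_lines
EOF
    echo "$ap_total"
}

# afr_verdict VOL DUMP_BRICK0 DUMP_BRICK1
# DUMP_BRICKn is the getfattr output taken on brick n (client-n) for one file
# of a two-brick replica.
afr_verdict() {
    av_0on1=$(afr_pending "$2" "$1-client-1")   # brick 0 accuses brick 1
    av_1on0=$(afr_pending "$3" "$1-client-0")   # brick 1 accuses brick 0
    if [ "$av_0on1" -gt 0 ] && [ "$av_1on0" -gt 0 ]; then
        echo "split-brain"
    elif [ "$av_0on1" -gt 0 ]; then
        echo "heal client-1 from client-0"
    elif [ "$av_1on0" -gt 0 ]; then
        echo "heal client-0 from client-1"
    else
        echo "clean"
    fi
}

# Sample input: the getfattr dumps from server1 and server2 shown in the post.
SERVER1_DUMP='trusted.afr.dirty=0x000000000000000000000000
trusted.afr.images-client-0=0x000000000000000000000000
trusted.afr.images-client-1=0x015457d20000000000000000
trusted.gfid=0x43304ae0fa284e178e8364b837b30925'

SERVER2_DUMP='trusted.afr.dirty=0x000000000000000000000000
trusted.afr.images-client-0=0x000000040000000000000000
trusted.afr.images-client-1=0x000000000000000000000000
trusted.gfid=0x43304ae0fa284e178e8364b837b30925'

# Constructed: server2 after trusted.afr.images-client-0 has been reset to zero.
SERVER2_FIXED='trusted.afr.dirty=0x000000000000000000000000
trusted.afr.images-client-0=0x000000000000000000000000
trusted.afr.images-client-1=0x000000000000000000000000
trusted.gfid=0x43304ae0fa284e178e8364b837b30925'

echo "before reset: $(afr_verdict images "$SERVER1_DUMP" "$SERVER2_DUMP")"
echo "after reset:  $(afr_verdict images "$SERVER1_DUMP" "$SERVER2_FIXED")"
```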

Trigger self-heal on the file by performing lookup from the client:
ls -l <file-path-on-gluster-mount>

[root@server1 ~]# ls -l /export/images/brick1/srvmsim01v.img
-rw------- 2 qemu qemu 15236399104 Mar 1 17:37 /export/images/brick1/srvmsim01v.img
[root@server1 ~]# ls -l /var/lib/libvirt/images/pny2msim01v.img
-rw------- 1 qemu qemu 15236399104 Mar 1 17:38 /var/lib/libvirt/images/srvmsim01v.img

Links:
https://gluster.readthedocs.io/en/latest/Troubleshooting/split-brain/
https://gluster.readthedocs.io/en/latest/Troubleshooting/heal-info-and-split-brain-resolution/ (If you’re under 3.7 or higher)
https://github.com/gluster/glusterfs/blob/master/doc/debugging/split-brain.md

AWS. How to modify the EBS “Delete on Termination” flag

The only way to do this is by using the AWS CLI; at the current time there’s no way to do this using the web console.

aws ec2 modify-instance-attribute --instance-id i-123e4567fc8901234 --block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"DeleteOnTermination\":false}}]"

RHEL/CentOS 7 systemd ‘targets’ replacement of runlevels

cat /etc/inittab
# inittab is no longer used when using systemd.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses ‘targets’ instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target

Runlevel 3 is now multi-user.target and runlevel 5 is now graphical.target.

systemctl set-default multi-user.target;
systemctl set-default graphical.target;

To switch from graphical to multi-user:
systemctl isolate multi-user.target;

To switch from multi-user to graphical:
systemctl isolate graphical.target;

Links:
https://www.centos.org/forums/viewtopic.php?t=47306
http://www.freedesktop.org/software/systemd/man/systemd.special.html
https://www.youtube.com/watch?v=jbYucYX1WwM

Windows Server RDS and TS CAL Interoperability Matrix

One question I often hear is what CAL types can be used with what OS versions of Remote Desktop Licensing Server and Remote Desktop host server.

Background information:

Windows Server 2016 RD Licensing article
Windows Server 2012 R2 licensing document
Windows Server 2008R2 How To Install CALs article
How to control issuance of RDS CALs

The following matrix shows which TS CAL’s and RDS CAL’s can be entered on different versions of the TS and RD Licensing Server:

TS|RD Licensing Server OS Version

CAL type  2000  2003  2003R2  2008  2008R2  2012  2012R2  2016
2000      Yes   Yes   Yes     Yes   Yes     No    No      No
2003      No    Yes   Yes     Yes   Yes     Yes   Yes     Yes
2008(2)   No    No    No      Yes   Yes     Yes   Yes     Yes
2012      No    No    No      No    No      Yes   Yes     Yes
2016      No    No    No      No    No      No    No      Yes

The following matrix shows which TS CAL’s and RDS CAL’s can be used to allow a user to connect to an RDS host OS version (from official article)

RD Session/Virtual Host OS version

CAL type  2000  2003  2003R2  2008  2008R2  2012  2012R2  2016
2000      Yes   No    No      No    No      No    No      No
2003      Yes   Yes   Yes     No    No      No    No      No
2008      Yes   Yes   Yes     Yes   Yes     No    No      No
2012      Yes   Yes   Yes     Yes   Yes     Yes   Yes     No
2016      Yes   Yes   Yes     Yes   Yes     Yes   Yes     Yes

Notes:
(1) Per http://technet.microsoft.com/en-us/library/hh553159(v=ws.10).aspx to install RDS CAL’s on a Windows Server 2008 License Server, http://support.microsoft.com/kb/968074 is required
(2) Despite the new name, the Windows Server 2008 TS CAL is functionally equivalent to the Windows Server 2008 R2 RDS CAL (per http://technet.microsoft.com/en-us/library/hh553159 )
(3) Can be RDSH (Session-based) or RDVH (Virtual machine-based).

Links:
https://social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx

Manual RD Licensing Configuration on Windows Server 2012 R2

“There might be situation when you want to configure License server on the RD Session Host or on the RD Virtualization Host manually since you do not have any RD Connection Broker in your environment. You have already configured RD Session Host server or Virtualization Host Server as required and now you want to configure the License server which is already installed and configured with licenses. All you are left to do is configure the License Server and the Licensing mode on the corresponding RD session Host or Virtualization Host servers.”

To configure the license server on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("License.contoso.com")

To verify the license server configuration on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()

To change the licensing mode on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(value)   # value can be 2 - Per Device, 4 - Per User

To validate the licensing mode:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.LicensingType
$obj.LicensingName

Links:
https://blogs.technet.microsoft.com/askperf/2013/09/20/rd-licensing-configuration-on-windows-server-2012/

Rancid linux CentOS 7 installation for Juniper/Cisco/Arista devices

Installation

yum install nano wget ftp telnet perl tcl expect gcc cvs rcs httpd autoconf openssh-clients postfix -y

groupadd netadm
useradd -g netadm -c "Networking Backups" -d /usr/local/rancid rancid
mkdir /usr/local/rancid/pkg
cd /usr/local/rancid/pkg
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.4.1.tar.gz
tar zxvf rancid-3.4.1.tar.gz
cd rancid-3.4.1
./configure --prefix=/usr/local/rancid/
make install

Configuration

cp /usr/local/rancid/pkg/rancid-3.4.1/cloginrc.sample /usr/local/rancid/.cloginrc
chmod 0600 /usr/local/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/
cp /usr/local/rancid/pkg/rancid-3.4.1/README /usr/local/rancid

SSH key/keys generation

su - rancid
ssh-keygen -t ecdsa               # for Juniper
ssh-keygen -t rsa -b 4096         # for Cisco/Arista devices
ssh-keygen -f .ssh/id_rsa.pub -l  # show fingerprint of specified public key file

clogin configuration

vi /usr/local/rancid/.cloginrc
#add method * ssh
#add user * rancid
#add password * RancidPW EnablePW
add password * blah

#Juniper
add user juniper-device-01 rancid
add method juniper-device-01 {ssh}
add identity juniper-device-01 $env(HOME)/.ssh/id_ecdsa

#Cisco/Arista
add user ciscoarista-device-02 rancid
add method ciscoarista-device-02 {ssh}
add identity ciscoarista-device-02 $env(HOME)/.ssh/id_rsa
add autoenable ciscoarista-device-02 1

Rancid configuration

vi /usr/local/rancid/etc/rancid.conf
LIST_OF_GROUPS="LOC1 LOC2"
FILTER_PWDS=NO; export FILTER_PWDS
NOCOMMSTR=NO; export NOCOMMSTR

Once happy with your groups, you need to run rancid-cvs to create the directories/files required as the rancid user
su - rancid
/usr/local/rancid/bin/rancid-cvs

router.db config
echo "juniper-device-01;juniper;up" >> /usr/local/rancid/var/LOC1/router.db
echo "ciscoarista-device-02;arista;up" >> /usr/local/rancid/var/LOC1/router.db
# or, for a Cisco device:
echo "ciscoarista-device-02;cisco;up" >> /usr/local/rancid/var/LOC1/router.db

vi /etc/aliases:
rancid-LOC1: mail1@mail.com
rancid-admin-LOC1: mail1@mail.com
rancid-LOC2: mail1@mail.com
rancid-admin-LOC2: mail1@mail.com

newaliases

SMTP postfix relay configuration

vi /etc/postfix/main.cf
inet_interfaces = 192.168.0.100
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = 192.168.0.111
smtp_fallback_relay = 192.168.0.112
mydomain = subdomain.domain.com
myorigin = monhost.subdomain.domain.com
mydestination = monhost.subdomain.domain.com
local_transport = error:local mail delivery is disabled

systemctl restart postfix
systemctl status postfix

Juniper device configuration
set system login class RANCID permissions access
set system login class RANCID permissions admin
set system login class RANCID permissions firewall
set system login class RANCID permissions flow-tap
set system login class RANCID permissions interface
set system login class RANCID permissions network
set system login class RANCID permissions routing
set system login class RANCID permissions secret
set system login class RANCID permissions security
set system login class RANCID permissions snmp
set system login class RANCID permissions storage
set system login class RANCID permissions system
set system login class RANCID permissions trace
set system login class RANCID permissions view
set system login class RANCID permissions view-configuration
set system login user rancid full-name RANCID
set system login user rancid uid 2020
set system login user rancid class RANCID
set system login user rancid authentication ssh-ecdsa "ecdsa-sha2-nistp256 loooooooooooooooong-hash LOC1MGMTRANCID"

Cisco device configuration
#You could find ssh rsa key fingerprint by ssh-keygen -f .ssh/id_rsa.pub -l command
username rancid privilege 15
ip ssh pubkey-chain
username rancid
key-hash ssh-rsa ssh-rsa-fingerprint-without-colons

Arista device configuration
aaa authorization exec default local none
username rancid privilege 15 secret secret-password
username rancid sshkey ssh-rsa ssh-rsa-key-public-part-from-id_rsa.pub rancid@monhost

Check that the passwordless SSH configuration works
#juniper
/usr/local/rancid/bin/jlogin -c "show version" juniper-device-01
#arista/cisco
/usr/local/rancid/bin/clogin -c "show configuration" ciscoarista-device-02

Rancid manual start
/usr/local/rancid/bin/rancid-run

CRON setup
crontab -u rancid -e

1 * * * * /usr/local/rancid/bin/rancid-run

# Daily Clean Up of Diff Files at 11 50 pm
50 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +2 -exec rm {} \;

# Daily Clean Up of .SITE.run.lock Files at 11 50 pm
50 23 * * * rm /tmp/.*.lock

ViewVC installation

If RANCID has been provisioned as a VM, I suggest taking a snapshot at this point in case you make any mistakes configuring ViewVC.

cd /usr/local/rancid/pkg
wget http://viewvc.tigris.org/files/documents/3330/49392/viewvc-1.1.23.tar.gz
tar -zxvf viewvc-1.1.23.tar.gz
cd viewvc-1.1.23
./viewvc-install ## we set the installation path as /usr/local/viewvc

Consult the INSTALL document for detailed information on completing the installation and configuration of ViewVC on your system. Here’s a brief overview of the remaining steps:

1) Edit the /usr/local/viewvc/viewvc.conf file.

2) Copy /usr/local/viewvc/bin/cgi/viewvc.cgi to an already-configured cgi-bin directory.

vi /usr/local/viewvc/viewvc.conf

root_parents = /usr/local/rancid/var/CVS : cvs
rcs_dir = /usr/bin/
#use_enscript = 1
#enscript_path = /usr/bin/
#use_highlight = 1
#highlight_path = /usr/bin

cp /usr/local/viewvc/bin/cgi/*.cgi /var/www/cgi-bin/

chown apache:apache /var/www/cgi-bin/query.cgi
chown apache:apache /var/www/cgi-bin/viewvc.cgi

vi /etc/httpd/conf/httpd.conf
ScriptAlias /rancid "/var/www/cgi-bin/viewvc.cgi"
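ScriptAlias /query "/var/www/cgi-bin/query.cgi"

# Require authentication on the URLs the ScriptAlias lines expose (/rancid and /query)
<LocationMatch "^/(rancid|query)">
AuthType basic
AuthName "Client Access"
AuthUserFile /usr/local/viewvc/passwd
Require valid-user
</LocationMatch>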

htpasswd -c /usr/local/viewvc/passwd admin

systemctl restart httpd

Links:
https://www.cryptomonkeys.com/2013/09/rancid-junos/
https://www.ip-life.net/rancid-setup-on-ubuntu-10-04-lts/

SCCM 1606. Software Updates Deployment fails after enabling HTTPS

After I enabled HTTPS on every SCCM 1606 component, all my Windows Update clients suddenly stopped working. The Windows Update check stopped with “0x80244019”.

WindowsUpdate.log on a client side:
2016/11/21 13:13:00.7947333 1396 5228 WebServices Auto proxy settings for this web service call.
2016/11/21 13:13:00.8137726 1396 5228 WebServices Auto proxy settings for this web service call.
2016/11/21 13:13:00.8267772 1396 5228 WebServices WS error: There was an error communicating with the endpoint at ‘https://sccmwsusserver.com:8531/ClientWebService/client.asmx’.
2016/11/21 13:13:00.8267778 1396 5228 WebServices WS error: The server returned HTTP status code ‘404 (0x194)’ with text ‘Not Found’.
2016/11/21 13:13:00.8267778 1396 5228 WebServices WS error: The requested resource was not found.
2016/11/21 13:13:00.8267787 1396 5228 WebServices Web service call failed with hr = 80244019.
2016/11/21 13:13:00.8267787 1396 5228 WebServices Current service auth scheme=0.
2016/11/21 13:13:00.8267790 1396 5228 WebServices Current Proxy auth scheme=0.

OK, let’s troubleshoot:

netsh winhttp show proxy

Current WinHTTP proxy settings:

Direct access (no proxy server).

https://sccmwsusserver.com:8531/SimpleAuthWebService/SimpleAuth.asmx – reachable
https://sccmwsusserver.com.com:8531/ClientWebService/client.asmx – reachable

Clients/DMZ firewalls were fine also

After some useless googling I found this Microsoft TechNet thread.
The last reply was: “What’s in WCM.log on the SUP? Was KB3159706 recently installed? If you do, there is some post installation steps https://support.microsoft.com/en-au/kb/3159706”. Interesting. I checked the updates on my SCCM server and found KB3159706 installed there. Great. Let me copy-paste from the article:

Manual steps required to complete the installation of this update

Open an elevated Command Prompt window, and then run the following command (case sensitive, assume “C” as the system volume):

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

Restart the WSUS service.

If SSL is enabled on the WSUS server

Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
cd "C:\Program Files\Update Services\WebServices\ClientWebService\"
takeown /f web.config /a

icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

Locate the Web.Config file in the following path:
C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config
Make the following changes in the file.

Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.

<services>
          <service
                name="Microsoft.UpdateServices.Internal.Client"
                behaviorConfiguration="ClientWebServiceBehaviour">
               <!-- 
                  These 4 endpoint bindings are required for supporting both http and https
                -->
                <endpoint address=""
                        binding="basicHttpBinding"
                        bindingConfiguration="SSL"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                <endpoint address="secured"
                        binding="basicHttpBinding"
                        bindingConfiguration="SSL"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />
               <endpoint address=""
                        binding="basicHttpBinding"
                        bindingConfiguration="ClientWebServiceBinding"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                <endpoint address="secured"
                        binding="basicHttpBinding" 
                        bindingConfiguration="ClientWebServiceBinding"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />
          </service>
    </services>

Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:

</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
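To confirm that both Web.Config edits actually landed, the file can be parsed and checked for the four endpoints and the multipleSiteBindingsEnabled attribute. This is an added example, not part of the KB article or the original post; the function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SERVICE = "Microsoft.UpdateServices.Internal.Client"
# (address, bindingConfiguration) pairs from the <service> block quoted above.
REQUIRED = {("", "SSL"), ("secured", "SSL"),
            ("", "ClientWebServiceBinding"), ("secured", "ClientWebServiceBinding")}


def check_web_config(xml_text):
    """Return a list of problems; an empty list means both edits are present."""
    root = ET.fromstring(xml_text)
    model = next(root.iter("system.serviceModel"), None)
    if model is None:
        return ["no <system.serviceModel> section"]
    problems = []
    service = next((s for s in model.iter("service")
                    if s.get("name") == SERVICE), None)
    if service is None:
        problems.append("service %s not found" % SERVICE)
    else:
        present = {(e.get("address", ""), e.get("bindingConfiguration", ""))
                   for e in service.findall("endpoint")}
        for address, binding in sorted(REQUIRED - present):
            problems.append('missing endpoint address="%s" bindingConfiguration="%s"'
                            % (address, binding))
    hosting = model.find("serviceHostingEnvironment")
    if hosting is None or hosting.get("multipleSiteBindingsEnabled", "").lower() != "true":
        problems.append('multipleSiteBindingsEnabled="true" is not set')
    return problems


def _config(endpoints, hosting_attrs):
    """Build a minimal, constructed Web.config for the demo (not a real WSUS file)."""
    eps = "".join('<endpoint address="%s" binding="basicHttpBinding" '
                  'bindingConfiguration="%s" '
                  'contract="Microsoft.UpdateServices.Internal.IClientWebService" />' % e
                  for e in endpoints)
    return ('<configuration><system.serviceModel><services>'
            '<service name="%s" behaviorConfiguration="ClientWebServiceBehaviour">%s'
            '</service></services><bindings />'
            '<serviceHostingEnvironment %s /></system.serviceModel></configuration>'
            % (SERVICE, eps, hosting_attrs))


# Constructed samples: one with only the address="" endpoints, one matching the page.
BEFORE = _config([("", "SSL"), ("", "ClientWebServiceBinding")],
                 'aspNetCompatibilityEnabled="true"')
AFTER = _config(sorted(REQUIRED),
                'aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"')

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_web_config(text) or "OK")
```

On the server, pass the contents of the Web.Config file from the path given above to check_web_config instead of the constructed samples.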

Links:
https://nhogarth.net/2016/09/13/scan-failed-with-error-0x80244019/
http://thedesktopteam.com/raphael/sccm-2012-scan-failed-with-error-0x80244019/
https://support.microsoft.com/en-us/kb/900935
https://social.technet.microsoft.com/Forums/en-US/3b85e68e-7ab5-4935-9221-40973487ecae/software-updates-deployment-fails-after-enabling-https-scan-failed-with-error-0x80244019
https://support.microsoft.com/en-au/kb/3159706

Updating BIND default ROOT servers (named.ca)

Use the BIND dig utility to retrieve a list of root name servers
dig @a.root-servers.net . ns > named.ca
Make sure to copy named.ca to the directory containing your DNS maps. Restart BIND for the changes to take effect


Spacewalk 2.2 EPEL7 issues

1)
I got this issue on CentOS 6.6 x86_64 with Spacewalk 2.2 when I tried to set up a CentOS 7 client with an EPEL installation: “/tmp/yum.cache/epel7-centos7-x86_64/comps.xml: not well-formed (invalid token): line 1, column 0”.
This is an XML parsing error. The installer expects this file to be in XML format. The file is not plain XML; it is XML that has been LZMA/XZ compressed.
I found the solution in the links listed below.

So the idea is first to find where Spacewalk stores the Python files that have to be updated to support xz:
find / -name 'reposync.py'
find / -name 'fileutils.py'

For me it’s here:
/usr/lib/python2.6/site-packages/spacewalk/satellite_tools/reposync.py
/usr/lib/python2.6/site-packages/spacewalk/common/fileutils.py

Update the files:

common/fileutils.py
@@ -17,6 +17,7 @@
import sys
import bz2
import gzip
+import lzma
import pwd
import grp
import types
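Review bot: the unconditional `import lzma` at the top of fileutils.py depends on a module that is not in the Python 2.6 standard library (lzma entered the standard library in Python 3.3; on Python 2 it comes from a separate binding such as pyliblzma). Where that binding is absent, every caller of fileutils fails with ImportError, not only the .xz path. Declare the package as a dependency, or wrap the import in try/except ImportError and raise a clear error from the '.xz' branch of decompress_open when the module is missing.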
@@ -478,6 +479,8 @@ def decompress_open(filename, mode='r'):
file_obj = gzip.open(filename, mode)
elif filename.endswith('.bz2'):
file_obj = bz2.BZ2File(filename, mode)
+ elif filename.endswith('.xz'):
+ file_obj = lzma.LZMAFile(filename, mode)
else:
file_obj = open(filename, mode)
return file_obj

satellite_tools/reposync.py
@@ -248,7 +248,7 @@ def import_groups(self, plug, url):
os.makedirs(absdir)
relativepath = os.path.join(relativedir, basename)
abspath = os.path.join(absdir, basename)
- for suffix in ['.gz', '.bz']:
+ for suffix in ['.gz', '.bz', '.xz']:
if basename.endswith(suffix):
abspath = abspath.rstrip(suffix)
relativepath = relativepath.rstrip(suffix)
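Review bot: `abspath.rstrip(suffix)` and `relativepath.rstrip(suffix)` do not remove the suffix. str.rstrip treats its argument as a set of characters, so with '.xz' it strips every trailing '.', 'x' and 'z' (a basename such as index.xz becomes inde). Slice the suffix off instead, for example `abspath = abspath[:-len(suffix)]`. The list also still carries '.bz' while decompress_open in fileutils.py tests for '.bz2', so a group file ending in .bz2 never matches here.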

2)
rhn-client-tools dependencies:

rhn-client-tools-2.2.6-1.el7.noarch requires python-dmidecode
rhn-client-tools-2.2.6-1.el7.noarch requires python-gudev
rhn-client-tools-2.2.6-1.el7.noarch requires python-hwdata

This was caused by using the CentOS-7-x86_64-DVD-1511.iso iso as a kickstart tree…
Resolution: Prepare the centos7 tree using the CentOS-7-x86_64-Everything-1511.iso media:

mkdir /var/satellite/rhn/kickstart/2/centos-7-x86_64-base
mount -o loop /var/CentOS-7-x86_64-Everything-1511.iso /mnt/
rsync -arv /mnt/ /var/satellite/rhn/kickstart/2/centos-7-x86_64-base/
rm -f /var/satellite/rhn/kickstart/2/centos-7-x86_64-base/Packages/*.rpm

Links:

https://marc.info/?l=spacewalk-list&m=142387145808334&w=3

https://github.com/spacewalkproject/spacewalk/commit/76883065ff72449726adc82d081ae681f2a5bb59

Windows Server 2012 R2 and Windows 8.1. Change network category setting of a connection profile

Get-NetConnectionProfile

Open Windows PowerShell and type “Get-NetConnectionProfile”
PS C:\Users\Administrator> Get-NetConnectionProfile

Name : Network
InterfaceAlias : Ethernet
InterfaceIndex : 12
NetworkCategory : Public
IPv4Connectivity : LocalNetwork
IPv6Connectivity : NoTraffic

We only need the InterfaceIndex number. It’s usually 12.

Set-NetConnectionProfile -InterfaceIndex 12 -NetworkCategory Private

Lenovo ThinkPad T420. NVIDIA Optimus in Fedora 21

Install Dependencies

#yum install -y libbsd-devel libbsd glibc-devel libX11-devel help2man autoconf git tar glib2 glib2-devel kernel-devel kernel-headers automake gcc gtk2-devel

You also need to install VirtualGL. Download the latest version for your arch at the VirtualGL download page or use yum command

#yum install VirtualGL

If you want to run 32 bit apps on your 64 bit system, then also install:

#yum install VirtualGL.i686

Install Bumblebee

Install the Bumblebee yum repository
Fedora 21

$yum install http://install.linux.ncsu.edu/pub/yum/itecs/public/bumblebee/fedora21/noarch/bumblebee-release-1.2-1.noarch.rpm

Install Bumblebee:

$yum install bbswitch bumblebee

Bumblebee with the NVIDIA proprietary drivers

The previous commands install bumblebee with the nouveau drivers. If you want to install bumblebee with the NVIDIA proprietary drivers you must also follow these instructions:

Install the bumblebee-nonfree repository:
Fedora 21

$yum install http://install.linux.ncsu.edu/pub/yum/itecs/public/bumblebee-nonfree/fedora21/noarch/bumblebee-nonfree-release-1.2-1.noarch.rpm

For all versions

Make sure you have glibc-devel installed because it is needed for bumblebee-nvidia to compile the driver

sudo yum install glibc-devel

Now install bumblebee-nvidia

#yum -y install bumblebee-nvidia

“bumblebee-nvidia” is both an RPM package and a shell script. The “bumblebee-nvidia” package contains the shell “wrapper” script, init scripts to run it at bootup, a SELinux security policy, and a copy of the NVIDIA Linux binary driver “blob” downloaded from NVIDIA’s UNIX drivers page. This is why the package is so large compared to the bumblebee package.

Reboot.

Testing Bumblebee

To verify you are now using the NVIDIA driver, run the glxgears demo (from mesa-demos):

optirun glxgears -info | grep "GL_VENDOR"

You should see some gears rotating. In the terminal you should see “GL_VENDOR = NVIDIA Corporation” or something similar.

Primus

For speed improvements you can use primus. Primus is a shared library that provides OpenGL and GLX APIs and implements low-overhead local-only client-side OpenGL offloading via GLX forking, similar to VirtualGL. It intercepts GLX calls and redirects GL rendering to a secondary X display, presumably driven by a faster GPU. On swapping buffers, rendered contents are read back using a PBO and copied onto the drawable it was supposed to be rendered on in the first place. Currently primus requires the NVIDIA proprietary drivers.

Install primus:

#yum -y install primus

If you want to run 32 bit apps on your 64 bit system, then also install:

#yum -y install primus.i686

Testing primus

Open up a terminal and run:

PRIMUS_VERBOSE=2 optirun -b primus glxgears -info

If primus is working properly, you should see “primus: profiling:” messages every so often in the terminal you ran it from.

How to use Bumblebee

General Usage:

optirun [options] [application-parameters]

If you installed primus, then you can use the following command to take advantage of it:

optirun -b primus [application-parameters]

Start Windows applications:

optirun wine .exe

with primus:

optirun -b primus wine .exe

By default, primus renders up to 60 fps. To render more frames per second:

vblank_mode=0 optirun -b primus [application-parameters]

In practice this will probably only waste power, as most screens do not display more than 60 frames per second.

You can always run “man optirun” for more information.

Optimus and Steam for Linux

To make a game run using the discrete GPU, use these simple steps:
1. Select a game – that you want to run using your discrete Nvidia card – from the Library page of the Steam client, right-click, and select Properties.
2. Click the SET LAUNCH OPTIONS… button and specify primusrun %command% for the command line.
3. Save your changes.

This method allows you to pick when the discrete NVIDIA GPU should be used on a per-game basis.

Links:
https://fedoraproject.org/wiki/Bumblebee
https://wiki.archlinux.org/index.php/Bumblebee
http://techies.ncsu.edu/wiki/bumblebee
http://bumblebee-project.org/
https://github.com/Bumblebee-Project/Bumblebee/wiki
http://ubuntuforums.org/showthread.php?t=2059854
https://fedoraproject.org/wiki/How_to_debug_Xorg_problems
https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_T420#NVIDIA_Optimus
https://support.steampowered.com/kb_article.php?ref=6316-GJKC-7437
https://cjenkins.wordpress.com/2013/01/01/steam-for-linux-on-optimus-enabled-computer-running-ubuntu-12-04-64bits/
http://unix.stackexchange.com/questions/133921/is-it-possible-to-run-steam-games-using-optirun

Perl. Regular expressions

Metacharacters

char meaning
^ beginning of string
$ end of string
. any character except newline
* match 0 or more times
+ match 1 or more times
? match 0 or 1 times; or: shortest match
| alternative
( ) grouping; “storing”
[ ] set of characters
{ } repetition modifier
\ quote or special

To present a metacharacter as a data character standing for itself, precede it with \ (e.g. \. matches the full stop character . only).

Note that the physical appearance (glyph) of a character may vary from one device or program or font to another.

Repetition

a* zero or more a’s
a+ one or more a’s
a? zero or one a’s (i.e., optional a)
a{m} exactly m a’s
a{m,} at least m a’s
a{m,n} at least m but at most n a’s
repetition? same as repetition but the shortest match is taken

Read the notation a’s as “occurrences of strings, each of which matches the pattern a”. Read repetition as any of the repetition expressions listed above it. Shortest match means that the shortest string matching the pattern is taken. The default is “greedy matching”, which finds the longest match. The repetition? construct was introduced in Perl version 5.

Special notations with \

Single characters
\t tab
\n newline
\r return (CR)
\xhh character with hex. code hh
“Zero-width assertions”
\b “word” boundary
\B not a “word” boundary
Matching
\w matches any single character classified as a “word” character (alphanumeric or “_”)
\W matches any non-“word” character
\s matches any whitespace character (space, tab, newline)
\S matches any non-whitespace character
\d matches any digit character, equiv. to [0-9]
\D matches any non-digit character

Character sets: specialities inside []

Different meanings apply inside a character set (“character class”) denoted by [] so that, instead of the normal rules given here, the following apply:

[characters] matches any of the characters in the sequence
[x-y] matches any of the characters from x to y (inclusively) in the ASCII code
[\-] matches the hyphen character “-”
[\n] matches the newline; other single character denotations with \ apply normally, too
[^something] matches any character except those that [something] denotes; that is, immediately after the leading “[”, the circumflex “^” means “not” applied to all of the rest

Examples

expression matches…
abc abc (that exact character sequence, but anywhere in the string)
^abc abc at the beginning of the string
abc$ abc at the end of the string
a|b either of a and b
^abc|abc$ the string abc at the beginning or at the end of the string
ab{2,4}c an a followed by two, three or four b’s followed by a c
ab{2,}c an a followed by at least two b’s followed by a c
ab*c an a followed by any number (zero or more) of b’s followed by a c
ab+c an a followed by one or more b’s followed by a c
ab?c an a followed by an optional b followed by a c; that is, either abc or ac
a.c an a followed by any single character (not newline) followed by a c
a\.c a.c exactly
[abc] any one of a, b and c
[Aa]bc either of Abc and abc
[abc]+ any (nonempty) string of a’s, b’s and c’s (such as a, abba, acbabcacaa)
[^abc]+ any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d any two decimal digits, such as 42; same as \d{2}
\w+ a “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)

Examples of simple use in Perl statements

These examples use very simple regexps only. The intent is just to show contexts where regexps might be used, as well as the effect of some “flags” to matching and replacements. Note in particular that matching is by default case-sensitive (Abc does not match abc unless specified otherwise).

s/foo/bar/;
replaces the first occurrence of the exact character sequence foo in the “current string” (in special variable $_) by the character sequence bar; for example, foolish bigfoot would become barlish bigfoot

s/foo/bar/g;
replaces any occurrence of the exact character sequence foo in the “current string” by the character sequence bar; for example, foolish bigfoot would become barlish bigbart

s/foo/bar/gi;
replaces any occurrence of foo case-insensitively in the “current string” by the character sequence bar (e.g. Foo and FOO get replaced by bar too)

if(m/foo/)
tests whether the current string contains the string foo

Links: https://www.cs.tut.fi/~jkorpela/perl/regexp.html
http://www.troubleshooters.com/codecorn/littperl/perlreg.htm
http://www.skillz.ru/dev/php/article-Regulyarnye_vyrazheniya_dlya_chaynikov.html
http://www.ultraedit.com/support/tutorials_power_tips/ultraedit/non-greedy-perl-regex.html
http://www.regular-expressions.info/wordboundaries.html
http://www.cs.xu.edu/csci380/99s/perlstuff/anchorreg.html
http://www.tutorialspoint.com/perl/perl_regular_expression.htm

Bash special parameters

Positional parameters $1,$2,$3… and their corresponding array representation, count and IFS expansion $@, $#, and $*.
$_ last argument of last command
$# number of arguments passed to current script
$* / $@ list of arguments passed to script as string / delimited list
$- current options set for the shell.
$$ pid of the current shell (not subshell)
$_ most recent parameter (or the abs path of the command to start the current shell immediately after startup)
$IFS the (input) field separator
$? most recent foreground pipeline exit status
$! PID of the most recent background command
$0 name of the shell or shell script

Links: http://www.gnu.org/software/bash/manual/bashref.html#Special-Parameters

Lenovo ThinkPad T420. Fingerprint reader

Make sure you have one of the supported finger scanners. You can check if your device is supported by checking this list of supported devices. To check which one you have, type:
lsusb
Bus 001 Device 003: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor

Installation:
yum install fprintd ImageMagick

Login configuration
Note: If you use GDM, the fingerprint-option is already available in the login menu. You can skip this section!

Add pam_fprintd.so to the auth section of /etc/pam.d/system-auth and /etc/pam.d/system-auth-ac

vi /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the given user’s home directory, it proceeds to password login.
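Because pam_fprintd.so is marked sufficient, a matching fingerprint grants access on its own: the stack is "fingerprint or password", not a second factor. The added example below (not from the original post) walks the stack from this page with a simplified model of the required, requisite, sufficient and optional control keywords; the function names, the stand-in module results and the contrasting required variant are constructed for illustration.

```python
# The auth lines of /etc/pam.d/system-auth as given on this page.
STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""


def parse_auth_stack(text):
    """Return [(control, module)] for each 'auth' line; '#' comments are dropped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries


def evaluate(entries, module_ok):
    """Walk the stack; module_ok maps module name -> True when it succeeds.

    Simplified model: only required / requisite / sufficient / optional.
    Returns (granted, module that decided the outcome or None).
    """
    failed_required = None
    for control, module in entries:
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control: " + control)
        ok = module_ok[module]
        if control == "requisite" and not ok:
            return False, failed_required or module  # fail at once
        if control == "required" and not ok and failed_required is None:
            failed_required = module                 # fail, but finish the stack
        if control == "sufficient" and ok and failed_required is None:
            return True, module                      # granted at once
    return failed_required is None, failed_required


def login(entries, fingerprint, password, uid=1000):
    """Outcome of one attempt; the booleans stand in for the real module results."""
    return evaluate(entries, {
        "pam_env.so": True,
        "pam_fprintd.so": fingerprint,
        "pam_unix.so": password,
        "pam_succeed_if.so": uid >= 1000,
        "pam_deny.so": False,                        # pam_deny always fails
    })


def require_fingerprint(entries):
    """Constructed variant for contrast: pam_fprintd.so switched to 'required'."""
    return [("required" if m == "pam_fprintd.so" else c, m) for c, m in entries]


if __name__ == "__main__":
    page = parse_auth_stack(STACK)
    for fp, pw in ((True, False), (False, True), (False, False)):
        print("sufficient:", fp, pw, login(page, fp, pw))
        print("required:  ", fp, pw, login(require_fingerprint(page), fp, pw))
```

In the required variant a failed or missing fingerprint blocks the login even with the correct password, which is why the page's stack uses sufficient.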

To add a signature for a finger, run

$ fprintd-enroll

You will be asked to scan the given finger. After that, the signature is created in /var/lib/fprint/$USER.

For more information, see man fprintd.

Links:
https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_T420#Fingerprint_reader
https://wiki.archlinux.org/index.php/Fprint#Setup_fingerprint-gui
http://karuppuswamy.com/wordpress/2010/07/22/how-to-get-fingerprint-reader-working-in-fedora-linux-upek-147e1000-in-this-case/