Web Hosting Journal
Sometimes, you may want to run a screen command in a remote server. That makes it necessary to run the command inside the screen session while starting it.
# screen -d -m sh -c "yourcommand"
From the man page of Screen:
-d -m : Start screen in “detached” mode. This creates a new session but doesn’t attach to it. This is useful for system startup scripts.
sh -c: Starts a shell and runs a command for you.
How about install Let’s Encrypt for Cpanel?
Before we start, you may first want to install Let’s Encrypt to use an Immediately Issuing provider for your SSL in Cpanel?
https://mellowhost.com/blog/how-to-install-lets-encrypt-in-cpanel.html
Once done, you may now continue using this tutorial to install Let’s Encrypt for your Service SSL in Cpanel/WHM/Webmail.
How To Install AutoSSL for Server Hostname / Webmail / Cpanel / WHM
Starting from Cpanel 11.58, Cpanel is offering Free SSL, issued by ‘Cpanel INC’ for free of charge to the valid cpanel license owner. If you are using cpanel, login to your WHM >> Providers >> Enable Cpanel & from Options >> Check Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.
Now, running upcp should automatically install the free SSL for your cpanel server hostname. If it doesn’t, it is probably because your server IP and the hostname IP are resolving to wrong address. To understand and troubleshoot the problem, run the following script from command line:
# /usr/local/cpanel/bin/checkallsslcerts
This script checks and installs certificate for expired, invalid and self signed certificates for the server services. If you are seeing an error like the following:
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 62hp6x) The system queried for a temporary file at “http://server91.mellowhost.com/.well-known/pki-validation/D92868E512FB02354F2498B94E67430B.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
It means, your hostname is resolving to the wrong IP. You would need to check if the hostname is resolving to an IP which has first virtualhost pointed to /var/www/html or not under /etc/apache2/conf/httpd.conf
Exim provides a quick way to check the total number of mails in the queue. This is done using the exim -bpc Although, this is not the same for postfix. Postfix doesn’t come with an easy way to do that.
A quick tip on what I use to check the postfix queue number is the following command:
# mailq | tail -n 1
-- 6899 Kbytes in 1518 Requests.
Basically, postfix returns the queue statistics at the end of the queue listing command. We are simply tailing that to find the number.
In CentOS 6, timezone files are located under /usr/share/zoneinfo. So, if your zone is for example, America/Chicago (UTC -6), it would be /usr/share/zoneinfo/America/Chicago and so on.
CentOS 6, uses a file called ‘localtime’ located under /etc to determine it’s currently set timezone.
# ls -la /etc/localtime
This file, is either the actual time zone file moved to this location or a symlink to the timezone under zoneinfo directory. So if you want to change the timezone, first you need to determine which timezone to use and then symlink it to localtime. You can do that using the following:
# rm -f /etc/localtime
# ln -s /usr/share/zoneinfo/Asia/Dhaka /etc/localtime
# date
This would set the current timezone to GMT +6 BDT or Asia/Dhaka timezone, zone I belong to.
CentOS 7, comes with a tool called ‘timedatectl’. This can be used to find and set the symlink for you instead of doing the work that were required in CentOS 6.
To list available time zones, run:
# timedatectl list-timezones
You can find your desired timezone, as following:
# timedatectl list-timezones | grep Chicago
Now, to set a time zone, use the command set-timezone with timedatectl command. For example, if I want to set the time zone to America/Chicago, I would run the following:
# timedatectl set-timezone America/Chicago
# date
This also should create the symlink of locatime file to the zoneinfo directory. You can see that with the following:
# ls -l /etc/localtime
I have an UID, how do I get the username belongs to this UID in Linux?
We usually know, there is a dedicated command called ‘id’ in linux given to find UID from username is called ‘id‘
You can use that to get the UID from the username in linux:
# id -u root
0
Although, there is no built in command get fetch the username from the UID. We can use a pipe and regular expression match on getent to do that.
getent is a unix command that helps a user get entries in a number of important text files called databases. This includes the passwd and group databases which store user information – hence getent is a common way to look up user details on Unix.
You can use the following command to find username of the UID 752 for example in a system:
# getent passwd "752"|cut -d: -f1
texstard
getent can take group database too, although, we have used passwd database as that contains the UID of the respective linux user.
CentOS 7 / RHEL 7 doesn’t come with iptables by default. It uses a full functional firewall system called ‘firewalld’. I have been a big fan of iptables and it’s capability from the very first, and since I have switched to CentOS 7, I couldn’t stop using it. I had to stop firewalld and install iptables in all of my CentOS 7 installation and start using iptables rules as I was using before. Here is a small How To guide on installing Iptables and disabling firewalld from a CentOS 7 or RHEL 7 or a similar variant distro.
To begin using iptables, you need to download and install iptables-service package from the repo. It isn’t installed automatically on CentOS 7. To do that, run the following command:
# yum install iptables-services -y
Once the iptables-serivces package is installed, you can now stop the firewalld and start the iptables. Keeping both kind of network filtering too can create conflicts and it is recommended to use any out of two. To do that run the following:
# systemctl stop firewalld
# systemctl start iptables
Now to disable firewalld from the starting after the boot, you need to disable the firewalld:
# systemctl disable firewalld
To disallow starting firewalld manually as well, you can mask it:
# systemctl mask firewalld
Now you can enable iptables to start at the boot time by enabling iptables using systemctl command:
# systemctl enable iptables
In previous distros, iptables status could be fetched using service command, although, the option is no longer available in CentOS 7. To fetch the iptables status, use the following:
# iptables -S
Iptables save command can still be used using service tool:
# service iptables save
This would save your iptables rules to /etc/sysconfig/iptables as it used to do in previous distros.
There are times when you might require to view the IP address your server is using for outgoing connections. If you are in command line/console/mosh/ssh/rsh, you want an one command solution instead of visiting a page like whatismyip.com using lynx browser or so on. Here is a quick tip that I regularly use to perform this:
Using cURL:
curl ifconfig.co
Using wget:
wget -qO- ifconfig.co
ifconfig.co does it simple and easy.
We use Sophos AV instead of ClamAV in couple of our linux servers. Sophos comes with on access scanning that uses a kernel module to trigger which file has been accessed unlike ClamAV which only come with signature and a basic scanning tool by default. It has it’s own benefit while drawbacks too. You have to give a certain amount of resources for Sophos. There are times, when you may require to disable the On Access Scanning on Sophos AV to diagnose different issues with the server.
To disable on access scanning on sophos AV, run the following from your terminal/ssh console:
/opt/sophos-av/bin/savdctl disable
To re-enable on access scanning on sophos AV, run the following:
/opt/sophos-av/bin/savdctl enable
Sophos log file is located here:
/opt/sophos-av/log
Sophos comes with multiple control binaries. They can be found at the following directory:
/opt/sophos-av/bin
You can find sophos binaries available at the man page too:
man savdctl
We at Mellowhost has been utilizing R1Soft CDP backup for last 8 years. R1Soft has been a great backup tool even though the tool is immensely resource hoggy. At different times we had gone through different situations to handle our backup servers efficiently. After all the hiccups with backup nodes, we ended up efficiently configuring 3 backup servers of 3 different configuration
One of the key factor in designing a backup server is the size and the location. Need to keep in mind that CDP 3 takes more space than CDP 2 for unknown reason while still being a differential backup solution, not just an incremental. Location of the server matters due to the network speed. If you are hosting your server a lot far than the server network, it may take longer time to complete the initial storage. Due to the latency it may fails to perform as fast like 1Gbps even if both network supports it. Just for an example, if you are backing up your data at 1MBps speed, it would take 12.13 days to complete backup of 1TB data [ Calculation: (((1024 x 1024) / 60) / 60) / 24 = 12.13 days ]. A 100Mbps port can give you speed upto 10MBps, while you can have 50MBps+ speed if you are using a 1Gbps network roughly. So why does the speed matter? If you are backing up your initial data in 13 days, that doesn’t mean it will be the same all the time. Your second backup would take much less amount of time as it only needs to upload the differential backups. That is true! But the problem will come when you require to do a bare metal restore. If your server requires a disaster recovery, you would then need 13 days to restore your server to the original state. Your customers won’t sit down for 13 days! While creating backup, it is important to think about disaster recovery too. How fast are you going to be able to restore the backup is an important concern while designing your disaster recovery solution.
I always recommend users to choose a 1Gbps network with a latency below 2ms if you want to have a good disaster recovery solution. This can guarantee a faster bare metal restore when needed.
The second key factor while creating the R1soft backup server would be to choose the RAID. If you are thinking to create r1soft backup on a non-raided solution, I think you should drop off your idea. RAID isn’t necessarily always use to keep your data safe, it can also be used for performance. Keeping a RAID 0 or striping in general is must for a R1Soft server. Otherwise, every couple of times, you are going to see a lot of stalled processes doing ‘disk safe verification’ ‘block scan’ etc etc and not able to keep the backup up to date or canceling processes due to duplicate backup process (Old one taking too long to complete). It is better not to choose RAID 5. I particularly didn’t try RAID 5, but I have used RAID – Z on ZFS file system, which was seriously slow for my work around. I switched the server later on to RAID 0 and BTRFS compression to keep a weekly backup which tremendously improved the R1Soft performance. We at later time, worked to create more backup servers with hardware RAID WB cache and battery backed unit to give us more performance benefit while creating and restoring backups. These servers have been performing tremendously well with R1Soft. They can also be called good disaster recovery node.
Last, I recommend you to understand that backup isn’t just keeping a copy of your data of your online existence. It is important to design a disaster recovery solution instead of just creating backups. If you are simply into creating backups, you probably don’t need R1Soft or any high end servers instead simple Rsync would work fine. But to create ‘Disaster Recovery’ solution, you need high level planning, good hardwares and good cost estimation. If you are leaving behind in any, you will probably fail to create a good disaster recovery solution that actually ‘works’.
Sometimes, you will see the error thrown in dmesg or /var/log/messages are mentioned in dm-number format, while you manage the disk using lvm logical volume name. This is because lvm logical volumes are designed through kernel device mapper technique and kernel recognizes volumes using dm numbers. There is a tool to list all the device mappers used for block devices under Linux. Simply type the following to list the maps:
# lsblk
It shall show something like the following:
There you can see the dm number for each lvm volume is listed under first bracket. For example the swap in this server is created with LVM with the name vg_iof442/swap and has the dm-1 mapping.