RoseWiki - User contributions [en]

Category:Networking Tutorials

2024-10-10T15:47:36Z

Rosemark: Created page with "Here are some of our networking related guides. == Web Hosting == === Proxying requests === * Proxy Server * Reverse Proxy"

Here are some of our networking related guides.

== Web Hosting ==

=== Proxying requests ===

* [[Proxy Server]]
* [[Reverse Proxy]]

Offline Uncorrectable Sectors

2024-10-10T13:47:48Z

Rosemark:

'''Offline Uncorrectable Sectors''' is a common disk-related error experienced on Linux machines. Here's a method you can use to understand and fix them.

== Fixing Offline Uncorrectable Sectors ==
Current Pending Sector is the number of locations the disk knows about that needs to be reallocated but haven't reallocated yet.

Since the disk has no source for the data to be reallocated it will remain in this state until you write into that location.

Once that location is written to, the disk will automatically reallocate the area to another place and write the new data in the new place and the current pending sector count will decrease.

You can use diskscan on Linux or HD Tune on Windows to scan the disk for the bad locations and also attempt to "fix" the locations by making the software write into them in order to attempt the reallocation immediately.

This message was generated by the smartd daemon running on:

host name: host-example
DNS domain: example.local

The following warning/error was logged by the smartd daemon:

Device: /dev/sdf [SAT], 1 Offline uncorrectable sectors

Device info:
Micron_1100_MTFDDAK2T0TBN, S/N:17161B3C0923, WWN:5-00a075-11b3c0923, FW:M0MU031, 2.04 TB

For details see host's SYSLOG.

You can also use the smartctl utility for further investigation.
The original message about this issue was sent at Wed May 27 01:46:08 2020 EDT
Another message will be sent in 24 hours if the problem persists.

root@example:~# apt install diskscan

diskscan [options] /dev/sd
Options:
-v, --verbose - Increase verbosity, multiple uses for higher levels
-f, --fix - Attempt to fix near failures, nothing can be done for unreadable sectors
-s, --scan <mode> - Scan in order (seq, random)
-e, --size <size> - Scan size (default to 64K, must be multiple of 512)
-o, --output <file> - Output file (json)
-r, --raw-log <file> - Raw log of all scan results (json)
--force-mounted - Allow checking a read-only mounted disk
--force-mounted-rw - Allow checking a read-write mounted disk

root@example:~# diskscan /dev/sda
diskscan version 0.19

I: Validating path /dev/sda
I: Disk start temperature is 28
I: Opened disk /dev/sda sector size 512 num bytes 5000981077504
I: Scanning disk /dev/sda in 65536 byte steps
I: Scan started at: Thu May 25 11:23:35 2023

Disk scan | | ETA: 0h00m00s
E: Error when reading at offset 0 size 65536 read -1, errno=0: Success
I: Disk temperature changed from 30 to 31
E: Details: error=need_retry data=none 06/29/00
Disk scan |==== | ETA:10h18m51s
[[Category:Linux Tutorials]]

Category:Linux Tutorials

2024-10-09T17:26:37Z

Rosemark: Created page with "Here are some of our Linux tutorials. == Linux Tutorials (Especially helpful for Proxmox) == * Offline Uncorrectable Sectors * ZFS Failed Disk Replacement"

Here are some of our Linux tutorials.

== Linux Tutorials (Especially helpful for Proxmox) ==

* [[Offline Uncorrectable Sectors]]
* [[ZFS Failed Disk Replacement]]

Category:Software Tutorials

2024-10-09T17:21:44Z

Rosemark: Created page with "Here are some of our tutorials and notes on software, both selfhosted FOSS and 3rd party products. == Software Tutorials == * Firebox Content Inspection (HTTPS Content Inspection) * Nextcloud * Proxy Server (high level) ** Reverse Proxy (use-case specific) * Zabbix"

Here are some of our tutorials and notes on software, both selfhosted FOSS and 3rd party products.

== Software Tutorials ==

* [[Firebox Content Inspection|Firebox Content Inspection (HTTPS Content Inspection)]]
* [[Nextcloud]]
* [[Proxy Server]] (high level)
** [[Reverse Proxy]] (use-case specific)
* [[Zabbix]]

Category:Windows Tutorials

2024-10-09T17:12:46Z

Rosemark: Created page with "Here are some of our Windows / Active Directory tutorials. == Windows == * Folder Redirection * Time Sync * Software Installation (GPO)"

Here are some of our Windows / Active Directory tutorials.

== Windows ==

* [[Folder Redirection]]
* [[Time Sync]]
* [[Software Installation (GPO)]]

Software Installation

2024-10-09T17:07:29Z

Rosemark: Rosemark moved page Software Installation to Software Installation (GPO)

#REDIRECT [[Software Installation (GPO)]]

MediaWiki:Common.css

2024-10-09T16:49:15Z

Rosemark:

/* CSS placed here will be applied to all skins */
.mw-category-generated
{
visibility: hidden;
display:none;
}
#t-specialpages { display: none; visibility: hidden; }

MediaWiki:Common.css

2024-10-09T16:48:10Z

Rosemark:

/* CSS placed here will be applied to all skins */
.mw-category-generated
{
visibility: hidden;
display:none;
}
.t-specialpages { display: none; }

MediaWiki:Common.css

2024-10-09T16:47:55Z

Rosemark:

/* CSS placed here will be applied to all skins */
.mw-category-generated
{
visibility: hidden;
display:none;
}
#t-specialpages { display: none; }

MediaWiki:Sidebar

2024-10-09T16:45:08Z

Rosemark: Created page with " * navigation ** mainpage|mainpage-description ** recentchanges-url|recentchanges * SEARCH * LANGUAGES"

* navigation
** mainpage|mainpage-description
** recentchanges-url|recentchanges
* SEARCH
* LANGUAGES

MediaWiki:Common.css

2024-10-09T16:43:34Z

Rosemark: Created page with "/* CSS placed here will be applied to all skins */ .mw-category-generated { visibility: hidden; display:none; }"

/* CSS placed here will be applied to all skins */
.mw-category-generated
{
visibility: hidden;
display:none;
}

Firebox Content Inspection

2024-10-08T21:37:32Z

Rosemark:

[[Category:Heard County School District]]
The following guide describes the system in place that allows Heard County School District to allow / deny HTTP(S) content coming from the internet.

== Overview ==
Firebox firewalls have a feature called Web Blocker which utilizes HTTPS Content Inspection. [http://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/services/webblocker/webblocker_about_c.html WebBlocker] intercepts incoming traffic from the internet and analyzes it against a customizable table of rules to determine if it contains materials that violate the rules of the organization. Aside from the initial configuration, WebBlocker creates a problematic situation for any websites being served across SSL. It has to decrypt the HTTPS packets to analyze them for inappropriate content. This means that the firewall has to re-encrypt the pages with its own self-signed SSL certificate before passing it to the user, but the user doesn't automatically trust this certificate, and the average user does not know how to navigate this issue.

There are two possible solutions: you can distribute the self-signed certificate to each machine directly or replace the certificate with one signed by a third party certificate authority (CA).

Using a third party certificate authority (CA) is the best and most highly recommended option as, if you have to replace the firewall, it's going to have a completely different self-signed certificate and the clients will no longer trust it. This problem is irrelevant in the case of a third party CA as you only have to reissue / reinstall the certificate to the firewall, and it's implicitly trusted by the clients already.

== Certificate Authority ==
Setting up an enterprise CA can be a daunting task depending on your usecase. What we're aiming for here is to create a new [[Public Key Infrastructure|PKI]], where the root certificate is distributed to all client machines, and then the root certificate is used to sign a re-signing certificate (similar to an intermediary leaf in other, larger PKIs) that gets used to sign the content from inspected websites.

One system that fits this perfectly is the Windows Active Directory Certificate Services role.

Set up a machine in your AD domain and give it a static IP and hostname. Ensure that the hostname is exactly what you want it to be. '''Certificate Services breaks completely if you ever change it.'''

When installing the role, make sure the following are all set:

[[File:ADCSRoles.png|620x620px]]

When configuring the roles after the install, ensure that the options "Root CA" and "Enterprise CA" are selected. Root CA sets it to create a new root certificate which will be the start of our PKI. Enterprise distributes the root CA to all machines in the domain.

Also select the rest of the roles that were installed above when configuring. You don't have to do anything special to them, this just enables them.

It's a good idea to now run gpupdate /force and then reboot the machine.

Now, after you do this, open a web browser and navigate to http://[fqdn of the machine including domain]/certsrv. A login prompt at the top of your screen will appear. Log in with a domain administrator account. Make sure you include the domain prefix if you're using "Administrator" or else it will log in using the local admin privileges of that machine, which do NOT include "network admin" privileges.

== Generate the CSR ==
Now that we have our PKI infrastructure in place, we need to generate the signing certificate in the Fireware Web UI.

From the Fireware Web UI, go to '''System > Certificates''' and select '''Create CSR'''.

Press '''Next.'''

From the list of options that appears, select '''Proxy Authority''' (not ''Proxy Server'').

Fill out the following fields with either the defaults listed or with the information for your domain depending on the form.

At the end, you will have a CSR. Copy this and go to the url referenced previously, http://[fqdn of the machine including domain]/certsrv, and log in.

Select '''Request a certificate.'''

Choose '''advanced certificate request.'''

Paste your CSR into the box above and from the dropdown select '''Subordinate Certificate Authority.'''

From the results page, download the file as base 64.

Now, we also need to export the root CA and import it.

== Import Certificates ==
From certsrv, select '''Download a CA certificate, certificate chain, or CRL'''.

Select '''Download CA Certificate''' and download the file.

From the Fireware Web UI Certificate page we previously navigated to, select '''Import''' or '''Import Certificate'''. Select '''General Use'''. Import the root certificate we just downloaded. Repeat this procedure for the signing certificate, but select '''Proxy Authority.''' This will replace the existing Proxy Authority certificate and webblocker will now use your new one.

You may now test this by attempting to access invalid content.

== Troubleshooting Firefox ==
There's a very good chance that you will now discover that you still cannot view blocked content without being prompted with the bad certificate screen if you use Firefox on your client machine. This is because Firefox does not implicitly trust root enterprise certificates.

To test if your certificate is working at all, in the Firefox URL bar type about:config and press continue past the warning that appears. Search for "enterprise" and enable the enterprise roots rule, then restart Firefox and attempt again. It should now work, but you probably do not want to do this to every single computer running Firefox.

[https://community.spiceworks.com/how_to/138802-configure-firefox-to-use-windows-certificate-store-via-gpo This guide from spiceworks will allow you to fix this through GPO!]

ZFS Failed Disk Replacement

2024-10-08T17:39:10Z

Rosemark:

==Copy partitions from good disk sda to blank disk sdb==
sgdisk -R /dev/sdb /dev/sda # sgdisk -R /dev/sdb<Replicate to this disk> /dev/sda<From this disk> sgdisk -G /dev/sdb # randomize the GUID on the new disk since it was copied from the other drive.

==Using Parted to verify the partition table of /dev/sdl==
(parted) select /dev/sdl Using /dev/sdl
 (parted) p Model: ATA WDC WD2000FYYZ-0 (scsi) Disk /dev/sdl: 2000398934016B Sector size (logical/physical): 512B/512B Partition Table: gpt Disk Flags: Number Start End Size File system Name Flags
1 1048576B 2097151B 1048576B Grub-Boot-Partition bios_grub
2 2097152B 136314879B 134217728B fat32 EFI-System-Partition boot, esp
3 136314880B 2000397885439B 2000261570560B zfs PVE-ZFS-Partition

(Ok partitions copied)

==Copy data from /dev/sda1 to /dev/sdb1 and /dev/sda2 to /dev/sdb2==
dd if=/dev/sda1 of=/dev/sdb1 bs=512 #This is the bios boot partition
root@folkvang:~# dd if=/dev/sdk1 of=/dev/sdl1 bs=512
2014+0 records in
2014+0 records out
1031168 bytes (1.0 MB) copied, 0.10164 s, 10.1 MB/s

==Replace the failed partition in the zpool==
Find the ID of the failed block device
root@folkvang:~# zpool status
pool: rpool
state: DEGRADED
status: One or more devices could not be used because the label is missing or invalid. Sufficient replicas exist for the pool to continue functioning in a degraded state.
action: Replace the device using 'zpool replace'.
see: http://zfsonlinux.org/msg/ZFS-8000-4J
scan: scrub repaired 0 in 0h25m with 0 errors on Sun May 8 11:20:27 2016
config
NAME STATE READ WRITE CKSUM
rpool DEGRADED 0 0 0
mirror-0 DEGRADED 0 0 0
993077023721924477 FAULTED 0 0 0 was /dev/sdk2
sdk2 ONLINE 0 0 0
errors: No known data errors

==Call zpool to replace the failed device==
root@folkvang:~# zpool replace -f rpool 993077023721924477 /dev/sdl2

Make sure to wait until resilver is done before rebooting.
root@folkvang:~# zpool statuspool: rpool state: DEGRADED status: One or more devices is currently being resilvered. The pool will continue to function, possibly in a degraded state. action: Wait for the resilver to complete. scan: resilver in progress since Fri Sep 2 16:45:53 2016 13.2M scanned out of 8.83G at 902K/s, 2h50m to go 12.9M resilvered, 0.15% done config: NAME STATE READ WRITE CKSUM rpool DEGRADED 0 0 0 mirror-0 DEGRADED 0 0 0 replacing-0 UNAVAIL 0 0 0 993077023721924477 FAULTED 0 0 0 was /dev/sdk2 sdl2 ONLINE 0 0 0 (resilvering) sdk2 ONLINE 0 0 0 errors: No known data errors
After fixing the drive, we need to ensure that the boot sectors are configured.

grub-install /dev/sdk grub-install /dev/sdl update-grub

[[Category:Linux Tutorials]]
[[Category:Proxmox Tutorials]]

Main Page

2024-10-08T17:21:08Z

Rosemark:

Welcome to the Rosemark Networks Consultants Wiki.

== Categories ==

* [[:Category:Windows Tutorials|Windows Tutorials]]
** [[:Category:Active Directory|Active Directory Tutorials]]
* [[:Category:Linux Tutorials|Linux Tutorials]]
** [[:Category:Proxmox Tutorials|Proxmox Tutorials]]
* [[:Category:Software Tutorials|Software Tutorials]]
* [[:Category:Networking Tutorials|Networking Tutorials]]

ZFS Failed Disk Replacement

2024-10-08T17:19:54Z

Rosemark:

==Copy partitions from good disk sda to blank disk sdb==
sgdisk -R /dev/sdb /dev/sda # sgdisk -R /dev/sdb<Replicate to this disk> /dev/sda<From this disk> 
sgdisk -G /dev/sdb # randomize the GUID on the new disk since it was copied from the other drive. 

==Using Parted to verify the partition table of /dev/sdl==
(parted) select /dev/sdl 
Using /dev/sdl 
(parted) p 
:Model: ATA WDC WD2000FYYZ-0 (scsi) 
:Disk /dev/sdl: 2000398934016B 
:Sector size (logical/physical): 512B/512B 
:Partition Table: gpt 
:Disk Flags: 
 
:Number Start End Size File system Name Flags 
:1 1048576B 2097151B 1048576B Grub-Boot-Partition bios_grub 
:2 2097152B 136314879B 134217728B fat32 EFI-System-Partition boot, esp 
:3 136314880B 2000397885439B 2000261570560B zfs PVE-ZFS-Partition 

(Ok partitions copied)

==Copy data from /dev/sda1 to /dev/sdb1 and /dev/sda2 to /dev/sdb2==
dd if=/dev/sda1 of=/dev/sdb1 bs=512 #This is the bios boot partition 
root@folkvang:~# dd if=/dev/sdk1 of=/dev/sdl1 bs=512 
2014+0 records in 
2014+0 records out 
1031168 bytes (1.0 MB) copied, 0.10164 s, 10.1 MB/s 

==Replace the failed partition in the zpool==
Find the ID of the failed block device

: root@folkvang:~# zpool status
:: pool: rpool
:: state: DEGRADED
:: status: One or more devices could not be used because the label is missing or invalid. Sufficient replicas exist for the pool to continue functioning in a degraded state.
:: action: Replace the device using 'zpool replace'.
:: see: http://zfsonlinux.org/msg/ZFS-8000-4J
:: scan: scrub repaired 0 in 0h25m with 0 errors on Sun May 8 11:20:27 2016
:: config:

:: NAME STATE READ WRITE CKSUM
:: rpool DEGRADED 0 0 0
:: mirror-0 DEGRADED 0 0 0
:: 993077023721924477 FAULTED 0 0 0 was /dev/sdk2
:: sdk2 ONLINE 0 0 0
:: errors: No known data errors
==Call zpool to replace the failed device==

: root@folkvang:~# zpool replace -f rpool 993077023721924477 /dev/sdl2 
: Make sure to wait until resilver is done before rebooting. 
: root@folkvang:~# zpool status 
:: pool: rpool 
::: state: DEGRADED 
::: status: One or more devices is currently being resilvered. The pool will continue to function, possibly in a degraded state. 
::: action: Wait for the resilver to complete. 
::: scan: resilver in progress since Fri Sep 2 16:45:53 2016 
::: 13.2M scanned out of 8.83G at 902K/s, 2h50m to go 
::: 12.9M resilvered, 0.15% done 
::: config: 

:: NAME STATE READ WRITE CKSUM 
:: rpool DEGRADED 0 0 0 
::: mirror-0 DEGRADED 0 0 0 
::: replacing-0 UNAVAIL 0 0 0 
::: 993077023721924477 FAULTED 0 0 0 was /dev/sdk2 
::: sdl2 ONLINE 0 0 0 (resilvering) 
::: sdk2 ONLINE 0 0 0 
:::
::: errors: No known data errors

(Just in case I did) 
grub-install /dev/sdk 
grub-install /dev/sdl 
update-grub
[[Category:Linux Tutorials]]
[[Category:Proxmox Tutorials]]

Folder Redirection

2024-10-08T17:05:44Z

Rosemark:

'''Folder Redirection''' is a GPO option in [[Windows Active Directory|Active Directory]] that allows an admin to select one or several folders from a list of Windows folders to be replicated from a Workstation or server to a corresponding folder on a network share.

== Overview ==
Folder Redirection is a Computer Configuration policy option set within a GPO.

This policy folder has individual policy options for each of the following folders, which receive their own policy:

* AppData/Roaming
* Contacts
* Desktop
* Documents
* Downloads
* Favorites
* Links
* Music
* Pictures
* Saved Games
* Searches
* Start Menu

* Videos

=== Share Permissions ===
It is important to ensure that the correct sharing permissions are met on the share that will host redirection. If not, several errors will occur and redirection will either not start, start and stop, or be inconsistent.
The share should have the following permissions:
[[File:Folder redireection share permissions.png|none|frame|Everyone: Full Control, Change, Read [Allow]]]

=== Share Security ===
In addition, the security tab on the folder should have the following settings:
[[File:Folder redirection security.png|none|frame]]
Where Users, Administrators, the singular Administrator, and SYSTEM all have Full control over all files. In addition, confirm that inheritance is disabled, and if there are any inherited permissions, reset them.

=== Offline Files ===
Offline Files is a feature that ensures that, if a host loses connection to the file server (say, during an update), there are local copies of the files onboard. It will automatically temporarily switch over to use those copies until the file server comes back online, then sync new changes to the file server. One can easily determine if Offline Files is enabled and working by whether or not they see this at the bottom of a File Explorer window:
[[File:Folder redirection offline files enabled.png|none|thumb|Offline Files is enabled and syncing]]
By default, Offline Files is enabled whenever Folder Redirection is enabled, but this does not apply to clients running Windows Server. Workstations running Windows 7, 10, 11 should automatically receive this.

It can be enabled forcefully using GPO: https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/enable-always-offline

== Setup ==

* The first step to setting up Folder Redirection on a domain is to create a Network Share on a server with sufficient storage. If you have a Domain Controller and a separate file server, the file server is the best place, but if you only have one server, acting as a DC, it'll work fine. Create a folder and go to Properties → Sharing and make sure that you add a dollar sign ($) to the end of the name. This ensures that the share is hidden and prevents both unwanted access and prevents clutter in the Network discovery tab. Under permissions, ensure that Everyone has Full Control, Read, and Change.
* In Active Directory Users and Computers, create an OU for Folder Redirection, where all users inside will have their selected folders synced. Folder Redirection is a '''user''' policy, not a computer policy. You're selecting the individual profiles.
* In Group Policy Management, right click the OU and select ''Create a GPO in this domain, and Link it here...''
* Right click the new GPO and select ''Edit...''
* Under the Editor, navigate to '''GPO → User Configuration → Policies → Windows System → Folder Redirection.''' For demonstration we'll use the Documents folder.
* Under '''Folder Redirection''' select '''Documents''' and select ''Properties'' from the right-click menu.
* Under Setting in the ''Documents Properties'' dialogue, choose ''Basic'' - ''Redirect everyone's folder to the same location.''
* This gives you the following two selections: ''Target folder location: Create a folder for each user under the root path'' ''Root Path: [empty string]''
* Set the Root Path to the network path of the share you created previously. For instance, '''''\\AD01\FolderRedirection$\'''''
* Underneath this, it will show you the hierarchy of the rest of the path, as such: ''For user Clair, this folder will be redirected to: '''\\AD01\FolderRedirection$\Clair\Documents'''''
* In the ''Settings'' tab, ensure that Policy Removal is set to ''"Redirect the folder back to the local userprofile location when policy is removed."'' This ensures that if Folder Redirection has to be taken out of production, the files are available locally.
* If necessary, follow the steps to put an Always Offline GPO in place as seen above.
* Close the GPO editor

Now that the GPO is created, wait for this to replicate to all ADs if there are several. Ensure that there are users in the redirection OU.

Then, either wait for each machine to run a GPO update, or to get immediate results, open an Administrator Powershell on each workstation and run gpudate (with or without the /force flag).

If all works, it will prompt a reboot. Allow this.

On reboot, as the machine comes back up, after logging in, it should display a message that Folder Redirection is being applied. When this is done, there should be a green sync circle next to the default shortcut on this folder. If not, this means Offline Files is not enabled, but redirection itself might be.
[[Category:Windows Tutorials]]
[[Category:Active Directory]]

Folder Redirection

2024-10-08T16:56:52Z

Rosemark:

Offline Uncorrectable Sectors

2024-10-08T16:37:39Z

Rosemark:

Current Pending Sector is the number of locations the disk knows about that needs to be reallocated but haven't reallocated yet.
Since the disk has no source for the data to be reallocated it will remain in this state until you write into that location.
Once that location is written to, the disk will automatically reallocate the area to another place and write the new data in the new place and the current pending sector count will decrease.

You can use diskscan on Linux or HD Tune on Windows to scan the disk for the bad locations and also attempt to "fix" the locations by making the software write into them in order to attempt the reallocation immediately.

This message was generated by the smartd daemon running on:

host name: host-example
DNS domain: example.local

The following warning/error was logged by the smartd daemon:

Device: /dev/sdf [SAT], 1 Offline uncorrectable sectors

Device info:
Micron_1100_MTFDDAK2T0TBN, S/N:17161B3C0923, WWN:5-00a075-11b3c0923, FW:M0MU031, 2.04 TB

For details see host's SYSLOG.

You can also use the smartctl utility for further investigation.
The original message about this issue was sent at Wed May 27 01:46:08 2020 EDT
Another message will be sent in 24 hours if the problem persists.

root@example:~# apt install diskscan

diskscan [options] /dev/sd
Options:
-v, --verbose - Increase verbosity, multiple uses for higher levels
-f, --fix - Attempt to fix near failures, nothing can be done for unreadable sectors
-s, --scan <mode> - Scan in order (seq, random)
-e, --size <size> - Scan size (default to 64K, must be multiple of 512)
-o, --output <file> - Output file (json)
-r, --raw-log <file> - Raw log of all scan results (json)
--force-mounted - Allow checking a read-only mounted disk
--force-mounted-rw - Allow checking a read-write mounted disk

root@example:~# diskscan /dev/sda
diskscan version 0.19

I: Validating path /dev/sda
I: Disk start temperature is 28
I: Opened disk /dev/sda sector size 512 num bytes 5000981077504
I: Scanning disk /dev/sda in 65536 byte steps
I: Scan started at: Thu May 25 11:23:35 2023

Disk scan | | ETA: 0h00m00s
E: Error when reading at offset 0 size 65536 read -1, errno=0: Success
I: Disk temperature changed from 30 to 31
E: Details: error=need_retry data=none 06/29/00
Disk scan |==== | ETA:10h18m51s
[[Category:Linux Tutorials]]

Offline Uncorrectable Sectors

2024-10-08T16:30:43Z

Rosemark:

Offline uncorrectable sectors

2024-10-08T15:03:11Z

Rosemark: Rosemark moved page Offline uncorrectable sectors to Offline Uncorrectable Sectors: Misspelled title

#REDIRECT [[Offline Uncorrectable Sectors]]

Offline Uncorrectable Sectors

2024-10-08T15:03:11Z

Rosemark: Rosemark moved page Offline uncorrectable sectors to Offline Uncorrectable Sectors: Misspelled title

Current Pending Sector is the number of locations the disk knows about that needs to be reallocated but haven't reallocated yet.
Since the disk has no source for the data to be reallocated it will remain in this state until you write into that location.
Once that location is written to, the disk will automatically reallocate the area to another place and write the new data in the new place and the current pending sector count will decrease.

You can use diskscan on Linux or HD Tune on Windows to scan the disk for the bad locations and also attempt to "fix" the locations by making the software write into them in order to attempt the reallocation immediately.

<nowiki>
This message was generated by the smartd daemon running on:

host name: hcss-pve03
DNS domain: heard.k12.ga.us

The following warning/error was logged by the smartd daemon:

Device: /dev/sdf [SAT], 1 Offline uncorrectable sectors

Device info:
Micron_1100_MTFDDAK2T0TBN, S/N:17161B3C0923, WWN:5-00a075-11b3c0923, FW:M0MU031, 2.04 TB

For details see host's SYSLOG.

You can also use the smartctl utility for further investigation.
The original message about this issue was sent at Wed May 27 01:46:08 2020 EDT
Another message will be sent in 24 hours if the problem persists.
</nowiki>

<nowiki>
root@folkvang:~# apt install diskscan

diskscan [options] /dev/sd
Options:
-v, --verbose - Increase verbosity, multiple uses for higher levels
-f, --fix - Attempt to fix near failures, nothing can be done for unreadable sectors
-s, --scan <mode> - Scan in order (seq, random)
-e, --size <size> - Scan size (default to 64K, must be multiple of 512)
-o, --output <file> - Output file (json)
-r, --raw-log <file> - Raw log of all scan results (json)
--force-mounted - Allow checking a read-only mounted disk
--force-mounted-rw - Allow checking a read-write mounted disk

root@folkvang:~# diskscan /dev/sda
diskscan version 0.19

I: Validating path /dev/sda
I: Disk start temperature is 28
I: Opened disk /dev/sda sector size 512 num bytes 5000981077504
I: Scanning disk /dev/sda in 65536 byte steps
I: Scan started at: Thu May 25 11:23:35 2023

Disk scan | | ETA: 0h00m00s
E: Error when reading at offset 0 size 65536 read -1, errno=0: Success
I: Disk temperature changed from 30 to 31
E: Details: error=need_retry data=none 06/29/00
Disk scan |==== | ETA:10h18m51s
</nowiki>

Offline Uncorrectable Sectors

2024-10-08T15:02:02Z

Rosemark: 1 revision imported

Current Pending Sector is the number of locations the disk knows about that needs to be reallocated but haven't reallocated yet.
Since the disk has no source for the data to be reallocated it will remain in this state until you write into that location.
Once that location is written to, the disk will automatically reallocate the area to another place and write the new data in the new place and the current pending sector count will decrease.

You can use diskscan on Linux or HD Tune on Windows to scan the disk for the bad locations and also attempt to "fix" the locations by making the software write into them in order to attempt the reallocation immediately.

<nowiki>
This message was generated by the smartd daemon running on:

host name: hcss-pve03
DNS domain: heard.k12.ga.us

The following warning/error was logged by the smartd daemon:

Device: /dev/sdf [SAT], 1 Offline uncorrectable sectors

Device info:
Micron_1100_MTFDDAK2T0TBN, S/N:17161B3C0923, WWN:5-00a075-11b3c0923, FW:M0MU031, 2.04 TB

For details see host's SYSLOG.

You can also use the smartctl utility for further investigation.
The original message about this issue was sent at Wed May 27 01:46:08 2020 EDT
Another message will be sent in 24 hours if the problem persists.
</nowiki>

<nowiki>
root@folkvang:~# apt install diskscan

diskscan [options] /dev/sd
Options:
-v, --verbose - Increase verbosity, multiple uses for higher levels
-f, --fix - Attempt to fix near failures, nothing can be done for unreadable sectors
-s, --scan <mode> - Scan in order (seq, random)
-e, --size <size> - Scan size (default to 64K, must be multiple of 512)
-o, --output <file> - Output file (json)
-r, --raw-log <file> - Raw log of all scan results (json)
--force-mounted - Allow checking a read-only mounted disk
--force-mounted-rw - Allow checking a read-write mounted disk

root@folkvang:~# diskscan /dev/sda
diskscan version 0.19

I: Validating path /dev/sda
I: Disk start temperature is 28
I: Opened disk /dev/sda sector size 512 num bytes 5000981077504
I: Scanning disk /dev/sda in 65536 byte steps
I: Scan started at: Thu May 25 11:23:35 2023

Disk scan | | ETA: 0h00m00s
E: Error when reading at offset 0 size 65536 read -1, errno=0: Success
I: Disk temperature changed from 30 to 31
E: Details: error=need_retry data=none 06/29/00
Disk scan |==== | ETA:10h18m51s
</nowiki>

ZFS Failed Disk Replacement

2024-10-08T15:02:02Z

Rosemark: 1 revision imported

root@Chn-pve01:~# cat ZFS_Replace-Boot-Disk.txt
==Copy partitions from good disk sda to blank disk sdb==
sgdisk -R /dev/sdb /dev/sda # sgdisk -R /dev/sdb<Replicate to this disk> /dev/sda<From this disk> 
sgdisk -G /dev/sdb # randomize the GUID on the new disk since it was copied from the other drive. 

==Using Parted to verify the partition table of /dev/sdl==
(parted) select /dev/sdl 
Using /dev/sdl 
(parted) p 
:Model: ATA WDC WD2000FYYZ-0 (scsi) 
:Disk /dev/sdl: 2000398934016B 
:Sector size (logical/physical): 512B/512B 
:Partition Table: gpt 
:Disk Flags: 
 
:Number Start End Size File system Name Flags 
:1 1048576B 2097151B 1048576B Grub-Boot-Partition bios_grub 
:2 2097152B 136314879B 134217728B fat32 EFI-System-Partition boot, esp 
:3 136314880B 2000397885439B 2000261570560B zfs PVE-ZFS-Partition 

(Ok partitions copied)

==Copy data from /dev/sda1 to /dev/sdb1 and /dev/sda2 to /dev/sdb2==
dd if=/dev/sda1 of=/dev/sdb1 bs=512 #This is the bios boot partition 
root@folkvang:~# dd if=/dev/sdk1 of=/dev/sdl1 bs=512 
2014+0 records in 
2014+0 records out 
1031168 bytes (1.0 MB) copied, 0.10164 s, 10.1 MB/s 

==Replace the failed partition in the zpool==
Find the ID of the failed block device

: root@folkvang:~# zpool status
:: pool: rpool
:: state: DEGRADED
:: status: One or more devices could not be used because the label is missing or invalid. Sufficient replicas exist for the pool to continue functioning in a degraded state.
:: action: Replace the device using 'zpool replace'.
:: see: http://zfsonlinux.org/msg/ZFS-8000-4J
:: scan: scrub repaired 0 in 0h25m with 0 errors on Sun May 8 11:20:27 2016
:: config:

:: NAME STATE READ WRITE CKSUM
:: rpool DEGRADED 0 0 0
:: mirror-0 DEGRADED 0 0 0
:: 993077023721924477 FAULTED 0 0 0 was /dev/sdk2
:: sdk2 ONLINE 0 0 0
:: errors: No known data errors
==Call zpool to replace the failed device==

: root@folkvang:~# zpool replace -f rpool 993077023721924477 /dev/sdl2 
: Make sure to wait until resilver is done before rebooting. 
: root@folkvang:~# zpool status 
:: pool: rpool 
::: state: DEGRADED 
::: status: One or more devices is currently being resilvered. The pool will continue to function, possibly in a degraded state. 
::: action: Wait for the resilver to complete. 
::: scan: resilver in progress since Fri Sep 2 16:45:53 2016 
::: 13.2M scanned out of 8.83G at 902K/s, 2h50m to go 
::: 12.9M resilvered, 0.15% done 
::: config: 

:: NAME STATE READ WRITE CKSUM 
:: rpool DEGRADED 0 0 0 
::: mirror-0 DEGRADED 0 0 0 
::: replacing-0 UNAVAIL 0 0 0 
::: 993077023721924477 FAULTED 0 0 0 was /dev/sdk2 
::: sdl2 ONLINE 0 0 0 (resilvering) 
::: sdk2 ONLINE 0 0 0 
:::
::: errors: No known data errors

(Just in case I did) 
grub-install /dev/sdk 
grub-install /dev/sdl 
update-grub

Firebox Content Inspection

2024-10-08T15:02:02Z

Rosemark: 1 revision imported

[[Category:Heard County School District]]
The following guide describes the system in place that allows Heard County School District to allow / deny HTTP(S) content coming from the internet.

== Overview ==
Firebox firewalls have a feature called Web Blocker which utilizes HTTPS Content Inspection. [http://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/services/webblocker/webblocker_about_c.html WebBlocker] intercepts incoming traffic from the internet and analyzes it against a customizable table of rules to determine if it contains materials that violate the rules of the organization. Aside from the initial configuration, WebBlocker creates a problematic situation for any websites being served across SSL. It has to decrypt the HTTPS packets to analyze them for inappropriate content. This means that the firewall has to re-encrypt the pages with its own self-signed SSL certificate before passing it to the user, but the user doesn't automatically trust this certificate, and the average user does not know how to navigate this issue.

There are two possible solutions: you can distribute the self-signed certificate to each machine directly or replace the certificate with one signed by a third party certificate authority (CA).

Using a third party certificate authority (CA) is the best and most highly recommended option as, if you have to replace the firewall, it's going to have a completely different self-signed certificate and the clients will no longer trust it. This problem is irrelevant in the case of a third party CA as you only have to reissue / reinstall the certificate to the firewall, and it's implicitly trusted by the clients already.

== Certificate Authority ==
Setting up an enterprise CA can be a daunting task depending on your usecase. What we're aiming for here is to create a new [[Public Key Infrastructure|PKI]], where the root certificate is distributed to all client machines, and then the root certificate is used to sign a re-signing certificate (similar to an intermediary leaf in other, larger PKIs) that gets used to sign the content from inspected websites.

One system that fits this perfectly is the Windows Active Directory Certificate Services role.

Set up a machine in your AD domain and give it a static IP and hostname. Ensure that the hostname is exactly what you want it to be. '''Certificate Services breaks completely if you ever change it.'''

When installing the role, make sure the following are all set:

[[File:ADCSRoles.png|620x620px]]

When configuring the roles after the install, ensure that the options "Root CA" and "Enterprise CA" are selected. Root CA sets it to create a new root certificate which will be the start of our PKI. Enterprise distributes the root CA to all machines in the domain.

Also select the rest of the roles that were installed above when configuring. You don't have to do anything special to them, this just enables them.

It's a good idea to now run gpupdate /force and then reboot the machine.

Now, after you do this, open a web browser and navigate to http://[fqdn of the machine including domain]/certsrv. A login prompt at the top of your screen will appear. Log in with a domain administrator account. Make sure you include the domain prefix if you're using "Administrator" or else it will log in using the local admin privileges of that machine, which do NOT include "network admin" privileges.

== Generate the CSR ==
Now that we have our PKI infrastructure in place, we need to generate the signing certificate in the Fireware Web UI.

From the Fireware Web UI, go to '''System > Certificates''' and select '''Create CSR'''.

Press '''Next.'''

From the list of options that appears, select '''Proxy Authority''' (not ''Proxy Server'').

Fill out the following fields with either the defaults listed or with the information for your domain depending on the form.

At the end, you will have a CSR. Copy this and go to the url referenced previously, http://[fqdn of the machine including domain]/certsrv, and log in.

Select '''Request a certificate.'''

Choose '''advanced certificate request.'''

Paste your CSR into the box above and from the dropdown select '''Subordinate Certificate Authority.'''

From the results page, download the file as base 64.

Now, we also need to export the root CA and import it.

== Import Certificates ==
From certsrv, select '''Download a CA certificate, certificate chain, or CRL'''.

Select '''Download CA Certificate''' and download the file.

From the Fireware Web UI Certificate page we previously navigated to, select '''Import''' or '''Import Certificate'''. Select '''General Use'''. Import the root certificate we just downloaded. Repeat this procedure for the signing certificate, but select '''Proxy Authority.''' This will replace the existing Proxy Authority certificate and webblocker will now use your new one.

You may now test this by attempting to access invalid content.

== Troubleshooting Firefox ==
There's a very good chance that you will now discover that you still cannot invalid content without being prompted with the bad certificate screen if you use Firefox on your client machine. This is because Firefox does not implicitly trust root enterprise certificates.

To test if your certificate is working at all, in the Firefox URL bar type about:config and press continue past the warning that appears. Search for "enterprise" and enable the enterprise roots rule, then restart Firefox and attempt again. It should now work, but you probably do not want to do this to every single computer running Firefox.

[https://community.spiceworks.com/how_to/138802-configure-firefox-to-use-windows-certificate-store-via-gpo This guide from spiceworks will allow you to fix this through GPO!]

Zabbix

2024-10-07T18:55:05Z

Rosemark: 1 revision imported

=Zabbix model=
Zabbix is an [[Open Source Software|open source]] network monitoring software comprised of several components in a Client-Server model.
==Zabbix Server==
A central node running Zabbix Server is responsible for managing a MySQL database and performing passive checks on its clients, called Hosts.
=Overview=
Zabbix Server can be installed in several ways but the two most efficient ways to set one up are through either Linux packages or through an appliance, though the appliance is not meant for production usage.
==Installation from packages==
This guide / reference assumes Debian 11 (Bullseye), but the concept can be applied nearly identically to any distro, so long as you adjust one or two steps due to package manager differences. Also, make sure you have a MySQL server setup beforehand. On that note, before we get ahead of ourselves, we're most likely going to use the lxc-turnkey-mysql container template within Proxmox, and so there's one single extra step before we install Zabbix:
===Pre-emptive en_US UTF8 Fix===
The default configuration of MySQL / MariaDB in the turnkey container is missing a specific locale file that, if missing, just completely busts Zabbix's MySQL integration beyond comprehension. Easy fix though. From your MySQL database, run dpkg-reconfigure locales and select en_US UTF8. For good measure run update-locales after.
===Get Zabbix server repositorry===
The first step is to add Zabbix' repository to our server. For Zabbix 6.4 on Debian 11, this looks like this:
: wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb 
: dpkg -i zabbix-release_6.4-1+debian11_all.deb 
: apt update 
===Install server, frontend, and agent===
The next step is to install several packages from that repository. Server is the core of Zabbix, the frontend gives us access to the web interface, and agent is installed onto the server for self-diagnostics. This can be done as a one liner. 
: apt install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent 
Most of these are self-explanatory but zabbix-sql-scripts is particularly important in the next step.
===Create database===
Zabbix, on a broad enough scale, can be understood to be a layer on top of an SQL database, so naturally we need to create a database for it to connect to. The official instructions have a few vague points that I'm adjusting. Before we can create the database we should copy the files that zabbix-sql-scripts generated over to the server. Use SCP to copy /usr/share/zabbix-sql-scripts/mysql/server.sql.qz from Zabbix Server to the MySQL server. 
Open MySQL using mysql -uroot -p and then run the following SQL query commands: 
: create database zabbix character set utf8mb4 collate utf8mb4_bin; 
: create user 'zabbix'@'IPOFZABBIXSERVER' identified by 'DBPASSWORD' 
: grant all privileges on zabbix.* to 'zabbix'@'IPOFZABBIXSERVER'; 
: set global log_bin_trust_function_creators = 1; 
: quit; 
Then, from the database server's shell, we need to use zcat to import a pre-defined database schema into MySQL. This is more or less the last step. Please note that this command has no stdout as it's piped into the MySQL command, so it may seem like it's hanging. It takes a few minutes at the least, up to 20 on slow machines. This is normal. Just leave it open. 
: zcat /path/to/server.sql.qz | mysql --default-character-set = utf8mb4 -uzabbix -p zabbix 
When this is done, open mysql using -uroot -p again, and set global log_bin_trust_functioin_creators = 0. 
Lastly, on the Zabbix server open /etc/zabbix/zabbix_server.conf and add DBPassword=[password] 
Enable and restart the server, agent, and frontend. 
: systemctl enable zabbix-server zabbix-agent apache2 
: systemctl restart zabbix-server zabbix-agent apache2 
Visit the frontend at http://[ip]/zabbix/ for the last few installation steps, which are explained on-screen (essentially just giving Zabbix Server the IP of the MySQL database.)
==Zabbix Proxy==
The process for Zabbix Proxy is very similar, but it needs a separate database, on a separate MySQL install rather than just a different MySQL database itself - I believe this has to do with MySQL socket locking and naming conflicts. In theory, this could be hacked around a bit, using a different zabbix user, but I haven't confirmed this and it's not officially supported, and I have confirmed it simply does not function otherwise. The process is very similar, so here are some condensed instructions.
Create a separate MySQL / MariaDB installation, either as a separate container or as an install on the proxy itself. Make sure to perform the UTF8 fix as described above.
: create database zabbix_proxy character set utf8mb4 collate utf8mb4_bin; 
: create user 'zabbix'@'IPOFZABBIXPROXY' identified by 'DBPASSWORD' 
: grant all privileges on zabbix_proxy.* to 'zabbix'@'IPOFZABBIXPROXY'; 
: set global log_bin_trust_function_creators = 1; 
: quit; 
Copy /usr/share/zabbix-sql-scripts/mysql/proxy.sql from the proxy to the DB.
: cat zabbix-sql-scripts/mysql/proxy.sql | mysql --default-character-set=utf8mb4 -uzabbix -p zabbix_proxy 
: set global log_bin_trust_function_creators = 0; 
Set the DBPassword field in /etc/zabbix/zabbix_proxy.conf
: systemctl restart zabbix-proxy
: systemctl enable zabbix-proxy
==Post-install Configuration Changes==
These initial installations of Zabbix Server and Zabbix Proxy are missing a few configuration changes that render them useless. Here's a rundown of the ones that matter first:
===/etc/zabbix/zabbix_server.conf===
: DBName=zabbix (name of the SQL database
: DBUser=zabbix (name of the MySQL user Zabbix interacts through - I think this might be the source of conflicts with Proxy. Will test later.)
: DBPassword=Password (as set for MySQL previously. Wonder if there's a way to have this be a hidden variable.)
: StartDiscoverers can be set to anything between 0 and 1000. This is the number of subprocesses that polls the network on a regular basis (see "Zabbix Autodiscovery") for agents.
===/etc/zabbix/zabbix_proxy.conf===
: ProxyMode=0 (0 is Active mode, 1 is Passive mode - Active is preferred)
: Server=SERVERIP (IP or DNS name for the Server the Proxy is a slave to)
: Hostname=zabbixProxy (This is SUPER important - the hostname is used in some communication somewhere between Server and Proxy and if this is mismatched / not known to the Server literally nothing works!)
: DBHost=MySQLServerIP (defaults to localhost.)
: DBName=zabbix_proxy
: DBUser=zabbix
: DBPassword=password

==Zabbix Agent==
Installing agent on a host is really straight forward. Install the repository as before...
: wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb 
: dpkg -i zabbix-release_6.4-1+debian11_all.deb 
: apt update 
: apt install zabbix-agent 
Important settings in /etc/zabbix/zabbix_agentd.conf:
: Server=IPOFSERVERORPROXY
: ServerActive=IPOFSERVERORPROXY (especially important with proxies)
: hostname is the hostname of the host you're configuring agent on - must match Zabbix Server host configuration
There's really not much else you have to do for Agent.
: systemctl restart zabbix-agent 
: systemctl enable zabbix-agent 
==Using Zabbix templates and monitoring items==
[[Category:Appliances]]

Proxy Server

2024-10-07T18:55:05Z

Rosemark: 1 revision imported

A proxy server is a server that stands between two network devices, a client and a sender. The client sends a request to the proxy, which then forwards it to a target server. The target server responds to the proxy, which then responds to the client on behalf of the target. The target server never sees the IP of the client. There are several applications and purposes for proxy servers, most notably including [[#Proxy_Server|reverse proxies.]]

==Reverse Proxies==
In a reverse proxy, the proxy faces a web server on its own network. The web server isn't accessible from the internet, but the proxy is, potentially through port forwarding. An internet user sends a request for information to the proxy server, and the proxy server then relays that to the web server. The web server returns the information back to the proxy, which then returns it to the internet. The important detail here is that the reverse proxy can accept or reject requests depending on certain criteria. This adds a helpful point in which to add authorization measures, such as [[Authelia]].

MySQL

2024-10-07T18:55:05Z

Rosemark: 1 revision imported

=Overview=
MySQL is an [[RDBMS]] database standard most commonly implemented as MySQL Server or its modern, cross-compatible counterpart, MariaDB. Due to its more modern nature, this guide assumes at all points that the DB in question is MariaDB. There's no meaningful difference for the sake of this documentation unless explicitly stated. MySQL is one of the most popular database backends in the industry, and is the database of preference for [[MediaWiki]] and [[Zabbix|both Zabbix Server and Proxy]].
MySQL uses its own dialect of [[SQL]]. MariaDB exactly matches MySQL's API calls and SQL variety, though newer features diverge from traditional MySQL. (investigate this!)
=Installation and Initial Database Creation Steps=
See [[Unix Package Managers]] for non-APT repositories. Assumes Debian / Ubuntu. 
: apt update
: apt install mariadb-server
The default MySQL database has nothing in it, and one user, 'root'@'localhost'. Users are defined by host. 
Due to its compatibility with standard MySQL, you can use the MySQL command as well as third party applications that refer to MySQL. 
To enter the MySQL console: 
: (sudo) mysql -uroot -p
* -u is a prefix following the name of the user. You can have a space between it and the username, but it seems convention is to leave it out.
* The above stipulation applies to all options except -p, which signifies the password. The password MUST immediately follow it. If the password is left blank, the stdin will poll you for it, then follow after authentication.
* The default password seems to be the password of the account that installs and starts MySQL.
Let's create a simple database, give it a table, give it two entries, and then move on. 
From the console, type: 
: CREATE DATABASE testDatabase;
This creates the database.
: USE testDatabase;
This sets testDatabase as the currently active database - one MySQL installation can house multiple databases.
: CREATE TABLE thisIsATestTable (testColumn1_ID int, testColumn2_Name varchar(255));
This creates a table in testDatabase with two columns, one integer and one 255 character string.
Let's add two entries:
: INSERT INTO thisIsATestTable VALUES (1, 'Hello');
: INSERT INTO thisIsATestTable VALUES (2, 'World');
We use the INSERT INTO keyword to select the table we're adding the entries to, and then VALUES acts sort of like a function taking a set of values as parameters to insert, following the schema of the table. If you wish to only insert into one column (or any partial collection of the table's columns) you may use the following format:
: INSERT INTO thisIsATestTable(testColumn2_name) VALUES ('from the otherside');
In this situation, the columns we don't add values to will be null. Case in point: 
: SELECT * FROM thisIsATestTable; 
:: 1 - Hello
:: 1 - World
:: null - from the otherside
We could, of course, set this up to auto increment by entry, by defining our table as such: 
: CREATE TABLE thisIsATestTable (testColumn1_ID int NOT NULL AUTO_INCREMENT, testColumn2_Name varchar(255), PRIMARY KEY(testColumn1_ID));
After doing this, we use null instead of a number when adding a whole entry, or if partial, we specify all columns except the ID. Once it enters into the database, it will get an ID by order of insertion.
=Backups using automysqlbackup=
We can backup our MySQL databases through automysqlbackup, a third party package we can download that converts our databases into sql files that first create the database, table, etc, then populate their values. The next subsection covers the restoration process.
First, install automysqlbackup:
: apt update
: apt install automysqlbackup
We can then run it just by itself:
: automysqlbackup
The results appear in /var/lib/automysqlbackup/ with the first backup done appearing in the /var/lib/automysqlbackup/daily directory. Each individual database appears as its own directory, and in these directories are SQL script files, packaged as [[Gunzip|gzips]].
=Formatting databases through piping=
We can use SQL script files to restore a backup. Since the SQL scripts are just SQL that reconstructs the database from scratch, we can use the MySQL command and pipe these scripts into it. This method assumes the database itself is already created, but empty. This can be preceded just by using CREATE DATABASE name. The formula for this is essentially using gunzip to unzip the file and piping them in:
: gunzip -c file.sql.gz | mysql -uroot -p
=Users and remote access=
Last major note here, access to a given database and tables within it are assumed blocked for all users by default and need to be specified. Further, users are differentiated by both name and host, so that for example, a non-root user on the localhost might have higher permissions than the same non-root user communicating from an on-site workstation, and higher still than the same non-root user communicating offsite. Here's an example:
: CREATE USER 'maeve'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
: GRANT ALL PRIVILEGES ON testDatabase.* TO 'Maeve'@'localhost';
: CREATE USER 'maeve'@'192.168.4.25' IDENTIFIED BY 'password';
: GRANT ALL PRIVILEGES ON testDatabase.thisIsATestTable TO 'Maeve'@'192.168.4.25';
This is mostly self explanatory but I will mention that WITH GRANT OPTION specifies that, logged in as 'maeve'@'localhost', the user could grant the same permissions to another user, essentially allowing for delegation.
==Notes==
* In MySQL, double quotes aren't used for string delimination. We use single quotes instead, and two single quotes together for a single quote within a string, such as a possessive apostrophe.
[[Category:Infrastructure]]

Folder Redirection

2024-10-07T18:55:05Z

Rosemark: 1 revision imported