How to create 1000s of small files in Linux for troubleshooting

 

You can use the following one liner to create thousands of smaller random size files on local block volume.

 

 

In this example we are creating 21099 smaller files of multiple KBs.

for n in {1..21099}; do dd if=/dev/urandom of=file$( printf %03d "$n" ).txt bs=1 count=$(( RANDOM + 1024 )); done

How to do faster copy and delete operations on EFS file systems

 

Issue: How to do faster copy and delete operations on EFS file systems.


Environment:

Amazon Linux
Ubuntu Server
Amazon EFS


Solution:


To optimize copy and delete operations on EFS file systems, you can use the GNU Parallel shell tool for executing jobs in parallel. By doing this you will be able to complete these tasks faster than using the normal serial method.


1.a. Install the NFS utilities and the GNU parallel package on Amazon Linux.

[ec2-user ~]$ sudo yum install nfs-utils -y
[ec2-user ~]$ sudo yum install parallel
 

1.b. Install the NFS utilities and the GNU parallel package on Ubuntu Server.
[ubuntu ~]$ sudo apt-get install nfs-common parallel -y


1.c. Install from source:

[ec2-user ~]$ cd /tmp; wget http://ftp.gnu.org/gnu/parallel/parallel-latest.tar.bz2
[ec2-user ~]$ tar -xvf parallel-20120122.tar.bz2; cd parallel-20170822
[ec2-user ~]$ sudo yum groupinstall 'development tools' -y
[ec2-user ~]$ make; ./configure && sudo make install


2. Create a temporary directory and mount the EFS filesystem.
[ec2-user ~]$ sudo mkdir /mnt/efs; sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 fs-XXXXXXXX.efs.REGION.amazonaws.com:/ /mnt/efs


3. Create ten thousand small files local in your instance.
[ec2-user ~]$ mkdir /tmp/efs; for each in $(seq 1 10000); do SUFFIX=$(mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX); sudo dd if=/dev/zero of=/tmp/efs/${SUFFIX} bs=64k count=1; done


4. Copy the files from your instance to the EFS file system using the parallel method.
[ec2-user ~]$ cd /tmp/efs; find -L . -maxdepth 1 -type f | sudo parallel rsync -avR {} /mnt/efs/

5. Delete the files from the EFS file system using the parallel method.
[ec2-user ~]$ cd /mnt/efs; find -L . -maxdepth 1 -type f | sudo parallel rm -rfv {}

 

Test:
The following output is from my tests, using an EFS file system (General Purpose) mounted on a t2.micro instance type:


1. Copy ten thousand files from my EC2 instance to my EFS file system, using the normal serial method.
[ec2-user ~]$ cd /tmp/efs; time sudo find -L . -maxdepth 1 -type f -exec rsync -avR '{}' /mnt/efs/ \;

real 20m8.947s
user 0m0.060s
sys 0m0.980s

2. Copy ten thousand files from my EC2 instance to my EFS file system, using the parallel method.
[ec2-user ~]$ cd /tmp/efs; time find -L . -maxdepth 1 -type f | sudo parallel rsync -avR {} /mnt/efs/
real 5m34.264s
user 0m8.308s
sys 0m6.904s


3. Delete ten thousand files from my EFS file system, using the normal serial method.
[ec2-user ~]$ cd /mnt/efs; time sudo find -L . -maxdepth 1 -exec rm -rfv {} \;
real 2m24.799s
user 0m0.124s
sys 0m1.240s


4. Delete ten thousand files from my EFS file system, using the parallel method.
[ec2-user ~]$ cd /mnt/efs; find -L . -maxdepth 1 -type f | sudo parallel rm -rfv {}
real 1m55.153s
user 0m7.988s
sys 0m6.972s

Recursively copy :
To add to this amazing article as most us are using this as a sample for our customers I would like to mention that the examples above will copy all files from SRC only, not recursively into /SRC. If you need recursively copy you will have two option with rsync:

Loop:
find /SRC/ -type d | while read -r c; do cd "$c"; find -L . -maxdepth 1 -type f | parallel rsync --avR {} /DST; done

As the above allows you the possibility to run parallel copy and recursively copy the data from SRC/ to DST it also introduces a performance penalty as the loop have to read to each folder recursively and fire parallel copies only of the content of that location.

List Creation:
Create List
rsync -avR --dry-run /SRC /DST > lsit.log
 

Run the command:
cat list.log | parallel --will-cite -j 100 rsync -avR {} /DST/


The above is a much simpler approach, what basically do is to create a list of all files/folders recursively on /SRC and fire 100 parallel copies reading the path of the files to copy from the list. This allows the copies to be much more efficient as having less over the head.


[2] http://www.gnu.org/software/parallel/man.html#EXAMPLE:-Parallelizing-rsync

Block Volume Performance calculation

In the realm of modern computing, where data storage and retrieval speed are paramount, understanding the performance of storage solutions is crucial. One of the fundamental components of this landscape is Linux block volume performance calculation. Whether you're a system administrator, a developer, or an enthusiast, delving into the intricacies of block volume performance, including Fio-based tests, can empower you to make informed decisions about storage setups. In this blog post, we'll demystify the concepts behind Linux block volume performance calculation and explore the key factors that influence it, along with practical Fio-based tests.
 

Understanding Block Volumes:
Block volumes are a type of storage solution commonly used in modern IT infrastructures. They provide raw storage space that can be partitioned and formatted according to the user's needs. These volumes are often found in virtual machines, cloud instances, and even physical servers. They are characterized by their ability to handle data at the block level, meaning data is read from and written to storage in fixed-size blocks.
 

Factors Influencing Block Volume Performance:
Several factors play a pivotal role in determining the performance of Linux block volumes. Understanding these factors helps optimize storage systems for better efficiency and responsiveness.

1. I/O Operations Per Second (IOPS): IOPS refers to the number of input/output operations a storage device can handle in a second. It is a key metric in assessing storage responsiveness. The higher the IOPS, the faster the storage system can read from or write to the block volume.

2. Throughput: Throughput measures the amount of data that can be transferred between the storage device and the system in a given period. It's usually measured in megabytes or gigabytes per second. Throughput is a crucial metric when dealing with large data transfers.

3. Latency: Latency is the delay between initiating a data request and receiving the first byte of data. Lower latency indicates a more responsive storage system. Excessive latency can lead to delays in data-intensive operations.

4. Queue Depth: Queue depth refers to the number of I/O requests that can be in the queue to the storage device at a given time. A higher queue depth can lead to improved performance, especially in scenarios with concurrent I/O operations.

Calculating Block Volume Performance:
While calculating precise block volume performance can be intricate, here's a simplified approach:

1. IOPS Calculation: Determine the total IOPS required by considering the application's read and write demands. Divide this total by the number of block volumes to distribute the load. It's important to consider peak I/O requirements.

2. Throughput Calculation: Calculate the required throughput by estimating the data transfer needs of the application. Divide this by the number of block volumes for load distribution.

3. Latency Estimation: Latency is affected by various factors, including the speed of the storage media and the efficiency of the underlying technology. Faster media and optimized configurations lead to lower latency.

How to fix in-acessible instance in Oracle Cloud Infrastructure (OCI)

Steps to recover inaccessible OCI Compute instances, fix ssh configuration, update ssh key pairs, fix /etc/fstab entries, fix boot parameters and so on

Step-by-Step Guide

1. Stop the instance from the OCI Compute console.
 

2. Detach the volume from the OCI console: (let's call it broken volume) [1].
    - Select the instance from the OCI Compute Console.
    - Select 'Boot Volume' from the Resources.
    - Click the '...' on the boot volume snd select 'Detach'.
 

3. Launch a recovery instance in the same AD. (Lets call it recovery instance). You may use an existing instance in the same Availability domain.
 

4. Once the instance is started, attach the broken volume as Block Volumes.
    - Select 'Attached Block Volumes' from the Resources.
    - Click ' Attach Block Volume' and select the broken volume from the 'BLOCK VOLUME' tab.
    - Click Attach - just make sure you have selected READ/Write' and attach the volume as Paravirtualized one so that you do not have to run the iSCSI commands.
 

5. If you have attached the volume as iSCSI disk, connect to the disk to the recovery instance using iSCSI commands from the OCI console [2].
 

6. SSH into the recovery instance and follow the steps:

Important: Run the commands as root user.

If the disk is attached and connected properly, you should be able to view it using 'lsblk' or similar commands:

[opc@jay ~]$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT 
sda      8:0    0 46.6G  0 disk 
├─sda1   8:1    0  512M  0 part /boot/efi 
├─sda2   8:2    0    8G  0 part [SWAP] 
└─sda3   8:3    0 38.1G  0 part / 
sdb      8:16   0   47G  0 disk >>>>> the disk is detected as /dev/sdb 
├─sdb1   8:17   0  512M  0 part >>>>> Boot partition 
├─sdb2   8:18   0    8G  0 part 
└─sdb3   8:19   0 38.1G  0 part >>>>> Root partition

[opc@jay ~]$

7. Mount the root partition on the broken disk on the temporary directory.

# mkdir /recovery 
# mount /dev/sdb3 /recovery

• You might need to specify -o nouuid for some OS.

8. Analyze the logs and perform the recovery steps.


You have access to root volume of the broken instance under /recovery directory. You may now check the logs on the broken instance and apply the fixes accordingly.

• For ssh issues, I suggest checking logs under /recovery/var/log/secure (For RHEL/OEL/CentOS), /recovery/var/log/auth.log (Debian/Ubuntu).
• You can add a pubic key to the opc using by appending the key to file /recovery//home/opc/.ssh/authorized_keys file.
• For boot issues, check /recovery/var/log/boot.log, /recovery/var/log/messages, /recovery/var/log/dmesg log files.
• You can check and update the fstab entries here: /recovery/etc/fstab.

Once the recovery processes are done, you may proceed to detach the volume and attach it back to the original instance as boot volume.
 

12. If you have attached the volume as iSCSI volume, logout from the iSCSI session using the commands available in the OCI console.
 

13. Detach the volume from the OCI console [3].
 

14. Attach the volume back to the original instance as boot volume.
    - Select the instance from the OCI Compute Console.
    - Select 'Boot Volume' from the Resources.
    - Click the '...' on the boot volume (it should be the same volume we detached earlier).
    - Select 'Attach'.
 

15. Start the instance.

16. Check if the issue has been fixed, if not you need to redo the above process to check the logs again and try to fix it.
 

17. Once the issue is fixed, you may terminate the recovery instance (if it was created for this troubleshooting).

More Information

[1] Detach Boot Volume: https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Tasks/detachingabootvolume.htm
[2] Connecting to a Volume: https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Tasks/connectingtoavolume.htm
[3] Disconnecting From a Volume: https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Tasks/disconnectingfromavolume.htm
[4] Attaching a Boot Volume https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Tasks/attachingabootvolume.htm

Pacemaker Cluster on OCI

Keepalived Configuration:

[root@vip1 ~]# cat /etc/redhat-release

CentOS release 6.9 (Final)

Simple Keepalived Configuration:

[root@vip1 keepalived]# cat /etc/keepalived/keepalived.conf

global_defs {

   notification_email {

     root@localhost

   }

   notification_email_from svr1@localhost

   smtp_server localhost

   smtp_connect_timeout 30

}

vrrp_instance VRRP1 {

#    debug 2

    state MASTER

#   Specify the network interface to which the virtual address is assigned

    interface eth0

#   The virtual router ID must be unique to each VRRP instance that you define

    virtual_router_id 41

    unicast_src_ip 10.0.0.3

    unicast_peer {

10.0.0.4

    }

#   Set the value of priority higher on the master server than on a backup server

    priority 200

    advert_int 1

    authentication {

        auth_type PASS

        auth_pass 1066

    }

    virtual_ipaddress {

        10.0.0.100/24

    }

    nopreempt

    notify_master /etc/keepalived/vip.sh

}

[root@vip1 keepalived]#

[root@vip1 keepalived]# cat vip.sh

VNIC=ocid1.vnic.oc1.phx.abyhqljstoq64rxxkzl4yf3f6jixbckjhtxkf22i5znfpqxi2aasqyxltsda

/root/bin/oci network vnic assign-private-ip --vnic-id $VNIC --ip-address 10.0.0.100 --unassign-if-already-assigned --region us-phoenix-1

—> Need Update

[root@vip1 keepalived]# cat keepalived.conf

global_defs {

   notification_email {

     root@localhost

   }

   notification_email_from svr1@localhost

   smtp_server localhost

   smtp_connect_timeout 30

}

vrrp_script chk_httpd {

    script "pidof httpd"

    interval 2

}

vrrp_instance VRRP1 {

#    debug 2

    state MASTER

#   Specify the network interface to which the virtual address is assigned

    interface eth0

#   The virtual router ID must be unique to each VRRP instance that you define

    virtual_router_id 41

    unicast_src_ip 10.0.0.3 # Private IP

    unicast_peer {

10.0.0.4 # Peer IP

    }

#   Set the value of priority higher on the master server than on a backup server

    priority 200

    advert_int 1

    authentication {

        auth_type PASS

        auth_pass 1066

    }

    track_script {

        chk_httpd

    }

    virtual_ipaddress {

        10.0.0.100/24

    }

    nopreempt

    notify_master /etc/keepalived/vip.sh

}

virtual_server 10.0.0.100 80 {

    delay_loop 6

    lb_algo wrr

    lb_kind DR

    nat_mask 255.255.255.0

    persistence_timeout 50

    protocol TCP

real_server 10.0.0.3 80 {

    weight 1

    #notify_down /etc/keepalived/check_httpd.sh

#    

# Health Check

    TCP_CHECK {

        connect_timeout 10

        nb_get_retry 3

        connect_port 80

}

}   

}

[root@vip1 keepalived]

[root@vip1 keepalived]# cat check_httpd.sh

#!/bin/bash

VNIC=ocid1.vnic.oc1.phx.abyhqljsmtjaqvakuivgjqs4fd3rltx2uc2epwicrj6j52fuzaopbgbcs33q

/root/bin/oci network vnic assign-private-ip --vnic-id $VNIC --ip-address 10.0.0.100 --unassign-if-already-assigned --region us-phoenix-1

Logs from Slave node which transitions to master.

[root@vip2 ~]# tail -50  /var/log/messages

Jun 30 09:47:28 vip2 Keepalived[2379]: Starting Keepalived v1.2.13 (03/19,2015)

Jun 30 09:47:28 vip2 Keepalived[2380]: Starting Healthcheck child process, pid=2381

Jun 30 09:47:28 vip2 Keepalived[2380]: Starting VRRP child process, pid=2382

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Netlink reflector reports IP 10.0.0.4 added

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Netlink reflector reports IP fe80::200:17ff:fe01:4eae added

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Registering Kernel netlink reflector

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Registering Kernel netlink command channel

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Registering gratuitous ARP shared channel

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Opening file '/etc/keepalived/keepalived.conf'.

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Configuration is using : 66719 Bytes

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: Using LinkWatch kernel netlink reflector...

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) Entering BACKUP STATE

Jun 30 09:47:28 vip2 Keepalived_vrrp[2382]: VRRP sockpool: [ifindex(2), proto(112), unicast(1), fd(10,11)]

Jun 30 09:47:29 vip2 Keepalived_vrrp[2382]: VRRP_Script(chk_httpd) succeeded

Jun 30 09:47:29 vip2 kernel: IPVS: Registered protocols (TCP, UDP, SCTP, AH, ESP)

Jun 30 09:47:29 vip2 kernel: IPVS: Connection hash table configured (size=4096, memory=64Kbytes)

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Netlink reflector reports IP 10.0.0.4 added

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Netlink reflector reports IP fe80::200:17ff:fe01:4eae added

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Registering Kernel netlink reflector

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Registering Kernel netlink command channel

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Opening file '/etc/keepalived/keepalived.conf'.

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Configuration is using : 11990 Bytes

Jun 30 09:47:29 vip2 kernel: IPVS: ipvs loaded.

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Using LinkWatch kernel netlink reflector...

Jun 30 09:47:29 vip2 Keepalived_healthcheckers[2381]: Activating healthchecker for service [10.0.0.4]:80

Jun 30 09:47:29 vip2 kernel: IPVS: [wrr] scheduler registered.

Jun 30 09:50:42 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) Transition to MASTER STATE

Jun 30 09:50:43 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) Entering MASTER STATE

Jun 30 09:50:43 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) setting protocol VIPs.

Jun 30 09:50:43 vip2 Keepalived_healthcheckers[2381]: Netlink reflector reports IP 10.0.0.100 added

Jun 30 09:50:43 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) Sending gratuitous ARPs on eth0 for 10.0.0.100

Jun 30 09:50:44 vip2 ntpd[2238]: Listen normally on 6 eth0 10.0.0.100 UDP 123

Jun 30 09:50:48 vip2 Keepalived_vrrp[2382]: VRRP_Instance(VRRP1) Sending gratuitous ARPs on eth0 for 10.0.0.100

---

Pacemaker Corosync

1. Install Cluster packages:

#  yum install -y pacemaker pcs psmisc policycoreutils-python

2. Setup firewall:

# firewall-cmd --permanent --add-service=high-availability --add-service=http --add-service=https

# firewall-cmd --reload

Ports required to be opened:

TCP ports 2224, 3121, and 21064, and UDP port 5405.

3. Start pcs daemon:

# systemctl start pcsd.service

# systemctl enable pcsd.service

ln -s '/usr/lib/systemd/system/pcsd.service' '/etc/systemd/system/multi-user.target.wants/pcsd.service’

4. Setup password for user hacluster:

# echo | passed --stdin hacluster

5. Configure Corosync:

On one of the nodes:

# pcs cluster auth node1 node2

Username: hacluster

Password:

node1: Authorized

node2: Authorized

# pcs cluster setup --name mycluster node1 node2

Shutting down pacemaker/corosync services...

Redirecting to /bin/systemctl stop  pacemaker.service

Redirecting to /bin/systemctl stop  corosync.service

Killing any remaining services...

Removing all cluster configuration files...

node1: Succeeded

node2: Succeeded

Start the cluster:

# pcs cluster start --all

node1: Starting Cluster...

node2: Starting Cluster...

[root@node1 ~]# corosync-cfgtool -s

Printing ring status.

Local node ID 1

RING ID 0

    id    = 10.0.0.12

    status    = ring 0 active with no faults

[root@node1 ~]# corosync-cmapctl  | grep members

runtime.totem.pg.mrp.srp.members.1.config_version (u64) = 0

runtime.totem.pg.mrp.srp.members.1.ip (str) = r(0) ip(10.0.0.12)

runtime.totem.pg.mrp.srp.members.1.join_count (u32) = 1

runtime.totem.pg.mrp.srp.members.1.status (str) = joined

runtime.totem.pg.mrp.srp.members.2.config_version (u64) = 0

runtime.totem.pg.mrp.srp.members.2.ip (str) = r(0) ip(10.0.0.14)

runtime.totem.pg.mrp.srp.members.2.join_count (u32) = 1

runtime.totem.pg.mrp.srp.members.2.status (str) = joined

[root@node1 ~]#

6. Disable Stonith:

# pcs property set stonith-enabled=false

# crm_verify -L -V

7. Add Floating IP:

Update IPaddr2 resource so that it will reassign Private IP on the OCI infrastructure as well.

sudo sed -i '64i\##### OCI vNIC variables\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '65i\server="`hostname -s`"\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '66i\node1vnic="ocid1.vnic.oc1.phx.abyhqljs2qwsjkgsi7ujg735xig3xfnq2w5h2slvl33lqw24wn5rtjpfqvia"\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '67i\node2vnic="ocid1.vnic.oc1.phx.abyhqljs6qpbs6w5peguzucokmx3eh6wvu7jauxwntsgz5zj2krfgrgzclzq"\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '68i\vnicip="10.0.0.200"\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '614i\##### OCI/IPaddr Integration\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '615i\        if [ $server = "node1" ]; then\' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '616i\                /root/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $node1vnic  --ip-address $vnicip \' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '617i\        else \' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '618i\                /root/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $node2vnic  --ip-address $vnicip \' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

sudo sed -i '619i\        fi \' /usr/lib/ocf/resource.d/heartbeat/IPaddr2

---

Updated IPaddr2 resource should contain 

[root@node2 ~]# grep -A5 OCI  /usr/lib/ocf/resource.d/heartbeat/IPaddr2

##### OCI vNIC variables

server="`hostname -s`"

node1vnic=“<Node1 VNIC OCID>"

node2vnic=“"

vnicip=“"

--

##### OCI/IPaddr Integration

        if [ $server = "node1" ]; then

                /root/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $node1vnic  --ip-address $vnicip

        else

                /root/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $node2vnic  --ip-address $vnicip

        fi

8. Setup Floating IP:

[root@node1 ~]# pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=10.0.0.200 cidr_netmask=32 op monitor interval=30s

9. Specify resource stickiness:

# pcs resource defaults resource-stickiness=100

# pcs resource defaults

resource-stickiness: 100

10. Setup Nginx:

# yum install nginx

[root@node1 ~]# cat /usr/share/nginx/html/index.html

This is NODE1

Status page:

[root@node1 ~]# cat /usr/share/nginx/html/nginx_status

node1 is alive.

# cat /etc/nginx/default.d/status.conf

location ^~ /nginx_status {

    allow 127.0.0.1;

    deny all;

}

[root@node1 ~]# cat /etc/nginx/nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {

    worker_connections 1024;

}

http {

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;

    tcp_nopush          on;

    tcp_nodelay         on;

    keepalive_timeout   65;

    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;

    default_type        application/octet-stream;

#    include /etc/nginx/conf.d/*.conf;

    server {

        listen       80 default_server;

        listen       [::]:80 default_server;

        server_name  _;

        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.

        include /etc/nginx/default.d/*.conf;

        location / {

        }

        error_page 404 /404.html;

            location = /40x.html {

        }

        error_page 500 502 503 504 /50x.html;

            location = /50x.html {

        }

}

11. Setup Nginx resource

[root@node1 ~]# pcs resource create webserver ocf:heartbeat:nginx configfile=/etc/nginx/nginx.conf status10url="http://localhost/nginx_status" status10regex="node[1-9] is alive." op monitor timeout="30s" interval="10s" op start timeout="40s" interval="0" op stop timeout="60s" interval="0"

[root@node1 ~]#

[root@node1 ~]# pcs resource

ClusterIP    (ocf::heartbeat:IPaddr2):    Started node2

webserver    (ocf::heartbeat:nginx):    Started node1

12. Create colocation constraint so that web server resource sticks with ClusterIP:

[root@node1 ~]# pcs constraint colocation add webserver with ClusterIP INFINITY

13. Setup resource startup order:

[root@node1 ~]# pcs constraint order ClusterIP then webserver

Adding ClusterIP webserver (kind: Mandatory) (Options: first-action=start then-action=start)

[root@node1 ~]# pcs status

Cluster name: mycluster

Stack: corosync

Current DC: node2 (version 1.1.18-11.el7_5.2-2b07d5c5a9) - partition with quorum

Last updated: Sat Jun 30 16:23:40 2018

Last change: Sat Jun 30 15:51:20 2018 by root via crm_resource on node2

2 nodes configured

2 resources configured

Online: [ node1 node2 ]

Full list of resources:

ClusterIP    (ocf::heartbeat:IPaddr2):    Started node2

webserver    (ocf::heartbeat:nginx):    Started node2

Daemon Status:

  corosync: active/disabled

  pacemaker: active/disabled

  pcsd: active/enabled

[root@node1 ~]# pcs constraint

Location Constraints:

  Resource: webserver

    Enabled on: node2 (score:INFINITY) (role: Started)

Ordering Constraints:

  start ClusterIP then start webserver (kind:Mandatory)

Colocation Constraints:

  webserver with ClusterIP (score:INFINITY)

Ticket Constraints: 

 

 

 

How to view httpd.conf file or any config files in Linux without coments

Hello,

Have you ever wondered how to view the Linux configurations files without those comments? Well those comments are indeed helpful, but think about configuration files such as httpd.conf and squid.conf files. These files have good amount of commented lines.

The issue with the httpd.conf file in particular is that not all commented lines starts with #. Some commented lines start after a tab.

Example:

# Further relax access to the default document root:

    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

You could remove those tabbed comments as well using "sed" or using "egrep" with proper Regex.


# egrep -v "^$|*#" /etc/httpd/conf/httpd.conf

Or

# sed '/ *#/d; /^ *$/d' /etc/httpd/conf/httpd.conf


Hope this helps.

Regards,
Jay

Automatically encrypt Ephemeral volumes on AWS EC2 instances

Encrypting Data at rest if mandatory requirement compliance regulations such as PCI DSS and HIPAA. EBS, S3 has an option to encrypt the data stored in it. However, Instance Store volumes which provides temporary block level storage does have an option to encrypt the data stored in it. Customers need to use configure encryption using tools like dm-crypt.

Lets see how to automate encrypting the ephemeral volumes for Instance Store volumes on EC2 instances. I have written a user-data script which takes care of all the encryption setups.

The script will do the below to make it seamless for the customer:

- When you launch an instance or change the instance type, the script automatically detects the Ephemeral disks available to the instance type, setup encryption and make them available.

- Automatically installs the required packages for encryption if its not installed.

- The script also takes care of encryption in case of instance reboot or stop/start.

- The user-data script automatically take care of Stop/Start, Reboots and instance re-size.

- After stop/start you will lose all the data and configuration on the ephemeral volumes. This is expected, the user-data script will automatically detect this and setup encryption  on the new disks and mounts it.

- When the instance is rebooted, the data persists. On a reboot we just need to decrypt the filesystem and mount it.

- The user data script will encrypt the volume and create a filesystem if its not already encrypted (These actions will be taken if you launch a fresh instance with this user-data or when you do a stop & start of your instance).

Now, if the volumes are already encrypted (this will happen on an instance reboot), the script will simply initialize the encrypted volume and mount it on the respective directory.

- The script will encrypt all the ephemeral volumes, create EXT4 filesystem and mount them under /encrypted_X (X being the last letter of the device name of the NVMe device name).
You may change the filesystem type, mount point as per your requirement, but you will need to update the logic to map volumes to correct mount point on the script.

- The encryption key/passphrase used is encrypted using AWS KMS and kept in a file in your S3 bucket. This is a one time setup and you could use the same encrypted passphrase file for your future installations. Instance need to be attached with an IAM instance profile with permission to download files from the S3 bucket.









Here are the step by step instructions:
1. Create an S3 Bucket for storing encrypted password file (or use an existing bucket in your account).

2. Create a IAM policy with the below policy document, this policy is going to be used for instance profile to allow it download the password file from s3 bucket:

Sign in to the AWS Management Console and navigate to the IAM console: https://console.aws.amazon.com/iam/home?region=us-east-1#/home
In the navigation pane, choose Policies, choose Create Policy, select Create Your Own Policy, name and describe the policy, and paste the following policy. Choose Create Policy.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1478729875000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::/LuksInternalStorageKey"
            ]
        }
    ]
}

 

---> Replace with the one you created/selected in step 1.



3. Create an EC2 role with the above policy.

In the IAM console, choose Roles, and then choose Create New Role.
In Step 1: Role Name, type your role name, and choose Next Step.
In Step 2: Select Role Type, choose Amazon EC2 and choose Next Step.
In Step 3: Established Trust, choose Next Step.
In Step 4: Attach Policy, choose the policy you created in Step 1

4. Create a KMS Key and add usage permission for the role you created above from the KMS console: https://console.aws.amazon.com/iam/home?region=us-east-1#/encryptionKeys/us-east-1
Step 1: Click ‘Create key’.
Step 2: Provide an Alias and Description.
Step 3: Add IAM role you created above as Key user under - ‘Define Key Usage Permissions’.

5. Create a secret password, encrypt it with KMS and store it in S3.

# aws --region us-east-1 kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey

--> Replace 'alias/EncFSForEC2InternalStorageKey' with the id of the KMS key you created above. The IAM user as which you run the above command should have permission to access the KMS key as well.
—> You should also replace the string “ThisIs-a-SecretPassword" with some strong passphrase.

6. Upload the encrypted key file to S3.

# aws s3 cp LuksInternalStorageKey s3:///LuksInternalStorageKey

7. Add the below userdata script to your instance at launch time. You can add/modify the user-data on a stopped instance as well.

I3, F1 instance type provides NVMe based instance store volumes and those disks are detected as /dev/nvmeXn1, X being the NVMe device number. Other instance types provides HDD/SSD based instance store volumes which gets detected as /dev/sdX. The user-data script detect the device names from EC2 meta-data in case of HDD/SSD and using nvme tool in case of NVMe based disks. I have written separate user data script for these volume types.

Use - user-data_NVMe_InstanceStore.txt for I3, F1 instances with NVMe disks.
Use - user-data_InstanceStore.txt for other instance types.

8. Once the instance is launched, you need to update the cloud-init configuration to make sure the user data runs every time the instance boots.

On Amazon Linux AMI based instances:
# sed -i 's/scripts-user/[scripts-user, always]/' /etc/cloud/cloud.cfg.d/00_defaults.cfg

On RHEL/CentOS instances:
# sed -i 's/scripts-user/[scripts-user, always]/' /etc/cloud/cloud.cfg


9. On Amazon Linux AMI instances, you might need disable crypt module on boot time to make sure the encrypted filesystems are not detected on the early boot stages:
# sed -i 's/#omit_dracutmodules+=""/omit_dracutmodules+="crypt"/' /etc/dracut.conf
# dracut --force
 

User Data Scripts:

-- user-data_InstanceStore.txt

#!/bin/bash

REGION=
S3_Bucket=

# Install required packages if not installed
[ $(which unzip) ] || yum -y install unzip
[ $(which aws) ] || "$(/usr/bin/curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" ; /usr/bin/unzip -o awscli-bundle.zip; ./awscli-bundle/install -b /usr/bin/aws ; rm -rf /awscli-bundle*)"
[ $(which cryptsetup) ] || yum install -y cryptsetup

# Get the encrypted password file from s3
/usr/bin/aws s3 cp s3://${S3_Bucket}/LuksInternalStorageKey .
# Decrypt and store the passphrase in a variable
LuksClearTextKey=$(/usr/bin/aws --region {REGION} kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)

for ephemeral in $(curl -s http://169.254.169.254/latest/meta-data/block-device-mapping/ |grep ephemeral)
do
DEV=$(curl -s http://169.254.169.254/latest/meta-data/block-device-mapping/$ephemeral |sed 's/s/\/dev\/xv/g')
DEV_1=`echo "${DEV: -1}"`

[ "$(/bin/mount | grep -i ${DEV})" ] && /bin/umount ${DEV}

TYPE=`/usr/bin/file -sL ${DEV} | awk '{print $2}'`

if [ $TYPE == "LUKS" ]
then
    # Open and initialize the encryped volume
    /bin/echo "$LuksClearTextKey" | /sbin/cryptsetup luksOpen ${DEV} encfs_${DEV_1}
    # Check and create mount point if not exists
    [ -d /encrypted_${DEV_1} ] || /bin/mkdir /encrypted_${DEV_1}
    # Mount the filsystem
    /bin/mount /dev/mapper/encfs_${DEV_1} /encrypted_${DEV_1}
else
     # Encrypt the volume sub
     /bin/echo "$LuksClearTextKey" | cryptsetup -y luksFormat ${DEV}
     # Open and initialize the encryped volume
    /bin/echo "$LuksClearTextKey" | cryptsetup luksOpen ${DEV} encfs_${DEV_1}
    # create a filesystem on the encrypted volume, mount it on the required directory
    /sbin/mkfs.ext4 /dev/mapper/encfs_${DEV_1}
    [ -d /encrypted_${DEV_1} ] || /bin/mkdir /encrypted_${DEV_1}
    /bin/mount /dev/mapper/encfs_${DEV_1} /encrypted_${DEV_1}
fi
done
# Unset the passphrase variable and remove the encrypted password file.
unset LuksInternalStorageKey
rm LuksInternalStorageKey

-- user-data_NVMe_InstanceStore.txt

#!/bin/bash

#set -x

REGION=
S3_Bucket=

# Install required packages if not installed
[ $(which unzip) ] || yum install -y zip unzip
[ $(which python) ] || yum install -y python
[ $(which aws) ] || "$(/usr/bin/curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" ; /usr/bin/unzip -o awscli-bundle.zip; ./awscli-bundle/install -b /usr/bin/aws ; rm -rf /awscli-bundle*)"
[ "$(which cryptsetup)" ] || yum install -y cryptsetup
[ "$(which nvme)" ] || yum install -y nvme-cli

# Get the encrypted password file from s3
/usr/bin/aws s3 cp s3://${S3_Bucket}/LuksInternalStorageKey .
# Decrypt and store the passphrase in a variable
LuksClearTextKey=$(/usr/bin/aws --region ${REGION} kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)

for ephemeral in $(nvme list | grep dev | awk {'print $1'})
do
DEV_1=$(echo "${ephemeral:9:1}")

[ "$(/bin/mount | grep -i ${ephemeral})" ] && /bin/umount ${ephemeral}

TYPE=`/usr/bin/file -sL ${ephemeral} | awk '{print $2}'`

if [ $TYPE == "LUKS" ]
then
    # Open and initialize the encryped volume
    /bin/echo "$LuksClearTextKey" | /sbin/cryptsetup luksOpen ${ephemeral} encfs_${DEV_1}
    # Check and create mount point if not exists
    [ -d /encrypted_${DEV_1} ] || /bin/mkdir /encrypted_${DEV_1}
    # Mount the filsystem
    /bin/mount /dev/mapper/encfs_${DEV_1} /encrypted_${DEV_1}
else
     # Encrypt the volume sub
     /bin/echo "$LuksClearTextKey" | cryptsetup -y luksFormat ${ephemeral}
     # Open and initialize the encryped volume
    /bin/echo "$LuksClearTextKey" | cryptsetup luksOpen ${ephemeral} encfs_${DEV_1}
    # create a filesystem on the encrypted volume, mount it on the required directory
    /sbin/mkfs.ext4 /dev/mapper/encfs_${DEV_1}
    [ -d /encrypted_${DEV_1} ] || /bin/mkdir /encrypted_${DEV_1}
    /bin/mount /dev/mapper/encfs_${DEV_1} /encrypted_${DEV_1}
fi
done
# Unset the passphrase variable and remove the encrypted password file.
unset LuksInternalStorageKey
rm LuksInternalStorageKey

Regards,
Jay