Star Matching Table in Tamil – for Boys & Girls

[Tamil table text not recoverable: the page's characters were lost to mis-encoding]

xfs centos 7

Environment:

    [root@oel7 ~]# uname -a
    Linux oel7.localdomain 3.8.13-55.1.6.el7uek.x86_64 #2 SMP Wed Feb 11 14:18:22 PST 2015 x86_64 x86_64 x86_64 GNU/Linux

Steps:

    1)  [root@oel7 ~]# df -h
    Filesystem                         Size  Used Avail Use% Mounted on
    /dev/mapper/root_vg-root           5.0G  4.5G  548M  90% /

    2)   

PV /dev/sda2   VG root_vg     lvm2 [6.00 GiB / 0    free]

    The volume group root_vg has no free space left, so the VG has to be extended first.

    3)  [root@oel7 ~]# vgextend root_vg /dev/sdb5

      Volume group "root_vg" successfully extended

    4)  [root@oel7 ~]# pvscan

        PV /dev/sda2   VG root_vg     lvm2 [6.00 GiB / 0    free]
        PV /dev/sdb5   VG root_vg     lvm2 [2.00 GiB / 2.00 GiB free]

    5)  Now extend the logical volume 

    [root@oel7 ~]# lvextend -L +1G /dev/root_vg/root
      Size of logical volume root_vg/root changed from 5.00 GiB (1280 extents) to 6.00 GiB (1536 extents).
      Logical volume root successfully resized

    6)  [root@oel7 ~]# resize2fs /dev/root_vg/root

    resize2fs 1.42.9 (28-Dec-2013)
    resize2fs: Bad magic number in super-block while trying to open /dev/root_vg/root
    Couldn't find valid filesystem superblock.

    The root partition is not an ext* filesystem, so resize2fs cannot resize it.

    7)  To check the filesystem type of a partition:

    [root@oel7 ~]# df -Th
    Filesystem                        Type      Size  Used Avail Use% Mounted on
    /dev/mapper/root_vg-root          xfs       6.0G  4.5G  1.6G  75% /
    devtmpfs                          devtmpfs  481M     0  481M   0% /dev
    tmpfs                             tmpfs     491M   80K  491M   1% /dev/shm
    tmpfs                             tmpfs     491M  7.1M  484M   2% /run
    tmpfs                             tmpfs     491M     0  491M   0% /sys/fs/cgroup
    /dev/mapper/data_vg-home          xfs       3.5G  2.9G  620M  83% /home
    /dev/sda1                         xfs       497M  132M  365M  27% /boot
    /dev/mapper/data_vg01-data_lv001  ext3      4.0G  2.4G  1.5G  62% /sybase
    /dev/mapper/data_vg02-backup_lv01 ext3      4.0G  806M  3.0G  22% /backup

    The output shows that / is an XFS filesystem, so xfs_growfs is the command needed to grow it.

    8)  [root@oel7 ~]# xfs_growfs /dev/root_vg/root

    meta-data=/dev/mapper/root_vg-root isize=256    agcount=4, agsize=327680 blks
             =                       sectsz=512   attr=2, projid32bit=1
             =                       crc=0        finobt=0
    data     =                       bsize=4096   blocks=1310720, imaxpct=25
             =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
    log      =internal               bsize=4096   blocks=2560, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=1
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    data blocks changed from 1310720 to 1572864

    [root@oel7 ~]# df -Th
    Filesystem                        Type      Size  Used Avail Use% Mounted on
    /dev/mapper/root_vg-root          xfs       6.0G  4.5G  1.6G  75% /
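The failure in step 6 comes from running the ext* tool on an XFS volume. The script below is an added example (not from the original post) that checks the filesystem type before choosing the grow tool and then wraps the whole vgextend / lvextend / grow sequence in one function. It assumes util-linux (lsblk), e2fsprogs and xfsprogs are installed; here xfs_growfs is given the mount point, which every xfsprogs version accepts (the post passes the device path, which newer versions also accept).

```shell
#!/bin/sh
# Added example, not from the original post: pick the right grow tool for a
# logical volume by checking its filesystem type first. resize2fs only
# understands ext2/3/4 and fails on XFS with "Bad magic number in super-block";
# XFS is grown with xfs_growfs instead.

# Map a filesystem type to the command that grows it online.
# Prints the command line; returns 1 for a type this script does not handle.
grow_cmd_for() {
    fstype=$1
    dev=$2
    mnt=$3
    case "$fstype" in
        ext2|ext3|ext4) printf 'resize2fs %s\n' "$dev" ;;
        xfs)            printf 'xfs_growfs %s\n' "$mnt" ;;   # takes the mount point
        *)              printf 'unsupported filesystem type: %s\n' "$fstype" >&2
                        return 1 ;;
    esac
}

# Grow the filesystem on DEV after lvextend has enlarged the LV.
# lsblk reads the type from the on-disk superblock, so a misleading LV name
# cannot send the wrong tool at the volume.
grow_fs() {
    dev=$1
    fstype=$(lsblk -no FSTYPE "$dev") || return 1
    mnt=$(lsblk -no MOUNTPOINT "$dev")
    [ -n "$fstype" ] || { echo "no filesystem found on $dev" >&2; return 1; }
    cmd=$(grow_cmd_for "$fstype" "$dev" "$mnt") || return 1
    echo "+ $cmd"
    $cmd
}

# The post's procedure as one function: add a PV to the VG, extend the LV by
# SIZE (e.g. +1G), then grow whatever filesystem is on the LV.
extend_lv() {
    vg=$1; new_pv=$2; lv=$3; size=$4
    vgextend "$vg" "$new_pv" &&
    lvextend -L "$size" "$lv" &&
    grow_fs "$lv"
}

# Only runs when explicitly requested, so the functions can be sourced safely:
#   DO_RUN=1 sh grow.sh
if [ "${DO_RUN:-}" = 1 ]; then
    extend_lv root_vg /dev/sdb5 /dev/root_vg/root +1G
fi
```

grow_cmd_for is kept separate from grow_fs so the device-to-tool decision can be checked without a real LVM setup; grow_fs refuses to run anything when lsblk reports no filesystem, which is the case right after a fresh lvcreate.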

HOW TO MOVE AWS EC2 INSTANCE FROM ONE ACCOUNT TO ANOTHER

What is Amazon AMI?
An Amazon Machine Image (AMI) is a pre-configured image of an operating system and application software that is used to create a virtual machine within the Amazon Elastic Compute Cloud (EC2). It is the basic unit of deployment for services delivered on EC2.
See https://aws.amazon.com/amis for more details.
Log in to the AWS console of the account from which you want to move the instance and open the “Instances” pane. Right-click the instance to be moved and choose “Create Image (EBS AMI)”. You will then see a status message saying that the request has been received and the image is being created.
Enter the account ID of the AWS account to which you want to expose this AMI. To find the account ID, see “My Account / console > Security Credentials”.
Now switch to the other account’s AWS console and open the “Instances” pane. Click the “Launch Instance” button, follow the “Classic wizard”, and on the “Community AMIs” tab search for the AMI ID. A sample ID looks like “ami-abcd1234”.
Tip: if the AMI does not show up in the search results, repeat the steps, or, as a last resort, change the AMI permission to Public.
Once the AMI is listed, continue with the usual instance-launch steps. In a few minutes the server will be up and running.
In my case the instance I had to move ran a Drupal site on an Ubuntu web server.
As a follow-up I had to open the HTTP, SSH and other needed ports, create an Elastic IP and bind it to the newly launched instance.
Finally, from the domain registrar’s admin panel, I changed the DNS settings to use the new Elastic IP.
With this approach, in less than a couple of hours I was able to switch my server from one account to another and have it running as expected, with minimal downtime.
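The same hand-over can be scripted with the AWS CLI. The script below is an added example, not part of the original post; it assumes the AWS CLI is installed and that the two accounts' credentials are configured as the named profiles "source" and "target" (both names are assumptions), and the instance id, image name, target account id, region, instance type and key pair are placeholders. The launch-permission step is the one that matters for safety: sharing with one account id, rather than making the image Public as the tip above suggests as a last resort, keeps the root disk (SSH host keys, application secrets, shell history) away from every other AWS customer.

```shell
#!/bin/sh
# Added example (not from the original post): the AMI hand-over driven from
# the AWS CLI instead of the console. Profiles "source" and "target" and all
# ids below are assumptions/placeholders.

# The launch-permission argument that shares an AMI with exactly one account
# id: the CLI form of the console's "enter the account id" step.
launch_permission_arg() {
    printf 'Add=[{UserId=%s}]' "$1"
}

# Create an image of a running instance in the source account and print the
# new AMI id ("Create Image" in the console).
create_ami() {
    instance=$1; name=$2; region=$3
    aws ec2 create-image --profile source --region "$region" \
        --instance-id "$instance" --name "$name" \
        --query ImageId --output text
}

# Wait until the image is usable, then grant launch permission to the target
# account only (never Public: the image is the whole root disk).
share_ami() {
    ami=$1; target_account=$2; region=$3
    aws ec2 wait image-available --profile source --region "$region" --image-ids "$ami"
    aws ec2 modify-image-attribute --profile source --region "$region" \
        --image-id "$ami" --launch-permission "$(launch_permission_arg "$target_account")"
}

# In the target account, confirm the shared AMI is visible, then launch from
# it (the wizard's search for the AMI id, done with run-instances).
launch_in_target() {
    ami=$1; region=$2; instance_type=$3; key_pair=$4
    aws ec2 describe-images --profile target --region "$region" \
        --image-ids "$ami" --query 'Images[0].ImageId' --output text >/dev/null || return 1
    aws ec2 run-instances --profile target --region "$region" \
        --image-id "$ami" --instance-type "$instance_type" --key-name "$key_pair" \
        --query 'Instances[0].InstanceId' --output text
}

# Full hand-over: image, share, launch.
move_instance() {
    region=$1; instance=$2; target_account=$3; instance_type=$4; key_pair=$5
    ami=$(create_ami "$instance" "moved-$(date +%Y%m%d)" "$region") || return 1
    share_ami "$ami" "$target_account" "$region" || return 1
    launch_in_target "$ami" "$region" "$instance_type" "$key_pair"
}

# Runs only when DO_RUN=1 is set, so the functions can be sourced without
# touching AWS. Placeholder values: replace before use.
if [ "${DO_RUN:-}" = 1 ]; then
    move_instance eu-west-1 i-0123456789abcdef0 123456789012 t3.small my-keypair
fi
```

After the new instance is up, the Elastic IP, security-group ports and DNS change described above still have to be done in the target account; the source AMI's launch permission can be removed again with `modify-image-attribute --launch-permission "Remove=[{UserId=...}]"` once the move is complete.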

Cipher type 2018

Apache

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

nginx

ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, otherwise use TLSv1.2
ssl_prefer_server_ciphers on; 
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s; 
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; 

Lighttpd

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression = "disable"
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Warning

These examples are meant for sysadmins who have done this before (and for sysadmins who are forced to support Windows XP with IE < 9, hence des3cbc), as an easily copy-pastable example, not for newcomers who have no idea what all this means. The settings are very secure, but if you don't know what you are doing you might make your website and subdomains unavailable for a long, long time (see HSTS). Research what you are doing and think before you act. No messing around here, so to speak.
Other suggestions
  • sha256 certificates
  • 4096-bit private key
  • DH pool size larger than 2048 bits:
    openssl dhparam -out dhparams.pem 4096

Other Software

Pull requests for other software welcome

haproxy

global
   ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
   ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend http-in
      mode http
      option httplog
      option forwardfor
      option http-server-close
      option httpclose
      bind 192.0.2.10:80
      redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rspadd X-Frame-Options:\ DENY
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3

Postfix

smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH

Exim

tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *
tls_require_ciphers = AES128+EECDH:AES128+EDH
openssl_options = +no_sslv2 +no_sslv3

ProFTPd

TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1.2
TLSRequired on
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile /etc/proftpd.key

Dovecot

ssl = yes
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
ssl_dh_parameters_length = 4096 # >Dovecot 2.2

Hitch TLS Proxy

ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
prefer-server-ciphers = on

Zarafa

These settings can be set in /etc/zarafa/server.cfg and gateway.cfg.

Medium security

server_ssl_protocols = !SSLv2 !SSLv3
server_ssl_ciphers = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
server_ssl_prefer_server_ciphers = yes or no

High security

server_ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1  # >= Debian 7 / CentOS 7
server_ssl_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
server_ssl_prefer_server_ciphers = yes or no

MySQL

[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
ssl-cipher=AES128+EECDH:AES128+EDH
# replication:
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' REQUIRE SSL;
STOP SLAVE;
CHANGE MASTER TO MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem';
SHOW SLAVE STATUS\G
START SLAVE;
SHOW SLAVE STATUS\G

DirectAdmin

ssl_cipher=AES128+EECDH:AES128+EDH
SSL=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
carootcert=/usr/local/directadmin/conf/carootcert.pem

Postgresql

ssl = on
ssl_ciphers = 'AES128+EECDH:AES128+EDH'
password_encryption = on

OpenSSH Server

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

OpenSSH Client

HashKnownHosts yes
Host github.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
Host *
  ConnectTimeout 30
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  ServerAliveInterval 10
  ControlMaster auto
  ControlPersist yes
  ControlPath ~/.ssh/socket-%r@%h:%p
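Every cipher line above (Apache, nginx, Postfix, Exim, Dovecot, MySQL, PostgreSQL, Zarafa) is an OpenSSL cipher string, and what it enables depends on the local OpenSSL build. The script below is an added example, not part of the original list: `openssl ciphers -v STRING` expands a string into one line per suite (NAME PROTO Kx=.. Au=.. Enc=.. Mac=..), and audit_ciphers reads that format and flags suites without forward secrecy, with RC4/DES/3DES, with an MD5 MAC or with anonymous authentication. Run against the Zarafa "High security" line, which still lists RC4, it reports the RC4 suites on any build that has RC4 compiled in. It assumes the openssl command-line tool for live use; the sample lines are constructed in the same format so the audit can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original cipher list): audit the suites an
# OpenSSL cipher string actually enables, reading `openssl ciphers -v` output.

audit_ciphers() {
    awk '
    NF >= 6 {
        name = $1; kx = $3; au = $4; enc = $5; mac = $6
        sub(/^Kx=/, "", kx); sub(/^Au=/, "", au)
        sub(/^Enc=/, "", enc); sub(/^Mac=/, "", mac)
        problems = ""
        # Only (EC)DHE key exchange gives forward secrecy; TLS 1.3 suites
        # report Kx=any because their key exchange is always ephemeral.
        if (kx != "ECDH" && kx != "DH" && kx != "any")
            problems = problems "no-forward-secrecy(Kx=" kx ") "
        if (enc ~ /^(RC4|3DES|DES|RC2|IDEA|SEED|None)/)
            problems = problems "weak-cipher(" enc ") "
        if (mac == "MD5")
            problems = problems "weak-mac(MD5) "
        if (au == "None")
            problems = problems "anonymous-auth "
        if (problems != "")
            printf "%s\t%s\n", name, problems
    }'
}

# Live check of a cipher string against the local OpenSSL build; prints
# nothing when every enabled suite passes:
#   audit_cipher_string 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
audit_cipher_string() {
    openssl ciphers -v "$1" | audit_ciphers
}

# Constructed sample in `openssl ciphers -v` format: the kind of mix a
# permissive string such as ALL:!aNULL yields on an older build.
SAMPLE_CIPHERS_V='TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

audit_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS_V" | audit_ciphers
}

# Number of flagged suites in the sample: 3 (AES128-SHA has no forward
# secrecy, ECDHE-RSA-RC4-SHA uses RC4, DES-CBC3-SHA has both problems).
count_flagged_sample() {
    audit_sample | wc -l | tr -d ' '
}
```

The CBC suite ECDHE-RSA-AES256-SHA384 is deliberately not flagged: it is what "AES256+EECDH" adds beyond the AEAD suites, and it is forward secret, so the Apache string at the top of this list passes cleanly while the Zarafa "Medium" and "High" strings do not.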

LVM volume space scaling in XFS format in centos7

Originally, on my CentOS 7 virtual machine, I created 2 partitions:

sda1 for /boot
sda2 with 1 volume group “centos” with 5 logical volumes:
/
/home
/var
/tmp
swap

I later noticed that the /home LV was oversized: it was 15GB but only 1.5GB was in use, so I decided to reduce it to 5GB:

# lvreduce -L 5GB /dev/mapper/centos-home

It said successful, so I rebooted.

Upon reboot I was dropped into emergency mode and noticed /home was not listed under df, so I mounted everything in fstab but received an error:

# mount -a
mount: /dev/mapper/centos-home: can't read superblock

So I ran:

# xfs_repair /dev/mapper/centos-home

It gave the same complaint about not being able to read the superblock.

Oddly enough, lvdisplay /dev/mapper/centos-home works and now shows LV Size as 5.00GB, down from 15.00GB, with all the other information listed…

 

This article describes the actual process of adjusting LVM volume space for XFS under CentOS 7.

Goal:

1. Reduce the logical volume /dev/mapper/home from 178G to 10G

2. Give the freed 168G to the logical volume /dev/mapper/root

Process:

1. Back up the important data first: shrinking an XFS volume destroys its data

The backup can be made with xfsdump, or the data can be copied off the machine (not shown here)

2. Unmount the volume /dev/mapper/home

[root@localhost ~]# umount /home

3. Reduce the size of /dev/mapper/home (this step destroys the data on it, see point 1)

[root@localhost ~]# lvreduce -L 5G /dev/mapper/home

WARNING: Reducing active logical volume to 10.00 GiB.

THIS MAY DESTROY YOUR DATA (filesystem etc.)

Do you really want to reduce cl/home? [y/n]:y

Size of logical volume cl/home changed from 178.25 GiB (45633 extents) to 10.00 GiB (2560 extents).

Logical volume cl/home successfully resized.

4. Extend the volume /dev/mapper/root

[root@localhost ~]# lvextend -l +100%FREE /dev/mapper/root

Size of logical volume cl/root changed from 50.00 GiB (12800 extents) to 218.26 GiB (55874 extents).

Logical volume cl/root successfully resized.

5. Grow the XFS filesystem to the new size

[root@localhost ~]# xfs_growfs /dev/mapper/root

6. Re-mount and restore the data

Mounting the reduced volume directly gives an error:

[root@localhost ~]# mount /dev/mapper/home /home/

mount: /dev/mapper/home: can't read superblock

A new filesystem has to be created first:

[root@localhost ~]# mkfs.xfs -f /dev/mapper/home

Mount after formatting:

[root@localhost ~]# mount /dev/mapper/home /home/

Restore the data after mounting

This can be done with xfsrestore or by copying it back manually (see point 1)

 

 

$ lvremove -v /dev/centos/home

This returned the remaining free space to the volume group.

I then used lvextend to extend the root LV:

$ lvextend -L +900G /dev/centos/root

and

$ xfs_growfs /dev/centos/root
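Both accounts above run into the same fact: XFS cannot be shrunk in place, so lvreduce on a volume that still carries an XFS filesystem leaves a superblock that no longer matches the device ("can't read superblock"), and the only recovery is mkfs plus restore. The script below is an added example (not from the original post) that turns the dump / unmount / lvreduce / mkfs.xfs / mount / restore sequence into one function with a pre-flight check that the used data actually fits the target size. It assumes xfsprogs, xfsdump and the LVM tools; the dump directory is a placeholder and must live on a different filesystem than the one being shrunk.

```shell
#!/bin/sh
# Added example (not from the original post): shrink an XFS logical volume
# the only way that keeps the data, with a size check before anything
# destructive runs.

# Does USED_KIB of data fit into TARGET_GIB with 10% headroom?
# Returns 0 if it fits, 1 otherwise. Pure arithmetic, so it can be checked
# without touching any volume.
fits_in_target() {
    used_kib=$1
    target_gib=$2
    target_kib=$(( target_gib * 1024 * 1024 ))
    limit_kib=$(( target_kib - target_kib / 10 ))
    [ "$used_kib" -le "$limit_kib" ]
}

# Used kibibytes on MOUNT, from df in POSIX output format (line 2, field 3).
used_kib_on() {
    df -kP "$1" | awk 'NR == 2 { print $3 }'
}

# Shrink LV (e.g. /dev/centos/home) mounted at MOUNT to TARGET_GIB, keeping
# the data via xfsdump/xfsrestore. Aborts before any destructive step if the
# data would not fit.
shrink_xfs_lv() {
    lv=$1; mnt=$2; target_gib=$3; dump_dir=$4
    used=$(used_kib_on "$mnt") || return 1
    if ! fits_in_target "$used" "$target_gib"; then
        echo "refusing: ${used}K used on $mnt does not fit in ${target_gib}G with headroom" >&2
        return 1
    fi
    dump="$dump_dir/$(basename "$lv").xfsdump"
    # Level-0 dump of the whole filesystem; -L/-M supply the labels xfsdump
    # would otherwise prompt for.
    xfsdump -l 0 -L shrink -M shrink -f "$dump" "$mnt" || return 1
    umount "$mnt"                              || return 1
    lvreduce -y -L "${target_gib}G" "$lv"      || return 1   # data on the LV is gone now
    mkfs.xfs -f "$lv"                          || return 1   # fresh filesystem on the smaller LV
    mount "$lv" "$mnt"                         || return 1
    xfsrestore -f "$dump" "$mnt"                             # bring the data back
}

# Runs only when explicitly requested (placeholder values):
#   DO_RUN=1 sh shrink.sh
if [ "${DO_RUN:-}" = 1 ]; then
    shrink_xfs_lv /dev/centos/home /home 5 /var/tmp/dumps
fi
```

Once shrink_xfs_lv has returned, the freed extents can be handed to the root LV exactly as in the post (lvextend -l +100%FREE followed by xfs_growfs), since growing XFS online is supported.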

CentOS 7.4 MariaDB Galera Cluster

MariaDB Galera cluster installation:
Operating system: CentOS 7.4
Cluster size: 3 nodes
Host information (selinux=disabled and firewalld stopped on all three):
192.168.153.142 node1
192.168.153.143 node2
192.168.153.144 node3

Build steps

1. Host name resolution: all three nodes need these entries
vim /etc/hosts
192.168.153.142 node1
192.168.153.143 node2
192.168.153.144 node3

2. Install the software packages

First method: yum (yum install -y MariaDB-server MariaDB-client galera)
Configure the base yum repository (for example from the mounted ISO) and the MariaDB/Galera repository.
Set up the MariaDB yum source and install (required on all nodes).
Create the repository file:

vi /etc/yum.repos.d/mariadb.repo

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3.5/centos74-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
enabled=0
Installing the galera package needs the dependency boost-program-options.x86_64 (installed directly from the yum repository)

Second method: rpm package installation (all three nodes)
Download the rpm packages from the web: galera-25.3.23-1.rhel7.el7.centos.x86_64.rpm
MariaDB-10.3.5-centos74-x86_64-client.rpm
MariaDB-10.3.5-centos74-x86_64-compat.rpm
MariaDB-10.3.5-centos74-x86_64-common.rpm
MariaDB-10.3.5-centos74-x86_64-server.rpm
rpm -ivh MariaDB-10.3.5-centos74-x86_64-compat.rpm --nodeps
rpm -ivh MariaDB-10.3.5-centos74-x86_64-common.rpm
rpm -ivh MariaDB-10.3.5-centos74-x86_64-client.rpm
yum install -y boost-program-options.x86_64 (resolves the galera dependency)
rpm -ivh galera-25.3.23-1.rhel7.el7.centos.x86_64.rpm
rpm -ivh MariaDB-10.3.5-centos74-x86_64-server.rpm

3. MariaDB initialization (run on all three nodes). After the installation completes, initialize MariaDB (set the root password):
systemctl start mariadb
mysql_secure_installation (set the mysql password as prompted)
systemctl stop mariadb

4. Configure Galera
Configuration file server.cnf on the master node:
vim /etc/my.cnf.d/server.cnf
[galera]
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://192.168.153.142,192.168.153.143,192.168.153.144"
wsrep_node_name=node1
wsrep_node_address=192.168.153.142
binlog_format=ROW
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
wsrep_slave_threads=1
innodb_flush_log_at_trx_commit=0
innodb_buffer_pool_size=120M
wsrep_sst_method=rsync
wsrep_causal_reads=ON
Copy this file to node2 and node3, changing wsrep_node_name and wsrep_node_address to each node's hostname and IP address.

5. Start the cluster service
Bootstrap the MariaDB Galera Cluster on the first node:
[root@node1 ~]# /bin/galera_new_cluster
The remaining two nodes are started with:
[root@node1 ~]# systemctl start mariadb
Check the cluster status (the cluster service uses ports 4567 and 3306):
[root@node1 ~]# netstat -tulpn | grep -e 4567 -e 3306
tcp        0      0 0.0.0.0:4567            0.0.0.0:*               LISTEN      3557/mysqld
tcp6       0      0 :::3306                 :::*                    LISTEN      3557/mysqld

6. Verify the cluster status
On node1, log in to the database and check whether the Galera plugin is enabled:
[root@node1 ~]# mysql -uroot -p
MariaDB [(none)]> show status like "wsrep_ready";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| wsrep_ready   | ON    |
+---------------+-------+
1 row in set (0.004 sec)
Number of machines currently in the cluster:
MariaDB [(none)]> show status like "wsrep_cluster_size";
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| wsrep_cluster_size | 3     |
+--------------------+-------+
1 row in set (0.001 sec)
Full cluster status (## marks explanatory comments):
MariaDB [(none)]> show status like "wsrep%";
+------------------------------+----------------------------------------------------------------+
| Variable_name                | Value                                                          |
+------------------------------+----------------------------------------------------------------+
| wsrep_apply_oooe             | 0.000000                                                       |
| wsrep_apply_oool             | 0.000000                                                       |
| wsrep_apply_window           | 1.000000                                                       |
| wsrep_causal_reads           | 14                                                             |
| wsrep_cert_deps_distance     | 1.200000                                                       |
| wsrep_cert_index_size        | 3                                                              |
| wsrep_cert_interval          | 0.000000                                                       |
| wsrep_cluster_conf_id        | 22                                                             |
| wsrep_cluster_size           | 3                                                              | ## number of cluster members
| wsrep_cluster_state_uuid     | b8ecf355-233a-11e8-825e-bb38179b0eb4                           | ## cluster UUID
| wsrep_cluster_status         | Primary                                                        | ## primary component
| wsrep_commit_oooe            | 0.000000                                                       |
| wsrep_commit_oool            | 0.000000                                                       |
| wsrep_commit_window          | 1.000000                                                       |
| wsrep_connected              | ON                                                             | ## connected to the cluster
| wsrep_desync_count           | 0                                                              |
| wsrep_evs_delayed            |                                                                |
| wsrep_evs_evict_list         |                                                                |
| wsrep_evs_repl_latency       | 0/0/0/0/0                                                      |
| wsrep_evs_state              | OPERATIONAL                                                    |
| wsrep_flow_control_paused    | 0.000000                                                       |
| wsrep_flow_control_paused_ns | 0                                                              |
| wsrep_flow_control_recv      | 0                                                              |
| wsrep_flow_control_sent      | 0                                                              |
| wsrep_gcomm_uuid             | 0eba3aff-2341-11e8-b45a-f277db2349d5                           |
| wsrep_incoming_addresses     | 192.168.153.142:3306,192.168.153.143:3306,192.168.153.144:3306 | ## connected database addresses
| wsrep_last_committed         | 9                                                              | ## last committed transaction
| wsrep_local_bf_aborts        | 0                                                              | ## local transactions aborted by replicated ones
| wsrep_local_cached_downto    | 5                                                              |
| wsrep_local_cert_failures    | 0                                                              | ## local certification failures
| wsrep_local_commits          | 4                                                              | ## locally committed transactions
| wsrep_local_index            | 0                                                              |
| wsrep_local_recv_queue       | 0                                                              |
| wsrep_local_recv_queue_avg   | .057143                                                        |
| wsrep_local_recv_queue_max   | 2                                                              |
| wsrep_local_recv_queue_min   | 0                                                              |
| wsrep_local_replays          | 0                                                              |
| wsrep_local_send_queue       | 0                                                              | ## local send queue length
| wsrep_local_send_queue_avg   | 0.000000                                                       | ## average send queue length over the interval
| wsrep_local_send_queue_max   | 1                                                              |
| wsrep_local_send_queue_min   | 0                                                              |
| wsrep_local_state            | 4                                                              |
| wsrep_local_state_comment    | Synced                                                         |
| wsrep_local_state_uuid       | b8ecf355-233a-11e8-825e-bb38179b0eb4                           | ## cluster state UUID
| wsrep_protocol_version       | 8                                                              |
| wsrep_provider_name          | Galera                                                         |
| wsrep_provider_vendor        | Codership Oy <info@codership.com>                              |
| wsrep_provider_version       | 25.3.23(r3789)                                                 |
| wsrep_ready                  | ON                                                             | ## plugin ready
| wsrep_received               | 35                                                             | ## write-sets received
| wsrep_received_bytes         | 5050                                                           |
| wsrep_repl_data_bytes        | 1022                                                           |
| wsrep_repl_keys              | 14                                                             |
| wsrep_repl_keys_bytes        | 232                                                            |
| wsrep_repl_other_bytes       | 0                                                              |
| wsrep_replicated             | 5                                                              | ## write-sets sent
| wsrep_replicated_bytes       | 1600                                                           | ## bytes of replication data sent
| wsrep_thread_count           | 2                                                              |
+------------------------------+----------------------------------------------------------------+
58 rows in set (0.003 sec)
View the connected hosts:
MariaDB [(none)]> show status like "wsrep_incoming_addresses";
+--------------------------+----------------------------------------------------------------+
| Variable_name            | Value                                                          |
+--------------------------+----------------------------------------------------------------+
| wsrep_incoming_addresses | 192.168.153.142:3306,192.168.153.143:3306,192.168.153.144:3306 |
+--------------------------+----------------------------------------------------------------+
1 row in set (0.002 sec)

7. Test whether the cluster data is synchronized
MariaDB [(none)]> create database lizk;
Query OK, 1 row affected (0.010 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| china              |
| hello              |
| hi                 |
| information_schema |
| lizk               |
| mysql              |
| performance_schema |
| test               |
+--------------------+
8 rows in set (0.001 sec)
The lizk database is visible on the other two nodes as well, so the data is synchronized.

8. Simulating split brain and recovering from it
The following simulates packet loss caused by network jitter: two nodes are cut off from the cluster and split brain occurs. Run on the two nodes 192.168.153.143 and 192.168.153.144:
iptables -A INPUT -p tcp --sport 4567 -j DROP
iptables -A INPUT -p tcp --dport 4567 -j DROP
These two rules block all wsrep replication traffic on port 4567.
Now look at the status on node 192.168.153.142:
MariaDB [(none)]> show status like "ws%";
+------------------------------+--------------------------------------+
| Variable_name                | Value                                |
+------------------------------+--------------------------------------+
| wsrep_apply_oooe             | 0.000000                             |
| wsrep_apply_oool             | 0.000000                             |
| wsrep_apply_window           | 1.000000                             |
| wsrep_causal_reads           | 16                                   |
| wsrep_cert_deps_distance     | 1.125000                             |
| wsrep_cert_index_size        | 3                                    |
| wsrep_cert_interval          | 0.000000                             |
| wsrep_cluster_conf_id        | 18446744073709551615                 |
| wsrep_cluster_size           | 1                                    |
| wsrep_cluster_state_uuid     | b8ecf355-233a-11e8-825e-bb38179b0eb4 |
| wsrep_cluster_status         | non-Primary                          |
The split-brain situation has now occurred: the node is non-Primary and the cluster cannot execute any commands.
To resolve it, execute
set global wsrep_provider_options="pc.bootstrap=true";
This command forcibly recovers a node from the split-brain state.
Verify:
MariaDB [(none)]> set global wsrep_provider_options="pc.bootstrap=true";
Query OK, 0 rows affected (0.015 sec)

MariaDB [(none)]> select @@wsrep_node_name;
+-------------------+
| @@wsrep_node_name |
+-------------------+
| node1             |
+-------------------+
1 row in set (0.478 sec)
Finally, bring nodes 192.168.153.143 and 192.168.153.144 back by clearing the iptables rules (a flush is fine in my test environment; in production delete only the rules added above):
[root@node3 mysql]# iptables -F
After the restoration, verify:
MariaDB [(none)]> show status like "wsrep_cluster_size";
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| wsrep_cluster_size | 3     |
+--------------------+-------+
1 row in set (0.001 sec)

9. After the fault, check that the two nodes synchronize data again once their service is restarted.
Stop mariadb on 192.168.153.143 and 192.168.153.144:
[root@node2 mysql]# systemctl stop mariadb
Then insert data on node 192.168.153.142:
MariaDB [test]> select * from test1;
+------+
| id   |
+------+
|    2 |
|    2 |
|    1 |
|    3 |
+------+
4 rows in set (0.007 sec)
Now restart the other two nodes in the cluster and check that their data is consistent with the master node.

10. Abnormal shutdown: the server room suddenly loses power, all Galera hosts shut down uncleanly, and when the machines are powered back on the Galera cluster service cannot start properly. How should this be handled?
Step 1: Start the mariadb service on the master host of the Galera cluster.
Step 2: Start the mariadb service on the member hosts of the Galera cluster.
Exception handling: the mysql service cannot be started on either the master host or the member hosts of the Galera cluster. What should I do?
Solution one:
Step 1: On the Galera master host, delete the status file /var/lib/mysql/grastate.dat and start the service with /bin/galera_new_cluster. It starts normally. Log in and check the wsrep status.
Step 2: On each Galera member host, delete the status file /var/lib/mysql/grastate.dat and restart the service with systemctl restart mariadb. It starts normally. Log in and check the wsrep status.
Solution two:
Step 1: On the Galera master host, edit the status file /var/lib/mysql/grastate.dat, change the 0 (the safe_to_bootstrap flag) to 1, and start the service with /bin/galera_new_cluster. It starts normally. Log in and check the wsrep status.
Step 2: On each Galera member host, change the 0 in /var/lib/mysql/grastate.dat to 1 and restart the service with systemctl restart mariadb. It starts normally. Log in and check the wsrep status.
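Before applying Solution two, it is worth reading grastate.dat on every node rather than editing the master's copy blindly: the node that bootstraps should be the one with the most recent committed position. The script below is an added example, not part of the original post or of the Galera/MariaDB code base; the node addresses are the post's test cluster, while the seqno values and the uuid are constructed.

```python
"""Pick the Galera node to bootstrap after an unclean shutdown, from grastate.dat.

Rule applied: a node already marked safe_to_bootstrap: 1 wins; otherwise the
node with the highest non-negative seqno. After a power loss every node usually
has seqno -1 (position unknown); then the files alone cannot decide and the
operator must recover the position (mysqld --wsrep-recover) or, as the post
does, designate the master host and set its flag to 1 (Solution two, step 1).
"""
import re
from typing import Dict, Optional


def parse_grastate(text: str) -> Dict[str, str]:
    """Parse the 'key: value' lines of grastate.dat; '#' lines are comments."""
    state: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        state[key.strip()] = value.strip()
    return state


def choose_bootstrap_node(states: Dict[str, str]) -> Optional[str]:
    """Return the node name to run galera_new_cluster on, or None if undecidable."""
    parsed = {name: parse_grastate(text) for name, text in states.items()}
    for name, st in parsed.items():
        if st.get("safe_to_bootstrap") == "1":
            return name
    best_name, best_seqno = None, -1
    for name, st in parsed.items():
        seqno = int(st.get("seqno", "-1"))
        if seqno > best_seqno:          # strictly greater, so seqno -1 never qualifies
            best_name, best_seqno = name, seqno
    return best_name


def mark_safe_to_bootstrap(text: str) -> str:
    """Rewrite grastate.dat content so that safe_to_bootstrap is 1 (Solution two)."""
    if re.search(r"^safe_to_bootstrap:", text, flags=re.M):
        return re.sub(r"^safe_to_bootstrap:\s*\d+", "safe_to_bootstrap: 1", text, flags=re.M)
    return text.rstrip("\n") + "\nsafe_to_bootstrap: 1\n"


def grastate(seqno: int, safe: int) -> str:
    """Build a grastate.dat body; the uuid is a constructed placeholder."""
    return ("# GALERA saved state\nversion: 2.1\n"
            "uuid:    11111111-2222-3333-4444-555555555555\n"
            f"seqno:   {seqno}\nsafe_to_bootstrap: {safe}\n")


# Constructed sample files for the three nodes of the post's test cluster.
NODE_STATES = {
    "192.168.153.142": grastate(-1, 0),    # position unknown after the power loss
    "192.168.153.143": grastate(4711, 0),  # shut down with the most recent transaction
    "192.168.153.144": grastate(4709, 0),
}
# The usual power-loss picture: nobody knows its position.
ALL_UNKNOWN = {name: grastate(-1, 0) for name in NODE_STATES}

if __name__ == "__main__":
    print("bootstrap candidate:", choose_bootstrap_node(NODE_STATES))   # 192.168.153.143
    print("all unknown:", choose_bootstrap_node(ALL_UNKNOWN))           # None
```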

Install and Configure PostgreSQL 10 on Fedora 27

1.1, add the software source
rmohan.com@fedora1 ~ $ sudo dnf install https://download.postgresql.org/pub/repos/yum/10/fedora/fedora-27-x86_64/pgdg-fedora10-10-3.noarch.rpm
Last metadata expiration check: 7:30:40 ago on Tue 02 Jan 2018 10:32:40 AM CST.
pgdg-fedora10-10-3.noarch.rpm 6.9 kB/s | 8.8 kB 00:01
Dependencies resolved.
==============================================================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================================================
Installing:
pgdg-fedora10 noarch 10-3 @commandline 8.8 k

Transaction Summary
==============================================================================================================================================================================================================================================
Install 1 Package

Total size: 8.8 k
Installed size: 3.2 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : pgdg-fedora10-10-3.noarch 1/1
Verifying : pgdg-fedora10-10-3.noarch 1/1

Installed:
pgdg-fedora10.noarch 10-3

Complete!
1.2, install the server and client
rmohan.com@fedora1 ~ $ sudo dnf install postgresql10-server postgresql10
PostgreSQL 10 27 – x86_64 76 kB/s | 164 kB 00:02
Last metadata expiration check: 0:00:00 ago on Tue 02 Jan 2018 06:03:33 PM CST.
Dependencies resolved.
==============================================================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================================================
Installing:
postgresql10 x86_64 10.1-1PGDG.f27 pgdg10 1.5 M
postgresql10-server x86_64 10.1-1PGDG.f27 pgdg10 4.4 M
Installing dependencies:
libicu x86_64 57.1-9.fc27 updates 8.4 M
postgresql10-libs x86_64 10.1-1PGDG.f27 pgdg10 354 k

Transaction Summary
==============================================================================================================================================================================================================================================
Install 4 Packages

Total download size: 15 M
Installed size: 54 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): postgresql10-10.1-1PGDG.f27.x86_64.rpm 203 kB/s | 1.5 MB 00:07
(2/4): libicu-57.1-9.fc27.x86_64.rpm 3.8 MB/s | 8.4 MB 00:02
(3/4): postgresql10-libs-10.1-1PGDG.f27.x86_64.rpm 36 kB/s | 354 kB 00:09
(4/4): postgresql10-server-10.1-1PGDG.f27.x86_64.rpm 138 kB/s | 4.4 MB 00:32
———————————————————————————————————————————————————————————————————————————————-
Total 460 kB/s | 15 MB 00:32
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : libicu-57.1-9.fc27.x86_64 1/4
Running scriptlet: libicu-57.1-9.fc27.x86_64 1/4
Installing : postgresql10-libs-10.1-1PGDG.f27.x86_64 2/4
Running scriptlet: postgresql10-libs-10.1-1PGDG.f27.x86_64 2/4
Installing : postgresql10-10.1-1PGDG.f27.x86_64 3/4
Running scriptlet: postgresql10-10.1-1PGDG.f27.x86_64 3/4
Running scriptlet: postgresql10-server-10.1-1PGDG.f27.x86_64 4/4
Installing : postgresql10-server-10.1-1PGDG.f27.x86_64 4/4
Running scriptlet: postgresql10-server-10.1-1PGDG.f27.x86_64 4/4
Verifying : postgresql10-server-10.1-1PGDG.f27.x86_64 1/4
Verifying : postgresql10-10.1-1PGDG.f27.x86_64 2/4
Verifying : postgresql10-libs-10.1-1PGDG.f27.x86_64 3/4
Verifying : libicu-57.1-9.fc27.x86_64 4/4

Installed:
postgresql10.x86_64 10.1-1PGDG.f27 postgresql10-server.x86_64 10.1-1PGDG.f27 libicu.x86_64 57.1-9.fc27 postgresql10-libs.x86_64 10.1-1PGDG.f27

Complete!
Note that dnf works much like yum but performs better, and it is now the mainstream package manager for the Red Hat family of distributions.

1.3, initialization
rmohan.com@fedora1 ~ $ sudo /usr/pgsql-10/bin/postgresql-10-setup initdb
Initializing database … OK

rmohan.com@fedora1 ~ $ sudo systemctl enable postgresql-10.service
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql-10.service -> /usr/lib/systemd/system/postgresql-10.service.
rmohan.com@fedora1 ~ $ sudo systemctl start postgresql-10.service
rmohan.com@fedora1 ~ $ sudo systemctl status postgresql-10.service
● postgresql-10.service - PostgreSQL 10 database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-01-02 18:07:03 CST; 12s ago
     Docs: https://www.postgresql.org/docs/10/static/
  Process: 4654 ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
 Main PID: 4659 (postmaster)
    Tasks: 8 (limit: 4915)
   CGroup: /system.slice/postgresql-10.service
           ├─4659 /usr/pgsql-10/bin/postmaster -D /var/lib/pgsql/10/data/
           ├─4660 postgres: logger process
           ├─4662 postgres: checkpointer process
           ├─4663 postgres: writer process
           ├─4664 postgres: wal writer process
           ├─4665 postgres: autovacuum launcher process
           ├─4666 postgres: stats collector process
           └─4667 postgres: bgworker: logical replication launcher

Jan 02 18:07:03 fedora1 systemd[1]: Starting PostgreSQL 10 database server…
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.166 CST [4659] LOG: listening on IPv6 address “::1”, port 5432
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.166 CST [4659] LOG: listening on IPv4 address “127.0.0.1”, port 5432
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.168 CST [4659] LOG: listening on Unix socket “/var/run/postgresql/.s.PGSQL.5432”
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.170 CST [4659] LOG: listening on Unix socket “/tmp/.s.PGSQL.5432”
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.176 CST [4659] LOG: redirecting log output to logging collector process
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.176 CST [4659] HINT: Future log output will appear in directory “log”.
Jan 02 18:07:03 fedora1 systemd[1]: Started PostgreSQL 10 database server.
1.4, local access
postgres@fedora1 ~ $ psql
psql (10.1)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

postgres=#
2, configuration
Normally you need to reach the PostgreSQL service from hosts other than the one it runs on. By default, however, PostgreSQL accepts only local connections. To allow other hosts to connect, configure the following.

2.1. Allow non-local connections.
In Fedora's distribution the PostgreSQL configuration files live mainly in the data directory, i.e. /var/lib/pgsql/10/data/

postgres@fedora1 ~ $ psql
psql (10.1)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

postgres=# \q
postgres@fedora1 ~ $ ll /var/lib/pgsql/10/data/
total 136
drwx------. 20 postgres postgres  4096 Jan  2 18:07 .
drwx------.  4 postgres postgres  4096 Jan  2 18:06 ..
drwx------.  5 postgres postgres  4096 Jan  2 18:06 base
-rw-------.  1 postgres postgres    30 Jan  2 18:07 current_logfiles
drwx------.  2 postgres postgres  4096 Jan  2 18:08 global
drwx------.  2 postgres postgres  4096 Jan  2 18:07 log
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_commit_ts
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_dynshmem
-rw-------.  1 postgres postgres  4269 Jan  2 18:06 pg_hba.conf
-rw-------.  1 postgres postgres  1636 Jan  2 18:06 pg_ident.conf
drwx------.  4 postgres postgres  4096 Jan  2 18:12 pg_logical
drwx------.  4 postgres postgres  4096 Jan  2 18:06 pg_multixact
drwx------.  2 postgres postgres  4096 Jan  2 18:07 pg_notify
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_replslot
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_serial
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_snapshots
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_stat
drwx------.  2 postgres postgres  4096 Jan  2 18:21 pg_stat_tmp
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_subtrans
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_tblspc
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_twophase
-rw-------.  1 postgres postgres     3 Jan  2 18:06 PG_VERSION
drwx------.  3 postgres postgres  4096 Jan  2 18:06 pg_wal
drwx------.  2 postgres postgres  4096 Jan  2 18:06 pg_xact
-rw-------.  1 postgres postgres    88 Jan  2 18:06 postgresql.auto.conf
-rw-------.  1 postgres postgres 22761 Jan  2 18:06 postgresql.conf
-rw-------.  1 postgres postgres    58 Jan  2 18:07 postmaster.opts
-rw-------.  1 postgres postgres   103 Jan  2 18:07 postmaster.pid
postgres@fedora1 ~ $
We first modify postgresql.conf to lift the local-only listening restriction. Open the file with vim; line 59 reads

59 #listen_addresses = 'localhost' # what IP address(es) to listen on;

and is changed to the following (the leading # must be removed as well, otherwise the setting stays commented out and PostgreSQL keeps listening on localhost only):

59 listen_addresses = '*' # what IP address(es) to listen on;

Then use vim to open pg_hba.conf and find line 82:

82 host all all 127.0.0.1/32 ident

Add the following line after it:

83 host all all 192.168.1.0/24 trust

(trust accepts every connection from that network without any password; outside a lab, use scram-sha-256 or md5 in that position.) At this point, restart the PostgreSQL service with systemctl restart: a plain systemctl start does nothing to a service that is already running, and the "Active: ... since" timestamp in systemctl status shows whether the restart actually took place.

postgres@fedora1 ~ $ vim /var/lib/pgsql/10/data/postgresql.conf
postgres@fedora1 ~ $ vim /var/lib/pgsql/10/data/pg_hba.conf
postgres@fedora1 ~ $ exit
logout
rmohan.com@fedora1 ~ $ sudo systemctl start postgresql-10.service
[sudo] password for rmohan.com:
lwk@fedora1 ~ $ sudo systemctl status postgresql-10.service
● postgresql-10.service - PostgreSQL 10 database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-01-02 18:07:03 CST; 29min ago
     Docs: https://www.postgresql.org/docs/10/static/
  Process: 4654 ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
 Main PID: 4659 (postmaster)
    Tasks: 8 (limit: 4915)
   CGroup: /system.slice/postgresql-10.service
           ├─4659 /usr/pgsql-10/bin/postmaster -D /var/lib/pgsql/10/data/
           ├─4660 postgres: logger process
           ├─4662 postgres: checkpointer process
           ├─4663 postgres: writer process
           ├─4664 postgres: wal writer process
           ├─4665 postgres: autovacuum launcher process
           ├─4666 postgres: stats collector process
           └─4667 postgres: bgworker: logical replication launcher

Jan 02 18:07:03 fedora1 systemd[1]: Starting PostgreSQL 10 database server…
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.166 CST [4659] LOG: listening on IPv6 address “::1”, port 5432
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.166 CST [4659] LOG: listening on IPv4 address “127.0.0.1”, port 5432
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.168 CST [4659] LOG: listening on Unix socket “/var/run/postgresql/.s.PGSQL.5432”
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.170 CST [4659] LOG: listening on Unix socket “/tmp/.s.PGSQL.5432”
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.176 CST [4659] LOG: redirecting log output to logging collector process
Jan 02 18:07:03 fedora1 postmaster[4659]: 2018-01-02 18:07:03.176 CST [4659] HINT: Future log output will appear in directory “log”.
Jan 02 18:07:03 fedora1 systemd[1]: Started PostgreSQL 10 database server.
rmohan.com@fedora1 ~ $
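Once listen_addresses is '*', every pg_hba.conf entry with a network address range is reachable from the LAN, so the method column decides how much the firewall has to do. The checker below is an added example, not part of the original post or of PostgreSQL; it audits constructed pg_hba.conf contents that contain the line 83 added above and reports network-facing entries that use trust (no credentials) or password (cleartext), then shows that the scram-sha-256 form passes.

```python
"""Audit pg_hba.conf for authentication methods that should not face a network."""
import ipaddress
from typing import List

# Constructed sample: the relevant lines of pg_hba.conf after the edit above
# (the real file is longer, so the line numbers reported here are not 82/83).
PG_HBA_AS_EDITED = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
host    all             all             192.168.1.0/24          trust
"""

# The same file with the hardened form of the new line: challenge-response
# authentication instead of an unconditional allow.
PG_HBA_HARDENED = PG_HBA_AS_EDITED.replace("trust", "scram-sha-256")

WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
}


def audit_pg_hba(text: str) -> List[str]:
    """Return one finding per network-facing entry that uses a weak method."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            continue                              # Unix-socket entries: not network reachable
        if conn_type not in ("host", "hostssl", "hostnossl") or len(fields) < 5:
            continue                              # unknown record type or malformed line
        address, method = fields[3], fields[4]
        # pg_hba also allows "IP NETMASK METHOD" as separate fields.
        if len(fields) >= 6:
            try:
                ipaddress.ip_address(fields[4])
                address, method = f"{fields[3]}/{fields[4]}", fields[5]
            except ValueError:
                pass                              # fields[4] really is the method
        try:
            network = ipaddress.ip_network(address, strict=False)
        except ValueError:
            network = None                        # hostname, all, samehost, samenet: treat as remote
        if network is not None and network.is_loopback:
            continue                              # 127.0.0.1/32 and ::1/128 stay local
        if method in WEAK_METHODS:
            findings.append(
                f"line {lineno}: {conn_type} {address} uses {method} ({WEAK_METHODS[method]})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(PG_HBA_AS_EDITED):
        print(finding)
    print("hardened findings:", audit_pg_hba(PG_HBA_HARDENED))
```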
2.2. Modify the firewall configuration.
Modifying the firewall configuration means adding port 5432 to the firewall whitelist. There are many ways to do this; here we use ufw.

rmohan.com@fedora1 ~ $ dnf list ufw
Last metadata expiration check: 0:00:36 ago on Tue 02 Jan 2018 06:41:47 PM CST.
Available Packages
ufw.noarch 0.35-9.fc27 fedora
rmohan.com@fedora1 ~ $ sudo dnf install ufw
Last metadata expiration check: 0:39:13 ago on Tue 02 Jan 2018 06:03:33 PM CST.
Dependencies resolved.
==============================================================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================================================
Installing:
ufw noarch 0.35-9.fc27 fedora 222 k

Transaction Summary
==============================================================================================================================================================================================================================================
Install 1 Package

Total download size: 222 k
Installed size: 978 k
Is this ok [y/N]: y
Downloading Packages:
ufw-0.35-9.fc27.noarch.rpm 99 kB/s | 222 kB 00:02
———————————————————————————————————————————————————————————————————————————————-
Total 98 kB/s | 222 kB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : ufw-0.35-9.fc27.noarch 1/1
Running scriptlet: ufw-0.35-9.fc27.noarch 1/1
Running as unit: run-rcf2b3a65bf7d43b78a6d1e515b174178.service
Verifying : ufw-0.35-9.fc27.noarch 1/1

Installed:
ufw.noarch 0.35-9.fc27

Complete!
rmohan.com@fedora1 ~ $
rmohan.com@fedora1 ~ $ sudo ufw status
Status: inactive
rmohan.com@fedora1 ~ $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
rmohan.com@fedora1 ~ $ sudo ufw status
Status: active

To Action From
— —— —-
SSH ALLOW Anywhere
224.0.0.251 mDNS ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
ff02::fb mDNS ALLOW Anywhere (v6)

rmohan.com@fedora1 ~ $ sudo ufw allow 5432
Rule added
Rule added (v6)
rmohan.com@fedora1 ~ $ sudo ufw default deny
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)
rmohan.com@fedora1 ~ $ sudo systemctl enable ufw.service
Created symlink /etc/systemd/system/basic.target.wants/ufw.service -> /usr/lib/systemd/system/ufw.service.
rmohan.com@fedora1 ~ $ sudo systemctl restart ufw.service
rmohan.com@fedora1 ~ $ sudo systemctl status ufw.service
● ufw.service - Uncomplicated firewall
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; vendor preset: disabled)
Active: active (exited) since Tue 2018-01-02 18:47:35 CST; 13s ago
Docs: man:ufw(8)
man:ufw-framework(8)
file://usr/share/doc/ufw/README
Process: 6171 ExecStart=/usr/libexec/ufw/ufw-init start (code=exited, status=0/SUCCESS)
Main PID: 6171 (code=exited, status=0/SUCCESS)

Jan 02 18:47:34 fedora1 systemd[1]: Starting Uncomplicated firewall…
Jan 02 18:47:35 fedora1 systemd[1]: Started Uncomplicated firewall.
rmohan.com@fedora1 ~ $ sudo ufw status
Status: active

To Action From
— —— —-
SSH ALLOW Anywhere
224.0.0.251 mDNS ALLOW Anywhere
5432 ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
ff02::fb mDNS ALLOW Anywhere (v6)
5432 (v6) ALLOW Anywhere (v6)

rmohan.com@fedora1 ~ $

CentOS 7 MongoDB 3.4

Install MongoDB 3.4 with yum on a CentOS 7 system.

Step 1: check whether a yum source for MongoDB is already configured.

Switch to the yum repository directory: cd /etc/yum.repos.d/

List the files: ls

Step 2: if it does not exist, add the yum source.

Create the file: touch mongodb-3.4.repo

Edit the file: vi mongodb-3.4.repo

Contents:

cat /etc/yum.repos.d/mongodb-3.4.repo

[mongodb-org-3.4]

name=MongoDB Repository

baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/

gpgcheck=1

enabled=1

gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

Setting gpgcheck=0 here skips the GPG verification of the packages; that also removes the only integrity check on what yum installs, so it is better left at 1.

Update all packages before installation: yum update (optional)

Then install: yum install -y mongodb-org

Check the mongod installation location: whereis mongod

Check and edit the configuration file: vi /etc/mongod.conf

Start mongod: systemctl start mongod.service

Stop mongod: systemctl stop mongod.service

Access from external hosts requires opening the firewall:

CentOS 7 uses firewalld by default; here it is stopped and replaced with an iptables firewall. (Allowing only TCP port 27017 is the narrower alternative to disabling the firewall entirely.)

Stop the firewall:

systemctl stop firewalld.service    # stop the firewall

systemctl disable firewalld.service # do not start the firewall at boot

Connect to MongoDB: mongo 192.168.60.102:27017

>use admin

>show dbs

>show collections

After restarting MongoDB, log in to the admin database and create a user with the root role:

use admin

db.createUser({user:'root',pwd:'root',roles:[{ "role" : "root", "db" : "admin" }]});

Configuration (/etc/mongod.conf, legacy option syntax):

fork=true                                      # run the daemon in the background

#auth=true                                     # enable authentication (commented out here, so the server accepts unauthenticated connections; enable it once the root user above exists)

logpath=/data/db/mongodb/logs/mongodb.log      # log file
logappend=true                                 # log write mode: true appends; the default overwrites
dbpath=/data/db/mongodb/data/                  # data storage directory

pidfilepath=/data/db/mongodb/logs/mongodb.pid  # process ID file; if not specified, no PID file is written at start

port=27017

#bind_ip=192.168.2.73                          # addresses to bind; the default is 127.0.0.1, i.e. local connections only

directoryperdb=true                            # store each database in its own folder under dbpath; with this option MongoDB can keep data on different disk devices to increase write throughput or disk capacity; the default is false, and it is best set from the beginning

nojournal=true                                 # disable the journal; the journal (a journal directory under dbpath) is what guarantees write consistency and data consistency, so this trades durability for speed

maxConns=1024                                  # maximum number of connections; the default depends on system limits (ulimit and file descriptors), a value above the system limit is ignored and the system limit prevails; set it higher than the connection-pool size plus the total number of connections to avoid refused connections at peak times; cannot be set greater than 20000

Application Load Balancer

Create an Application Load Balancer
The Application Load Balancer is a flavor of the Elastic Load Balancing (ELB) service. It works more or less the same as a Classic Load Balancer; however, it has several additional features and some new concepts you need to understand, so this lab covers those first.
AWS has great documentation to help you get started, so let’s start by referencing it:

The load balancer serves as the single point of contact for clients. You add one or more listeners to your load balancer.

A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to one or more target groups, based on the rules that you define. Each rule specifies a target group, condition, and priority.
When the condition is met, the traffic is forwarded to the target group. You must define a default rule for each listener, and you can add rules that specify different target groups based on the content of the request (also known as content-based routing).
Each target group routes requests to one or more registered targets, such as EC2 instances, using the protocol and port number that you specify. You can register a target with multiple target groups. You can configure health checks on a per target group basis.
Health checks are performed on all targets registered to a target group that is specified in a listener rule for your load balancer.
The following diagram illustrates the basic components. Notice that each listener contains a default rule, and one listener contains another rule that routes requests to a different target group. One target is registered with two target groups.

Recommended Network ACL Rules for Your VPC

Recommended Rules for Scenario 1

Scenario 1 is a single subnet with instances that can receive and send Internet traffic. For more information, see Scenario 1: VPC with a Single Public Subnet.

The following table shows the rules we recommend. They block all traffic except that which is explicitly required.

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from any IPv4 address.
110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address.
120 | Public IPv4 address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from your home network (over the Internet gateway).
130 | Public IPv4 address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from your home network (over the Internet gateway).
140 | 0.0.0.0/0 | TCP | 32768-65535 | ALLOW | Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet. This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | 0.0.0.0/0 | all | all | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
120 | 0.0.0.0/0 | TCP | 32768-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | 0.0.0.0/0 | all | all | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable).

Recommended Rules for IPv6

If you implemented scenario 1 with IPv6 support and created a VPC and subnet with associated IPv6 CIDR blocks, you must add separate rules to your network ACL to control inbound and outbound IPv6 traffic.

The following are the IPv6-specific rules for your network ACL (which are in addition to the rules listed above).

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
150 | ::/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from any IPv6 address.
160 | ::/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from any IPv6 address.
170 | IPv6 address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from your home network (over the Internet gateway).
180 | IPv6 address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from your home network (over the Internet gateway).
190 | ::/0 | TCP | 32768-65535 | ALLOW | Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet. This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | ::/0 | all | all | DENY | Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
130 | ::/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
140 | ::/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
150 | ::/0 | TCP | 32768-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | ::/0 | all | all | DENY | Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).
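Two properties of these tables are easy to get wrong in practice: rules are evaluated in ascending rule number and the first match wins, and a network ACL is stateless, so the reply half of every connection needs its own explicit rule (the ephemeral-port entries). The simulator below is an added example, not AWS code or the blog's; it encodes the Scenario 1 IPv4 rules exactly as listed and evaluates constructed packets against them, using 203.0.113.0/24 as a stand-in for the "public IPv4 address range of your home network".

```python
"""Simulate network ACL evaluation for the Scenario 1 IPv4 rules above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_NET = "203.0.113.0/24"   # constructed stand-in for the home network range


@dataclass(frozen=True)
class Rule:
    number: int                        # evaluated in ascending order; first match wins
    cidr: str                          # source (inbound) or destination (outbound) CIDR
    protocol: str                      # "TCP" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive (low, high), or None for "all"
    action: str                        # "ALLOW" or "DENY"

    def matches(self, addr: str, protocol: str, port: int) -> bool:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def evaluate(rules: List[Rule], addr: str, protocol: str, port: int):
    """Return (rule number, action) of the lowest-numbered matching rule.

    Rules are sorted by number, so their order in the list is irrelevant.
    If nothing matches, the non-modifiable '*' rule denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(addr, protocol, port):
            return rule.number, rule.action
    return "*", "DENY"


# Scenario 1 inbound rules, as in the table above.
SCENARIO1_INBOUND = [
    Rule(100, "0.0.0.0/0", "TCP", (80, 80), "ALLOW"),
    Rule(110, "0.0.0.0/0", "TCP", (443, 443), "ALLOW"),
    Rule(120, HOME_NET, "TCP", (22, 22), "ALLOW"),
    Rule(130, HOME_NET, "TCP", (3389, 3389), "ALLOW"),
    Rule(140, "0.0.0.0/0", "TCP", (32768, 65535), "ALLOW"),
]

# Scenario 1 outbound rules, as in the table above.
SCENARIO1_OUTBOUND = [
    Rule(100, "0.0.0.0/0", "TCP", (80, 80), "ALLOW"),
    Rule(110, "0.0.0.0/0", "TCP", (443, 443), "ALLOW"),
    Rule(120, "0.0.0.0/0", "TCP", (32768, 65535), "ALLOW"),
]


def check_flow(client_addr: str, client_port: int, server_port: int):
    """Check both halves of one TCP exchange between an Internet client and an
    instance in the subnet: the request (inbound, keyed on the destination port)
    and the reply (outbound, keyed on the client's source port). Because the ACL
    is stateless, the reply is only allowed if the client's port falls in the
    ephemeral range of outbound rule 120."""
    inbound = evaluate(SCENARIO1_INBOUND, client_addr, "TCP", server_port)
    outbound = evaluate(SCENARIO1_OUTBOUND, client_addr, "TCP", client_port)
    return inbound, outbound


if __name__ == "__main__":
    print("web, client port 50000:", check_flow("198.51.100.7", 50000, 80))
    print("web, client port 1000: ", check_flow("198.51.100.7", 1000, 80))   # reply denied
    print("ssh from home:         ", check_flow("203.0.113.5", 40000, 22))
    print("ssh from elsewhere:    ", check_flow("198.51.100.7", 40000, 22))  # request denied
```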

Recommended Rules for Scenario 2

Scenario 2 is a public subnet with instances that can receive and send Internet traffic, and a private subnet that can’t receive traffic directly from the Internet. However, it can initiate traffic to the Internet (and receive responses) through a NAT gateway or NAT instance in the public subnet. For more information, see Scenario 2: VPC with Public and Private Subnets (NAT).

For this scenario you have a network ACL for the public subnet, and a separate one for the private subnet. The following table shows the rules we recommend for each ACL. They block all traffic except that which is explicitly required. They mostly mimic the security group rules for the scenario.

ACL Rules for the Public Subnet

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from any IPv4 address.
110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address.
120 | Public IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from your home network (over the Internet gateway).
130 | Public IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from your home network (over the Internet gateway).
140 | 0.0.0.0/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet. This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | 0.0.0.0/0 | all | all | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
120 | 10.0.1.0/24 | TCP | 1433 | ALLOW | Allows outbound MS SQL access to database servers in the private subnet. This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.
140 | 0.0.0.0/0 | TCP | 32768-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
150 | 10.0.1.0/24 | TCP | 22 | ALLOW | Allows outbound SSH access to instances in your private subnet (from an SSH bastion, if you have one).
* | 0.0.0.0/0 | all | all | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable).

ACL Rules for the Private Subnet

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
100 | 10.0.0.0/24 | TCP | 1433 | ALLOW | Allows web servers in the public subnet to read and write to MS SQL servers in the private subnet. This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.
120 | 10.0.0.0/24 | TCP | 22 | ALLOW | Allows inbound SSH traffic from an SSH bastion in the public subnet (if you have one).
130 | 10.0.0.0/24 | TCP | 3389 | ALLOW | Allows inbound RDP traffic from the Microsoft Terminal Services gateway in the public subnet.
140 | 0.0.0.0/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from the NAT device in the public subnet for requests originating in the private subnet. For information about specifying the correct ephemeral ports, see the important note at the beginning of this topic.
* | 0.0.0.0/0 | all | all | DENY | Denies all IPv4 inbound traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
120 | 10.0.0.0/24 | TCP | 32768-65535 | ALLOW | Allows outbound responses to the public subnet (for example, responses to web servers in the public subnet that are communicating with DB servers in the private subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | 0.0.0.0/0 | all | all | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable).

Recommended Rules for IPv6

If you implemented scenario 2 with IPv6 support and created a VPC and subnets with associated IPv6 CIDR blocks, you must add separate rules to your network ACLs to control inbound and outbound IPv6 traffic.

The following are the IPv6-specific rules for your network ACLs (which are in addition to the rules listed above).

ACL Rules for the Public Subnet

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
150 | ::/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from any IPv6 address.
160 | ::/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from any IPv6 address.
170 | IPv6 address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic over IPv6 from your home network (over the Internet gateway).
180 | IPv6 address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic over IPv6 from your home network (over the Internet gateway).
190 | ::/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet. This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | ::/0 | all | all | DENY | Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
160 | ::/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
170 | ::/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
180 | 2001:db8:1234:1a01::/64 | TCP | 1433 | ALLOW | Allows outbound MS SQL access to database servers in the private subnet. This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.
200 | ::/0 | TCP | 32768-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
210 | 2001:db8:1234:1a01::/64 | TCP | 22 | ALLOW | Allows outbound SSH access to instances in your private subnet (from an SSH bastion, if you have one).
* | ::/0 | all | all | DENY | Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).

ACL Rules for the Private Subnet

Inbound
Rule # | Source IP | Protocol | Port | Allow/Deny | Comments
150 | 2001:db8:1234:1a00::/64 | TCP | 1433 | ALLOW | Allows web servers in the public subnet to read and write to MS SQL servers in the private subnet. This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.
170 | 2001:db8:1234:1a00::/64 | TCP | 22 | ALLOW | Allows inbound SSH traffic from an SSH bastion in the public subnet (if applicable).
180 | 2001:db8:1234:1a00::/64 | TCP | 3389 | ALLOW | Allows inbound RDP traffic from a Microsoft Terminal Services gateway in the public subnet, if applicable.
190 | ::/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from the egress-only Internet gateway for requests originating in the private subnet. This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | ::/0 | all | all | DENY | Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).

Outbound
Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments
130 | ::/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet.
140 | ::/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet.
150 | 2001:db8:1234:1a00::/64 | TCP | 32768-65535 | ALLOW | Allows outbound responses to the public subnet (for example, responses to web servers in the public subnet that are communicating with DB servers in the private subnet). This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.
* | ::/0 | all | all | DENY | Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).

Recommended Rules for Scenario 3

Scenario 3 is a public subnet with instances that can receive and send Internet traffic, and a VPN-only subnet with instances that can communicate only with your home network over the VPN connection. For more information, see Scenario 3: VPC with Public and Private Subnets and AWS Managed VPN Access.

For this scenario you have a network ACL for the public subnet, and a separate one for the VPN-only subnet. The following table shows the rules we recommend for each ACL. They block all traffic except that which is explicitly required.

ACL Rules for the Public Subnet

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
100 0.0.0.0/0 TCP 80 ALLOW Allows inbound HTTP traffic to the web servers from any IPv4 address.
110 0.0.0.0/0 TCP 443 ALLOW Allows inbound HTTPS traffic to the web servers from any IPv4 address.
120 Public IPv4 address range of your home network TCP 22 ALLOW Allows inbound SSH traffic to the web servers from your home network (over the Internet gateway).
130 Public IPv4 address range of your home network TCP 3389 ALLOW Allows inbound RDP traffic to the web servers from your home network (over the Internet gateway).
140 0.0.0.0/0 TCP 32768-65535 ALLOW Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet.

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
100 0.0.0.0/0 TCP 80 ALLOW Allows outbound HTTP traffic from the subnet to the Internet.
110 0.0.0.0/0 TCP 443 ALLOW Allows outbound HTTPS traffic from the subnet to the Internet.
120 10.0.1.0/24 TCP 1433 ALLOW Allows outbound MS SQL access to database servers in the VPN-only subnet.

This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.

140 0.0.0.0/0 TCP 32768-65535 ALLOW Allows outbound IPv4 responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet).

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all outbound traffic not already handled by a preceding rule (not modifiable).

ACL Rules for the VPN-Only Subnet

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
100 10.0.0.0/24 TCP 1433 ALLOW Allows web servers in the public subnet to read and write to MS SQL servers in the VPN-only subnet.

This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.

120 Private IPv4 address range of your home network TCP 22 ALLOW Allows inbound SSH traffic from the home network (over the virtual private gateway).
130 Private IPv4 address range of your home network TCP 3389 ALLOW Allows inbound RDP traffic from the home network (over the virtual private gateway).
140 Private IPv4 address range of your home network TCP 32768-65535 ALLOW Allows inbound return traffic from clients in the home network (over the virtual private gateway).

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all inbound traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
100 Private IP address range of your home network All All ALLOW Allows all outbound traffic from the subnet to your home network (over the virtual private gateway). This rule also covers rule 120; however, you can make this rule more restrictive by using a specific protocol type and port number. If you make this rule more restrictive, then you must include rule 120 in your network ACL to ensure that outbound responses are not blocked.
110 10.0.0.0/24 TCP 32768-65535 ALLOW Allows outbound responses to the web servers in the public subnet.

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

120 Private IP address range of your home network TCP 32768-65535 ALLOW Allows outbound responses to clients in the home network (over the virtual private gateway).

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all outbound traffic not already handled by a preceding rule (not modifiable).

Recommended Rules for IPv6

If you implemented scenario 3 with IPv6 support and created a VPC and subnets with associated IPv6 CIDR blocks, you must add separate rules to your network ACLs to control inbound and outbound IPv6 traffic.

The following are the IPv6-specific rules for your network ACLs (which are in addition to the rules listed above).

ACL Rules for the Public Subnet

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
150 ::/0 TCP 80 ALLOW Allows inbound HTTP traffic from any IPv6 address.
160 ::/0 TCP 443 ALLOW Allows inbound HTTPS traffic from any IPv6 address.
170 IPv6 address range of your home network TCP 22 ALLOW Allows inbound SSH traffic over IPv6 from your home network (over the Internet gateway).
180 IPv6 address range of your home network TCP 3389 ALLOW Allows inbound RDP traffic over IPv6 from your home network (over the Internet gateway).
190 ::/0 TCP 1024-65535 ALLOW Allows inbound return traffic from hosts on the Internet that are responding to requests originating in the subnet.

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* ::/0 all all DENY Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
150 ::/0 TCP 80 ALLOW Allows outbound HTTP traffic from the subnet to the Internet.
160 ::/0 TCP 443 ALLOW Allows outbound HTTPS traffic from the subnet to the Internet.
170 2001:db8:1234:1a01::/64 TCP 1433 ALLOW Allows outbound MS SQL access to database servers in the VPN-only subnet.

This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.

190 ::/0 TCP 32768-65535 ALLOW Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet).

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* ::/0 all all DENY Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).

ACL Rules for the VPN-Only Subnet

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
150 2001:db8:1234:1a00::/64 TCP 1433 ALLOW Allows web servers in the public subnet to read and write to MS SQL servers in the VPN-only subnet.

This port number is an example only. Other examples include 3306 for MySQL/Aurora access, 5432 for PostgreSQL access, 5439 for Amazon Redshift access, and 1521 for Oracle access.

* ::/0 all all DENY Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
130 2001:db8:1234:1a00::/64 TCP 32768-65535 ALLOW Allows outbound responses to the public subnet (for example, responses to web servers in the public subnet that are communicating with DB servers in the VPN-only subnet).

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* ::/0 all all DENY Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).

Recommended Rules for Scenario 4

Scenario 4 is a single subnet with instances that can communicate only with your home network over a VPN connection. For more information, see Scenario 4: VPC with a Private Subnet Only and AWS Managed VPN Access.

The following table shows the rules we recommend. They block all traffic except that which is explicitly required.

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
100 Private IP address range of your home network TCP 22 ALLOW Allows inbound SSH traffic to the subnet from your home network.
110 Private IP address range of your home network TCP 3389 ALLOW Allows inbound RDP traffic to the subnet from your home network.
120 Private IP address range of your home network TCP 32768-65535 ALLOW Allows inbound return traffic from requests originating in the subnet.

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all inbound traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
100 Private IP address range of your home network All All ALLOW Allows all outbound traffic from the subnet to your home network. This rule also covers rule 120; however, you can make this rule more restrictive by using a specific protocol type and port number. If you make this rule more restrictive, then you must include rule 120 in your network ACL to ensure that outbound responses are not blocked.
120 Private IP address range of your home network TCP 32768-65535 ALLOW Allows outbound responses to clients in the home network.

This range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral Ports.

* 0.0.0.0/0 all all DENY Denies all outbound traffic not already handled by a preceding rule (not modifiable).
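The note on outbound rule 100 (here and in the Scenario 3 VPN-only subnet) is easy to get wrong in practice, because a network ACL is stateless: it evaluates rules in ascending rule-number order, stops at the first match, and judges each direction of a TCP session on its own. The evaluator below is an added example, not code from the AWS documentation. It encodes the Scenario 4 IPv4 tables above and assumes 192.168.0.0/16 as the "private IP address range of your home network"; the client addresses and source ports used in the checks are constructed for illustration.

```python
"""Stateless, first-match evaluator for the Scenario 4 network ACL (added example).

Shows three things the tables depend on: an IPv4 rule never matches IPv6 traffic,
a reply packet is evaluated on its own against the opposite direction's rules
(so outbound rule 120 must survive any narrowing of outbound rule 100), and the
lowest-numbered matching rule wins regardless of where a DENY sits otherwise.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "all"
HOME = "192.168.0.0/16"      # assumption: stands in for your home network's private range
EPHEMERAL = (32768, 65535)   # the example range used in the tables


@dataclass(frozen=True)
class Rule:
    number: int                       # evaluated in ascending order; first match wins
    cidr: str                         # source CIDR (inbound) or destination CIDR (outbound)
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive range; None means all ports
    action: str                       # "ALLOW" or "DENY"

    def matches(self, ip: str, protocol: str, port: int) -> bool:
        net = ipaddress.ip_network(self.cidr, strict=False)
        addr = ipaddress.ip_address(ip)
        if addr.version != net.version or addr not in net:
            return False  # an IPv4 rule cannot match IPv6 traffic, and vice versa
        if self.protocol != ANY and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def evaluate(rules: List[Rule], ip: str, protocol: str, port: int) -> str:
    """Action of the lowest-numbered matching rule, or DENY from the '*' rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, protocol, port):
            return rule.action
    return "DENY"


# Scenario 4, IPv4, exactly as in the tables above.
INBOUND = [
    Rule(100, HOME, "tcp", (22, 22), "ALLOW"),
    Rule(110, HOME, "tcp", (3389, 3389), "ALLOW"),
    Rule(120, HOME, "tcp", EPHEMERAL, "ALLOW"),
]
OUTBOUND = [
    Rule(100, HOME, ANY, None, "ALLOW"),
    Rule(120, HOME, "tcp", EPHEMERAL, "ALLOW"),
]


def tightened_outbound(keep_rule_120: bool) -> List[Rule]:
    """Outbound set with rule 100 narrowed to SSH only, with or without rule 120."""
    rules = [Rule(100, HOME, "tcp", (22, 22), "ALLOW")]
    if keep_rule_120:
        rules.append(OUTBOUND[1])
    return rules


def inbound_session(inbound, outbound, client_ip, client_port, server_port):
    """A home client connecting to an instance: SYN inbound, SYN/ACK outbound.
    Returns (request_action, reply_action); both must be ALLOW for the session to work."""
    request = evaluate(inbound, client_ip, "tcp", server_port)   # dst = service port
    reply = evaluate(outbound, client_ip, "tcp", client_port)    # dst = client's source port
    return request, reply


def outbound_session(inbound, outbound, server_ip, server_port, instance_port):
    """An instance connecting out to a host in the home network: the mirror image."""
    request = evaluate(outbound, server_ip, "tcp", server_port)
    reply = evaluate(inbound, server_ip, "tcp", instance_port)   # needs inbound rule 120
    return request, reply


def order_demo(deny_number: int, client_ip: str) -> str:
    """Add a DENY for one home /24 on port 22 at the given number; only a number
    below 100 beats the ALLOW in rule 100 for addresses inside that /24."""
    deny = Rule(deny_number, "192.168.50.0/24", "tcp", (22, 22), "DENY")
    return evaluate(INBOUND + [deny], client_ip, "tcp", 22)


if __name__ == "__main__":
    print(inbound_session(INBOUND, OUTBOUND, "192.168.10.7", 50000, 22))
    print(inbound_session(INBOUND, tightened_outbound(False), "192.168.10.7", 50000, 22))
    print(inbound_session(INBOUND, tightened_outbound(True), "192.168.10.7", 50000, 22))
    print(inbound_session(INBOUND, tightened_outbound(True), "192.168.10.7", 1025, 22))
    print(outbound_session(INBOUND, tightened_outbound(True), "192.168.1.20", 443, 45000))
    print(order_demo(90, "192.168.50.7"), order_demo(105, "192.168.50.7"))
```

Two results are worth checking before relying on the tables: narrowing outbound rule 100 to TCP 22 without keeping rule 120 breaks every SSH session at the SYN/ACK, and even with rule 120 kept, a client whose operating system picks a source port below 32768 is cut off, which is why the tables keep pointing at Ephemeral Ports rather than fixing the range.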

Recommended Rules for IPv6

If you implemented scenario 4 with IPv6 support and created a VPC and subnet with associated IPv6 CIDR blocks, you must add separate rules to your network ACL to control inbound and outbound IPv6 traffic.

In this scenario the AWS managed VPN connection does not carry IPv6 traffic, so the database servers cannot be reached over the VPN using IPv6 and no additional network ACL rules are required. The following are the default rules, which deny all IPv6 traffic to and from the subnet.

ACL Rules for the VPN-Only Subnet

Inbound
Rule # Source IP Protocol Port Allow/Deny Comments
* ::/0 all all DENY Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Dest IP Protocol Port Allow/Deny Comments
* ::/0 all all DENY Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable).
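The tables state the rules but not how to load them. The script below is an added example, not part of the AWS documentation, that creates the Scenario 4 IPv4 entries on an existing network ACL with the AWS CLI command create-network-acl-entry (its --ingress/--egress, --rule-number, --protocol, --port-range, --cidr-block, --ipv6-cidr-block and --rule-action options are real). The ACL ID and the 192.168.0.0/16 home network range are placeholders for your own values; the `*` deny rules exist on every ACL already and cannot be created. By default the script only prints the commands; pass --apply to run them.

```shell
#!/bin/sh
# Added example: load the Scenario 4 IPv4 rules above into a network ACL.
# Assumptions: ACL_ID is a placeholder, HOME_CIDR stands in for the private IP
# address range of your home network, EPHEMERAL is the example range from the
# table. DRY_RUN=1 (default) prints each aws command instead of executing it.
set -eu

ACL_ID="${ACL_ID:-acl-0123456789abcdef0}"
HOME_CIDR="${HOME_CIDR:-192.168.0.0/16}"
EPHEMERAL="32768-65535"
DRY_RUN="${DRY_RUN:-1}"

# nacl_entry DIRECTION RULE_NUMBER PROTOCOL PORTS CIDR ACTION
#   DIRECTION  ingress | egress
#   PROTOCOL   tcp | udp | all   (all becomes protocol -1, which takes no port range)
#   PORTS      a single port, a low-high range, or all
#   CIDR       IPv4 or IPv6; an IPv6 prefix is passed with --ipv6-cidr-block
#   ACTION     allow | deny
nacl_entry() {
  direction=$1 number=$2 proto=$3 ports=$4 cidr=$5 action=$6
  set -- ec2 create-network-acl-entry --network-acl-id "$ACL_ID" \
    "--$direction" --rule-number "$number" --rule-action "$action"
  if [ "$proto" = all ]; then
    set -- "$@" --protocol -1
  else
    # "22" expands to From=22,To=22; "32768-65535" to From=32768,To=65535
    set -- "$@" --protocol "$proto" --port-range "From=${ports%-*},To=${ports#*-}"
  fi
  case $cidr in
    *:*) set -- "$@" --ipv6-cidr-block "$cidr" ;;
    *)   set -- "$@" --cidr-block "$cidr" ;;
  esac
  if [ "$DRY_RUN" = 1 ]; then
    printf 'aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# The Scenario 4 table, one call per row.
apply_scenario4() {
  nacl_entry ingress 100 tcp 22           "$HOME_CIDR" allow  # SSH from the home network
  nacl_entry ingress 110 tcp 3389         "$HOME_CIDR" allow  # RDP from the home network
  nacl_entry ingress 120 tcp "$EPHEMERAL" "$HOME_CIDR" allow  # replies to requests from the subnet
  nacl_entry egress  100 all all          "$HOME_CIDR" allow  # all outbound to the home network
  nacl_entry egress  120 tcp "$EPHEMERAL" "$HOME_CIDR" allow  # keep this if rule 100 is narrowed
}

# Number of entries apply_scenario4 creates, computed from the dry-run output.
count_scenario4() {
  apply_scenario4 | wc -l | tr -d ' '
}

case "${1:-}" in
  --apply) DRY_RUN=0 ;;
esac
apply_scenario4
```

Because the numbers are fixed in the table, re-running the script against an ACL that already holds those rule numbers fails on the first duplicate; delete the old entries with delete-network-acl-entry first, or renumber. The same function serves the IPv6 tables: pass an IPv6 prefix such as 2001:db8:1234:1a00::/64 and the entry is created with --ipv6-cidr-block.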