Planet Sysadmin               

          blogs for sysadmins, chosen by sysadmins...
(Click here for multi-language)

August 29, 2015

Trouble with tribbles

Tribblix meets MATE

One of the things I've been working on in Tribblix is to ensure that there's a good choice of desktop options. This varies from traditional window managers (all the way back to the old awm), to modern lightweight desktop environments.

The primary desktop environment (because it's the one I use myself most of the time) is Xfce, but I've had Enlightenment available as well. Recently, I've added MATE as an additional option.

OK, here's the obligatory screenshot:

While it's not quite as retro as some of the other desktop options, MATE has a similar philosophy to Tribblix - maintaining a traditional environment in a modern context. As a continuation of GNOME 2, I find it to have a familiar look and feel, but I also find it to be much less demanding both at build and run time. In addition, it's quite happy with older hardware or with VNC.

Building MATE on Tribblix was very simple. The dependencies it has are fairly straightforward - there aren't that many, and most of them you would tend to have anyway as part of a modern system.

To give a few hints, I needed to add dconf, a modern intltool, itstool, iso-codes, libcanberra, zenity, and libxklavier. Having downloaded the source tarballs, I built packages in this order (this isn't necessarily the strict dependency order, it was simply the most convenient):
  • mate-desktop
  • mate-icon-theme
  • eom (the image viewer)
  • caja (the file manager)
  • atril (the document viewer, disable libsecret)
  • engramap (the archive manager)
  • pluma (the text editor)
  • mate-menus
  • mateweather (is pretty massive)
  • mate-panel
  • mate-session
  • marco (the window manager)
  • mate-backgrounds
  • mate-themes (from 1.8)
  • libmatekbd
  • mate-settings-daemon
  • mate-control-center
The code is pretty clean, I needed a couple of fixes but overall very little needed to be changed for illumos.

The other thing I added was the murrine gtk2 theme engine. I had been getting odd warnings from applications for a while mentioning murrine, but MATE was competent enough to give me a meaningful warning.

I've been pretty impressed with MATE, it's a worthy addition to the available desktop environments, with a good philosophy and a clean implementation.

by Peter Tribble ( at August 29, 2015 11:27 AM

Aaron Johnson

Links: 8-28-2015

by ajohnson at August 29, 2015 06:30 AM

August 28, 2015

Ubuntu Geek

Evaggelos Balaskas


This is a list with podcasts I listen on a regular base

Tag(s): podcast

August 28, 2015 08:29 PM

Everything Sysadmin

Advice for people that teach system administration?

I've been asked to write an article that will be read by people that teach system administration (and people that research how to best teach system administration).

Sadly I'm having writers block. I have too much to say, so I don't know where to start, or how to narrow it down to 1-2 main points.

My solution is to crowdsource this a bit. So...

What would you tell professors that are studying how to best teach system administration? Or, more importantly: If there is one thing such teachers/researchers should be told, what would it be?

Tell in this Google Form (or in the commments, but I'd prefer the form)

Thanks! Tom

August 28, 2015 04:28 PM

Google Blog

Through the Google lens: Search Trends August 21-27

The terrible images from the WDBJ shooting in Virginia dominated Google searches over the last few days. Here's a look back at the week in search.

WDBJ tragedy
A small TV station in Roanoke, Va., is reeling after two of its journalists were shot and killed live on air Wednesday morning. Police identified the gunman as a former reporter for the station, and if his horrible crime was designed for maximum shock and attention, it worked. Searches for Bryce Williams—the on-air name former employee Vester Flanagan went by—ran into the tens of millions as people looked for information and video of what had happened.

Searches in the path of the storm
Thursday marked 10 years since Hurricane Katrina devastated New Orleans, but searchers in the U.S. over the last 48 hours have been looking ahead to another storm. Today, news outlets are reporting that Tropical Storm Erika has already been responsible for deaths in the Caribbean island of Dominica. As Florida’s governor declared a state of emergency ahead of Erika’s predicted U.S. landfall Monday, the city of Hialeah in South Florida is the top of the list of cities searching for information on the storm. But whether the storm searches are coming from the U.S. or the Caribbean, “Erika path” and related terms are up more than 1000 percent this week.
Reading the search tea leaves on Swift, Minaj and Styles
Get out the popcorn. MTV’s annual Video Music Awards is coming up this Sunday, and all eyes will be on Taylor Swift and Nicki Minaj following their much-buzzed about Twitter spat over nominations for Music Video of the Year. We turned to search to see if trends could show us whether people are leaning Team Swift or Team Minaj headed into the weekend. Tay-Tay’s music video “Blank Space” is in the lead in the Best Female Video category, followed by Minaj’s “Anaconda.” Though “Anaconda” was not nominated for Music Video of the Year—a category that Swift also leads for “Bad Blood,” according to Google searches—Minaj is top of the search pile in the Best Hip Hop Video category.

In other music news, a report that One Direction will be parting ways up brought a 200,000 search spike earlier in the week. “Are One Direction splitting up?” (perhaps we should make that “ARE ONE DIRECTION SPLITTING UP??!?! :(:(:(”) was the top search question, before the band clarified they are actually just taking a break. As former band member Zayn Malik has already decided to go solo, we read the search tea leaves to see what kind of popularity the current members have should the band, well, disband. Most likely to launch a successful solo career based on search buzz? Harry Styles is the resounding winner, taking a whopping 60 percent of the 1D searches. Our advice for Liam Payne: at 1 percent, don’t give up your day job.

by Google Blogs ( at August 28, 2015 04:37 PM

Everything Sysadmin

Usenix LISA Conversations: Episode 2 is up!

Ben Rockwood was the guest of Episode 2. He gave a great talk at LISA'14 and we invited him to discuss it, the reaction it got, and what's new in his thinking since. Ben's a funny guy and had a lot of insightful new things to say.

I wasn't able to attend, so Lee Damon cohosted with a great substitute David N. Blank-Edelman. I'll be back next month when Dan Klein will be our guest.

More info about ULC including links to past and present videos is available at the homepage:

August 28, 2015 02:29 PM

August 27, 2015

Le blog de Carl Chenet

Liens intéressants Journal du hacker semaine #35

Suivez-moi aussi sur Diaspora* ou Twitter  ou sur Pour cette 35ème semaine de 2015, 5 liens intéressants que vous avez peut-être ratés, relayés cette semaine par le Journal Du Hacker, votre source d’informations pour le Logiciel Libre francophone ! Une avalanche de FUD sur Mozilla et Firefox APT : Début de simplification Lecteur de flux…

by Carl Chenet at August 27, 2015 08:30 PM

Server Density

10 Ways to Secure Your Webapp

While there is no such thing as 100% secure, you can take specific measures to mitigate against a wide range of attacks and secure your webapp as much as possible.

In this post we discuss some of the steps we’ve taken as part of our efforts to secure our server monitoring tool.

1. Cover the Basics

Before considering any of the suggestions listed here, make sure you’ve covered the basics. Those include industry best practices like protecting against SQL injection, filtering, session handling, and XSRF attacks.

Also check out the OWASP cheat sheets and top 10 lists to ensure you’re covered.

2. Use SSL only

When we launched Server Density in 2009, we offered HTTPS for monitoring agent postbacks but didn’t go as far as to block standard HTTP altogether.

Later on, when we made the switch to HTTPS-only, the change was nowhere near as onerous as we thought it would be.

SSL is often viewed as a performance bottleneck but that isn’t really true. In most situations, we see no reason not to force SSL for all connections right from the start.

Server Density v2 uses a new URL. As part of this, we can force SSL for new agent deployments and access to the web UI alike. We still support the old domain endpoint under non-SSL but will eventually be retiring it.

To get an excellent report on how good your implementation is, run your URL against the Qualys SSL server test. Here is ours:

SSL scan for our webapp

3. Support SSL with Perfect Forward Secrecy

Every connection to an SSL URL is encrypted using a single private key. If someone obtains that key they can decrypt and access the traffic of that URL.

Perfect forward secrecy addresses this risk by negotiating a new key with every session. A compromise of one key would therefore only affect the data in that one session.

To do this, you need to allow certain cipher suites in your web server configuration.

ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA is compatible with most browsers (for more background and implementation details check out this post).

We terminate SSL at our nginx load balancers and implement SSL using these settings:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers   on;
# prefer RC4-SHA to avoid BEAST
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;

You can easily tell if you're connected using perfect forward secrecy. In Chrome, just click on the lock icon preceding the URL and look for ECDHE_RSA under the Connection tab:

TLS security

4. Use Strict Transport Security

Forcing SSL should be combined with HTTP Strict Transport Security. Otherwise you run a risk of users entering your domain without specifying a protocol.

For example, typing rather than and then being redirected to HTTPS. This redirect opens a security hole because there’s a short time when communication is still over HTTP.

You can address this by sending an STS header with your response. This forces the browser to do the HTTP to HTTPS conversion without issuing a request at all. Instead, it sends the header together with a time setting that the browser stores, before checking again:

strict-transport-security:max-age=315360000; includeSubdomains

Our header is set for 10 years and includes all subdomains because each account gets their own URL, for example:

5. Submit STS Settings to Browser Vendors

Even with STS headers in place there’s still a potential hole, because those headers are only sent after the first request.

One way to address this is by submitting your URL to browser vendors so they can force the browser to only ever access your URL over SSL.

You can read more about how this works and submit your URL for inclusion in Chrome. Firefox seeds from the Chrome list.

6. Enforce a Content Security Policy

Of the top 10 most common security vulnerabilities, cross site scripting (XSS) is number 3. This is where remote code is injected and executed on your site, usually through incorrect (or non-existing) filtering.

A good way to combat this is to whitelist the specific remote resources you want to allow. If a script URL is not matched by this list then browsers will block it.

It’s much easier to implement this on a new product because you can start out by blocking everything. You then open specific URLs as and when you add functionality.

Using browser developer tools you can easily see which remote hosts are being called. The CSP we use is:

content-security-policy:script-src 'self' 'unsafe-eval' https://* https://* https://* https://*; connect-src 'self' https://* https://* https://* https://*; frame-src 'self' https://* https://* https://* https://*; object-src 'none'

We have to specifically allow unsafe-eval here, as a number of third party libraries require this. You might not use any third party libraries—or the libraries you do use may not require unsafe eval—in which case you should not allow unsafe-eval.

script-src is a directive that controls a set of script-related privileges for a specific page. For more information on connect-src, script-src and frame-src this is a good introduction on CSP.

Be careful with wildcarding on domains which can have any content hosted on them. For example wildcarding * would allow anyone to host any script. This is Amazon’s CDN which everyone can upload files to!

Also note that Content-Security-Policy is the standard header but Firefox and IE only support X-Content-Security-Policy. See the OWASP documentation for more information about the header names and directives.

7. Enable HTTP security headers

You can enable some additional security features in certain browsers by setting the appropriate response headers. While not widely supported, they are still worth considering:

8. Setup passwords, “remember me” and login resets properly

This is the main gateway to your webapp, so make sure you implement all stages of logging-in properly. It only takes a short amount of time to research and design a secure process:

  • Registration and login should use salting and cryptographic functions (such as bcrypt) to store passwords, not plain text or MD5 hashing.
  • Password reset should use an out-of-band method to trigger resets, for example: requiring a username then emailing a one-time, expiring link to the on-record email address where the user can then choose a new password. Here is more guidance and a checklist.
  • "Remember me" functionality should use secure tokens to recognise the user, and not storing their credentials in cookies.

You can review your authentication process against this OWASP cheat sheet.

9. Offer Multi Factor Authentication

If your webapp is anything more than a trivial consumer product, you should implement—and encourage your users to use—multi factor authentication.

This requires them to authenticate using something they carry with them (token), before they can log in. An attacker would therefore need both this token (phone, RSA SecurID etc) and user credentials before they obtain access.

We use the Google Authenticator standard because it has authentication apps available for all platforms, and has libraries for pretty much every platform.

It is quite onerous to install a custom, proprietary MFA app so we don’t recommend you implement your own system.

Be sure to re-authenticate for things like adding/removing MFA tokens. We require re-authentication for all user profile changes.

We do however have a timeout in place during which users won’t have to re-authenticate. This timeout applies for simple actions like changing passwords (adding or removing tokens requires authentication even during the timeout).

To sum up, MFA is crucial for any serious application as it’s the only way to protect against account hijacking.

10. Schedule Security Audits

We inspect security as part of our code review and deployment process (many eyes on the code). We also have regular reviews from external security consultants.

We recommend having one firm do an audit, implement their fixes, and then have another firm audit those changes.


Security is all about identifying and mitigating possible risks of attack. The operative word here is mitigation, since new threats are always emerging.

This is an ongoing exercise. Be sure to conduct regular reviews of all existing measures, check for new defence mechanisms and keep abreast of security announcements.

The post 10 Ways to Secure Your Webapp appeared first on Server Density Blog.

by David Mytton at August 27, 2015 02:00 PM

Google Blog

Improving Public Alerts for hurricane season

Ten years ago, Hurricane Katrina ravaged the Gulf Coast of the United States, flooding cities, displacing thousands of people, and causing billions of dollars worth of damage. It is the costliest natural disaster, and one of the deadliest hurricanes, in U.S. history.

After rescue efforts began in the immediate aftermath of Katrina, some Googlers wondered how they could connect people with useful information and resources related to the storm. With the help of many third-party organizations, small groups of our employees worked to display satellite imagery of affected areas in Google Earth and helped build searchable databases so people could check on the safety of friends and loved ones. These early efforts later became some of the standard actions taken today by the Google Crisis Response Team following natural disasters, from hurricanes to earthquakes to tsunamis.

As the U.S. enters hurricane season again, Katrina remains a stark reminder of the devastation a storm like that can cause. We want to be as prepared and as helpful as possible for the next one—no matter where it hits, or how big it is. So we’re always working to improve our Crisis Response efforts to help people stay safe and informed during these events.

With that in mind, we've launched some improvements to weather forecasts and Public Alerts in Google Search to track storms during this year's U.S. hurricane season. Now, when you search the web for information about particular storms or tornadoes, you may see:

  • A map showing your location in relation to the oncoming storm
  • Visualizations of its forecasted track, wind severity and arrival time, courtesy of NOAA
  • Concise instructions for preparing and staying safe, customized for the estimated intensity of the storm and its arrival time relative to your location, from FEMA and

The safety recommendations you receive will be tailored to reflect the current status of the event and your context. For example, if you search for a specific storm when it’s still several days away, you may see a map of the developing weather event and a recommendation to start preparing an emergency kit. If the storm is only hours away from your location, you might receive a reminder to start charging your phone in case power goes out. And if you search when the storm is nearby, you'll get the most urgent information, like how to avoid injury from fast-moving water or flying debris.

Tropical storm alert with precise location, wind details and customized safety checklist. Improved tropical storm alerts like this will appear in Search on mobile and desktop.

Not every storm is as devastating as Katrina was, but they all have the potential to cause damage, disrupt lives, and uproot communities. By providing useful, accurate, early-warning information, we want to do our part to help people prepare. More information won’t stop natural disasters from occurring, but it can go a long way to keeping people safe, and in some cases, could even save lives.

by Google Blogs ( at August 27, 2015 09:24 AM

August 26, 2015

Yellow Bricks

Startup intro: ZeroStack

Advertise here with BSA

A couple of months back one of the people I used to work a lot with in the DRS team reaches out to me. He told me that he started a company with some other people I knew and we spoke about the state of the industry and some of the challenges customers faced. Fast forward to today, ZeroStack just came out of stealth and announced to the world what they are building and an A round funding of roughly $ 5.6m.

At the head of the company as CEO we have Ajay Gulati, former VMware employee and most known for Storage IO Control, Storage DRS and DRS. Kiran Bondapalati is the CTO and some may recognize that name as he was a lead architect on Bromium. The DNA of the company is a mix of VMware, Nutanix, Bromium, Cisco, Google an more. Not a bad list I must say

So what are they selling? ZeroStack has developed a private cloud solution which is delivered in two parts:

  1. Physical 2U/4Node Appliance which comes with KVM preinstalled named ZS1000
  2. Management / Monitoring solution which is delivered in a SaaS model.

ZeroStack showed me a demo and getting their appliance up and running took about 15 minutes, the configuration wizard wasn’t unlike EVO:RAIL and looked very easy to run through. The magic however if you ask me isn’t in their configuration section, it is the SaaS based management solution. I stole a diagram from their website which immediately shows the potential.


The SaaS management layer provides you a single pane of glass of all the deployed appliances. These can be in a single site or in multiple sites. You can imagine that especially for ROBO deployments this is very useful, but also in larger environments. Now it doesn’t just show you the physical aspect, it also shows you all the logical constructs that have been created like “projects”.

At this part of the demo by the way I got reminded of vCloud Director a bunch of times, and AWS for that matter. ZeroStack allows you to create “tenants” and designate resources to them in the form of projects. These can even have a lease times, which is kind of similar to what vCloud Director offers also.

When looking at the networking aspects of ZeroStack’s solution it also has the familiar constructs like private networks and public networks etc. On top of that networking services like routing / firewall’ing are implemented also in a distributed fashion. And before I forget, everything you see in the UI can also be automated through the APIs which are fully Openstack compatible.

Last but not least we had a discussion about patching and updating. With most systems this is usually the most complicated part. ZeroStack took a very customer friendly approach. The SaaS layer is being updated by them, and this can happen as frequent as once every ten days. The team said they are very receptive to feedback and have a short turnaround time for implementing new functionality, as their goal is to provide most functionality through the SaaS layer. The appliance will be on a different patch/update scheme, probably once every 3 or 6 months, of course depending on the problems fixed and features introduced. The updates are done in a rolling fashion and non-disruptive to your workloads, as expected.

That sounds pretty cool right? Well as always with a 1.0 version there is still some functionality missing. Functionality that is missing in 1.0 is for instance a “high availability” feature for your workloads. If a host fails then you as an admin will need to restart those VMs. Also when it comes to load balancing, there is no “DRS-alike” functionality today. Considering the background of the team though, I can imagine both of those showing up at some point in the near future. It does however mean that for some workloads the 1.0 version may not be the right solution for now. Nevertheless, test/dev and things like cloud native apps could land on it.

All in all, a nice set of announcements and some cool functionality coming. These guys are going to be at VMworld so make sure to stop by their booth if you want to see what they are working on.

"Startup intro: ZeroStack" originally appeared on Follow me on twitter - @DuncanYB.

by Duncan Epping at August 26, 2015 05:50 PM

SysAdmin's Diary

Red Hat Forum 2015, Kuala Lumpur

It’s been a long long time since my last time attending Red Hat event. So, shall we meet at Red Hat Forum 2015, Kuala Lumpur? Register here.

by irwan at August 26, 2015 03:40 PM

Standalone Sysadmin

Great Open Positions at Northeastern CCIS

I’ve landed in Los Angeles, and I’m getting settled in temporary housing until I find my own place, but it’s been a really busy couple of weeks, and I just realized that I didn’t get a chance to post about the open positions that my (now former) team has.

First, more obviously, there’s my old position, that of the Networking & Virtualization Administrator. The position is officially posted on Northeastern’s Careers page, but I can tell you that you’d be responsible for a medium-sized relatively flat network infrastructure. There are a few dozen VLANs, all statically routed from the core switches, and around a thousand lit switchports. The hardware is mostly Cisco Catalyst, with the core being Cisco Nexus 5548s, although there are some virtual PFsense boxes running around too.  You would be working with the (pretty friendly and competent) central ITS network admin to coordinate staff and faculty moves around the infrastructure, and with the university’s security officer (who is also surprisingly friendly, given his line of work) whenever something weird pops up.

The role is also responsible for the VMware cluster, which currently consists of around 15 ESXi nodes and two vCenter instances (one for “production” use which has the vSphere Essentials Plus license) and the educational cluster, built out using VMware Academic licenses for classroom and academic use. They’re backed by NetApp and Nimble storage, and it’s this part of the job responsibilities that gives you a little more creativity to solve problems, since professors usually want interesting things. I’ve built some useful stuff in PowerShell, but there’s no reason you have to use that long-term, if you want to solve the problems yourself.

Anyway, I really enjoyed my time in this position, and to be honest, I really miss the other staff members and students there.

In addition, the CCIS staff is growing. We got a new dean a little over a year ago, and one of the things she wants to do is to offer management of researchers’ clusters in a more active manner, so we are looking for another Linux sysadmin (pretty much all of the researchers do work on Linux).

This position will involve a lot working with our current Linux admin to bring over the technology he has built to deal with our “managed” machines to help with our “unmanaged” or “soon to be managed” researcher-owned machines. Basically, there’s nothing like this right now, so you would be inventing the role as you go. Exciting! Challenging! Rewarding!

Anyway, please, if you’re looking for a position in Boston somewhere, take a look at Northeastern. It’s easy to get to, there’s free tuition for you, your spouse, and your children, and I feel like the staff that I worked with there are my family, and I miss them :-)

If you have any questions, please drop me an email and I’ll be happy to help. Thanks!

by Matt Simmons at August 26, 2015 03:11 PM


How to Force Your Android Device to Power Off

These tips may help you unfreeze your Android device when all else seems to fail.

android unable to start

If your Android powered smartphone comes with a removable battery – take it out, then pop it back in and start your phone as normal. If you don’t have a removable battery, keep reading.

On most Android devices (phones and tablets), you can force restart your device by holding the Power button while holding the Volume Down button at the same time. Hold them down until the phone goes ‘blank’ (finally powers off) and then boots up (starts) again.

Android device being forced to powered off

On a few Android phones, you have to hold down the Power button and both Volume buttons.

If none of the above steps work for you, visit Google and run a search for your phone model and then the word “manual” (to find a digital copy of your phones operating manual) or search for your phones specific model with the phrase “force power off”. To determine your exact phone model, follow these 3 quick steps:

  1. If you’re able to operate your phone at all, tap the Settings button.
  2. android settings button

  3. Locate and select the About device section.
  4. the About Android setting section

  5. Now find the Model number section.
  6. Android Model Settings section

  7. Use the exact Model number (letters, dashes and all) when running a search that includes the word (or phrase) “manual” or “force restart”.

If your device is completely frozen and you aren’t able to figure out the exact model number, search for the device name (example, “Samsung Galaxy S4 force restart” (which by the way, happens to be the ‘default’ hold down Power and Volume Down at the same time).

by Ross McKillop at August 26, 2015 01:37 PM


Freexian’s report about Debian Long Term Support, July 2015

A Debian LTS logoLike each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In July, 79.50 work hours have been dispatched among 7 paid contributors. Their reports are available:

Evolution of the situation

August has seen a small decrease in terms of sponsored hours (71.50 hours per month) because two sponsors did not pay their renewal invoice on time. That said they reconfirmed their willingness to support us and things should be fixed after the summer. And we should be able to reach our first milestone of funding the equivalent of a half-time position, in particular since a new platinum sponsor might join the project.

DebConf 15 happened this month and Debian LTS was featured in a talk and in a work session. Have a look at the video recordings:

In terms of security updates waiting to be handled, the situation is better than last month: the dla-needed.txt file lists 20 packages awaiting an update (4 less than last month), the list of open vulnerabilities in Squeeze shows about 22 affected packages in total (11 less than last month). The new LTS frontdesk ensures regular triage of CVE reports and the difference between both counts dropped significantly. That’s good!

Thanks to our sponsors

Thanks to Sig-I/O, a new bronze sponsor, which joins our 35 other sponsors.

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

by Raphaël Hertzog at August 26, 2015 09:14 AM

August 25, 2015


How to Root the Samsung Galaxy Tab A

This step by step guide will take you all of the way from start to finish through the process of “rooting” your Samsung Galaxy Tab A tablet.

There are all kinds of reasons you may want to root your Samsung Galaxy Tab A
– whatever yours may be, this is the tutorial for you! :)

What you’ll need:

  • A Windows PC running Vista, Windows 7, 8.x or 10. Note to Mac users: If you’re going to try this in a virtual environment, using VirtualBox or Parallels Desktop, it’s probably not going to work. It did not work using VirtualBox running Windows 10. You may have more luck with Parallels.
  • Some free software, all of which can be downloaded via this tutorial
  • Your Tab A and a USB cable
  • About half an hour
    1. Start out by downloading the Samsung Android USB Driver for Windows (link opens in a new window/tab). If you have any problem downloading the file from the previous link, here’s a alternate download.
    2. After the download has completed, open the zip file and run the SAMSUNG_USB_Driver_for_Mobile_Phones.exe driver installation package.
    3. The installation might seem like it ‘stalls’ – don’t worry, just give it a few minutes. Click Finish when you’re done.
    4. Now download Odin3 – a small program that’s used to root your Tab A. This tutorial uses version 3.10.6. There has since been a newer release (3.10.7) – we still suggest you use 3.10.6 since we know for certain it works. If the previous link doesn’t work, here’s a direct download for Odin3 v3.10.6.
    5. Now grab your Galaxy Tab A and tap the Settings button.
    6. android settings button

    7. Locate and select About device
    8. Now scroll to the Model number section and make note of yours. Based on your model, you’ll need to download one of two files.
    9. If you have the SM-T550, the SM-P550 or the SM-P555 – download this file. If you have the SM-T350, the SM-P550 or the SM-P555, download this file. Save the file in your Downloads folder. Note: many thanks to ashyx for creating these files!
    10. Now extract the contents of the Odin3 file, and then open the (just created) Odin3 v3.10.6 folder.
    11. Run the Odin3 v3.10.6 app.
    12. Welcome to Odin3! Select the Options tab and then make sure there are ‘check marks’ in the boxes labelled Auto Reboot and F. Reset Time. Make sure there are no check marks in all of the other boxes/options. Then click the AP button.
    13. Navigate to the .tar file that you downloaded back in Step #8 (above). Select it by clicking on it once, and then click the Open button.
    14. Grab your Galaxy Tab A again and power it completely off.
    15. At this point we’re going to boot (start up) your tablet into Download Mode. Press and hold the Volume Down, Home, and Power buttons at the same time.
    16. You’ll know you’ve successfully booted into Download Mode when a blue screen with a large Warning message is displayed. Tap the Volume UP button to continue.

    17. click to enlarge

    18. Once again, grab your Tab A and this time use your USB cable and plug it into your Windows PC/laptop.
    19. Back in Odin3, click the Start button.

    20. In the left column of Odin3, you’ll see a bunch of text appear.
    21. At some point your Tab A is going to reboot. When it comes back up, don’t be at all surprised if there’s (unintelligible) text on the screen etc.
    22. Eventually (doesn’t take that long) Odin3 will display a large green PASS! notification (see screenshot below).
    23. Congratulations, your Galaxy Tab A has now been rooted!
    24. To completely confirm everything went successfully, download and install Root Checker from the Google Play Store (it’s a free App).
    25. Launch it from your Tab A and click the “Green Circle” button in the bottom right corner of the App.
    26. Tap the Grant button to check to see if your Tab A was rooted correctly.
    27. Close the Ad that probably appeared right after you tapped Grant, and in the upper-left corner of the Root Checker App, confirm that the Status is Rooted.
    28. You’re all done!

    by Ross McKillop at August 25, 2015 08:10 PM

    Yellow Bricks

    Virtual SAN Ready Nodes taking charge!

    Advertise here with BSA

    Yes that is right, Virtual SAN Ready Nodes are taking charge! As of today when you visit the VMware Compatibility Guide for Virtual SAN it will all revolve around Virtual SAN Ready Nodes instead of individual components. You may ask yourself why that is, well basically because we want to make it easier for you to purchase the hardware needed while removing the complexity of selecting components. This means that if you are a Dell customer and want to run Virtual SAN you can simply select Dell in the VMware Compatibility Guide and then look at the different models there are of the different sizes. It is very easy as can be seen in the screenshot below.

    virtual san ready nodes

    Traditionally there were 3 different sizes for “Server Virtualization”, but with the full overhaul of the VSAN VCG a new size was added. The naming of the sizing has also changed. Let me explain what it looks like now, note that these “sizing profiles” are the same across all vendors so comparing HP to Dell or IBM (etc) was never easier!

    New NameOld Name
    HY-2Hybrid Server Low
    HY-4** new **
    HY-6Hybrid Server Medium
    HY-8Hybrid Server High
    HY-8Hybrid VDI Linked Clones
    Hybrid VDI Full Clones
    AF-6All Flash Server Medium
    AF-8All Flash Server High
    AF VDI Linked Clones
    AF VDI Full Clones

    The new model introduced is HY-4 Series, the reason this model was introduced is because some customers felt that the price difference between HY-2 and H&-6 was too big. By introducing a model in between we now cover all price ranges. Note that it is still possible when selecting the models to make changes to the configuration. If you want model HY-2 with an additional 2 disks, or with 128GB of memory instead of 32GB then you can simply request this.

    So what are we talking about in terms of capacity etc? Of course this is all documented and listed on the VCG as well, but let me share it with you here also for your convenience. Note that performance and VM numbers may be different for your scenario, this of course will depend on your workload and the size of your VMs etc.

    ModelCPU / MemStorage CapStorage PerfVMs per node
    HY-21 x 6 core / 32GB2TB4000 IOPSUp to 20
    HY-42 x 8 core / 128GB4TB10K IOPSUp to 30
    HY-62 x 10 core / 256GB8TB20K IOPSUp to 50
    HY-82 x 12 core / 348GB12TB40K IOPSUp to 100
    AF-62x12 core / 256GB8TB50K IOPSUp to 60
    AF-82x12 core / 348GB12TB80K IOPSUp to 120

    In my opinion, this new “Ready Node” driven VMware Compatibility Guide driven approach is definitely 10 times easier then focusing on individual components. You pick the ready node that comes close to what you are looking for, provide your OEM with the SKU listed and tell them about any modifications needed in terms of CPU/Mem or Disk Capacity. PS: If you want to access the “old school HCL” then just click on the “Build Your Own based on Certified Components” link on the VCG page.

    "Virtual SAN Ready Nodes taking charge!" originally appeared on Follow me on twitter - @DuncanYB.

    by Duncan Epping at August 25, 2015 01:51 PM

    Google Blog

    New (School) Year resolutions with #GoogleEdu

    The tradition of ringing in each New Year with resolutions (whether we stick to them or not) is always an opportunity to reflect and start the year ahead on the right foot. As students and teachers around the world return to campuses and classrooms this fall, we’re embarking on a different kind of fresh start: a New (School) Year. And we want to help you make the most of it. So we’ve put together a few resolution ideas, plus tips to help you stick to them. We’ve also made a resolution of our own: to bring the best of Google technology to education.
    The best of Google, for education
    Like many resolutions, ours might sound familiar—and that’s because the Google for Education team has been working on it for a while. Over the last few years, we’ve spent a lot of time with teachers and students, witnessing firsthand how technology is helping in the classroom and learning about challenges that are yet unsolved. With feedback from schools, we’ve improved products like Google Apps for Education and Docs, building in new features specifically useful for education. We’ve also created new learning experiences like Google Classroom—a sort of mission control for teachers and students, offering a single place to keep track of all class materials, eliminating paperwork and making it easy for teachers to collaborate with students, and students to collaborate with each other.

    So as part of our resolution this school year, we’re launching some new features in Google Classroom. Teachers can now easily ask students questions in Classroom, alongside all the other class materials in the stream. Teachers also told us that they want more ways for students to engage with each other, and flex their critical thinking muscles. So now students can comment on each other’s answers in Classroom and have open-ended discussions. In the next month, we'll also make it possible for teachers to add assignments, due dates and field trips to a shared calendar.

    So what’s your resolution?
    We’re sure you’ve already set some big goals for the year ahead—from acing AP Bio to landing that killer internship. Whatever your plans, it can be tough to stick with those goals once assignments and social commitments start to pile up. So we’ve collected 50+ tips from more than 15 Google products to help you follow through with your resolutions. Here are some ideas:
    Resolution 1. Get (and stay) organized
    When you’re bogged down by clutter, it can be tough to get stuff done. Make this your year to be more organized. Never miss another study group with help from Google Calendar. Use Google Sheets to keep all your classmates' info in one place, and better manage your inbox by emailing everyone at once with a Google group.

    Resolution 2. Get (mentally) fit
    Push yourself to take your studies to the next level. Teach yourself how to code with Made with Code. Make the most of language class by saving your most used words and phrases with Google Translate or magically translating webpages with Google Chrome.

    Resolution 3. Get some worldly perspective
    Not studying abroad this year? No problem. You can still unleash your inner explorer with Google Maps Treks and visit the Pyramids of Giza or the Great Barrier Reef without leaving your room. Or bring your art history class to life by seeing those masterpieces up close and in perfect detail with Cultural Institute.

    We hope these give you new ideas for how you can make this school year your best yet. Over the next few weeks, we’ll be announcing more tips and other updates—so follow along with #GoogleEdu and on Google+. We’ll be doing our homework to stick to our resolution, so we can hopefully give you what you need to do the same. Now go hit those books!

    Over the last few years, we’ve spent a lot of time with teachers and students, witnessing firsthand how technology is helping in the classroom and learning about challenges that are yet unsolved.

    by Google Blogs ( at August 25, 2015 06:00 AM

    August 24, 2015

    Everything Sysadmin

    LISA Schedule published!

    This year's committee has done a bang-up job!

    See the entire schedule! Register today!

    August 24, 2015 02:27 PM

    mikas blog

    DebConf15: “Continuous Delivery of Debian packages” talk

    At the Debian Conference 2015 I gave a talk about Continuous Delivery of Debian packages. My slides are available online (PDF, 753KB). Thanks to the fantastic video team there’s also a recording of the talk available: WebM (471MB) and on YouTube.

    by mika at August 24, 2015 12:15 PM

    Google Webmasters

    #NoHacked: Fixing the Injected Gibberish URL Hack

    Today in our #NoHacked campaign, we’ll be discussing how to fix the injected gibberish URL hack we wrote about last week. Even if your site is not infected with this specific type of hack, many of these steps can be helpful for fixing other types of hacks. Follow along with discussions on Twitter and Google+ using the #NoHacked tag. (Part 1, Part 2, Part 3, Part 4)

    Temporarily Take your Site Offline

    Taking your site offline temporarily will prevent your site’s visitors from going to hacked pages and give you time to properly fix your site. If you keep your site online, you run the risk of getting compromised again as you clean up your site.

    Treating your Site

    The next few steps require you to be comfortable making technical changes to your site. If you aren’t familiar or comfortable enough with your site to make these changes, it might be best to consult with or hire someone who is. However, reading through these steps will still be helpful.

    Before you start fixing your site, we advise that you back up your site. (This backed up version will still contain hacked content and should only be used if you accidentally remove a critical file.) If you’re unsure how to back up your site, ask your hosting provider for assistance or consult your content management system (CMS) documentation. As you work through the steps, any time you remove a file, make sure to keep a copy of the file as well.

    Checking your .htaccess file

    In order to manipulate your site, this type of hack creates or alters the contents of your .htaccess file. If you’re not sure where to find your .htaccess file, consult your server or CMS documentation.

    Check the contents of your .htaccess file for any suspicious content. If you’re not sure how to interpret the contents of the .htaccess file, you can read about it on the documentation, ask in a help forum, or you can consult an expert. Here is an example of a .htaccess modified by this hack:

    • <IfModule mod_rewrite.c> 
    •   RewriteEngine On  
    •   #Visitors that visit your site from Google will be redirected  
    •   RewriteCond %{HTTP_REFERER} google\.com 
    •   #Visitors are redirected to a malicious PHP file called happypuppy.php 
    •   RewriteRule (.*pf.*) /happypuppy.php?q=$1 [L] 
    • </IfModule>

    Identifying other malicious files

    The most common types of files that are modified or injected by this hack are JavaScript and PHP files. Hackers typically take two approaches: The first is to insert new PHP or JavaScript files on your server. The inserted files can sometimes be named something very similar to a legitimate file on your site like wp-cache.php versus the legitimate file wp_cache.php. The second approach is to alter legitimate files on your server and insert malicious content into these files. For example, if you have a template or plugin JavaScript file on your site, hackers might add malicious JavaScript to the file.

    For example, on a malicious file named happypuppy.php, identified earlier in the .htaccess file, was injected into a folder on the site. However, the hackers also corrupted a legitimate JavaScript file called json2.js by adding malicious code to the file. Here is an example of a corrupted json2.js file. The malicious code is highlighted in red and has been added to the very bottom of the json2.js file:

    To effectively track down malicious files, you’ll need to understand the function of the JavaScript and PHP files on your site. You might need to consult your CMS documentation to help you. Once you know what the files do, you should have an easier time tracking down malicious files that don’t belong on your site.

    Also, check your site for any recently modified files. Template files that have been modified recently should be thoroughly investigated. Tools that can help you interpret obfuscated PHP files can be found in the Appendix.

    Removing malicious content

    As mentioned previously, back up the contents of your site appropriately before you remove or alter any files. If you regularly make backups for your site, cleaning up your site might be as easy as restoring a clean backed-up version.

    However, if you do not regularly back up your site, you have a few alternatives. First, delete any malicious files that have been inserted on your site. For example, on, you would delete the happypuppy.php file. For corrupted PHP or JavaScript files like json2.js, you’ll have to upload a clean version of those files to your site. If you use a CMS, consider reloading a fresh copy of the core CMS and plugin files on your site.

    Identifying and Fixing the Vulnerability

    Once you’ve removed the malicious file, you’ll want to track down and fix the vulnerability that allowed your site to be compromised, or you risk your site being hacked again. The vulnerability could be anything from a stolen password to outdated web software. Consult Google Webmaster Hacked Help for ways to identify and fix the vulnerability. If you’re unable to figure out how your site was compromised, you should change your passwords for all your login credentials,update all your web software, and seriously consider getting more help to make sure everything is ok.

    Next Steps

    Once you’re done cleaning your site, use the Fetch as Google tool to check if the hacked pages still appear to Google. You'll need to bring your site back online to test with Fetch as Google. Don’t forget to check your home page for hacked content as well. If the hacked content is gone, then, congratulations, your site should be clean! If the Fetch as Google tool is still seeing hacked content on those hacked pages, you still have work to do. Check again for any malicious PHP or JavaScript files you might have missed.

    Bring your site back online as soon as you’re sure your site is clean and the vulnerability has been fixed. If there was a manual action on your site, you’ll want to file a reconsideration request in Search Console. Also, think about ways to protect your site from future attacks. You can read more about how to secure your site from future attacks in the Google Hacked Webmaster Help Center.

    We hope this post has helped you gain a better understanding of how to fix your site from the injected gibberish URL hack. Be sure to follow our social campaigns and share any tips or tricks you might have about staying safe on the web with the #nohacked hashtag.

    If you have any additional questions, you can post in the Webmaster Help Forums where a community of webmasters can help answer your questions. You can also join our Hangout on Air about Security on August 26.


    These are tools that may be useful. Google doesn't run or support them.

    PHP Decoder, UnPHP: Hackers will often distort PHP files to make them harder to read. Use these tools to clean up the PHP files so you understand better what the PHP file is doing.

    by Google Webmaster Central ( at August 24, 2015 10:56 AM

    August 23, 2015

    Evaggelos Balaskas

    forwarding logs with Fluentd

    Server_A —> Server_B —> Server_C

    Let’s say that we have our elasticsearch/kibana setup on Server_C
    but Server_A can’t talk to Server_C.


    # tail /etc/rsyslog.d/20_central_logging.conf 
    *.*      @
    & ~


    install fluentd

    # wget -c
    # rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm

    configure fluentd

    # vim /etc/td-agent/td-agent.conf
      type syslog
      port 42185
      tag  rsyslog
    <match ***>
      type forward
      send_timeout 10s
      recover_wait 10s
      heartbeat_interval 1s
      phi_threshold 16
      hard_timeout 60s

    Server C

    install fluentd

    # wget -c
    # rpm -ivh td-agent-2.2.1-0.el6.x86_64.rpm

    configure fluentd

    # vim /etc/td-agent/td-agent.conf
    <match ***>
      type elasticsearch
      flush_interval 10s # for testing
      logstash_format true

    PLZ Dont forget your iptables rules !!!!
    UDP & TCP

    Tag(s): Fluentd

    August 23, 2015 04:28 PM

    Matt Brock

    Monitoring HP ProLiant DL360 hardware in CentOS, with Nagios (optional)

    My original post for monitoring HP storage hardware in CentOS is now out of date, so I decided to write an updated post for monitoring all hardware, not just storage hardware, and for optionally including this hardware monitoring in Nagios.

    This is written primarily for CentOS 6. It should be largely fine for CentOS 5 and CentOS 7 too, although one or two modifications may be needed. It should also work with some other HP ProLiant servers such as the DL380.

    smartd for (supposedly) predicting drive failure

    Before we get onto the HP software, it's worth taking a minute to install smartd, which you can obtain by installing the smartmontools package in CentOS. This software uses the SMART system to attempt to predict when drives are going to fail. It's easy to configure so that smartd supposedly emails you as soon as problems are detected with drives.

    Here's an older example of an /etc/smartd.conf file on a server which has two SAS disks arranged into a single RAID partition:

    /dev/cciss/c0d0 -d cciss,0 -a -m
    /dev/cciss/c0d0 -d cciss,1 -a -m

    Here's a more recent example of an /etc/smartd.conf file on a server which has two SSDs configured as RAID 1:

    /dev/sda -a -m

    However, I've never found smartd to be very useful. It starts up fine and indicates via syslog that it's monitoring the disks, but I've never had smartd give a warning before a drive failure even though I'm quite sure it's configured correctly.

    HP software for hardware monitoring

    So, onto the really useful stuff. If you try to do this using the official methods as advised by HP, you'll probably end up installing a whole bunch of awful bloated software that you don't need taking up resources on your servers. In fact there are only two or three fairly small components which you actually need.

    Previously it was necessary to get the first two of these from the HP Service Pack For ProLiant, but HP have recently changed everything once again, so now it's necessary to get the Management Component Pack for CentOS 6 (also known as hp-mcp) from CentOS 6 Downloads on the Support section of the HP website; this provides the the hp-health (previously known as hpasm) and hpssacli (previously known as hpacucli) components that you'll need.

    If you have SSDs installed, you'll also want to get the HP Smart Storage Administrator Diagnostic Utility (also known as HP SSADU or hpssaducli, previously known as hpadu) from the Software - System Management section in Red Hat Enterprise Linux 6 Server (x86-64) Downloads on the Support section of the HP website.

    Sorry if that all seems a bit longwinded, but HP do have a way of making things complicated.

    When you extract the hp-mcp tarball after downloading the Management Component Pack for CentOS 6, you'll find a subdirectory called something like mcp/CentOS/6/x86_64/10.10 in which there are a bunch of RPM files. Upload the hp-health and hpssacli RPMs to your servers, along with the hpssaducli RPM you got from the HP Smart Storage Administrator Diagnostic Utility if you have SSDs. Then install them the usual way, with rpm -i ... etc.

    Checking server hardware with hpasmcli

    Once these are installed you can check server hardware by running hpasmcli. Once in, if you type show then you'll see what things you can check. For example, show powersupply gives you up to date information on - unsurprisingly - the power supplies:

    Power supply #1
            Present  : Yes
            Redundant: Yes
            Condition: Ok
            Hotplug  : Supported
            Power    : 40 Watts
    Power supply #2
            Present  : Yes
            Redundant: Yes
            Condition: Ok
            Hotplug  : Supported
            Power    : 30 Watts

    Type help to get more information.

    Checking storage hardware with hpssacli

    Next, to check the RAID controller and installed drives, use a command like the following:

    hpssacli ctrl all show status ; hpssacli ctrl slot=0 ld all show status ; 
    hpssacli ctrl slot=0 pd all show status

    That command should show something like this:

    Smart Array P440ar in Slot 0 (Embedded)
       Controller Status: OK
       Cache Status: Not Configured
       Battery/Capacitor Status: OK
       logicaldrive 1 (111.8 GB, 1): OK
       physicaldrive 1I:1:1 (port 1I:box 1:bay 1, 120 GB): OK
       physicaldrive 1I:1:2 (port 1I:box 1:bay 2, 120 GB): OK

    Type hpssacli help to get more information on how to use it.

    Checking SSDs with hpssaducli

    If you have SSDs and you installed hpssaducli, you can also check SSD status with this command:

    hpssaducli -ssd -txt -f /tmp/ssd.txt ; cat /tmp/ssd.txt

    That should show you a bunch of information about wear on the SSDs, e.g:

    Smart Array P440ar in Embedded Slot : Internal Drive Cage at Port 1I : Box 1 : Physical Drive (120 GB SATA SSD) 1I:1:1 : SmartSSD Wear Gauge
       Status                               OK
       Supported                            TRUE
       Log Full                             FALSE
       Utilization                          0.000000
       Power On Hours                       47
       Has Smart Trip SSD Wearout           FALSE

    Integrating HP hardware monitoring with Nagios

    If you're not using Nagios then obviously you can stop reading now!

    Server hardware

    I've always used the check_hpasm plugin for checking server hardware, and it's worked well for me. Just follow their instructions to install it, then you can integrate it into your Nagios configuration as needed.

    Note that you'll need to add the following line to your /etc/sudoers so that it has permission to run:

    nrpe              ALL=NOPASSWD: /sbin/hpasmcli

    Storage hardware

    I've always used the check_hparray plugin for checking storage hardware, and it's always worked perfectly for me, notifying me every time there's been a drive failure. However, I see that it apparently hasn't worked for some people, and it's not clear why not, so use at your own risk.

    Note that it does need to be modified now that HP have changed the name of their software, so just replace all instances of "hpacucli" in the script with "hpssacli" then it should work fine. Put the script in your Nagios plugins folder, then you can integrate it into your Nagios configuration as needed.

    Note that you'll need to add the following line to your /etc/sudoers so that it has permission to run:

    nrpe              ALL=NOPASSWD: /sbin/hpssacli


    To check the wear status of SSDs, I wrote a simple Nagios plugin which you can obtain from my GitHub repository. You'll need to install the dos2unix command if it's not already installed (with yum -y install dos2unix). Just install the plugin in your Nagios plugins directory, then you can integrate it into your Nagios configuration as needed.

    August 23, 2015 12:08 PM

    Administered by Joe. Content copyright by their respective authors.