2018. július 24., kedd

MySQL monitoring with Zabbix 3.4

If you install Zabbix Server 3.4 there is a nice template supplied with it which is called "    Template DB MySQL". That could be used for monitoring remote MySQL database performance. Unfortunately this will also not work out of the box... Your logs will get filled by " Error connecting to database: Access denied for user 'zabbix'@'localhost' to database" and...

So you should first create a database on a _remote_ mysql server for the sake of zabbix. This could be painful if security is a high concern for you but actually doesn't hold much risk.

mysql -u root -p
use mysql;
CREATE DATABASE `zabbix_db`;
GRANT ALL PRIVILEGES ON zabbix_db.* TO 'zabbixagent'@'localhost' IDENTIFIED BY 'XXXXXXYYX';

 Then create the required config files:
mkdir /var/lib/zabbix # this is defined in /etc/zabbix/zabbix_agentd.conf.d/userparameter_mysql.conf file. You must have it.
cd  /var/lib/zabbix
touch .my.cnf
chown zabbix:zabbix /var/lib/zabbix -R
chmod 600 .my.cnf

And here is the secret magic: its content should be:

Note: no special rights needed for zabbixuser for "mysqladmin". In this way all errors should be gone and you have a nice and clean MySQL performance monitoring. Tadaam.

2018. július 23., hétfő

Zabbix agent upgrade from 2.x to 3.4

It's not easy as it seems. After you execute the first steps...
wget http://repo.zabbix.com/zabbix/3.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.4-1+xenial_all.deb
dpkg -i zabbix-release_3.4-1+xenial_all.deb
apt update
apt install zabbix-agent -y

You suddenly realize that something is definitely wrong because the agent dies.

Jul 23 14:52:22 sss systemd[1]: Failed to start Zabbix Agent.
Jul 23 14:52:22
sss systemd[1]: zabbix-agent.service: Unit entered failed state.
Jul 23 14:52:22
sss systemd[1]: zabbix-agent.service: Failed with result 'exit-code'.
dpkg: error processing package zabbix-agent (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for systemd (229-4ubuntu21.2) ...
Processing triggers for ureadahead (0.100.0-19) ...
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

Some investigation shows /etc/zabbix/zabbix_agentd.conf.d directory does not exists and that's where the new agent looks for its configs and foolishly it does not create it. But you may have existing userparameter configs in existing /etc/zabbix/zabbix_agentd.d so the best way to continue the installation with:
ln -s /etc/zabbix/zabbix_agentd.d /etc/zabbix/zabbix_agentd.conf.d
service zabbix-agent restart
service zabbix-agent status

2018. május 11., péntek

Docker notes #2

docker ps -a = List docker containers including the stopped ones
docker logs -f [ID] = Show the logs wrote in a container
docker logs --tail 200 [ID]

docker commit [ID] (my_new_image) = Convert a container to image
(returns value: sha256:hash)

docker save -o /path/my_new_image.tar = Save a docker image to be ready to imported
docker load -i /path/my_new_image.tar = Import (load) a foreign image
docker run -it sha256:hash /bin/bash = Spin up the image and run a command in it
(you are inside the container now)

docker export [ID] > /path/ide.tar = Export a container into a .tar file
docker diff [ID] = Show the modified files inside a container since its start
docker cp [ID]:/var/log/apache2/access.log ./access.log = Copy a file from container to host

docker-compose build = Build the correctly setup container (in its directory)
docker-compose up -d = Run it
docker rm [ID] = removes an instance of the container that was run
docker rm `docker ps -a -q` = remove all stopped containers
docker rmi image-name = removes the docker image and its dependencies

docker inspect [ID] = See the details of a container
docker run -p 8080:80 = will redirect the container's port 80 to a port 8080 on the host machine's user port
docker port [ID] = will list the port mapping information

docker top [ID] = See the running processes inside of a container
docker history [IMAGE-NAME] = See the commands the container was originally created by

2018. március 26., hétfő

Systemd over NTP

Ever wondered how to setup an NTP client controlled by systemd? Here are some short steps.

Mar 26 19:24:43 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (0.debian.pool.ntp.org).
Mar 26 19:24:54 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (0.debian.pool.ntp.org).
Mar 26 19:25:04 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (0.debian.pool.ntp.org).
Mar 26 19:25:14 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (0.debian.pool.ntp.org).
Mar 26 19:25:24 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (1.debian.pool.ntp.org).
Mar 26 19:25:35 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (1.debian.pool.ntp.org).
Mar 26 19:25:45 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (1.debian.pool.ntp.org).
Mar 26 19:25:55 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (1.debian.pool.ntp.org).
Mar 26 19:26:05 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from (2.debian.pool.ntp.org).

1. nano /etc/systemd/timesyncd.conf
2. Set your NTP server, e.g.: NTP=
3. systemctl restart systemd-timesyncd.service 
4. timedatectl set-ntp true
5. Check with: timedatectl status

2018. március 8., csütörtök

Powershell applet form

It's a little known fact that it is possible to build a complete application form with pure Powershell. (Being based on .NET.). Here is an awesome example, called login.ps1. This is an applet starts a window that cannot be closed with the regular control buttons (as they are disabled) and asks two data from the user. Then it validates the data and if the data found to be invalid, flashes the input fields with red and returns to the initial state. Yeah, this was the hardest part of the development. If the data are all OK, it flashes the input fields with green color and pushes the data to the event log. This is a very very very special use case and only useful for me, but may help someone out who is just looking for a similar data input solution and gets here with google.

[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Text = "Long Change Answer File Information"
$objForm.Size = New-Object System.Drawing.Size(455,265)
$objForm.StartPosition = "CenterScreen"

# set this to $True to enable "close" button
$objForm.ControlBox = $false
$objForm.KeyPreview = $True

# Add Ok Button
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(180,185)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
    # some tricky regex to validate our very custom input data
    If( $ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|OST#?[0-9]{6})\b" -And $LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b") # Valid -match "^\d{0,10}$"
        $LoginTextBox.BackColor = "lime";
        $ChangeTextBox.BackColor = "lime";
        Start-Sleep -Milliseconds 600;

    # we have two input fields and both are required to be validated
    ElseIf (-Not ($LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b") -And ($ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|OST#?[0-9]{6})\b"))   # Invalid
        #$ErrorProvider.SetError($LoginTextBox, "Please enter valid name");
        $LoginTextBox.BackColor = "pink";
        $ChangeTextBox.BackColor = "lime";
    # strange logic but this is the simpliest way in this case, here we get back to reset the form
    ElseIf (-Not ($ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|(OST|ost)#?[0-9]{6})\b") -And ($LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b"))
        $ChangeTextBox.BackColor = "pink";
        $LoginTextBox.BackColor = "lime";
        # visual warning to the user
        $ChangeTextBox.BackColor = "pink";
        $LoginTextBox.BackColor = "pink";

# Add Textbox Label
$FontBold = new-object System.Drawing.Font("Arial",8,[Drawing.FontStyle]'Bold' )

#UserID label
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(425,20)
$objLabel.Font = $fontBold
$objLabel.text = "Please enter Your UserID"

$objLabel1 = New-Object System.Windows.Forms.Label
$objLabel1.Location = New-Object System.Drawing.Size(30,47)
$objLabel1.Size = New-Object System.Drawing.Size(65,50)
$objLabel1.Text = "UserName:"

#UserID textbox
$LoginTextBox = New-Object System.Windows.Forms.TextBox
$LoginTextBox.Location = New-Object System.Drawing.Size(120,45)
$LoginTextBox.Size = New-Object System.Drawing.Size(260,20)
#$LoginTextBox.BackColor = "green"

#CH label
$objLabel2 = New-Object System.Windows.Forms.Label
$objLabel2.Location = New-Object System.Drawing.Size(10,100)
$objLabel2.Size = New-Object System.Drawing.Size(425,20)
$objLabel2.Font = $fontBold
$objLabel2.Text = "Please enter change number"

$objLabel3 = New-Object System.Windows.Forms.Label
$objLabel3.Location = New-Object System.Drawing.Size(30,120)
$objLabel3.Size = New-Object System.Drawing.Size(65,40)
$objLabel3.Text = "CH number:"

#CH textbox
$ChangeTextBox = New-Object System.Windows.Forms.TextBox
$ChangeTextBox.Location = New-Object System.Drawing.Size(120,120)
$ChangeTextBox.Size = New-Object System.Drawing.Size(260,20)

# Add Validation Control
$ErrorProvider = New-Object System.Windows.Forms.ErrorProvider

$objForm.Topmost = $True
[void] $objForm.ShowDialog()

$change= $ChangeTextBox.TEXT
$login = $LoginTextBox.TEXT

Write-EventLog -Source "Winlogon" -LogName "Application" -EventId 666 -Message "Impersonated user logged as $login for $change implementation"

2018. január 2., kedd

User import from foreign LDAP into own AD - PART2

The script continues with STEP3

$WinUsers = "C:\quser\ad-userimport-scripts\winjumpusers.txt"

# we have some test users which must not be disabled
$ToIgnore = "user1","user2","user3","master1","master2"

$GrA = @() # needed!
$GrA = import-csv $InFile # external LDAP group members
$GrB = gc $WinUsers # external LDAP group members who has additional administrative permission to be imported here
$GrC=(Get-ADGroupMember -identity jumpusers).SamAccountName # members who are already in the local AD

$Gone = $GrC | where {$GrA.uid -notcontains $_ } # members who are already in the local AD but not in the foreign AD - seems like deleted there and already left the team
$ToDelete=(Compare-Object $Gone $ToIgnore).InputObject # generating the user list who are to be deleted locally
# some checks to avoid stupid errors - too short list means we caught only some error message
 $i=@(Get-Content $InFile).Length
 if ( $i  -lt 15 ) {
  write-host "There is something wrong with the list, CHECK IT !" | Out-File $LogFile -Append
  exit 1
    $i=@(Get-Content $WinUsers).Length
 if ( $i  -lt 10 ) {
  write-host "There is something wrong with the list, CHECK IT !" | Out-File $LogFile -Append
  exit 1

# logging
Get-Date | Out-File $LogFile -Append
# handling users who are gone meanwhile from the external LDAP
if ( $ToDelete -ne $null ) {
        $ToDelete | ForEach-Object {
            #Delete-ADaccount -Member $_ -Confirm:$false # delete
            #Remove-ADGroupMember -Identity jumpusers -Member $_ -Confirm:$false # removes from the group
            Disable-ADAccount -identity $_ # disable the user
           Write-Host "DISABLED:" $_ | Out-File $LogFile -Append
# Collecting the users into external data file who are not added yet locally. This is the trickiest part of the script because here we just find the loginID of the user. The first and the last names come from the second list! So the loginID (SAMaccount name) needs to be found in the second list and the realname comes with that from there. 

$result = $GrB | Where {$GrC -NotContains $_}
$GrA.uid|ForEach-Object {
    $uidja = $_
    $ndx = [array]::IndexOf($GrA.uid,$uidja)
    $result|Foreach-Object {
        if ($_ -match $uidja ) {
      $GrA.FirstName[$ndx] $GrA.LastName[$ndx]
         $uidja+","+$GrA.FirstName[$ndx]+","+$GrA.LastName[$ndx] | Out-File $OutFile -Append

# This is where the safe import is happening for the new users. The password is generated locally because that can't be exported from the external LDAP so won't be identical.