Validate haproxy.cfg - haproxy

Is there any way to validate the HAProxy haproxy.cfg file before restarting the HAProxy service? For example: There might be a small spelling/syntax error in a larger haproxy.cfg file. I searched through several forums, but was unable to find anything in relation to validating the haproxy.cfg files for syntax errors.
As of now, I use a trial and error basis on a developer machine before I upload the changes to a Production Server.

The official HAProxy configuration file check was buried in the help sections.
/usr/local/sbin/haproxy --help
There are two ways to check the haproxy.cfg syntax.
One way is to run
/usr/local/sbin/haproxy -c -V -f /etc/haproxy/haproxy.cfg
which validates the file syntax. The -c switch in the command stands for "check", while the others denote "verbose" and "file".
Another way is to run
sudo service haproxy configtest
I hope this helps anyone looking to check the syntax of the haproxy.cfg file before restarting the service.

We are using this command
sudo haproxy -f /etc/haproxy/haproxy.cfg -c
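
Added example (not part of the original answers): a deploy gate built on the same haproxy -c check, which installs a candidate file only if it validates and restores the previous file if the reload fails. HAPROXY_BIN, RELOAD_CMD and the .bak/.new suffixes are assumptions of this example.

```shell
#!/bin/sh
# Added example: install a candidate haproxy.cfg only if "haproxy -c" accepts it.
# HAPROXY_BIN and RELOAD_CMD are overridable (assumed defaults for a systemd host).
HAPROXY_BIN="${HAPROXY_BIN:-haproxy}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload haproxy}"

# deploy_haproxy_cfg CANDIDATE LIVE
# Return codes: 0 deployed, 2 candidate rejected, 3 install or reload failed.
deploy_haproxy_cfg() {
    candidate=$1
    live=$2

    # Step 1: check the candidate with the same -c -f switches as the answers.
    if ! "$HAPROXY_BIN" -c -f "$candidate" >/dev/null 2>&1; then
        echo "rejected: $candidate failed haproxy -c" >&2
        return 2
    fi

    # Step 2: keep the previous file so a failed reload can be undone.
    backup="$live.bak"
    [ -f "$live" ] && cp -p "$live" "$backup"

    # Step 3: copy next to the live file, then rename (atomic on one filesystem).
    cp "$candidate" "$live.new" && mv "$live.new" "$live" || return 3

    # Step 4: reload; on failure restore the last known-good config.
    if ! $RELOAD_CMD >/dev/null 2>&1; then
        [ -f "$backup" ] && mv "$backup" "$live"
        echo "reload failed: restored previous $live" >&2
        return 3
    fi
    return 0
}
```

Typical use is deploy_haproxy_cfg ./haproxy.cfg.new /etc/haproxy/haproxy.cfg, run as root.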

Related

Mongo Procedures Dependencies Cause Neo4j Connection Issues

I am using Neo4j on a remote server (ubuntu 20.4) and would like to stream data from MongoDB to Neo4j. I followed the instructions here. I tried both ways by using the following approaches:
Use the following command:
sudo wget https://github.com/neo4j-contrib/neo4j-apoc-procedures/releases/tag/4.3.0.7/apoc-mongodb-dependencies-4.3.0.7.jar -O /mnt/neo4j/plugins/apoc-mongodb-dependencies-4.3.0.7.jar
Note that the plugins directory has a different path due to mounting. I changed the path in the configuration file accordingly. This should not be causing any problems because I had the same problem before mounting.
Also, I tried to match the same release as the apoc-core file (4.4.0.3) in a separate attempt with no better outcome.
Changing the ownership and read permissions as follows didn't help either:
sudo chown neo4j:neo4j apoc-mongodb-dependencies-4.4.0.3.jar
sudo chmod 755 apoc-mongodb-dependencies-4.4.0.3.jar
Use the following commands:
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongo-java-driver/3.12.11/mongo-java-driver-3.12.11.jar -O /mnt/neo4j/plugins/mongo-java-driver-3.12.11.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongodb-driver/3.12.11/mongodb-driver-3.12.11.jar -O /mnt/neo4j/plugins/mongodb-driver-3.12.11.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/mongodb-driver-core/4.7.1/mongodb-driver-core-4.7.1.jar -O /mnt/neo4j/plugins/mongodb-driver-core-4.7.1.jar
sudo wget https://repo1.maven.org/maven2/org/mongodb/bson/4.7.1/bson-4.7.1.jar -O /mnt/neo4j/plugins/bson-4.7.1.jar
Note that I used the latest versions. I tried the versions available in the instructions as well with no difference in the outcome.
Now, after restarting neo4j.service, I can no longer access cypher-shell or the browser. In the first case, I get "connection refused", while in the browser I get a blank page. When I check the status, the service is active and running. But I noticed that it is missing a line compared to when I don't have the dependencies.
Starting...
This instance is ServerId{#}
======== Neo4j 4.4.5 ======== (This line is missing with the dependencies downloaded!)
When I delete the dependencies from the plugins directory and restart, everything goes back to normal and functions as expected. One more thing to note is that apoc-core procedures work just fine!
I don't know if I'm doing something wrong here or if there is some sort of underlying problem!

MongoDB - can't run because of SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen

After install, my mongod server was running well. I created a user and restarted the server without issue.
But now that I have modified the config file by adding 0.0.0.0 to bindIp, the server won't restart.
The error messages are
Jan 24 11:59:53 localhost.localdomain setroubleshoot[4656]: failed to retrieve rpm info for /proc/sys/net/ipv4/tcp_fastopen
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen. For complete SELinux messag>
Jan 24 11:59:54 localhost.localdomain setroubleshoot[4656]: SELinux is preventing mongod from open access on the file /proc/sys/net/ipv4/tcp_fastopen.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed open access on the tcp_fastopen file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mongod' --raw | audit2allow -M my-mongod
# semodule -X 300 -i my-mongod.pp
ausearch -c 'mongod' --raw | audit2allow -M my-mongod
semodule -X 300 -i my-mongod.pp
did not solve the problem.
The MongoDB docs say that version 4 activates the use of tcp_fastopen by default.
I can't find out how to apply semanage permissive to use tcp_fastopen.
Thanks in advance

If you're running on RHEL, CentOS, or Oracle Linux, follow the instructions for the official SELinux policy for the MongoDB server:
sudo yum install -y git make checkpolicy policycoreutils selinux-policy-devel
git clone https://github.com/mongodb/mongodb-selinux
cd mongodb-selinux
make
sudo make install

Verify your operating system is supported by MongoDB.
Install a vanilla version of your operating system, do not change any settings, use published MongoDB documentation to install MongoDB and get it working.
Identify differences between your current installation and the vanilla installation.
Update your question with findings.

I couldn't find an answer to this exact error. I was starting to pull my hair out. I ended up looking at the mongod.log file. It had a permission denied error in there. journalctl showed the tcp_fastopen, so I was troubleshooting SELinux while it was actually a permission denied error. Hopefully this will help someone else running into this error.

I had the same problem after upgrading mongod to 4.4.6.
I ended up applying what is suggested here, compiling the module manually.
Now it works!
I did many tries, so I am not 100% sure that what I did is more than necessary.
The audit2allow command does not include the rule
allow mongod_t sysctl_net_t:file { getattr read open };
# cat > mongodb_sysctl_net.te << EOF
module mongodb_sysctl_net 1.0;
require {
type mongod_t;
type sysctl_net_t;
class dir search;
class file { getattr read open };
}
#============= mongod_t ==============
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file { getattr read open };
EOF
# checkmodule -M -m -o mongodb_sysctl_net.mod mongodb_sysctl_net.te
# semodule_package -o mongodb_sysctl_net.pp -m mongodb_sysctl_net.mod
# semodule -i mongodb_sysctl_net.pp
# systemctl start mongod.service
NOTE: I already had policy modules installed from the previous installation written according to the mongodb documentation
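
Added example (not part of the original answer): before installing a local policy module, the denials it is built from can be summarised into the allow rules they imply. The AVC records below are constructed samples in audit.log format, and sample_avc and avc_to_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as candidate allow rules,
# so the access a local module would grant can be reviewed before install.

# Constructed sample records in audit.log AVC format (not from the page's host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1611489593.101:311): avc:  denied  { search } for  pid=4656 comm="mongod" name="net" dev="proc" ino=4026531960 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1611489593.102:312): avc:  denied  { open } for  pid=4656 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=23456 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611489594.001:320): avc:  denied  { read } for  pid=4656 comm="mongod" name="tcp_fastopen" dev="proc" ino=23456 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611489594.002:321): avc:  denied  { open } for  pid=4656 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=23456 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
EOF
}

# avc_to_rules: read AVC records on stdin, print one allow rule per
# (source type, target type, class) with the union of denied permissions.
avc_to_rules() {
    awk '
    /avc:/ && /denied/ {
        src = tgt = cls = ""; inperm = 0; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perm[++n] = $i; continue }
            # A context is user:role:type:level, so the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        for (j = 1; j <= n; j++)
            if (!((key, perm[j]) in seen)) {
                seen[key, perm[j]] = 1
                perms[key] = perms[key] " " perm[j]
            }
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }
    ' | sort
}
```

On a real host, pipe the output of ausearch -c 'mongod' --raw into avc_to_rules instead of sample_avc. Only operations that were actually attempted and denied are logged, so in enforcing mode the summary can omit permissions the service would request next.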
I had the same issue (semodule error about accessing tcp_fastopen) with a mongo 4.4 replica-set configuration. It couldn't be an OS (Oracle Linux 8) issue, since I had the error on just one of three identical replica-set nodes (same update status).
The system already had the selinux configuration as suggested in the official documentation, with
semodule -l | grep mongo
returning
mongodb
mongodb_cgroup_memory
mongodb_proc_net
Digging inside mongod.log I finally found:
"Failed to unlink socket file","attr":{"path":"/tmp/mongodb-27017.sock","error":"Operation not permitted"}}
I don't know which condition led to this status, but when I unlinked the socket (as root), the mongo daemon started again without errors so far.

modify haproxy systemd configuration

I'm running Ubuntu 18.04 and I've installed haproxy 1.8.8. I want to modify the config so that the "-f" option will read a directory rather than a single haproxy.cfg file.
I see /lib/systemd/system/haproxy.service and also /etc/init.d/haproxy were installed. I think systemd is managing haproxy. But I've read that I'm not supposed to modify the installed haproxy.service.
I copied haproxy.service to /etc/systemd/system/ and edited it there. The changes I made were not picked up when I ran sudo systemctl daemon-reload; sudo service haproxy restart.
Which file do I need to modify and then get systemd to recognize the changes? TIA

As you suspected, you should not edit the unit files (provided by the OS packager) directly. You can supply a drop-in snippet using the command
systemctl edit haproxy
and customize the relevant directives (ExecStart)

Logstash service failure CentOS7 - Some newbie questions

I am really struggling to launch logstash as a service on CentOS 7. Since I cannot figure out what or where to set the
-DJava.io.tmpdir= variable (which apparently would solve my issue), I am trying to create a little script to launch the logstash command line on boot.
The following line works manually for me:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d
That successfully loads and opens port 5000.
So I am trying to create a boot time script to run that line and start logstash.
My problem is that I think I need the sudo command as it fails to run without it. Does anyone know how I can get this to work?
I have the following files /etc/systemd/system/mylogstash.service:
[Unit]
After=network.target
[Service]
ExecStart=/usr/local/bin/disk-space-check.sh
[Install]
WantedBy=default.target
and also /usr/local/bin/mylogstashstart.sh:
#!/bin/bash
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d
To make the script executable I have done:
chmod 744 /usr/local/bin/mylogstash.sh
and
chmod 664 /etc/systemd/system/mylogstash.service
It fails to execute as there are insufficient permissions. How do I replicate the Sudo in the script without storing a password and do I even need to?
Can anyone tell me where I have gone wrong please? I'm getting pretty desperate, and no-one likes to see a man desperate...
Thanks,
QR

Issues using Snort on Ubuntu

I installed snort on Ubuntu 14.04 but am having issues seeing the alerts. I also want it to log the alerts to a GUI but am also having issues with the MySQL database. Please guide.

You can test your installation by running snort -v. Make sure you run snort as the root user, or else you will get an error as shown below.
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Failed to lookup interface: no suitable device found. Please specify one with -i switch
Fatal Error, Quitting..
If snort -v is working then try running the basic IDS mode using
snort -d -l ./log -c snort.conf
where log is the directory where you want to store the log and alert files. snort.conf is the name of your snort configuration file. It should contain your snort rules.
If you don't specify an output directory for the program, it will default to /var/log/snort
Here is the manual: https://www.snort.org/documents/snort-users-manual