
Create Linux High Availability Load Balancer Cluster with Keepalived and Haproxy on Linux

Tuesday, March 15th, 2022


Configuring Linux HA (High Availability) for an application with Haproxy is already in use across many websites on the Internet, and serious corporations with crucial infrastructure have long since adopted keepalived to provide application-level High Availability clustering.
Usually companies choose to build HA clusters with Haproxy on top of the Pacemaker and Corosync cluster tools.
One commonly used alternative, however, covers the case where you don't have the opportunity to bring up a High Availability cluster with Pacemaker / Corosync / pcs (Pacemaker Configuration System), because the machines you need to cluster are not physical but VMware Virtual Machines on which you cannot configure the separate Admin LAN and Heartbeat LAN we usually have on a Pacemaker cluster: the 5 Ethernet LAN card interfaces of the VMware hypervisor hosts are configured as a BOND (i.e. all incoming traffic to the VMware vSphere HV is received on one virtual bond interface).

I assume you have 2 separate vSphere hypervisor physical machines, in separate racks and behind separate switches, hosting the two VMs.
For the article, I'll call the two freshly provisioned Virtual Machines (brought up with some installation automation software such as Terraform or Ansible) vm-server1 and vm-server2; both run some recent version of Linux.

In that scenario, to have High Availability for the VMs on the application level and ensure at least one of the two is available at any time if the other breaks (due to a malfunction of the HV, a network connectivity issue, or because the VM OS has crashed), one relatively easy solution is to use keepalived and configure a single High Availability Virtual IP (VIP) address, e.g. 10.10.10.1, which floats between the two VMs, so that at any time at least one of the two VMs is reachable on the network under that IP.


Having a VIP is quite a common solution in the corporate world, as it makes it easy to add an F5 Load Balancer in front of the keepalived cluster and get 3 levels of security isolation, which usually consist of:

1. Physical (access to the hardware or virtualization hosts)
2. System access (the mechanism to access the system: login credentials, users / passwords, proxies, entry servers leading to the DMZ-ed network)
3. Application level (access to different programs behind level 2 and to data, based on the specific identity of the individual user: a special secondary user ID, two-factor authentication, biometrics etc.)

 

1. Install keepalived and haproxy on machines

Depending on the type of Linux OS:

On both machines, for RHEL / CentOS and other RPM based distros:

[root@server1:~]# yum install -y keepalived haproxy

If you have to install keepalived / haproxy on Debian / Ubuntu and other Deb based Linux distros:

[root@server1:~]# apt install keepalived haproxy --yes

2. Configure haproxy (haproxy.cfg) on both server1 and server2

 

Create the /etc/haproxy/haproxy.cfg configuration (the same file goes on both servers):

[root@server1:~]# vim /etc/haproxy/haproxy.cfg

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log          127.0.0.1 local6 debug
    chroot       /var/lib/haproxy
    pidfile      /run/haproxy.pid
    stats socket /var/lib/haproxy/haproxy.sock mode 0600 level admin
    maxconn      4000
    user         haproxy
    group        haproxy
    daemon
    #debug
    #quiet

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode        tcp
    log         global
#    option      dontlognull
#    option      httpclose
#    option      httplog
#    option      forwardfor
    option      redispatch
    option      log-health-checks
    timeout connect 10000 # default 10 second time out if a backend is not found
    timeout client 300000
    timeout server 300000
    maxconn     60000
    retries     3

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------

listen FRONTEND_APPNAME1
        bind 10.10.10.1:15000
        mode tcp
        option tcplog
        #log global
        log-format [%t]\ %ci:%cp\ %bi:%bp\ %b/%s:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance roundrobin
        timeout client 350000
        timeout server 350000
        timeout connect 35000
        # NB: a TCP port cannot exceed 65535; replace 68888 with the real health-check port
        server app-server1 10.10.10.55:30000 weight 1 check port 68888
        server app-server2 10.10.10.55:30000 weight 2 check port 68888

listen FRONTEND_APPNAME2
        # NB: this binds the same VIP:port as FRONTEND_APPNAME1; give each application its own port
        bind 10.10.10.1:15000
        mode tcp
        option tcplog
        #log global
        log-format [%t]\ %ci:%cp\ %bi:%bp\ %b/%s:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        balance roundrobin
        timeout client 350000
        timeout server 350000
        timeout connect 35000
        server app-server1 10.10.10.55:30000 weight 5
        server app-server2 10.10.10.55:30000 weight 5

 

You can get a copy of the above haproxy.cfg configuration here.
Once configured, start the proxy:

[root@server1:~]#  systemctl start haproxy
 
[root@server1:~]# ps -ef|grep -i hapro
root      285047       1  0 Mar07 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy   285050  285047  0 Mar07 ?        00:00:26 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid

Bring up haproxy on the server2 machine as well, by placing the same configuration there and starting the proxy:

[root@server2:~]# vim /etc/haproxy/haproxy.cfg


 

3. Configure keepalived on both servers

We'll be configuring 2 nodes with keepalived, though if necessary this can easily be extended and you can add more nodes.
First we make a copy of the original or existing keepalived.conf (just in case we need it later on, or in case something else had already been configured manually by someone, as can be the case on servers inherited from another sysadmin):
 

[root@server1:~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.orig
[root@server2:~]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.orig

a. Configure keepalived to serve as a MASTER Node

 

[root@server1:~]# vim /etc/keepalived/keepalived.conf

Master Node
global_defs {
  router_id server1-fqdn # The hostname of this host.

  enable_script_security
  # Synchro of the state of the connections between the LBs on the eth0 interface
  # (the global lvs_sync_daemon keyword takes the interface and the VRRP instance name;
  #  it only matters if keepalived also drives LVS / IPVS, and is harmless here)
  lvs_sync_daemon eth0 LB_VIP_QA

  notification_email {
    linuxadmin@notify-domain.com     # Email address for notifications
  }
  notification_email_from keepalived@server1-fqdn        # The from address for the notifications
  smtp_server 127.0.0.1                                  # SMTP server address
  smtp_connect_timeout 15
}

vrrp_script haproxy {
  script "killall -0 haproxy"   # exit code 0 while a haproxy process exists
  interval 2
  weight 2                      # adds 2 to the priority while the check passes
  user root
}

vrrp_instance LB_VIP_QA {
  virtual_router_id 50
  advert_int 1
  priority 51

  state MASTER
  interface eth0
  smtp_alert          # Enable Notifications Via Email

  authentication {
    auth_type PASS
    auth_pass testp141
  }
### Commented because running on VM on VMWare
##    unicast_src_ip 10.44.192.134 # Private IP address of master
##    unicast_peer {
##        10.44.192.135           # Private IP address of the backup haproxy
##   }

# master node with higher priority preferred node for Virtual IP if both keepalived up
  virtual_ipaddress {
    10.10.10.1 dev eth0 # The virtual IP address that will be shared between MASTER and BACKUP
  }
  track_script {
    haproxy
  }
}

 

To download a copy of the Master keepalived.conf configuration click here

Below are a few interesting configuration variables worth a few words. Most are obvious from their names, but for more clarity here is a list with a short description of each:

 

  • vrrp_instance – defines an individual instance of the VRRP protocol running on an interface.
  • state – defines the initial state that the instance should start in (i.e. MASTER / BACKUP, the latter often called SLAVE).
  • interface – defines the interface that VRRP runs on.
  • virtual_router_id – the VRRP group id; it should be one unique value per Keepalived cluster, set identically on its nodes (both nodes here use 50), otherwise master / slave election won't function properly.
  • priority – the advertised priority; the higher the priority, the more important the respective keepalived node is.
  • advert_int – specifies the frequency at which advertisements are sent (1 second, in this case).
  • authentication – specifies the information necessary for servers participating in VRRP to authenticate with each other. In this case, a simple password is defined.
    Important thing to note: only the first eight (8) characters of the password are used, as described in man keepalived.conf (the keepalived.conf variables documentation). !!! Nota Bene !!! The password set on each node should match for the nodes to be able to authenticate!
  • virtual_ipaddress – defines the IP addresses (there can be multiple) that VRRP is responsible for.
  • notification_email – the notification email to which alerts will be sent in case keepalived on one node is stopped (e.g. the MASTER role switches from host 1 to host 2).
  • notification_email_from – the sender address from which the email will originate.
    ! NB ! In order for notification_email to work you need to have an MTA configured, or a mail relay (the local MTA set to relay to another SMTP server), e.g. something like Postfix or Qmail.

b. Configure keepalived to serve as a SLAVE Node

[root@server2:~]# vim /etc/keepalived/keepalived.conf
 

#Slave keepalived
global_defs {
  router_id server2-fqdn # The hostname of this host!

  enable_script_security
  # Synchro of the state of the connections between the LBs on the eth0 interface
  # (the global lvs_sync_daemon keyword takes the interface and the VRRP instance name;
  #  it only matters if keepalived also drives LVS / IPVS, and is harmless here)
  lvs_sync_daemon eth0 LB_VIP_QA

  notification_email {
    linuxadmin@notify-host.com     # Email address for notifications
  }
  notification_email_from keepalived@server2-fqdn        # The from address for the notifications
  smtp_server 127.0.0.1                                  # SMTP server address
  smtp_connect_timeout 15
}

vrrp_script haproxy {
  script "killall -0 haproxy"   # exit code 0 while a haproxy process exists
  interval 2
  weight 2                      # adds 2 to the priority while the check passes
  user root
}

vrrp_instance LB_VIP_QA {
  virtual_router_id 50          # same VRRP group id as on the MASTER
  advert_int 1
  priority 50                   # lower than the MASTER's 51

  state BACKUP
  interface eth0
  smtp_alert          # Enable Notifications Via Email

  authentication {
    auth_type PASS
    auth_pass testp141          # must match the MASTER (only the first 8 characters are used)
  }
### Commented because running on VM on VMWare
##    unicast_src_ip 10.10.192.135 # Private IP address of this backup node
##    unicast_peer {
##        10.10.192.134         # Private IP address of the master haproxy
##   }

  virtual_ipaddress {
    10.10.10.1 dev eth0 # The virtual IP address that will be shared between MASTER and BACKUP.
  }
  track_script {
    haproxy
  }
}

 

Download the keepalived.conf slave config here

 

c. Set required sysctl parameters for haproxy to work as expected

The important one is net.ipv4.ip_nonlocal_bind: haproxy binds to the VIP 10.10.10.1, which is present only on the node that currently holds it, and without this setting haproxy on the other node would fail to start. Put the same settings on both servers and apply them with sysctl -p.

[root@server1:~]# vim /etc/sysctl.conf
#Haproxy config
# haproxy
net.core.somaxconn=65535
net.ipv4.ip_local_port_range = 1024 65000
# allow haproxy to bind the VIP even while this node does not hold it
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 400000
net.ipv4.tcp_max_orphans = 60000
net.ipv4.tcp_synack_retries = 3

4. Test Keepalived keepalived.conf configuration syntax is OK

 

[root@server1:~]# keepalived --config-test
(/etc/keepalived/keepalived.conf: Line 7) Unknown keyword 'lvs_sync_daemon_interface'
(/etc/keepalived/keepalived.conf: Line 21) Unable to set default user for vrrp script haproxy – removing
(/etc/keepalived/keepalived.conf: Line 31) (LB_VIP_QA) Specifying lvs_sync_daemon_interface against a vrrp is deprecated.
(/etc/keepalived/keepalived.conf: Line 31)              Please use global lvs_sync_daemon
(/etc/keepalived/keepalived.conf: Line 35) Truncating auth_pass to 8 characters
(/etc/keepalived/keepalived.conf: Line 50) (LB_VIP_QA) track script haproxy not found, ignoring…

I've experienced these errors because the first time I configured keepalived I did not specify the user the vrrp script haproxy should run as. In prior versions of keepalived, leaving the field empty automatically assumed the vrrp script runs as root; as of RHEL's keepalived-2.1.5-6.el8.x86_64, which I've been using, this is no longer so, and thus in the configuration above, as you can see, I've set the user in the respective section to root.
The error Unknown keyword 'lvs_sync_daemon_interface' is also easily fixable by just substituting lvs_sync_daemon_interface with the global lvs_sync_daemon and reloading keepalived.

Once keepalived is started, you can see the process running in the process list on both machines:
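keepalived --config-test validates a single file, so it cannot tell that the two nodes disagree on virtual_router_id or auth_pass, or that both claim MASTER. The following script is an added example, not from the article: it compares a MASTER / BACKUP keepalived.conf pair and repeats the per-file checks config-test warned about above (password truncation, undefined track script, script security). The configs it writes are constructed, trimmed copies of the settings above, and bad-backup.conf is deliberately broken.

```shell
#!/bin/sh
# Added example (not from the article): cross-node sanity checks for a
# MASTER / BACKUP keepalived.conf pair. Sample configs are constructed.

# kv <file> <keyword> : first value following <keyword> (e.g. "priority")
kv() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# track_scripts <file> : script names listed inside the track_script { } block
track_scripts() {
    awk '/^[[:space:]]*track_script/ { in_ts = 1; next }
         in_ts && /}/              { in_ts = 0 }
         in_ts                     { print $1 }' "$1"
}

# check_pair <master.conf> <backup.conf> : prints findings; returns the number of problems (0 = clean)
check_pair() {
    m=$1; b=$2; problems=0
    for f in "$m" "$b"; do
        grep -q '^[[:space:]]*enable_script_security' "$f" || {
            echo "$f: enable_script_security missing (keepalived logs SECURITY VIOLATION)"; problems=$((problems + 1)); }
        p=$(kv "$f" auth_pass)
        [ "${#p}" -le 8 ] || {
            echo "$f: auth_pass '$p' longer than 8 chars, keepalived truncates it"; problems=$((problems + 1)); }
        for s in $(track_scripts "$f"); do
            grep -q "^[[:space:]]*vrrp_script[[:space:]][[:space:]]*$s[[:space:]]*{" "$f" || {
                echo "$f: track_script '$s' has no vrrp_script definition"; problems=$((problems + 1)); }
        done
    done
    [ "$(kv "$m" virtual_router_id)" = "$(kv "$b" virtual_router_id)" ] || {
        echo "virtual_router_id differs: the nodes would form two separate VRRP groups"; problems=$((problems + 1)); }
    [ "$(kv "$m" auth_pass)" = "$(kv "$b" auth_pass)" ] || {
        echo "auth_pass differs: the nodes will reject each other's advertisements"; problems=$((problems + 1)); }
    [ "$(kv "$m" state)" = MASTER ] && [ "$(kv "$b" state)" = BACKUP ] || {
        echo "expected state MASTER in $m and BACKUP in $b"; problems=$((problems + 1)); }
    [ "$(kv "$m" priority)" -gt "$(kv "$b" priority)" ] 2>/dev/null || {
        echo "MASTER priority must be higher than BACKUP priority"; problems=$((problems + 1)); }
    return "$problems"
}

# write_sample_configs <dir> : constructed master.conf, backup.conf and a broken bad-backup.conf
write_sample_configs() {
    cat > "$1/master.conf" <<'EOF'
global_defs {
  router_id server1-fqdn
  enable_script_security
}
vrrp_script haproxy {
  script "killall -0 haproxy"
  interval 2
  weight 2
  user root
}
vrrp_instance LB_VIP_QA {
  virtual_router_id 50
  advert_int 1
  priority 51
  state MASTER
  interface eth0
  authentication {
    auth_type PASS
    auth_pass testp141
  }
  virtual_ipaddress {
    10.10.10.1 dev eth0
  }
  track_script {
    haproxy
  }
}
EOF
    # backup: same group and password, lower priority
    sed -e 's/server1-fqdn/server2-fqdn/' -e 's/priority 51/priority 50/' -e 's/state MASTER/state BACKUP/' \
        "$1/master.conf" > "$1/backup.conf"
    # broken backup: no script security, other group id, 11-char password, undefined track script
    sed -e '/enable_script_security/d' -e 's/virtual_router_id 50/virtual_router_id 51/' \
        -e 's/auth_pass testp141/auth_pass testp141xyz/' -e 's/^    haproxy$/    haproxy_check/' \
        "$1/backup.conf" > "$1/bad-backup.conf"
}

# Demo run on the constructed configs
dir=$(mktemp -d)
write_sample_configs "$dir"
echo "== master.conf vs backup.conf =="
check_pair "$dir/master.conf" "$dir/backup.conf" && echo "no problems found"
echo "== master.conf vs bad-backup.conf =="
check_pair "$dir/master.conf" "$dir/bad-backup.conf" || echo "$? problem(s) found"
rm -rf "$dir"
```

To check the real nodes, copy /etc/keepalived/keepalived.conf from both and run check_pair on the two files.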

[root@server1:~]# ps -ef |grep -i keepalived
root     1190884       1  0 18:50 ?        00:00:00 /usr/sbin/keepalived -D
root     1190885 1190884  0 18:50 ?        00:00:00 /usr/sbin/keepalived -D

The next step is to check the keepalived statuses as well as /var/log/keepalived.log.

If everything is configured as expected on both nodes, you should see that one is master and one is slave (BACKUP), either in the status or in the log:

[root@server1:~]# systemctl restart keepalived

[root@server1:~]# systemctl status keepalived|grep -i state
Mar 14 18:59:02 server1-fqdn Keepalived_vrrp[1192003]: (LB_VIP_QA) Entering MASTER STATE

[root@server1:~]# systemctl status keepalived

● keepalived.service – LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Mon 2022-03-14 18:15:51 CET; 32min ago
  Process: 1187587 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1187589 (code=exited, status=0/SUCCESS)

Mar 14 18:15:04 server1lb-fqdn Keepalived_vrrp[1187590]: Sending gratuitous ARP on eth0 for 10.44.192.142
Mar 14 18:15:50 server1lb-fqdn systemd[1]: Stopping LVS and VRRP High Availability Monitor…
Mar 14 18:15:50 server1lb-fqdn Keepalived[1187589]: Stopping
Mar 14 18:15:50 server1lb-fqdn Keepalived_vrrp[1187590]: (LB_VIP_QA) sent 0 priority
Mar 14 18:15:50 server1lb-fqdn Keepalived_vrrp[1187590]: (LB_VIP_QA) removing VIPs.
Mar 14 18:15:51 server1lb-fqdn Keepalived_vrrp[1187590]: Stopped – used 0.002007 user time, 0.016303 system time
Mar 14 18:15:51 server1lb-fqdn Keepalived[1187589]: CPU usage (self/children) user: 0.000000/0.038715 system: 0.001061/0.166434
Mar 14 18:15:51 server1lb-fqdn Keepalived[1187589]: Stopped Keepalived v2.1.5 (07/13,2020)
Mar 14 18:15:51 server1lb-fqdn systemd[1]: keepalived.service: Succeeded.
Mar 14 18:15:51 server1lb-fqdn systemd[1]: Stopped LVS and VRRP High Availability Monitor

[root@server2:~]# systemctl status keepalived|grep -i state
Mar 14 18:59:02 server2-fqdn Keepalived_vrrp[297368]: (LB_VIP_QA) Entering BACKUP STATE

[root@server1:~]# grep -i state /var/log/keepalived.log
Mar 14 18:59:02 server1lb-fqdn Keepalived_vrrp[297368]: (LB_VIP_QA) Entering MASTER STATE
 

a. Fix Keepalived SECURITY VIOLATION – scripts are being executed but script_security not enabled.

When configuring keepalived for the first time we faced the following strange error in the keepalived status and inside keepalived.log:

Feb 23 14:28:41 server1 Keepalived_vrrp[945478]: SECURITY VIOLATION – scripts are being executed but script_security not enabled.

keepalived logs this whenever a vrrp_script is configured while script security is off. With enable_script_security set, keepalived refuses to run as root any script whose path (or any directory on the path) is writable by a non-root user, so a writable check script cannot be turned into commands run as root on the load balancer.

To fix the keepalived SECURITY VIOLATION error, add enable_script_security to /etc/keepalived/keepalived.conf on both keepalived node hosts, inside the global_defs {} block, before the LVS sync daemon line (the other global_defs settings stay as they are):

global_defs {
  enable_script_security

  # Synchro of the state of the connections between the LBs on the eth0 interface
  lvs_sync_daemon_interface eth0
}

(On keepalived 2.x the lvs_sync_daemon_interface keyword is deprecated in favour of the global lvs_sync_daemon, as shown in the configurations above.)

 

5. Prepare rsyslog configuration and include additional keepalived options
to force keepalived to log into /var/log/keepalived.log

To force keepalived to log into /var/log/keepalived.log on RHEL 8 / CentOS and other Redhat Package Manager (RPM) Linux distributions:

[root@server1:~]# vim /etc/rsyslog.d/48_keepalived.conf

#2022/02/02: HAProxy logs to local6; keepalived started with -S 7 (see below) logs to local7, save the messages
local7.*                                                /var/log/keepalived.log
if ($programname == 'Keepalived') then -/var/log/keepalived.log
if ($programname == 'Keepalived_vrrp') then -/var/log/keepalived.log
& stop

[root@server:~]# touch /var/log/keepalived.log

Reload rsyslog to load new config
 

[root@server:~]# systemctl restart rsyslog
[root@server:~]# systemctl status rsyslog

 

rsyslog.service – System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/rsyslog.service.d
           └─rsyslog-service.conf
   Active: active (running) since Mon 2022-03-07 13:34:38 CET; 1 weeks 0 days ago
     Docs: man:rsyslogd(8)

           https://www.rsyslog.com/doc/
 Main PID: 269574 (rsyslogd)
    Tasks: 6 (limit: 100914)
   Memory: 5.1M
   CGroup: /system.slice/rsyslog.service
           └─269574 /usr/sbin/rsyslogd -n

Mar 15 08:15:16 server1lb-fqdn rsyslogd[269574]: — MARK —
Mar 15 08:35:16 server1lb-fqdn rsyslogd[269574]: — MARK —
Mar 15 08:55:16 server1lb-fqdn rsyslogd[269574]: — MARK —

 

If keepalived is running but still nothing is written to /var/log/keepalived.log, set the keepalived syslog facility to local7 (the -S 7 option, matching the local7.* rule above) in /etc/sysconfig/keepalived on both nodes and restart keepalived:

[root@server1:~]# vim /etc/sysconfig/keepalived
 KEEPALIVED_OPTIONS="-D -S 7"

[root@server2:~]# vim /etc/sysconfig/keepalived
 KEEPALIVED_OPTIONS="-D -S 7"

[root@server1:~]# systemctl restart keepalived.service
[root@server1:~]#  systemctl status keepalived

● keepalived.service – LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-02-24 12:12:20 CET; 2 weeks 4 days ago
 Main PID: 1030501 (keepalived)
    Tasks: 2 (limit: 100914)
   Memory: 1.8M
   CGroup: /system.slice/keepalived.service
           ├─1030501 /usr/sbin/keepalived -D
           └─1030502 /usr/sbin/keepalived -D

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

[root@server2:~]# systemctl restart keepalived.service
[root@server2:~]# systemctl status keepalived

6. Monitoring VRRP traffic of the two keepaliveds with tcpdump

Once both keepaliveds are up and running, a good thing is to check that the VRRP protocol traffic keeps flowing on both machines.
Keepalived VRRP communicates over IP protocol number 112 (VRRP is its own IP protocol, not a TCP port), sending advertisements to the multicast address 224.0.0.18 (vrrp.mcast.net), so you can simply snoop on that protocol:
 

[root@server1:~]# tcpdump proto 112

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:08:07.356187 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:08.356297 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:09.356408 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:10.356511 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:11.356655 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20

[root@server2:~]# tcpdump proto 112

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:08:07.356187 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:08.356297 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:09.356408 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:10.356511 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:11.356655 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20

As you can see, the VRRP traffic on the network originates only from server1lb-fqdn; this is so because host server1lb-fqdn is the keepalived configured master node.

It is possible to spoof the password configured to authenticate the two nodes, as with VRRPv2 'simple' authentication it travels in clear text with every advertisement (see the -vv capture below, where the auth string is readable). Thus if you're bringing up a keepalived service cluster make sure your security is tight: at best the machines should be in a special local LAN DMZ, and do not run the VRRP traffic over the Internet !!! 🙂 If you eventually decide to configure keepalived between remote hosts, make sure you tunnel the VRRP traffic through an encrypted VPN or SSH tunnel.

[root@server1:~]# tcpdump proto 112 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:36:25.530772 IP (tos 0xc0, ttl 255, id 59838, offset 0, flags [none], proto VRRP (112), length 40)
    server1lb-fqdn > vrrp.mcast.net: vrrp server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20, addrs: VIPIP_QA auth "testp431"
11:36:26.530874 IP (tos 0xc0, ttl 255, id 59839, offset 0, flags [none], proto VRRP (112), length 40)
    server1lb-fqdn > vrrp.mcast.net: vrrp server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20, addrs: VIPIP_QA auth "testp431"
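The following turns the tcpdump output above into a check that can run on a schedule. It is an added example, not from the article: it reads one-line `tcpdump proto 112` advertisements (constructed copies of the lines above; the server2lb-fqdn advertiser in the second sample is constructed) and reports when more than one host advertises vrid 50, when the advertiser is not the expected master, and when the authentication is the cleartext 'simple' type.

```shell
#!/bin/sh
# Added example (not from the article): audit VRRP advertisements captured
# with "tcpdump proto 112" (the default one-line format, not -v/-vv).
# Capture lines below are constructed.

# advertisers <vrid> : unique sources that advertise <vrid>, tcpdump lines on stdin
advertisers() {
    awk -v want="$1" '
        /VRRPv2, Advertisement/ {
            v = ""
            for (i = 1; i <= NF; i++) if ($i == "vrid") { v = $(i + 1); sub(/,/, "", v) }
            if (v == want) print $3          # $3 is the source host (an IP with tcpdump -nn)
        }' | sort -u
}

# auth_types <vrid> : unique "authtype" values seen for <vrid>
auth_types() {
    awk -v want="$1" '
        /VRRPv2, Advertisement/ {
            v = ""; a = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "vrid")     { v = $(i + 1); sub(/,/, "", v) }
                if ($i == "authtype") { a = $(i + 1); sub(/,/, "", a) }
            }
            if (v == want) print a
        }' | sort -u
}

# audit_vrrp <vrid> <expected-master> : tcpdump lines on stdin; prints findings, returns their count
audit_vrrp() {
    vrid=$1; expected=$2; findings=0
    capture=$(cat)
    srcs=$(printf '%s\n' "$capture" | advertisers "$vrid")
    n=$(printf '%s\n' "$srcs" | grep -c . || true)
    if [ "$n" -eq 0 ]; then
        echo "no advertisements for vrid $vrid: master down, or capturing on the wrong interface"
        findings=$((findings + 1))
    elif [ "$n" -gt 1 ]; then
        echo "vrid $vrid is advertised by $n hosts ($(echo $srcs)): split brain or a rogue master"
        findings=$((findings + 1))
    fi
    for s in $srcs; do
        [ "$s" = "$expected" ] || { echo "unexpected advertiser $s for vrid $vrid"; findings=$((findings + 1)); }
    done
    for a in $(printf '%s\n' "$capture" | auth_types "$vrid"); do
        [ "$a" != "simple" ] || { echo "vrid $vrid uses authtype simple: auth_pass crosses the wire in cleartext"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Constructed capture: healthy cluster, only the master advertises.
CAPTURE_OK='11:08:07.356187 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20
11:08:08.356297 IP server1lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 53, authtype simple, intvl 1s, length 20'

# Constructed capture: both nodes believe they are master for vrid 50.
CAPTURE_SPLIT="$CAPTURE_OK
11:08:08.401122 IP server2lb-fqdn > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 52, authtype simple, intvl 1s, length 20"

echo "== healthy capture =="
printf '%s\n' "$CAPTURE_OK" | audit_vrrp 50 server1lb-fqdn || echo "$? finding(s)"
echo "== split-brain capture =="
printf '%s\n' "$CAPTURE_SPLIT" | audit_vrrp 50 server1lb-fqdn || echo "$? finding(s)"
```

On a live node the input comes from `tcpdump -nn -l proto 112`, in which case the expected master is its IP rather than its hostname.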

Lets also check what floating IP is configured on the machines:

[root@server1:~]# ip -brief address show
lo               UNKNOWN        127.0.0.1/8 
eth0             UP             10.10.10.5/26 10.10.10.1/32 

The 10.10.10.5 IP is the main IP set on LAN interface eth0, 10.10.10.1 is the floating IP which as you can see is currently set by keepalived to listen on first node.

[root@server2:~]# ip -brief address show |grep -i 10.10.10.1

An empty output is returned as floating IP is currently configured on server1

To doubly assure ourselves the IP is assigned on the correct machine, let's ping it and check which machine the MAC address currently associated with the IP belongs to.
 

[root@server2:~]# ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.526 ms
^C
— 10.10.10.1 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.526/0.526/0.526/0.000 ms

[root@server2:~]# arp -an |grep -i 10.10.10.1
? (10.10.10.1) at 00:48:54:91:83:7d [ether] on eth0
[root@server2:~]# ip a s|grep -i 00:48:54:91:83:7d
[root@server2:~]# 

As you can see from the above output, the MAC is not found among the configured interfaces on server2.
 

[root@server1-fqdn:~]# /sbin/ip a s|grep -i 00:48:54:91:83:7d -B1 -A1
 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:48:54:91:83:7d brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/26 brd 10.10.1.191 scope global noprefixroute eth0

Pretty much expected MAC is on keepalived node server1.

 

7. Testing that the VIP floating IP on the server1 and server2 machines really works

To test the overall configuration just created, you should stop keepalived on the Master node and meanwhile keep an eye on the Slave node (server2), to see whether it figures out the Master node is gone and switches its state from BACKUP to MASTER. When the secondary (Slave) keepalived becomes master, the floating IP 10.10.10.1 will be brought up on server2.

Let's assume that something went wrong with the server1 VM host, for example the machine crashed due to service overload, DDoS, or simply a kernel bug or whatever other reason.
To simulate that we simply stop keepalived; the advertisements on VRRP (IP protocol 112) will then no longer arrive, and keepalived on node server2, once it can no longer hear server1, should change itself to state MASTER:

[root@server1:~]# systemctl stop keepalived
[root@server1:~]# systemctl status keepalived

● keepalived.service – LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2022-03-15 12:11:33 CET; 3s ago
  Process: 1192001 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1192002 (code=exited, status=0/SUCCESS)

Mar 14 18:59:07 server1lb-fqdn Keepalived_vrrp[1192003]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:32 server1lb-fqdn systemd[1]: Stopping LVS and VRRP High Availability Monitor…
Mar 15 12:11:32 server1lb-fqdn Keepalived[1192002]: Stopping
Mar 15 12:11:32 server1lb-fqdn Keepalived_vrrp[1192003]: (LB_VIP_QA) sent 0 priority
Mar 15 12:11:32 server1lb-fqdn Keepalived_vrrp[1192003]: (LB_VIP_QA) removing VIPs.
Mar 15 12:11:33 server1lb-fqdn Keepalived_vrrp[1192003]: Stopped – used 2.145252 user time, 15.513454 system time
Mar 15 12:11:33 server1lb-fqdn Keepalived[1192002]: CPU usage (self/children) user: 0.000000/44.555362 system: 0.001151/170.118126
Mar 15 12:11:33 server1lb-fqdn Keepalived[1192002]: Stopped Keepalived v2.1.5 (07/13,2020)
Mar 15 12:11:33 server1lb-fqdn systemd[1]: keepalived.service: Succeeded.
Mar 15 12:11:33 server1lb-fqdn systemd[1]: Stopped LVS and VRRP High Availability Monitor.

 

When keepalived goes down, you will also get a notification email at the recipient address configured in keepalived.conf, sent by the working keepalived node, with a simple message like:

=> VRRP Instance is no longer owning VRRP VIPs <=

Once keepalived is back up you will get another notification like:

=> VRRP Instance is now owning VRRP VIPs <=

[root@server2:~]# systemctl status keepalived
● keepalived.service – LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-03-14 18:13:52 CET; 17h ago
  Process: 297366 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 297367 (keepalived)
    Tasks: 2 (limit: 100914)
   Memory: 2.1M
   CGroup: /system.slice/keepalived.service
           ├─297367 /usr/sbin/keepalived -D -S 7
           └─297368 /usr/sbin/keepalived -D -S 7

Mar 15 12:11:33 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:33 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:33 server2lb-fqdn Keepalived_vrrp[297368]: Remote SMTP server [127.0.0.1]:25 connected.
Mar 15 12:11:33 server2lb-fqdn Keepalived_vrrp[297368]: SMTP alert successfully sent.
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: (LB_VIP_QA) Sending/queueing gratuitous ARPs on eth0 for 10.10.10.1
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1
Mar 15 12:11:38 server2lb-fqdn Keepalived_vrrp[297368]: Sending gratuitous ARP on eth0 for 10.10.10.1

[root@server2:~]#  ip addr show|grep -i 10.10.10.1
    inet 10.10.10.1/32 scope global eth0
    

As you see, the VIP is now set on server2, just as expected; everything works. If the IP did not move, double check keepalived.conf on both nodes for errors or misconfigurations.

To recover the initial order of things, so that server1 is MASTER and server2 SLAVE, we just have to switch keepalived back on on the server1 machine:

[root@server1:~]# systemctl start keepalived

The automatic change of server1 back to MASTER and the respective move of the VIP happen because of the higher priority we previously configured on server1 in keepalived.conf.
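To make the failover check above repeatable, here is an added example (not from the article) that decides from each node's ip / arp output whether the VIP sits on exactly one node and whether the MAC answering for it belongs to that node; both nodes holding the VIP at once is the split-brain case that appears when VRRP advertisements no longer get through. The node outputs are constructed from the article's values, the server2 MAC 00:48:54:91:83:7e is constructed, and the "node=text" argument convention is this script's own.

```shell
#!/bin/sh
# Added example (not from the article): verify VIP placement after a failover
# from "ip -brief address show", "ip addr show" and "arp -an" output.
# All node outputs below are constructed sample data.

VIP=10.10.10.1

# "ip -brief address show" on each node, before and after stopping keepalived on server1 (constructed).
SERVER1_BEFORE='lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.10.10.5/26 10.10.10.1/32'
SERVER2_BEFORE='lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.10.10.6/26'
SERVER1_AFTER='lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.10.10.5/26'
SERVER2_AFTER='lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.10.10.6/26 10.10.10.1/32'

# "ip addr show" link lines per node and the arp entry seen before the failover (constructed).
SERVER1_LINK='    link/ether 00:48:54:91:83:7d brd ff:ff:ff:ff:ff:ff'
SERVER2_LINK='    link/ether 00:48:54:91:83:7e brd ff:ff:ff:ff:ff:ff'
ARP_BEFORE='? (10.10.10.1) at 00:48:54:91:83:7d [ether] on eth0'

# vip_holders <vip> <node=text>... : names of the nodes whose "ip -brief address show" output carries <vip>
vip_holders() {
    vip=$1; shift
    for pair in "$@"; do
        node=${pair%%=*}; text=${pair#*=}
        # -F keeps the dots literal; the trailing "/" stops 10.10.10.1 matching 10.10.10.10
        printf '%s\n' "$text" | grep -qF " $vip/" && echo "$node"
    done
    return 0
}

# check_vip <vip> <node=text>... : 0 = VIP on exactly one node, 1 = VIP nowhere, 2 = split brain
check_vip() {
    holders=$(vip_holders "$@")
    count=$(printf '%s\n' "$holders" | grep -c . || true)
    case $count in
        0) echo "VIP $1 is not configured on any node: check keepalived on both"; return 1 ;;
        1) echo "VIP $1 is held by $holders"; return 0 ;;
        *) echo "SPLIT BRAIN: VIP $1 is held by $count nodes ($(echo $holders))"; return 2 ;;
    esac
}

# arp_mac <ip> : MAC that the "arp -an" output on stdin maps <ip> to (lowercased, empty if absent)
arp_mac() {
    awk -v ip="($1)" '$2 == ip { print tolower($4); exit }'
}

# mac_owner <mac> <node=text>... : node whose "ip addr show" output carries link/ether <mac>
mac_owner() {
    mac=$1; shift
    for pair in "$@"; do
        node=${pair%%=*}; text=${pair#*=}
        printf '%s\n' "$text" | grep -qiF "link/ether $mac " && echo "$node"
    done
    return 0
}

# vip_consistent <vip> <arp-text> <expected-holder> <node=link-text>... : 0 when the MAC answering for <vip> belongs to <expected-holder>
vip_consistent() {
    vip=$1; arp=$2; holder=$3; shift 3
    mac=$(printf '%s\n' "$arp" | arp_mac "$vip")
    owner=$(mac_owner "$mac" "$@")
    if [ -n "$mac" ] && [ "$owner" = "$holder" ]; then return 0; else return 1; fi
}

echo "== before stopping keepalived on server1 =="
check_vip "$VIP" "server1=$SERVER1_BEFORE" "server2=$SERVER2_BEFORE" || true
if vip_consistent "$VIP" "$ARP_BEFORE" server1 "server1=$SERVER1_LINK" "server2=$SERVER2_LINK"; then
    echo "ARP answer for $VIP comes from server1's MAC, as expected"
fi
echo "== after failover =="
check_vip "$VIP" "server1=$SERVER1_AFTER" "server2=$SERVER2_AFTER" || true
echo "== both nodes claiming the VIP =="
check_vip "$VIP" "server1=$SERVER1_BEFORE" "server2=$SERVER2_AFTER" || true
```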
 

What we learned?

So what did we learn in this article?
We have seen how to easily install and configure a High Availability load balancer with Keepalived with a single floating VIP IP address, with 1 MASTER and 1 SLAVE host, and a Haproxy example config with a few frontends / App backends. We have seen how the config can be tested for potential errors, how we can monitor whether the VRRPv2 network traffic flows between the nodes, and how to debug it further if necessary.
Further on, I roughly explained some of the keepalived configuration options, but as keepalived can do pretty much more, anyone seriously willing to deal with keepalived on a daily basis, or just to fine-tune an already existing setup, had better read closely its manual page "man keepalived.conf" as well as the official Redhat Linux documentation page on setting up a Linux cluster with Keepalived (be prepared for a small nightmare, as its documentation seems to be a bit chaotic, and I would even say partly missing or leaving open questions on what the developers meant – not strange considering the havoc that is pretty much everywhere these days).

Finally, once the keepalived hosts were prepared, it was shown how to test the keepalived application cluster and that the floating IP does move between nodes in case one of the 2 keepalived nodes is inaccessible.

The same logic can be repeated multiple times, and if necessary you can set multiple VIPs to expand the HA-reachable IPs solution.

The presented idea is a haproxy forward proxy server proxying requests towards the application backend (service machines); however, if you need to add another set of servers to the flow to process HTML / XHTML / PHP / Perl / Python code, with some common webserver setup (Nginx / Apache / Tomcat / JBoss), and enable an SSL certificate with, let's say, Letsencrypt, this can be relatively easily done. If you want to implement letsencrypt and a webserver, check this redundant SSL Load Balancing with haproxy & keepalived article.

That's all folks, hope you enjoyed.
If you need to configure a keepalived Cluster or a consultancy, write your query here 🙂

Saint Holy Righteous Joachim and Anne, the parents of The Virgin Mary Mother of God: feast in the Eastern Orthodox Church

Thursday, December 9th, 2021


The feast day is celebrated today, December 9th, in our Mother Church the Holy Eastern Bulgarian Orthodox Church.
The name Joachim is derived from (/ˈdʒoʊəkɪm/; Hebrew: יְהוֹיָקִים Yəhōyāqīm, meaning "he whom Yahweh has set up"; Greek Ἰωακείμ Iōākeím).
Anne, alternatively spelled Ann, is a form of the Latin female given name Anna. This in turn is a representation of the Hebrew Hannah, which means 'favour' or 'grace'. Saint Joachim was a descendant of the bloodline of Saint King David (the one to whom the Psalms section of the Bible is ascribed), and Anna descends from Aaron, the brother of Moses (who is the father of the priestly family line in Judaism).

Saint Joachim and Saint Anne are two less known saints nowadays, even though in the Middle Ages this feast was enormously popular in both the Orthodox Christian East and the Roman Catholic West.

St. Joachim and St. Anne (Anna) have been called Holy Righteous by the Church for a good reason, for they possessed immense sanctity, such as only a few of those born on earth ever have. They were called Saint, Holy and Righteous for a reason, and perhaps few know that there is a hierarchy of sanctity in the Church; the reason for this accent of 3 words by the Church fathers is to emphasize that the couple St. Joachim and St. Anne had exceeding grace.
Saint Joachim and Saint Anne, just like the Holy Family of the Holy Virgin Mary and Saint Joseph, are the Christian model for a perfect family in virtues, which all Christian families should try to follow to their maximum. The celebration of the feast of St. Joachim and St. Anne seems to have been placed on purpose during the Christmas fasting period, as another preparation for the Great feast of Christ-mass, known in the Church as the Nativity (which is improperly and unknowingly profaned by many with the abbreviation XMAS).

Let us shortly see a few details of the earthly life of the two saints and why the Holy Fathers who prepared the Life we read today call them with these grandiose epithets – Saint, Holy and Righteous.


Holy

  • They lived all their life in service to the sick, the poor, the hungry and the weak, and dedicated all their God-given lifetime to serving all who begged in need.
  • They prayed regularly and at length for the goodness of mankind and of families all around.
  • They strictly followed God's Old Testament Jewish laws.


Righteous


The English word Righteous stems from the word 'Right' for a good reason, as in the light of the Holy Scriptures the right side has always been associated with good and with salvation. We know from Revelation that when the time comes for God to judge the nations and everyone's individual deeds, as Christ has told in the Gospel, those who have done right (e.g. they have done good) and persevered to do good things throughout their short lifetime will be put on the right side of God – those are the so called sheep of Christ; the unrighteous will be put at the left hand on the Judgement and will be cast out of the face of God because of their own unwillingness to receive and reflect the light of Christ. Just as the Moon reflects the light of the Sun, transfers it to the earth and gives light at night, each man's eternal God-given destination is to be such a receiver and reflector of the Grace of the Holy Spirit.
Saint Joachim and Saint Anne have been such reflectors to such an enormous degree that most of the light they received from God was transferred to the rest of their relatives and to the people whom they continuously helped, and, as we believe in the Orthodox Church, this process of re-emission of light is continuing even today. As we believe, those who have departed from this life and have been favourable to God are standing before the face of God, praying fervently and incessantly to God for the good of mankind.

Saint-Anne-detail-national-from_Faras_National-Museum-Warsaw

Saint Anne fresco from Faras Gallery in Warsaw


True Saints

Sainthood is a quality one receives as a gift from God, as we read in the patristic literature, and cannot be attained by deeds; however the greatest gifts of God were given to those who persevered through suffering, the greatest trials, persecution, shaming, hatred and lack of acceptance in society for their confession of the faith – this, as we know in the New Testament Church of Christ, is mostly seen in the Holy Martyrs who confessed Christ to the degree that they preferred to give their life and bodies to martyrdom rather than reject Christ.
Saint Joachim and Saint Anne, even though not physical martyrs, had the same perseverance even before the age of the Martyrs (which was at its highest degree in the first centuries, the 1st, 2nd and 3rd, until Christianity was legalized in the Roman Empire by Saint Constantine).

They longed for a child but remained childless into their old age (which can be equalled to martyrdom – many couples even today know how uneasy it is to live together for a very long time and not be able to have an heir).

Because of the continuous fasting periods they followed, St. Joachim and St. Anne did not have much physical intimacy (or sexual life, as we call it today); we know today that lack of intimacy doesn't bring babies, plus the fact that it was obviously God's desire for them to be childless until their very old age.
However, not realizing this, once they brought their thanksgiving offerings according to Jewish law they were shamed by the Jewish priest in the Solomon Temple in Jerusalem, even in their old age – (Jewish priests, just like our Christian priests, are absolutely forbidden to insult anyone, and insulting an old person was a taboo back then just like it is considered bad today) being blamed for not being able to bear a child.
Being shamed by a priest in the community of Jews was a terrible thing and some would even commit suicide.

Saint_Joakim_Joachim-Orthodox-icon

Others who had children jostled Joachim, thrusting him back as unworthy. In despair, he consulted the genealogical records of the tribes of Israel and discovered every righteous man in the nation had been blessed with children, except him.
This caused the aged saint great grief, and he and his wife left with heavy hearts.

However, as the couple was saintly, their reaction was to seclude themselves from people and pray secretly to God.
Saint Joachim went to the desert and fasted and prayed, grieving inhumanly for 40 days, and Saint Anne stayed and grieved in her garden for three reasons: first, she had never had the chance to become a mother; she had been publicly shamed in their community; and she did not know where her husband was, perhaps thinking he might have passed away somewhere because of his exceeding grief.

Sts. Joachim and Anna had been married for fifty years, and were barren. They lived devoutly and quietly, using only a third of their income for themselves and giving a third to the poor and a third to the Temple. Joachim had done this since he was 15-years-old, and God multiplied his flocks, so the couple was well provided for. 


The Miracle of Faith, Hope and Love – The Birth of the God-Mother the Queen of Heaven Virgin Mariam
 

Saint-Joachim-and-Anne-Chanter_Angelos_Akotandos_-_St_Anne_with_the_Virgin

God saw the great grief of the two and, as he is merciful, worked a great miracle just like with Abraham and Sarah, and gave them a blessed child to comfort their old age, who would later become the Holy Virgin Mary (Theotokos / Богородица), the Mother and Hope of all Humanity, from whom the Light of the World and Saviour Christ was born.

Holy-Righteous-Joachim-and-Saint-Anne-Birth-of-Virgin-Mary

God sent the Archangel Gabriel to each of them, who gave them tidings of the birth of "a daughter most blessed, by whom all the nations of the earth will be blessed, and through whom will come the salvation of the world." Each promised to have their child raised in the Temple as a holy vessel of God. The archangel told St. Joachim to return home, where he would find his wife waiting for him in the city gate. St. Anna he told to wait at the gate. When they saw one another, they embraced, and this image is the traditional icon of their feast.

Saint-Joachim-and-Anne-with-Holy-Virgin-Mary

St. Anna conceived shortly thereafter, and in the ninth month gave birth to the Blessed Virgin Mary. This Conception of the Most Holy Mother of God is celebrated by the Church on December 9 and the Nativity of the Theotokos is celebrated on September 8.

Ikona_Kopiya_Sveta_Pravednaya_Anna

Sts. Joachim and Anna took Mary, at the age of three, to the temple to be dedicated to the service of the Lord, and presented her to the priest Zechariahs. The parents then, after offering up her sacrifice (according to the custom of the time), left the Virgin with other maidens in the apartments of the temple to be brought up therein. The Church commemorates the Presentation of the Theotokos on November 21.

Although Anne receives little attention in the Latin Church prior to the late 12th century, dedications to Anne in Eastern Christianity occur as early as the 6th century.

Bistritsa Monastery of Saint Joachim and Saint Anne (near Sofia, Bulgaria)

The Bistritsa monastery "St. Yoakim and Anna" is located in the Mali dol part of the Vitosha mountain, about 2 km to the south-east of the village of Bistritsa.

Bistrishki-monastery-st-Joachim-and-st-Anna

Short History

According to priest Dragomir Kotev, author of regional studies of Bistritsa, during the time of Tsar Boris I or later during the rule of Simeon, a great temple was built there and was expanded during the Second Bulgarian Kingdom. It was part of the monastery complex called "The Little Mount Athos."

Bistritsa-monastery-st_Ioakim-Anna-Church

During the siege of the Ottomans and after strong resistance, the fortress and monastery were destroyed, and during the Ottoman domination the ruins of the old monastery were buried deep in the ground. The site was marked by a stone cross and people continued to gather at the sacred place. During excavations in the 20th century, the cross was discovered standing erect in what is today's holy throne in the temple. Now the cross can be seen outside the church.

Saint-Joachim-and-Anne-Bistritsa-near-Sofia-monastery-Cross

During the period of the Bulgarian Revival the memory for the monastery continued to exist.
The monastery "St. Peter", which had existed on its present place in the IX—X century, was destroyed by the Turks in the XIV century. Its foundations were discovered in 1925 and the present church was consecrated in 1950. After the Liberation of Bulgaria from Ottoman rule in 1878 the church was rebuilt as a chapel.

The construction of the present monastery is connected with the visions of the prophetess Bona Velinova. On Orthodox Sunday (the first Sunday of Lent) in 1925 she spent the night in fasting and prayer, and in the morning gave a detailed explanation of how the church destroyed by the Ottomans had looked. Bona ordered people to dig, and the foundations of the old temple were discovered. She said that it should be rebuilt and called after the holy family of Sts. Joachim and Anna. Since then, every year on Orthodox Sunday a solemn service takes place here. The new church was built with funds and volunteer work from local people in the period from 1936 to 1950 and was consecrated on August 6, 1950.

Legend has it that the treasures of the last Bulgarian kings are buried somewhere around. Not far from the monastery there is a spring. Here on Christian holidays, after services in the monastery, pilgrims come to drink water from the holy spring. They believe that this water cures eye diseases. 
During the period 1965-77 residential buildings were built. The complex consists of a parish church, the St. Ivan Rilski chapel and a massive building to its right, a kitchen and rooms. 

At present the monastery functions regularly. It is a complex including a church (single-nave, single-apse, with a cupola and inner and outer narthex) and residential and farm buildings. The church was built over a mound necropolis, and under the church nave there is a preserved ancient vault from the end of the IV – beginning of the V century (3.35 x 2.99 x 2.28 m), to which a stone staircase leads from the narthex.

Bistritsa-Monastery-saint-Joachim-and_Anne-near-Sofia-Church-view-to-altar

The iconostasis in the picture is from the palace (chapel) of the last Bulgarian King Boris III. It was brought to the monastery after 1944.

May by the Holy Prayers of Saint Joachim and Saint Anne God grant mercy and Grace to all families everywhere and to everyone that is grieving,
and may God provide his abundant consolation of the Holy Spirit so we can endure the temptations and hardships of life!

Amen

Saint Georgi of Sofia “the Newest” Bulgarian Confessor Christian saint martyred 1534 AD during reign of Turkish Sultan Selim in Medieval Serdika (Sofia)

Tuesday, June 1st, 2021

Saint-Martyr-George-of-Sofia-Georgi-Sofijski-in-traditional-wear-kalpak

Troparion, voice 4
With a soul wounded by the love of your God, wise George the Glorious, you preached Christ God to the ungodly and trampled with your feet the Turkish heresy; and when you adorned yourself with the crown of martyrdom, you ascended to the heavenly multitudes: ask Christ God to preserve your homeland, this city (Sofia) and the people who always honour your deeds.

On the 26th of May the Bulgarian Orthodox Church celebrates the memory of one of the great Bulgarian martyr saints, Saint Georgi the Newest (С~тый Геԝ̀ргїй Софїѝскїй Новѣ̀йшїй).
St. Georgi (the Bulgarian equivalent of the name George) is one of the 3 saints bearing the name Georgi who confessed Christianity, refused to accept Islam and accepted martyrdom for Christ in the period from 1396 till the year 1530, and one of the 9 famous Sofia city saints. Saint Georgi of Sofia the Newest was named after Saint George, highly venerated in Bulgaria just like in the whole Christian world.

saint-Georgi-Sofijski-saint-great-martyr-George-and-The-Mother-of-God-iconostasis

St. Georgi was born in the city of medieval Sofia (Sredetz), the fortress of Serdika, today's Sofia, in the family of Ivan and Maria – a wealthy and socially recognized family of that time. He was born after fervent and lengthy prayers of his parents, who couldn't have children for a long time and were given a child by the prayers of Saint Great Martyr George.
It is important to say Georgi (the newest) celebrated on 26-th of May is a different saint from St. Georgi called “the new” whose memory in the Church is commemorated on 11-th of February.

saint-Georgi-Sofijski-noveishij-icon

Miracle making icon of saint Georgi Sofiyski (currently in the Church in yard of Alexandrovska Hospital Sofia)

The young Georgi quickly learned to write and read, skills that only the most educated people, usually coming from noble families, had. His favourite activity
in his free time, when he was not helping his parents, was reading the Holy Scriptures.
He was raised by his parents in Christian goodness and fervency for the Christian faith.

Sveti_Georgi_Novi-Sofijski-wall-painting-icon-st-George-Sofia
Aged 25 he was orphaned as his beloved father passed away to Christ. Georgi possessed an extraordinary beauty, sharp mind and virtues; seeing the young man in his grief, the local Turkish authorities tried, as they usually did, to attract the youngster to the Islamic faith, to make their way to interact with Georgi and do their business easier and, most importantly, to have Georgi in their authorities' congregation, which consisted only of people belonging to Islam, as was required by the Ottoman Turkish constitutional law of the day.

To attract Georgi, the Turks first tried with hypocritical kindness and care for the young man, to help him rise in the power of the authorities of the city; not succeeding with that, they forcefully wrapped the Muslim turban on his head and proclaimed him officially Muslim. Feeling offended by the ungodly deed of these enemies of Christ, the saint immediately threw the imposed turban on the ground and trampled on it.
The enraged Muslim crowd, seeing his public offence against the prophet Muhammad, handed him over to the Qadi in the court.

Neither the seductive promises of high office nor the cruel tortures could break the unshakable firmness of his Christian faith. The judge ordered that his body be cut into strips from head to toe and that the wounds received be scorched with dirty candles, which made the martyr’s body so hot that his face could not be seen. But all efforts were in vain.

The final verdict of the judge followed – Georgi was to be hanged at the main barn in the city of Sofia, where there was a furnace for melting iron and copper ore. The execution command also stated that his body should remain on the gallows for three days in order to begin to decay, so that the faith of the Christians in the incorruptible relics of the saints and in the resurrection of the dead would be refuted and hence Christianity disgraced. However, exhausted from his suffering, the martyr Georgi died at the hands of the executioners before they managed to hang him. To fulfil the command, the Turks anyhow hung him on a rope to show the sentence had been successfully carried out.

For three days the body hung on the gallows without any sign of decomposition; on the contrary, an unusual fragrance from the holy relics of the martyr wafted through the barn. His mother sat under the gallows and, grieving her beloved son, hugged her son's legs, staying next to her son for three days. The hanging took place on May 26, 1530 (according to other documentary sources in 1534). Thus on the 26th of May the Church set a service in memoriam.

Ancient-Church-ROtonda-St-George-Sofia-Bulgaria

5-th Century Church of Rotonda St. George Centre of Sofia

The-Grave-of-Saint-Georgi-Sofiyski-Grobat-na-sv-Georgi-nai-novi

Saint Georgi Sofiyski / Saint George of Sofia the Newest grave near the Rotonda Church Saint George in the City Center of Sofia, Bulgaria

After the expiration of the sentence, the kadi handed over the body of the martyr to be buried in a Christian way, and the burial was solemnly performed by the then Metropolitan of Sofia Jeremiah in the church “St. the great martyr George the Victorious ”. Now these relics are in obscurity. The mother of the martyr died on the 40th day of George’s death and was buried at her son’s feet.

These events took place during the reign of Sultan Suleiman I Kanuni (the Legislator) also known as Suleiman the Magnificent. This “Golden Age” for the Ottoman Empire was a time of unheard of atrocities against Christians in the territory of the empire and very difficult times for the Bulgarian people. The reign of Suleiman I and his father Selim I was a time of obscurantism and severe persecution of the Christian population, a time during which many Christian new martyrs on Balkans had the courage to defend their faith.

saint-Georgi-Sofijski-newest-icon-painting

The capture, trial and torture of St. George of Sofia the Newest took place near the then Sofia. Today the place is located in the yard of the famous Alexandrovska Hospital, which was a King's hospital during the times of the Kingdom of Bulgaria after the liberation from the Turks took place in 1878. The exact location where the martyrdom occurred is between "St. Georgi Sofiyski" street and "Pencho Slaveykov" Blvd.

There was a large stone cross with an inscription on the site, which a few years after 1944, due to the risk of being destroyed, was collected by Sofia priests and is still preserved in the altar of the church "St. Georgi Pobedonosets" on "Patriarch Euthymius" Blvd. Until the 1940s, a liturgical procession was held from the place of death of the saint to the Rotunda on May 26.
Nowadays, happily, the old Lithia tradition is being renewed and a small Lithia is conducted by Bulgarian Orthodox Christian clergy and laymen.

In the garden next to the building of the Second Surgical Clinic there was a stone cross, which indicated the place and history of the martyrdom of the saint, and today a temple was built in honor of the saint.

Church-of-saint-Georgi-Sofijski-in-Alexandrovska-hospital-Sofia-Bulgaria-the-place-of-martyrdom-of-saint-Georgi-Sofijski
source: Lives of the Saints. Synodal Publishing House, Sofia, 1991, edited by Parthenius, Bishop of Lefkada and Archimandrite Dr. Athanasius (Bonchev).

Saint_Georgi-naj-novi_Sofijski

HOLY MARTYR GEORGE OF SOFIA THE NEWEST, PRAY GOD FOR US!

Deny DHCP Address by MAC on Linux

Thursday, October 8th, 2020

Deny DHCP addresses by MAC – ignore a MAC so it is not leased by DHCPD on GNU / Linux howto

I have not blogged for a long time due to being on a few weeks' vacation and being at home with a small cute baby. However, as a hardcore and a bit of a dumb System administrator, I have spent some of my vacation working on bringing up www.pc-freak.net and the other websites hosted as high availability ones, living on 2 webservers running on a Master to Master MySQL Replication backend database; this is all hosted on servers set to run as round robin DNS hosts on 2 machines, one old Lenovo ThinkCentre Edge71 as well as a brand new real Lenovo server, a Lenovo ThinkServer SD350 with 24 CPUs and 32 GB of RAM.
To assure Internet connectivity has a good degree of redundancy and ensure the websites hosted on both machines are not going to die if one of the two configured Fiber Optics Internet Providers, Bergon.NET, has some issues, I've rented another Internet Provider line bought from the VIVACOM Mobile Fiber Internet provider – that is a 1 Gigabit Fiber Optics line.
Next to that, to guarantee that the Database, Webserver, MailServer, Memcached and other running services do not hit downtimes due to electricity power outage, two powerful Uninterruptible Power Supplies (UPS), FSP Fortron devices, are connected to the servers, each of which could keep the machine and the connected switches and servers up for up to 1 hour.

The machines are configured to use dhcpd to distribute IP addresses and the main node is set to distribute IPs; however there is a local LAN network with a number of personal work PCs, wireless devices, testing computers and a few virtual machines, and the IPs are being distributed in a sequential manner via an ISC DHCP server.

As always, to make everything work properly, I had again a bit weird non-standard requirement: to make some of the computers within the network use static IP addresses and the others receive their IPs via DHCP (Dynamic Host Configuration Protocol), and to add a filter for the MAC addresses of the machines configured with static IP addresses, to prevent the DHCP (daemon) server from automatically reassigning IPs to these machines.

After a bit of googling and pondering I've done it on some of the machines; therefore, to save others the effort of looking around for how to set certain computers / servers (by their network card interfaces' MAC addresses) on the LAN network to use static IPs and instruct the DHCP server to ignore any broadcast IP address lease requests if they're destined to a set of IGNORED MACs, I came up with this small article.

Here is the DHCP server /etc/dhcp/dhcpd.conf from my Debian GNU / Linux (Buster) 10.4

 

option domain-name "pcfreak.lan";
option domain-name-servers 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220;
max-lease-time 891200;
authoritative;
class "black-hole" {
    match substring (hardware, 1, 6);
    ignore booting;
}
subclass "black-hole" 18:45:91:c3:d9:00;
subclass "black-hole" 70:e2:81:13:44:11;
subclass "black-hole" 70:e2:81:13:44:12;
subclass "black-hole" 00:16:3f:53:5d:11;
subclass "black-hole" 18:45:9b:c6:d9:00;
subclass "black-hole" 16:45:93:c3:d9:09;
subclass "black-hole" 16:45:94:c3:d9:0d;
subclass "black-hole" 60:67:21:3c:20:ec;
subclass "black-hole" 60:67:20:5c:20:ed;
subclass "black-hole" 00:16:3e:0f:48:04;
subclass "black-hole" 00:16:3e:3a:f4:fc;
subclass "black-hole" 50:d4:f5:13:e8:ba;
subclass "black-hole" 50:d4:f5:13:e8:bb;
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers                  192.168.0.1;
        option subnet-mask              255.255.255.0;
}
host think-server {
        hardware ethernet 70:e2:85:13:44:12;
        fixed-address 192.168.0.200;
}
default-lease-time 691200;
max-lease-time 891200;
log-facility local7;

To save you copy-paste efforts, a file with the Deny DHCP Address by MAC Linux configuration is here.
Of course I have replaced the MAC addresses with dummy ones to avoid leaking data, but I guess the idea behind the MAC ADDR ignore is quite clear.

The main configuration doing the trick, to ignore certain MAC addresses that are reachable on the connected hardware switch of the device, is like so:

class "black-hole" {
    match substring (hardware, 1, 6);
    ignore booting;
}
subclass "black-hole" 18:45:91:c3:d9:00;


The Deny DHCP Address by MAC approach is described on the isc.org distribution lists here, but it seems the documentation on how to Deny / IGNORE DHCP addresses by MAC address on Linux has been quite obscure and limited online.
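As an added illustration (not part of the original post and not ISC dhcpd's own code), here is a small Python script that reads the `black-hole` class, its `subclass` MACs and the `host` reservations out of a dhcpd.conf-style text, reproduces what `match substring (hardware, 1, 6)` selects (dhcpd's `hardware` expression is one hardware-type byte followed by the address bytes, so offset 1, length 6 is exactly the Ethernet MAC), and then decides for sample client MACs whether dhcpd would ignore them, answer with a reservation, or lease from the pool. It also flags a MAC that appears both as a `subclass` of the ignore class and in a `host` reservation, since `ignore booting` suppresses any reply and such a reservation can never be handed out. The embedded configuration, MAC addresses and IPs are constructed for the example and are not the post's real values. MAC matching is housekeeping for a trusted LAN, not access control: a client can present any hardware address it likes.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of the post's dhcpd.conf (MACs and IPs are placeholders).
SAMPLE_CONF = """
class "black-hole" {
    match substring (hardware, 1, 6);
    ignore booting;
}
subclass "black-hole" 18:45:91:c3:d9:00;
subclass "black-hole" 70:E2:81:13:44:11;
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
}
host think-server {
        hardware ethernet 70:e2:85:13:44:12;
        fixed-address 192.168.0.200;
}
host old-printer {
        hardware ethernet 18:45:91:C3:D9:00;
        fixed-address 192.168.0.50;
}
"""

MAC_RE = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"


def normalize_mac(mac: str) -> bytes:
    """Turn 'aa:BB:cc:..' into six raw bytes; dhcpd compares address bytes, not text."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_ignored_macs(conf: str, class_name: str = "black-hole") -> Set[bytes]:
    """Collect every `subclass "<class>" <mac>;` statement for the ignore class."""
    pat = re.compile(r'subclass\s+"%s"\s+(%s)\s*;' % (re.escape(class_name), MAC_RE))
    return {normalize_mac(m) for m in pat.findall(conf)}


def parse_fixed_hosts(conf: str) -> Dict[bytes, Tuple[str, str]]:
    """Map hardware-ethernet MAC -> (host name, fixed-address) for each host block."""
    hosts: Dict[bytes, Tuple[str, str]] = {}
    for name, body in re.findall(r"host\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        hw = re.search(r"hardware\s+ethernet\s+(%s)" % MAC_RE, body)
        ip = re.search(r"fixed-address\s+([0-9.]+)", body)
        if hw and ip:
            hosts[normalize_mac(hw.group(1))] = (name, ip.group(1))
    return hosts


def hardware_field(mac: bytes, htype: int = 1) -> bytes:
    """dhcpd's `hardware` expression: one type byte (1 = Ethernet) followed by the address."""
    return bytes([htype]) + mac


def decide(conf: str, client_mac: str) -> str:
    """What dhcpd would do for a DISCOVER/REQUEST from client_mac under this config."""
    ignored = parse_ignored_macs(conf)
    fixed = parse_fixed_hosts(conf)
    hw = hardware_field(normalize_mac(client_mac))
    mac = hw[1:7]                        # substring(hardware, 1, 6): skip the type byte
    if mac in ignored:
        return "ignore"                  # class "black-hole" -> ignore booting: no reply
    if mac in fixed:
        return "fixed:" + fixed[mac][1]  # host reservation answered with its fixed-address
    return "pool"                        # anything else is leased from the subnet range


def find_conflicts(conf: str) -> List[str]:
    """MACs that are both ignored and reserved: the reservation can never be served."""
    both = parse_ignored_macs(conf) & set(parse_fixed_hosts(conf))
    return sorted(fmt_mac(m) for m in both)


if __name__ == "__main__":
    for mac in ("70:e2:81:13:44:11", "70:E2:85:13:44:12", "00:16:3e:00:00:01"):
        print(f"{mac} -> {decide(SAMPLE_CONF, mac)}")
    print("conflicting reservations:", find_conflicts(SAMPLE_CONF))
```

Run it against your real /etc/dhcp/dhcpd.conf by replacing `SAMPLE_CONF` with the file's contents; the conflict list is the thing worth checking before `dhcpd -t`, because a MAC that is both black-holed and reserved is syntactically valid and dhcpd will not warn about it.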

As you can see in the above config, the time after which an IP lease is freed up and a new lease is handed out by the server is increased a lot, as DHCP servers often use a max-lease-time like 1 hour (3600 seconds); the reason for increasing the lease time to about 10 days is that the IPs in my network change very rarely, so it is a waste of CPU cycles to do frequent lease renewals.

default-lease-time 691200;
max-lease-time 891200;


As you see, to guarantee resolving always works as expected I have configured the Google Public DNS and OpenDNS IPs:

option domain-name-servers 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220;


One hint to make is that, after setting up all the desired config in the standard config location /etc/dhcp/dhcpd.conf, it is always a good idea to test the configuration before reloading the running dhcpd process:

 

root@pcfreak: ~# /usr/sbin/dhcpd -t
Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
 

That's all folks; with this sample config the machines whose MACs are listed under subclass "black-hole", which have local LAN static IP addresses, will never be offered leases anymore from the ISC DHCP.
Hope this stuff helps someone, enjoy, and in case you need colocation of a server or website hosting for a really cheap price on the newly set up High Availability machines described above, open an inquiry on https://web.www.pc-freak.net.

 

How to Remove Firefox TABS all time Moving Backward / Forward (Waiting) Wheel cursor – Browser and OS Wheel Ring cursor might affect hypnotically

Monday, September 7th, 2015

remove-firefox-tabs-all-time-annoying-moving-back-forward-waiting-wheel-cursor-browser-and-ring-cursor-might-affect-you-hypnotically

I've been annoyed for quite a long time by the clockwise moving backward and forward wheel (ring) on top of browser tabs every time I navigate to a new Internet domain or request a resource on the Net.

I'm aware that seeing the wheel move back and forward all the time is a very bad manipulation technique that was often used in advertisements in old movies and at the start of some video advertisements. I'm talking about the infamous backward counting technique in a circle (it was more commonly used in the dawn of television) aiming to induce the watcher's mind into a hypnotic state …

back-counting-10-9-8-7-manipulation-technique-to-make-your-mind-susceptible

Those who have a degree in psychology or have been in the marketing or human resources fields, or any field where you have to influence the masses, are already aware of the backward counting methodology which has been practiced heavily by hypnosis practitioners such as Sigmund Freud: to induce any kind of hypnotic state the hypnotist always asks the subject of hypnotism to watch closely a clock moving back and forwards, often accompanied by counting backwards …

Well, my theory here is that the same technique is well known to those who planned the Windows OS, in which, if you remember, the sand clock was substituted in Windows 7 / 8 and Windows 10 with the rotating back and forward wheel, for the reason that this aims to influence people's minds to go from Beta state into Alpha state and thus make them feel more relaxed while doing stuff on the PC.

One thing to mention here is that the back and forward wheel is not only at OS level; it has been heavily adopted by leading Software as a Service (SaaS) UIs such as Google's and, probably more importantly, YouTube (have you noticed the cycling wheel when waiting for a YouTube movie to load?), and the wheel is also heavily incorporated in most if not all of the biggest websites on the Net. You may even have noticed that these days Google's cycling (waiting) wheel is not only cycling but has colour programming incorporated.

google-wheel-color-programming-example

Well probably many people who use computers daily did not really realize that the Computer OS and Programs GUI Interface they're using is influencing their mind and some famous psychological methods such as color programming and hypnotic tricks could be used more or less.

In that regard, as a Firefox user I decided to change the back and forward wheel to another one which will not trigger my subconsciousness / mind into Alpha state all the time while browsing the Net. As I'm not a Firefox expert and my quick research on search engines on how to change or remove the browser tabs' all-time turning wheel did not lead me to anything positive, I've consulted the experts in irc.freenode.net #firefox.

As always the guys were helpful and pointed me to the UserStyles.org website's Static-Throbber CSS. I've mirrored the CSS script under the name remove-firefox-tab-wheel-script.css in case UserStyles.org disappears in future; below is also a paste of the script:

@namespace url(https://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
@-moz-document url(chrome://browser/content/browser.xul) {
    .tab-throbber {
        list-style-image: url('data:image/png;base64,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') !important;
        animation-name: none !important;
    }
    .tab-throbber[progress] {
        list-style-image: url('data:image/png;base64,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') !important;
    }
}

To use the script you will first need to install the Stylish FF plugin, then:

Stylish-FireFox-plugin-screenshot-Windows-7-OS
 

1. Enable Stylish plugin and Restart firefox when prompted
2. Click on Write New Style
3. Paste above CSS script and click on Save button

 

stylish-static-throbbler-css-script-change-back-forward-rotating-tab-wheel-on-Firefox-howto

Now instead of the moving wheel you will get just a circle appearing as a static image while the page is loading.

If you want to absolutely remove any circles or images and show nothing when loading, e.g. not have any means to monitor whether the page is loaded or not, but also make it easier for the eye, I even finally decided to completely remove the all-time moving wheel from Firefox tabs, even the static picture, using the below CSS script with Stylish:
 

@namespace url(https://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
@-moz-document url(chrome://browser/content/browser.xul) {
    .tab-throbber {
        list-style-image: none !important;
        animation-name: none !important;
    }
    .tab-throbber[progress] {
        list-style-image: none !important;
    }
}

After all, even after removing the FF tabs wheel, there is the status printed at the bottom of the webpage, showing the connection status as text. I find this kind of page loading status much less aggressive and preferable to the current versions of Firefox 4 onwards ..

One other thing I do to prevent the annoying Windows OS default theme wheel is to change it to the old fashioned sand clock, as well as bring back the theme of Windows 7 / 8 to the Classic Theme of Win 2000, as I believe this reduces the level of zombification the PC imposes on oneself 🙂

Enjoy!

Resume sftp / scp cancelled (interrupted) network transfer – Continue (large) partially downloaded files on Linux / Windows

Thursday, April 23rd, 2015

resume-sftp-scp-cancelled-interrupted-file-transfer-download-upload-network-transfer-continue-large-partially-downloaded-file-howto-linux-windows
I've recently had a task to transfer some huge Application server long-time stored data (about 70GB of data, after being archived) between an old Linux host server and a new one, where the new Tomcat Application (Linux) server will be installed to fit the increased site accessibility (server hardware overload).

The two systems are in a paranoid DMZ network and do not have access to each other via SSH / FTP / FTPS, and not even Web access on port 80 or SSL 443 between the two hosts, so in order to move the data I had to use a third HOP station, a Windows (server) which has a huge SAN network attached storage of 150 TB (as a mapped drive I:/).

I reach the Windows hop station through Citrix Receiver, and on it I use MobaXterm, which gives me the basic UNIX commands such as sftp / scp on the Windows system.
So, to transfer the Chronos Tomcat application's archived .tar.gz, I sftp-ed into the Linux host and used the get command to retrieve it, e.g.:

 

sftp UserName@Linux-server.net
Password:
Connected to Linux-server.
sftp> get Chronos_Application_23_04_2015.tar.gz

….


The secured DMZ network turned out to have a traffic shaper limiting my sftp get / scp download to about 2.5 MBytes/sec, so the whole transfer was estimated to take about 8:30 hours. It was the middle of the day (about 13:00) and my work day ends at 18:00, so I could keep the retrieval session open for at most 5 hours, and the transfer would be cancelled as soon as I logged out of the hop station. I had already let it run for 2 hours, with about 23% of the file retrieved, so I wondered whether SCP / SFTP downloads can be resumed at all.

I went thoroughly through the options of sftp (the interactive SFTP client) and the scp manual and found no resume option there (OpenSSH 6.3 and later do add a reget command and a get -a flag to sftp for exactly this, but the client I was using had neither). Then I remembered good old rsync (the versatile remote and local file copying tool), which I often use for customer backup strategies, and which can resume partially transferred files. I wondered whether that only works for transfers started by rsync itself, but luckily rsync can continue an interrupted file no matter which program (HTTP / HTTPS / SCP / SFTP / FTP client) began the download, because it compares the partial local copy against the remote file and transfers only the missing data. That makes it pretty easy to continue a download that failed because of a network problem or user interruption. First I changed to the directory where the partial file is located:
 

cd /path/to/interrupted_file/


and issue command:
 

rsync -av --partial username@Linux-server.net:/path/to/file .


The --partial option is what does the resume trick: without it rsync deletes a partially transferred file when the transfer is interrupted, with it the partial file is kept and the next run continues from it. -a stands for --archive and turns on archive mode (equal to -rlptgoD, i.e. without -H, -A, -X), and -v makes rsync list the files it transfers. The per-file progress line with percentage, transfer rate and estimated time to completion comes from --progress; -P is shorthand for --partial --progress, which gives an easier to remember rsync resume command:
 

rsync -avP username@Linux-server.net:/path/to/file .
Password:
receiving incremental file list
chronos_application_23_04_2015.tar.gz
  4364009472   8%    2.41MB/s    5:37:34

To continue a failed upload with rsync (e.g. if you used the sftp put command and the upload failed or was cancelled):
 

rsync -avP chronos_application_23_04_2015.tar.gz username@Linux-server.net:/path/where_to/upload


Of course, for the rsync resume to work the remote system must have rsync installed: rsync over SSH starts an rsync process on both ends, so if the package is missing on the remote side the command simply fails. Make sure of that before relying on this method. There is also an rsync port for Windows, so to resume large Giga- or Terabyte archive downloads between two Windows hosts you can use cwRsync.
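As an added example (not part of the original post and not the author's command), here is a small POSIX shell wrapper around the rsync resume shown above: it retries the transfer until it succeeds and then compares SHA-256 digests of the two copies, because a resumed multi-gigabyte download should be checked before the archive is unpacked on the new server. The host name, paths, retry count and pause are assumptions.

```shell
#!/bin/sh
# Resume an interrupted download with rsync and verify the result.
# Added example (not from the post). Hosts and paths are hypothetical.
#
# resume_copy SRC DST [TRIES] [PAUSE]
#   Re-runs "rsync -a --partial --progress SRC DST" until it succeeds or
#   TRIES attempts are used up, sleeping PAUSE seconds between attempts.
#   --partial keeps whatever arrived when a run is interrupted, so the next
#   run continues from the partial file instead of starting from zero.
resume_copy() {
    src=$1; dst=$2; tries=${3:-5}; pause=${4:-10}
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        rsync -a --partial --progress "$src" "$dst" && return 0
        rc=$?
        echo "rsync attempt $n/$tries failed (exit code $rc)" >&2
        [ "$n" -lt "$tries" ] && sleep "$pause"
    done
    return 1
}

# sha256_of FILE -> prints the SHA-256 digest of a local file
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_copy FILE_A FILE_B -> 0 if both local files have the same SHA-256.
# For a remote source, compare sha256_of on the local copy against the
# output of:  ssh user@host sha256sum /path/to/file
verify_copy() {
    a=$(sha256_of "$1") || return 2
    b=$(sha256_of "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (hypothetical host):
#   sh resume_copy.sh username@Linux-server.net:/path/to/file .
if [ "$#" -eq 2 ]; then
    resume_copy "$1" "$2" && echo "transfer complete: $2 (now compare checksums)"
fi
```

--partial (and therefore -P) is the safe choice: rsync's delta algorithm checks the bytes already on disk with block checksums before reusing them. --append skips that check and blindly trusts the existing prefix, which is faster but silently produces a corrupt file if the partial copy was damaged; if you want the speed, use --append-verify, which re-checks the whole file at the end.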

Improve Websites SEO: Optimize images to Increase website loading performance on Linux server – Image Compress tools

Friday, December 5th, 2014

Optimize-website-images-pictures-to-Increase-website-loading-performance-on-Linux-server_Image_Compress_tools-Improve-Websites_SEO
Part of our daily life as web hosting system administrators is to constantly strive to make better use of our Linux / Windows hosting servers' hardware.
Therefore it is our constant task to look for new and better ways to optimize our Apache sites and web servers, so that they return the served application content lightning fast and keep the boss and the customers happy 🙂

There are things to tune for better server performance and better CPU / memory utilization both on the application server side and in the website's code: the backend, the HTML and the pictures / images.

Thus it is critically important not only to keep the web server / PHP engine optimized, but also to keep the hosted sites' stored images and source code clean and efficient.

As admins we usually can't interfere directly with cleaning up the source code, and often have to host badly written sites with picture upload forms that accept unoptimized image files straight from old photo cameras, ancient mobile phones, Windows XP MS Paint, various versions of Photoshop, GIMP, etc.

It is a well known fact that a big part of a website's user experience is how fast a page loads, so if the images referenced from the HTML / CSS load slowly, that has a negative impact on the user's look & feel of the website.

Therefore, by optimizing the size of the hosted sites' images, you save network bandwidth and, in the case of large gallery sites, HDD disk space too.

On Linux there are already many command line tools to inspect and optimize (compress) PNG, JPEG, GIF, BMP, PNM and TIFF images; the most famous ones are:

  • optipng – PNG optimizer that recompresses image files to a smaller size, without losing any information.
  • jpegoptim – lossless JPEG optimization (based on optimizing the Huffman tables) and "lossy" optimization based on setting a maximum quality factor.
  • pngcrush – recommended by Stoyan Stefanov (Yahoo YSlow developer)
  • jpegtran – recommended by Google
  • gifsicle – command-line tool for creating, editing, and getting information about GIF images and animations.

It is hence useful to first run the available Linux image optimization tools manually (to get an idea of what they do) and later automate them in scripts that optimize the size of server-stored images. That makes pictures load faster on the websites, improves the end user experience and speeds up image delivery to the GoogleBot / YahooBot / Bing crawlers, so that search engines rank the hosted sites better (more SEO friendly).

 

  • How much space (Mega- / Gigabytes) can picture compression save you?

If you run it on a 500MB image directory you can probably save about 20 to 50MB, so don't expect an extraordinary reduction; still, 5% to 10% less is not bad. If you host 100 sites each with half a gigabyte of images, that means about 5GB saved on disk and another 5GB in backups 🙂 In exceptional cases you can expect a 20% to 30% reduction. For even better image compression you can try GIMP's Save for Web option.
 

  • Installing jpegtran, optipng, jpegoptim, pngcrush, gifsicle on Debian / Ubuntu (deb based) Linux
     

apt-get install --yes libjpeg-progs optipng jpegoptim pngcrush gifsicle

 

  • Installing jpegtran, optipng, jpegoptim, pngcrush, gifsicle on Fedora / CentOS / RHEL (RPM based distros)
     

yum -y install pngcrush libjpeg-turbo-utils optipng jpegoptim


jpegtran comes with libjpeg-turbo-utils; on CentOS / RHEL, optipng and jpegoptim are in the EPEL repository. gifsicle is not available in the default Red Hat ("Redhacks" 🙂) repositories, but there is an RPM package for Fedora / RHEL from RepoForge: http://pkgs.repoforge.org/gifsicle/

 

Some examples of running image compression on GNU / Linux

  • optipng and jpegoptim: optimize all PNG and JPEG files under a directory
     

cd /home/sites/

find . -iname '*.png' -print0 | xargs -0 optipng -o7 -preserve
find . -iname '*.jpg' -print0 | xargs -0 jpegoptim --max=90 --strip-all --preserve --totals


In the jpegoptim command, --strip-all removes all metadata, including EXIF data, from the images. For website images the JPEG metadata is usually not needed, so it is normally fine to strip it (it also stops the site from leaking camera serial numbers, GPS coordinates and similar details that uploaded photos often carry). --preserve keeps the files' original timestamps and --totals prints a summary at the end.

The --max=90 option makes the run lossy: any JPEG saved at a quality above 90 is re-encoded at quality 90, while files already at or below that are only optimized losslessly. A quality level of 90 is still high enough that website visitors are unlikely to spot any visible reduction or defects in the image. Note also that optipng -o7 runs the slowest, most exhaustive set of compression trials; on a large tree -o2 is usually a sensible compromise.

 

  • pngcrush all files in a directory example
     

IMG_DIR=/home/sites

# pngcrush writes a new file: always give it a separate output name,
# never the original, and replace the original only on success.
find "$IMG_DIR" -iname '*.png' -type f | while IFS= read -r png; do
    echo "crushing $png ..."
    pngcrush -rem alla -reduce -brute "$png" "$png.tmp"

    # preserve original on error
    if [ $? = 0 ]; then
        mv -f "$png.tmp" "$png"
    else
        rm -f "$png.tmp"
    fi
done

  • Run jpegtran on sites directory
     

find /home/sites -iname '*.jpg' -type f -exec sh -c 'jpegtran -copy none -optimize -outfile "$1.tmp" "$1" && mv -f "$1.tmp" "$1"' _ {} \;

jpegtran must not be pointed at its own input as output (-outfile {} {} truncates the file before it has been read), so the optimized image goes to a temporary file that replaces the original only when jpegtran succeeds.

 

  • Set a script to compress / reduce size of Sites Images


Here is a basic optimize_images.sh which I used earlier; it was reducing the overall image size by just 5 to 10%. Later I found the much improved optimize images shell script (also useful for clearing EXIF picture data and comments from JPG / PNG files). The script can take a very long time on large image directories and thus causes high HDD disk I/O; if it runs once a week at night time, though, that is not such a big deal.

To set it up as a cron job on your server, fetch the script, read through it before letting root run it unattended (it comes from the network, so check what it does first), make it executable and add it to root's crontab:
 

cd /usr/sbin/
wget -q https://www.pc-freak.net/bshscr/optimize_images2.sh
chmod +x optimize_images2.sh
crontab -u root -e


Sample cron job running twice a month, on the 10th and the 27th at 3 o'clock AM:
 

# redirection order matters: >/dev/null 2>&1 discards both stdout and stderr,
# whereas 2>&1 >/dev/null would still mail stderr to root
00 3 10,27 * * /usr/sbin/optimize_images2.sh >/dev/null 2>&1
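As an added example (not the post's optimize_images script and not the tools' own code), here is a small POSIX shell version of the safety rules a bulk optimizer run from root's cron should follow: check a file's magic bytes rather than trusting its extension (upload directories routinely contain renamed non-images, and the optimizers' parsers should not be pointed at arbitrary attacker-supplied data), write the optimizer's output to a temporary file, and replace the original only if the result is non-empty and actually smaller, keeping the original timestamp. IMG_DIR, the -o2 level and the quality threshold are assumptions; optipng and jpegoptim are only invoked if installed.

```shell
#!/bin/sh
# Safer bulk image optimization. Added example; not the post's script.
# optipng / jpegoptim are called only if present; IMG_DIR is hypothetical.

# is_png FILE / is_jpeg FILE -> 0 if the file's leading bytes are the PNG
# signature (89 50 4E 47 0D 0A 1A 0A) or a JPEG SOI marker (FF D8 FF).
is_png() {
    [ "$(od -An -tx1 -N8 "$1" | tr -d ' \n')" = "89504e470d0a1a0a" ]
}
is_jpeg() {
    [ "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# file_size FILE -> size in bytes (no dependence on GNU vs BSD stat flags)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# replace_if_smaller ORIG CANDIDATE
#   Keep the optimizer's output only if it is non-empty and smaller than the
#   original; otherwise discard it and leave ORIG untouched. Returns 0 when
#   ORIG was replaced, 1 when it was kept. ORIG's mtime is carried over.
replace_if_smaller() {
    orig=$1; cand=$2
    old=$(file_size "$orig"); new=$(file_size "$cand")
    if [ "$new" -gt 0 ] && [ "$new" -lt "$old" ]; then
        touch -r "$orig" "$cand"      # keep the original timestamp
        mv -f "$cand" "$orig"
        return 0
    fi
    rm -f "$cand"
    return 1
}

# optimize_tree DIR -> optimize every real PNG / JPEG under DIR in place.
optimize_tree() {
    dir=$1
    find "$dir" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \) |
    while IFS= read -r img; do
        tmp="$img.opt.tmp"
        if is_png "$img"; then
            command -v optipng >/dev/null 2>&1 || continue
            # -o2 instead of -o7: far faster, most of the gain (assumption)
            optipng -quiet -o2 -out "$tmp" "$img" >/dev/null 2>&1 || { rm -f "$tmp"; continue; }
        elif is_jpeg "$img"; then
            command -v jpegoptim >/dev/null 2>&1 || continue
            # jpegoptim works in place, so optimize a copy
            cp -p "$img" "$tmp" && jpegoptim -q --strip-all --max=90 "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; continue; }
        else
            echo "skip (content does not match an image type): $img" >&2
            continue
        fi
        before=$(file_size "$img")
        if replace_if_smaller "$img" "$tmp"; then
            echo "optimized: $img ($before -> $(file_size "$img") bytes)"
        fi
    done
}

# Usage (hypothetical path):  optimize_tree /home/sites
```

Writing to a temporary file and swapping it in with mv also means a visitor never sees a half-written image, and a crash mid-run leaves only stray *.opt.tmp files rather than damaged originals.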


Also, if you need to further optimize millions of tiny PNG files, Yahoo's Smush.it service could be helpful. For compression maniacs it is also worth checking out the TinyPNG service, but be aware that it compresses with significant quality loss, making picture quality visibly deteriorate, and that you are handing your site's images to a third party.

Besides optimizing the server-stored pictures, here are some other things that help increase server utilization and lower page loading times.

Starting with the installation (when the site uses Apache + PHP for its backend), the first thing to do on a freshly installed Linux server is to implement the following list of common Apache timeout variables, which help the web server scale better for the hosted CMSes, to enable response compression with mod_deflate, to enable eAccelerator and to tune the common PHP variables, etc.

Another thing I sometimes do, which in my experience speeds up Apache child response time by up to 20-30%, is to move any .htaccess mod_rewrite rules into the VirtualHost / httpd.conf Apache configuration (and turn off .htaccess lookups with AllowOverride None), so Apache no longer has to look for and parse .htaccess files on every request.

On very heavily loaded sites (online stores, large company portals with more than 60 000 - 100 000 unique IP visitors a day) a common tip is to disable Apache logging to access.log / error.log completely. Think twice before doing that: the access log is your only record of who did what when something goes wrong, so you lose the ability to investigate an incident. A better compromise is to keep the logs but make them cheaper: BufferedLogs On, a less chatty LogLevel, and shipping them to a log host instead of writing them to the busy site disk.

Often, when old-architecture websites are moved from an older Linux OS to a newer one with newer Apache / PHP versions, the sites keep working without major code rework but use many functions that are already deprecated, so a lot of WARNING noise gets logged into php_error.log / error.log. To save disk space and reduce disk I/O it is worth disabling PHP Notices and Warnings messages (and, where you can, fixing the deprecated calls, since those warnings point at code that will eventually break).
 

Joomla 1.5 fix news css problem partial text (article text not completely showing in Joomla – Category Blog Layout problem)

Monday, October 20th, 2014

joomla-fix-weird-news-blog-article-text-incompletely-shown-category-blog-website-layout-problem

I’m still administering an old, archaic website built on Joomla 1.5. Recently there were some security issues with it, so I first tried the jupgrade plugin (Upgrade Joomla 1.5 to Joomla 2.5) to resolve them. Because the template in use was not available for Joomla 2.5 the upgrade ran into problems, so I decided to stay on Joomla 1.5 and applied the Joomla 1.5 Security Patch instead. I also had to disable a couple of unused Joomla components and the contact form, to stop spammers abusing them to send spam through the site; the Joomla Security Scanner was the most useful tool for finding the holes to fix. Bear in mind that Joomla 1.5 has been end-of-life since 2012, so no new security fixes are published for it and a patched 1.5 is a stopgap rather than a solution.

So far so good, that dealt with the security side, but just recently I was asked to add a new article to the Joomla News section (the news section is configured to serve as a mini site blog, as only a few articles are added every few months). To my surprise the newly added article displayed its text and pictures only partially. The weirdly looking news item looked very much like some kind of template or CSS problem. I tried debugging the HTML, but my CSS knowledge is not great, so as a next step I tried changing some settings in the Joomla administrator in the hope of fixing the article text, which kept getting cut off even though the text I had placed in the article was correctly formatted. Fed up with trying to solve the news section layout problem, I looked online to see whether anyone else had run into the same error, and stumbled on a thread in Joomla’s forum explaining the Category Blog Layout Problem.

The fix for the Joomla article showing incomplete text is in the Joomla administrator menus:

1. Menus -> Main Menu -> click the Menu Item(s) / Edit Menu Item(s) button
2. Click on News (the section)
3. In the Parameters section (bottom right of the screen) you will see # Leading set to some low number, for example 8 or 9. The whole issue in my case was that I was trying to add more than 8 articles while # Leading was set to 8; to add more articles and keep them all displayed in full I had to raise it. To prevent the problem from recurring I raised # Leading to 100, as shown in the screenshot below:
joomla-blog-layout-basic-parameters-screenshot-fix-joomla-news-cut-text-problem-screenshot

After raising it to some high number click Apply and you’re done, your problem is solved 🙂
For those curious what the settings in the screenshot mean:

# Leading Articles -> the number of articles that are shown at full width
# Intro Articles -> the number of articles that are shown at less than full width (intro text only)
# Columns -> the number of columns in which the # Intro articles are shown; if # Intro is zero this setting has no effect
# Links -> the number of articles that are shown only as links, i.e. the articles beyond # Leading + # Intro

N.B. Solving this issue took me quite a long time and a lot of attempts. I tried creating the article from scratch, copying an old article, etc. At one point I even messed up a few of the news articles so badly that I had to recreate them from scratch. Before making any changes to an obsolete Joomla, always back up both the database and the file content, otherwise you may end up like me, losing 10 hours of your time ..

The bitter experience with Joomla once again convinced me that, when I have time, I should migrate this Joomla CMS to WordPress. My experience so far with Joomla has proven to me that the time and nerves spent learning it, building a multilingual website with it and administering it through its obscure and cryptic interfaces, plus its multiple security issues, make this CMS hardly worth studying or using. Its painful release-to-release upgrades, its slowness and its smaller choice of plugins compared to WordPress make WordPress the much better (and easier to build on) platform.
So if you are in doubt whether to use Joomla or WordPress to build a new company / community website or a blog, my humble advice is: choose WordPress!

Fixing Clamav error: “WARNING: Can’t download daily.cvd from database.clamav.net”

Thursday, June 6th, 2013

On one of my Debian Squeeze servers running a Qmail mail server, I hadn't checked the logs for a long time, because Qmail is configured and everything runs smoothly. Just today, while checking the logs, I noticed in /var/log/clamav/clamav.log that the ClamAV virus database fails to update (which means incoming mail had been scanned with stale signatures all that time), with an error like:

qmail:~# tail -n 28 /var/log/clamav/clamav.log

ClamAV update process started at Thu Jun 6 20:47:14 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: getpatch: Can't download daily-16682.cdiff from db.local.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from db.local.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from db.local.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from db.local.clamav.net
ERROR: getpatch: Can't download daily-16682.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: Can't download daily.cvd from db.local.clamav.net
Giving up on db.local.clamav.net…
ClamAV update process started at Thu Jun 6 20:47:15 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs…
ClamAV update process started at Thu Jun 6 20:47:20 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Can't download daily.cvd from database.clamav.net

On the host freshclam is configured to run in the background as a daemon:

qmail:~# ps ax | grep -i fresh | grep -v grep
13615 ? Ss 0:02 /usr/bin/freshclam -d --quiet
 

I first tried restarting it through its init script:

qmail:~# /etc/init.d/clamav-freshclam restart

The error kept recurring, so I stopped the daemon (PID 13615 from the ps output above; a plain TERM is enough, there is no need for -9) and ran freshclam manually in the foreground:

qmail:~# kill 13615
qmail:~# freshclam

I got the same error again:
 

Thu Jun 6 16:46:20 2013 -> ClamAV update process started at Thu Jun 6 16:46:20 2013
Thu Jun 6 16:46:20 2013 -> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Thu Jun 6 16:46:20 2013 -> WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Jun 6 16:46:20 2013 -> WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Jun 6 16:46:20 2013 -> WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Jun 6 16:46:20 2013 -> WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Jun 6 16:46:20 2013 -> ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Jun 6 16:46:20 2013 -> WARNING: Incremental update failed, trying to download daily.cvd
Thu Jun 6 16:46:20 2013 -> ERROR: Can't download daily.cvd from database.clamav.net
Thu Jun 6 16:46:20 2013 -> Giving up on database.clamav.net…
Thu Jun 6 16:46:20 2013 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

The local daily.cvd had fallen far behind the current version (the log shows freshclam asking for patch 16682 while the current daily turned out to be 17309), too old to be brought up to date with incremental cdiff patches, and the fallback to a full daily.cvd download kept failing against the same mirrors. The solution was to delete the stale ClamAV database file daily.cvd and run another freshclam virus database update, which fetched a complete fresh copy:

qmail:~# rm -f /var/lib/clamav/daily.cvd
qmail:~# freshclam
ClamAV update process started at Thu Jun 6 22:07:21 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 17309, sigs: 1302714, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Database updated (2347142 signatures) from db.local.clamav.net (IP: 195.222.33.229)

Finally, to make freshclam work as daemon, restarted init script:

qmail:~# /etc/init.d/clamav-freshclam restart
[ ok ] Stopping ClamAV virus database updater: freshclam.
[ ok ] Starting ClamAV virus database updater: freshclam.
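As an added example (not from the post), here is a small POSIX shell check to run from cron or a monitoring agent, so that a silently failing freshclam is noticed right away instead of months later in the log, as happened here. The paths are the Debian defaults; the 2-day threshold and the log file name are assumptions (this post reads freshclam's messages from /var/log/clamav/clamav.log, Debian's stock freshclam.conf writes them to /var/log/clamav/freshclam.log). Newer freshclam versions keep the daily database as daily.cld after incremental updates, so the check accepts either file and the remediation removes both.

```shell
#!/bin/sh
# Is ClamAV's daily signature database actually being refreshed?
# Added example; not from the post. Paths are Debian defaults, the age
# threshold is an assumption: daily.c?d normally changes several times a day,
# so one older than MAX_AGE_DAYS means freshclam has been failing silently.

# db_is_fresh DIR MAX_AGE_DAYS
#   0 if DIR holds a daily.cvd or daily.cld modified within MAX_AGE_DAYS,
#   1 if the file is older or missing.
db_is_fresh() {
    dir=$1; max=$2
    fresh=$(find "$dir" -maxdepth 1 \( -name daily.cvd -o -name daily.cld \) -mtime -"$max" 2>/dev/null)
    [ -n "$fresh" ]
}

# failed_updates LOGFILE -> number of "Can't download daily.cvd" lines
#   (the message seen in the post's log). A few are harmless, one bad mirror;
#   a steady stream means no update is getting through at all.
failed_updates() {
    n=$(grep -c "Can't download daily.cvd" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# check_clamav DBDIR LOGFILE MAX_AGE_DAYS -> 0 healthy, 1 stale database
check_clamav() {
    dbdir=$1; log=$2; max=$3
    fails=$(failed_updates "$log")
    if db_is_fresh "$dbdir" "$max"; then
        echo "OK: daily signatures in $dbdir updated within $max day(s); $fails failed daily.cvd downloads logged"
        return 0
    fi
    echo "STALE: no daily.cvd/daily.cld in $dbdir newer than $max day(s); $fails failed daily.cvd downloads logged" >&2
    echo "Remediation used in the post: rm -f $dbdir/daily.cvd $dbdir/daily.cld && freshclam, then restart clamav-freshclam" >&2
    return 1
}

# Cron-friendly invocation with Debian paths and a hypothetical 2-day limit:
#   check_clamav /var/lib/clamav /var/log/clamav/freshclam.log 2
```

Exit status 1 from check_clamav is what a cron wrapper or monitoring check should alert on; the failed-download count is reported alongside so you can tell a dead mirror (a handful of failures, database still fresh) from the situation above (failures piling up, database weeks old).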

 

Create ASCII Art Text banners in GNU / Linux console and terminal with figlet and toilet

Tuesday, January 15th, 2013

Create fun and colorful text ASCII art banner logos on Linux (figlet and toilet)

As an old school hobbyist, I'm a kind of ASCII art freak. Free Software is just great for text / console maniacs like me, who spent their youth in a DOS (Disk Operating System) command prompt.
For a long time I have been researching cool programs that have something to do with ASCII art, and in that spirit I decided to write a few words about figlet and toilet: two nice programs that generate beautiful ASCII art text banners from a typed-in string. Obviously toilet's developer Sam Hocevar has a great sense of humor 🙂

To play with figlet and toilet, install them with yum or apt-get, depending on whether your distro is rpm or deb based:

yum -y install toilet figlet
....

apt-get --yes install toilet figlet
....

There are no native packages for Slackware, so Slackware Linux users need to compile figlet from source, available on figlet's home page figlet.org.

Once figlet and toilet are installed, here are a few sample use cases:
 

hipo@noah:~/Desktop$ figlet hello world!             

figlet ascii art banner hello world
 

hipo@noah:~/Desktop$ figlet -f script Merry Christmas

figlet merry christmas text in ascii art with script font linux

Plenty of figlet font examples are available in the examples section of figlet's website; very cool stuff btw 🙂 To take a quick look at all the fonts available to toilet for ASCII art banner creation, type in your console tty or terminal:

for i in $(dpkg -L toilet-fonts | grep '\.tlf$'); do
    toilet -f "$(basename "$i" .tlf)" test
done

The picture below is a screenshot of my gnome-terminal showing most of the fonts installed by the toilet-fonts package.

ascii art banner create generate program linux figlet toilet with fonts on debian linux screenshot pic - how to create ascii banners linux

There are about 150 fonts, most of which have to be downloaded and installed manually. A quick search online led me to a collection of 263 figlet ASCII art fonts; you can download a mirror of the file figletfonts40.zip here. To equip toilet and figlet with those 263 extra fonts (on Debian):

cd /usr/share/figlet
wget https://www.pc-freak.net/files/figletfonts40.zip
unzip figletfonts40.zip

Since you are extracting an archive fetched from the web as root into a system directory, have a look at its listing first (unzip -l figletfonts40.zip): it should contain only *.flf / *.tlf font files, with no ../ or absolute paths. Note: you need to have unzip installed in advance; it is not part of the default install, so if you don't have it, fetch it with:

apt-get install --yes unzip

toilet and figlet are partially compatible with each other, so most fonts should work fine on both.

figlet also supports simple formatting of the ASCII art banner; here are a few examples:

a.) centered text

$ figlet -c bla bla

figlet centered ascii art text bla bla screenshot

b.) left-aligned text (the default)

$ figlet -l bla bla

figlet ascii art banner left formatted text debian gnu linux

c.) right-aligned text

$ figlet -r bla bla

figlet ascii art banner right formatted ascii art text debian linux generator

d.) fit to the terminal width. By default the text figlet generates is sized for 80-column terminals; at higher resolutions in gnome-terminal and other Linux environments the terminal is usually not 80x25, so for longer sentences it is useful to have the output follow the terminal size:

$ figlet -t some longer sentence here

figlet ascii art banner sentence phrase to terminal width banner debian gnu linux

The cool thing about toilet, and its advantage over figlet, is that it can print ASCII art banners in colors using filters; very, very cool stuff. To quickly test all filters, issue:

for i in $(toilet -F list | awk '{ print $1 }' | grep -v Available | sed -e 's#"##g'); do
    toilet -F "$i" pC-fREAK
done

Change the text pC-fREAK to whatever you like.

using toilet to create funny ascii-art banners linux pc-freak logo pictures

A very nice use of toilet or figlet is to print a message as an ASCII banner on each user login. Another fun application is combining them with cowsay:

$ apt-cache show cowsay | grep -i description -A 5
Description: A configurable talking cow
 Cowsay (or cowthink) will turn text into happy ASCII cows, with
 speech (or thought) balloons. If you don't like cows, ASCII art is
 available to replace it with some other creatures (Tux, the BSD
 daemon, dragons, and a plethora of animals, from a turkey to an
 elephant in a snake).

In case you are interested in using cowsay on system logins, check out my tiny cowrand script, which uses cowsay to show a random cow ASCII art picture on each user login.

If you are a Christian, another good use is to combine a nice Holy Scripture verse in ASCII text with an encouraging daily Bible phrase from verse or fortune.

Apart from fun, ASCII art slogans are commonly used in e-mail and blog comment signatures; they are certainly good for creating unusual (text) advertisements and can even save printer ink 🙂 since text rendered as an ASCII art logo is not as massive as most text fonts. Last but not least, ASCII art banners are useful for generating ASCII slogans as an art form; after all, ASCII art is one of the innovative arts of the 21st century 🙂