Assuming you're using composite, otherwise 0 for coax
# v4l2-ctl -d /dev/video2 --set-input=1
We need to force the pixel format or you'll get discoloration
# ffmpeg -f v4l2 -channel 1 -input_format uyvy422 -video_size 720x480 -framerate 30000/1001 -i /dev/video2 -f alsa -thread_queue_size 1024 -i hw:1 -pix_fmt yuv420p -c:v libx264 -preset veryfast -crf 18 -c:a aac -b:a 192k /tmp/vhs_fixed.mp4
nfsd open file limits
Recently I came across a user who requested an increase to the ulimit settings for nfsd kernel processes.
root 1122 0.0 0.0 0 0 ? S 11:43 0:00 [nfsd]
# grep 'open file' /proc/1122/limits
Max open files 1024 4096 files
This appears to default to 1024/4096 soft/hard.
As you can see from the brackets surrounding nfsd, this is a kernel process spawned from kthreadd and thus won’t inherit limits from systemd (or limits.conf).
I decided to throw together a quick C++ program proving that these limits do not impact how many open files a client can utilize.
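#include <chrono>
#include <cstdio>
#include <dirent.h>
#include <fstream>
#include <thread>
#include <unistd.h>

int main() {
    const char *path = "/export";      // NFS mount point on the client
    std::fstream fs[8194];             // 8192 files plus "." and ".."
    int count = 0;

    // Change into the export first so files can be opened by relative name.
    if (chdir(path) != 0) {
        perror("chdir");
        return 1;
    }
    DIR *dir = opendir(".");
    if (dir == NULL) {
        perror("opendir");
        return 1;
    }
    struct dirent *entry;
    // Open every directory entry and keep the stream open.
    while ((entry = readdir(dir)) != NULL && count < 8194) {
        printf(" %s\n", entry->d_name);
        fs[count].open(entry->d_name);
        count++;
    }
    // Hold the files open long enough to inspect them with lsof.
    std::this_thread::sleep_for(std::chrono::milliseconds(100000));
    closedir(dir);
    return 0;
}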
On the NFS server in question, I created 8192 files.
[root@nfs export]# for x in {1..8192}; do touch $x; done
I also ensured that only 1 [nfsd] thread was running (to rule out the open files being split between multiple nfsd threads).
On the client I made sure the user had appropriate ulimit settings
# ulimit -n
9000
Then I ran the above program to hold open all 8192 files. As you can see below, there was no problem doing so.
# lsof +D /export/ | wc -l
8191
Tested with NFSv3 (with lockd) and NFSv4.
Conclusion: The [nfsd] limits shown in /proc have no impact on the NFS clients.
Bluetooth headset with Qubes
NOTE: This was done with a Bluetooth USB adapter. If you use your wireless card’s built-in Bluetooth you should be able to do the same; you’ll just need to do it on sys-net instead of a separate qube.
First, create a fedora ‘bluetooth’ qube that we will attach the USB adapter to
Install required packages:
# dnf install blueman udev-x11
Add the following to /etc/pulse/qubes-default.pa where 10.137.0.0/24 is your qube network (if different)
load-module module-bluetooth-discover
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1,10.137.0.0/24 auth-anonymous=1
Add user to audio group
# usermod -a -G audio user
Create /etc/systemd/user/pulseaudio.service
[Unit]
After=sound.target network.target avahi-daemon.service
Requires=sound.target
Wants=avahi-daemon.service
Description=PulseAudio Sound System

[Service]
Type=dbus
BusName=org.pulseaudio.Server
BusName=org.PulseAudio1
ExecStart=/usr/bin/pulseaudio -vv
ExecStop=/usr/bin/pulseaudio --kill
Restart=always

[Install]
WantedBy=default.target
Reload systemd (or just reboot)
# systemctl daemon-reload
As user, enable it so pulseaudio is running at startup
# systemctl --user enable pulseaudio.service
Create a script to handle the blueman-applet in /root/bluetooth.sh
#!/bin/bash
# Restart blueman-applet whenever it exits
while true; do
    sudo -u user blueman-applet
    sleep 1
done
Make it executable
# chmod +x /root/bluetooth.sh
Add the following to /rw/config/rc.local
iptables -I INPUT -s <CLIENT IP> -j ACCEPT
/root/bluetooth.sh &
Add firewall rule on sys-firewall qube in /rw/config/qubes-firewall-user-script
iptables -I FORWARD 2 -s <CLIENT IP> -d <BLUETOOTH IP> -j ACCEPT
On each client, add the following to /etc/profile to ensure your applications use your bluetooth qube for audio
export PULSE_SERVER=<BLUETOOTH IP>
Now when you attach the USB bluetooth adapter to the bluetooth qube the applet should appear and you’re good to go.
WordPress mod_proxy tips and tricks
We have an Apache server using mod_proxy to serve WordPress from another server. SSL is terminated on the Apache side.
Apache(80) -> WordPress(80)
Apache(443) -> WordPress(80)
.htaccess
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]
wp-config.php
At the top of the file:
define('FORCE_SSL_ADMIN', true);
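// isset() avoids an undefined-index notice when the header is absent
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS']='on';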
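Both checks above trust the X-Forwarded-Proto header, so the front-end proxy has to set it itself rather than pass through whatever the client sent. The following is an added example, not the author's configuration: the two front-end vhosts for the layout described above, assuming mod_proxy, mod_proxy_http, mod_headers and mod_ssl are loaded; www.example.com, WORDPRESS-HOST and the certificate paths are placeholders.

```apache
# Front-end Apache that terminates TLS (added example; placeholder names).
<VirtualHost *:80>
    ServerName www.example.com
    ProxyRequests Off
    ProxyPreserveHost On
    # "set" replaces any X-Forwarded-Proto value supplied by the client,
    # so the backend only ever sees the value chosen here.
    RequestHeader set X-Forwarded-Proto "http"
    ProxyPass        / http://WORDPRESS-HOST:80/
    ProxyPassReverse / http://WORDPRESS-HOST:80/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    ProxyRequests Off
    ProxyPreserveHost On
    # Only this vhost may tell WordPress the request arrived over TLS.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://WORDPRESS-HOST:80/
    ProxyPassReverse / http://WORDPRESS-HOST:80/
</VirtualHost>
```

The header is only trustworthy if the WordPress server accepts connections on port 80 solely from this proxy; a client that can reach the backend directly can send any value it likes.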
plex mod_proxy (Proxy plex through Apache)
The vhost below assumes you’re using Let’s Encrypt; just replace domain.fqdn with your hostname and PLEX-IP-HOST with the IP/hostname of your plex server. This is useful for connections that block odd ports like 32400 or only allow HTTP/HTTPS.
<VirtualHost *:80>
    ServerName plex.domain.fqdn
    Redirect / https://plex.domain.fqdn/
    ErrorLog ${APACHE_LOG_DIR}/plex_error.log
    CustomLog ${APACHE_LOG_DIR}/plex.log combined
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName plex.domain.fqdn
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    SetEnv newrelic_appname "http-plex"
    php_value newrelic.appname "http-plex"
    ErrorLog ${APACHE_LOG_DIR}/plex_error.log
    CustomLog ${APACHE_LOG_DIR}/plex.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/plex.domain.fqdn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/plex.domain.fqdn/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/plex.domain.fqdn/fullchain.pem
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://PLEX-IP-HOST:32400/
    ProxyPassReverse / http://PLEX-IP-HOST:32400/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Apache + PHP-FPM on CentOS 6
Note: This assumes you have enabled the IUS repo (ius.io) for php 5.6. Steps should be the same no matter what version of php-fpm you use.
Install required packages
# yum install httpd mod_ssl php56u-fpm mod_proxy_fcgi
# chkconfig httpd on && chkconfig php-fpm on
Edit php-fpm configuration
/etc/php-fpm.d/www.conf
listen = 127.0.0.1:9000
listen.owner = apache
listen.group = apache
listen.mode = 0660
user = apache
group = apache
Create /etc/httpd/conf.d/proxy.conf
DirectoryIndex index.php
<Proxy "*">
    Order allow,deny
    Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
Start services
# service php-fpm start
# service httpd start
Increase stripe_cache_size for mdadm/md devices permanently
Create /etc/udev/rules.d/60-md-stripe-cache.rules
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="16384"
Reload the udev rules; the change takes effect immediately.
udevadm control --reload-rules
udevadm trigger
Confirm (where md0 is your md device in question)
cat /sys/devices/virtual/block/md0/md/stripe_cache_size
ESXi 5.5 and Teaming on Cisco Switches (VLANs)
Create a basic port channel
interface Port-channel1
 description ESX Port Channel
 switchport mode trunk
interface GigabitEthernet0/8
 description ESX team
 channel-group 1 mode on
 spanning-tree portfast trunk
interface GigabitEthernet0/9
 description ESX team
 channel-group 1 mode on
 spanning-tree portfast trunk
Configure NIC teaming (Configuration – Network – Properties – vSwitch Properties) with the following settings
Load Balancing: Route based on IP address
Network Failover Detection: Link status only
Notify Switches: Yes
Failback: No
When you’re happy with the results, update your Management network settings to use NIC teaming as well.
Raspberry PI Phone Home
This can be done on any systemd-based system; this example is on a Raspberry PI running Raspbian (jessie).
# apt-get install autossh
Generate SSH key and copy it over
# ssh-keygen
# ssh-copy-id root@server
Create /etc/systemd/system/autossh.service
[Unit]
Description=AutoSSH service
After=network.target

[Service]
# autossh -f forks into the background and writes AUTOSSH_PIDFILE,
# so systemd has to track it as a forking service via PIDFile
Type=forking
User=root
Environment=AUTOSSH_PIDFILE=/tmp/autossh.pid
ExecStart=/usr/bin/autossh -M 0 -f -N -T -q -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 9993:localhost:22 root@server
PIDFile=/tmp/autossh.pid
Restart=always

[Install]
WantedBy=multi-user.target
Reload systemd
# systemctl daemon-reload
Enable/Start Service
# systemctl enable autossh
# systemctl start autossh
Now from “server” you should be able to reach your PI
# ssh localhost -p 9993
GlusterFS MySQL my.cnf Settings
This doesn’t seem to be clearly documented, but to make this persistent add the following under your [mysqld] section of my.cnf
external_locking = TRUE
delay_key_write = Off
query_cache_size = 0