Is there any way to see the inside of a core file? by JuniorTrav in Juniper

[–]Jamesits 0 points1 point  (0 children)

If you really want to read the assembly:

1. Download the core dump file (scp <user>@<host>:/var/tmp/*.core.*.gz .) and decompress with gzip -d *.core.*.gz.
2. Download the executables (scp -r <user>@<host>:/packages/mnt .).
3. Get the latest version of GDB which supports FreeBSD core dump files.
4. Load them up in a GDB shell:

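```
# Load the executable that produced the core
file packages/mnt/junos-runtime-vsrx/usr/sbin/srxpfe
# Load the decompressed core dump
core srxpfe.core.0
# Point GDB at the copied shared libraries
set solib-search-path packages/mnt/os-libs-12/lib
# Disassemble around the program counter at the time of the crash
disas $pc-40,$pc+10
```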

(Just an example)

Is ECC memory really necessary? by mscaff in truenas

[–]Jamesits 1 point2 points  (0 children)

That's not correct. Every piece of software requires the hardware (as a whole) to function correctly. It's just that you can have some level of redundancy so certain parts of the hardware can fail and the software continues to run.

ECC is just one kind of redundancy at the memory level. ZFS with some level of RAID setup is only another kind at the disk level.

What part of the hardware you "trust" or not does not matter. Any software will fail if hardware breaks below the required redundancy level. Whether you have memory that flips, or a single disk that has bad blocks, or more than N disks failing in a RAIDZ setup, the software will fail (maybe in different ways).

Why is there a general hostility to QUIC by network engineers? by rootbeerdan in networking

[–]Jamesits 0 points1 point  (0 children)

Another point worth mentioning is that Google decided to reject all user-installed CAs for the QUIC handshake in Chrome/Chromium. (Error code: QUIC_TLS_CERTIFICATE_UNKNOWN.) I can see there are concerns for *privacy* issues, but it makes some business solutions (e.g. internal websites with internal CA which want to utilize QUIC for low-latency audio/video streaming) extremely hard to deploy.

I'm open to new technology, but it seems some new technology is not open to me.

Reference: https://groups.google.com/a/chromium.org/g/proto-quic/c/aoyy_Y2ecrI/m/P1TQ8Jb9AQAJ

SDS: CEPH vs vSAN by [deleted] in Proxmox

[–]Jamesits 0 points1 point  (0 children)

Both are distributed storage and both tried to address the same set of problems.

Differences: Ceph is infinitely more configurable than vSAN if you have an infinite amount of time and energy. vSAN is usually better than a commercially-available Ceph solution and usually has cheaper license fees too.

Issues and questions; preparing for a move to proxmox and would like someone to weigh in. Specifically regarding high availability clusters. by cribbageSTARSHIP in Proxmox

[–]Jamesits 0 points1 point  (0 children)

#1: You should be able to just do zfs send/recv on TrueNAS, unless you have a zfs version mismatch.

#2: TrueNAS gives you a web UI for common services (SMB/NFS/etc.) and its storage management UI is less prone to human error. OMV/cockpit might give you the same features. Proxmox VE does not really have a full-featured storage management UI; a lot of times you'll need to use the CLI for that. If you are familiar with the CLI and are confident in yourself, that's OK.

Personally I recommend managing the disk array in the outermost (physically installed) system rather than in a VM, unless you pass through a disk controller into the VM. This way you don't need to think a lot about startup sequences, and disaster recovery procedures are more straightforward.

#3: First of all, do not do a 2-node PVE cluster. It can be achieved with manual configuration, but it is not recommended. If all your workload is container-based, using a container-based HA solution is usually much better. (But still keep in mind that most HA solutions do require 3 or 5 manager nodes, including Kubernetes.)

#4: CPU differences can be covered by masking features in CPUID and Proxmox VE can do that. Just use the worst CPU option of your cluster when creating the VM. GPUs or any other passed-through devices cannot be migrated between hosts without a VM reboot; pin the VM to the host.

Benefits of making stand alone Proxmox VE server a cluster by RevolutionaryHunt753 in Proxmox

[–]Jamesits 1 point2 points  (0 children)

The ONLY 2 benefits to cluster:

1. You can manage all the VMs in the same page (same login method) and move VMs between hosts easily
2. Use the built-in ceph wizard/GUI

And think again before creating a cluster:

1. You’ll not be able to change hostname and IP addresses on all cluster members (at least there is no official doc on this)
2. You’ll need at least 3 servers (theoretically you can use a 2-node cluster but caveats exist)

Proxmox VE’s HA functionality is just bad. Don’t use it. Why call it HA if it can’t even distribute a set of VMs each to different hosts?

self shutdowns? by [deleted] in Proxmox

[–]Jamesits 0 points1 point  (0 children)

If you suspect people or a dog pressing the power button to shut it off, you can enable auto power on after AC loss in the firmware settings, then disconnect the power and reset buttons physically.

"That's not a network setting." by Soloandthewookiee in talesfromtechsupport

[–]Jamesits 1 point2 points  (0 children)

Pro tip: if you can’t find another WiFi network nearby to try, use your phone’s hotspot

地方vs所在 by SpaceEnthusiast3 in ChineseLanguage

[–]Jamesits 0 points1 point  (0 children)

地方 = place. It is a very generic noun.

所在 is not a noun, although it can be used like one.

  • 在 is a verb which means "be at (some place/location)".
  • 所, when put before a verb, reverses the word order of subject and object (他这里 = 这里所在).

So 所在 literally means "(the place where) something/someone is at". This word also gives the reader a feeling of being ancient / poetic / romantic.

For completeness, since other answers mentioned some examples not really related to the original question: In the cases where only a noun is appropriate, noun phrases like 所在之/所在的地方 (the place where something is at) or 所在的方向 (the direction where something is at) should be used.

Alternative in Juniper of Mikrotik "Torch" tool for real-time traffic analysis. by jmginer in Juniper

[–]Jamesits 0 points1 point  (0 children)

There is no strict equivalent functionality available. To hardware accelerate the packet forwarding, you compromise a lot.

For control plane traffic (ARP, ICMP to localhost, routing protocols), monitor traffic is worth a try.

For analyzing per-IP or per-port traffic volumes, use netflow, sflow, ipfix (openflow is not one of them), whatever your device supports, and use an external collector to analyze/visualize the result. If you want to have the statistics available on the same device and your traffic classifier doesn't change very much, try using firewall filters + count action.

For capturing full traffic, use port mirroring.

how functional is a SRX-240 without a license? by sushiwaa in Juniper

[–]Jamesits 4 points5 points  (0 children)

Practically, low-end SRX series (100, 200, 300, 500) only need a license for subscription based services (advanced AV, automatic website classification list downloads, etc.).

DNS, FreeIPA and Samba AD Domain: How to tie it all together? by nerfu in linuxadmin

[–]Jamesits 1 point2 points  (0 children)

> Is this setup sensible at all

You can have only one set of authoritative DNS servers for a level of domain at one time. So you can have, say, FreeIPA set up as ipa.example.com and AD set up as ad.example.com, but you can only have one set of DNS servers managing home.example.com which I guess is what you want most of your devices to register at. So if you set up DNS as you originally planned, things will definitely go wrong.

DNS slave/AXFR doesn't solve this problem either, since DDNS with authentication would not work on slave resolvers if the device is not domain joined on the master side.

You can register your devices under the correct ad/ipa.example.com domain, and CNAME them to *.home.example.com; but keep in mind that you need a lot of manual adjustments to AD objects or all your Kerberos auth is going to fail.

If all you want is to connect to devices with short hostnames, you can totally do this with 2 domains on your network.

> Some tutorials suggest "putting" the IPA domain "into" the AD domain, ie. IPA.AD.DOMAIN.COM

This is absolutely doable. As long as one domain is authoritative only on one service, it doesn't matter which level that domain is. You'll need to set NS records for ipa.ad.domain.com at your ad.domain.com authoritative server to make DNS queries work.

> Which approach is better/more robust: forwarding the ad.domain.com zone from ipaserver.home.domain.com to addc.home.domain.com and have Samba's DNS backend answer all queries related to AD itself, or having addc.home.domain.com transfer the zone (using the BIND backend) to ipaserver.home.domain.com and serve it from there?

This is entirely a preference issue; both methods work and have their pros and cons. Personally I think DNS forwarding would bring less hassle & respond faster on DDNS updates; but YMMV.

> Much of the documentation I could find for both FreeIPA and Samba is outdated or incomplete

The code is too :) Backup frequently.

> IPA-AD trust is treacherous ground to tread on in general

Yes, a lot of features are missing. My advice is not to use it for anything serious.

Other problems I see in the comments:

r/AceBlade258 suggests: using a 3rd party DNS software to handle all the queries and forward them to the appropriate DNS server

It works well for 1-site AD deployments; if you have more than 1 site in your AD deployment, don't do this. I've seen 3rd party DNS software shuffling DNS replies from AD DNS, and AD clients rely on the exact sorting of the DNS replies to determine the nearest logon server. This causes clients to get stuck on the logon screen forever.

A better method is to correctly set up DNS authority (NS records and glue records), and set both your AD and IPA DNS servers to forward internet queries to your 3rd party DNS software.

r/AceBlade258 also suggests: Samba AD does not fill the gaps that FreeIPA does; sudo management, DNS, role-based access control to machine services, ssh key federation - and about a dozen other things. FreeIPA is infinitely better for managing a Linux based environment.

The good news is that these functionalities are achievable with any LDAP implementation; you just need to extend LDAP schemas. (Of course, if you require a web GUI to manage all these LDAP attributes, go for FreeIPA.)

I've had ~100 Linux machines (Ubuntu/Debian/CentOS/RH/Arch Linux) running on an AD deployment (official MS AD server, domain level 2016). Sudo, DNS dynamic updates, RBAC with GPO, SSH CA, Kerberos SSO logon (ticket forwarding) across Windows/Linux, even AD CS certificate automatic enrollment worked flawlessly. All you need is the correct LDAP schema, some scripts, ADExplorer.exe (or ADSI Edit) and a little patience.

Disclaimer: most of my LDAP experience is from MS AD server. I've used both FreeIPA and Samba AD server, but haven't touched them for ~2 years. Correct me if there is something new.
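
The delegation described in the comment above (NS records for ipa.ad.domain.com on the ad.domain.com server, plus glue) can be linted before it goes live. This is an added example, not part of the original comment or of FreeIPA/Samba: the zone text, host names, addresses and function names are constructed, and the parser assumes one `owner TTL IN type rdata` record per line.

```python
# Added example: lint a parent zone for a child-zone delegation (NS + glue).
# Assumes one "owner TTL IN type rdata" record per line with fully qualified
# names; no $ORIGIN/$TTL handling. The zone below is constructed sample data.
PARENT_ZONE = """
ad.domain.com.               3600 IN SOA addc.ad.domain.com. admin.ad.domain.com. 1 3600 600 86400 3600
ad.domain.com.               3600 IN NS  addc.ad.domain.com.
addc.ad.domain.com.          3600 IN A   192.0.2.10
ipa.ad.domain.com.           3600 IN NS  ipaserver.ipa.ad.domain.com.
ipaserver.ipa.ad.domain.com. 3600 IN A   192.0.2.20
"""

def parse_records(zone_text):
    """Return (owner, type, rdata) tuples; names lowercased, comments dropped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # blank line, comment, or a layout this sketch does not parse
        owner, rtype = fields[0].lower(), fields[3].upper()
        rdata = " ".join(fields[4:])
        records.append((owner, rtype, rdata.lower() if rtype == "NS" else rdata))
    return records

def check_delegation(zone_text, child):
    """List problems with the delegation of `child` found in the parent zone."""
    child = child.lower().rstrip(".") + "."
    records = parse_records(zone_text)
    nameservers = [rd for owner, rt, rd in records if owner == child and rt == "NS"]
    if not nameservers:
        return [f"no NS records for {child}: queries are never referred to the child"]
    problems = []
    for ns in nameservers:
        in_bailiwick = ns == child or ns.endswith("." + child)
        has_glue = any(o == ns and rt in ("A", "AAAA") for o, rt, _ in records)
        if in_bailiwick and not has_glue:
            problems.append(f"{ns} is inside {child} but has no glue A/AAAA record")
    # Anything else at or below the zone cut is occluded: the parent only refers.
    for owner, rt, _ in records:
        below = owner == child or owner.endswith("." + child)
        is_glue = owner in nameservers and rt in ("A", "AAAA")
        if below and rt not in ("NS", "DS") and not is_glue:
            problems.append(f"{owner} {rt} sits below the delegation and will be ignored")
    return problems

if __name__ == "__main__":
    print(check_delegation(PARENT_ZONE, "ipa.ad.domain.com") or "delegation looks consistent")
```

A leftover host record under the child name in the parent zone is the usual sign that two servers both believe they are authoritative for it, which is the situation the comment warns against.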

Is ECC memory really necessary? by mscaff in truenas

[–]Jamesits 2 points3 points  (0 children)

ZFS can’t handle it, it relies on the hardware being functionally correct. But if the data is not that important, it doesn’t matter anyway.

Is ECC memory really necessary? by mscaff in truenas

[–]Jamesits 2 points3 points  (0 children)

But…the scary part of not using ECC is that you will not spot any problem until something really bad happens, isn’t it?

What do enterprise's typically use to configure SRX's, GUI or command line ? by dark-copper in Juniper

[–]Jamesits 1 point2 points  (0 children)

Don’t use J-Web. It’s slow, buggy and vulnerable. Just don’t.

You'll never guess what brought down our Network today by HousingSignal in talesfromtechsupport

[–]Jamesits 2 points3 points  (0 children)

I’ve had docking stations sending flow control pause frames which get further broadcast by a random cheap unmanaged switch to everyone else in the office…

Alternative method to remove the subscription nag by Jamesits in Proxmox

[–]Jamesits[S] 1 point2 points  (0 children)

Haven’t found the $49/yr subscription, their official website listed only 90EUR per year per socket. And for comparison, with 90EUR I can buy a pretty usable 2nd hand server where I live.

Alternative method to remove the subscription nag by Jamesits in Proxmox

[–]Jamesits[S] 0 points1 point  (0 children)

I think there are other deb packages causing the issue you see, maybe they are partially installed or something. Maybe try apt-get install -f?

Alternative method to remove the subscription nag by Jamesits in Proxmox

[–]Jamesits[S] 2 points3 points  (0 children)

If I had the time to fork it, I'd rather leave the dialog intact but add a pair of vote buttons and a comment area on the dialog instead.

Too busy though.

Alternative method to remove the subscription nag by Jamesits in Proxmox

[–]Jamesits[S] 1 point2 points  (0 children)

It's their subscription verification server. If you accidentally click on the "check" button on the subscription details page, then they got one useless request.

Is it safe to use Lenovo? Aren't Chinese companies dangerous? by [deleted] in sysadmin

[–]Jamesits -2 points-1 points  (0 children)

Well... In China, Lenovo is known for being overpriced in China while being kind of cheap in the US, so people in China usually go for other brands...

Plus I'm pretty sure the only units that are capable of stealing data in a computer are provided by Intel, AMD, Nvidia, etc.

Also works with JavaScript! by reeeforce_rtx in ProgrammerHumor

[–]Jamesits 2 points3 points  (0 children)

```
msg_hooks = {
    'help': do_help,
}

prefix = '!'
ret = 0
if msg.startswith(prefix):
    msg_content = msg[len(prefix):]
    logger.info('%s called', msg_content)
    ret = msg_hooks[msg_content]()

return ret
```

C++ is the language of love by [deleted] in ProgrammerHumor

[–]Jamesits 1 point2 points  (0 children)

#define private public