=== blackboxsw is now known as blackboxsw_away
axisysgot a new server hp dl360 gen 9 with 12 SSD of 800G each. I need little bit of space for OS and rest will be for /home and /var and /var/log04:51
axisysany suggestion on partitioning? may be a raid 1 of two and raid 10 of the rest 10 in the hardware raid controller?04:52
axisysany suggestion SSD related?04:52
=== Guest36807 is now known as lordievader
lordievaderGood morning07:35
=== ogra_ is now known as ogra
=== lifeless_ is now known as lifeless
drabaxisys: it really depends on what you're trying to achieve/workload14:14
draband whether speed, data integrity/resiliancy etc are most important14:14
drabaxisys: per yesterday's convo, if those are consumers ssds, overprovisioning would be a good thing to do, to help with perf long term14:15
draband to make sure that trim is ran regularly14:16
drabregarding the raid controller, one thing that matters ime is whether you have more spare hw like that/and backups to restore in case the controller fails14:17
drabbecause most likely disks won't just work on a diff controller14:17
qman__highly dependent on the hardware14:18
qman__some manufacturers are pretty consistent with their structure and it'll work on most controllers by the same manufacturer, others not so much14:18
ndboosthow can i run sftp on a seperate port and match only to users in group "sftp"?16:44
ndboosti get an error "Directive 'Subsystem' is not allowed within a Match block"16:45
tomreynndboost: use Match to restrict the set of options certain users or user groups have when connecting to the server. don't try to use it to provide those with elevated access. The 'Subsystem' directive is available on the global scope only.16:53
ndboostthx tomreyn this is what i ended up with but chroot aint working ... https://gist.github.com/mikedevita/2e545c5d0438ad0ed39c70db9021f85616:54
tomreynsftp is a subsystem of ssh, i.e. users need to be able to connect to the ssh daemon using the ssh protocol first, then shift the protocol to sftp16:54
ndboostthat makes sense16:54
ndboostlooks liek bad perms16:55
tomreynndboost: welcome, but have you now achieved to prevent that the sftp users (those in Group 'sftp') are no longer able to authenticate to port 22 and operate there without restrictions?17:09
ndboosti have 22 locked down17:09
ndboostwhat else would i need, i have Port 22 and Port 2222 in sshd_config, then that block i showed you17:10
tomreynok, i wonder how you locked down 22 then17:10
ndboostand sftp users are set to /bin/false as their shell, and are in sftp group17:10
ndboostjust firewall17:10
tomreynoh so sshd listens on 22 but the firewall prevents access to it form all or most source locations17:11
tomreyni guess this works.17:11
ndboosti have a select few of IPs whitelisted17:11
ndboostfor 2217:11
ndboostand all ipv4/6 on 222217:12
tomreynconsider doing it the other way around if you want to do users a favor17:12
tomreynbut other than that, sounds good to me.17:12
tomreynyou might want to allow only public key authentication on the 'admin' port (where users can get a shell)17:13
ndboostyeah but then i get tons of hits on 2217:13
ndboosti only allow pubkey auth on ssh17:13
ndboostand the users are editing web docs n stuff, they should be competent enough to use 222217:14
tomreyntotally not ;)17:14
tomreynbut your config sounds good to me.17:14
patdk-l2why would you use port 2222?18:32
patdk-l2I have a few friends that use port 222 or 2222 isntead of 22, to stop attacks18:33
patdk-l2their logs show just as many attempts as mine on port 22, in the same ip space18:33
=== ivoks_ is now known as ivoks
=== SvenDowideit is now known as Guest25455
axisysdrab: well this server will be used a for tons of scripts .. mostly cpu and mem intensive..20:11
axisysbased on the current build on the old server20:12
axisysdrab: ^20:12
axisysso do I need to build a raid5/6 with many spares.. or just a raid1 (2 disks) and a raid10 (10 disks) will do?20:13
axisysI suppose running trim is a must since these are all SSDs and do I need a discard in fstab?20:13
axisysalso found this https://wiki.debian.org/SSDOptimization .. and probably applies to ubuntu as well since it is made from debian?20:14
drabaxisys: if the workload is mostly cpu/mem intensive I don20:34
drab't see the benefits of a configuration that adds to io perf (raid10)20:35
drabsince you don't need the extra perf I'd go for extra reliability and build a raid620:35
drabwith as many spares as you can afford, but I'd say one is plenty considering you20:35
drab're already got 2 drives safety net20:35
axisysdrab: good point20:36
drabat which point no need to split the raid1 on its own, just have one raid6 which makes the whole system much more resiliant20:36
axisysso a raid1 and a raid6 .. where raid1 will be just for OS?20:36
axisysah.. :-)20:36
drabif you split your os can only rtake 1 disk failure, after which it's out20:37
drabif it's on on raid6 with a spare the whole thing can survive 3 disks20:37
drabwhich is a heck of a lot20:37
axisysas for swap.. I see not to use SSD for swap.. and I see current system (retired onces the new one built) swappiness is 020:38
axisysbut swap went up to about 2G in May when we had some network dependency broke. and restored since then.. but swap stayed at flat line 1.6G per our monitor20:39
drabthere's a ton of arguments on using no swap on the webs, that swap is bad, blah blah blah, and it's true that swap is the killer, but ime it's saner to make a small swap partition and monitor it, treating any sign of swappiness as something to fix, rather than to avoid swap altogether "because your app should never swap"20:40
axisysso obviously swap not in use in normal situation.. so since SSD is a no no for swap.. may be use RAM for swap (tmpfs) ?20:40
axisysI have 64G ram on new one.. and old one has 32G ram and 80% in use in avg per monitor20:41
drabyou could do that, even tho swap on ram is as much of a practical joke as it gets :P20:41
drabI don't necesasrily see why swap is a no no for SSD, especially knowing that it almost never happens20:42
axisysdrab: right..20:42
drabI'd rather "throw away" 2GB of SSD than 2GB of ram on a mem intensive workload20:42
axisysI am not leaning to any direction.. discussing20:42
axisysI just did a swapoff -a && swapon -a on the old system since I have 20G ram available..20:44
axisysso I guess I can run that routinely20:45
axisysyes it does check if enough mem available before running the off/on.. with a script20:45
axisys.. if enough mem available to take over the used swap ..20:46
axisysdrab: so you are saying use tmpfs on ssd ?20:46
axisysdrab: just making sure I am following it correctly20:46
axisysoh one more question.. should I still use LVM in this scenario?20:47
* axisys brb20:48
* axisys back21:11
axisysdo I still need lvm.. probably should ask in a different channel?21:11
drabaxisys: I dind't understand the swapon/off comment. I'd just setup a small (4GB tops) swap partition on the SSDs, I don't see a problem with it and it seems better than using RAM (on a mem heavy workload machine)21:52
drabaxisys: the main benefit of LVM is if you think you'll need to add/expand the storage21:52
drabif you're already using all the bays and you're likely to not be wanting to readjust partitions, then no need21:52
drabgiven that you want to use /var/ and /var/log, my guess would be you're better off to use it as things may change and you may need to reallocate space21:53
drabI've personally been bitten by this allocation issue enough times that I don't do it anymore, it's just one big partition except for home fileservers where /homes are indeed separate with quotas21:55
drabaltho as I'm migrating everything to zfs that's also no longer something I have to worry about21:56
=== Guest25455 is now known as SvenDowideit

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!