@gjacobse said in Eaton Rack Mount 5P: power on issue:

@NHCSAdmin said in Eaton Rack Mount 5P: power on issue:

@gjacobse Is the power input set to the correct voltage? We ran into something similar with the 9p line where the power from the street was 208 but of course the generator was at 240. With the UPS set to 208 and the batteries not at 100% it would not turn on while the UPS was running. We found it out the hardway when the power went on and the generator did not kick on and the batteries drained down. Then the generator repair tech got the generator on but it didnt matter since we couldnt turn on the unit since it was set to 208. Confirmed it with Eaton and all.

That's a good call - but sadly no.

I pulled it out of the rack - thankful for the use of a lift as pulling it down from twelve-fifteen feet up on a step-ladder would have been no joy.

Walked it across the warehouse and plugged it back in and noticed that the reported state of charge on the battery was 88%.

Wait, what now? you lost twelve percent, powered off and no load while I walked across the building? That can't be right.

Unit's going back RMA as failed..

Lead acid batteries (VRLA) can't be left uncharged for long periods of time. It cause sulphation on the cells and destroys the battery. Recommended storage time without charging is 6 months at room temperature.

So having an UPS sitting on a shelf is a bad idea. It should be hooked up at least every 6 month.

So this has nothing to do with Eaton. It's just how the battery chemistry works.

If you had the UPS sitting for a long time without installing it, this could be a factor.

@travisdh1 Installation note from Oliver

olivierlambertolivierlambert VATES 🪐 FOUNDER & CEO 🦸 Jun 30, 2021, 12:27 PM
@gskger To answer about the availability: in fact, it's already working, but very very very basic for now. I'd like to have something "not ugly" to start, even with not a lot of features, so let's say end of this summer 🙂

But if you can't hold until then, it's pretty easy to test:

Create a /opt/xensource/www/xolite.html file
Put that inside:
<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8" />
<meta
name="viewport"
content="width=device-width, initial-scale=1, shrink-to-fit=no"
/>
<meta name="theme-color" content="#cc584c" />
<title>XoLite</title>
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root">The application is loading…</div>
<script src="https://lite.xen-orchestra.com/dist/index.js"></script>
</body>
</html>
Go in your host IP address <host address>/xolite.html
That's it!

edit: until the XAPI fix is in 8.2 or 8.3, consoles only work with Chrome.

Examples in known open source worlds...

If you run ProxMox with DRBD on the Debian (host) layer, it's RLS assuming ProxMox has local disks.

If you then make that block storage available over the network, it becomes a SAN (a traditional / physical SAN.) A SAN with replication for resiliency.

If you run ProxMox and make a VM of Ubuntu and in that VM install DRBD it may or may not be RLS depending on where the host is getting its storage from for that VM. To the VM it will appear as if it is RLS, but we really don't know unless we check the stack. It's just the replication piece here.

If you then make that DRBD block layer in the VM available over the network, it becomes a vSAN.

@scottalanmiller said in ZeroTier rules to limit freelancer access:

@Pete-S said in ZeroTier rules to limit freelancer access:

Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.

I agree. Network access control and segmentation is just to make it freakishly hard to traverse for malicious actors and software.

@Obsolesce said in User migration to azure:

The alternative to signing into the web browser to sync is so much worse, even in the off chance you chose to use 4 web browsers at the same time, and sign into them all with your work account to sync. Any other method is going to end up costing way more effort in the end anyways.

No real arguement from me there. But it's still 3 (IE is dead and as far as I know never had sync) accounts, one for each browser.

I use three browsers - I personally use FF, I have to use Chrome/Edge for our EMR - it refuses FF, and I use Chrome and Edge because I have need for multiple sessions in the EMR as different users... now I could do profiles in Chrome for that - but that's like making multiple accounts in Chrome.. so - meh.

@dagors said in Configure ZTE F670L for NAT on LAN Ethernet Ports:

This was it. What a dumb way to have that worded!!

Sorry, google translate.
But it's good that it was fixed.

I mean dumb way that ZTE worded it.

We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.

Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.

In the above two cases a reboot usually resolves it, when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.

Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.

There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.

@Pete-S said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

This is how you do that:
https://developer.wordpress.org/plugins/cron/hooking-wp-cron-into-the-system-task-scheduler/

Nice, good info. Thanks.

@scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

setcap cap_net_bind_service+ep /my/binary/file

Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

Good to know!

I found this as an example of how to use it and also commands to remove the permission:
https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

The setcap utility seems to be available in the libcap2-bin package on debian distros.

I haven't checked if it's installed by default.

@IRJ said in Helpdesk - PC replacement routines:

@scottalanmiller said in Helpdesk - PC replacement routines:

@IRJ said in Helpdesk - PC replacement routines:

The Helpdesk team exists to be a human shield for users. Your main job is keep users away from the rest of IT. Customer service and user support is the job. Since your Helpdesk should be made up of entry level with fair turnover, I'm not sure you're gonna ever be efficient nor is that really the goal.

I started in Helpdesk as did many others I've met in higher IT positions. The employees that you have that are really good are not meant to stay there too long. If your company doesn't have the foresite to promote top performers, they will just leave and go somewhere else.

The TLDR is Helpdesk is supposed to be a a human shield for IT. It should be a starting place for aspiring IT professionals, and if they are knowledgeable enough to improve these processes they won't be around long (one way or another).

That said, some people like the interaction and choose to stay there. But that's not the norm. But even then, it's a customer service role for sure and "performance" will always be difficult. In fact, you might dislike performance if it means less human interactions with end users.

Yep. I've seen it. There's one guy that I worked with that just loved everything about Helpdesk. Far more capable than the desk. He could be working with servers, cloud, etc. He just decided he loved what he was doing and stayed there for many years. I kept in touch for many years beyond us working together and he was always there. Big fish in little pond so to speak, and I think he likes that.

We've had staff like that. Pure gold if you find them. Someone actually happy with "what they are doing."

@Danp said in How to use different accounts on the same website/service with profiles:

With Firefox, you also have the option of using the Multi-Account Containers extension.

been using this for 3+ years - damn I just wish Chrome supported it.

@jt1001001

Thank you, about what I expected…. Just needed confirmation.

@JaredBusch said in Fedora 33 SSH Access Denied But Webmin Works Fine:

@scottalanmiller said in Fedora 33 SSH Access Denied But Webmin Works Fine:

Root is disabled by default in SSH configs most of the time.

Not until the last couple years. Sure we always disabled it, but it was not default that way until recently.

Ubuntu disabled it by default in 14.04 (2014) and Debian in version 8 (2015).

This probably coincide when openssh developers decided that disabled should be the default in the source code.

It's up to the distro to set defaults for installed packages so RedHat based distros like Fedora might have been much later.

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

I'm not saying Proxmox is insecure, I'm just saying it wasn't designed with security as it's primary focus.
KVM by default for instance is managed by libvirt and by default doesn't open any tcp ports at all. That gives the administrator the option to decide what level of security versus convenience they want.

Ignoring "by default" in that, ProxMox can be the same. You can close everything up and only manage however you like. You don't have to use the web interface on it, it can be totally shut down. Obviously defeating lots of the purpose, but plausible.

I spend far more time on ProxMox via command line via MeshCentral than via the web interface and the web interface, while we don't lock it down from the LAN in most cases (we run a LOT of ProxMox these days) we primarily access it from the PM host itself from a jump box running on top of it for the cases when the web interface is needed. So while we don't go to the degree of locking it off from the LAN, we could and we wouldn't notice the difference most of the time.

That's not a default, so obviously totally different. But it's a really simple setting.

That's good to know.

We don't use gui anymore either but we're moving away from pre-packaged hypervisors and to pure KVM with libvirt compatible management tools.

We have found that to be the best solution for our use case (high degree of automation and customization).

I'd like to see that for sure. There's a lot of benefit to that, potentially at least.

We're automating a lot.

But the real problem is not the automation itself. The real problem is that automation and standardization is time consuming.

New quotes this week...

Planning is only useful when it can be used for preparation.

and

When deploying software we should never be concerned with how long the vendor will continue to provide support, but rather by how soon we get to update.

@JasGot said in What to use for new Windows network domain:

No need for split DNS this way.

That is a huge reason.

Thanks guys, I'll check out AHK.