ML

    Topics

    • 1

      Ballpark figure for cloud server managed by MSP?

      IT Business
      2 Votes
      10 Posts
      462 Views
      IRJ

      Another thing you could do is put all Nextcloud data into S3. You could then run automatic updates on the instance. If the instance ever shits the bed you can automate rebuild and connect it to S3.

      Essentially still doing server maintenance but with a lot less time involved and better reliability for the client. Then you bill them as you see fit for the management value.

      It's fairly inexpensive, too. Let's say about $20 a month for instance and $5.99 a month for a TB in Wasabi.

    • 1

      Can I use the first IP in a subnet, for instance 192.168.0.0?

      IT Discussion
      3 Votes
      49 Posts
      2k Views
      Obsolesce

      @Pete-S said in Can I use the first IP in a subnet, for instance 192.168.0.0?:

      OK, I did some more research and made some tests. I believe most people got this one wrong and for reasons that are historical.

      Assume we have the network 192.168.1.0/24.
      Subnet mask 255.255.255.0. The address range is 192.168.1.0 to 192.168.1.255.

      192.168.1.0 is a valid host IP - contrary to what most people believe.
      192.168.1.255 is reserved for directed broadcast.

      Why?

      An IP like 192.168.1.0 used to be excluded from use by a host in the past. This was obsoleted in conjunction with the introduction of classless subnets, CIDR. Mentioned in 1995, RFC 1878, which also obsoleted something related, which was the exclusion of certain subnets called subnet zero and the all-ones subnet.

      In the past IPs like 192.168.1.0 have also been used as a broadcast address but that practice is also obsolete. RFC 1812 (also 1995) states that 192.168.1.255 should be used for directed broadcast in the 192.168.1.0/24 network and that 192.168.1.0 is forbidden to use for that purpose.

      Problem when something becomes obsolete is that you still have old equipment, old protocols and old habits in use. So it takes many years before you can actually stop doing certain things that were needed in the past.

      To test the state of things today I spun up some VMs. I used 172.16.0.0/24 as my network.

      No problem setting 172.16.0.0 as IP address on CentOS or Debian for example. Everything works as you would expect.
      centos_network_addr.png

      You could however see some remnants of the past, like this:
      broadcast_ping.png
      As mentioned above, it was a long time since that was considered a broadcast address.

      Windows 7 was however another story. You can't enter 172.16.0.0 as a valid IP address in network settings. But you can do it on the command line with netsh. And then it shows up as expected. Network works as expected too.
      win7_network_addr.png

      So all in all, it is technically OK to use the first IP as a host IP. It's not reserved anymore and hasn't been for more than two decades. Protocols that used that IP for broadcast or reserved for the network address are not in use anymore.

      The biggest risk is probably to run into applications where they on purpose don't allow you to enter a specific "invalid" IP address.

      That said, it would probably be very confusing for most people.

      I would assume in a /24 network to not use x.x.x.0 when there are other networks, but in a bigger network, perfectly fine since it's inside the network range.

    • 1

      Does Windows 2016 Server have SSH server?

      Unsolved IT Discussion ssh windows server 2016
      1 Votes
      6 Posts
      1k Views
      1

      @Romo said in Does Windows 2016 Server have SSH?:

      @Pete-S start and type winver

      Awesome!

      Unfortunately it's a version 1607 build 14393.3243.
      So I can't install with powershell according to the article above.

    • 1

      Experience with off-brand SAS cables?

      IT Discussion sas
      0 Votes
      7 Posts
      556 Views
      PhlipElder

      @RojoLoco said in Experience with off-brand SAS cables?:

      I think our external SAS cables came from Monoprice or Cables 2 Go, both generic brands. No issues, and they are actually pretty well made.

      Monoprice makes no sense up here due to exchange and duties.

      We use C2G for network cables and some drive connectivity cables. We've used SuperMicro for their adaptive style cables for SATA and SAS as they are relatively inexpensive compared to any others out there and available in the distribution channel.

    • 1

      What PHP version does RHEL 7.7 come with?

      IT Discussion php rhel
      1 Votes
      16 Posts
      2k Views
      scottalanmiller

      @Pete-S said in What PHP version does RHEL 7.7 come with?:

      @scottalanmiller said in What PHP version does RHEL 7.7 come with?:

      @Pete-S said in What PHP version does RHEL 7.7 come with?:

      If Red Hat had more resources they could have released a major version each year and then supported it for ten years. Then you'd never have anything older than one year on a new inst

      Yes, you would. If you use RHEL 7 and even if RHEL 8 came out the next day, and RHEL 9 a week later... if you stay on RHEL 7 your code would not change.

      I said "New install" Scott. You are saying the exact same thing as I did.

      Oh I see what you are saying. No one does that, though, they have STS for that. Fedora, Ubuntu Current, Normal Windows 2019. They all do STS. LTS makes no sense in the real world if you are willing to use what is new at install time.

    • 1

      Firewalling IPsec tunnel traffic?

      IT Discussion
      0 Votes
      7 Posts
      289 Views
      scottalanmiller

      @Pete-S said in Firewalling IPsec tunnel traffic?:

      So in summary, you can accomplish the same thing, set up a VPN tunnel and limit traffic over it, with both IPsec and OpenVPN but in slightly different ways.

      Correct. But "slightly different" is so slight, that it is just the tools used. Like can you use a cardboard box or tupperware to transport your marbles from point A to point B? Yes. Both "work the same" as in that they are boxes that you place things in. What is different is just one has a plastic top that you "peel" open, the other has interleaving flaps. The differences are in how you "set them up", but not in what they do.

      So in that way they vary like Windows and Linux vary. Both work in the same places, do the same things, but they just have different configuration commands and interfaces.

    • 1

      Wi-Fi calling?

      IT Discussion
      0 Votes
      20 Posts
      595 Views
      JaredBusch

      @JasGot said in Wi-Fi calling?:

      @Pete-S said in Wi-Fi calling?:

      I did some more research and it turns out that WiFi calling is using some familiar protocols but it's not the same as VoIP using SIP/RTP.

      Actually another name for Wi-Fi Calling is the more official VoWiFi.
      It's using a protocol called GAN (Generic Access Network) that is based on IMS, IPsec and ePDG. And IMS is using SIP for signaling.

      Basically it's a way of sending the same packets that would go over the cell network over internet instead. It uses the SIM card for security and authentication. Its data is encapsulated in an IPsec tunnel - which is why it only works if IPsec ports and packets are allowed in the firewall.

      Related technology that works in a very similar way is VoLTE, which is Voice over the 4G/LTE network.

      Did you happen to learn if it uses the SS7 network? It would be very interesting if VoWiFi avoided the SS7.

      Why do you care? That is a back-haul PSTN network between carriers that you have no access or say about.

      But the correct answer is, "not while the call is a 'Vo' (Voice over) anything." At that point it is traveling over data networks. Which, by definition, cannot be switched telephone signalling.

    • 1

      TPM module - what is it used for?

      IT Discussion tpm
      1 Votes
      22 Posts
      2k Views
      scottalanmiller

      @StorageNinja said in TPM module - what is it used for?:

      Real encryption keeps the keys in a remote KMIP server (what you'll see for any DISA/STIG system etc).

      I've seen shops that require a human to apply the key every time.

    • 1

      Veeam with NetApp?

      IT Discussion netapp veeam backup storage raid 4 raid-dp
      1 Votes
      9 Posts
      843 Views
      scottalanmiller

      @StorageNinja said in Veeam with NetApp?:

      NetApp E-Series is the same as the old Dell MD36xxx or the LSI Engenio code base (IBM also sold a similar low-end modular array). These things were wicked fast/cost-effective at streaming workloads (got used for Lustre clusters a lot as the DAS on the nodes). Dell's abandoned reselling them for Seagate (Dothill) but they're still around

      Not wicked fast compared to building your own. And the staggering lack of internal support if anything goes wrong is a big deal... storage is one of those things you want to have work, especially at these price ranges. Having been a NetApp customer, I know that their support is helpless when it comes to trying to do high performance, their crap just falls over and so do their engineers.

    • 1

      SAS expanders explained

      IT Discussion sas sata sas expander
      6 Votes
      2 Posts
      3k Views
      1

      This is an example of a JBOD expansion chassis. 88 drive bays total (both front and back).

      Data flows between the server and the JBOD chassis over SAS cables. Only thing needed to use a JBOD chassis is a RAID/HBA card in your server with external ports.
      jbod.png

      Notice the SAS connectors to the right of the power supplies. Usually several JBODs can be connected together, aka daisy-chained, without putting more RAID cards in the server.
      jbod_backside.png

    • 1

      Online IT education sites?

      IT Discussion education
      1 Votes
      13 Posts
      1k Views
      F

      I really like Pluralsight. The Udemy courses I've taken have been okay, but haven't really been designed in a way to optimize learning.

    • 1

      Backup strategy for customer data?

      IT Discussion
      0 Votes
      50 Posts
      3k Views
      scottalanmiller

      @Dashrender said in Backup strategy for customer data?:

      @scottalanmiller said in Backup strategy for customer data?:

      @Pete-S said in Backup strategy for customer data?:

      Bit error is 1 in 10^19 bits (enterprise HDDs are 1 in 10^15). That's actually 10,000 times better than HDDs. And 30 years of archival properties.

      yeah, the tech behind LTO8 is freaking fantastic. And unlike HDD where research is stagnating, tape keeps advancing.

      Would you really call it stagnating? They are basically at the atomic level already...

      That's the primary cause of the stagnation. They are really struggling to keep moving forward with advances. That's exactly what stagnation means.

    • 1

      Spinning rust, how long do you keep it spinning?

      IT Discussion
      0 Votes
      19 Posts
      682 Views
      scottalanmiller

      @Pete-S maybe if you gave a concrete example of where you see replacing good five year old drives with new drives as good we'd see what you mean. Under normal circumstances, I'd replace the old drives with the same size drives today (don't want to lose speed or reconfigure) and just lose money.

    • 1

      RAID5 on SSD in 2019?

      IT Discussion
      0 Votes
      12 Posts
      405 Views
      Obsolesce

      @scottalanmiller said in RAID5 on SSD in 2019?:

      @Obsolesce said in RAID5 on SSD in 2019?:

      @scottalanmiller said in RAID5 on SSD in 2019?:

      As long as this is for capacity this is viable, if this is for performance, you'll find that no hardware controller is likely to be able to handle that many SSDs at full speed.

      How much data can, for example, a PERC H840 move? All I can find is that it's 12 Gbps PER PORT, with 8GB NV Cache, seems like it'd easily handle 10x SSDs in a RAID 10.

      You have to buy one and test it. No one releases those numbers 🙂

      xByte has done that in the past.

      Sure, if you buy me the server and drives, I'll get the PERC and test it! 😶

    • 1

      Naming convention for VMs?

      IT Discussion
      0 Votes
      20 Posts
      493 Views
      JaredBusch

      @Dashrender said in Naming convention for VMs?:

      Wow - those are all boring.. I name my servers after warships. 😉

      I once named everything on a network after characters from the 5th Element.

      Well except the badge machine. That was named MultiPass.. Technically not a character.

    • 1

      Why does some key combinations not work over ssh?

      IT Discussion midnight commander ssh
      1 Votes
      32 Posts
      2k Views
      1

      @scottalanmiller said in Why does some key combinations not work over ssh?:

      @Pete-S said in Why does some key combinations not work over ssh?:

      @scottalanmiller said in Why does some key combinations not work over ssh?:

      So the issue is that SSH uses the ASCII definitions for what can be passed, and things like Control-Shift aren't defined in the ASCII C0 control set.

      https://en.wikipedia.org/w/index.php?title=C0_and_C1_control_codes&oldid=869654887#C0_controls

      So they aren't passed because they aren't part of the character set of the protocol. So yes, it's SSH not passing it because it doesn't exist to SSH 😞

      That's too bad.

      Do you have any link where it says that ssh uses these definitions? Maybe there is a way around it.

      Can't find one, not with OpenSSH. Tectia supports it, but is crap in general. If you search on it, everyone talks about the ASCII limits of SSH. You'll find SFTP / SCP have the ASCII / Binary option for connections because of the underlying ASCII protocol in use.

      Thanks, I'll dig around and see if I can find something. Otherwise I'll just have to accept that it is what it is 🙂

    • 1

      SSD cache on linux software raid?

      IT Discussion
      1 Votes
      3 Posts
      180 Views
      scottalanmiller

      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/lvm_cache_volume_creation

      LVM has some of that stuff, too.

    • 1

      SSH tunneling/gateway question

      IT Discussion ssh tunnel gateway
      1 Votes
      16 Posts
      1k Views
      CloudKnight

      Using SSH to tunnel RDP is quite handy as well.

    • 1

      Where can I learn more about SSL certs?

      IT Discussion ssl certificates certificate authority
      2 Votes
      12 Posts
      1k Views
      1

      @black3dynamite said in Where can I learn more about SSL certs?:

      This 5-part article about setting up your CA is pretty good.
      https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

      Blog posts on Altaro.
      https://www.altaro.com/hyper-v/public-key-infrastructure/
      https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/
      https://www.altaro.com/hyper-v/windows-ssl-certificate-templates/
      https://www.altaro.com/hyper-v/request-ssl-windows-certificate-server/
      https://www.altaro.com/hyper-v/view-revoke-manually-approve-certificates/

      Thanks! I've started to read the info.

    • 1

      Was mangolassi down earlier today?

      Platform and Category Issues
      1 Votes
      26 Posts
      2k Views
      scottalanmiller

      @JaredBusch said in Was mangolassi down earlier today?:

      @Pete-S said in Was mangolassi down earlier today?:

      @scottalanmiller said in Was mangolassi down earlier today?:

      ML costs about $80/mo to run on Linode or Vultr

      So would that be something like 16GB RAM, 6 vCPUs?

      I believe it is multiple instances. The database server is a separate instance from the web server.

      It's all in one, reduces latency. We are able to get enough threads in a single instance so works out well.
