
Adjusting Memory in Atlassian Confluence

The following lines in setenv.sh were adjusted for optimum startup and performance; the ps output afterwards confirms the options on the running process:

# pwd
# cat setenv.sh
# Set the JVM arguments used to start Confluence.
# For a description of the vm options of jdk 8, see:
# http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
# For a description of the vm options of jdk 11, see:
# https://docs.oracle.com/en/java/javase/11/tools/java.html
CATALINA_OPTS="-XX:+IgnoreUnrecognizedVMOptions ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution ${CATALINA_OPTS}"
CATALINA_OPTS="-Xlog:gc+age=debug:file=$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log::filecount=5,filesize=2M ${CATALINA_OPTS}"
CATALINA_OPTS="-Xloggc:$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M ${CATALINA_OPTS}"
CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Datlassian.plugins.enable.wait=300 ${CATALINA_OPTS}"
CATALINA_OPTS="-Xms1024m -Xmx6144m -XX:+UseG1GC ${CATALINA_OPTS}"
CATALINA_OPTS="-Dsynchrony.enable.xhr.fallback=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 ${CATALINA_OPTS}"
CATALINA_OPTS="-Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing ${CATALINA_OPTS}"


# ps -ef|grep -Ei confluence
conflue+ 22167     1 99 22:18 ?        00:00:35 /atlas/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/atlas/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing -Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Dconfluence.context.path= -Datlassian.plugins.startup.options= -Djava.locale.providers=JRE,SPI,CLDR -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dsynchrony.enable.xhr.fallback=true -Xms1024m -Xmx6144m -XX:+UseG1GC -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -XX:G1ReservePercent=20 -Xloggc:/atlas/atlassian/confluence/logs/gc-2021-07-13_22-18-48.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/atlas/atlassian/confluence/logs/gc-2021-07-13_22-18-48.log::filecount=5,filesize=2M -XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution -XX:+IgnoreUnrecognizedVMOptions -Dignore.endorsed.dirs= -classpath /atlas/atlassian/confluence/bin/bootstrap.jar:/atlas/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/atlas/atlassian/confluence -Dcatalina.home=/atlas/atlassian/confluence -Djava.io.tmpdir=/atlas/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start
root     22391 12708  0 22:19 pts/0    00:00:00 grep --color=auto -Ei confluence
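As an added example (not from the original post), here is a small shell check that pulls the heap and TLS settings out of a running Confluence command line such as the ps output above and flags two things worth watching: an -Xmx that leaves the operating system no headroom, and TLSv1.1 (deprecated by RFC 8996) still being offered by the server. The CMDLINE string is a constructed sample in the shape of the ps output, and the 1 GB headroom threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. CMDLINE is a constructed
# sample shaped like the ps output; on a live host feed it from
#   ps -o args= -C java | head -n 1
# The 1 GB of headroom required by heap_fits is an assumption.

CMDLINE='/atlas/atlassian/confluence/jre//bin/java -Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Xms1024m -Xmx6144m -XX:+UseG1GC -XX:ReservedCodeCacheSize=256m org.apache.catalina.startup.Bootstrap start'

# jvm_opt CMDLINE PREFIX -> value of the first option starting with PREFIX (e.g. -Xmx -> 6144m)
jvm_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2//p" | head -n 1
}

# to_mb SIZE -> SIZE in megabytes; accepts the JVM k/m/g suffixes, bare numbers are bytes
to_mb() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[gG]) echo $((n * 1024)) ;;
        *[mM]) echo "$n" ;;
        *[kK]) echo $((n / 1024)) ;;
        *)     echo $((n / 1024 / 1024)) ;;
    esac
}

# heap_fits CMDLINE TOTAL_MB -> 0 if -Xmx leaves at least 1024 MB of TOTAL_MB for everything else
heap_fits() {
    xmx_mb=$(to_mb "$(jvm_opt "$1" -Xmx)")
    [ $((xmx_mb + 1024)) -le "$2" ]
}

# weak_tls CMDLINE -> 0 if TLSv1 or TLSv1.1 is enabled on the server side
weak_tls() {
    protos=$(jvm_opt "$1" -Djdk.tls.server.protocols=)
    case ",$protos," in
        *,TLSv1,*|*,TLSv1.1,*) return 0 ;;
        *) return 1 ;;
    esac
}

# report CMDLINE TOTAL_MB -> prints findings; returns 1 if anything needs attention
report() {
    rc=0
    heap_fits "$1" "$2" || { echo "WARN: -Xmx $(jvm_opt "$1" -Xmx) leaves too little of $2 MB for the OS"; rc=1; }
    weak_tls "$1" && { echo "WARN: deprecated TLS version offered: $(jvm_opt "$1" -Djdk.tls.server.protocols=)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: heap $(jvm_opt "$1" -Xmx), TLS $(jvm_opt "$1" -Djdk.tls.server.protocols=)"
    return $rc
}
```

Run `report "$(ps -o args= -C java | head -n 1)" "$(free -m | awk '/^Mem:/{print $2}')"` on the Confluence host to check the live process against physical memory.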




ERR - dse_check_file - The backup file /etc/dirsrv/slapd-NIX-MDS-XYZ/dse.ldif.bak has zero length, refusing to restore it.

Recover the backup from the OK copy, literally:

/etc/dirsrv/slapd-NIX-MDS-XYZ# ls -altri
total 1904
     2076 -rw-------. 1 dirsrv root   197845 May 24  2020 dse.ldif.ipa.b22658eb606be0d2
   249372 -rw-r--r--. 1 dirsrv root   197954 May 24  2020 dse.ldif.modified.out
   130281 -rw-------. 1 dirsrv dirsrv 197835 Mar  7 15:50 dse.ldif.startOK
   456855 -rw-------. 1 dirsrv dirsrv      0 May 17 03:12 dse.ldif.bak-backup
/etc/dirsrv/slapd-NIX-MDS-XYZ# cp -ip dse.ldif.startOK dse.ldif.bak


/etc/dirsrv/slapd-NIX-MDS-XYZ# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
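As an added example (not from the original post), the restore above can be scripted so that the same zero-length test that 389-ds applies is made before anything is copied, plus a minimal content check, so an empty or truncated copy is never put in place as dse.ldif.bak. The candidate names (dse.ldif.startOK and dse.ldif) are the ones on this page; the temp-directory files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Validates a dse.ldif
# candidate before restoring it over dse.ldif.bak. Point it at the real
# /etc/dirsrv/slapd-<INSTANCE> directory; the files used in the test are
# constructed samples.

# usable_ldif FILE -> 0 if FILE is non-empty and carries the cn=config entry every dse.ldif has
usable_ldif() {
    [ -s "$1" ] && grep -q '^dn: cn=config$' "$1"
}

# pick_backup DIR -> newest usable candidate (last-good startup copy or current file), else status 1
pick_backup() {
    for f in $(ls -t "$1"/dse.ldif.startOK "$1"/dse.ldif 2>/dev/null); do
        if usable_ldif "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# restore_bak DIR -> copy the chosen candidate to dse.ldif.bak, preserving mode and owner (cp -p)
restore_bak() {
    src=$(pick_backup "$1") || { echo "no usable dse.ldif backup in $1" >&2; return 1; }
    if [ -e "$1/dse.ldif.bak" ] && usable_ldif "$1/dse.ldif.bak"; then
        echo "dse.ldif.bak already usable, leaving it alone"
        return 0
    fi
    cp -p "$src" "$1/dse.ldif.bak" && echo "restored $1/dse.ldif.bak from $src"
}
```

Usage on the affected server: `restore_bak /etc/dirsrv/slapd-NIX-MDS-XYZ` followed by `ipactl start`.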


OpenVPN: Can't browse the web when connected and the VPN is active.

Configured OpenVPN, but now you can't browse the web while connected?  It turned out the following NAT rule was missing from the firewall configuration on the OpenVPN router:

iptables -t nat -I POSTROUTING -s -j SNAT --to $(nvram get wan_ipaddr)

No rule existed to route traffic from our VPN subnet out through the WAN interface, meaning none of it was passed to the external IP address and there was no web connectivity with the outside world.  The rule above fixes this.  In case you're wondering what nvram get wan_ipaddr does: it is a BusyBox command on the DD-WRT custom firmware used on various routers, which replaces the stock firmware and its web UI.  If DD-WRT is not used, the router's external IP address will do instead.
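As an added example (not from the original post), here is a check for the condition described above: given the nat table as `iptables-save -t nat` prints it, it tells whether a POSTROUTING SNAT or MASQUERADE rule already covers the VPN subnet and, if not, prints the command to add one. The subnet, WAN address and the two rule tables are constructed placeholders; on the router substitute `iptables-save -t nat` and `nvram get wan_ipaddr`.

```shell
#!/bin/sh
# Added example, not code from the original post. VPN_SUBNET, WAN_IP and the
# RULES_* tables are constructed samples; on a DD-WRT router use
#   has_vpn_nat "$(iptables-save -t nat)" 10.8.0.0/24
# with the real subnet and $(nvram get wan_ipaddr) for the WAN address.

VPN_SUBNET="10.8.0.0/24"
WAN_IP="203.0.113.5"

# Constructed nat table that only NATs the LAN subnet, as on the broken router
RULES_MISSING='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j SNAT --to-source 203.0.113.5
COMMIT'

# The same table after the fix described above
RULES_PRESENT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j SNAT --to-source 203.0.113.5
COMMIT'

# has_vpn_nat RULES SUBNET -> 0 if a POSTROUTING SNAT/MASQUERADE rule matching SUBNET exists
has_vpn_nat() {
    printf '%s\n' "$1" | grep -F -- "-s $2 " | grep -Eq '^-A POSTROUTING .* -j (SNAT|MASQUERADE)'
}

# nat_fix_cmd SUBNET WANIP -> the iptables command that adds the missing rule
nat_fix_cmd() {
    printf 'iptables -t nat -I POSTROUTING -s %s -j SNAT --to-source %s\n' "$1" "$2"
}

# ensure_vpn_nat RULES SUBNET WANIP -> reports "ok" or the fix command; never changes the firewall itself
ensure_vpn_nat() {
    rules=$1; subnet=$2; wanip=$3
    if has_vpn_nat "$rules" "$subnet"; then
        echo "ok: NAT rule for $subnet present"
    else
        echo "missing: run: $(nat_fix_cmd "$subnet" "$wanip")"
    fi
}
```

The check deliberately only prints the fix; applying it is left to the operator, since an SNAT rule on the wrong interface or subnet quietly exposes or blackholes traffic.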


OpenShift w/ Kubernetes Setup: Installing using the UPI Method

Building an OpenShift Kubernetes cluster, using the UPI installation method.  Start off by loading the official page from Red Hat:


Before you begin, ensure the following files are downloaded from the Red Hat OpenShift pages (see links in the above document):

/root/openshift # ls -altri
total 439680
201572861 -rw-r--r--.  1 root        root              706 Apr 25 04:15 README.md
201572704 -rwxr-xr-x.  1 root        root        360710144 Apr 25 04:15 openshift-install
201572859 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz      2775 May  8 22:53 pull-secret.txt
201572858 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz  89491042 May  8 22:55 openshift-install-linux.tar.gz
201572850 drwxr-xr-x.  3 root        root             4096 May  8 23:58 .
201326721 dr-xr-x---. 12 root        root             4096 May  9 08:43 ..

Extract the .tar.gz using:

tar -zxf openshift-install-linux.tar.gz


Firewalld: add VLANs to the allowed trusted / public zone rules.

Short list of commands for adding VLANs to the trusted zone:

firewall-cmd --zone=trusted --add-source=
firewall-cmd --zone=trusted --add-source=
firewall-cmd --zone=trusted --add-source=
firewall-cmd --zone=trusted --add-source=
firewall-cmd --zone=trusted --add-source=
cat /etc/firewalld/zones/public.xml
firewall-cmd --runtime-to-permanent
cat /etc/firewalld/zones/public.xml

Result of this is:

cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <description>All network connections are accepted.</description>
  <source address=""/>
  <source address=""/>
  <source address=""/>
  <source address=""/>
  <source address=""/>
</zone>
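As an added example (not from the original post), the commands above can be made idempotent and verifiable: each subnet is added only if the zone does not already hold it, and the permanent zone file is read back to confirm nothing is missing. The subnets in the test are constructed placeholders; `zone_sources` and `missing_sources` only read the zone XML, so they run without firewalld, while `add_sources` shells out to firewall-cmd.

```shell
#!/bin/sh
# Added example, not code from the original post. The trusted zone is a
# target="ACCEPT" zone, so every source added to it bypasses filtering;
# listing what is in the zone file is the cheap audit for that.

# zone_sources ZONE_XML_FILE -> one source address per line, as stored by firewalld
zone_sources() {
    sed -n 's/^[[:space:]]*<source address="\([^"]*\)"\/>.*/\1/p' "$1"
}

# add_sources ZONE SUBNET... -> add each subnet to ZONE's runtime config unless present, then persist
add_sources() {
    zone=$1; shift
    for s in "$@"; do
        if firewall-cmd --zone="$zone" --query-source="$s" >/dev/null 2>&1; then
            echo "already in $zone: $s"
        else
            firewall-cmd --zone="$zone" --add-source="$s"
        fi
    done
    firewall-cmd --runtime-to-permanent
}

# missing_sources ZONE_XML_FILE SUBNET... -> prints the subnets not yet in the zone file
missing_sources() {
    file=$1; shift
    have=$(zone_sources "$file")
    for s in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$s" || echo "$s"
    done
}
```

Usage: `add_sources trusted 10.10.1.0/24 10.10.2.0/24` and then `missing_sources /etc/firewalld/zones/trusted.xml 10.10.1.0/24 10.10.2.0/24` should print nothing.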



ImportError: cannot import name 'setup'

Getting this?

[root@rmq01 ~]# pip3 install --user git+https://github.com/powerline/powerline.git@master
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting git+https://github.com/powerline/powerline.git@master
  Cloning https://github.com/powerline/powerline.git (to master) to /tmp/pip-i_onc12r-build
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-i_onc12r-build/setup.py", line 11, in <module>
        from setuptools import setup, find_packages
    ImportError: cannot import name 'setup'

Solve it by running this:

[root@rmq01 ~]# yum reinstall python3-setuptools.noarch

It seems the package files were corrupted.


User is not allowed to run sudo on server.  This incident will be reported.

Receiving the following when using FreeIPA to manage sudo rules?

-sh-4.2$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on idmipa04.  This incident will be reported.

On a working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

and on a non-working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Disabled
# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

ipa-compat-manage status
Directory Manager password: 

Plugin Disabled

Enable the plugin:

# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Then try sudo to root again.  All sudo rules should be visible using the following commands:

ldapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn |grep -Ei sudo|grep -v "#"

ipa sudorule-find All

on both servers.  Verify on clients:

$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on azure-r01wn01.  This incident will be reported.
$ su -
Last login: Thu Jan 28 21:53:55 EST 2021 on pts/0
[root@azure-r01wn01 ~]# systemctl restart sssd^C
[root@azure-r01wn01 ~]# rm -f /var/lib/sss/db/*
[root@azure-r01wn01 ~]# systemctl restart sssd
[root@azure-r01wn01 ~]# logout
$ sudo su -
[sudo] password for tom@mds.xyz: 
Last login: Fri Jan 29 00:51:40 EST 2021 on pts/1
[root@azure-r01wn01 ~]# 


CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

Getting one of these messages in the HTTPD error_log of a FreeIPA server? 

[Thu Jan 28 23:32:39.440152 2021] [:error] [pid 12728] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jan 28 23:32:39.440345 2021] [:error] [pid 12728] ipa: DEBUG: WSGI login_password.__call__:
[Thu Jan 28 23:32:39.442215 2021] [:error] [pid 12728] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_12728
[Thu Jan 28 23:32:39.442377 2021] [:error] [pid 12728] ipa: DEBUG: Initializing anonymous ccache
[Thu Jan 28 23:32:39.442660 2021] [:error] [pid 12728] ipa: DEBUG: Starting external process
[Thu Jan 28 23:32:39.442815 2021] [:error] [pid 12728] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Thu Jan 28 23:32:39.646898 2021] [:error] [pid 12728] ipa: DEBUG: Process finished, return code=1
[Thu Jan 28 23:32:39.647109 2021] [:error] [pid 12728] ipa: DEBUG: stdout=
[Thu Jan 28 23:32:39.647256 2021] [:error] [pid 12728] ipa: DEBUG: stderr=kinit: Preauthentication failed while getting initial credentials
[Thu Jan 28 23:32:39.647281 2021] [:error] [pid 12728] 
[Thu Jan 28 23:32:39.647613 2021] [:error] [pid 12728] [remote] mod_wsgi (pid=12728): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Jan 28 23:32:39.647727 2021] [:error] [pid 12728] [remote] Traceback (most recent call last):
[Thu Jan 28 23:32:39.647840 2021] [:error] [pid 12728] [remote]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Thu Jan 28 23:32:39.648086 2021] [:error] [pid 12728] [remote]     return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Jan 28 23:32:39.648143 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Thu Jan 28 23:32:39.648852 2021] [:error] [pid 12728] [remote]     return self.route(environ, start_response)
[Thu Jan 28 23:32:39.648901 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Thu Jan 28 23:32:39.648952 2021] [:error] [pid 12728] [remote]     return app(environ, start_response)
[Thu Jan 28 23:32:39.648989 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Thu Jan 28 23:32:39.649034 2021] [:error] [pid 12728] [remote]     self.kinit(user_principal, password, ipa_ccache_name)
[Thu Jan 28 23:32:39.649076 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Thu Jan 28 23:32:39.649121 2021] [:error] [pid 12728] [remote]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Jan 28 23:32:39.649165 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Thu Jan 28 23:32:39.649365 2021] [:error] [pid 12728] [remote]     run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Jan 28 23:32:39.649407 2021] [:error] [pid 12728] [remote]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Thu Jan 28 23:32:39.650151 2021] [:error] [pid 12728] [remote]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Jan 28 23:32:39.650286 2021] [:error] [pid 12728] [remote] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

This prevented Web UI logins as well:

Login failed due to an unknown reason.

Solve it by re-enabling PKINIT (it had been disabled earlier, for reasons that escape me):

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key /var/kerberos/krb5kdc/
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.crt

total 32
201645664 -rw-------. 1 root root   22 Nov 27  2019 kadm5.acl
134764626 drwxr-xr-x. 4 root root   31 Mar 31  2020 ..
201364197 -rw-r--r--. 1 root root 1448 Jan  8 21:13 kdc.crt-backup
201328018 -rw-------. 1 root root 1708 Jan 28 23:42 kdc.key-backup
201657540 -rw-------. 1 root root  626 Jan 28 23:59 kdc.conf
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 kdc.crt
201645673 drwxr-xr-x. 2 root root 4096 Jan 29 00:18 .
201657542 -rw-r--r--. 1 root root 2578 Jan 29 00:18 cacert.pem

Note that before PKINIT was re-enabled, kdc.crt had the wrong size (1448 bytes) and contained this:

# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key
201657540 -rw-------. 1 root root 1708 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.key
201657541 -rw-r--r--. 1 root root 1448 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.crt
# df -h 
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G  4.0K  1.9G   1% /dev/shm
tmpfs                    1.9G   17M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/mapper/centos-root   41G  5.1G   35G  13% /
/dev/mapper/centos-home   20G   33M   20G   1% /home
/dev/sda1                497M  298M  200M  60% /boot
tmpfs                    379M     0  379M   0% /run/user/155601104
# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -noout -text 
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        Subject: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication,
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
    Signature Algorithm: sha256WithRSAEncryption
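As an added example (not from the original post), here is a check a defender would run on kdc.crt after a failure like the one above. It parses the text form of the certificate, as produced by the `openssl x509 -noout -text` command shown above, for the two things PKINIT needs from a KDC certificate under RFC 4556: the id-pkinit-KPKdc extended key usage (OID 1.3.6.1.5.2.3.5; that openssl prints it numerically is an assumption about the OpenSSL build) and a Kerberos principal otherName in the Subject Alternative Name (shown as `othername:` by openssl). The CERT_TEXT_* strings are constructed samples, with example.test names.

```shell
#!/bin/sh
# Added example, not code from the original post. Works on the text output of
#   openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -noout -text
# Assumption: the KDC EKU OID 1.3.6.1.5.2.3.5 is printed numerically.

# Constructed sample: a plain TLS server cert, not usable for PKINIT
CERT_TEXT_BAD='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=EXAMPLE.TEST, CN=kdc.example.test
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kdc.example.test
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Constructed sample: what a KDC PKINIT cert carries
CERT_TEXT_GOOD='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=EXAMPLE.TEST, CN=kdc.example.test
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5'

# eku_line TEXT -> the line following the Extended Key Usage header
eku_line() {
    printf '%s\n' "$1" | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# has_kdc_eku TEXT -> 0 if id-pkinit-KPKdc (1.3.6.1.5.2.3.5) is among the EKUs
has_kdc_eku() {
    eku_line "$1" | grep -q '1\.3\.6\.1\.5\.2\.3\.5'
}

# has_san_othername TEXT -> 0 if the SAN carries an otherName (the KDC principal name)
has_san_othername() {
    printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}' | grep -q 'othername:'
}

# not_after TEXT -> the "Not After" date string
not_after() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Not After *: *//p'
}

# check_kdc_cert TEXT -> prints one line per check; returns 1 if any check failed
check_kdc_cert() {
    rc=0
    has_kdc_eku "$1" && echo "OK   EKU includes id-pkinit-KPKdc" || { echo "FAIL EKU lacks id-pkinit-KPKdc (1.3.6.1.5.2.3.5)"; rc=1; }
    has_san_othername "$1" && echo "OK   SAN has otherName" || { echo "FAIL SAN has no otherName"; rc=1; }
    echo "INFO expires $(not_after "$1")"
    return $rc
}

# check_kdc_cert_file FILE -> run the checks on a PEM certificate on disk
check_kdc_cert_file() {
    check_kdc_cert "$(openssl x509 -in "$1" -noout -text)"
}
```

Run `check_kdc_cert_file /var/kerberos/krb5kdc/kdc.crt` on each IPA server; a certificate that passes only the TLS checks but fails both PKINIT checks is the kind of replacement that breaks the armor kinit in the traceback above.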

Hope this helps!


Low volume on Asus ROG Laptop

Low volume on your laptop, even when set to the maximum?  Ensure the Loudness Equalization option is checked in Realtek HD Audio Manager.



Decommission or Recommission a host using Cloudera 6.X API Calls: /api/v3/cm/commands/hostsOfflineOrDecommission

Need to decommission a host?  Just call this:

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v3/cm/commands/hostsOfflineOrDecommission'
  "id" : 17256,
  "name" : "HostsDecommission",
  "startTime" : "2021-01-05T02:49:37.220Z",
  "active" : true,
  "children" : {
    "items" : [ ]

Need to recommission a host?  Just call this:

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v33/cm/commands/hostsRecommission'

This maps to the ApiHostNameList specification: https://archive.cloudera.com/cm6/6.2.0/generic/jar/cm_api/apidocs/json_ApiHostNameList.html


REF: https://archive.cloudera.com/cm6/6.3.0/generic/jar/cm_api/swagger-html-sdk-docs/java/docs/ClouderaManagerResourceApi.html#hostsDecommissionCommand
REF: https://cm-c01.mws.mds.xyz:7183/static/apidocs/ui/index.html#!/ClouderaManagerResource/hostsDecommissionCommand
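As an added example (not from the original post), here is the same decommission call wrapped so that the credentials do not sit on the command line (where `ps` and shell history expose them), the Cloudera Manager certificate is verified with a CA file instead of `--insecure`, and the returned command id is polled on `GET /commands/{id}` until the command finishes. The CM host, API version (v33), CA file path and netrc path are assumptions; SAMPLE_RESP is a constructed response in the shape of the one shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. CM_URL, CA_FILE and NETRC
# are assumed values; SAMPLE_RESP is a constructed copy of the response
# shape shown on this page. The sed-based JSON reader covers the flat
# top-level fields of an ApiCommand; use jq for anything nested.

CM_URL="https://cm-c01.example.test:7183/api/v33"   # assumed host and API version
CA_FILE="/etc/pki/tls/certs/cm-ca.pem"               # assumed CA bundle that signed the CM cert
NETRC="$HOME/.netrc"                                  # holds: machine cm-c01.example.test login admin password ...

SAMPLE_RESP='{
  "id" : 17256,
  "name" : "HostsDecommission",
  "startTime" : "2021-01-05T02:49:37.220Z",
  "active" : true,
  "children" : {
    "items" : [ ]
  }
}'

# json_field JSON NAME -> value of the first top-level "NAME" : value pair (number, string or boolean)
json_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" | head -n 1
}

# hostnames_json HOST... -> the ApiHostNameList body {"items":["h1","h2"]}
hostnames_json() {
    items=""
    for h in "$@"; do
        items="$items${items:+,}\"$h\""
    done
    printf '{"items":[%s]}' "$items"
}

# cm_post PATH BODY -> POST JSON to the CM API with credentials from the netrc file
cm_post() {
    curl -sS --netrc-file "$NETRC" --cacert "$CA_FILE" -X POST \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -d "$2" "$CM_URL$1"
}

# cm_get PATH -> GET from the CM API
cm_get() {
    curl -sS --netrc-file "$NETRC" --cacert "$CA_FILE" -H 'Accept: application/json' "$CM_URL$1"
}

# decommission_hosts HOST... -> start the command, wait for it, print its "success" flag
decommission_hosts() {
    resp=$(cm_post /cm/commands/hostsOfflineOrDecommission "$(hostnames_json "$@")")
    id=$(json_field "$resp" id)
    [ -n "$id" ] || { echo "no command id in response: $resp" >&2; return 1; }
    while [ "$(json_field "$resp" active)" = "true" ]; do
        sleep 10
        resp=$(cm_get "/commands/$id")
    done
    json_field "$resp" success
}

# recommission_hosts HOST... -> the inverse call, same polling
recommission_hosts() {
    resp=$(cm_post /cm/commands/hostsRecommission "$(hostnames_json "$@")")
    id=$(json_field "$resp" id)
    [ -n "$id" ] || { echo "no command id in response: $resp" >&2; return 1; }
    while [ "$(json_field "$resp" active)" = "true" ]; do
        sleep 10
        resp=$(cm_get "/commands/$id")
    done
    json_field "$resp" success
}
```

Usage: `decommission_hosts cm-r01wn02.example.test` prints `true` or `false` once the HostsDecommission command has finished, instead of returning immediately with `"active" : true` as the raw curl call does.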

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

This work is licensed under a Creative Commons Attribution 3.0 Unported License