Just a quick bash script
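# Show what changed in every dataset of a pool since a given snapshot.
# For each dataset below POOL that has the snapshot SNAP, print a header line
# followed by the `zfs diff` output (snapshot compared with the current state).
# Handy for spotting unexpected file changes since the last backup.
# NOTE(review): `zfs diff` typically needs root or a delegated "diff" permission.
SNAP='backup-zfs_2026-04-24_10:34:38'
POOL='tank'

# IFS= and -r keep dataset names intact (no trimming, no backslash handling);
# the quotes keep names with spaces from being split into several arguments.
zfs list -H -o name -r "$POOL" | while IFS= read -r ds; do
  # Skip datasets that do not carry this snapshot.
  if zfs list -H -t snapshot "${ds}@${SNAP}" >/dev/null 2>&1; then
    echo "[DATASET] $ds"
    zfs diff "${ds}@${SNAP}"
  fi
done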
Welcome to my world
Just a quick bash script
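# Show what changed in every dataset of a pool since a given snapshot.
# For each dataset below POOL that has the snapshot SNAP, print a header line
# followed by the `zfs diff` output (snapshot compared with the current state).
# Handy for spotting unexpected file changes since the last backup.
# NOTE(review): `zfs diff` typically needs root or a delegated "diff" permission.
SNAP='backup-zfs_2026-04-24_10:34:38'
POOL='tank'

# IFS= and -r keep dataset names intact (no trimming, no backslash handling);
# the quotes keep names with spaces from being split into several arguments.
zfs list -H -o name -r "$POOL" | while IFS= read -r ds; do
  # Skip datasets that do not carry this snapshot.
  if zfs list -H -t snapshot "${ds}@${SNAP}" >/dev/null 2>&1; then
    echo "[DATASET] $ds"
    zfs diff "${ds}@${SNAP}"
  fi
done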
A working version to block intrusion attempts into warpgate
compose.yml
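# Warpgate plus a Vector sidecar that turns Warpgate's container logs into a
# fail2ban-readable file on the host. (Indentation restored; values unchanged.)
services:
  warpgate:
    container_name: warpgate
    # NOTE(review): no tag is given, so the registry's default tag is pulled.
    # Pin a specific version or digest so upgrades are deliberate and reviewable.
    image: ghcr.io/warp-tech/warpgate
    ports:
      # SSH listener, published on all host interfaces.
      - 2222:2222
      # Web UI / API, published on loopback only; presumably fronted by a
      # reverse proxy running on the host.
      - 127.0.0.1:8888:8888
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      # The client address is taken from proxy-supplied headers. This is only
      # safe when every request passes through a proxy that overwrites those
      # headers; otherwise a client can choose the client_ip that gets logged,
      # and therefore the address that fail2ban bans.
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"

  vector:
    # NOTE(review): a floating "latest" tag; pin a version or digest here too.
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      # The :ro flag only makes the socket file read-only; it does not limit
      # the Docker API. A process that can talk to this socket can control the
      # daemon, so treat this container as equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      # Shared with the host so fail2ban can read the generated auth.log.
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]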
vector.yaml
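# Vector pipeline: read the warpgate container's logs, keep only failed
# HTTP/SSH logins, and write one normalized line per failure for fail2ban.
# (Indentation and the regex group name were lost on the page and are restored.)
sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate

transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    source: |
      raw = string!(.message)

      # Strip ANSI escape codes (if present)
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")

      # --- 1) HTTP login failed (401) ---
      is_http_fail =
        contains(msg, "WARN HTTP:") &&
        contains(msg, "/@warpgate/api/auth/login") &&
        contains(msg, "status=401") &&
        contains(msg, "client_ip")

      # --- 2) SSH auth failed (credentials/user/password) ---
      # Example log line:
      # "ERROR SSH: Failed to verify credentials ... client_ip=::ffff:222.138.251.223"
      is_ssh_fail =
        contains(msg, "ERROR SSH:") &&
        contains(msg, "Failed to verify credentials") &&
        contains(msg, "client_ip")

      # Drop every event that is not a failed login.
      if !(is_http_fail || is_ssh_fail) {
        abort
      }

      # Timestamp in one fixed format. This is the processing time (now()),
      # not the time recorded in the original log line.
      ts = format_timestamp!(now(), "%Y-%m-%dT%H:%M:%SZ")

      # Extract the IP. The named group must be "ip" because parsed.ip is read
      # below; the character class admits only hex digits, dots and colons.
      # NOTE(review): the regex takes the first "client_ip=" in the line. If a
      # client-controlled field (for example the username) is logged before the
      # real client_ip, a client could steer which address gets banned - confirm
      # the field order against real log lines.
      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P<ip>[0-9a-fA-F\.:]+)')
      ip = parsed.ip

      # Normalize IPv4-mapped IPv6 (::ffff:1.2.3.4) -> 1.2.3.4
      ip = replace(ip, r'^::ffff:', "")

      # Output line for fail2ban (uniform format)
      if is_http_fail {
        .message = ts + " warpgate login failed (http) ip=" + ip
      } else {
        .message = ts + " warpgate login failed (ssh) ip=" + ip
      }

sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text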
/etc/fail2ban/filter.d/warpgate.conf
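# fail2ban filter for the lines written by the Vector transform, which have the
# form "<timestamp> warpgate login failed (http|ssh) ip=<address>".
# The page lost its line breaks and the angle-bracket tag after "ip=";
# <HOST> is the standard fail2ban host tag - confirm against your original file.
[Definition]

# Matches the timestamp format produced by the transform.
datepattern = ^%%Y-%%m-%%dT%%H:%%M:%%SZ

# <HOST> captures the address to ban; without a host tag the rule cannot yield a ban.
failregex = ^.*warpgate login failed.* ip=<HOST>\s*$

ignoreregex =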
/etc/fail2ban/jail.d/warpgate.conf
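# Jail for Warpgate login failures (line breaks restored; values unchanged).
[warpgate]
enabled = true
filter = warpgate
# File written by the Vector sink.
logpath = /var/log/warpgate/auth.log
# Ban after 5 failures within 300 seconds, for 900 seconds.
maxretry = 5
findtime = 300
bantime = 900
# Custom action that inserts its rules into Docker's DOCKER-USER chain.
banaction = iptables-docker-allports
# NOTE(review): consider an ignoreip entry for your own admin addresses so a
# few mistyped passwords do not lock you out of the bastion.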
/etc/fail2ban/action.d/iptables-docker-allports.conf
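# fail2ban action that bans in Docker's DOCKER-USER chain, so the drop applies
# to traffic forwarded to published container ports.
# The page lost its line breaks and the angle-bracket tags; they are restored
# here as the standard fail2ban tags <name> (jail name) and <ip> (banned
# address) - confirm against your original file.
# NOTE(review): the compose file on this page publishes the web port on
# 127.0.0.1 only, so web logins presumably arrive through a reverse proxy on
# the host. Such connections would not pass through DOCKER-USER, and HTTP bans
# may need an extra rule at the proxy or in the INPUT chain - confirm.
[Definition]

# IPv4
actionstart = iptables -N f2b-<name> || true
              iptables -C DOCKER-USER -j f2b-<name> || iptables -I DOCKER-USER -j f2b-<name>
              iptables -A f2b-<name> -j RETURN

actionstop = iptables -D DOCKER-USER -j f2b-<name> || true
             iptables -F f2b-<name> || true
             iptables -X f2b-<name> || true

actioncheck = iptables -n -L DOCKER-USER | grep -q f2b-<name>

actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP

actionunban = iptables -D f2b-<name> -s <ip> -j DROP

# IPv6
# NOTE(review): confirm that your fail2ban version honours "+=" here. If it
# does, every ban runs both the iptables and the ip6tables command with the
# same address, and one of the two will fail; stock actions instead select
# ip6tables through an [Init?family=inet6] section. Also confirm that a
# DOCKER-USER chain exists in ip6tables on this host.
actionstart += ip6tables -N f2b-<name> || true
               ip6tables -C DOCKER-USER -j f2b-<name> || ip6tables -I DOCKER-USER -j f2b-<name>
               ip6tables -A f2b-<name> -j RETURN

actionstop += ip6tables -D DOCKER-USER -j f2b-<name> || true
              ip6tables -F f2b-<name> || true
              ip6tables -X f2b-<name> || true

actioncheck += ip6tables -n -L DOCKER-USER | grep -q f2b-<name>

actionban += ip6tables -I f2b-<name> 1 -s <ip> -j DROP

actionunban += ip6tables -D f2b-<name> -s <ip> -j DROP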
# Dry-run the filter against the log Vector writes; check that the failed-login
# lines are counted as matches before relying on the jail.
fail2ban-regex /var/log/warpgate/auth.log /etc/fail2ban/filter.d/warpgate.conf
# Restart fail2ban so the new filter, jail and action are loaded.
systemctl restart fail2ban
# Show the jail's failure counters and currently banned addresses.
fail2ban-client status warpgate
Schreiben (4K random write, 16 threads, 10 Sekunden)
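# 4K write benchmark: 10 seconds, 16 concurrent I/Os.
# The page shows "-p10", which makes "10" the pool name and leaves the
# duration unset; the pool argument was presumably lost in rendering - confirm.
# Set POOL to the pool under test before running.
# --no-cleanup keeps the benchmark objects so a read test can follow; remove
# them afterwards with: rados -p "$POOL" cleanup
rados bench -p "${POOL:?set POOL to the pool to benchmark}" 10 write --no-cleanup --object-size=4096 --concurrent-ios=16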
Lesen (4K random read, 16 threads)
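# 4K random-read benchmark: 10 seconds, 16 concurrent I/Os.
# Needs objects left behind by an earlier write run with --no-cleanup.
# The page shows "-p10", which makes "10" the pool name and leaves the
# duration unset; the pool argument was presumably lost in rendering - confirm.
# Set POOL to the pool under test before running.
rados bench -p "${POOL:?set POOL to the pool to benchmark}" 10 rand --object-size=4096 --concurrent-ios=16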
Schreib und Lese Test mit 4MB der default Größe für Ceph
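# Write benchmark with 4 MB objects: 10 seconds, 16 concurrent I/Os.
# The page shows "-p10", which makes "10" the pool name and leaves the
# duration unset; the pool argument was presumably lost in rendering - confirm.
# Set POOL to the pool under test before running.
# --no-cleanup keeps the benchmark objects; remove them afterwards with:
# rados -p "$POOL" cleanup
rados bench -p "${POOL:?set POOL to the pool to benchmark}" 10 write --no-cleanup --object-size 4194304 --concurrent-ios 16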
benchmark
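bash -lc '
set -euo pipefail

# Throwaway RBD benchmark: create an image, map it, run fio against the mapped
# device, then unmap and delete the image again.
# (This whole script is a single-quoted string: keep apostrophes out of it.)
POOL="ceph-ds"
SIZE="10G"
RUNTIME="30"
IODEPTH="32"
NUMJOBS="4"
RWMIXREAD="70" # 70/30 read/write mix, as is common for VM workloads
BS="4k"
IMG="fio-bench-$(hostname -s)-$(date +%Y%m%d-%H%M%S)"
DEV=""

# Unmap and delete the benchmark image. Best effort: errors are ignored so the
# cleanup always runs to the end.
cleanup() {
  set +e
  echo ""
  echo "[CLEANUP] unmap + remove (falls vorhanden) ..."
  if [ -n "${DEV:-}" ]; then
    rbd unmap "$DEV" >/dev/null 2>&1 || true
  else
    # DEV was never set: look the mapping up through showmapped instead.
    # NOTE(review): assumes columns 2/3/5 are pool/image/device - confirm
    # against the showmapped output of your rbd version.
    rbd showmapped 2>/dev/null | awk -v p="$POOL" -v i="$IMG" '"'"'$2==p && $3==i {print $5}'"'"' | while read -r d; do
      [ -n "$d" ] && rbd unmap "$d" >/dev/null 2>&1 || true
    done
  fi
  rbd rm "${POOL}/${IMG}" >/dev/null 2>&1 || true
  echo "[CLEANUP] fertig."
}

# Run cleanup exactly once, on exit. INT and TERM are turned into an exit so
# the script stops there; trapping them with cleanup directly would remove the
# image, leave errexit switched off, and then carry on with the next step.
trap cleanup EXIT
trap "exit 130" INT
trap "exit 143" TERM

echo "[1/4] Create RBD image: ${POOL}/${IMG} (${SIZE})"
rbd create "${POOL}/${IMG}" --size "${SIZE}"

echo "[2/4] Map RBD image"
DEV="$(rbd map "${POOL}/${IMG}")"
echo " -> mapped as: ${DEV}"

# fio writes to this path with direct I/O. Refuse anything that is not a block
# device, so unexpected rbd map output can never point fio somewhere else.
if [ ! -b "${DEV}" ]; then
  echo "[ERROR] rbd map did not return a block device: ${DEV}" >&2
  exit 1
fi

echo "[3/4] fio VM-like test (randrw ${BS}, iodepth=${IODEPTH}, numjobs=${NUMJOBS}, rwmixread=${RWMIXREAD}, runtime=${RUNTIME}s)"
fio --name="ceph-rbd-${IMG}" \
  --filename="${DEV}" \
  --direct=1 --ioengine=libaio \
  --rw=randrw --rwmixread="${RWMIXREAD}" \
  --bs="${BS}" --iodepth="${IODEPTH}" --numjobs="${NUMJOBS}" \
  --runtime="${RUNTIME}" --time_based=1 \
  --group_reporting --eta=never

echo "[4/4] Done. Cleanup will run automatically."
'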
As a quick fix, no reboot is needed. On all your cluster nodes,
open each host's console and run:
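# Load the connection-tracking module now, without a reboot.
# (The page ran two commands together on one line; as printed, "echo" and the
# module name would be passed to modprobe as module parameters.)
modprobe nf_conntrack
# Make it persistent across reboots; append only if it is not listed yet, so
# running this twice does not duplicate the entry. Needs root.
grep -qxF nf_conntrack /etc/modules || echo nf_conntrack >> /etc/modules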
A quick solution to this is to add MACs hmac-sha2-512,hmac-sha2-256
# Per-host workaround: these settings apply only to connections to buggyhost.lan.
Host buggyhost.lan
User git
IdentityFile ~/.ssh/mykey
# Turns off the additional check of the host's IP address against known_hosts;
# the host key itself is still verified.
CheckHostIP no
# Offer only these two HMAC-SHA2 MAC algorithms to this host.
# NOTE(review): the -etm@openssh.com variants are generally preferred where the
# server supports them. Keep this override scoped to the one host, as here, so
# all other hosts keep the client defaults.
MACs hmac-sha2-512,hmac-sha2-256
# Take a network interface down and bring it back up (needs root).
# Caution: when logged in over this same interface, the "down" command cuts the
# session before "up" can be typed; use a console, or put both commands on one
# command line.
# ip link set dev <interface> down
ip link set dev eth0 down
# ip link set dev <interface> up
ip link set dev eth0 up
# Legacy net-tools equivalents:
# /sbin/ifconfig <interface> up
# /sbin/ifconfig <interface> down
# Create two rack buckets in the CRUSH map and attach both to the default root.
ceph osd crush add-bucket left rack
ceph osd crush add-bucket right rack
ceph osd crush move left root=default
ceph osd crush move right root=default
# Place the hosts into the racks: node-1..3 into "right", node-4..6 into "left".
# NOTE: moving buckets changes the CRUSH hierarchy and can trigger data
# movement; do it one step at a time and watch cluster health.
ceph osd crush move node-1 rack=right
ceph osd crush move node-2 rack=right
ceph osd crush move node-3 rack=right
ceph osd crush move node-4 rack=left
ceph osd crush move node-5 rack=left
ceph osd crush move node-6 rack=left
# Verify the resulting hierarchy.
ceph osd tree
# Revert: move the hosts back directly under the default root.
# NOTE(review): these commands leave the (now empty) rack buckets in place.
ceph osd crush move node-1 root=default
ceph osd crush move node-2 root=default
ceph osd crush move node-3 root=default
ceph osd crush move node-4 root=default
ceph osd crush move node-5 root=default
ceph osd crush move node-6 root=default
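# List the active (non-comment) crontab lines of every account getent knows.
# Useful when auditing a host for unexpected scheduled jobs.
# Covers per-user crontabs only: /etc/crontab, /etc/cron.d, the cron.hourly
# style directories and systemd timers need separate checks.
# crontab reports "no crontab for <user>" on stderr, so stderr is merged into
# the pipe; without that, the final grep never sees those lines.
getent passwd | awk -F: '{ print $1 }' | sudo xargs -n1 crontab -l -u 2>&1 | grep -v '^#' | grep -v '^no crontab for'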
# Show how much disk space the journal files currently use.
journalctl --disk-usage
# Delete archived journal files until usage drops below 1G. The removed entries
# are gone for any later investigation; forward or export logs first if they
# have to be retained.
journalctl --vacuum-size=1G
--vacuum-size=BYTES Reduce disk usage below specified size
--vacuum-files=INT Leave only the specified number of journal files
--vacuum-time=TIME Remove journal files older than specified time
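# Read one specific journal file instead of the default journal.
# A name ending in "~" marks a file journald set aside, typically after an
# unclean shutdown or detected corruption.
# (Command name corrected from "journcalctl"; the path is the page's placeholder.)
journalctl --file /var/log/.../dsdsdsdsdsdsdsds.journal~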
# Open the journal and jump to the most recent entries.
sudo journalctl -e
# Most recent entries of a single unit.
journalctl -e -u certbot.service
# Same, with explanatory catalog text added where available (-x).
journalctl -xeu redis-server.service
# List the boots the journal has records for.
journalctl --list-boots
# Messages of priority "err" and worse from the current boot.
journalctl -p err -b
# Kernel messages, jumping to the end.
journalctl -k -e
# All installed unit files with their enablement state.
systemctl list-unit-files
# Units that are in the failed state.
systemctl --failed
# or
systemctl list-units --state=failed
# Current boot's log with explanatory catalog text.
journalctl -xb
Display a list of messages:
# Lists all crash reports, archived ones included; "ceph crash ls-new" shows
# only those not yet archived.
ceph crash ls
read a message:
# <id> is the crash ID from the listing; the output holds the report's details.
ceph crash info <id>
mark message as read
# Archiving acknowledges the report so it no longer counts as a recent crash;
# the report itself is kept and still appears in "ceph crash ls".
ceph crash archive <id>
or mark all as read
# Acknowledges every new report at once; read them with "ceph crash info"
# first so a recurring daemon crash is not silenced unseen.
ceph crash archive-all