what is the right way to back-up a substrate basepath? - amazon-s3

can anyone point me at best-practice guidance for substrate basepath backup and restore? specifically, i'm wondering about these things:
it's my experience that backing up the basepath while the substrate service is running, results in a corrupt database that cannot be used in a restore. is that expected? it's not all that surprising if so.
syncing while the node service is running produces errors and warnings (in the sync process) like this:
warning: Skipping file /var/lib/substrate/polkadot/chains/ksmcc3/db/full/642785.sst. File does not exist.
and
upload failed: ../../var/lib/substrate/polkadot/chains/ksmcc3/db/full/642836.sst to s3://calamari-kusama-smoothie-calamari-systems/var/lib/substrate/polkadot/chains/ksmcc3/db/full/642836.sst [Errno 2] No such file or directory: '/var/lib/substrate/polkadot/chains/ksmcc3/db/full/642836.sst'
a basepath restored from a backup taken while the node service was running, always errors (for me) like so:
Error: Service(Client(Backend("Invalid argument: Column families not opened: col11, col10, col9, col8, col7, col6, col5, col4, col3, col2, col1, col0")))
or:
Error: Service(Client(Backend("IO error: No such file or directory: While opening a file for sequentially reading: /var/lib/substrate/chains/calamari/db/full/MANIFEST-009085: No such file or directory")))
is rsyncing the basepath the right way to go about doing backups? for ec2 nodes, i currently sync to an s3 bucket like so (the exclusions omit node key files from the backup):
para=calamari
relay=ksmcc3
bucket=${para}-${relay}-${HOSTNAME//./-}
basepath=/var/lib/substrate
sudo systemctl stop ${para}.service
/usr/bin/aws s3 sync ${basepath} s3://${bucket}${basepath} \
--exclude "chains/${para}/network/*" \
--exclude "polkadot/chains/${relay}/network/*"
which files in the basepath are useful for a restore and should be backed up? as well as the block numbered *.sst and *.log files, this is what i see (on a recently started, still syncing node):
$ ls -hl --ignore *.sst --ignore *.log /var/lib/substrate/{polkadot/chains/${relay}/db/{full,full/parachains/db},chains/${para}/db/full/}
/var/lib/substrate/chains/calamari/db/full/:
total 23M
-rw-r--r-- 1 root root 16 Nov 15 17:13 CURRENT
-rw-r--r-- 1 root root 37 Nov 15 16:50 IDENTITY
-rw-r--r-- 1 root root 0 Nov 15 16:50 LOCK
-rw-r--r-- 1 root root 21M Nov 16 06:33 LOG
-rw-r--r-- 1 root root 1.5M Nov 16 06:23 MANIFEST-002019
-rw-r--r-- 1 root root 48K Nov 15 17:13 OPTIONS-001991
-rw-r--r-- 1 root root 48K Nov 15 17:13 OPTIONS-002022
-rw-r--r-- 1 root root 1 Nov 15 17:13 db_version
/var/lib/substrate/polkadot/chains/ksmcc3/db/full:
total 1.4G
-rw-r--r-- 1 root root 16 Nov 15 17:13 CURRENT
-rw-r--r-- 1 root root 37 Nov 15 16:50 IDENTITY
-rw-r--r-- 1 root root 0 Nov 15 16:50 LOCK
-rw-r--r-- 1 root root 1.4G Nov 16 06:35 LOG
-rw-r--r-- 1 root root 74M Nov 16 06:35 MANIFEST-008095
-rw-r--r-- 1 root root 48K Nov 15 17:13 OPTIONS-007788
-rw-r--r-- 1 root root 48K Nov 15 17:13 OPTIONS-008098
-rw-r--r-- 1 root root 1 Nov 15 17:13 db_version
drwxr-xr-x 3 root root 4.0K Nov 15 16:50 parachains
drwxr-xr-x 2 root root 4.0K Nov 15 17:13 pvf-artifacts
/var/lib/substrate/polkadot/chains/ksmcc3/db/full/parachains/db:
total 2.1M
-rw-r--r-- 1 root root 16 Nov 15 17:13 CURRENT
-rw-r--r-- 1 root root 37 Nov 15 16:50 IDENTITY
-rw-r--r-- 1 root root 0 Nov 15 16:50 LOCK
-rw-r--r-- 1 root root 2.1M Nov 16 06:33 LOG
-rw-r--r-- 1 root root 437 Nov 15 17:13 MANIFEST-000033
-rw-r--r-- 1 root root 24K Nov 15 17:13 OPTIONS-000031
-rw-r--r-- 1 root root 24K Nov 15 17:13 OPTIONS-000036
-rw-r--r-- 1 root root 1 Nov 15 17:13 parachain_db_version

Here are some pro tips around doing any kind of DB snapshots:
Always stop the node before backing up! Failing to do this will usually result in a corrupted DB.
Always exclude {basepath}/keystore and {basepath}/network from your backups or only ever explicitly backup {basepath}/
The entire db folder should be backed up. This can be rsynced directly but it can also be tar'd or compressed then backed up.
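The answer's points combined into one cold-backup routine: stop the node, archive the basepath without any keystore or network directory, restart, then verify the archive before it leaves the host. This is an added example, not code from the thread. It assumes GNU tar; the function names, the `SERVICE_CTL` override and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: cold backup of a node basepath without its secrets.
# Assumptions: GNU tar; SERVICE_CTL is a hypothetical override (default: systemctl).

# Archive everything under BASEPATH ($1) into OUT ($2), except any directory
# named keystore or network. GNU tar --exclude patterns are unanchored by
# default, so they match at any depth of the tree.
archive_basepath() {
  tar -C "$1" --exclude=keystore --exclude=network -czf "$2" .
}

# Return 0 if the archive lists a keystore or network path component.
archive_has_secrets() {
  tar -tzf "$1" | grep -Eq '(^|/)(keystore|network)(/|$)'
}

# cold_backup UNIT BASEPATH OUT
# Stop the node, archive, restart even if archiving failed, then verify.
cold_backup() {
  cb_unit=$1 cb_base=$2 cb_out=$3 cb_rc=0
  cb_ctl=${SERVICE_CTL:-systemctl}
  "$cb_ctl" stop "$cb_unit" || return 1        # never copy a live database
  archive_basepath "$cb_base" "$cb_out" || cb_rc=$?
  "$cb_ctl" start "$cb_unit" || cb_rc=$?
  [ "$cb_rc" -eq 0 ] || return "$cb_rc"
  if archive_has_secrets "$cb_out"; then       # check again before any upload
    rm -f "$cb_out"
    return 2
  fi
}

# Usage: sudo ./cold-backup.sh calamari.service /var/lib/substrate /backup/calamari.tgz
if [ "$#" -eq 3 ]; then
  cold_backup "$@"
fi
```

Keep the output path outside the basepath so the archive does not end up inside itself.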

Related

Perl cgi script can not read a directory that has the same permission as its parent directory

I got a strange issue with our new Apache server.
When my cgi script tries to read a directory, the system gives me permission denied:
CGI Script:
#!/usr/bin/perl
print "Content-Type: Text/html\n\n";
# print `ls -altr / 2>&1`;
print `ls -altr /opt 2>&1`;
print `ls -altr /opt/NA 2>&1`;
this same code is working on our old apache server (v.2.2.15).
I can get output for “/”, and “/opt”, but when I try to list “/opt/NA”, I got Permission Denied.
And I can not see any difference between these 2 directories:
[root@myapache ~]# curl -k https://10.14.13.1/cgi-bin/listfile.cgi
total 12
drwxr-xr-x. 2 root root 6 Aug 25 2018 rh
drwxr-xr-x. 9 root root 110 Aug 18 15:17 . ##### this is the /opt
drwxr-xr-x. 5 root root 4096 Nov 18 14:22 chef
drwxr-xr-x. 5 root root 43 Nov 18 14:28 mcafee
drwxrwxr-x. 6 root root 4096 Nov 18 14:29 unified-monitoring-agent
drwxr-xr-x. 7 root root 80 Dec 16 14:59 McAfee
dr-xr-xr-x. 20 root root 4096 Dec 20 06:05 ..
drwxr-xr-x. 4 root root 32 Dec 20 06:05 isec
drwxr-xr-x. 4 root root 40 Jan 12 18:24 NA ##### this is the /opt/NA
ls: cannot open directory /opt/NA: Permission denied
Any idea how this has become a problem ?
Thanks for the advice from Dave Mitchell, I did that and updated the Security Context bit:
[root@nccm-prod-dr-mt5 opt]# ls -Z
drwxr-xr-x. root root system_u:object_r:usr_t:s0 chef
drwxr-xr-x. root root system_u:object_r:usr_t:s0 isec
drwxr-xr-x. root root system_u:object_r:usr_t:s0 mcafee
drwxr-xr-x. root root system_u:object_r:usr_t:s0 McAfee
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 NA
drwxr-xr-x. root root system_u:object_r:usr_t:s0 rh
drwxrwxr-x. root root system_u:object_r:usr_t:s0 unified-monitoring-agent
[root@nccm-prod-dr-mt5 opt]# chcon system_u:object_r:usr_t:s0 NA
[root@nccm-prod-dr-mt5 opt]# ls -Z
drwxr-xr-x. root root system_u:object_r:usr_t:s0 chef
drwxr-xr-x. root root system_u:object_r:usr_t:s0 isec
drwxr-xr-x. root root system_u:object_r:usr_t:s0 mcafee
drwxr-xr-x. root root system_u:object_r:usr_t:s0 McAfee
drwxr-xr-x. root root system_u:object_r:usr_t:s0 NA
drwxr-xr-x. root root system_u:object_r:usr_t:s0 rh
drwxrwxr-x. root root system_u:object_r:usr_t:s0 unified-monitoring-agent
And it is working now.

Proper permissions for website directories and to enable rsync deployment

I'm setting up a new website on a new Ubuntu droplet at Digital Ocean. I set this up previously on a different droplet and rsynced the website contents to it. I followed directions I found on the web, but didn't keep detailed-enough notes. I'm just trying to replicate this on the new Droplet. But I've messed up somehow. My knowledge of permissions, etc. is rudimentary :-(
My server has: /var/www/html
This is what I did:
• sudo usermod -a -G www-data [myusername]
• sudo chown -R www-data:www-data /var/www
• sudo chmod -R g+rw /var/www
• sudo chmod -R g+rws /var/www
I then created “/var/www/howardmann.us/public_html” for my website.
(I didn't put the public_html directory in var/www/html. I didn't on my other Droplet. Perhaps I should.)
sudo ls -la /var/www
total 16
drwxrwsr-x 4 www-data www-data 4096 Feb 25 15:43 .
drwxr-xr-x 14 root root 4096 Feb 24 14:27 ..
drwxr-sr-x 3 root www-data 4096 Feb 25 15:43 howardmann.us
drwxrwsr-x 2 www-data www-data 4096 Feb 25 15:42 html
sudo ls -la /var/www/howardmann.us/public_html
total 8
drwxr-sr-x 2 root www-data 4096 Feb 25 15:43 .
drwxr-sr-x 3 root www-data 4096 Feb 25 15:43 ..
Now, excerpts of rsync script (successful to my other Droplet) result from my laptop now:
1.
howardm$ ./deploy.sh
sending incremental file list
rsync: failed to set times on "/var/www/howardmann.us/public_html/.": Operation not permitted (1)
rsync: recv_generator: mkdir "/var/www/howardmann.us/public_html/css" failed: Permission denied (13)
* Skipping any contents from this failed directory *
3.
rsync: mkstemp "/var/www/howardmann.us/public_html/.DS_Store.8zaaQg" failed: Permission denied (13)
Question: How do I fix ownership and permissions on the server directories for 1) proper permissions for a website and 2) permit a rsync deploy?
For comparison, here is the status of my current working web site on the other Droplet:
howardm@howardmann:~$ ls -la /var/www/
total 20
drwxrwxr-x 5 howardm www-data 4096 Mar 5 2016 .
drwxr-xr-x 13 root root 4096 Mar 28 2015 ..
drwxrwxr-x 4 howardm www-data 4096 Jun 8 2016 howardmann.us
drwxrwxr-x 2 howardm www-data 4096 Mar 29 2015 html
Thanks!
Howard
Well, I fixed this after reading some more about permissions for a website.
My website folder is titled howardmann.us, which contains a public_html folder with the website contents.
So: /var/www/howardmann.us/public_html. (/var/www also contains a html directory)
I achieved the relevant ownership/permissions with:
sudo chown -R howardm:www-data /var/www/
I'm the owner, and www-data the group.
sudo usermod -a -G www-data [myusername]
I'm a member of the www-data group
sudo chmod -R 2775 /var/www/
This yields the proper permissions, I believe for a web site.
I made sure the same owner:group applied to all these directories:
ls -l /var/www
total 8
drwxr-sr-x 3 howardm www-data 4096 Feb 26 19:23 howardmann.us
drwxrwsr-x 2 howardm www-data 4096 Feb 25 15:42 html
ls -l /var/www/howardmann.us
total 4
drwxr-xr-x 11 howardm www-data 4096 Feb 5 2017 public_html
Now rsync works without errors.
If anyone believes these ownership/permissions for a website are (substantially) improper, please comment.
Howard

maxminddb module for apache 2.4 on ubuntu error: The MaxMind DB file contains invalid metadata

here is my system information:
$ apachectl -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2016-07-14T12:32:26
$ cat /etc/*release* | grep -i dist
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
$ uname -r
4.4.0-57-generic
i wish to install mod_maxminddb. i installed geoipupdate as a prerequisite and configured it to include not only the geolite database, but also the commercial one (using this)
$ ls -l /etc/GeoIP.conf
-rw-r--r-- 1 root root 818 Dec 24 18:29 /etc/GeoIP.conf
$ ls -l /usr/share/GeoIP/
total 0
$ geoipupdate
$ ls -l /usr/share/GeoIP/
total 187444
-rw-r--r-- 1 root root 112192399 Dec 24 18:46 GeoIP2-City.mmdb
-rw-r--r-- 1 root root 3012279 Dec 24 18:46 GeoIP2-Country.mmdb
-rw-r--r-- 1 root root 47721533 Dec 24 18:46 GeoIPCity.dat
-rw-r--r-- 1 root root 1699494 Dec 24 18:45 GeoIP.dat
-rw-r--r-- 1 root root 4189407 Dec 24 18:45 GeoIPISP.dat
-rw-r--r-- 1 root root 4299547 Dec 24 18:45 GeoLiteASNum.dat
-rw-r--r-- 1 root root 17760694 Dec 24 18:45 GeoLiteCity.dat
-rw-r--r-- 1 root root 1054583 Dec 24 18:45 GeoLiteCountry.dat
then compiled and installed the mod_maxminddb, and when apache is configured to use the commercial databases, the following error is thrown
$ apachectl -M
AH00526: Syntax error on line 12 of /etc/apache2/mods-enabled/maxminddb.conf:
MaxMindDBFile: Failed to open /usr/share/GeoIP/GeoIPCity.dat: The MaxMind DB file contains invalid metadata
but that is not the case when apache is configured to use the geolite databases.
any ideas?
You didn't include your Apache config, but you appear to be trying to use mod_maxminddb with GeoIPCity.dat (GeoIP Legacy). It only works with GeoIP2. Adjust line 12 of maxminddb.conf to use GeoIP2-City.mmdb instead.

what is the difference between java-1.7.0-openjdk-i386 and java-7-openjdk-i386

when i install netbeans it gives me the option to select the java environment, i have 3 options, the oracle java and these two (java-1.7.0-openjdk-i386 and java-7-openjdk-i386). what is the difference between these two? The OS is Ubuntu.
The two OpenJDKs are the same. However, OpenJDK is slightly different from Oracle JDK. Read this post for more clarification.
The reason why you are getting two options for OpenJDK is PROBABLY that you have two copies of OpenJDK installed (or two different references to the same directory on your system.)
For further investigation, try to ls -lh /usr/lib/jvm. The /usr/lib/jvm is usually the directory where Java gets installed. Check if one of them is a symbolic link. Also, check in netbeans the location of the two JDK and see if in fact you have two versions or references of Java on the system.
For example, here is the output of ls -lh on my system:
ls -lh
total 24K
lrwxrwxrwx 1 root root 26 Sep 10 13:41 default-java -> /usr/lib/jvm/java-7-oracle
lrwxrwxrwx 1 root root 18 Mar 13 2012 java-1.5.0-gcj -> java-1.5.0-gcj-4.6
drwxr-xr-x 7 root root 4.0K Aug 22 2012 java-1.5.0-gcj-4.6
lrwxrwxrwx 1 root root 19 Jun 26 2012 java-1.6.0-openjdk-i386 -> java-6-openjdk-i386
drwxr-xr-x 3 root root 4.0K Feb 15 10:52 java-6-openjdk-common
drwxr-xr-x 7 root root 4.0K Feb 15 10:52 java-6-openjdk-i386
drwxr-xr-x 8 ankit ankit 4.0K Jun 6 2012 java-6-sun
drwxr-xr-x 5 root root 4.0K Aug 22 2012 java-7-openjdk-i386
drwxr-xr-x 8 root root 4.0K Feb 20 10:40 java-7-oracle
lrwxrwxrwx 1 root root 12 Mar 13 2012 java-gcj -> java-gcj-4.6
lrwxrwxrwx 1 root root 18 Apr 16 2012 java-gcj-4.6 -> java-1.5.0-gcj-4.6
As you can see java-1.6.0-openjdk-i386 is just a symbolic link/reference to another directory named java-6-openjdk-i386
You installed it twice
From openjdk, following instructions from here
sudo apt-get install openjdk-7-jdk
From Stackoverflow, following instructions from here
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer
Would recommend the second one and removing the first one by typing
sudo apt-get remove openjdk-7-jdk

Production log not working

In the past I thought I was just crazy. I may be, but my production log is not at all responding to some requests. I am POSTing images to my rails app from a mobile client, then GETting a refreshed view in a web browser. The changed record is plainly visible. None of the above is showing up in my production log, but similar requests were logged an hour ago. I haven't changed any config files. I haven't restarted my server. Any suggestions as to why this is happening?
Check what value is set to
config.log_level = :warn
in your
/rails_app/config/environments/production.rb
FYI
The available log levels are: :debug,
:info, :warn, :error, :fatal.
So if you set the level to fatal only serious errors will be logged. If you set it to debug almost everything will be logged. By default in production it is set to warn. This is with good reason. As you don't want huge log files piling up on your production server for no reason.
In my case first i added config.log_level = :debug to production.rb file then i had to create the production.log file (in the log folder), then giving appropriate permissions with chmod command.
In my case I had the following gem rails_12factor in my Gemfile for production.
So I had to
Remove rails_12factor from my Gemfile
gem uninstall rails_12factor
bundle install
And on the next push to production the logs worked for me. FYI: I am using rails 5.2.1, but the rails web app started in rails 3.
Low memory is the most likely cause that I have been able to come up with. I will post here if I can prove it.
I solved the Problem by putting
Rails.logger.instance_variable_get(:@logger).instance_variable_get(:@log_dest).sync = true if Rails.logger
into my config/initializers/...
I was having the same problem. Tried everything out there on this website.
Finally i checked the value of Rails.logger in console. It gave following output.
#<RailsStdoutLogging::StdoutLogger:0x00007fe3b5bc3540
@default_formatter=#<Logger::Formatter:0x00007fe3b5bc3658 @datetime_format=nil>,
@formatter=#<ActiveSupport::Logger::SimpleFormatter:0x00007fe3b5bc34c8 @datetime_format=nil>,
@level=0,
@logdev=
#<Logger::LogDevice:0x00007fe3b5bc3608
@dev=#<IO:<STDOUT>>,
@filename=nil,
@mon_count=0,
@mon_mutex=#<Thread::Mutex:0x00007fe3b5bc35b8>,
@mon_mutex_owner_object_id=70307991657220,
@mon_owner=nil,
@shift_age=nil,
@shift_period_suffix=nil,
@shift_size=nil>,
@progname=nil>
Then I crosschecked with some other rails project and that gave the below output
#<ActiveSupport::Logger:0x00005566367b77c0 @level=0,
@progname=nil,
@default_formatter=#<Logger::Formatter:0x00005566367b7950 @datetime_format=nil>, @formatter=#<Logger::Formatter:0x00005566367b7770 @datetime_format=nil>,
@logdev=#<Logger::LogDevice:0x00005566367b7900 @shift_period_suffix=nil, @shift_size=nil,
@shift_age=nil, @filename=nil,
@dev=#<File:/home/rajanverma/workspace/aarvy/log/production.log>,
@mon_mutex=#<Thread::Mutex:0x00005566367b7888>, @mon_mutex_owner_object_id=46948744543360,
@mon_owner=nil, @mon_count=0>>
You can clearly see that both projects were using different loggers to show output. I don't want to output log on STDOUT so I changed my logger to ActiveSupport by creating an initializer file.
config/initializer/logger.rb
Rails.logger = ActiveSupport::Logger.new('log/production.log')
Now it started logging on production.log.
EDIT: I tried doing the same in production.rb, but don't know why it always got overwritten. So I decided to put it in an initializer. I don't know whether it has any performance issues. Also I don't know how it was changing automatically to #<RailsStdoutLogging::StdoutLogger:0x00007fe3b5bc3540 as writing on production.log should be the default behaviour. Please let me know if you know a better reason.
I had the same problem related to production log.
To trace back issue with web server:
tail -f /var/log/apache2/error.log
Message from application: Permission denied - /var/www/APPLICATION-NAME/log/invitation.log (Errno::EACCES)
cd /var/www/APPLICATION-NAME/log
using the command ll you will get log permissions
total 28
drwxr-sr-x 2 www-data www-data 4096 Sep 18 03:55 ./
drwxrwsr-x 14 www-data www-data 4096 Sep 24 23:52 ../
-rw-r--r-- 1 root www-data 71 Sep 18 03:55 agent_invitation.log
-rwxrwxrwx 1 root www-data 71 Sep 18 03:55 email.log*
-rw-r--r-- 1 root www-data 71 Sep 18 03:55 invitation.log
-rw-r--r-- 1 root www-data 71 Sep 18 03:55 messages.log
-rw-r--r-- 1 root www-data 51 Sep 13 01:32 production.log
Solution:
Have to change owner from root to other user:
chown www-data:www-data ./ -R
Now use ll to see the permissions
total 28
drwxr-sr-x 2 www-data www-data 4096 Sep 18 03:55 ./
drwxrwsr-x 14 www-data www-data 4096 Sep 24 23:52 ../
-rw-r--r-- 1 www-data www-data 71 Sep 18 03:55 agent_invitation.log
-rwxrwxrwx 1 www-data www-data 71 Sep 18 03:55 email.log*
-rw-r--r-- 1 www-data www-data 71 Sep 18 03:55 invitation.log
-rw-r--r-- 1 www-data www-data 71 Sep 18 03:55 messages.log
-rw-r--r-- 1 www-data www-data 51 Sep 13 01:32 production.log
Restart your web server:
sudo service apache2 restart
now check production logs.