In this project, I integrate S3 object storage with the Proxmox backup scheduler, copying resulting backups to a cloud storage service directly from the Proxmox system. The S3 protocol is ubiquitous among cloud object storage providers, so we aren’t tied to AWS - we can use any service such as Backblaze. In my case, I’m demonstrating this with Linode.

Proxmox VZDump hook scripting

Proxmox’s documentation mentions briefly that the --script argument can be passed to vzdump, the Proxmox backup utility. We can also add the line script <path_to_script> in the /etc/pve/jobs.conf file, and it will retain this script argument even if you modify the backup job from the GUI. You can’t add a script command from the GUI, but you need to initially create the job there.

Proxmox mentions a backup file (vzdump-hook-script.pl), but I was unable to find a copy easily. For your convenience, I’ve uploaded it to my site here for you to view. The tl;dr is that:

• The first argument to the script is the phase, which is one of:

  • job-start

  • job-end

  • job-abort

  • backup-start

  • backup-end

  • backup-abort

  • log-end

  • pre-stop

  • pre-restart

  • post-restart

• The ‘job’ type phases are called once for a job, while the rest are called for each backup in the job

• The backup mode (stop/suspend/snapshot) and vmid are passed as arguments to the non-job types

• Additional information is passed as environment variables for certain phases, including TARGET (the full path on the local system to the backup file), LOGFILE (the full path to the log file), and a few other useful attributes.

In our case, we are going to hook to the job-end, backup-end, and log-end phases and do the following:

• For backup-end, copy the file TARGET to the S3 bucket and delete the original

• For log-end, copy the file LOGFILE to the S3 bucket and delete the original

• For job-end, check if there are any backups which should be expired and remove them. This is done only once, even if there are multiple VMs to backup in a single job.

S3 Tools

There are a few different open source options for general purpose file management using the S3 protocol. The most common are s3cmd and s3fs-fuse. The first provides a command line utility to perform actions on an S3 bucket (ls, put, get, delete, …) and the second implements a filesystem backed by an S3 bucket. Since the S3 protocol can only replace files (not modify parts of a file), s3fs-fuse can be quite slow depending on how files are written/read. Given the use of hook scripts here, I’ve decided to use s3cmd. It’s easily installed by running apt install s3cmd on Proxmox.

Once s3cmd is installed, we need to configure it by running s3cmd --configure. It will ask you a few questions, and the answers will depend on your cloud storage provider. They should have a guide on configuring S3 access with their service (i.e. Linode’s is here). I’ve walked through my own setup in the video.

Once we run configure, it will generate a file called ~/.s3cfg which includes the access key and endpoint URL. Since we ran this as root, it will be /root/.s3cfg on our Proxmox host. That’s fine, since backup jobs run as root.

If you’re interested in the details, feel free to read the s3cmd docs here.

Once you’ve verified that you have s3cmd installed and can s3cmd ls and s3cmd put to the target bucket, we can add the s3 put’s to our backup script.

Backup Expiration Script

I found a script to handle expiration of files in S3. I’ve copied it here for reference. I named it s3cleanup.sh on my system.

#!/bin/bash

# Usage: ./s3cleanup.sh "bucketname" "7 days"

s3cmd ls s3://$1 | grep " DIR " -v | while read -r line;
  do
    createDate=`echo $line|awk {'print $1" "$2'}`
    createDate=$(date -d "$createDate" "+%s")
    olderThan=$(date -d "$2 ago" "+%s")
    if [[ $createDate -le $olderThan ]];
      then
        fileName=`echo $line|awk {'print $4'}`
        if [ $fileName != "" ]
          then
            printf 'Deleting "%s"\n' $fileName
            s3cmd del "$fileName"
        fi
    fi
  done;

Don’t forget to chmod +x it once you are done.

Final Backup Script

Here is the final backup script which you can copy to your system. Again, don’t forget to chmod +x it.

#!/usr/bin/perl -w
# Hook script for vzdump to backup to an S3 bucket
# 2022 Andrew Palardy
# Based on example hook script from Proxmox

use strict;

# Define the name of your bucket here
my $bucket = "apalrd-proxmox";
# The S3 endpoint comes from the s3cmd --configure setup, it is not set here

# Define the number of days to retain backups in the bucket
# Only accepts days, doesn't check hours/minutes
my $retain = 30;


#Uncomment this to see the hook script with arguments (not required)
#print "HOOK: " . join (' ', @ARGV) . "\n";

#Get the phase from the first argument
my $phase = shift;

#For job-based phases
#Note that job-init was added in PVE 7.2 or 7.3 AFAIK
if (    $phase eq 'job-init'  ||
        $phase eq 'job-start' || 
        $phase eq 'job-end'   || 
        $phase eq 'job-abort') { 

        #Env variables available for job based arguments
        my $dumpdir = $ENV{DUMPDIR};

        my $storeid = $ENV{STOREID};

        #Uncomment this to print the environment variables for debugging
        #print "HOOK-ENV: dumpdir=$dumpdir;storeid=$storeid\n";

        #Call s3cleanup at job end
        if ($phase eq 'job-end') {
                system ("/root/s3cleanup.sh $bucket \"$retain days\"");
        }
#For backup-based phases
} elsif ($phase eq 'backup-start' || 
         $phase eq 'backup-end' ||
         $phase eq 'backup-abort' || 
         $phase eq 'log-end' || 
         $phase eq 'pre-stop' ||
         $phase eq 'pre-restart' ||
         $phase eq 'post-restart') {

        #Data available to backup-based phases
        my $mode = shift; # stop/suspend/snapshot

        my $vmid = shift;

        my $vmtype = $ENV{VMTYPE}; # lxc/qemu

        my $dumpdir = $ENV{DUMPDIR};

        my $storeid = $ENV{STOREID};

        my $hostname = $ENV{HOSTNAME};

        my $tarfile = $ENV{TARGET};

        my $logfile = $ENV{LOGFILE}; 

        #Uncomment this to print environment variables
        #print "HOOK-ENV: vmtype=$vmtype;dumpdir=$dumpdir;storeid=$storeid;hostname=$hostname;tarfile=$tarfile;logfile=$logfile\n";

        # During backup-end, copy the target file to S3 and delete the original on the system
        if ($phase eq 'backup-end') {
                #S3 put
                my $result = system ("s3cmd put $tarfile s3://$bucket/");
                #rm original
                system ("rm $tarfile");
                #Die of error returned
                if($result != 0) {
                        die "upload backup failed";
                }
        }

        # During log-end, copy the log file to S3 and delete the original on the system (same as target file)
        if ($phase eq 'log-end') {
                my $result = system ("s3cmd put $logfile s3://$bucket/");
                system ("rm $logfile");
                if($result != 0) {
                        die "upload logfile failed";
                }
        }
#Otherwise, phase is unknown
} else {

        die "got unknown phase '$phase'";

}

exit (0);

src :

• https://www.apalrd.net/posts/2022/pve_backup/

• https://github.com/andrizan/proxmox-ve-backup-cloud

Sequences in PostgreSQL are special kinds of database objects designed to generate unique numeric identifiers. These identifiers are often used as primary keys in tables. A sequence is essentially a counter that can be incremented or decremented, and it ensures that each value it generates is unique and not reused.

When you create a sequence, you can specify various parameters such as the starting value, increment step, minimum and maximum values, and whether the sequence should cycle when it reaches its limit. You can also control the caching behavior to improve performance.

To use a sequence, you can call the nextval function, which increments the sequence and returns the next value. The currval function returns the current value of the sequence, and the setval function allows you to set the sequence to a specific value.

Sequences are particularly useful in multi-user environments where multiple transactions might need to generate unique identifiers concurrently. By using sequences, PostgreSQL ensures that each transaction gets a unique identifier without conflicts or the need for complex locking mechanisms.

In summary, sequences in PostgreSQL provide a robust and efficient way to generate unique numeric identifiers, making them an essential tool for database design and management.

Query for calibrate Sequences

DO $$
DECLARE
i TEXT;
BEGIN
  FOR i IN (
    SELECT 'SELECT SETVAL('
        || quote_literal(quote_ident(PGT.schemaname) || '.' || quote_ident(S.relname))
        || ', COALESCE(MAX(' ||quote_ident(C.attname)|| '), 1) ) FROM '
        || quote_ident(PGT.schemaname)|| '.'||quote_ident(T.relname)|| ';'
      FROM pg_class AS S,
           pg_depend AS D,
           pg_class AS T,
           pg_attribute AS C,
           pg_tables AS PGT
     WHERE S.relkind = 'S'
       AND S.oid = D.objid
       AND D.refobjid = T.oid
       AND D.refobjid = C.attrelid
       AND D.refobjsubid = C.attnum
       AND T.relname = PGT.tablename
  ) LOOP
      EXECUTE i;
  END LOOP;
END $$;

Check

Select nextval(pg_get_serial_sequence('my_table', 'id')) as new_id;

src :

• https://stackoverflow.com/questions/35734701/postgresql-change-all-sequences-with-for-loop

• https://stackoverflow.com/questions/18232714/postgresql-next-serial-value-in-a-table

primary : This is the most used color in the application

onPrimary : This color is used to color the elements on top of the primary color such as text, icons, etc.

secondary : This defines a secondary color, often used for less prominent elements like filter chips, toggle buttons, or background elements that need to stand out from the primary color but not overpower it.

onSecondary : This color is used to color the elements on top of the secondary color.

error : This is the color used for error messages or alerts, like a flashing red light to indicate a problem.

onError : This is the text color that goes well on the error color, like white text on a red sign for easy reading.

background : The primary background color for your entire application. Think of this as the canvas upon which all other UI elements are placed.

onBackground : This color is used to color the elements on top of the background color.

surface : Used as the base color for elevated UI elements like cards, sheets, dialogs, etc.

onSurface : use to color the elements on top of the surface color.

src : https://medium.com/@nikhithsunil/theme-your-flutter-app-a-guide-to-themedata-and-colorscheme-d8bca920a6b5

https://medium.com/@madampitige90/provider-state-management-in-flutter-3bc555a1eafb

https://www.dhiwise.com/post/achieving-optimal-performance-with-flutter-provider-state-management

https://nureddineraslan.medium.com/understanding-state-management-with-provider-in-flut-e74e0b9e49d9

https://medium.com/bancolombia-tech/flutter-provider-what-is-it-what-is-it-for-and-how-to-use-it-47d6941860d7

https://medium.com/skyshidigital/state-management-dengan-provider-ddcaeef2ce5d

Button

https://stackoverflow.com/questions/49991444/create-a-rounded-button-button-with-border-radius-in-flutter

localization

https://phrase.com/blog/posts/flutter-localization/

Modal Bottom Sheet

showModalBottomSheet(
  context: context,
  isScrollControlled: true,
  builder: (BuildContext context) {
    return Wrap(
      children: [
        Container(
          padding: EdgeInsets.only(
              bottom: MediaQuery.of(context).viewInsets.bottom),
          decoration: BoxDecoration(
            borderRadius: const BorderRadius.only(
              topLeft: Radius.circular(10),
              topRight: Radius.circular(10),
            ),
            color: Theme.of(context).colorScheme.background,
          ),
          child: Container(
            margin: const EdgeInsets.symmetric(
                horizontal: 15, vertical: 10),
            child: Column(
              mainAxisSize: MainAxisSize.min,
              children: <Widget>[
                Center(
                  child: Container(
                    height: 5,
                    width: 36,
                    decoration: BoxDecoration(
                      borderRadius: BorderRadius.circular(8),
                      color: Theme.of(context)
                          .colorScheme
                          .secondary
                          .withOpacity(0.4),
                    ),
                  ),
                ),
                Column(
                  children: [
                    Container(
                      decoration: BoxDecoration(
                        borderRadius: BorderRadius.circular(8.0),
                        border: Border.all(
                          width: 1,
                          color: Theme.of(context)
                              .colorScheme
                              .secondaryContainer,
                        ),
                      ),
                      padding: const EdgeInsets.all(15),
                      margin: const EdgeInsets.symmetric(
                        vertical: 10,
                      ),
                      child: Column(
                        children: [
                          Align(
                            alignment: Alignment.centerLeft,
                            child: Text(
                              "TITLE",
                              style: TextStyle(
                                color: Theme.of(context)
                                    .colorScheme
                                    .onSecondary,
                                fontWeight: FontWeight.w700,
                                fontSize: 14,
                                fontFamily: FontFamily.mukta,
                              ),
                            ),
                          ),
                          Container(
                            margin: const EdgeInsets.symmetric(
                                vertical: 5),
                            alignment: Alignment.centerLeft,
                            child: Text(
                              'DESC',
                              style: TextStyle(
                                color: Theme.of(context)
                                    .colorScheme
                                    .secondary,
                                fontWeight: FontWeight.w400,
                                fontSize: 12,
                                fontFamily: FontFamily.mukta,
                              ),
                            ),
                          ),
                          Container(
                            margin: const EdgeInsets.symmetric(
                                vertical: 5),
                            alignment: Alignment.centerLeft,
                            child: Text(
                              'PRICE',
                              style: TextStyle(
                                color: Theme.of(context)
                                    .colorScheme
                                    .primary,
                                fontWeight: FontWeight.w700,
                                fontSize: 14,
                                fontFamily: FontFamily.mukta,
                              ),
                            ),
                          ),
                        ],
                      ),
                    ),
                  ],
                ),
              ],
            ),
          ),
        ),
      ],
    );
  },
);

Fixes

sudo chmod 600 /etc/netplan/your_config_file.yaml

# run this then
$ sudo apt-get install openvswitch-switch-dpdk

you may need to check installation by run these command again

after the installation complete, no annoying WARNING shows again:

$ sudo netplan try

Run

git config --global credential.helper store

then

git pull

provide a username and password and those details will then be remembered later. The credentials are stored in a file on the disk, with the disk permissions of "just user readable/writable" but still in plaintext.

If you want to change the password later

git pull

Will fail, because the password is incorrect, git then removes the offending user+password from the ~/.git-credentials file, so now re-run

git pull

to provide a new password so it works as earlier.

Origin = https://stackoverflow.com/a/35942890

scp <source> <destination>

To copy a file from B to A while logged into B:

scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:

scp username@b:/path/to/file /path/to/destination

To copy a file from B to A while logged into B. NON STANDARD PORT:

scp -P 2200 /path/to/file username@a:/path/to/destination

download file:

scp riski@192.168.10.8:~/minio .

https://unix.stackexchange.com/questions/106480/how-to-copy-files-from-one-machine-to-another-using-ssh

The procedure to create a tar.gz file on Linux is as follows:

1. Open the terminal application in Linux

2. Run tar command to create an archived named file.tar.gz for given directory name by running: tar -czvf file.tar.gz directory

3. Verify tar.gz file using the ls command and tar command

Let us see all commands and options in details.

Linux create tar.gz file with tar command

Say you want to create tar.gz file named projects.tar.gz for directory called $HOME/projects/:

ls -l $HOME/projects/
Sample outputs from the ls command:

total 8
drwxr-xr-x 2 vivek vivek 4096 Oct 30 22:30 helloworld
drwxr-xr-x 4 vivek vivek 4096 Oct 30 13:16 myhellowebapp

The syntax for the tar command is as follows:

tar -czvf filename.tar.gz /path/to/dir1 tar -czvf filename.tar.gz /path/to/dir1 dir2 file1 file2 # Create a tar.gz file from all pdf (".pdf") files tar -czvf archive.tgz *.pdf

tar -czvf projects.tar.gz $HOME/projects/

Verification

Next verify newly created tar.gz file in Linux using the ls command:

ls -l projects.tar.gz
Example outputs:

-rw-r--r-- 1 vivek vivek 59262 Nov  3 11:08 projects.tar.gz

One can list the contents of a tar or tar.gz file using the tar command:

tar -ztvf projects.tar.gz

How to extract a tar.gz compressed archive on Linux

The syntax is follows to extract tar.gz file on Linux operating system:

tar -xvf file.tar.gz tar -xzvf file.tar.gz tar -xzvf projects.tar.gz

The syntax is follows to extract tar.gz file on Linux operating system:

tar -xzvf projects.tar.gz -C /tmp/
Sample outputs:

home/vivek/projects/myhellowebapp/
home/vivek/projects/myhellowebapp/hellowebapp.working/
home/vivek/projects/myhellowebapp/hellowebapp.working/db.sqlite3
home/vivek/projects/myhellowebapp/hellowebapp.working/manage.py
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/models.py
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/admin.py
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/__init__.py
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/tests.py
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/static/
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/static/css/
home/vivek/projects/myhellowebapp/hellowebapp.working/collection/static/css/style.css
...
..
...
home/vivek/projects/myhellowebapp/hellowebapp/hellowebapp/__pycache__/urls.cpython-36.pyc
home/vivek/projects/myhellowebapp/hellowebapp/hellowebapp/wsgi.py
home/vivek/projects/myhellowebapp/hellowebapp/hellowebapp/settings.py
home/vivek/projects/helloworld/

Understanding tar command options

https://www.cyberciti.biz/faq/how-to-create-tar-gz-file-in-linux-using-command-line/

nano /etc/ssh/sshd_config

change

#AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

#TO

AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

allow root remote

#PermitRootLogin prohibit-password
# TO
PermitRootLogin yes

restart ssh

systemctl restart ssh

The first thing you need to do is to update the package list and to install BIND9.

sudo apt update 
sudo apt install bind9

BIND9 configuration

cd /etc/bind/

The main configuration file is named.conf.options

sudo nano named.conf.options

acl LAN {
        192.168.1.0/24;
};

options {
        dnssec-validation auto;

        listen-on-v6 { any; };

        directory "/var/cache/bind"; // default directory
        max-cache-size 10m;
        allow-query { localhost; LAN;}; // allow queries from localhost and 192.168.1.0-192.168.1.255

        forwarders {
                1.1.1.1;
                1.0.0.1;
        }; // use CloudFlare 1.1.1.1 DNS as a forwarder

        recursion yes;  // allow recursive queries
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
                LAN;
        };
};

Create RPZ (Response Policy Zones)

create rpz database.

cp db.local db.blocked
sudo nano db.blocked

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     blocked.local. root.blocked.local. (
                         2309111627     ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      blocked.local.
@       IN      A       192.168.1.222
xxx.xxx IN    CNAME     @ # blocked domain

register database to zone

sudo nano named.conf.local

zone "blocked" {
    type master;
    file "/etc/bind/db.blocked";
    allow-query {any;};
    allow-update {none;};
};

; === https://github.com/andrizan/partial-output ===
zone "trust-aa" {
    type master;
    file "/etc/bind/db.trust-aa";
    allow-query {any;};
    allow-update {none;};
};

zone "trust-ab" {
    type master;
    file "/etc/bind/db.trust-ab";
    allow-query {any;};
    allow-update {none;};
};

zone "adultaa" {
    type master;
    file "/etc/bind/db.adultaa";
    allow-query {any;};
    allow-update {none;};
};

zone "adultab" {
    type master;
    file "/etc/bind/db.adultab";
    allow-query {any;};
    allow-update {none;};
};

zone "adultac" {
    type master;
    file "/etc/bind/db.adultac";
    allow-query {any;};
    allow-update {none;};
};

zone "adultad" {
    type master;
    file "/etc/bind/db.adultad";
    allow-query {any;};
    allow-update {none;};
};

zone "adultae" {
    type master;
    file "/etc/bind/db.adultae";
    allow-query {any;};
    allow-update {none;};
};
zone "adultaf" {
    type master;
    file "/etc/bind/db.adultaf";
    allow-query {any;};
    allow-update {none;};
};

zone "adultag" {
    type master;
    file "/etc/bind/db.adultag";
    allow-query {any;};
    allow-update {none;};
};

zone "malware" {
    type master;
    file "/etc/bind/db.malware";
    allow-query {any;};
    allow-update {none;};
};

Register the zone to the response policy.

sudo nano named.conf.options

acl LAN {
        192.168.1.0/24;
};

# accept all connection
# acl all {
#        0.0.0.0/0;
# };

options {
        dnssec-validation auto;

        listen-on-v6 { any; };

        directory "/var/cache/bind"; // default directory
        max-cache-size 10m;
        cleaning-interval 480; // clean cache every 8 hours
        allow-query { localhost; LAN;}; // allow queries from localhost and 192.168.1.0-192.168.1.255
        response-policy {
                zone "blocked";
                zone "trust-aa";
                zone "trust-ab";
                zone "adultaa";
                zone "adultab";
                zone "adultac";
                zone "adultad";
                zone "adultae";
                zone "adultaf";
                zone "adultag";
#               zone "malware";
        } recursive-only no max-policy-ttl 60 break-dnssec no qname-wait-recurse no;

# disable 'check-names'
#check-names master ignore;
#check-names slave ignore;
#check-names response ignore;

        forwarders {
                1.1.1.1;
                1.0.0.1;
        }; // use CloudFlare 1.1.1.1 DNS as a forwarder

        recursion yes;  // allow recursive queries
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
                LAN;
        };
};

Docker

https://www.youtube.com/watch?v=syzwLwE3Xq4

Ref

• https://serverspace.io/support/help/configure-bind9-dns-server-on-ubuntu/

• https://github.com/andrizan/partial-output

• https://www.isc.org/bind/

• https://www.isc.org/rpz/

his puts folder A into folder B:

rsync -avu --delete "/home/user/A" "/home/user/B"

If you want the contents of folders A and B to be the same, put /home/user/A/ (with the slash) as the source. This takes not the folder A but all of its content and puts it into folder B. Like this:

rsync -avu --delete "/home/user/A/" "/home/user/B"

• -a Do the sync preserving all filesystem attributes

• -v run verbosely

• -u only copy files with a newer modification time (or size difference if the times are equal)

• --delete delete the files in target folder that do not exist in the source

Manpage: https://download.samba.org/pub/rsync/rsync.html

src = https://unix.stackexchange.com/questions/203846/how-to-sync-two-folders-with-command-line-tools

Using Rsync to Sync with a Remote System

To use rsync to sync with a remote system, you only need SSH access configured between your local and remote machines, as well as rsync installed on both systems. Once you have SSH access verified between the two machines, you can sync the dir1 folder from the previous section to a remote machine by using the following syntax. Please note in this case, that you want to transfer the actual directory, so you’ll omit the trailing slash:

rsync -a ~/dir1 username@remote_host:destination_directory
#OR
rsync -a -e 'ssh -p 2320' ~/dir1 username@remote_host:destination_directory

This process is called a push operation because it “pushes” a directory from the local system to a remote system. The opposite operation is pull, and is used to sync a remote directory to the local system. If the dir1 directory were on the remote system instead of your local system, the syntax would be the following:

rsync -a username@remote_host:/home/username/dir1 place_to_sync_on_local_machine

Like cp and similar tools, the source is always the first argument, and the destination is always the second.

src :

• https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories#using-rsync-to-sync-with-a-remote-system

• https://stackoverflow.com/questions/4549945/is-it-possible-to-specify-a-different-ssh-port-when-using-rsync

Before changing the timezone, you’ll need to find out the long name for the timezone you want to use. The timezones are using “Region/City” format.

To list all available time zones, you can either list the files in the /usr/share/zoneinfo directory or invoke the timedatectl command with the list-timezones option:

timedatectl list-timezones

...
America/Montevideo
America/Nassau
America/New_York
America/Nipigon
America/Nome
America/Noronha
...

Once you identify which time zone is accurate to your location, run the following command as sudo user:

sudo timedatectl set-timezone your_time_zone

For instance, to change the system’s timezone to Asia/Jakarta:

sudo timedatectl set-timezone Asia/Jakarta

Invoke the timedatectl command to verify the changes:

timedatectl

               Local time: Wed 2020-05-06 15:41:42 EDT  
           Universal time: Wed 2020-05-06 19:41:42 UTC  
                 RTC time: Wed 2020-05-06 19:41:48      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

srv : Changing the Timezone Using the timedatectl Command

Before changing the timezone, you’ll need to find out the long name for the timezone you want to use. The timezones are using “Region/City” format.

To list all available time zones, you can either list the files in the /usr/share/zoneinfo directory or invoke the timedatectl command with the list-timezones option:

timedatectl list-timezones

...
America/Montevideo
America/Nassau
America/New_York
America/Nipigon
America/Nome
America/Noronha
...

Once you identify which time zone is accurate to your location, run the following command as sudo user:

sudo timedatectl set-timezone your_time_zone

For instance, to change the system’s timezone to America/New_York:

sudo timedatectl set-timezone America/New_York

Invoke the timedatectl command to verify the changes:

timedatectl

               Local time: Wed 2020-05-06 15:41:42 EDT  
           Universal time: Wed 2020-05-06 19:41:42 UTC  
                 RTC time: Wed 2020-05-06 19:41:48      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

src = https://linuxize.com/post/how-to-set-or-change-timezone-on-ubuntu-20-04/#changing-the-timezone-using-the-timedatectl-command

Setup: Hyper-V; VHDX file as hard disk; Ubuntu-18.04

Steps:

1. Expand the VDHX file via Hyper-V as mentioned in existing solutions and then inside the VM:

2. fdisk -l

   See which partition is the current Ubuntu setup - should be obvious based on size (in my case was sda3)

3. growpart /dev/sda 3

   Note the space as mentioned.

4. pvresize /dev/sda3

   This is the step which isn't mentioned in a lot of places; its the intemediate step that allows the logical volume extension step work.

5. lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv

   The /dev/ part can seen in the fdisk output from step 1.

6. resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

   After the prep above, this step now works. Takes a couple of moments and afterwards can verify with df -h that the partition is expanded.

src = https://superuser.com/questions/1716141/how-to-expand-ubuntu-20-04-lts-filesystem-volume-on-hyper-v

You can install recent stable versions of Redis from the official packages.redis.io APT repository.

Prerequisites

If you're running a very minimal distribution (such as a Docker container) you may need to install lsb-release, curl and gpg first:

sudo apt install lsb-release curl gpg

Add the repository to the apt index, update it, and then install:

curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list

sudo apt-get update
sudo apt-get install redis

Testing Redis

As with any newly-installed software, it’s a good idea to ensure that Redis is functioning as expected before making any further changes to its configuration. We will go over a handful of ways to check that Redis is working correctly in this step.

Start by checking that the Redis service is running:

sudo systemctl status redis-server

Binding to localhost

By default, Redis is only accessible from localhost. However, if you installed and configured Redis by following a different tutorial than this one, you might have updated the configuration file to allow connections from anywhere. This is not as secure as binding to localhost.

To correct this, open the Redis configuration file for editing:

sudo nano /etc/redis/redis.conf

Locate this line and make sure it is uncommented (remove the # if it exists):

bind 127.0.0.1 ::1

Save and close the file when finished (press CTRL + X, Y, then ENTER).

Then, restart the service to ensure that systemd reads your changes:

sudo systemctl restart redis-server

To check that this change has gone into effect, run the following netstat command:

sudo netstat -lnp | grep redis

Output
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      14222/redis-server  
tcp6       0      0 ::1:6379                :::*                    LISTEN      14222/redis-server

Note: The netstat command may not be available on your system by default. If this is the case, you can install it (along with a number of other handy networking tools) with the following command:

sudo apt install net-tools

Configuring a Redis Password

Configuring a Redis password enables one of its two built-in security features — the auth command, which requires clients to authenticate to access the database. The password is configured directly in Redis’s configuration file, /etc/redis/redis.conf, so open that file again with your preferred editor:

sudo nano /etc/redis/redis.conf

Scroll to the SECURITY section and look for a commented directive that reads:

. . .
# requirepass foobared
. . .

Uncomment it by removing the #, and change foobared to a secure password.

Note: Above the requirepass directive in the redis.conf file, there is a commented warning:

. . .
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
. . .

Thus, it’s important that you specify a very strong and very long value as your password. Rather than make up a password yourself, you can use the openssl command to generate a random one, as in the following example. By piping the output of the first command to the second openssl command, as shown here, it will remove any line breaks produced by that the first command:

openssl rand 60 | openssl base64 -A

Your output should look something like:

Output
RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After copying and pasting the output of that command as the new value for requirepass, it should read:

requirepass RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After setting the password, save and close the file, then restart Redis:

sudo systemctl restart redis-server

To test that the password works, open up the Redis client:

redis-cli

The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:

127.0.0.1:6379> set key1 10

That won’t work because you didn’t authenticate, so Redis returns an error:

Output
127.0.0.1:6379> (error) NOAUTH Authentication required.

The next command authenticates with the password specified in the Redis configuration file:

127.0.0.1:6379> auth your_redis_password

Redis acknowledges:

Output
OK

After that, running the previous command again will succeed:

127.0.0.1:6379> set key1 10

Output
OK

get key1 queries Redis for the value of the new key.

127.0.0.1:6379> get key1

Output
"10"

After confirming that you’re able to run commands in the Redis client after authenticating, you can exit redis-cli:

127.0.0.1:6379> quit

src :

• https://redis.io/docs/getting-started/installation/install-redis-on-linux/

• https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-20-04

    function boot()
    {
        app('db')->listen(function ($query) {
            app('log')->info(
                $query->sql,
                $query->bindings,
                $query->time
            );
        });

log location

storage\logs\lumen-{date}.log

https://medium.com/devops-dudes/proxmox-101-8204eb154cd5

https://medium.com/@saderi/create-vm-templates-on-proxmox-with-packer-84723b7e3919

Windows 2012 R2 Essentials: http://download.microsoft.com/download/8/F/7/8F7024D2-AB2A-4BE2-8406-1E3AC49C5C1F/9600.16384.WINBLUE_RTM.130821-1623_X64FRE_SERVER_SOLUTION_EN-US-IRM_SSSO_X64FRE_EN-US_DV5.ISO

Windows 2012 R2: http://download.microsoft.com/download/6/2/A/62A76ABB-9990-4EFC-A4FE-C7D698DAEB96/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_SERVER_EVAL_EN-US-IR3_SSS_X64FREE_EN-US_DV9.ISO

Windows 2016: https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO

Windows 2019 Essentials: https://software-download.microsoft.com/download/pr/17763.737.190906-2324.rs5_release_svc_refresh_SERVERESSENTIALS_OEM_x64FRE_en-us_1.iso

Windows 2019: https://software-download.microsoft.com/download/pr/17763.737.190906-2324.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us_1.iso

Windows 2022: https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso

src = https://gist.github.com/vinhjaxt/a774ac87b0313a34f4c445048d8e13cf

Windows Server 2022 = https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022

Windows Server 2019 = https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019

The following tabs provide examples of installing MinIO onto 64-bit Linux operating systems using RPM, DEB, or binary. The RPM and DEB packages automatically install MinIO to the necessary system paths and create a minio service for systemctl. MinIO strongly recommends using the RPM or DEB installation routes. To update deployments managed using systemctl, see Update systemctl-Managed MinIO Deployments.

AMD64

Use the following commands to download the latest stable MinIO binary and install it to the system $PATH:

wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
sudo mv minio /usr/local/bin/

Create the systemd Service File

The .deb or .rpm packages install the following systemd service file to /etc/systemd/system/minio.service. For binary installations, create this file manually on all MinIO hosts:

[Unit]
Description=MinIO
Documentation=https://min.io/docs/minio/linux/index.html
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local

User=minio-user
Group=minio-user
ProtectProc=invisible

EnvironmentFile=-/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# MinIO RELEASE.2023-05-04T21-44-30Z adds support for Type=notify (https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=)
# This may improve systemctl setups where other services use `After=minio.server`
# Uncomment the line to enable the functionality
# Type=notify

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of threads this process can create
TasksMax=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

The minio.service file runs as the minio-user User and Group by default. You can create the user and group using the groupadd and useradd commands. The following example creates the user, group, and sets permissions to access the folder paths intended for use by MinIO. These commands typically require root (sudo) permissions.

groupadd -r minio-user
useradd -M -r -g minio-user minio-user
chown minio-user:minio-user /mnt/disk1 /mnt/disk2 /mnt/disk3 /mnt/disk4

The specified drive paths are provided as an example. Change them to match the path to those drives intended for use by MinIO.

Alternatively, change the User and Group values to another user and group on the system host with the necessary access and permissions.

MinIO publishes additional startup script examples on github.com/minio/minio-service.

To update deployments managed using systemctl, see Update systemctl-Managed MinIO Deployments.

Create the Environment Variable File

Create an environment variable file at /etc/default/minio. For Windows hosts, specify a Windows-style path similar to C:\minio\config. The MinIO Server container can use this file as the source of all environment variables.

The following example provides a starting environment file:

# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment

MINIO_ROOT_USER=myminioadmin
MINIO_ROOT_PASSWORD=minio-secret-key-change-me

# MINIO_VOLUMES sets the storage volume or path to use for the MinIO server.

MINIO_VOLUMES="/mnt/data"

# MINIO_SERVER_URL sets the hostname of the local machine for use with the MinIO Server
# MinIO assumes your network control plane can correctly resolve this hostname to the local machine

# Uncomment the following line and replace the value with the correct hostname for the local machine and port for the MinIO server (9000 by default).

#MINIO_SERVER_URL="http://s3.domain.com"
#MINIO_CONSOLE_ADDRESS=":9001"
#MINIO_BROWSER_REDIRECT_URL="http://s3.domain.com/minio/ui"

#MINIO_PROMETHEUS_URL=http://192.168.100.16:9090
#MINIO_PROMETHEUS_JOB_ID="minio-job"

Include any other environment variables as required for your local deployment.

Nginx (reverse proxy)

install nginx

server {
   server_name s3.domain.com;
   listen 80;

   # Allow special characters in headers
   ignore_invalid_headers off;
   # Allow any size file to be uploaded.
   # Set to a value such as 1000m; to restrict file size to a specific value
   client_max_body_size 0;
   # Disable buffering
   proxy_buffering off;
   proxy_request_buffering off;

   location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_connect_timeout 300;
      # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      chunked_transfer_encoding off;

      proxy_pass http://127.0.0.1:9000; # This uses the upstream directive definition to load balance
   }

   location /minio/ui/ {
      rewrite ^/minio/ui/(.*) /$1 break;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # This is necessary to pass the correct IP to be hashed
      real_ip_header X-Real-IP;

      proxy_connect_timeout 300;

      # To support websockets in MinIO versions released after January 2023
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress)
      # Uncomment the following line to set the Origin request to an empty string
      # proxy_set_header Origin '';

      chunked_transfer_encoding off;

      proxy_pass http://127.0.0.1:9001/;
   }

}

Start the MinIO Service

Issue the following command on the local host to start the MinIO SNSD deployment as a service:

sudo systemctl start minio.service

Use the following commands to confirm the service is online and functional:

sudo systemctl status minio.service
journalctl -f -u minio.service

MinIO may log an increased number of non-critical warnings while the server processes connect and synchronize. These warnings are typically transient and should resolve as the deployment comes online.

Changed in version RELEASE.2023-02-09T05-16-53Z: MinIO starts if it detects enough drives to meet the write quorum for the deployment.

If any drives remain offline after starting MinIO, check and cure any issues blocking their functionality before starting production workloads.

The journalctl output should resemble the following:

Status:         1 Online, 0 Offline.
API: http://192.168.2.100:9000  http://127.0.0.1:9000
RootUser: myminioadmin
RootPass: minio-secret-key-change-me
Console: http://192.168.2.100:9090 http://127.0.0.1:9090
RootUser: myminioadmin
RootPass: minio-secret-key-change-me

Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html
   $ mc alias set myminio http://10.0.2.100:9000 myminioadmin minio-secret-key-change-me

Documentation: https://min.io/docs/minio/linux/index.html

The API block lists the network interfaces and port on which clients can access the MinIO S3 API. The Console block lists the network interfaces and port on which clients can access the MinIO Web Console.

Connect to the MinIO Service

You can access the MinIO Console by entering any of the hostnames or IP addresses from the MinIO server Console block in your preferred browser, such as http://localhost:9090.

Log in with the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD configured in the environment file specified to the container.

You can use the MinIO Console for general administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration. Each MinIO server includes its own embedded MinIO Console.

If your local host firewall permits external access to the Console port, other hosts on the same network can access the Console using the IP or hostname for your local host.

Cloudflare Tunnel

Disable cache to resolve error 403

dash.cloudflare.com > caching > cache-rules

rule :

• hostname = DOMAIN/sub Domain

• Cache Status = Bypass Cache

Install Prometheus on Ubuntu

Update System Packages

You should first update your system's package list to ensure that you are using the most recent packages. To accomplish this, issue the following command:

sudo apt update

Create a System User for Prometheus

Now create a group and a system user for Prometheus. To create a group and then add a user to the group, run the following command:

sudo groupadd --system prometheus
sudo useradd -s /sbin/nologin --system -g prometheus prometheus

This will create a system user and group named "prometheus" for Prometheus with limited privileges, reducing the risk of unauthorized access.

Create Directories for Prometheus

To store configuration files and libraries for Prometheus, you need to create a few directories. The directories will be located in the /etc and the /var/lib directory respectively. Use the commands below to create the directories:

sudo mkdir /etc/prometheus
sudo mkdir /var/lib/prometheus

Download Prometheus and Extract Files

To download the latest update, go to the Prometheus official downloads site and copy the download link for Linux Operating System. Download using wget and the link you copied like so:

wget https://github.com/prometheus/prometheus/releases/download/v2.43.0/prometheus-2.43.0.linux-amd64.tar.gz

You should see it being downloaded.

After the download has been completed, run the following command to extract the contents of the downloaded file:

tar vxf prometheus*.tar.gz

Navigate to the Prometheus Directory

After extracting the files, navigate to the newly extracted Prometheus directory using the following command:

cd prometheus*/

Changing to the Prometheus directory allows for easier management and configuration of the installation. Subsequent steps will be performed within the context of the Prometheus directory.

Configuring Prometheus on Ubuntu 22.04

Move the Binary Files & Set Owner

First, you need to move some binary files (prometheus and promtool) and change the ownership of the files to the "prometheus" user and group. You can do this with the following commands:

sudo mv prometheus /usr/local/bin
sudo mv promtool /usr/local/bin
sudo chown prometheus:prometheus /usr/local/bin/prometheus
sudo chown prometheus:prometheus /usr/local/bin/promtool

Move the Configuration Files & Set Owner

Create minio-alerting.yml

# minio-alerting.yml 
groups:
- name: minio-alerts
  rules:
  - alert: NodesOffline
    expr: avg_over_time(minio_cluster_nodes_offline_total{job="minio-job"}[5m]) > 0
    for: 10m
    labels:
      severity: warn
    annotations:
      summary: "Node down in MinIO deployment"
      description: "Node(s) in cluster {{ $labels.instance }} offline for more than 5 minutes"

  - alert: DisksOffline
    expr: avg_over_time(minio_cluster_disk_offline_total{job="minio-job"}[5m]) > 0
    for: 10m
    labels:
      severity: warn
    annotations:
      summary: "Disks down in MinIO deployment"
      description: "Disks(s) in cluster {{ $labels.instance }} offline for more than 5 minutes"

Create ALIAS for mc

1. install mc

    curl --progress-bar -L https://dl.min.io/aistor/mc/release/linux-amd64/mc \
    --create-dirs \
    -o $HOME/aistor-binaries/mc
   
    chmod +x ~/aistor-binaries/mc
    echo 'export PATH="$HOME/aistor-binaries:$PATH"' >> ~/.bashrc
    source ~/.bashrc
   
    mc --help
   

   or add export PATH=$PATH:$HOME/minio-binaries/ on ~/.profile

   https://min.io/docs/minio/linux/reference/minio-mc.html

2. Create ALIAS

    mc alias set ALIAS HOSTNAME ACCESS_KEY SECRET_KEY
   

   Example:

    mc alias set s3example https://s3.domain.com user 'password'
   

3. Generate minio job

    mc admin prometheus generate s3-example
   

   https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-prometheus.html

Change prometheus.yml

# my global config
global:
  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
    - static_configs:
        - targets:
          # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  - minio-alerting.yml
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  - job_name: minio-job
    bearer_token: <TOKEN>
    metrics_path: /minio/v2/metrics/cluster
    scheme: http
    static_configs:
      - targets: ['192.168.100.14:9000']

  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: "prometheus"

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      - targets: ["localhost:9090"]

Move Prometeus Files & Set Ownership

Move the configuration files and set their ownership so that Prometheus can access them. To do this, run the following commands:

sudo mv consoles /etc/prometheus
sudo mv console_libraries /etc/prometheus
sudo mv prometheus.yml /etc/prometheus
sudo mv minio-alerting.yml /etc/prometheus

sudo chown prometheus:prometheus /etc/prometheus
sudo chown -R prometheus:prometheus /etc/prometheus/consoles
sudo chown -R prometheus:prometheus /etc/prometheus/console_libraries
sudo chown -R prometheus:prometheus /var/lib/prometheus

The prometheus.yml file is the main Prometheus configuration file. It includes settings for targets to be monitored, data scraping frequency, data processing, and storage. You can set alerting rules and notification conditions in the file. You don't need to modify this file for this demonstration but feel free to open it in an editor to take a closer look at its contents.

sudo nano /etc/prometheus/prometheus.yml

Here's the default content of the Prometheus file:

Create Prometheus Systemd Service

Now, you need to create a system service file for Prometheus. Create and open a prometheus.service file with the Nano text editor using:

sudo nano /etc/systemd/system/prometheus.service

Include these settings to the file, save, and exit:

Configuration (Recomended)

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \
    --config.file /etc/prometheus/prometheus.yml \
    --storage.tsdb.path /var/lib/prometheus/ \
    --web.console.templates=/etc/prometheus/consoles \
    --web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target

Alternative Config

[Unit]
Description=Prometheus #Description
Documentation=https://prometheus.io/docs/introduction/overview/ #reference to documentation
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=prometheus #user
Group=prometheus #group
ExecReload=/bin/kill -HUP \$MAINPID
ExecStart=/usr/local/bin/prometheus \
--config.file=/etc/prometheus/prometheus.yml \ #main config
--storage.tsdb.path=/var/lib/prometheus \ #database
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries \
--web.listen-address=0.0.0.0:9090 \
--web.external-url=
SyslogIdentifier=prometheus #name of log file
Restart=always #enable restart
[Install]
WantedBy=multi-user.target

The "systems" service file for Prometheus defines how Prometheus should be managed as a system service on Ubuntu. It includes the service configuration, such as the user and group it should run as. It also includes the path to the Prometheus binary and the Prometheus configuration file location. Additionally, the file can be used to set storage locations for metrics data and pass additional command-line options to the Prometheus binary when it starts.

Reload Systemd

You need to reload the system configuration files after saving the prometheus.service file so that changes made are recognized by the system. Reload the system configuration files using the following:

sudo systemctl daemon-reload

Start Prometheus Service

Next, you want to enable and start your Prometheus service. Do this using the following commands:

sudo systemctl enable prometheus
sudo systemctl start prometheus

Check Prometheus Status

After starting the Prometheus service, you may confirm that it is running or if you have encountered errors using:

sudo systemctl status prometheus

Sample output:

Access Prometheus Web Interface

Prometheus runs on port 9090 by default so you need to allow port 9090 on your firewall, Do that using the command:

sudo ufw allow 9090/tcp

With Prometheus running successfully, you can access it via your web browser using localhost:9090 or <ip_address>:9090

src

• https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-single-node-single-drive.html#minio-snsd

• https://www.cherryservers.com/blog/install-prometheus-ubuntu

To follow this tutorial, we need three VM for PostgreSQL and one VM for HAproxy and etcd. Below is four VMs that we will deploy in Cloud Raya.

We will use haetcd as jumpbox server since the VM has Public IP Address that we can access from the outside network. In /etc/host, insert the hostname of the servers to make us easy to access the server without remembering the IP Address.

hosts

Install PostgreSQL 14

In this step, we will use PostgreSQL14 for pgsql1, pgsql2, and pgsql3. Please the command below on each server.

sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
sudo apt update
sudo apt -y install postgresql-14 postgresql-server-dev-14

After the postgresql installation is completed, we need to stop and disable PostgreSQL service. Then we will continue to install patroni.

systemctl stop postgresql && systemctl disable postgresql

Install Patroni

Patroni uses the utilities of PostgreSQL that we have installed previously which is located at /usr/lib/postgresql/versin/bin directory.

In this step, we create a symbolic link to PostgreSQL utilities on psql1, psql2, and psql3

ln -s /usr/lib/postgresql/14/bin/* /usr/sbin/

Next, we will install patroni on each server

apt -y install python3 python3-pip
pip install --upgrade setuptools
pip install psycopg2
pip install patroni
pip install python-etcd

Configure Patroni on Pgsql1, Pgsql2, and Pgsql3

Patroni uses yaml files to store the configuration. We will place the yaml file on /etc directory.

sudo nano /etc/patroni.yml

pgsql1

scope: postgres
namespace: /db/
name: pgsql1

restapi:
    listen: 10.3.3.12:8008
    connect_address: 10.3.3.12:8008

etcd:
    host:  10.3.3.166:2379

bootstrap:
    dcs:
        ttl: 30
        loop_wait: 10
        retry_timeout: 10
        maximum_lag_on_failover: 1048576
        postgresql:
            use_pg_rewind: true

    initdb:
    - encoding: UTF8
    - data-checksums

    pg_hba:
    - host replication replicator 127.0.0.1/32 md5
    - host replication replicator 10.3.3.12/0 md5
    - host replication replicator 10.3.3.71/0 md5
    - host replication replicator 10.3.3.70/0 md5
    - host all all 0.0.0.0/0 md5

    users:
        admin:
            password: admin
            options:
                - createrole
                - createdb

postgresql:
    listen: 10.3.3.12:5432
    connect_address: 10.3.3.12:5432
    data_dir: /data/patroni
    pgpass: /tmp/pgpass
    authentication:
        replication:
            username: replicator
            password: replogin321
        superuser:
            username: postgres
            password: secretlogin321
    parameters:
        unix_socket_directories: '.'

tags:
    nofailover: false
    noloadbalance: false
    clonefrom: false
    nosync: false

pgsql2

scope: postgres
namespace: /db/
name: pgsql2

restapi:
    listen: 10.3.3.71:8008
    connect_address: 10.3.3.71:8008

etcd:
    host:  10.3.3.166:2379

bootstrap:
    dcs:
        ttl: 30
        loop_wait: 10
        retry_timeout: 10
        maximum_lag_on_failover: 1048576
        postgresql:
            use_pg_rewind: true

    initdb:
    - encoding: UTF8
    - data-checksums

    pg_hba:
    - host replication replicator 127.0.0.1/32 md5
    - host replication replicator 10.3.3.12/0 md5
    - host replication replicator 10.3.3.71/0 md5
    - host replication replicator 10.3.3.70/0 md5
    - host all all 0.0.0.0/0 md5

    users:
        admin:
            password: admin
            options:
                - createrole
                - createdb

postgresql:
    listen: 10.3.3.71:5432
    connect_address: 10.3.3.71:5432
    data_dir: /data/patroni
    pgpass: /tmp/pgpass
    authentication:
        replication:
            username: replicator
            password: replogin321
        superuser:
            username: postgres
            password: secretlogin321
    parameters:
        unix_socket_directories: '.'

tags:
    nofailover: false
    noloadbalance: false
    clonefrom: false
    nosync: false

pgsql3

scope: postgres
namespace: /db/
name: pgsql3

restapi:
    listen: 10.3.3.70:8008
    connect_address: 10.3.3.70:8008

etcd:
    host:  10.3.3.166:2379

bootstrap:
    dcs:
        ttl: 30
        loop_wait: 10
        retry_timeout: 10
        maximum_lag_on_failover: 1048576
        postgresql:
            use_pg_rewind: true

    initdb:
    - encoding: UTF8
    - data-checksums

    pg_hba:
    - host replication replicator 127.0.0.1/32 md5
    - host replication replicator 10.3.3.12/0 md5
    - host replication replicator 10.3.3.71/0 md5
    - host replication replicator 10.3.3.70/0 md5
    - host all all 0.0.0.0/0 md5

    users:
        admin:
            password: admin
            options:
                - createrole
                - createdb

postgresql:
    listen: 10.3.3.70:5432
    connect_address: 10.3.3.70:5432
    data_dir: /data/patroni
    pgpass: /tmp/pgpass
    authentication:
        replication:
            username: replicator
            password: replogin321
        superuser:
            username: postgres
            password: secretlogin321
    parameters:
        unix_socket_directories: '.'

tags:
    nofailover: false
    noloadbalance: false
    clonefrom: false
    nosync: false

According to the yml file, the data of PostgreSQL will be stored at /data/patroni. Make sure the ownership of that directory is postgres.

mkdir -p /data/patroni
chown postgres:postgres /data/patroni
chmod 700 /data/patroni

Create a Service

Next, we will create patroni service that allow us to start and stop the service on each server.

sudo nano /etc/systemd/system/patroni.service

Add the following parameter in the patroni.service

[Unit]
Description=High availability PostgreSQL Cluster
After=syslog.target network.target
[Service]
Type=simple
User=postgres
Group=postgres
ExecStart=/usr/local/bin/patroni /etc/patroni.yml
KillMode=process
TimeoutSec=30
Restart=no

[Install]
WantedBy=multi-user.target

Create and Enable Patroni Service

After the patroni service has been created then we enable it to make it autostart.

sudo systemctl daemon-reload
sudo systemctl enable patroni

Install Etcd and Haproxy on Haetcd VM

etcd is a fault-tolerant, a distributed key value store that can be used to store the state of PostgreSQL cluster. With etcd, it will keep the PostgreSQL cluster up and running.

Run the command below to install etcd

sudo apt -y install etcd

Next step, we will configure the etcd file. Add the below parameter in the etcd file:

sudo nano /etc/default/etcd

ETCD_LISTEN_PEER_URLS="http://10.3.3.166:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379,http://10.3.3.166:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.3.3.166:2380"
ETCD_INITIAL_CLUSTER="default=http://10.3.3.166:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://10.3.3.166:2379"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

Restart the etcd service to make a change effect

sudo systemctl restart etcd

Start Patroni on Each Pgsql Server

Before we start the patroni service, we need to activate the watchdog support to prevent split-brain on the PostgreSQL

https://patroni.readthedocs.io/en/latest/watchdog.html

modprobe softdog
chown postgres /dev/watchdog

After the watchdog is activated, now we can start the patroni service again on each server.

systemctl start patroni
systemctl status patroni

pgsql1 as master. We can see, the pgsql1 will act as the PostgreSQL master

pgsql2 and pgsql3 as slave

Install Haproxy

Our last step install HAproxy service to give us an endpoint to which the application can connect to the database.

sudo add-apt-repository ppa:vbernat/haproxy-2.8
sudo apt -y install haproxy

Edit the haproxy file configuration as follow

nano /etc/haproxy/haproxy.cfg

global
    maxconn 100

defaults
    log global
    mode tcp
    retries 2
    timeout client 30m
    timeout connect 4s
    timeout server 30m
    timeout check 5s

listen stats
    mode http
    bind *:7000
    stats enable
    stats uri /

listen postgres
    bind *:5000
    option httpchk
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server pgsql1 10.3.3.12:5432 maxconn 100 check port 8008
    server pgsql2 10.3.3.71:5432 maxconn 100 check port 8008
    server pgsql3 10.3.3.70:5432 maxconn 100 check port 8008

Check our haproxy configuration using the following command:

sudo /usr/sbin/haproxy -c -V -f /etc/haproxy/haproxy.cfg

If the configuration is valid, we can restart our haproxy service

sudo systemctl restart haproxy

In the final step, we can monitor the PostgreSQL cluster using the browser as shown in the screenshot below:

http://199.180.130.99:7000/

As we can see, psql1 is the leader of the PostgreSQL cluster with the green line row. Now we will kill patroni service on psql1, to see which VM will be acting as the leader.

systemctl stop patroni

After we stop service patroni service in psql1, the psql2 will be elected as the leader node.

Test PostgresSQL Cluster

If we want to make a connection to PostgreSQL, we use the IP Address of HAProxy and port 5000.

su - postgres
psql -U postgres -h 199.180.130.99 -p 5000

You now have a high availability PostgreSQL Cluster in Cloud Raya that is ready to use.

src

repo: https://github.com/andrizan/postgre-cluster

https://cloudraya.com/knowledge-base/set-up-high-availability-postgresql-cluster-using-patroni-on-cloud-raya/

1. Add the PostgreSQL repository to your server's APT sources.

     $ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
   

2. Import the PostgreSQL repository key to your server using the wget utility.

    $ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo tee /etc/apt/trusted.gpg.d/postgresql.asc > /dev/null
   

3. Update the server packages to synchronize the new PostgreSQL repository.

    $ sudo apt update
   

4. Install PostgreSQL on your server.

    $ sudo apt install postgresql-15
   

5. Start the PostgreSQL database server.

    $ sudo systemctl restart postgresql
   

6. View the PostgreSQL service status and verify that it's active.

    $ sudo systemctl status postgresql
   

   Output:

     ● postgresql.service - PostgreSQL RDBMS
          Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)
          Active: active (exited) since Sun 2024-04-21 16:08:10 UTC; 13s ago
         Process: 6756 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
        Main PID: 6756 (code=exited, status=0/SUCCESS)
             CPU: 1ms
   

Install PHP-FPM

ALL IN ONE CODE

sudo apt update && sudo apt upgrade -y
sudo add-apt-repository ppa:ondrej/php #private repo
sudo apt update
sudo apt-get install -y php8.2-fpm php8.2-cli php8.2-common php8.2-zip php8.2-gd php8.2-mbstring php8.2-curl php8.2-xml php8.2-bcmath php8.2-pgsql

1. Run system updates

The first thing to do in a new system is to update our repositories in order to make them up to date. Run upgrade command also.

sudo apt update && sudo apt upgrade -y

2. Add Ondrej sury PPA repository

To run PHP 8.2 on Ubuntu 22.04, we need to add Ondrej sury PPA into our system. This is the maintainer of the PHP repository at the moment. This PPA is not currently checked so installing from it will not be guaranteed 100% results.

To add this PPA use the following command on our terminal.

sudo add-apt-repository ppa:ondrej/php

After installation is complete we need to update the repositories again for the changes to take effect.

sudo apt update

3. Install PHP 8.2 on Ubuntu Server

We should now be able to install PHP 8.2 on Ubuntu 22.04 Linux machine. The commands to run are as shared below:

sudo apt install php8.2-fpm -y

Check for the currently active version of PHP with the following command:

php --version

4. Install PHP 8.2 Extensions

Besides PHP itself, you will likely want to install some additional PHP modules. You can use this command to install additional modules, replacing PACKAGE_NAME with the package you wish to install:

sudo apt-get install php8.2-PACKAGE_NAME

You can also install more than one package at a time. Here are a few suggestions of the most common modules you will most likely want to install:

sudo apt-get install -y php8.2-cli php8.2-common php8.2-zip php8.2-gd php8.2-mbstring php8.2-curl php8.2-xml php8.2-bcmath php8.2-pgsql

This command will install the following modules:

• php8.2-cli – command interpreter, useful for testing PHP scripts from a shell or performing general shell scripting tasks

• php8.2-common – documentation, examples, and common modules for PHP

• php8.2-zip – for working with compressed files

• php8.2-gd – for working with images

• php8.2-mbstring – used to manage non-ASCII strings

• php8.2-curl – lets you make HTTP requests in PHP

• php8.2-xml – for working with XML data

• php8.2-bcmath – used when working with precision floats

• php8.2-pgsql – for working with PostgreSQL databases

Install Composer Ubuntu Server

sudo apt-get install curl php8.2-cli php8.2-mbstring git unzip
curl –sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
composer -V

Install Latest Nginx Ubuntu Server

Ubuntu 22.04

Install the prerequisites:

sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring

Import an official nginx signing key so apt could verify the packages authenticity. Fetch the key:

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Verify that the downloaded file contains the proper key:

gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:

pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

If the fingerprint is different, remove the file.

To set up the apt repository for stable nginx packages, run the following command:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

If you would like to use mainline nginx packages, run the following command instead:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

Set up repository pinning to prefer our packages over distribution-provided ones:

echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

To install nginx, run the following commands:

sudo apt update
sudo apt install nginx

Debian/Ubuntu 20.04 packages

The available NGINX Ubuntu release support is listed at this distribution page. For a mapping of Ubuntu versions to release names, please visit the Official Ubuntu Releases page.

Append the appropriate stanza to /etc/apt/sources.list. If there is concern about persistence of repository additions (i.e. DigitalOcean Droplets), the appropriate stanza may instead be added to a different list file under /etc/apt/sources.list.d/, such as /etc/apt/sources.list.d/nginx.list.

## Replace $release with your corresponding Ubuntu release.
deb https://nginx.org/packages/ubuntu/ $release nginx
deb-src https://nginx.org/packages/ubuntu/ $release nginx

e.g. Ubuntu 20.04 (Focal Fossa):

deb https://nginx.org/packages/ubuntu/ focal nginx
deb-src https://nginx.org/packages/ubuntu/ focal nginx

To install the packages, execute in your shell:

sudo apt update
sudo apt install nginx

If a W: GPG error:https://nginx.org/packages/ubuntufocal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $key is encountered during the NGINX repository update, execute the following:

## Replace $key with the corresponding $key from your GPG error.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $key
sudo apt update
sudo apt install nginx

You have now nginx installed on your server but not ready to serve web pages. you have to start the nginx. You can do this by using this command:

sudo systemctl start nginx

Server Config Laravel & Lumen

Path

/etc/nginx/conf.d/{name-app}.conf

Laravel

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    root /var/www/example.com/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    index index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    server_tokens off; # for production

    access_log  /var/log/nginx/app_access.log;
    error_log  /var/log/nginx/app_error.log crit;
}

Lumen

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www/lumen/public;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    server_tokens off; # for production

    access_log  /var/log/nginx/app_access.log;
    error_log  /var/log/nginx/app_error.log crit;
}

Set Permission

cd /var/www/
sudo chown -R www-data:www-data <DIR>
sudo chmod -R g+w <DIR>

set user nginx

sudo nano /etc/nginx/nginx.conf

Before

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
...

After

user  www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
...

restart nginx and php-fpm

sudo systemctl restart nginx
sudo systemctl restart php8.2-fpm

Install Certbot (Let’s Encrypt Client)

1. Install Certbot using the following command.

sudo apt install certbot python3-certbot-nginx

2. Run Certbot to obtain and install the SSL certificate for your domain. Replace your_domain with your actual domain name.

sudo certbot --nginx -d your_domain

3. Verify Certificate Renewal (Optional)

sudo certbot renew --dry-run

src:

• https://www.nginx.com/resources/wiki/start/topics/tutorials/install/

• https://josuamarcelc.com/install-php-8-2-on-ubuntu-with-nginx/

• https://docs.vultr.com/how-to-install-postgresql-database-server-on-ubuntu-22-04

• https://www.kamatera.com/knowledgebase/how-to-secure-nginx-with-lets-encrypt/