Benchmarked by geekbench_x86_64

=== legacy ===

On my Mac:

Intel Core i7-5557U @ 3.10 GHz, 1 processor, 2 cores, 4 threads

Single-Core Score = 3973
Multi-Core Score = 7661

https://browser.geekbench.com/v4/cpu/2431825

On Linode server

Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz @ 2.50 GHz, 1 Processor

Single-Core Score = 2234
Multi-Core Score = 2099

https://browser.geekbench.com/v4/cpu/2436485

On OVH vm 2.5$/month

Intel Core (Broadwell, IBRS)

Single-Core Score = 4043
Multi-Core Score = 3781

Single-Core Score = 3769 
Multi-Core Score = 3492

https://browser.geekbench.com/v4/cpu/8802946
https://browser.geekbench.com/v4/cpu/11047826

On Scaleway vm 2.27$/month

Intel Atom C3955

Single-Core Score = 1702
Multi-Core Score = 1594

https://browser.geekbench.com/v4/cpu/11047834

On GCP vm f1-micro 6.$/month (but free tier)

Intel(R) Xeon(R) CPU @ 2.00GHz

Single-Core Score = 3039
Multi-Core Score = 2597

https://browser.geekbench.com/v4/cpu/11463325

... To be continue

Question:

• Why are 64-bit distros often called 'amd64'?
• Why do they call the 64 version amd64 since they say that it works for Intel also?

Answer:

• Because AMD was the first one to release 64-bit x86 (x86-64) CPUs
• AMD intially implemented x86-64, before Intel

More fun:

• The first AMD64-based processor, the Opteron, was released in April 2003.

https://wiki.skullsecurity.org/Passwords
https://www.shodan.io/

Problem?

Cannot install livepatch trên ubuntu 16.04, server thuê ở linode
Error log:

$ sudo snap install canonical-livepatch
error: cannot perform the following tasks:
- Setup snap "core" (1577) security profiles (cannot setup apparmor for snap "core": cannot load apparmor profile "snap.core.hook.configure": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
- Setup snap "core" (1577) security profiles (cannot load apparmor profile "snap.core.hook.configure": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)

Investigate

Check thấy kernel ở /boot/ và từ uname -a khác nhau. WHY?
Linode nếu để chế độ default thì họ sẽ dùng một bản linux kernel được tuỳ biến riêng

• 4.9.15-x86_64-linode81
• 4.6.5-x86_64-linode71
• ....

Một phát hiện thú vị.

Tại sao họ lại custom?

Không rõ. Nhưng mình có thể vô linode manager dashboard -> profile -> chọn được kernel version mình muốn dùng -> reboot là apply được ngay?
Đây có thể là lý do cho họ custom kernel

Vậy kernel này được store ở đâu?

#Fetch kernel version
$ uname -a
Linux snode 4.9.15-x86_64-linode81 #1 SMP Fri Mar 17 09:47:36 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

#Find it
$ sudo find / -name "4.9.15-x86_64-linode81"
/lib/modules/4.9.15-x86_64-linode81

#List all Linode's kernel
lib/modules$ ls -lh
total 24K
drwxr-xr-x 5 root root 4.0K Sep  9  2016 4.4.0-36-generic
drwxr-xr-x 2 root root 4.0K Sep  9  2016 4.6.5-x86_64-linode71
drwxr-xr-x 2 root root 4.0K Sep 15  2016 4.7.0-x86_64-linode72
drwxr-xr-x 2 root root 4.0K Apr 13 14:40 4.9.15-x86_64-linode81
drwxr-xr-x 2 root root 4.0K Apr  1 12:35 4.9.7-x86_64-linode80
drwxr-xr-x 2 root root 4.0K Sep  9  2016 grub-2.00-17-linode.img

Application Load Balancer

http://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html

Benefits - Compare with Classic Load Balancer

• Support for path-based routing.

  • configure rules for your listener that forward requests based on the URL in the request.
  • structure your application as smaller services
  • route requests to the correct service based on the content of the URL.

• Support for routing requests to multiple services on a single EC2 instance by registering the instance using multiple ports.

• Support for containerized applications.

  • Amazon ECS can select an unused port when scheduling a task and register the task with a target group using this port.
  • make efficient use of your clusters.

• Support for monitoring the health of each service independently

  • health checks are defined at the target group level
  • CloudWatch metrics are reported at the target group level
  • Attaching a target group to an Auto Scaling group enables you to scale each service dynamically based on demand.

• Access logs contain additional information and are stored in compressed format.

• Improved load balancer performance.

Listeners for Elastic Load Balancer AWS

ELB only supports the following protocols:

• HTTP
• HTTPS (secure HTTP)
• TCP
• SSL (secure TCP)

So, we cannot make a ping to ELB, because it's an ICMP protocol, that's no supported from ELB

ELB's terms:

• front-end: client to load balancer
• back-end: load balancer to back-end instance

Read more at Listeners for Your Classic Load Balancer

X-Frame-Options

# config to don't allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM URI
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

add_header X-Frame-Options SAMEORIGIN;

X-Content-Type-Options

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020

add_header X-Content-Type-Options nosniff;

X-XSS-Protection

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers

add_header X-XSS-Protection "1; mode=block";

Reference:

1. https://gist.github.com/plentz/6737338
2. https://www.upguard.com/articles/10-tips-for-securing-your-nginx-deployment

Free command

• Nào giờ cứ assume là cái free memory ở khung đỏ là RAM đang còn trống có 152/3951mb, tức đang low memory
• nhưng thực chất con instance này RAM 4GB, nó đang free tận 3.4GB 😑 RAM dư quá dư để chạy

Reference: https://corlewsolutions.com/articles/article-6-understanding-the-free-command-in-ubuntu-and-linux

Problem & Question

The Amazon DNS servers return one or more IP addresses to the client, which are the IP addresses of the load balancer nodes for your load balancer

Usecase

• ELB A resolve into one IP
• ELB B resolve into 2 IPs

Why need more than one IP?

Research & Answer

Source: http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html
Request routing

Before a client sends a request to your load balancer, it resolves the load balancer's domain name using a Domain Name System (DNS) server. The DNS entry is controlled by Amazon, because your instances are in the amazonaws.com domain. The Amazon DNS servers return one or more IP addresses to the client, which are the IP addresses of the load balancer nodes for your load balancer. As traffic to your application changes over time, Elastic Load Balancing scales your load balancer and updates the DNS entry. Note that the DNS entry also specifies the time-to-live (TTL) as 60 seconds, which ensures that the IP addresses can be remapped quickly in response to changing traffic.

The client determines which IP address to use to send requests to the load balancer. The load balancer node that receives the request selects a healthy registered instance and sends the request to the instance using its private IP address.

Key: nó có 1 đống IPs bên dưới

• ít client vào ELB, thì nó resolve ra 1 IP
• nhiều client, nhiều request vào, thì nó mò trong kho của nó, cấp thêm cho mình 1 IP nữa (là 2 IP)
• càng nhiều thì có thể cấp lên cho mình nhiều IP thêm

Testing with a single client machine will result in using only one of these IP addresses. When a larger set of independent clients resolve the DNS entry and get different IP addresses to use, they will effectively spread the load amongst the full set.

https://forums.aws.amazon.com/thread.jspa?threadID=32280

Must learn:

...

Reference:

1. http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/gc01/index.html
2. http://www.cubrid.org/blog/dev-platform/understanding-java-garbage-collection/
3. https://www.dynatrace.com/resources/ebooks/javabook/how-garbage-collection-works/
4. http://www.javaworld.com/article/2078623/core-java/jvm-performance-optimization-part-1-a-jvm-technology-primer.html
5. http://www.javaworld.com/article/2078645/java-se/jvm-performance-optimization-part-3-garbage-collection.html
   ...

What is FLUSH TABLES WITH READ LOCK in MySQL?

Command:

mysql> FLUSH TABLES WITH READ LOCK;

What exactly does command do?

1. Set the global read lock - after this step, insert/update/delete/replace/alter statements cannot run
2. Close open tables - this step will block until all statements started previously have stopped
3. Set a flag to block commits

It means:

• Closes all open tables
• Locks all tables for all databases with a global read lock
• MySQL is in READ only mode, cannot WRITE anything, except one case (see below)
• insert/update/delete/replace/alter statements cannot run

Important:

• The session that holds the lock can read the table (but not write it)
• It prevents other sessions from modifying tables during periods
• If you don't keep this session open to keep Locking
  • Other sessions can write into tables
  • If you run FLUSH TABLES WITH READ LOCK for preparing mysqldump, you must keep this session, and run mysqldump in another session.
  • Because If you don't keep, the binlog and the position of binlog may be changed during this session

Note:

• FLUSH TABLES WITH READ LOCK does not prevent the server from inserting rows into the log tables

How to unlock and keep MySQL back to normal?

• Use UNLOCK TABLES to release the lock

Issue & investigating:

• https://stackoverflow.com/questions/44257960/unknown-process-of-jenkins-kxjdhendlvie/44260273#44260273
• http://jenkins-ci.361315.n4.nabble.com/cryptonight-exploit-td4898258.html
• https://groups.google.com/forum/#!topic/jenkinsci-advisories/sN9S0x78kMU
• https://slushpool.com/help/manual/stratum-protocol

Hotfix and prevent?

• Upgrade Jenkins to version Jenkins-Ci Jenkins LTS 2.46.2 or newer
• Disable the deprecated “remoting mode” of the CLI
• Install Host based IDS for tracking all running processes

Write up about this vulnerability

• https://blogs.securiteam.com/index.php/archives/3171

❓ What is slow query log?

• Slow queries can affect database and server performance.
• The slow query log consists of SQL statements that took more than long_query_time seconds to execute.
• This greatly simplifies the task of finding inefficient or time-consuming queries.
• By default, the slow query log is disabled

🔥 How to enable?

1. Login to MySQL, database abc_prod

   shell> mysql -u root -p abc_prod

2. Enable slow query log

   mysql> SET GLOBAL slow_query_log = 'ON';

3. Check path to log file

   mysql> SHOW VARIABLES LIKE 'slow_query_log_file';
   +---------------------+-----------------------------+
   | Variable_name       | Value                       |
   +---------------------+-----------------------------+
   | slow_query_log_file | /var/lib/mysql/db3-slow.log |
   +---------------------+-----------------------------+
   1 row in set (0.00 sec)

4. Change long query time to 5 seconds - default is 10 seconds

   mysql> SET GLOBAL long_query_time = 5;

5. Logout MySQL session then login again

6. Take a small test to ensure slow query log is enable

   mysql> SELECT SLEEP(10);

7. Check sleep on slow query log

   root@db3:/home/ubuntu:~$ cat /var/lib/mysql/db3-slow.log
   

   /usr/sbin/mysqld, Version: 5.6.35-log (MySQL Community Server (GPL)). started with:
   Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
   Time                 Id Command    Argument
   # Time: 170321  7:15:52
   # User@Host: root[root] @ localhost []  Id:  1160
   # Query_time: 7.000249  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 0
   SET timestamp=1490080552;
   SELECT SLEEP(7);
   # Time: 170321  7:17:31
   # User@Host: root[root] @ localhost []  Id:  1161
   # Query_time: 10.000215  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 0
   use abc_prod;
   SET timestamp=1490080651;
   SELECT SLEEP(10);

Most important:

Using mysqldumpslow tool for summarize slow query log files

root@db3:/home/ubuntu:~$ mysqldumpslow /var/lib/mysql/db3-slow.log

Reading mysql slow query log from /var/lib/mysql/db3-slow.log
Count: 2  Time=8.50s (17s)  Lock=0.00s (0s)  Rows=1.0 (2), root[root]@localhost
  SELECT SLEEP(N)

How to turn it off?

mysql> SET GLOBAL slow_query_log = 'OFF';

Problem:

• I opened UDP port 1514 on my linux instance B (172.30.31.32)
• But not sure it works

Solution:

From instance A, send a simple packet to B with IP & port

❯❯ echo "Packet data right here" > /dev/udp/172.30.31.32/1514

On instance B, using tcpdump for looking traffic incoming

❯❯ tcpdump -nei eth0 udp port 1514

Problem:

• Log file is too big in some cases, opening with vim will cause high ram usage
• Want to analyze real-time logs, it means you need to read something new in the end of it, and real-time. Right?
• No need to read the beginning of this.

Solution:

• In general, we use tailf or tail -f command

tailf [option] <file>
Follow the growth of a log file.
Options:
 -n, --lines <number>   output the last <number> lines
 -<number>              same as '-n <number>'

 -h, --help     display this help and exit
 -V, --version  output version information and exit
For more details see tailf(1).
Warning: use of 'tailf' is deprecated, use 'tail -f' instead.

• But we should use both watch and tail command for better display and we can handle interval, seconds to wait between updates

For example:

$ watch -n 1 tail test.log
-----
Every 1.0s: tail test.log

</script>

  </body>

</html>
hello-test color
color again

More fun:

Check RAM usage with watch and head command

$ devops@snode:/proc$ watch -n 1 head meminfo
Every 1.0s: head meminfo

MemTotal:        1012720 kB
MemFree:          415876 kB
MemAvailable:     847124 kB
Buffers:           29064 kB
Cached:           445560 kB
SwapCached:            0 kB
Active:           237192 kB
Inactive:         259380 kB
Active(anon):      26888 kB
Inactive(anon):    47504 kB

What's Launch More Like This ?

The Amazon EC2 console provides a Launch More Like This wizard option that enables you to use a current instance as a template for launching other instances. This option automatically populates the Amazon EC2 launch wizard with certain configuration details from the selected instance.

Most important thing

• The Launch More Like This wizard option does not clone your selected instance; it only replicates some configuration details.
• To create a copy of your instance, first create an AMI from it, then launch more instances from the AMI.

How ?

Check http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launch-more-like-this.html

Need root permission

# clean buffer and cached
root@appv2-1:~# free -m && sync && echo 3 > /proc/sys/vm/drop_caches && free -m

# step by step
root@appv2-1:~# free -m
             total       used       free     shared    buffers     cached
Mem:          3951       3260        691          0         46        121
-/+ buffers/cache:       3092        859
Swap:         4095          0       4095
root@appv2-1:~# sync
root@appv2-1:~# echo 3 > /proc/sys/vm/drop_caches
root@appv2-1:~# free -m
             total       used       free     shared    buffers     cached
Mem:          3951       3065        886          0          2         22
-/+ buffers/cache:       3040        911
Swap:         4095          0       4095

Before: buffers = 46 mb, cached = 121 mb
After: buffers = 2 mb, cached = 22 mb

When you found this error of mysqldump

Error: mysqldump: Got errno 32 on write

It means: No space left on this storage

How to fix?

• Check disk space of this storage: df -h
• Disk usage of files in tracking folder, sorted sudo du -hs * | sort -h
• Remove useless files sudo rm abc.xyz

Note

• Errno stands for Error Number
• https://www.allacronyms.com/ERRNO/Error_number

Error

❯❯ brew install awscli
Warning: awscli-1.11.65 already installed, it's just not linked.

How to fix?

❯❯ brew link awscli
Linking /usr/local/Cellar/awscli/1.11.65... 8 symlinks created
❯❯ aws --version
aws-cli/1.11.65 Python/2.7.10 Darwin/16.4.0 botocore/1.5.28

Reference:

• First run brew link <package>
• If it gives an error, try for an automated diagnosis brew doctor. Brew doctor gives a list of problems that could be leading to errors in installation process.
• To fix problems in case of conflicting files, run to get a list of all actions which will be performed by overwrite without actually performing them.
• To list all files that would be deleted: brew link --overwrite --dry-run <package> followed by this run which will execute the overwrite, assuming you feel that the actions performed by overwrite will take your system to a more stable state.
• To force the link and overwrite all conflicting files: brew link --overwrite <package>

From: http://stackoverflow.com/a/34270372/5402121

Một kiểu nhìn về dữ liệu

Tôi là a.

Lũ bạn tôi, đứa thì tên 1, đứa tên 10, đứa tên 3.5407059681495977512423785953907e+48, lại có đứa tên Nguyễn Văn Tèo, đứa thì mang tên t\u00ed, thậm chí có đứa mang tên là 74 E8 6F.

Cùng nhau, chúng tôi rong ruổi qua những chặng đường mà người tạo ra chúng tôi muốn như thế.

Chúng tôi, một đám dữ liệu vô tri giác, đi và về những khi bị gọi tên, hoà lẫn vào những lối đi, cưỡi lên các nhịp đập của tín hiệu, bị phân tán rã rời, bị ghép lại từ các mảnh, bị nhào trộn, nắn bóp, lọc chắt để rồi được sắp hàng trước đôi mắt của ai đó.

Đôi khi chúng tôi hiền hoà và ích lợi.
Lắm lúc chúng tôi tàn nhẫn và vô ích.

Chúng tôi là nguyên nhân của thành công và thất bại. Chúng tôi chỉ là một đám dữ liệu vô tri vô giác.

conmale

--
Hieu Huynh
HCM - Jan 1, 2017.

Issue

• Remind me "Drink water" hourly by using Mac's notification
• No need to install anything

Solution

• Create a file MacNotification.sh in /Users/admin/Documents/ or somewhere

  #!/bin/bash
  /usr/bin/osascript -e 'display notification "Ngồi thẳng lưng + uống nước" with title "Suggestion"'

• Make this script executable

  ❯❯ sudo chmod +x /Users/admin/Documents/MacNotification.sh

• Test this script

  ❯❯ /Users/admin/Documents/MacNotification.sh

  

• Push this notification frequency by using crontab

  ❯❯ crontab -e
  
  # Paste this line to crontab's configuration
  10 * * * *  /Users/admin/Documents/MacNotification.sh

It means, we have this notification at minute 10 of every hour, every day

Reference:

1. https://apple.stackexchange.com/questions/57412/how-can-i-trigger-a-notification-center-notification-from-an-applescript-or-shel
2. https://ole.michelsen.dk/blog/schedule-jobs-with-crontab-on-mac-osx.html

https://llnx.me/technical/2017/06/11/Understanding-top-command.html

Python2

File 2.py

#!/usr/bin/env python2
print '3 / 2 =', 3 / 2
print '3 // 2 =', 3 // 2
print '3 / 2.0 =', 3 / 2.0
print '3 // 2.0 =', 3 // 2.0

Run:

❯❯ python 2.py
3 / 2 = 1
3 // 2 = 1
3 / 2.0 = 1.5
3 // 2.0 = 1.0

Python3

File 3.py

#!/usr/bin/env python3
print('3 / 2 =', 3 / 2)
print('3 // 2 =', 3 // 2)
print('3 / 2.0 =', 3 / 2.0)
print('3 // 2.0 =', 3 // 2.0)

Run:

❯❯ python3 3.py
3 / 2 = 1.5
3 // 2 = 1
3 / 2.0 = 1.5
3 // 2.0 = 1.0

Reference: http://sebastianraschka.com/Articles/2014_python_2_3_key_diff.html

Issue:

• Having a lot of hits from app server/background-worker to master DB
• Seconds_Behind_Master = 14657
• Sometime Slave_IO_State is in system lock
• Error from /var/log/mysql/error.log: Error reading packet from server: Lost connection to MySQL server during query (server_errno=2013)

Root cause:

• Data transfer from the master cannot be sent to slave because net_read_timeout is too small, timeout from slave database
• Packet data transfer is too big from the master, and the current max_allowed_packet value in slave is too small

Solution:

• Increase net_read_timeout from 10 to 360
• Increase max_allowed_packet from 4MB to 8MB

Think more

mysql> SHOW variables like `net_read_timeout` 
mysql> SET GLOBAL `net_read_timeout` = 360;

Reference:

1. https://dev.mysql.com/doc/refman/5.6/en/error-lost-connection.html
2. https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#option_mysqld_slave-parallel-workers

What is a CNAME record?

• CNAME stands for Canonical name
• It can be used to alias one name to another.

Example

• Assume we have a server where you keep all of your documents online
• It might normally be accessed through docs.example.com.
• You may also want to access it through documents.example.com.
• One way to make this possible is to add a CNAME record that points documents.example.com to docs.example.com.

Result: When someone visits documents.example.com they will see the exact same content as docs.example.com.

Reference: https://support.dnsimple.com/articles/cname-record/

We have 3 interfaces for interacting with aws

• AWS web console: https://console.aws.amazon.com/console/home
  Quick & easy integration
• AWS CLI: https://aws.amazon.com/cli
  For automation pipelines
• AWS boto python: http://docs.pythonboto.org/en/latest/index.html
  For both automation pipelines and interact with other or need more core logic tasks

anh em nào xài LB của aws, xem chỗ certificate SSL, phần cipher
upgrade lên ELBSecurityPolicy-2016-08 mới nhất nhe, vì mấy policy cũ có khả năng weak & vulnerable á :D
source: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html

Using Terminal command-line to unpack archived files

Unpacking .tar.gz files

tar -xzf foo.tar.gz

OR

gunzip -c foo.tar.gz | tar xopf -

Unpacking .tar files

tar xopf foo.tar

Unpacking .zip files

unzip -a foo.zip

Unpacking .rar files
Install unrar from Homebrew: brew install unrar

unrar x foo.rar

For your information:

• Gitlab Database incident
• Discussion on HackerNews

Lessons learned:

• Engineers should get more sleeps
• Restore strategy is more important than backup strategy
• Testing backup plans would not be a bad idea. If we don't test backups, we don't have them.
• We must rechecking backup/restore plans monthly, quarterly or yearly
• Always careful, anything with sudo command, we need to double/triple check
• Change terminal PS1 format/colors to make it clear whether you’re using production or staging
  • RED for production
  • Blue/green for staging
• Show the full hostname in the bash prompt for all users by default (e.g., “db1.staging.gitlab.com” instead of just “db1”)

Problem:

SSH session is stuck and cannot be exited by entering exit or enter or CTRL+D
And we need to break out this session without closing terminal emulator

Solved: Press ~ then press .

Why? Because ~. is an escape sequence that can terminate SSH session

More details:

Supported escape sequences:
  ~.  - terminate session
  ~B  - send a BREAK to the remote system
  ~R  - Request rekey (SSH protocol 2 only)
  ~#  - list forwarded connections
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

From http://askubuntu.com/a/29952/668849

1. Let’s look at typical speed scales of RAM, SSD and rotating disks. A typical reference to RAM is in the area of 100ns, accessing data on a SSD 150μs (so 1500 times of the RAM) and accessing data on a rotating disk 10ms (so 100.000 times the RAM).

2. RAM is hugely faster. A typical SSD has a random access time of ~100 microseconds, while typical RAM has access times of a few nanoseconds or even less for onboard RAM. So the RAM is thousands to millions of times faster. You would not like performance of your computer if you used the SSD for main memory. The trade-offs between speed, cost, power, and volatility is why computers have evolved to have a hierarchy of memory - from fast, expensive, volatile, and power-hungry onboard cache memory to slow, cheap, non-volatile HDD or SSD

Replication Master-Slave Configurations

• Master DB = 172.30.20.111
• Slave DB = 172.30.20.222

Create Configurations On Master Database /etc/mysql/my.cnf

# Setup replication master slave
# On Master
bind-address       = 172.30.20.111
event-scheduler  = on
server-id              = 1

log-bin
binlog-format      = row
binlog-do-db       = xxx_production
binlog-ignore-db = mysql
binlog-ignore-db = test
log_bin                  = /var/log/mysql/mysql-bin.log

sync_binlog          = 0
expire_logs_days = 2
# End of master config

Create Configurations On Slave Database /etc/mysql/my.cnf

# Setup replication master slave
# On Slave
bind-address       = 172.30.20.222
event_scheduler  = off
server-id              = 2

log-bin
binlog-format      = row
binlog-do-db       = xxx_production
binlog-ignore-db = mysql
binlog-ignore-db = test
log_bin                  = /var/log/mysql/mysql-bin.log

sync_binlog           = 0
expire_logs_days  = 2
# End of slave config

Create user for Replication

On Master

GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'172.30.20.222' IDENTIFIED BY 'sl@ve';
FLUSH PRIVILEGES;

Lock database on master and check binlog with position

On Master

FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

+----------------+----------+--------------+------------------+
| File           | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+----------------+----------+--------------+------------------+
| m01-bin.000001 |      827 | xxx_prod     | mysql,test       |
+----------------+----------+--------------+------------------+

Dump all database on master

On Master

$ mysqldump -u root -p --all-databases > xxx_production.sql

Import sql dump to slave database:

On Slave

mysql> CREATE DATABASE IF NOT EXISTS xxx_production;
mysql> USE xxx_production;
mysql> source dump.sql

Create user on slave and start slave

On Slave

CHANGE MASTER TO MASTER_HOST='172.30.20.111', MASTER_USER='slave_user', MASTER_PASSWORD='sl@ve', MASTER_LOG_FILE='mysql-bin.000005', MASTER_LOG_POS=80;
START SLAVE
SHOW SLAVE STATUS\G

Note:

+ SHOW GLOBAL VARIABLES LIKE 'binlog_format';
+ SET GLOBAL binlog_format = 'ROW';

Basic concept and information

• DNS stands for Domain Name System
• Its purpose is to resolve and translate human-readable website name to IPv4 or IPv6 address
• It's basically a large Database which resides on various servers around the world, that contains the names and IP address of various host/domains.
• Without DNS, we would only be able to visit any website directly via IP address, no human-readable anymore
• DNS works on both the TCP and UDP Protocols, port 53

How does DNS work?

Whenever you visit a domain such as github.com, the browser's journey begins >>>

Step 1: Request information

• TODO: Type github.com to address bar of Chrome, it's a new request for browser

Step 2: DNS cache on Chrome

• TODO: DNS query on chrome's cache, see chrome://net-internals/#dns
• True: Return IP address of this domain for making a request
• False: Didn't know it before --> call OS (step3)

Step 3: DNS cache on OS

• TODO: OS receive request from chrome, then check its DNS cache, see mDNSResponder on MacOS
• True: Return IP of github.com for browser
• False: OS didn't know it before same as browser, OS call the Resolver (Recursive DNS servers)

Step 4: The Resolver on ISP (Internet Service Provider)

• TODO: local OS sends a DNS Query to the Resolver by using UDP Protocol over Port 53, the Resolver will check its cache to find IP for github.com
• True: Return IP address for OS
• False: ISP didn't know it before same as our OS. ISP will ask the Root server

Step 5: The ROOT servers - see https://www.iana.org/domains/root/servers

• Fact: We have 13 root server for DNS around the world. They don’t know the answer, but they know where to find it.
• TODO: Root look at the first part of request, reading from right to left .com <--
• Direct our request to Top-Level Domain (TLD) name servers for .com, it's Verisign TLD
• ISP will store TLD information, no need ask the root again.

Step 6: The TLD nameservers

• TODO: The TLD nameservers review the next part of our request - github
• Direct our query to the nameservers responsible for this specific domain
• These Authoritative nameservers are responsible for knowing all the information about a specific domain, which are stored in DNS records

Step 7: The Authoritative nameservers

• TODO: The Resolver (ISP) retrieves the A record for github.com from the authoritative nameservers and stores the record in ISP's local cache
• More keywords: time-to-live value, Domain Registrar, types of records

Step 8: Receive the answer

• TODO: Resolver returns the A record back to OS
• OS stores the record in its cache, reads the IP address then passes information to Chrome
• Chrome stores the record in its cache

Finally, Chrome opens a connection to the webserver and receives the site.

This entire process, from start to finish, takes only milliseconds to complete.

Reference:

1. https://howdns.works
2. http://dyn.com/blog/dns-why-its-important-how-it-works/
3. https://www.verisign.com/en_US/website-presence/online/how-dns-works

Khi tiếp cận một hệ thống mới, nên follow theo những hướng như sau:

1. Tìm hiểu tổng quan của system, architecture
2. Đào sâu từng module của system, phải hiểu tất cả câu trả lời của những câu hỏi dưới đây:
   • Module/service này là gì?
   • Tại sao lại cần nó?
   • How it works?

Khi hiện thực feature/service/module mới cho system:

0. What is the most important thing that we need to do right now?
1. Trả lời câu hỏi Tại sao lại cần nó?
2. List ra những solution hiện có (from google, github, community, ...)
3. List advantage and disadvantage of all solutions
4. Choose right tool for right job
5. Cố gắng tìm tất cả document có sẵn, những thứ related với vấn đề cần build
6. Hiểu những inventory hiện có trên system để hỗ trợ cho the new thing

Khi module/service cũ có lỗi:

1. Tìm mọi log của module/service đó, có thể là log của service, có thể là log từ webapp, log từ các module connect tới nó
2. Đọc hiểu kĩ càng, hiểu rõ lỗi trước khi bắt tay vào fix
3. Hạn chế rebuild all the thing from scratch, nên dựa vào những step, những document có sẵn, xem người trước họ implement thế nào, tại sao họ lại làm vậy?

How can we do?

• Install and setup mailutils

  sudo apt-get install mailutils

• Install mailx

  sudo apt-get install heirloom-mailx
  

Demo

• Send a simple email

  ubuntu@db3:~$ mail -s "Test email from database server" [email protected]
  Hi,
  
  Hello world.
  
  Best,EOT

  Note: EOT is Control + D

• Result:

  

Resource Limits

http://stackoverflow.com/a/18152957/5402121

ElasticSearch has the best performance when it has a lot of resources (open files and RAM) available.

#/etc/security/limits.conf

elasticsearch - nofile 65535
elasticsearch - memlock unlimited

Verification:

sudo -u elasticsearch -s "ulimit -Sn"

Configuration

cluster.name: myFirstElasticsearchCluster
node.name: $hostname

index.number_of_shards: 4 x $numberOfNodes
index.number_of_replicas: 0  # See explanation below
bootstrap.mlockall: true

path.data: /data/elasticsearch # Additional directories can be added here, comma-delimited.
                               # Data will be striped across the directories

http.max_content_length: 256mb

Heap size:

/etc/default/elasticsearch

# Run Elasticsearch as this user ID and group ID
#ES_USER=elasticsearch
#ES_GROUP=elasticsearch

# Heap Size (defaults to 256m min, 1g max)
ES_HEAP_SIZE=1500m

# Heap new generation
#ES_HEAP_NEWSIZE=

# max direct memory
#ES_DIRECT_SIZE=

# Maximum number of open files, defaults to 65535.
#MAX_OPEN_FILES=65535

# Maximum locked memory size. Set to "unlimited" if you use the
# bootstrap.mlockall option in elasticsearch.yml. You must also set
# ES_HEAP_SIZE.
MAX_LOCKED_MEMORY=unlimited

# Maximum number of VMA (Virtual Memory Areas) a process can own
#MAX_MAP_COUNT=262144

# Elasticsearch log directory
#LOG_DIR=/var/log/elasticsearch

# Elasticsearch data directory
#DATA_DIR=/var/lib/elasticsearch

# Elasticsearch work directory
#WORK_DIR=/tmp/elasticsearch

# Elasticsearch configuration directory
#CONF_DIR=/etc/elasticsearch

# Elasticsearch configuration file (elasticsearch.yml)
#CONF_FILE=/etc/elasticsearch/elasticsearch.yml

# Additional Java OPTS
#ES_JAVA_OPTS=

# Configure restart on package upgrade (true, every other setting will lead to not restarting)
#RESTART_ON_UPGRADE=true

Number of Replicas

A replica is a copy of the data. If a node goes down, having replicas allows you to continue running, and the cluster will rebalance itself automatically. Similarly, if your cluster is slower than you would like, you can add an additional node, and the load will be rebalanced.

More replicas - slower indexing, faster searching, increased reliability.
Fewer replicas - faster indexing, slower searching, decreased reliability.

Generally, it's a good idea to have as many replicas as you can. 2 replicas will use 3x the disk, though (the original + 2 copies).

NOTE: You can modify the number of replicas on the fly. You can also modify it per-index, so your current index can have fast indexing, slow searching, while older indexes can be tuned for faster searching. This setting just configures the default whenever a new index is created.

Make sure that we have a plan for every task
Estimate for it with nearly exactly time for doing, not for problems caused by that task
If we have problems, please change the plan, make another or modify current plan

Pronunciation: have

Mindset: không phạm phải 1 lỗi tới 2 lần

Mailing lists

Some security mailing lists that we need to subscribe for receiving latest OSS vulnerabilities

• http://oss-security.openwall.org/wiki/mailing-lists/oss-security
• https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
• ... update later

Case study

We have a pull request that's merged to master branch
But we need to revert this because of a lot of issues or this PR is not useful, etc ...

How to do this?

• Switch to master branch

git checkout master

• Show history of merge commits in this branch

git log

commit b4fcbeb56694aXXXXXXXXXXXXXX
Merge: 4dfb327 141fcb8


  1 Revert "Merged in SS-2141-Redis-cache-Change-connection-of-Redis-on-stage (pull request #148)"
Author: Hieu Huynh <[email protected]>
Date:   Mon Mar 6 09:52:57 2017 +0000

    Merged in SS-2141-Redis-cache-Change-connection-of-Redis-on-stage (pull request #148)

    SS-2141 Redis cache - Change connection of Redis on stage

    Approved-by: Hieu Huynh
    Approved-by: XXXX
    Approved-by: XXXX

commit 141fcb88781b0d65addXXXXXXXXXXXXXXX
Author: Hieu Huynh <[email protected]>
Date:   Mon Mar 6 14:59:29 2017 +0700

    Change connection between webapp and redis service from service inside app1.stage to new Redis instance

commit 4dfb3276bacc2986dc513XXXXXXXXXXXX
Merge: 21f6edf c2f1XXX
Author: Hieu Huynh <[email protected]>
Date:   Tue Jan 17 21:51:35 2017 +0700

    Merged in SS-1801-Rotate-key-access-to-bastion-server (pull request #147)

    SS-1801-Rotate-key-access-to-bastion-server

• Revert this merged PR

commit b4fcbeb56694aXXXXXXXXXXXXXX
Merge: 4dfb327 141fcb8

b4fcbeb56694aXXXXXXXXXXXXXX is commit-hash

Run commands:

git revert -m 1 <commit-hash> 
git commit -m "Reverting the last commit which messed the repo."
git push -u origin master

How many subdomains can you have on your domain?

Domain: example.com
Subdomain: sub.example.com
Level of subdomains: level.sub.example.com

There are no direct limits on how many levels i.e. dots you can have in a hostname

[email protected] is in a valid email address format

Reference:

1. https://tools.ietf.org/html/rfc1034
2. http://serverfault.com/a/841282/406268

Question

1. What does ^C mean?
2. What happens when we press Ctrl+C in the terminal Linux, when some process is running?

Answer

• ^C means Ctrl+C in some Linux distros
• It's the interrupt signal.
• When we type this in a terminal, bash sends SIGINT to the job in the foreground.
• If there is no job (which is the case when you've just opened a terminal), nothing happens.
• If there is a job or a process running, SIGINT will interrupt the running process -> close

Most important:

• Why doesn't Ctrl-C kill the Terminal itself?

Because:

• The terminal emulator program is not a job running in the shell, so, it doesn't get the signal and doesn't close.

How about ^D?

If you want to close the terminal with a control key, use Ctrl+D (EOF) which causes bash to exit (and closes the terminal too).

Presentation

My settings

Most important:

• Save CPU & battery with VS Code by disabling cursor blinking
  "editor.cursorBlinking": "solid"

// Place your settings in this file to overwrite the default settings
{
    "editor.fontSize": 12,
    "window.reopenFolders": "all",
    "editor.fontFamily": "Menlo, Monaco, 'Courier New', monospace",
    "editor.quickSuggestions": true,
    "editor.quickSuggestionsDelay": 0,
    "editor.renderWhitespace": "all",
    "workbench.sideBar.location": "left",
    "workbench.statusBar.visible": true,
    "files.associations": {
        "*.cnf": "shellscript",
        "*.md": "markdown",
        "*.markdown": "markdown"
    },
    "files.hotExit": "onExit",
    "window.titleBarStyle": "native",
    "window.zoomLevel": 0,
    "vsicons.dontShowNewVersionMessage": true,
    "workbench.editor.tabCloseButton":"right",
    "extensions.autoUpdate": true,
    "terminal.integrated.scrollback": 2000,
    "clock.dateFormat": "hh:MM TT - dddd mmm d",
    "workbench.iconTheme": "vscode-icons",
    "workbench.colorTheme": "Gruvbox Dark (Medium Contrast)",
    "editor.cursorStyle": "block",
    "terminal.integrated.cursorStyle": "block",
    "editor.cursorBlinking": "solid"
}

Habit

It takes 21 days to form a new habit

• Do it For Yourself
• Know the Benefits
• Know the Pain
• Start Simple
• Make it Daily
• Stay Consistent

Time management

Most important thing: Work more when you’re in the zone. Relax when you’re not.

• It's normal to have days where you just can't work, and days where you'll work 12 hours straight.
• Stop multi-tasking. It merely kills your focus.
• We're always more focused and productive with limited time.
• Work is the best way to get working. Start with short tasks to get the ball rolling.
• Doing is better than perfect.
• More work hours doesn’t mean more productivity. Use constraints as opportunities.
• Separate thinking and execution to execute faster and think better.
• Always know the one thing you really need to get done during the day.
• Only ever work on the thing that will have the biggest impact.
• Set deadlines for everything. Don't let tasks go on indefinitely.

Strong mindset

• One of the most important decisions you make is deciding what not to do

Summary

System or infrastructure must have

• Fault tolerance
• NO single point of failure
• More than one or two security layers
• Auto-failover without requiring human intervention
• Heartbeat monitoring on all running components
• Infrastructure as code

Fault tolerance

It is the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system in which even a small failure can cause total breakdown. Fault tolerance is particularly sought after in high-availability or life-critical systems.

Single point of failure

A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working.[1] SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or other industrial system.

Defense in depth

Defense in depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.

Failover

A method of protecting computer systems from failure, in which standby equipment automatically takes over when the main system fails. In computing, failover is switching to a redundant or standby computer server, system, hardware component or network upon the failure or abnormal termination of the previously active application, server, system, hardware component, or network. Failover and switchover are essentially the same operation, except that failover is automatic and usually operates without warning, while switchover requires human intervention.

Heartbeat

In computer science, a heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a computer system. Usually a heartbeat is sent between machines at a regular interval in the order of seconds. If the endpoint does not receive a heartbeat for a time —usually a few heartbeat intervals—, the machine that should have sent the heartbeat is assumed to have failed.

Infrastructure as code

All configuration is defined in executable configuration definition files, such as shell scripts, Ansible playbooks, Chef recipes, or Puppet manifests ...

https://martinfowler.com/bliki/InfrastructureAsCode.html

Reference: Wikipedia

Some mindsets about building a product

• Performance matters.
• Memory usage matters
• Slow is a bug

Others mindset

• People don’t buy products, they buy better versions of themselves

1. https://www.iplocation.net/subnet-calculator
2. https://www.aelius.com/njh/subnet_sheet.html

MySQL slave I/O thread not running because of this error

mysql> show slave status\G;
*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: 172.31.24.216
                  Master_User: slave_user
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: util11-bin.000025
          Read_Master_Log_Pos: 366468954
               Relay_Log_File: mysqld-relay-bin.000003
                Relay_Log_Pos: 4
        Relay_Master_Log_File: util11-bin.000025
             Slave_IO_Running: No
            Slave_SQL_Running: Yes

Error log: The slave I/O thread stops because master and slave have equal MySQL server UUIDs; these UUIDs must be different for replication to work.

Why?

See https://planet.mysql.com/entry/?id=103096

How to fix?

1. Switch to root user
2. Go to /var/lib/mysql/
3. Remove auto.cnf file
4. Restart MySQL service or reboot server instance

/etc is one of the most important things in our Linux system

• It contains all system related configuration files in here or in its sub-directories
• A "configuration file" is defined as a local file used to control the operation of a program
• It must be static and cannot be an executable binary. For this reason, it's a good idea to backup this directory regularly.
• It will definitely save you a lot of re-configuration later if you re-install or lose your current installation. Normally, no binaries should be or are located here.

/etc/hosts: This file is used to define a system name and domain combination with a specific IP address. This file needs to always contain an entry for an IP address, if the machine is connected to the network.

### etherconf DEBCONF AREA. DO NOT EDIT THIS AREA OR INSERT TEXT BEFORE IT.
127.0.0.1 localhost ::1 localhost
ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
192.168.0.99 debian.localdomain.com debian
### END OF DEBCONF AREA. PLACE YOUR EDITS BELOW; THEY WILL BE PRESERVED.
192.168.0.1 ws001

/etc/apt: This is Debian's next generation front-end for the dpkg package manager. It provides the apt-get utility and APT dselect method that provides a simpler, safer way to install and upgrade packages. APT features complete installation ordering, multiple source capability and several other unique features, see the Users Guide in /usr/share/doc/apt/guide.text.gz

/etc/apt/sources.list: Contains a list of apt-sources from which packages may be installed via APT.

Source: http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/etc.html

I want to write all output of bash script to a file, how to do that?

Inside this script

{
 } &> /path/to/log/file

Or outside of this script

❯❯ ./yourscript.sh > output.txt

Example:

❯❯ cat MacNotification.sh
#!/bin/bash
{
echo "Test output"
/usr/bin/osascript -e 'display notification "Ngồi thẳng lưng + uống nước" with title "Suggestion"'
} &> /Users/admin/Documents/Tools/output.log