Linux, BSD, Unix and Security hints
Ubuntu upgrade from 14.04 to 16.04
To upgrade from Ubuntu 14.04 to 16.04, you can use the ubuntu tool update-manager. This tool make a clean upgrade from the system.
Please before update your system.
sudo apt-get update
sudo apt-get dist-upgrade
If you are done with the upgrade, install the update-manager-core.
sudo apt-get install update-manager-core
Now upgrade to the new ubuntu release.
sudo do-release-upgrade -d
raspberry pi ntp server gps
You need:
stty -F /dev/ttyAMA0 raw 9600 cs8 clocal -cstopb
test gps
cat /dev/ttyAMA0
gpsmon
(eg, remove console=ttyAMA0,115200 and if there, kgdboc=ttyAMA0,115200) /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
Install ntp package
apt-get install ntp gpsd
/etc/default/gpsd
# Default settings for the gpsd init script and the hotplug wrapper. # Start the gpsd daemon automatically at boot time START_DAEMON="true" # Use USB hotplugging to add new USB devices automatically to the daemon USBAUTO="false" # Devices gpsd should collect to at boot time. # They need to be read/writeable, either by user gpsd or the group dialout. DEVICES="/dev/ttyAMA0" # Other options you want to pass to gpsd GPSD_OPTIONS="-b -n"
/lib/systemd/system/gpsd.service
#ExecStart=/usr/sbin/gpsd -N $GPSD_OPTIONS $DEVICES ExecStart=/usr/sbin/gpsd -N -b -n /dev/ttyAMA0
/usr/local/bin/leap-seconds.sh
#!/bin/sh cd /etc/ntp wget https://www.ietf.org/timezones/data/leap-seconds.list &> /dev/null service ntp restart &> /dev/null
/etc/cron.d/ntp
0 0 31 6,12 * root /usr/local/bin/leap-seconds.sh
mkdir /etc/ntp
download the leap-seconds.list the first time
/usr/local/bin/leap-seconds.sh
/etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift leapfile /etc/ntp/leap-seconds.list # Enable this if you want statistics to be logged. statsdir /var/log/ntpstats/ statistics loopstats peerstats clockstats filegen loopstats file loopstats type day enable filegen peerstats file peerstats type day enable filegen clockstats file clockstats type day enable # pool server 0.ch.pool.ntp.org iburst server 1.ch.pool.ntp.org iburst server 2.ch.pool.ntp.org iburst server 3.ch.pool.ntp.org iburst # HW GPS server 127.127.28.0 iburst fudge 127.127.28.0 flag1 1 flag2 0 time2 0.600 refid GPS # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for # details. The web page # might also be helpful. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 # Clients from this (example!) subnet have unlimited access, but only if # cryptographically authenticated. restrict 172.23.0.0 mask 255.255.0.0 notrust # If you want to provide time to your local subnet, change the next line. # (Again, the address is an example only.) #broadcast 192.168.123.255 # If you want to listen to time broadcasts on your local subnet, de-comment the # next lines. Please do this only if you trust everybody on the network! #disable auth #broadcastclient
Tricks:
query and synchronize against a pool
ntpdate -q 0.ch.pool.ntp.org 1.ch.pool.ntp.org
/etc/udev/rules.d/99-com.rules
KERNEL==”ttyAMA0″, SYMLINK+=”gps0″
KERNEL==”pps0″, SYMLINK+=”gpspps0″
The NTP status codes that ntpq is showing you are on this list, yours is showing an “*” which means you aren’t using the PPS, just the serial output of the GPS chip. You might want to look into that as the PPS is probably going to give you better time accuracy.
o = pps peer
* = sys peer
# = too distant
+ = selected
x = false ticker
– = discarded
[](http://opensource.org/licenses/MIT)
Ubuntu LXC memory & swap limit
Add to the LXC config
# Memory limits lxc.cgroup.memory.limit_in_bytes = 2G lxc.cgroup.memory.memsw.limit_in_bytes = 4G
If you get the following error, when you like to set swap memory limit:
lxc-start: cgmanager.c: cgm_setup_limits: 1238 call to cgmanager_set_value_sync failed: invalid request lxc-start: cgmanager.c: cgm_setup_limits: 1241 Error setting cgroup memory:lxc/testlxc limit type memory.memsw.limit_in_bytes lxc-start: start.c: lxc_spawn: 911 failed to setup the cgroup limits for 'testlxc' lxc-start: start.c: __lxc_start: 1080 failed to spawn 'testlxc' lxc-start: lxc_start.c: main: 342 The container failed to start. lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.
Add swapaccount=1 to linux boot parameter
sudo -e /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="swapaccount=1"
Now update grub
sudo update-grub
MaxScale MariaDB
This is a small guide to install MaxScale on Ubuntu. Scalable, highly available and powerful transformative database services with MariaDB MaxScale.
First step is to add the repository into your config
sudo apt-get install software-properties-common sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8167EE24 sudo add-apt-repository 'deb [arch=amd64] http://downloads.mariadb.com/software/MaxScale/maxscale/DEB trusty main'
Now you can install MaxScale
sudo apt-get update sudo apt-get install maxscale
This should look like this
# aptitude install maxscale
The following NEW packages will be installed:
libaio1{a} maxscale
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.8 MB of archives. After unpacking 76.8 MB will be used.
Do you want to continue? [Y/n/?]
Get: 1 http://downloads.mariadb.com/software/MaxScale/maxscale/DEB/ trusty/main maxscale amd64 1.0.5 [27.7 MB]
Get: 2 http://archive.ubuntu.com/ubuntu/ trusty/main libaio1 amd64 0.3.109-4 [6,364 B]
Fetched 27.8 MB in 2s (12.8 MB/s)
Selecting previously unselected package libaio1:amd64.
(Reading database ... 16780 files and directories currently installed.)
Preparing to unpack .../libaio1_0.3.109-4_amd64.deb ...
Unpacking libaio1:amd64 (0.3.109-4) ...
Selecting previously unselected package maxscale.
Preparing to unpack .../maxscale_1.0.5_amd64.deb ...
Unpacking maxscale (1.0.5) ...
Setting up libaio1:amd64 (0.3.109-4) ...
Setting up maxscale (1.0.5) ...
Processing triggers for libc-bin (2.19-0ubuntu6.5) ...
Default password for MaxScale is
skysql
Main directory
/usr/local/skysql/maxscale
Logroate script
/usr/local/skysql/maxscale/log/*.log {
monthly
rotate 5
missingok
nocompress
sharedscripts
postrotate
# run if maxscale is running
if test -n "`ps acx|grep maxscale`"; then
/usr/local/skysql/maxscale/bin/maxadmin -pskysql flush logs
fi
endscript
}
Create a DB user for MaxScale, on your MariaDB server
create user 'maxscale'@'192.168.0.%' identified by 'setup123'; grant SELECT on mysql.user to 'maxscale'@'192.168.0.%'; grant SELECT on mysql.db to 'maxscale'@'192.168.0.%'; grant SHOW DATABASES on *.* to 'maxscale'@'192.168.0.%'; flush privileges;
Small config for MaxScale
[maxscale] threads=6 [Galera Monitor] type=monitor module=galeramon servers=amupv-db01-test,amupv-db02-test,amupv-db03-test user=maxscale passwd=setup123 monitor_interval=10000 [Read Connection Router] type=service router=readconnroute servers=amupv-db01-test,amupv-db02-test,amupv-db03-test user=maxscale passwd=setup123 router_options=slave [RW Split Router] type=service router=readwritesplit servers=amupv-db01-test,amupv-db02-test,amupv-db03-test user=maxscale passwd=setup123 [Debug Interface] type=service router=debugcli [CLI] type=service router=cli [Read Connection Listener] type=listener service=Read Connection Router protocol=MySQLClient port=4008 [RW Split Listener] type=listener service=RW Split Router protocol=MySQLClient port=3306 [Debug Listener] type=listener service=Debug Interface protocol=telnetd address=127.0.0.1 port=4442 [CLI Listener] type=listener service=CLI protocol=maxscaled address=127.0.0.1 port=6603 [amupv-db01-test] type=server address=192.168.0.1 port=3306 protocol=MySQLBackend [amupv-db02-test] type=server address=192.168.0.2 port=3306 protocol=MySQLBackend [amupv-db03-test] type=server address=192.168.0.3 port=3306 protocol=MySQLBackend
Now you can start MaxScale
service maxscale start
maxadmin
# /usr/local/skysql/maxscale/bin/maxadmin Password: MaxScale> list servers Servers. -------------------+-----------------+-------+-------------+-------------------- Server | Address | Port | Connections | Status -------------------+-----------------+-------+-------------+-------------------- amupv-db01-test | 192.168.0.1 | 3306 | 0 | Master, Synced, Running amupv-db02-test | 192.168.0.2 | 3306 | 0 | Slave, Synced, Running amupv-db03-test | 192.168.0.3 | 3306 | 0 | Slave, Synced, Running -------------------+-----------------+-------+-------------+-------------------- MaxScale> show servers Server 0x1fb8b90 (amupv-db01-test) Server: 192.168.0.1 Status: Master, Synced, Running Protocol: MySQLBackend Port: 3306 Server Version: 10.0.15-MariaDB-1~trusty-wsrep-log Node Id: 0 Master Id: -1 Repl Depth: 0 Number of connections: 0 Current no. of conns: 0 Current no. of operations: 0 Server 0x1f153b0 (amupv-db02-test) Server: 192.168.0.2 Status: Slave, Synced, Running Protocol: MySQLBackend Port: 3306 Server Version: 10.0.15-MariaDB-1~trusty-wsrep-log Node Id: 2 Master Id: -1 Repl Depth: 0 Number of connections: 0 Current no. of conns: 0 Current no. of operations: 0 Server 0x1f152a0 (amupv-db03-test) Server: 192.168.0.3 Status: Slave, Synced, Running Protocol: MySQLBackend Port: 3306 Server Version: 10.0.15-MariaDB-1~trusty-wsrep-log Node Id: 1 Master Id: -1 Repl Depth: 0 Number of connections: 0 Current no. of conns: 0 Current no. of operations: 0
Links:
https://mariadb.com/portal_file/60898
https://mariadb.com/products/mariadb-maxscale
unbound root server setup
Unbound is a validating, recursive, and caching DNS resolver.
Install unbound
sudo aptitude install unbound
Create cron job for named.root file
# vi /etc/cron.d/named-root 0 * * * * root wget -c http://www.internic.net/domain/named.root -O /etc/unbound/root.hints
Unbound config – /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
#include: "/etc/unbound/unbound.conf.d/*.conf"
## Authoritative, validating, recursive caching DNS
## unbound.conf
#
server:
# log verbosity
verbosity: 1
# specify the interfaces to answer queries from by ip-address. The default
# is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
# bind to all available interfaces. specify every interface[@port] on a new
# 'interface:' labeled line. The listen interfaces are not changed on
# reload, only on restart.
interface: 172.23.0.23
interface: 2a01:4f8:210:3101::101
# port to answer queries from
port: 53
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: yes
# Enable UDP, "yes" or "no".
do-udp: yes
# Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
# quicker to resolve as the functions related to TCP checks are not done.i
# NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
# due to their size.
do-tcp: yes
# control which client ips are allowed to make (recursive) queries to this
# server. Specify classless netblocks with /size and action. By default
# everything is refused, except for localhost. Choose deny (drop message),
# refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
# and nonrecursive ok)
access-control: 172.23.0.0/24 allow
access-control: 2a01:4f8:210:3101::/64 allow
# Read the root hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of zone files, with root
# nameserver names and addresses only. The default may become outdated,
# when servers change, therefore it is good practice to use a root-hints
# file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
root-hints: "/etc/unbound/root.hints"
# enable to not answer id.server and hostname.bind queries.
hide-identity: yes
# enable to not answer version.server and version.bind queries.
hide-version: yes
# Will trust glue only if it is within the servers authority.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor). Default on,
# which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
use-caps-for-id: yes
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
cache-min-ttl: 3600
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
# perform prefetching of close to expired message cache entries. If a client
# requests the dns lookup and the TTL of the cached hostname is going to
# expire in less than 10% of its TTL, unbound will (1st) return the ip of the
# host to the client and (2nd) pre-fetch the dns request from the remote dns
# server. This method has been shown to increase the amount of cached hits by
# local clients by 10% on average.
prefetch: yes
# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine. Our example machine has 4 CPU cores.
num-threads: 4
## Unbound Optimization and Speed Tweaks ###
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
rrset-cache-size: 256m
msg-cache-size: 128m
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
so-rcvbuf: 1m
## Unbound Optimization and Speed Tweaks ###
# Enforce privacy of these addresses. Strips them away from answers. It may
# cause DNSSEC validation to additionally mark it as bogus. Protects against
# 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
# 'local-data' names are allowed to have these private addresses. No default.
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 10.0.0.0/16
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# private-domain: "home.lan"
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
# localhost you will want to allow the resolver to send queries to localhost.
# Make sure to set do-not-query-localhost: yes . If yes, the above default
# do-not-query-address entries are present. if no, localhost can be queried
# (for testing and debugging).
do-not-query-localhost: no
# File with trusted keys, kept up to date using RFC5011 probes, initial file
# like trust-anchor-file, then it stores metadata. Use several entries, one
# per domain name, to track multiple zones. If you use forward-zone below to
# query the Google DNS servers you MUST comment out this option or all DNS
# queries will fail.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
# account for a 70 percent share of all advertising traffic. Block them.
# local-zone: "doubleclick.net" redirect
# local-data: "doubleclick.net A 127.0.0.1"
# local-zone: "googlesyndication.com" redirect
# local-data: "googlesyndication.com A 127.0.0.1"
# local-zone: "googleadservices.com" redirect
# local-data: "googleadservices.com A 127.0.0.1"
# local-zone: "google-analytics.com" redirect
# local-data: "google-analytics.com A 127.0.0.1"
# local-zone: "ads.youtube.com" redirect
# local-data: "ads.youtube.com A 127.0.0.1"
# local-zone: "adserver.yahoo.com" redirect
# local-data: "adserver.yahoo.com A 127.0.0.1"
# Unbound will not load if you specify the same local-zone and local-data
# servers in the main configuration as well as in this "include:" file. We
# suggest commenting out any of the local-zone and local-data lines above if
# you suspect they could be included in the unbound_ad_servers servers file.
#include: "/usr/local/etc/unbound/unbound_ad_servers"
# locally served zones can be configured for the machines on the LAN.
# local-zone: "home.lan." static
#
# local-data: "firewall.home.lan. IN A 10.0.0.1"
# local-data: "laptop.home.lan. IN A 10.0.0.2"
# local-data: "xboxone.home.lan. IN A 10.0.0.3"
# local-data: "ps4.home.lan. IN A 10.0.0.4"
# local-data: "dhcp5.home.lan. IN A 10.0.0.5"
# local-data: "dhcp6.home.lan. IN A 10.0.0.6"
# local-data: "dhcp7.home.lan. IN A 10.0.0.7"
#
# local-data-ptr: "10.0.0.1 firewall.home.lan"
# local-data-ptr: "10.0.0.2 laptop.home.lan"
# local-data-ptr: "10.0.0.3 xboxone.home.lan"
# local-data-ptr: "10.0.0.4 ps4.home.lan"
# local-data-ptr: "10.0.0.5 dhcp5.home.lan"
# local-data-ptr: "10.0.0.6 dhcp6.home.lan"
# local-data-ptr: "10.0.0.7 dhcp7.home.lan"
# Unbound can query your NSD or BIND server for private domain queries too.
# On our NSD page we have NSD configured to serve the private domain,
# "home.lan". Here we can tell Unbound to connect to the NSD server when it
# needs to resolve a *.home.lan hostname or IP.
#
# private-domain: "home.lan"
# local-zone: "0.0.10.in-addr.arpa." nodefault
# stub-zone:
# name: "home.lan"
# stub-addr: 10.0.0.111@53
# If you have an internal or private DNS names the external DNS servers can
# not resolve, then you can assign domain name strings to be redirected to a
# seperate dns server. For example, our comapny has the domain
# organization.com and the domain name internal.organization.com can not be
# resolved by Google's public DNS, but can be resolved by our private DNS
# server located at 1.1.1.1. The following tells Unbound that any
# organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
# instead of the public dns servers.
#
# forward-zone:
# name: "organization.com"
# forward-addr: 1.1.1.1 # Internal or private DNS
# Use the following forward-zone to forward all queries to Google DNS,
# OpenDNS.com or your local ISP's dns servers for example. To test resolution
# speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
# milliseconds.
#
# forward-zone:
# name: "."
# forward-addr: 8.8.8.8 # Google Public DNS
#
## Authoritative, validating, recursive caching DNS
## unbound.conf
Links:
http://www.internic.net/domain/named.root/
http://www.it-wars.com/dns-back-to-the-roots/
https://calomel.org/unbound_dns.html/
MikroTik IPv6 DNS RDNSS
To activate on your MikroTik RouterOS device RDNSS, you must do the following.
Set the IPv6 DNS server.
/ip dns set server=2001:4860:4860::8888,2001:4860:4860::8844
Show the configuration
/ip dns print servers: 2001:4860:4860::8888,2001:4860:4860::8844 dynamic-servers: 77.109.128.2,213.144.129.20 allow-remote-requests: no max-udp-packet-size: 4096 query-server-timeout: 2s query-total-timeout: 10s cache-size: 2048KiB cache-max-ttl: 1w cache-used: 9KiB
Enable RDNSS
/ipv6 nd set [f] advertise-dns=yes
Show the IPv6 nd configuration
/ipv6 nd print Flags: X - disabled, I - invalid, * - default 0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=no other-configuration=no
On Ubuntu/Debian linux distributions you can install rdnssd package which is capable of receiving advertised DNS address.
sudo apt-get install rdnssd
Links:
Nginx 1.7 ubuntu 14.04
When you have Nginx 1.7 you can also use SPDY 1.3 and other cool features.
To install Nginx 1.7 on a Ubuntu 14.04 Linux. You can use this:
curl http://nginx.org/keys/nginx_signing.key | apt-key add - echo -e "deb http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx\ndeb-src http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx" > /etc/apt/sources.list.d/nginx.list
Update source and install or upgrade Nginx:
aptitude update aptitude install nginx aptitude dist-upgrade
When you use php, add this to /etc/nginx/fastcgi_params :
# add for nginx 1.7 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
Nginx worker_connections exceed open file resource
When you restart the nginx service and you see this meassage then you have a problem with the file limits.
root@web01:/var/log/nginx# service nginx restart * Restarting nginx nginx nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024 nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024
You can set in manual
ulimit -n 65536
When you like to see the open files limit you can see it with
root@web01:/var/log/nginx# ulimit -n 65536
You can also see all limits with
root@web01:/var/log/nginx# ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 256697 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 65536 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 256697 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited
On Ubuntu and Debian you can set the limits in /etc/security/limits.conf with
* soft nofile 65536 * hard nofile 65536
The system can automatically install updates. If you want this, install unattended-upgrades package.vYou never miss a security update.
aptitude install unattended-upgrades
You must edit this file. Make a reconfiguration and select yes.
vi /etc/apt/apt.conf.d/50unattended-upgrades
....
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-proposed";
"${distro_id}:${distro_codename}-backports";
};
....
dpkg-reconfigure unattended-upgrades
To set multiple IPv6 addresses on one interface in Linux, you can use the tool ip.
ip addr add first_ipv6_address dev eth1 ip addr add second_ipv6_address dev eth1
When you like to set this on the system boot, you must do this in /etc/network/interfaces
auto eth0 iface eth0 inet6 static address first_ipv6_address Adress netmask 128 gateway ipv6_gateway up ip addr add second_ipv6_address/128 dev eth1 down ip addr del second_ipv6_address/128 dev eth1