Mysql quota for database using zfs on CentOS 7

Assume we have already done "Move mysql data folder to ZFS on CentOS 7".
Follow these steps to create a quota-limited mysql database (run as root). The database files live under /mysqldata.

# add the SELinux fcontext for the database storage folder. Only needs to be run once
semanage fcontext -a -t mysqld_db_t "/mysqldata(/.*)?"

# create a ZFS dataset for the database, capped at 1GB
zfs create -o mountpoint=/mysqldata/test_quota -o quota=1gb mysqldata/test_quota
chown -R mysql:mysql /mysqldata/test_quota
chmod -R 700 /mysqldata/test_quota

cd /var/lib/mysql
mysql -e "create database test_quota;"
mv test_quota/db.opt /mysqldata/test_quota
mv test_quota /tmp
rm -rf /tmp/test_quota
ln -s /mysqldata/test_quota /var/lib/mysql
restorecon -R -v /mysqldata

Now the database space is capped at 1GB by the ZFS quota.
To delete the mysql database:

cd /var/lib/mysql
dbname=test_quota
TABLES=$(mysql ${dbname} -e 'show tables' | awk '{ print $1}' | grep -v '^Tables' )

# drop every table first
for t in $TABLES; do
	echo "Deleting $t table from ${dbname} database..."
	mysql ${dbname} -e "drop table $t"
done
echo "All tables have been dropped."
# replace the symlink with an empty directory so DROP DATABASE can remove it
rm ${dbname}
mkdir ${dbname}
chown mysql:mysql ${dbname}
mysql -e "drop database ${dbname}"
# destroy the ZFS dataset and clean up the leftover mountpoint directory
zfs destroy mysqldata/${dbname}
rm -rf /mysqldata/${dbname}

Add static route on Mac OSX and Windows

Adding a static route on Windows is easy. Run the command prompt as Administrator.

route -p add mask

Adding a static route on OS X takes the following steps:

  1. Find the network service that can reach the gateway
    mac-mini:~ ladmin$ networksetup -listallnetworkservices
    An asterisk (*) denotes that a network service is disabled.
    Bluetooth DUN
    *Bluetooth PAN 2
    mac-mini:~ ladmin$ networksetup -getinfo LAN
    Manual Configuration
    IP address:
    Subnet mask:
    IPv6: Automatic
    IPv6 IP address: none
    IPv6 Router: none
    Ethernet Address: 00:1f:5b:33:1d:75
  2. Set an additional route on the network service
    mac-mini:~ ladmin$ sudo networksetup -setadditionalroutes LAN
    mac-mini:~ ladmin$ networksetup -getadditionalroutes LAN
  3. Check the route list

    mac-mini:~ ladmin$ netstat -rn
    Routing tables
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default      UGSc           18        0   vlan0
    default       UGScI           0        0     en0
    default       UGScI           0        0     en1
    default       UGScI           0        0     en2
    10/24         UGSc            0        0     en1
    127                UCS             0        0     lo0          UH             75  2330825     lo0
    169.254            link#8             UCS             1        0   vlan0
    169.254            link#4             UCSI            0        0     en0
    169.254            link#5             UCSI            0        0     en1

    Add more routing paths:

    iso@isoAir:/dev$ sudo networksetup -setadditionalroutes "Ethernet Pantalla Trabajo"
    iso@isoAir:/dev$ sudo networksetup -getadditionalroutes "Ethernet Pantalla Trabajo"


KVM access guest from outside host on CentOS

The default virbr0 network lets the guest reach the host (VM<->host), but the guest cannot be reached from outside the host. The following commands remove the REJECT rules and enable it temporarily.

# iptables -D  FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
# iptables -D  FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

The best way is to create another bridge for guest.

  1. create a new network xml file (routeNetwork.xml); the bridge is created when the network is started

      <network>
        <name>routenetwork</name>
        <bridge name="virbr100" />
        <forward mode="route" />
        <ip address="" netmask="" />
      </network>
  2. create new bridge
    # virsh net-create routeNetwork.xml
  3. edit the network to enable dhcp (I think if we define DHCP at the first step, this one is not needed. If we don't do this step, the persistent state is "no". Not sure what the impact is.)
    # virsh net-edit routenetwork
      <network>
        <name>routenetwork</name>
        <forward mode='route'/>
        <bridge name='virbr100' stp='on' delay='0'/>
        <mac address='52:54:00:cc:3b:aa'/>
        <ip address='' netmask=''>
          <dhcp>
            <range start='' end=''/>
          </dhcp>
        </ip>
      </network>
  4. Set the bridge autostart
    # virsh net-autostart routenetwork
  5. Check virtual networks
    # virsh net-list
     Name                 State      Autostart     Persistent
     default              active     yes           yes
     routenetwork         active     yes           yes
  6. add masquerade to firewalld
    # firewall-cmd --permanent --add-masquerade
  7. change the guest's network interface from the default network to the new bridge
    # virsh --connect qemu:///system
    virsh # edit <VM's name>
    <interface type='bridge'>
      <mac address='52:54:00:ea:98:1a'/>
      <source bridge='virbr100'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
  8. shutdown and start the guest again
  9. add route on your router
    # sudo route -n add <host ip>

    Now the guest can be reached from your network via its IP 10.10.120.x.

    Other virsh commands used in managing virtual networks are:

    • virsh net-list — list virtual networks
    • virsh net-autostart [network name] — Autostart a network specified as [network name]
    • virsh net-create [XML file] — Generates and starts a new network using a preexisting XML file
    • virsh net-define [XML file] — Generates a new network from a preexisting XML file without starting it
    • virsh net-destroy [network name] — Destroy a network specified as [network name]
    • virsh net-name [network UUID] — Convert a specified [network UUID] to a network name
    • virsh net-uuid [network name] — Convert a specified [network name] to a network UUID
    • virsh net-start [name of an inactive network] — Starts a previously defined inactive network
    • virsh net-undefine [name of an inactive network] — Undefine an inactive network
    • virsh net-dumpxml [network name] — Dump network as xml file

How to edit KVM VM profile which is created by virt-manager and add port-forwarding function?

Virt-manager hides some functions such as port-forwarding. We can edit the VM profile from the terminal.

# virsh --connect qemu:///system

List all VMs in the virsh environment

virsh # list --all

Edit VM’s profile

virsh # edit <VM's name>

Add the qemu namespace to the <domain> element (before and after):

<domain type='kvm'>
<domain type='kvm' xmlns:qemu=''>

Change the interface type from network to user (before and after; the <source> element is dropped):

   <interface type='network'>
      <mac address='xx:xx:xx:xx:xx:xx'/>
      <model type='e1000'/>
      <source network='default'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>
   <interface type='user'>
     <mac address='xx:xx:xx:xx:xx:xx'/>
     <model type='e1000'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>

Add the port-forwarding arguments inside a <qemu:commandline> element, just before the closing </domain> tag (host port 2001 -> guest 3389, host port 2002 -> guest 80)

  <qemu:commandline>
    <qemu:arg value='-redir'/>
    <qemu:arg value='tcp:2001::3389'/>
    <qemu:arg value='-redir'/>
    <qemu:arg value='tcp:2002::80'/>
  </qemu:commandline>
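The libvirt XML edits from the two KVM posts above (the routed network definition, the bridge interface in step 7, and the user-mode interface plus qemu:commandline redirs here) as an added example, not code from the original posts. It builds the XML with the standard library instead of hand-editing in virsh; the sample domain, the 10.10.120.x addresses and the MAC are constructed values, and the qemu namespace URI is the one libvirt documents.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"  # libvirt's qemu namespace
ET.register_namespace("qemu", QEMU_NS)  # serialize as xmlns:qemu on <domain>

# Constructed sample of a virt-manager domain (MAC is made up).
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>testvm</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:ea:98:1a'/>
      <source network='default'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>"""

def routed_network_xml(name, bridge, address, netmask, dhcp_start, dhcp_end):
    """Routed network with a DHCP range (KVM post, steps 1 and 3), for virsh net-define."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "forward", mode="route")
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    ip = ET.SubElement(net, "ip", address=address, netmask=netmask)
    dhcp = ET.SubElement(ip, "dhcp")
    ET.SubElement(dhcp, "range", start=dhcp_start, end=dhcp_end)
    return ET.tostring(net, encoding="unicode")

def attach_to_bridge(domain_xml, bridge):
    """Step 7: move every <interface type='network'> onto the routed bridge."""
    root = ET.fromstring(domain_xml)
    for iface in root.iter("interface"):
        if iface.get("type") == "network":
            iface.set("type", "bridge")
            src = iface.find("source")
            src.attrib.clear()            # drop network='default'
            src.set("bridge", bridge)     # <source bridge='virbr100'/>
    return ET.tostring(root, encoding="unicode")

def add_user_net_redirs(domain_xml, redirs):
    """virt-manager post: user-mode NIC plus -redir args under <qemu:commandline>."""
    root = ET.fromstring(domain_xml)
    for iface in root.iter("interface"):
        if iface.get("type") == "network":
            iface.set("type", "user")
            src = iface.find("source")
            if src is not None:           # a user NIC carries no <source>
                iface.remove(src)
    cmdline = ET.SubElement(root, f"{{{QEMU_NS}}}commandline")
    for spec in redirs:                   # e.g. "tcp:2001::3389"
        ET.SubElement(cmdline, f"{{{QEMU_NS}}}arg", value="-redir")
        ET.SubElement(cmdline, f"{{{QEMU_NS}}}arg", value=spec)
    return ET.tostring(root, encoding="unicode")
```

The returned strings can be written to a file and loaded with `virsh net-define` or `virsh define` respectively.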



Drupal security modules

Basic security modules for Drupal:

  1. Login security
  2. Password policy
  3. Update manager
  4. Captcha
  5. Flood Control
  6. Secure Pages Hijack Prevention
  7. XFS (cross frame scripting)
  8. Idle Session Timeout
  9. Concurrent Sessions
  10. ACL
  11. Two-factor Authentication (TFA)
  12. Paranoia
  13. Coder
  14. Security Review
  15. SpamSpan filter