Censornet Ltd

free -h

Confirm it is not full, or approaching.

free -s 3

This checks the RAM usage every 3 seconds.

TOP Breakdown (Simplified)

the command top is used to view the live processes on the USS gateway along with their associated load

-Load Average- this dispalys the CPU load on the gateway. Cenerally any one of the load averages shouldn't exceed the number of CPU's on the applicance. This is a rule of thumb, that if a gateway has 4 CPU's the load shouldn't exceed 4.0 otherwise there will be latency 

- Table below- the Table below the output shows a live list of processes (COMMAND Colum) and their associated memory and CPU usage (very similar to win resource monitor) 

Top should be the first point of reference for troubleshooting a slow gateway

Below is an example of two prxoes 80 and 81.

We can see normal and expected load averages on gateway 80 (below 2.5) and on gateway 81 we can see abnormal load averages of 9+

we can then use the live process table to try to identify an issue such as a process which is using up too much CPU:

HTOP breakdown

HTOP is used to example processes, sometimes referred to as Tasks.

Highlighted RED below are CPU cores:

The numbers on the top left from 1 to 8 represents the number of cpu's/cores in my system with the progress bar next to them representing the load of cpu/core. As you would have noticed the progress bars can be comprised of different colours. The following list will explain what each colour means.

• Blue: low priority processes (nice > 0)
• Green: normal (user) processes
• Red: kernel processes
• Yellow: IRQ time
• Magenta: Soft IRQ time
• Grey: IO Wait time

Highlighted RED below are Memory and Swap progress bars:

Like the cpu progress bars the memory and swap progress bars can be comprised of different colours. Here is a list of what the colours means within relation to the memory and swap progress bars.

• Green: Used memory pages
• Blue: Buffer pages
• Yellow: Cache pages

Highlighted RED below are Load averages:

The system load is a measure of the amount of computational work that a computer system performs. The load average represents the average system load over a period of time. 1.0 on a single core cpu represents 100% utilization. Note that loads can exceed 1.0 this just means that processes have to wait longer for the cpu. 4.0 on a quad core represents 100% utilization. Anything under a 4.0 load average for a quad-core is ok as the load is distributed over the 4 cores.

The first number is a 1 minute load average, second is 5 minutes load average and the third is 15 minutes load average.

HTOP Task information breakdown

Htop will lists all the running processes(tasks) on a system with information about how much cpu and memory each process is using as well as the command used to start the process.

Here is a list that explains what each column means.

• PID: A process’s process ID number.
• USER: The process’s owner.
• PR: The process’s priority. The lower the number, the higher the priority.
• NI: The nice value of the process, which affects its priority.
• VIRT: How much virtual memory the process is using.
• RES: How much physical RAM the process is using, measured in kilobytes.
• SHR: How much shared memory the process is using.
• S: The current status of the process (zombied, sleeping, running, uninterruptedly sleeping, or traced).
• %CPU: The percentage of the processor time used by the process.
• %MEM: The percentage of physical RAM used by the process.
• TIME+: How much processor time the process has used.
• COMMAND: The name of the command that started the process.

The difference between VIRT, RES & SHR:

VIRT stands for the virtual size of a process, which is the sum of memory it is actually using, memory it has mapped into itself (for instance the video card's RAM for the X server), files on disk that have been mapped into it (most notably shared libraries), and memory shared with other processes.

VIR represents how much memory the program is able to access at the present moment.

RES stands for the resident size, which is an accurate representation of how much actual physical memory a process is consuming. (This also corresponds directly to the %MEM column)

SHR indicates how much of the VIRT size is actually sharable memory or libraries. In the case of libraries, it does not necessarily mean that the entire library is resident. For example, if a program only uses a few functions in a library, the whole library is mapped and will be counted in VIRT and SHR, but only the parts of the library file containing the functions being used will actually be loaded in and be counted under RES.

HTOP PROTIPS:

• Press f5 to enable tree view. this helps massively
• Navigate the processes using arrow keys
• Kill a process using f9 key
• List open files used by a process by pressing the 'L' key ('q' to return from L view)
• Display only processes of single user by pressing 'u'
• Sort any HTOP column by pressing f6
• SUPER ADVANCED: You can customise how htop functions and displays by pressing the f2 key. (escape key to exit)
• HTOP IS CLICKABLE, you can LEFT CLICK entries! (handy for sorting)
• Lastly, a really good breakdown please refer to this document: https://peteris.rocks/blog/htop/

Excessive Proxy Connections

A proxy may slow down if excessive connections are active and open, in that scenario the course of action would be to investigate the number of connections per device and address a device which may be spamming connections or to upgrade to a load balances setup or add another standalone proxy to the mix

 The following commands should be run as the root user from the CensorNet server command line.

Display a list of connections from unique IP addresses to the proxy (first column connection count, second column IP address):

netstat -n | grep -E '8080|8081|8082'  | awk '{print $5;}' | cut -d : -f 1 | sort | uniq -c

netstat -n | grep -E '8080|8081|8082'   | awk '{print $5;}' | cut -d : -f 1 | sort | uniq | grep -c .

 Display a count of unique IP addresses which have open and active connections to the proxy:

 netstat -n | grep -E '8080|8081|8082' | grep ESTAB | awk '{print $5;}' | cut -d : -f 1 | sort | uniq -c

Running out of Storage

Firstly, check the syslog and postgresql log to verify that the gateway is running out of space, the errors should be very verbose and easy to spot. A clear sign that the gateway is completely out os space is squid refusing to stay up.

These commands will let you check the system storage:

df -h  [this will display general storage, the dev sda1 is the main partition to worry about]

df -i [this will display inode storage which are tiny files which can fill up the gw]

sudo find / -type f -exec du -h {} + 2>/dev/null | sort -rh | head -n 20

Resizing the exisiting sda partition with unused space

In general the main partition will have unused space Change interface properly

We can see that using the logical volume manager, the sda3 partition is 79GB but there is a logical volume sub parititon which is 39GB and not being used. 

We can free up some space in a pinch by re-partitioning:

This command will move the space from the unused partition to the main partition. 

sudo lvresize -L +20G --resizefs /dev/ubuntu-vg/ubuntu-lv  

This is not normally necessary, but important to know if gateway reverts back to old IP address or internet connection isn't working.

Firstly, check the interfaces and change them in the USS gateway UI:

On the proxy its self, you can check them by:

Firstly using ifconfig:

Then in the database. To access the database use commands

su - postgres

psql cloudgw

\dt

The command \dt isn’t necessary as it just lists the DB tables, useful if you want to see what else is there)

select * from interfaces;

To edit interfaces using the DB (which you might need to do if the gateway UI is not reachable) use a simple SQL query:

update interfaces set address='192.168.1.x' where if_name='interface_name';

Finally, the location where interfaces and IP settings tend to get stuck is netplan:

To access the netplan file use the following command:

sudo nano /etc/netplan/00-installer-config.yaml

the file will look like this:

Editing the existing entries in the file are self explanatory. However adding new entries (which you likely won’t have to do) is a bit more complex as yaml format is indent sensitive.

• Use Spaces, Not Tabs: YAML requires spaces for indentation. Tabs are not allowed.
• Consistent Number of Spaces: Use a consistent number of spaces for each level of indentation. The most common choices are 2 spaces, 4 spaces, or even 8 spaces.
• Maintain Alignment: Keep items at the same level aligned properly. This helps with readability.
• Nested Structures: When you have nested structures (like lists within lists or dictionaries within dictionaries), indent them further.

View routing table

To view the gateway routing table run the command:

route -n

Normally the gateway should route automatically between NICs, but in rare cases – for example when customers use public IP ranges instead of private ones (not 10.0.0.0, 192.168.0.0 etc) a static route may be necessary.

• SSH into the gateway using putty or a similar tool
• run “sudo su” (without quotes) to gain root privileges
• edit (or create if it doesn't exist) /etc/ussgw_custom_firewall
• if newly created add "#!/bin/bash" on top (without quotes)
• Add your route command i.e.

route add -net 40.0.0.0 netmask 255.0.0.0 gw 10.0.5.1 dev eth0

#!/bin/bash
route add -net 40.0.0.0 netmask 255.0.0.0 gw 10.0.5.1 dev eth0

chmod +x /etc/ussgw_custom_firewall

service ussgw_sysmond restart

sudo su
cd /tmp

wget https://downloads.clouduss.com/gateway/packages/ussgateway_2.0.59_amd64.deb

sudo apt-get -f install ./ussgateway_2.0.59_amd64.deb

dpkg -l | grep ussgateway

apt-get -y install krb5-user

net ads join -U mick@jotunheim.local -s /etc/samba/JOTUNHEIM.LOCAL_smb.conf

sudo su -c "psql -d cloudgw -c \"update ad_auth_domains set is_joined='1' where realm='JOTUNHEIM.LOCAL'\";" postgres

net ads keytab add_update_ads HTTP -U mick@JOTUNHEIM.LOCAL -s /etc/samba/JOTUNHEIM.LOCAL_smb.conf

klist -ke /etc/krb5.keytab

sudo su -c "psql -d cloudgw -c \"update ad_auth_domains set has_keys='1' where realm='JOTUNHEIM.LOCAL'\";" postgres

sudo su -c "psql -d cloudgw -c \"update global_config set val='1' where key='ad_authentication'\";" postgres