
Check whether one feature is completely within another (arcpy)



I have a feature class containing a single polygon feature, and I need to check whether said feature is completely within another polygon feature.

I used selectLayerByLocation and then grabbed the count (arcpy.GetCount_management) for some other intersection-based checks that need to be done; in this case, however, there is only one feature in the feature class, and getting the count will just return one (regardless of whether the polygon is entirely contained or not).

Any ideas?


A "fun" way to get around the issue of having only one feature in your input feature class would be to have the feature layer select every feature (in this case 1) and then run Select Layer By Location with the parameter selection_type = "REMOVE_FROM_SELECTION". GetCount() will then return 0 if the feature really is within the polygon (selected and therefore removed) and 1 if it is not.

A bit backwards, so just cast to int and invert the result if you want your 0 to equal 1.


The Select Layer By Location (Data Management) tool has various overlap_type values that you can use, so I think you should try:

COMPLETELY_CONTAINS - The features in the input layer will be selected if they completely contain a selecting feature. The input features must be polygons.
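Both answers above drive arcpy's Select Layer By Location to answer a purely geometric question: is the single input polygon entirely inside the other one? As an added example (not code from either answer, and not using arcpy, which needs an ArcGIS install), here is the same predicate written in plain Python for simple polygons given as vertex lists: every vertex of the inner ring must lie strictly inside the outer ring, and no inner edge may cross an outer edge. The squares and the U-shaped outer ring are constructed test data; the U case is there because a bounding-box comparison would wrongly report the polygon in the notch as contained.

```python
# Added example (not from the original post, not arcpy): a pure-Python
# "completely within" predicate for simple polygons given as vertex lists.
from typing import Iterator, List, Tuple

Point = Tuple[float, float]
Polygon = List[Point]  # ring of vertices; the closing edge back to the first vertex is implied


def _cross(o: Point, a: Point, b: Point) -> float:
    """Twice the signed area of triangle (o, a, b); the sign gives orientation."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def _edges(poly: Polygon) -> Iterator[Tuple[Point, Point]]:
    n = len(poly)
    for i in range(n):
        yield poly[i], poly[(i + 1) % n]


def _on_segment(p: Point, a: Point, b: Point) -> bool:
    """True if p is collinear with a-b and lies between a and b (inclusive)."""
    return (_cross(a, b, p) == 0
            and min(a[0], b[0]) <= p[0] <= max(a[0], b[0])
            and min(a[1], b[1]) <= p[1] <= max(a[1], b[1]))


def point_strictly_inside(p: Point, poly: Polygon) -> bool:
    """Ray casting along +x; a point on the boundary is NOT counted as inside."""
    inside = False
    for a, b in _edges(poly):
        if _on_segment(p, a, b):
            return False
        # Edge straddles the horizontal line through p (half-open test avoids
        # double-counting a vertex that lies exactly on that line).
        if (a[1] > p[1]) != (b[1] > p[1]):
            x_at_y = a[0] + (p[1] - a[1]) * (b[0] - a[0]) / (b[1] - a[1])
            if x_at_y > p[0]:
                inside = not inside
    return inside


def _proper_crossing(p1: Point, p2: Point, q1: Point, q2: Point) -> bool:
    """Segments cross at one interior point; touching endpoints do not count."""
    d1, d2 = _cross(q1, q2, p1), _cross(q1, q2, p2)
    d3, d4 = _cross(p1, p2, q1), _cross(p1, p2, q2)
    return d1 * d2 < 0 and d3 * d4 < 0


def completely_within(inner: Polygon, outer: Polygon) -> bool:
    """inner lies completely within outer iff every inner vertex is strictly
    inside outer and no inner edge crosses an outer edge (simple polygons)."""
    if not all(point_strictly_inside(v, outer) for v in inner):
        return False
    return not any(_proper_crossing(a, b, c, d)
                   for a, b in _edges(inner) for c, d in _edges(outer))


# Constructed test geometry (not from the question).
OUTER_SQUARE = [(0, 0), (10, 0), (10, 10), (0, 10)]
INNER_OK = [(2, 2), (4, 2), (4, 4), (2, 4)]
STRADDLING = [(8, 8), (12, 8), (12, 12), (8, 12)]
DISJOINT = [(20, 20), (22, 20), (22, 22), (20, 22)]
# U shape: its bounding box is the full 10x10 square, but the notch
# x in (3,7), y in (3,10) is outside the polygon.
OUTER_U = [(0, 0), (10, 0), (10, 10), (7, 10), (7, 3), (3, 3), (3, 10), (0, 10)]
IN_NOTCH = [(4, 5), (6, 5), (6, 7), (4, 7)]       # inside the bbox, outside the U
IN_LEFT_ARM = [(1, 5), (2, 5), (2, 6), (1, 6)]    # genuinely inside the U

if __name__ == "__main__":
    for name, ring in [("INNER_OK", INNER_OK), ("STRADDLING", STRADDLING), ("DISJOINT", DISJOINT)]:
        print(f"{name} within square: {completely_within(ring, OUTER_SQUARE)}")
    print("IN_NOTCH within U:", completely_within(IN_NOTCH, OUTER_U))
    print("IN_LEFT_ARM within U:", completely_within(IN_LEFT_ARM, OUTER_U))
```

The boundary is deliberately excluded (a vertex touching the outer ring fails the test), which matches the stricter reading of "completely within"; relax `_on_segment` if shared edges should count as contained.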


How do question bookmarks work?

A question is bookmarked by clicking the icon below the vote counter:

The number below the icon shows how many users have bookmarked that question. Bookmarking a question essentially says that a particular user finds it worth saving so they can find it again later. It is completely separate from the voting system and does not affect question scores or user reputation. If one of your questions has been bookmarked by enough users, you are eligible for certain badges.

Bookmarking a question lets you easily check when the post is updated and refer back to it in the future.

All questions you bookmark are listed in your user profile under the "bookmarks" tab. This makes it easy to find a question that might otherwise get lost.

The bookmarks tab in your profile has a counter showing how many bookmarked questions have received answers since you last viewed the tab. When you click on the tab, recently changed questions are highlighted. "Changed" includes comments on or edits to the question and new or edited answers. This is a way to get updates on questions you did not ask yourself.

There is no limit to the number of bookmarks you can set. You can also remove a bookmark at any time by clicking the same icon on the question itself or in your user profile. There is no limit to how many times you can add or remove a question from your bookmarks.

To search your bookmarks, add the term inbookmarks:mine to your search query.

You can see other users' bookmarks on their user profile page, and which users have bookmarked a given question with this query on the Data Explorer site, for example the list of users who have bookmarked this very question.


5 Answers

Didier Stevens has provided two open-source Python-based scripts for PDF malware analysis. There are a few others I'll point out as well.

The primary ones you want to run first are PDFiD (another one is available among Didier's other PDF tools) and Pyew.

Here is an article on how to run pdfid.py and what results to expect. Here is another example for pyew.

Finally, once you've identified possible JS, JavaScript, AA, OpenAction and AcroForms - you'll want to dump those objects, filter the JavaScript and produce raw output. This is possible with pdf-parser.py.

In addition, Brandon Dixon maintains some extremely elite blog posts on his PDF malware research, including a post about scoring PDFs based on malicious filters, just like you describe.

I personally use all of these tools!

I just came across this recent blog post by Lenny Zeltser, which is quite relevant:

6 Free Tools for Analyzing Malicious PDF Files

The tools he mentions are:

The blog post has details on them and links to other PDF analysis documents.

For the past few months I have been researching PDF analysis and how it could be improved. During that research I found myself writing tools and scripts that helped me with the work, and decided it was time to put together something more useful. PDF X-RAY is a static analysis tool that lets you analyze PDF files through a web interface or an API. The tool uses several open-source tools and custom code to take a PDF and turn it into a shareable format. The goal of this tool is to centralize PDF analysis and start sharing comments on the files seen.

PDF X-RAY differs from all other tools because it does not focus on a single file. Instead, it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures in the PDF you upload and in those that analysts have reviewed. With this feature we can start to see encoding patterns shared between malicious files, or trends due to malicious authors' coding styles. The tool is still in beta, but I wanted to release it to the public to see what users think. In my opinion the API is the most useful part, since you can begin integrating rich PDF analysis into other tools and services at little or no cost.
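The first answer above lists the names PDFiD looks for (/JS, /JavaScript, /AA, /OpenAction, /AcroForm) and the scoring approach Brandon Dixon describes. As an added example, not code from Didier Stevens, Brandon Dixon or any of the linked posts, the script below does that triage step on raw PDF bytes. The one thing it shows that a plain `grep /JavaScript` does not is PDF name escaping: the spec lets `/JavaScript` be written as `/#4A#61#76#61Script`, so the names must be decoded before counting, which is exactly why PDFiD rather than grep is the right first tool. The keyword list, weights and the one-page sample PDF are all constructed for this example.

```python
# Added example (not Didier Stevens' or Brandon Dixon's code): PDFiD-style
# keyword triage for a PDF, including the #xx name-escape trick that hides
# /JavaScript from naive grep.
import re
from typing import Dict, List, Tuple

# Names whose presence PDFiD reports; the set and the weights below are my choice.
KEYWORDS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
            "/Launch", "/EmbeddedFile", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes so /J#53 and /#4A#61#76#61Script read as /JS and
    /JavaScript. Applied to the whole file as a triage heuristic, like PDFiD does."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each keyword as a whole name (so /JS does not match /JSX)."""
    text = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def triage(data: bytes) -> Tuple[int, List[str]]:
    """Heuristic score: higher means 'open this in pdf-parser.py next'."""
    c = count_keywords(data)
    score, reasons = 0, []
    if c["/JS"] or c["/JavaScript"]:
        score += 2
        reasons.append("embedded JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        score += 2
        reasons.append("action runs automatically on open or on a page/annotation event")
    if c["/Launch"]:
        score += 3
        reasons.append("/Launch action can start an external program")
    if c["/EmbeddedFile"] or c["/RichMedia"]:
        score += 1
        reasons.append("embedded file or rich media payload")
    if c["/ObjStm"]:
        score += 1
        reasons.append("object streams: keywords may be hidden in compressed objects, "
                       "so a low count here is not a clean bill of health")
    return score, reasons


# Constructed sample (not a real malware file): a one-page PDF whose catalog
# has an /OpenAction and whose page has an /AA dictionary, both pointing at a
# JavaScript action whose names are hex-escaped to dodge a plain 'grep /JavaScript'.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /#4A#61#76#61Script /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for kw, n in count_keywords(SAMPLE_PDF).items():
        if n:
            print(f"{kw:<14}{n}")
    score, reasons = triage(SAMPLE_PDF)
    print(f"score={score}: " + "; ".join(reasons))
```

Run it on a real sample with `triage(open(path, "rb").read())`. A zero count is not a clean result when /ObjStm is present: the interesting names may sit inside FlateDecode'd object streams, which is the case pdf-parser.py (with its stream-decoding options) is for.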


  • Use 64-bit Ubuntu - The vast majority of EFI-based PCs use 64-bit firmware, and Ubuntu is set up so that you can only install 64-bit Ubuntu on such systems - at least by default. (You can jump through hoops to install 32-bit Ubuntu, but there are seldom reasons to do so.)
  • Disable Fast Startup and hibernation in Windows - These Windows features are likely to cause filesystem damage in a dual-boot environment, so they should be disabled. See here and here for information on this. Note that the Windows Fast Startup feature is completely separate from the similarly named feature in many EFIs. Disabling the EFI feature is rarely necessary (but sometimes it is). It is not clear from your description whether you disabled the Windows feature or the EFI one. Failing to disable these features won't have caused the problems you've encountered, but they will cause problems, so you should deal with them now.
  • Disable BIOS/CSM/legacy mode in your firmware - In most (but not all) EFIs, this option, if active, makes it possible (but not certain) that you will boot in BIOS mode. Disabling this option completely usually (but not always) prevents booting in this mode. The naming of the CSM feature varies from system to system. Usually you must disable the feature, but in some cases you must set the boot mode to "UEFI only" or something similar.
  • Prepare the boot medium properly - If you convert the .iso file to a bootable flash drive with a tool, that tool may or may not copy the EFI boot loader to the USB drive. Even if the EFI/BOOT/bootx64.efi file appears to be present, the EFI may not like some details of how the USB drive was prepared (such as its partition table). Another tool may be needed. Rufus generally does this well. I give additional comments on this at the end of the CSM page referenced below.
  • Use the appropriate boot option - In most cases you will see two boot options for the external boot medium in the computer's boot manager. One of these options includes the string "UEFI" and one does not. Choose the one that includes the string "UEFI" if both are present; the other will likely boot in BIOS mode.
  • Use "Something else" - In many cases, when you run the installer, the "install alongside" options are missing from the Ubuntu installer's menu. This is simply a limitation of the installer, and to work around it you must use the "Something else" option (as described here).

Note that disabling Secure Boot is rarely necessary. Ubuntu supports Secure Boot and usually works fine. There are rare cases of incompatibility due to bugs in the EFI and/or in an Ubuntu component, but these usually cause the Ubuntu installer to fail to boot. Secure Boot can also complicate the use of some other drivers after booting.
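Several of the bullets above are things you can verify from a running Linux system before touching firmware settings: whether you booted in UEFI or BIOS mode, whether the firmware is 64-bit, whether Secure Boot is on, and whether the USB stick actually carries `EFI/BOOT/bootx64.efi`. The script below is an added example (not the answer's own code) that reads those facts from `/sys/firmware/efi` the way the kernel exposes them: the `efi` directory exists only on EFI boots, `fw_platform_size` holds the firmware width, and the `SecureBoot` efivar is 4 attribute bytes followed by a single data byte. Every function takes a root path so it can run against `/` on a real machine or against the constructed fixture trees that `demo()` builds; the placeholder loader file and the GUID-named variable in those trees are test data, not real firmware artefacts.

```python
# Added example (not from the answer above): read-only checks for the boot-mode,
# firmware-width, Secure Boot and install-medium points in the list, written so
# they can be pointed at "/" on a live system or at a constructed tree for testing.
from pathlib import Path
from typing import Any, Dict, Optional

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; efivarfs names every
# variable as <Name>-<GUID>.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def boot_mode(root: Path = Path("/")) -> str:
    """'UEFI' if the kernel was started by EFI firmware (efi directory exists), else 'BIOS'."""
    return "UEFI" if (root / "sys/firmware/efi").is_dir() else "BIOS"


def firmware_bits(root: Path = Path("/")) -> Optional[int]:
    """64 or 32 from fw_platform_size (the 'use 64-bit Ubuntu' bullet); None if unknown."""
    try:
        return int((root / "sys/firmware/efi/fw_platform_size").read_text().strip())
    except (OSError, ValueError):
        return None


def secure_boot_state(root: Path = Path("/")) -> str:
    """'enabled', 'disabled' or 'unknown' from the SecureBoot variable.
    efivarfs files start with 4 bytes of variable attributes, then the data;
    SecureBoot's data is one byte, 1 = enabled."""
    var = root / "sys/firmware/efi/efivars" / f"SecureBoot-{EFI_GLOBAL_GUID}"
    try:
        raw = var.read_bytes()
    except OSError:
        return "unknown"
    if len(raw) < 5:
        return "unknown"
    return {0: "disabled", 1: "enabled"}.get(raw[4], "unknown")


def has_efi_loader(medium: Path) -> bool:
    """True if the medium carries the fallback loader a 64-bit EFI looks for
    (EFI/BOOT/BOOTX64.EFI, matched case-insensitively since FAT is case-insensitive)."""
    boot_dir = medium / "EFI" / "BOOT"
    if not boot_dir.is_dir():
        return False
    return any(p.name.lower() == "bootx64.efi" for p in boot_dir.iterdir())


def preflight(root: Path = Path("/"), medium: Optional[Path] = None) -> Dict[str, Any]:
    return {
        "boot_mode": boot_mode(root),
        "firmware_bits": firmware_bits(root),
        "secure_boot": secure_boot_state(root),
        "efi_loader_on_medium": has_efi_loader(medium) if medium else None,
    }


def demo() -> Dict[str, Dict[str, Any]]:
    """Runs preflight() against constructed trees: a 64-bit UEFI system with
    Secure Boot on plus a well-prepared USB stick, and a BIOS-booted system
    plus a stick that lacks the EFI loader."""
    import tempfile
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uefi = base / "uefi"
        efivars = uefi / "sys/firmware/efi/efivars"
        efivars.mkdir(parents=True)
        (uefi / "sys/firmware/efi/fw_platform_size").write_text("64\n")
        (efivars / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(b"\x06\x00\x00\x00\x01")
        bios = base / "bios"
        (bios / "sys/firmware").mkdir(parents=True)
        usb_ok = base / "usb_ok"
        (usb_ok / "EFI/BOOT").mkdir(parents=True)
        (usb_ok / "EFI/BOOT/bootx64.efi").write_bytes(b"MZ")  # placeholder, not a real PE image
        usb_bad = base / "usb_bad"
        (usb_bad / "boot").mkdir(parents=True)
        out["uefi"] = preflight(uefi, usb_ok)
        out["bios"] = preflight(bios, usb_bad)
    return out


if __name__ == "__main__":
    print("this system:", preflight())
    print("fixtures:   ", demo())
```

On a live system `preflight(Path("/"), Path("/media/usb"))` answers the first, fourth and last bullets in one call; reading the efivar needs efivarfs mounted (the default on modern distributions), and an "unknown" result on a UEFI system usually means the firmware does not expose the variable at all.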



Q1. You have an application with a 100 GB MySQL database that you are migrating to AWS. What should you consider when deciding whether to host the database on RDS for MySQL or Aurora?

  • cost
  • ease of maintenance and granularity of control
  • all of these answers
  • the current storage engine used by the application, such as InnoDB or MyISAM

Q2. Which database is a type of NoSQL database that can quickly store and retrieve key-value pairs?

Q3. Your database is an RDS instance running SQL Server with Multi-AZ replication, and you have several older .NET console utilities that perform database operations every 15 seconds. When the cluster has to fail the primary database server over to the secondary AZ, the .NET utilities start reporting database connection errors, even though other applications can access the database. How do you fix this problem?

  • Use the RDS console to force a reboot of the database instance so that the primary server becomes the master again.
  • The server running the .NET utilities is caching the DNS lookup of the database cluster address. Flush the server's DNS cache and force the C# utilities to open new connections to the database.
  • The .NET application will retain the IP address of the connection string until the host machine is rebooted.
  • The .NET utilities need to change the SQL Server endpoint in their connection strings to read from the secondary database server, using a try/catch.

Q4. Which AWS services can help you automate your development pipeline for continuous integration and continuous deployment?

Q5. Which AWS service complies with the standards described in the Payment Card Industry Data Security Standard (PCI DSS) Level 1 for processing and transmitting credit card data?

  • API Gateway
  • all of these answers
  • Simple Queue Service (SQS)
  • Kinesis Data Streams

Q6. You have a large number of files on network-attached storage that must be archived and retained for 10 years because of industry regulations. This data will be rarely accessed but must be kept. Which AWS service is best for storing this data?

Q7. You have created a random password of the maximum allowed length, including special characters, for your AWS root account. What additional steps should you take to secure your AWS root account?

  • Create an IAM role for the account administrator with the highest privileges. Do not store the root password; when the root account is needed, reset the password via email confirmation and repeat this process.
  • Store the randomly generated password in your organization's secrets database using a service such as 1Password or LastPass, and grant access to this secret only to the DevOps group.
  • Create IAM accounts for your administrators and attach the AdministratorAccess policy to their accounts. Disable the root account in the user settings.
  • Create an IAM role for the account administrator with the highest privileges and do not use the root account for day-to-day operations. Enable two-factor authentication on the root account.

Q8. Which Elastic Load Balancing option supports Lambda as a target?

  • Network Load Balancer
  • Incoming web requests cannot call Lambda directly. You must use API Gateway.
  • Classic Load Balancer
  • Application Load Balancer

Q9. How do you design a solution for replicating a SQL Server database across AWS regions in an active-active architecture?

  • Use RDS for SQL Server and create the same instance in two different regions. Use Database Migration Service to keep each database in sync.
  • Use a VPN or VPC peering to establish a connection between the VPCs in each region. Install SQL Server Enterprise Edition on EC2 instances in each region and configure an Always On availability group.
  • Use RDS for SQL Server 2016 or 2017 Enterprise Edition. Enable Multi-AZ support and select the Mirroring/Always On option. Select another region for the mirroring option.
  • You cannot set up an active-active architecture for SQL Server that spans geographic regions.

Q10. How much does it cost to launch an EC2 instance from the AWS Marketplace?

  • All images on the AWS Marketplace charge an hourly fee on top of the cost of the instance size you select.
  • You can only launch images created by other users in your AWS account, so you pay only for the instance size you select and the S3 storage costs for the base image.
  • Each image has its own pricing, which may be free or include software licensing costs. You will also pay for the instance the image runs on.
  • All images on the AWS Marketplace contain only open-source software with no additional charges and are created by other AWS users. You pay only for the instance size you select.

Q11. What maintenance tasks should you perform on the EC2 instances in an ECS cluster?

  • Instances created by ECS have no patches that need to be applied, but make sure your containers include the important security updates.
  • Refresh the cluster with instances built from the latest ECS AMI.
  • ECS clusters do not use EC2 instances.
  • You should not directly manipulate the EC2 instances created by ECS. AWS will automatically update these instances.

Q12. Which in-memory caching server is not supported by ElastiCache?

Q13. Which AWS service can you use to produce the documentation required by various compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) Level 1 for processing credit card data?

  • Artifact
  • DocumentDB
  • Print the AWS compliance summary and store it with the documentation required for the audit.
  • Secrets Manager

Q14. For a planned migration to AWS of an environment used for research and development, how do you prevent unexpected increases or spikes in billing?

  • Use the billing dashboard to create a cost budget. Enter the maximum amount you want to be billed each month. Any costs incurred above that amount will cause AWS to automatically shut down those resources.
  • Using the AWS root account, activate IAM access to the account's billing information. Make sure your IAM users have the Billing FullAccessGroup policy. Then check the incurred charges once a day in the billing dashboard.
  • If you are using the AWS Free Tier, you will have to confirm the use of any service that exceeds the AWS Free Tier limits.
  • Using the AWS root account, enable Billing Alerts in the user preferences. Then use CloudWatch to create a billing alarm and set the threshold to a specific dollar amount for your estimated monthly charges.

Q15. You are creating a DynamoDB table to store all the movies released since 1938. Your application will allow users to search by movie title and view that movie's details. Given the sample below showing the movie data you will be importing, what is the best set of keys for this table?

  • The primary key should be a partition key on the title field.
  • The primary key should be the title field, and the partition key should be the genre field.
  • The primary key should be a composite key consisting of a partition key on the title field and a sort key on the year field.
  • The primary key should be created as a completely unique value, such as a sequential numeric list of movie IDs. The partition key should be the title field for fast lookups.

Q16. Which data store offers a simple and fast way to store basic user attributes in an object format?

Q17. You need a schemaless database. Which Amazon database service offers this solution?

Q18. Which communication channel does SNS not natively support?

Q19. What key concept must you keep in mind when designing a serverless web application with Lambda?

  • Serverless web applications run in the user's web browser, so you will need to save the data the user changes directly to the database.
  • Lambda only lets you write functions in JavaScript.
  • Lambda does not use servers, so it can only return the same request to each user.
  • Lambda is stateless, so it will not remember who the user is between requests.

Q20. A DevOps principle is to treat infrastructure as code. Which AWS service allows you to script your AWS infrastructure?

Q21. You have created a Windows EC2 instance with a public IP address and installed SQL Server. When attempting to connect to the SQL Server from SQL Server Enterprise Manager on your local computer, a connection to the server cannot be established. What should you check first?

  • Check the routing tables for the VPC.
  • Check that the assigned security groups allow TCP port 1433 traffic from your current IP address.
  • Check the Windows Firewall policies.
  • Check that you are connecting to the instance with a user other than sa.

Q22. You are hosting an application configured to stream media to its clients on TCP ports 3380-3384, 3386-3388 and 3390. The Inbound tab below shows three inbound security group policies attached to this instance. Which policy should you apply?

  • The rule exposing TCP ports 3380-3390 would also publicly expose port 3389 (RDP) to the entire Internet. Write separate rules to expose only the necessary ports.
  • The first security group rule allows all traffic to this instance. Exposing the entire instance to the whole Internet leaves the server open to various attacks on other services running on different port numbers.
  • Verify that the AWS account owners actually control the entire class C CIDR block for 12.228.11.0-255 and that these are the protected IPs for RDP access to this instance.
  • No recommendations.

Q23. You have four front-end web servers behind a load balancer that use NFS to access another EC2 instance that resizes and stores images for the front-end application. What security group policies should be assigned to these servers?

  • Assign Elastic IPs to all instances and create a group that allows all traffic to pass between the five Elastic IP addresses and allows all inbound HTTPS traffic.
  • The front-end web servers should allow HTTPS. Assign a second group to all instances that allows all traffic to pass between the instances that use this group.
  • Create a security group that allows inbound NFS, HTTP and HTTPS traffic from all IP addresses. Apply this group to all servers.
  • Create a security group that allows inbound HTTP and HTTPS traffic from all IP addresses and apply it to the web servers. Create a second security group for the NFS file store that allows outbound NFS traffic to the private IP range of the front-end web servers.

Q24. You have a Linux EC2 web server that suddenly times out on all HTTP requests, and SSH connection attempts also time out. You notice that it is failing the system status check in the EC2 console. What action should you take?

  • Restore the instance from the last AMI image. A failing system status check indicates that the file system on the instance is corrupted.
  • Stop and start the instance. This will move the instance to another host.
  • Contact AWS Support. A failing system status check indicates a fault in the underlying hardware, so it must be resolved by an AWS representative.
  • Reboot the instance. This will stop and start the instance and move it to another host.

Q25. You have several on-premises servers and would like to store your off-site backups in AWS. Which fully managed backup service can you use to send your backups to AWS?

  • Windows Server 2016 supports S3 as a target when using Storage Replica.
  • Use Storage Gateway.
  • Sync the files directly to S3 using the AWS CLI.
  • Use the RDS console to force a reboot of the database instance so that the primary server becomes the master again.

Q26. What is the best practice for creating a highly available PostgreSQL database in RDS that can withstand the loss of a single AWS region?

  • PostgreSQL cannot be replicated across regions. Restore the database backups from an S3 bucket and redirect database connections to the new instance.
  • Create read replicas in other AWS regions. You can promote a new master database from any of the read replicas until the regional failure is resolved.
  • Verify that your instance is configured for Multi-AZ support. Database changes will automatically be synced to another region in the event of a failure, and RDS will automatically select a new master until the regional failure is resolved.
  • Create read replicas in other AWS regions. Make sure read operations against the database are performed on an available read replica, and send write operations to another region if you have to promote a read replica to a standalone database when the master goes down.

Q27. You have created a new Linux EC2 instance and installed PostgreSQL, but you cannot connect to the server from your local machine. What steps do you take to solve this problem?

  • Create a security group rule that allows all traffic from 0.0.0.0/0. This will verify whether or not another rule is rejecting the traffic.
  • Check that the assigned security groups allow traffic from your IP address to port 5432. Check that PostgreSQL is configured to listen for external traffic and is bound to the public interface.
  • Make sure you are using an Elastic IP and that it is included in the postgresql.conf configuration file.
  • Stop and start the instance. New security group rules only take effect after a reboot.
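Q21, Q22, Q23 and Q27 all turn on reading inbound security group rules correctly: which source CIDR a rule admits, and which ports a port range exposes as a side effect (3380-3390 silently includes 3389/RDP, and an all-traffic rule includes every admin port). As an added example that is not part of the quiz and not AWS code, the script below audits a list of inbound permissions in the shape `describe-security-groups` returns under `IpPermissions`, then computes the fewest contiguous ranges that open exactly a required port list, which is the "write separate rules" remediation from Q22. The sample permissions are constructed to mirror the three rules Q22 describes (the actual screenshot is not on the page); the admin-port table and the HIGH/INFO labels are my choice.

```python
# Added example (not AWS code, not part of the quiz): audit inbound security
# group rules in the shape describe-security-groups returns, and compute the
# exact ranges a rule should be split into.
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Ports that should never be open to the whole Internet; my choice of list.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 3306: "MySQL",
               5432: "PostgreSQL", 2049: "NFS"}


def _is_world(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only networks with prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _sources(perm: Dict) -> List[str]:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _port_span(perm: Dict) -> Tuple[int, int]:
    if perm["IpProtocol"] == "-1":          # "All traffic" in the console
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_inbound(ip_permissions: Sequence[Dict]) -> List[str]:
    findings = []
    for perm in ip_permissions:
        lo, hi = _port_span(perm)
        proto = perm["IpProtocol"]
        exposed = [f"{p} ({name})" for p, name in sorted(ADMIN_PORTS.items()) if lo <= p <= hi]
        for src in _sources(perm):
            if proto == "-1" and _is_world(src):
                findings.append(f"HIGH: all traffic from {src}: entire instance exposed to the Internet")
            elif _is_world(src) and exposed:
                findings.append(f"HIGH: {proto} {lo}-{hi} from {src} also exposes "
                                f"{', '.join(exposed)} to the Internet")
            elif exposed:
                findings.append(f"INFO: {proto} {lo}-{hi} from {src} exposes "
                                f"{', '.join(exposed)}; confirm you control this range")
    return findings


def contiguous_ranges(ports: Sequence[int]) -> List[Tuple[int, int]]:
    """Collapse a port list into the fewest contiguous (from, to) ranges."""
    if not ports:
        return []
    ordered = sorted(set(ports))
    ranges, start, prev = [], ordered[0], ordered[0]
    for p in ordered[1:]:
        if p != prev + 1:
            ranges.append((start, prev))
            start = p
        prev = p
    ranges.append((start, prev))
    return ranges


def rules_for_ports(ports: Sequence[int], cidr: str, proto: str = "tcp") -> List[Dict]:
    """Replacement IpPermissions that open exactly the needed ports."""
    return [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}
            for lo, hi in contiguous_ranges(ports)]


# Constructed to mirror the three rules described in Q22 (the real screenshot
# is not on the page).
SAMPLE_INBOUND = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3380, "ToPort": 3390, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "12.228.11.0/24"}]},
]
STREAMING_PORTS = [*range(3380, 3385), *range(3386, 3389), 3390]

if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_INBOUND):
        print(line)
    print("replace rule 2 with:", contiguous_ranges(STREAMING_PORTS))
```

Feed it real data with `audit_inbound(boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"])`. Note that `rules_for_ports(STREAMING_PORTS, "0.0.0.0/0")` produces three rules none of which include 3389, which is the whole point of Q22; for Q23 the same audit flags an NFS (2049) rule from 0.0.0.0/0 as HIGH, since NFS should only be reachable from the web servers' private range.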

Q28. What does the statement body of this S3 bucket policy do?

  • bucketpolicy1 allows any user to perform any action on objects in the userreports bucket, but restricts objects to read-only permissions for anyone coming from 68.249.108.0 to 68.249.108.255 - except 68.249.108.128.
  • bucketpolicy1 allows any user coming from the 68.249.108.0 IP range to access objects in the userreports bucket and denies access to 68.249.108.128.
  • bucketpolicy1 allows any user to perform any action on objects in the userreports bucket - except anyone coming from IP 68.249.108.128.
  • bucketpolicy1 allows any user coming from the IP range 68.249.108.0 to 68.249.108.255 to access objects in the userreports bucket - except anyone coming from IP 68.249.108.128.
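Q28 asks what a bucket policy with IP conditions does, but the policy itself is not on the page. The evaluator below is an added example, not AWS code and not the quiz's policy: the `CONSTRUCTED_POLICY` it ships with (an Allow on s3:GetObject conditioned on aws:SourceIp 68.249.108.0/24, plus a Deny for 68.249.108.128/32 on s3:*) is made up to show how such statements combine under the IAM evaluation rules, which are that an explicit Deny beats any Allow and that a request matching no statement is implicitly denied. Only the IpAddress and NotIpAddress operators are implemented, and Principal is assumed to be `*` throughout.

```python
# Added example (not AWS code; the quiz's actual policy is not on the page):
# a minimal evaluator for bucket-policy statements with aws:SourceIp conditions.
import fnmatch
import ipaddress
from typing import Any, Dict, List

# Constructed policy: read access for one /24, with one host in that range
# explicitly denied. Written to illustrate Q28-style statements, not taken from it.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "bucketpolicy1",
    "Statement": [
        {"Sid": "AllowReadsFromOfficeRange", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::userreports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "68.249.108.0/24"}}},
        {"Sid": "DenyOneHost", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::userreports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "68.249.108.128/32"}}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches_pattern(value: str, patterns: Any) -> bool:
    """IAM Action/Resource matching: '*' and '?' wildcards; ARNs matched as given."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Dict[str, Any]], source_ip: str) -> bool:
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} not supported here")
        networks = [ipaddress.ip_network(c, strict=False)
                    for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(ip in n for n in networks)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str, source_ip: str) -> str:
    """Returns 'explicit-deny', 'allow' or 'implicit-deny'. Deny always wins;
    a request matching no statement is implicitly denied. Principal is assumed
    to be '*' (anonymous or any caller) for every statement. Action names are
    case-insensitive in IAM, so both sides are lower-cased before matching."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not _matches_pattern(action.lower(), [a.lower() for a in _as_list(st["Action"])]):
            continue
        if not _matches_pattern(resource, st["Resource"]):
            continue
        if not _condition_holds(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::userreports/2020/q1.csv"
    for ip in ("68.249.108.10", "68.249.108.128", "203.0.113.5"):
        print(ip, evaluate(CONSTRUCTED_POLICY, "s3:GetObject", obj, ip))
    print("PutObject from office:", evaluate(CONSTRUCTED_POLICY, "s3:PutObject", obj, "68.249.108.10"))
```

Under this constructed policy a reader at 68.249.108.10 is allowed, the host 68.249.108.128 is explicitly denied, an outside address is implicitly denied, and a write from the office range is implicitly denied because no statement grants it, which is the reasoning the fourth Q28 option describes. For a real policy, paste it into `CONSTRUCTED_POLICY` and extend `_condition_holds` before trusting the result, since the evaluator deliberately raises on operators it does not implement rather than guessing.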

Q29. A new developer has been added to the team and you need to grant access to the organization's AWS account. What is the best practice for granting access?

  • Give the new developer the IAM login that is assigned to the development group. This IAM user should already include all the policies the developer would need.
  • Create an IAM user for the new developer. Manually assign policies to the new IAM user account.
  • Do not give the new developer access to the AWS console. Using the IAM user assigned to the development group, create a new set of access keys and label them with the developer's name.
  • Create an IAM user for the new developer. Assign the new developer to the developer group you have already created for the other developers.

Q30. Which use case is appropriate for instance storage when launching an EC2 instance with an instance type that supports instance storage?

  • Use the instance store to serve temporary files that require low-latency I/O.
  • Use the instance store to process files uploaded by your users. Because it is more secure than an EBS volume, you can isolate malicious files from infecting your server.
  • Instance storage is faster than EBS volumes, so install the operating system root on this volume to speed up the server.
  • Instance storage is a deprecated storage option and should not be used.

Q31. What is the best practice for horizontally scaling a legacy ASP.NET web application that relies on Active Directory and is currently deployed on a single Windows EC2 instance?

  • Use Sysprep to shut down the instance during a maintenance window. Create an AMI image and place both servers behind an Application Load Balancer with sticky sessions.
  • Launch a new EC2 instance with the latest version of Windows Server and reinstall the application. Use an Application Load Balancer and sticky sessions to balance between the servers.
  • Create a clone of the server using an AMI image and use an Application Load Balancer to balance traffic between both instances using sticky sessions.
  • Horizontal scaling is not the best practice in this case. Increase the size of the existing EC2 instance and scale the application vertically.

Q32. What does this snippet of a CloudFormation template do?

  • It writes VPC network flow logs to the CloudWatch log group FlowLogsGroup. You can use this to review the network connections of your VPC.
  • It logs all network traffic within the VPC, except for the instance IDs defined by LogVpcID, and reports it to the CloudWatch log group FlowLogsGroup.
  • It logs all network traffic routed to and from a single EC2 instance to the CloudWatch log group FlowLogsGroup. You can use this to review suspicious network traffic reaching the EC2 instance.
  • It logs all DNS requests sent by resources within the VPC to CloudWatch FlowLogsGroup. Use this to diagnose DNS lookup failures in your environment.

Q33. You are running Docker containers on ECS. Which metric is the most important to monitor?

  • The number of running containers for each service, within CloudWatch.
  • The instance status of each EC2 instance in your cluster, within CloudWatch.
  • Monitor the EC2 service dashboard. Watch for published outages of the ECS service.
  • The memory usage of each EC2 instance in your cluster, within CloudWatch.

Q34. An Application Load Balancer can route traffic to several different target groups based on several conditions. Which of these examples is not supported by the Application Load Balancer?

  • A request with the HTTP header X-Request-With: staging can be routed to a target group for an ECS service in your staging environment.
  • Source IPs matching 192.0.2.0/24 on listener port 1433 can be routed to a target group for an RDS for SQL Server cluster.
  • The path /signup* can be routed to a target group for a Lambda function that processes new user registrations.
  • The query string of an HTTP POST, ?action=createuser, can be routed to a target group for an ECS service.

  • creates a cloud network to interconnect a set of virtual servers and devices
  • creates a secure tunnel between two networks
  • creates a shared memory plane for sharing application data across multiple instances.
  • creates a private network that is completely isolated from the public Internet.

Q36. Can you lose the public IP address associated with your EC2 instance?

  • Yes, you can lose it when you reboot the instance.
  • Yes, you can lose it if you stop and start the instance.
  • No, you will never lose the public IP address for your instance.
  • Yes, you can lose it when you edit the instance properties and release the IP address.

Q37. Where is the best place to store database backups on an EC2 instance that is configured as a database server?

  • an S3 bucket synced with the database backups via a script that invokes the AWS CLI
  • an EBS volume attached to the instance
  • an instance store attached to the instance
  • an instance store with a script that replicates the database backups to another instance in another availability zone.

Q38. Which of these is a valid limitation of VPC properties?

  • You can only have 10 Internet gateways per region on a new AWS account.
  • You can only have 10 VPCs per region on a new AWS account
  • You cannot create a CIDR block with a netmask larger than /16
  • You can only have 10 subnets in a VPC

Q39. You have a Linux EC2 instance that is not responding to requests, and you cannot connect to it via SSH. Using the EC2 console, you issued a command to stop the instance, but the instance has been in the "stopping" state for the last 10 minutes. What is the next step?

  • Issue another stop action via the EC2 console and select the option to force-stop the instance.
  • Create an AMI image of the instance and select the option to take the image without rebooting the instance.
  • Edit the instance properties and increase the instance size.
  • Contact AWS Support. Any further actions could corrupt the file system.

Q40. You have 14 on-premises servers: 4 database servers, 6 servers running GIS software, 3 file servers and 4 development servers. What considerations should you take into account when migrating these servers to AWS?

  • AWS cannot separate billing for compute costs, so you will need to develop a way to split the budget between departments.
  • New AWS accounts are limited to 20 on-demand EC2 instances. Submit a limit increase request before starting the migration.

Q41. As your web application grows and your application monitoring needs become more complex, which additional log monitoring services should you NOT consider?

Q42. You have a T2 EC2 instance that is critical to your infrastructure. How would you monitor the most important metric for this instance?

  • Turn on CloudWatch auto recovery and include monitors on the system status and instance status checks, so that you are notified when either alarm fires.
  • Use CloudWatch to put monitors on the remaining CPU credits. If you run out of CPU credits, the instance will be stopped.

Q43. Which feature can be used to respond to a sudden increase in web traffic?

  • EC2 Auto Scaling groups
  • AWS Shield Advanced
  • RDS read replicas
  • all of these answers

Q44. If a set of servers is located in a private subnet of your VPC, how can you connect these servers to on-premises servers?

  • Establish a connection with AWS Direct Connect.
  • Use the AWS VPN client.
  • Install an OpenVPN server on an instance located in the subnet with an Elastic IP.
  • All of these options can establish a connection to a private subnet.

Q45. You have a UDP load balancer created by an instance running an NGINX proxy. An application performance management (APM) solution can detect failures in your load balancer instance and transfer the Elastic IP to a passive standby instance. Which script, using the AWS CLI, do you program into your APM to move the Elastic IP?

Q46. Which service can host your Docker containers?

  • Lightsail
  • Elastic Container Service (ECS)
  • Elastic Compute Cloud (EC2)
  • All of these services can host a Docker container.

Q47. What does the Public badge next to a bucket name in the S3 console, under the Access column, indicate?

  • All objects in this bucket are assigned public access and can be read or written by anyone on the Internet. Ensure no sensitive data is being publicly shared within this bucket.
  • All objects within this bucket are writable, which means that the public internet has the ability to upload any file directly to your S3 bucket. Your S3 bucket could be used to serve malware.
  • Some objects within this bucket are assigned public access. Verify that any publicly shared objects within this bucket contain no sensitive data.
  • Objects within this bucket can be made public, if the ACL on that object is set to allow everyone access. Private buckets do not allow you to set public permissions on any object.

Q48. What privilege is specific to the AWS root account, and cannot be granted to another IAM user on the account?

  • Revoke the AdministratorAccess role or grant it to another IAM user.
  • Create a new hosted zone in Route 53.
  • Delete the AWS account.
  • Modify the billing details.

Q49. Your application is sending 50,000 emails through SES each day. Since you must maintain a low bounce rate to avoid being put on probation, what simple system do you architect to automatically process hard bounces?

  • Configure SES to send all bounce events to an SNS topic. Create a Lambda function that processes each hard bounce event and automatically flags that account as a bounce in your application to prevent further sending attempts.
  • Configure SES to no longer send to email addresses that are on your bounce list.
  • Configure SES to send the logs of all delivery attempts through Kinesis Firehose. Process each event and look for bounce types and remove these emails from your list.
  • Send all emails through SES with a custom reply-to header. Configure SES to listen for events on this email address and flag any email address that replies to this account as a bounced message and remove it from your email list.

Q50. Your web application is getting a suspicious amount of bad requests from foreign IP addresses. Your business is operating in only a few countries and you would like to block any other traffic. What is the best practice for limiting access to your web application by country?

  • Use Web Application Firewall and create a geo match condition to drop all requests from countries that aren't on your allow list.
  • Use Application Load Balancer to create a new routing rule that looks at source IP address. Add an IP block for the countries that have access.
  • Host the front end of your website in CloudFront and configure a geo restriction on the distribution.
  • Use CloudTrail to monitor the IP addresses of the bad requests. Use Lambda to add these IP addresses to an Application Load Balancer rule that blocks the IPs.

Q51. What is the best practice for maintaining Windows EC2 instances and applying updates?

  • Turn on auto update in Windows Update on each EC2 that is launched, or create your own AMI with this feature enabled and launch all of your EC2 instances from this AMI.
  • Create a maintenance schedule that an employee must fill out each week confirming a visual inspection of each instance was conducted and which patches were applied.
  • Use AWS Systems Manager Patch Manager to find and patch instances that require updates during a set maintenance window.
  • Install Windows Server Update Services on your primary Active Directory controller.

Q52. In addition to CloudFormation, you can use other orchestration tools to automate server formation and maintenance. Which tool is not an efficient choice for the orchestration of a large infrastructure?

Q53. What happens to a SQL Server RDS instance if the databases increase in size and go over the allocated space?

  • RDS will automatically increase the allocated space by 10% and will send the AWS root account an email with resolution steps. Allocate more space to avoid overage charges.
  • The database instance will report a STORAGE_FULL status and become inaccessible if the instance does not have enough remaining storage to operate. Allocate more space to the instance.
  • SQL Server will close all existing connections to the databases and attempt to shrink its log files to reclaim storage space.
  • RDS will automatically increase the allocated space by 5% and will continue to allocate new space up to 50% of the original allocated space. When storage space has increased 50%, RDS will automatically stop the instance to preserve data integrity.

Q54. You have a fleet of IoT devices that send telemetry to a server-side application provided by your IoT vendor for decoding a proprietary messaging format. The devices are provisioned to send telemetry reports to your server via UDP on port 6339. What is the best way to scale this server as more IoT devices are added to your fleet?

  • Use a Network Load Balancer to distribute the traffic across your servers. Use UDP health checks to determine if the server is available to receive traffic.
  • Use Route 53 with HTTP health checks. Create an application on the server to report the readiness status of the vendor-provided server software to Route 53 via HTTP.
  • Use Route 53 with UDP health checks. As you scale up, Route 53 will route the traffic to the new servers if they pass the health checks.
  • Use Application Load Balancer to distribute the traffic across your servers.

Q55. The outbound rules of a security group only allow traffic going to 0.0.0.0/0 on TCP port 22 (SSH) and TCP port 3306 (MySQL). Review the inbound rules listed in the image below. What is the most important issue to fix with this security group configuration, for an Ubuntu EC2 instance acting as a web server?

  • The outbound rules block UDP port 53, so the server will not be able to resolve any DNS lookups.
  • The outbound rules do not allow for HTTP traffic to leave the instance, so inbound HTTP requests will fail because the clients will never get HTTP responses.
  • The incoming SSH port should not be open to the public. Limit SSH to a single IP address or IP range of controlled addresses, or use a VPN to access the VPC for this server.
  • All incoming TCP ports are exposed, which overrides the HTTP and SSH rules and exposes all TCP ports to the public internet.

Q56. An EC2 instance running a WordPress site keeps getting hacked, even though you have restored the server several times and have patched WordPress. What AWS service can help you detect and prevent further attacks?

Q57. A nontechnical client wants to migrate a WordPress site to AWS from a private server managed by a third-party hosting company. Which AWS service should you recommend to migrate the site to?

  • CloudFront
  • An EC2 instance launched from the official WordPress AMI
  • S3
  • Lightsail

Q58. Your company has on-premise servers with an existing onsite backup solution that also replicates backups to another campus on the other side of the country with its own on-site backup solution. You have been asked to create a third level of redundancy by also storing these backups in the cloud. In the event of a primary and secondary backup failure, your boss wants to know that the cloud backups can be accessible as fast as possible to reduce downtime during the recovery. What S3 storage class do you recommend for cost and performance?

  • S3 Standard
  • S3 Intelligent-Tiering
  • S3 Glacier
  • S3 One Zone-Infrequent Access

Q59. Which big data store will let you store large streams of user activity data coming from both web and mobile applications?

Q60. What option is best for Auto Scaling your EC2 instances for predictable traffic patterns?

  • scale based on a schedule
  • manual scaling
  • scale based on demand
  • maintain current levels at all times

Q61. You are migrating an on-premise RabbitMQ cluster into AWS. Which migration path should you choose for ease of both maintenance and deployment?

  • Rewrite the parts of your application that use RabbitMQ to use SQS.
  • Launch a RabbitMQ cluster with EC2 instances using a supported AMI.
  • Rewrite the parts of your application that use RabbitMQ to use Kinesis.
  • Rewrite the parts of your application that use RabbitMQ to use Amazon MQ.

Q62. When creating a new RDS instance, what does the Multi-AZ option do?

  • replicates backups of your database to S3 and makes them available across regions to prevent against any data loss
  • creates a second passive database instance within the same region that will become the primary database during a failover
  • creates a highly available database cluster that will host your database cluster in at least two regions
  • creates another database instance in another region and keeps a hot standby active to failover to during regional failures

Q62. What is the best EC2 instance class for a server that continuously has a heavy CPU load?

Q63. Your application performance management (APM) system can read the status of your CloudWatch monitors and perform scripted actions. When the CloudWatch metric StatusCheckFailed enters a failed state (a value of 1), you would like your APM to automatically repair the instance. Which script do you use?

Q64. What is wrong with the third incoming security group rule, which allows all traffic from sg-269afc5e to go to an Ubuntu EC2 instance configured as a web server?

  • All traffic on all ports is being denied into this instance, which overwrites the HTTP rule and makes it redundant.
  • The instance was launched with the default security group, but there is no way for an administrator to SSH into the instance. Add another rule that allows for SSH access from a secured source, such as a single IP or a range of managed IP addresses.
  • There is nothing wrong with this security group rule. Assuming that sg-269afc5e is applied to other resources that are properly secured, this rule allows all traffic to pass through that is also assigned security group sg-269afc5e.
  • ?> All traffic on all ports is allowed into this instance. This exposes the instance to all public internet traffic and overwrites the incoming HTTP rule.

Q65. You have a VPC that has a public and private subnet. There is a NAT gateway in the public subnet that allows instances in the private subnet to access the internet without having public exposure outside of the VPC. What should the routing tables be for the private subnet?

Q66. To comply with auditing requirements of some compliance standards, which AWS tool can be enabled to maintain an audit log of access and changes to your AWS infrastructure?

Q67. You have an application that generates long-running reports, stores them in an S3 bucket, and then emails the user who requested the report with a link to download it. What is the best practice for storing the report data in S3?

  • Create a public S3 bucket. When your application creates the report object in S3, generate two randomly generated long folder names and place the file within the deepest subfolder. Set the retention policy on the object to one hour and email this link to the user. The link will be active for one hour.
  • Create a public S3 bucket. Use a hash of the user's email address and the date and time the report was requested to generate a unique object name. Email this link to the user and have a scheduled task run within your application to remove objects that are older than seven days.
  • Create a private S3 bucket. The link in the email should take the user to your application, where you can verify the active user session or force the user to log in. After verifying the user has rights to access this file, have the application retrieve the object from S3 and return it in the HTTP response. Delete the file from the S3 bucket after the request is completed.
  • Create a private S3 bucket. The link in the email should take the user to your application, where you can verify the active user session or force the user to log in. Set the report object in S3 to public. Show the user a "Download" button in the browser that links to the public object.

Q68. When sending a large volume of email through SES, what is the most important set of metrics to monitor?

  • your complaint and bounce rates
  • opens and clicks
  • clicks and deliveries
  • sending volume over the past 15 minutes and over one day to watch for billing spikes

Q69. You are going to host an application that uses a MySQL database. Which database should you select if you don't want to manage scaling or database administration tasks?

  • Launch an AMI image from the marketplace containing a preconfigured MySQL server.
  • Aurora
  • RDS for MySQL
  • Redshift

Q70. A form in a web application is sending sign-up data to "http://example.com/signup/new?source=web" and this data needs to be handled by an ECS service behind an Application Load Balancer (ALB). Which ALB rule will route this request?

Q71. Which AWS service can host the web application server for a WordPress site?

Q72. What does the following AWS CLI create-service command for ECS do?

  • changes the security groups of the running rest-api task
  • creates a cluster called production and launches two containers into Fargate with the rest-api task definition
  • launches two containers onto Fargate into the existing production cluster using the rest-api task definition
  • creates a service definition for the rest-api task that puts two containers on the production cluster when launched with the ecs-cli up command

Q73. You want to make your public API quickly accessible from all regions. What is the best way to do this?

  • Create a single API gateway endpoint in a central region.
  • Create a private API gateway endpoint for each region.
  • Create a regional API gateway endpoint for each region.
  • Create edge-optimized API gateway endpoints and deploy them to a CloudFront network.

Q74. What type of data solution should you use for data coming from nonrelational and relational data from IoT devices, websites, mobile apps, etc.?


Indeed there is a way, using the Wireshark filters. But you cannot filter directly by process name or PID (because they are not network quantities).

You should first figure out the protocols and the ports used by your process (the netstat command in the previous comment works well).

Then use Wireshark to filter the inbound (or outbound) port with the one you just retrieved. That should isolate the incoming and outgoing traffic of your process.

To start and monitor a new process:

To monitor an existing process with a known PID:

  • -f is for "follow new processes"
  • -e defines a filter
  • -s sets the limit of strings to more than 32
  • -p takes the process id to attach to
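The answer above boils down to two steps: learn the ports your process uses from strace or netstat, then filter Wireshark on those ports. As an added example (not code from this thread or any of its posters), the Python script below joins the two steps by turning the socket calls printed by `strace -f -e trace=network` into a Wireshark display filter; the strace lines it runs on by default are a constructed sample.

```python
"""Build a Wireshark display filter from `strace -f -e trace=network` output.
Added example, not code from the thread above: it automates the step the answer
describes (learn a process's ports from strace, then filter Wireshark by port).
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of strace output: PIDs, addresses and ports are made up,
# the line layout is what strace prints for these calls.
SAMPLE_STRACE = """\
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid  4243] socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
[pid  4243] sendto(4, "\\x12\\x34\\x01\\x00", 28, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 28
[pid  4242] socket(AF_INET6, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = 5
[pid  4242] connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
[pid  4244] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
[pid  4244] bind(6, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  4244] socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid  4244] connect(7, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 33) = 0
"""

PID_RE = re.compile(r"^\[pid\s+(\d+)\]\s*")        # prefix added by strace -f
SOCKET_RE = re.compile(                             # socket(family, type[|flags], proto) = fd
    r"^socket\((AF_INET6?|AF_UNIX),\s*(SOCK_\w+)[^,]*,\s*[^)]*\)\s*=\s*(\d+)")
CALL_RE = re.compile(r"^(connect|sendto|bind)\((\d+),")   # calls that carry a sockaddr
PORT_RE = re.compile(r"sin6?_port=htons\((\d+)\)")
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6,\s*"([^"]+)"')


@dataclass(frozen=True)
class Endpoint:
    pid: int     # 0 when strace printed no [pid] prefix (single process, no -f)
    call: str    # connect / sendto / bind
    proto: str   # "tcp", "udp", or "?" when the socket() call was not captured
    addr: str
    port: int


def parse_strace(text):
    """Return the IP endpoints the traced process touched, in order of appearance."""
    fd_proto = {}    # (pid, fd) -> "tcp" / "udp" / "?" / "unix"
    endpoints = []
    for raw in text.splitlines():
        line = raw.strip()
        pid = 0
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            line = line[m.end():]
        m = SOCKET_RE.match(line)
        if m:
            family, sock_type, fd = m.group(1), m.group(2), int(m.group(3))
            if family == "AF_UNIX":
                fd_proto[(pid, fd)] = "unix"
            else:
                fd_proto[(pid, fd)] = {"SOCK_STREAM": "tcp", "SOCK_DGRAM": "udp"}.get(sock_type, "?")
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        port = PORT_RE.search(line)
        if not port:
            continue     # AF_UNIX, netlink etc.: nothing that appears on the wire
        addr = ADDR_RE.search(line)
        # A failed or non-blocking connect (-1 EINPROGRESS) still sends packets,
        # so the call's return value is deliberately ignored.
        endpoints.append(Endpoint(
            pid=pid, call=m.group(1),
            proto=fd_proto.get((pid, int(m.group(2))), "?"),
            addr=(addr.group(1) or addr.group(2)) if addr else "?",
            port=int(port.group(1))))
    return endpoints


def wireshark_filter(endpoints):
    """Combine the endpoints' ports into one Wireshark display filter string."""
    terms, seen = [], set()
    for ep in endpoints:
        if (ep.proto, ep.port) in seen:
            continue
        seen.add((ep.proto, ep.port))
        if ep.proto in ("tcp", "udp"):
            terms.append(f"{ep.proto}.port == {ep.port}")
        else:    # transport unknown: match the port under either one
            terms.append(f"(tcp.port == {ep.port} || udp.port == {ep.port})")
    return " || ".join(terms)


if __name__ == "__main__":
    # strace writes to stderr, so pipe it in with `strace ... 2>&1 | python3 this_script.py`;
    # with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STRACE
    found = parse_strace(text)
    for ep in found:
        print(f"pid {ep.pid:>6} {ep.call:<7} {ep.proto:<4} {ep.addr}:{ep.port}")
    print("Wireshark filter:", wireshark_filter(found))
```

Paste the resulting filter into Wireshark's display filter bar; it narrows the capture to the ports the traced process actually used, which is as close to "filter by PID" as Wireshark can get.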

I know this thread is a bit old but I think this might help some of you:

If your kernel allows it, capturing the network traffic of a single process is very easily done by running the said process in an isolated network namespace and using wireshark (or other standard networking tools) in the said namespace as well.

The setup might seem a bit complex, but once you understand it and become familiar with it, it will ease your work so much.

create a test network namespace:

create a pair of virtual network interfaces (veth-a and veth-b):

change the active namespace of the veth-a interface:

configure the IP addresses of the virtual interfaces:

configure the routing in the test namespace:

activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT ip address):

(You can also use the MASQUERADE rule if you prefer)

finally, you can run the process you want to analyze in the new namespace, and wireshark too:

You'll have to monitor the veth-a interface.

That will show the connections an application is making including the port being used.

Just an idea: Is it possible to bind your application to a different IP address? If so, you can use the usual suspects (tcpdump, etc.)

Tools for applications which are not capable of binding to another IP address:

fixsrcip is a tool for binding outgoing TCP and UDP client sockets (IPv4) to specific source IP addresses on multi-homed hosts

force_bind allows you to force binding on a specific IP and/or port. It works with both IPv4 and IPv6.

I have come across a similar issue and I was able to sort it out based on this answer by ioerror, using NFLOG as described here:

Then you can run the process in question from a user account that doesn't do anything else - and voila, you have just isolated and captured traffic from a single process.

Just wanted to post back in case it helps anyone.

I wrote a C application that does what is described in the great answer above by felahdab!

It does exactly what you want, you can either give it a process ID or a program to run.

This is a dirty hack but I'd suggest either a divert or a log target with iptables for a given UID. eg:

It might also be worth looking into something like '--log-tcp-sequence', '--log-tcp-options', '--log-ip-options', '--log-uid' for that log target. Though I suspect that will only help you post process a pcap that includes a ton of other data.

The NFLOG target might be useful if you want to flag packets and then certain tagged packets will be sent over a netlink socket to a process of your choosing. I wonder if that would be useful for hacking up something with wireshark and your specific application running as a specific user?


Best Azure Tools for Monitoring Performance

Performance metrics for servers, databases, applications, and network connections are some of the most important metrics for monitoring. This section of the guide focuses on pure performance monitoring. It’s geared toward those of you who want to home in on performance metrics, or who are looking to supplement tools already monitoring other aspects of your Azure services.

SolarWinds Server & Application Monitor (SAM) tops the list as the best Azure monitoring tool for performance. It offers a range of Azure monitoring approaches, including IaaS and PaaS monitoring, in addition to performance monitoring.

Performance monitoring with SAM includes Azure application and infrastructure monitoring, and general monitoring for Microsoft systems, applications, and cloud resources from one console. SAM uses dynamic baselining to set clear expectations of server and application performance and includes alerting features for when things aren’t behaving normally. It allows you to visualize performance metrics in an easy-to-understand way, with tools to correlate these metrics across your entire environment, so you can determine which parts of your environment are performing poorly and how the performance might be causing follow-on issues.

Among its many features, SAM undertakes Azure IaaS monitoring, including monitoring of virtual machine performance, and the performance of Kubernetes. With an auto-discovery system, you can be sure your Azure virtual machines and containers are being monitored. Once you have discovered all the virtual machines in your Azure service, SAM can perform Azure cloud VM management, so you can keep tabs on the performance of your virtual setup. It includes information on how your VMs are communicating across your network, and how VMs and applications are communicating and connected.

Regarding PaaS monitoring, SAM provides service metrics along with key component metrics like CPU performance, available memory, number of requests, response times for devices and components, and information on Azure workloads. Finally, it provides application monitoring, allowing you to look at infrastructure metrics and then compare them to the performance of your applications. With Azure performance over time, and information on configuration, security, and Azure region, you can keep track of your entire Azure setup.

SolarWinds AppOptics™ provides server and infrastructure monitoring, and application performance monitoring. It can work with custom metrics and analysis, so you can analyze custom infrastructures, applications, and business metrics.

The application performance monitoring component is extensive, with support for a large number of frameworks and libraries, including Go, Java, .NET, PHP, Ruby, Python, and Node.js. It also undertakes distributed performance tracing across processes and hosts, and to the data center. This ensures you can easily get to root-cause analytics from looking at application performance trends.

In addition to application monitoring, AppOptics includes a unified dashboard for server and infrastructure monitoring. This helps speed up MTTR for issues on the front end, and it can work well with hybrid and cloud-native environments including Microsoft Azure.

One of this tool’s great features is it provides custom metrics and analytics, so you can customize the entire tool based on the specific information you’re looking to record and examine. You can use tags to filter and group data in many ways to drill down into particular datasets (filtering options include cloud regions, instance types, and availability zones). AppOptics can also track one metric over time, and then compare past performance to current performance.

You can request a demo of AppOptics, or try it free for 14 days.

SolarWinds Database Performance Analyzer (DPA) is a great performance monitoring tool designed specifically for databases. Monitoring the performance of your databases is important, as slow database access can have a major impact on the other applications and services you offer.

With DPA, you can track the performance of relational database operations, host server and operating system, virtualization resources, and storage I/O. This gives you a comprehensive overview of how your databases are performing, and how they may be affecting the performance of your applications. You can use SolarWinds DPA with Microsoft Azure, SQL Server, and SQL databases.

The tool provides 24/7 monitoring and accumulates a large backlog of historical information, which helps to set accurate baselines. Using these baselines, it can easily determine unusual behavior and notify you of bottlenecks or spikes in wait time. To figure out why the issue is occurring and where it’s coming from, DPA incorporates several correlated resource metrics. It can go so far as to perform detailed blocking and deadlock analysis, looking at the blocking tree to see which queries and sessions were involved in the slowdown.

From there, DPA can help you to optimize and fine tune performance going forward, so you run into fewer issues in the future. It includes a repository of table tuning best practices, against which you can check your own practices to make improvements where necessary. This means you can ensure database performance (optimization and tuning) for traditional databases and IaaS and PaaS databases.

For comprehensive performance across your network, SolarWinds Network Performance Monitor (NPM) is a robust tool including noteworthy features for discrete monitoring tasks.

First, NPM provides excellent baselining tools and general network health measures, so you can determine what your “normal” is and be alerted to any network performance changes or network event log occurrences moving away from this baseline.

If you’re dealing with a slow network or troubleshooting an issue, NPM can use deep packet inspection software to determine possible causes. NPM also includes LAN monitoring and mapping of routers, switches, servers, and SNMP-enabled devices. This means you’re able to quickly check on the core availability of your services and device health.

NPM allows you to visualize the entire network path using NetPath, which tracks network traffic from source to destination, even if the source or destination is outside your own network. This can help with troubleshooting and network optimization, as you can see which parts of your network are struggling and which could use additional optimization. You can use the NetPath tool regardless of whether your entire network is on-premises, in the cloud, or a hybrid; you can also use it with software-as-a-service applications.

Finally, NPM provides general network discovery and mapping tools, through which you can gain an overview of your entire network topology, functionality, and setup. This helps to ensure you have a clear understanding of how everything links in with your application availability, database access, and connections to the cloud.

NPM can be downloaded as a 30-day free trial.

Stackify Retrace is another useful tool to consider for performance monitoring. It provides cloud-based monitoring to support Azure services, including applications, storages, databases, and more. You can use Retrace to monitor and troubleshoot problems with applications, no matter where they’re deployed.

It provides basic performance metrics, partial support for event tracing, and support for slow and overused SQL queries. In addition, it provides monitoring for Azure service bus queues, so you can see whether messages are stacking up, indicating slow application performance.

Finally, it tracks user satisfaction with application performance using Apdex scoring. This can prove helpful with end-to-end performance monitoring.

Installation is simple. You can try out Stackify Retrace free for 14 days.


Should I still have a physical DC, even post-Server 2012?

Back in the pre-Windows Server 2012 days, the recommendation seemed to be to have at least one physical domain controller sitting alongside your virtualised DCs.

One justification for this was because if your Hyper-V hosts were clustered, then they required a DC to be contactable during boot-up. This makes total sense to me.

However, I would often hear people say it is still important to have a physical DC even if you don't have a clustered set up (say for example in a simple setup with a single Hyper-V server running a couple of VMs, one of which is a DC). The justification for this seemed (and I could never quite be sure) that you would still have a problem in the sense that when the Hyper-V host first boots, there's no DC present on the network. Cached credentials mean you can still log on, but what about all those bits that happen during boot up that mean having a DC around is beneficial? Is this actually an issue? Are there actually any operations that might run only at boot up that will cause a problem? Any Group Policies for example? What I'm basically asking is, does the physical DC argument only really hold water when clustering is involved, or was (pre-2012) there a significant technical case for it without clustering? This article from Altaro (see "The “Chicken-and-Egg” Myth" section) suggests there is no need, but I'm still unsure.

Now to the second (and main) part of my question:

Windows Server 2012 introduced several features targeted at addressing the issues around virtualising domain controllers, including:

  1. VM-Generation ID - This addressed the USN rollback issue that meant snapshotting (or more specifically, rolling back to a snapshot) was unsupported/a really bad idea
  2. Cluster Bootstrapping - This addressed the "chicken and egg" issue surrounding Failover Clustering that I mentioned above. Failover Clustering no longer requires a DC to be present during boot-up.

So my second question is similar to the first, but this time for 2012+. Assuming both the vDC and the host are 2012+ and you take clustering out of the equation, are there any other issues like those mentioned above that mean I should still consider a physical DC? Should I still be considering having a physical DC alongside my single, non-clustered 2012/2012R2 Hyper-V host that has a single virtualised DC on it? I hear some people suggest putting AD on the Hyper-V host, but I don't like that idea for various reasons (WB cache being disabled for a start).

As a side-note, my question implicitly assumes that it makes sense to have your Hyper-V host joined to the domain to improve manageability. Does this assertion stand up to scrutiny?

After reading some answers, it occurred to me that I could phrase things slightly differently to get to the heart of what I'm asking:

Even with the improvements in 2012 and later, the fact still remains that without any physical DCs or virtual DCs on another host, the host still boots when there's no DC available. Is this actually an issue? In a sense, I suppose it's the same (or very similar) question if you take virtualisation out of the picture completely. If you start member servers before any DCs regularly, is that a problem?


The following steps will find e-mail that Gmail marks as spam and prevent it from going to the Spam "folder". This will then allow your desktop client to download the e-mail and perform the spam filtering. This type of arrangement is often necessary if spammers send out e-mail using keywords that are legitimate for certain industries such as e-commerce, finance, pharmaceuticals, sex, or gambling.

Anyway, the Gmail steps are:

  • In the Has the words field, enter is:spam
  • Click Create filter with this search

  • Check on Never Send it to Spam
  • Click on Create Filter

I found this in the Google help pages, and I think if you follow the instructions you will be able to do it:



You will still need local and Active Directory administrator accounts for this to work, but here are the exact steps I took to fix this issue.

  1. Login with local administrator account
  2. Go to System Preferences > Users & Groups
  3. Press Login Options > Unlock > Press Edit near Network Account Server > Open Directory Utility > Unlock > Select Active Directory and press "Edit settings for the selected service" button at the bottom > Unbind > Enter Active Directory administrator credentials and finish the unbinding process
  4. Close Directory Utility and reboot the computer
  5. Repeat steps 1 and 2
  6. Press Join near Network Account Server
  7. Enter your domain (ad.example.com) and Active Directory administrator credentials.

Assuming your AD account is not an entirely network account (it was created on your local system and you can use it without network access), you should also set the settings in steps 8-10.

  1. Optional Step - Go to System Preferences > Users & Groups
  2. Optional Step - Login Options > Unlock > Press Edit on Network Account Server > Open Directory Utility > Unlock > Select Active Directory and press "Edit settings for the selected service" button at the bottom
  3. Optional Step - Press Show more > Check "Create mobile login at login" > Uncheck "Require confirmation before creating a mobile account"
  4. Log out (may need another reboot)
  5. Log in with the network account by selecting the user from the list or using your name and password (depends on the "Display login window as" setting)

Today I met a strange problem. After I enter my password, the progress bar runs to the end, and it is stuck there forever, no matter how many times I try to restart.

I finally needed to go to Recovery mode by pressing Cmd+R at startup. I then selected Get Help Online to open Safari. Strangely enough, I wasn't connected to the Internet.

After selecting the wifi icon on the status bar to connect to the internet, I then restarted and could log in again. It seems that macOS is checking for something before allowing the user to log in.

It appears that the main issue is the empty local cache of network accounts after the upgrade to High Sierra. I was able to log in to a network account without re-binding to the network directory using the following steps (simplified compared to @ernestasen's answer):

  1. Login with local administrator account
  2. Go to System Preferences > Users & Groups , Click the lock to make changes, Press Login Options , Click on Options button next to Allow network users to log in at login window
  3. Select Only these network users: , Press the plus sign
  4. Wait until network accounts are populated in the Network Users section (in my case I had to wait about 20 seconds while the accounts were showing up on the screen)

That's it; now you've got a refreshed local cache of network users, so you can press Cancel and restore the option that was changed in step 3.

I love the answer by earnestasen and wish I had thought of that. I did yet a third thing to solve this. I logged in as a local admin, created a new local account, logged in to that account, connected to the AD subnet (since I'm remote) via the VPN (which took some doing to get my VPN profile into this temp user account), then once connected, I did fast user switching to my domain account, and it worked. I rebooted to test it and was able to log straight in again afterward. I was momentarily panicked that I'd orphaned my account, or would need to fly to SFO to be on the LAN for all of 3 minutes to solve this, but in the end was able to solve this with only a couple hours of downtime. I then removed the temp user and am whole again. Cheers.

The solution is simple, IF you have another user account set up. I had one, for my girlfriend.

  • Login with the other account
  • Go to apple> utilities> terminal
  • Enter resetpassword
  • Follow the instructions on the screen.

You may have to reenter some app passwords to store in your keychain again

The solution which worked for me.

System Preferences
Users & Groups
Click the padlock and enter the admin password
Login Options
Edit the Network Account Server to open the Directory Utility
Click the padlock and enter the admin password (again.)
Select Active Directory and click the pencil to edit
Enter the admin password (again.)
Click the drop-down arrow by "Show options"
Select the Administrative 'tab'
Ensure the "Prefer this domain server:" and "Allow administration by:" options are ticked. Add the relevant user into the list for admin rights.

Not sure why the OS upgrade from Sierra to Mojave would have de-selected these options but there you go.