POSTFIX Error “fatal: parameter inet_interfaces: no local interface found for ::1”

Issue

You are not able to start or restart Postfix, and you get the error below.
fatal: parameter inet_interfaces: no local interface found for ::1

Solution

Edit the file /etc/postfix/main.cf

vim /etc/postfix/main.cf

Search for the line:

inet_interfaces = all

And change it to the following, where 10.10.11.12 is your local IP address:

inet_interfaces = 127.0.0.1, 10.10.11.12

Save and exit:

:wq!

Restart Postfix.

service postfix restart
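
A pre-restart check for the situation above, as an added example that is not part of the original post: it lists literal addresses in inet_interfaces that no local interface carries, which is the condition Postfix reports with this error. The function names are hypothetical, and the main.cf contents (including the failing `[::1]` entry) and the host address list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Flags literal addresses in
# inet_interfaces that no local interface carries. Function names are
# hypothetical; config contents and the host address list are constructed.

# Print the effective inet_interfaces value from a main.cf-style file.
# Postfix uses the last assignment of a parameter; continuation lines are
# not handled. On a live host, `postconf -h inet_interfaces` prints the value.
get_inet_interfaces() {
    sed -n 's/^inet_interfaces[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Addresses configured on this host, one per line (needs iproute2).
local_addrs() {
    ip -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# missing_addrs VALUE ADDRS
# Print each literal IP in VALUE that is absent from ADDRS (newline-separated).
missing_addrs() {
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | while read -r item; do
        item=${item#\[}; item=${item%\]}      # [::1] -> ::1
        case $item in
            ''|*[!0-9a-fA-F.:]*) continue ;;  # empty, keyword or host name
        esac
        printf '%s\n' "$2" | grep -Fqx -- "$item" || printf '%s\n' "$item"
    done
}

# check_config FILE ADDRS: run both steps for one main.cf.
check_config() {
    missing_addrs "$(get_inet_interfaces "$1")" "$2"
}

# --- constructed demo data ---
# Host with IPv6 disabled: no interface carries ::1.
HOST_ADDRS='127.0.0.1
10.10.11.12'

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# Assumed failing config: a later assignment overrides "all" and names ::1.
printf 'inet_interfaces = all\ninet_interfaces = 127.0.0.1, [::1]\n' \
    > "$demo_dir/before.cf"
# The value the post changes it to.
printf 'inet_interfaces = 127.0.0.1, 10.10.11.12\n' > "$demo_dir/after.cf"

for f in before after; do
    missing=$(check_config "$demo_dir/$f.cf" "$HOST_ADDRS")
    echo "$f.cf: ${missing:-all listed addresses are local}"
done
```

On a real host, call `check_config /etc/postfix/main.cf "$(local_addrs)"` before restarting; any address it prints has to be removed from inet_interfaces or configured on an interface first.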


Original Article: fatal: parameter inet_interfaces: no local interface found for ::1

Here’s What’s New in VMware vSphere and vCenter 6.7

You can expect some incremental changes to VMware hypervisor (ESXi) and management (vCenter Server)

Widenet is VCP Certified for VMware Products.
In many articles we have shared tips and tricks or solved problems, like here, or here. Now we will talk about big news from VMware.

vSphere 6.7, released today, includes an update to both its hypervisor (ESXi 6.7) and management console (vCenter Server 6.7). This release shows that VMware Inc. is not content to let its hypervisor become a commodity, and that it’s possible to make incremental, evolutionary changes to a proven product and, moreover, that VMware is still making substantial investments in its hypervisor. The vSphere 6.7 beta, though NDA-constrained, has been available to the public since October 2017. Despite the fact that a lot of new features were baked into the 6.5 release, this release does make some nice incremental changes. Following are some of the most important changes included with vSphere 6.7.

Hardware Caveat
An important hardware caveat to be aware of is VMware has released an HCL for vSphere 6.7 that excludes some older, yet popular CPUs. If you’re thinking about running this release on an older system for development or testing first before placing it into production on your newer servers, make sure to check the HCL to ensure compatibility.

Single Reboot Upgrade
vSphere upgrades can now be completed with one single reboot. Prior to vSphere 6.7, major version upgrades took quite a while (although they could be done without disruption by transferring workloads by using the Distributed Resource Scheduler [DRS]). vSphere 6.7, on the other hand, allows you to do a “quick boot” where it loads vSphere ESXi without restarting the hardware because it only restarts the kernel. This feature is only available with platforms and drivers that are on the Quick Boot whitelist, which is currently quite limited.

VMware Configuration Maximum Tool
The most visible configuration maximum change in vSphere 6.7 is the number of devices that can be attached to a host. VMware has increased some of the other maximums.

vSphere Client
vSphere 6.5 eliminated the vSphere Client that ran natively on Windows (also known as the C# Client or Thin Client) in favor of the vSphere Web Client, which was Flash-based. Also introduced in version 6.5 was the vSphere Client, which replaced Flash with HTML5. vSphere 6.7 further extends the capabilities of the vSphere Client and will eventually replace the vSphere Web Client. It looks like the vSphere Client can do about 90 percent of what the vSphere Web Client can do. In vSphere 6.5, VMware had a list of the functionalities not yet supported in the vSphere Client; hopefully the company will do the same for vSphere 6.7.
Figure 1 shows the main menu of the vSphere Web Client, and Figure 2 shows the main vSphere Client menu. Although the new client looks cleaner, and does seem more responsive than the vSphere Web Client, the location of some items has changed and some workflows will have to be adjusted accordingly with these changes. I wrote an article on the vSphere Client when it first came out that explains why VMware is switching to an HTML5-based client.

Figure 1. The vSphere Web Client main menu.
Figure 2.

vCenter Server Appliance

Now that the vCenter Server Appliance (VCSA) is functionally equivalent to the Windows-based vCenter Server, it would take a lot to convince me to use the Windows-based one instead of VCSA. Overall, I have found that the VCSA embedded database (PostgreSQL) performs great. Furthermore, the VCSA is very easy to update, and the Linux OS (Photon OS) is rock solid. As a side note, the VCSA can easily be monitored using vimtop (be sure to read my recent articles on using vimtop). You can also read my article about migrating from a Windows-based vCenter Server to a VCSA, as well as another article on using the built-in VCSA backup tool. The built-in backup tool in vSphere 6.7 offers more scheduling options for its VCSA backup tool than in vSphere 6.5. The Backup Scheduler tool (Figure 3) can be accessed from the vCenter Server Appliance Management Interface (VAMI). VMware is also stating that there are “phenomenal” performance improvements in vCenter operations per second, in reduction of memory usage and DRS-related operations.

Figure 3. The Backup Scheduler tool.

Suspend and Resume of vGPU Workloads
vGPU allows you to carve up a physical GPU into multiple virtual GPUs that can be used by VMs. Although vGPUs were introduced with vSphere 6.0, there were limits on what you could do with a VM that was using a vGPU. vSphere 6.7, on the other hand, removes some of these barriers, and now you can suspend and resume a vGPU-enabled VM.

Per-VM EVC
For quite some time vSphere has had the ability to mask off CPU features so that VMs that were running on systems with newer CPUs could be moved with vMotion to servers with older CPUs. This is called Enhanced vMotion Compatibility, or EVC. In vSphere 6.7 VMware has extended this capability to allow you to do this on a per-VM, rather than on an ESXi-host basis. This means that if you have VMs that you want to take advantage of CPU-specific features, and are willing to limit those VMs to CPUs that only have those features in your cluster, you can configure them to do so.

A per-VM EVC is set from the vSphere client by selecting a VM, going to the Configure tab and selecting Edit (Figure 4).

Figure 4. Setting up a per-VM EVC.

Instant Clone
I’ve been a fan of using instant clones with virtual desktops—they’ve proven to be a big space saver, to use only a fraction of the disk resources compared to a full clone, and to allow VMs to be provisioned in seconds from a parent image. With vSphere 6.7, VMware has exposed the APIs that can be used to create instant clones. It looks like a straightforward process and I suspect that many people will figure out some very interesting ways to use the instant clone API.

ESXi Quick Boot
vSphere 6.7 introduces the Quick Boot feature, which allows a system to reboot in less than two minutes as it does not re-initialize the physical server BIOS. This can speed up operations that require an ESXi system to be rebooted; however, Quick Boot is only supported on certain systems and does not work with systems that have ESXi Secure Boot enabled.

Figure 5 shows two hosts, one with Quick Boot enabled and another without it enabled. By default, Quick Boot is enabled if the system supports it.

Figure 5. The New ESXi Quick Boot feature is enabled by default if the system supports it.

Persistent Memory (PMem) Devices
vSphere 6.7 now supports the next generation of storage devices that use persistent DRAM memory, known as non-volatile dual in-line memory module (NVDIMM) devices. This technology is still in its infancy, but applications that require the lowest possible latency regardless of the cost will find this feature invaluable. PMem is presented to vSphere either as a vPMemDisk, which is treated somewhat like a datastore, or as a virtual NVDIMM (vNVDIMM), which is presented directly to guest OSes that can use NVDIMM devices.

Virtual Hardware Version 14
Virtual hardware is the abstract version of physical hardware to a virtual machine or, in essence, a virtual motherboard. As physical hardware supports more features, VMware builds new virtual hardware accordingly to emulate the physical version. vSphere 6.7 comes with a new virtual hardware, version 14. Version 14 adds support for NVDIMM, as well as Trusted Platform Module (TPM), Microsoft Virtual-based Security (VBS) and I/O Memory Management.

VMFS Datastores
VMFS3 datastores have been around for a long time, but VMware is now phasing them out. To assist with this transition, vSphere 6.7 automatically upgrades VMFS3 datastores to VMFS5 when they’re mounted. If you want to upgrade VMFS5 datastores to VMFS6 datastores, you’ll need to upgrade the datastore with vSphere Storage vMotion because an in-place upgrade of a VMFS5 to VMFS6 datastore isn’t possible.

As a side note, vSphere 6.7 supports VMFS5 and VMFS6; however, vSphere 6.0 and earlier systems only support VMFS5 datastores. As such, if you have an environment that contains vSphere 6.0 or earlier systems, you’ll want to only use VMFS6 datastores on systems that won’t be accessed by them.

Upgrading to vCenter Server 6.7
A specific order must be used when upgrading to vSphere 6.7. Check the documentation for the latest order and caveats, but the basic procedure can be carried out by first upgrading the Platform Service Controller (PSC), then upgrading vCenter Server and, last, updating the ESXi hosts.

Because upgrading directly from vSphere 5.5 to 6.7 isn’t supported, you’ll need to first upgrade from vSphere 5.5 to vSphere 6.5, and then finally to vSphere 6.7. Note that an ESXi 5.5 host cannot be managed by VCSA 6.7. By contrast, upgrading from vSphere 6.0 to 6.7 is supported. If you’re still running a Windows-based vCenter Server rather than a VCSA, VMware does offer a tool to assist you in the migration; be sure to read my article on using this tool.

Upgrading to ESXi 6.7
As mentioned earlier, ESXi 6.5 doesn’t support all the CPUs that ESXi 6.0 does, so be sure to check the HCL to ensure that your system is supported. Roughly speaking, what you’ll typically find supported, at the minimum, are 2-core CPUs that were released after September 2006 and have NX/XD enabled. You can use the VMware Update Manager (VUM) to do an orchestrated automated upgrade. Alternatively, you can manually update the ESXi systems using an ISO image or esxcli commands or, if you use stateless hosts, you can use vSphere Auto-Deploy to update your servers. To see how to update an ESXi system using esxcli commands, be sure to read my article.

Wrapping Up
If I’m forced to pick one single standout feature in vSphere 6.7, it would have to be the instant clone API. I see this feature as a great enabler for the VMware ecosystem and VMware developers because the ability to spawn hundreds of identical VMs that only use a small amount of space in minutes has some mind-boggling use cases. However, with great power comes greater responsibility, and it will be interesting to watch the development of tools to manage and orchestrate these VMs over time.

Yes, instant clones is the gee-whiz feature in this release, but the rest of the improvements in this release prove that the hypervisor has room for evolutionary growth—and that VMware is serious in maintaining its leadership position in this regard.

Related Article: Here’s What’s New in vSphere 6.7

Intel’s CPU List affected by Meltdown and Spectre Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

We talked about Meltdown and Spectre here and here.

In this article we report Intel’s list of CPUs affected by Meltdown and Spectre.

Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

 

Intel ID: INTEL-SA-00088
Product family: Systems with Speculative Execution
Impact of vulnerability: Information Disclosure
Severity rating: Important
Original release: Jan 03, 2018
Last revised: Jan 03, 2018
Summary: Today a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems.

Intel is committed to product and customer security and to responsible disclosure. We worked closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to mitigate this issue promptly and constructively.

For facts about these new exploits, and steps you can take to help protect your systems and information please visit: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html.

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Affected products: For non-Intel based systems please contact your system manufacturer or microprocessor vendor (AMD, ARM, Qualcomm, etc.) for updates.

The following Intel-based platforms are impacted by this issue. Intel may modify this list at a later time. Please check with your system vendor or equipment manufacturer for more information regarding updates for your system.

  • Intel® Core™ i3 processor (45nm and 32nm)
  • Intel® Core™ i5 processor (45nm and 32nm)
  • Intel® Core™ i7 processor (45nm and 32nm)
  • Intel® Core™ M processor family (45nm and 32nm)
  • 2nd generation Intel® Core™ processors
  • 3rd generation Intel® Core™ processors
  • 4th generation Intel® Core™ processors
  • 5th generation Intel® Core™ processors
  • 6th generation Intel® Core™ processors
  • 7th generation Intel® Core™ processors
  • 8th generation Intel® Core™ processors
  • Intel® Core™ X-series Processor Family for Intel® X99 platforms
  • Intel® Core™ X-series Processor Family for Intel® X299 platforms
  • Intel® Xeon® processor 3400 series
  • Intel® Xeon® processor 3600 series
  • Intel® Xeon® processor 5500 series
  • Intel® Xeon® processor 5600 series
  • Intel® Xeon® processor 6500 series
  • Intel® Xeon® processor 7500 series
  • Intel® Xeon® Processor E3 Family
  • Intel® Xeon® Processor E3 v2 Family
  • Intel® Xeon® Processor E3 v3 Family
  • Intel® Xeon® Processor E3 v4 Family
  • Intel® Xeon® Processor E3 v5 Family
  • Intel® Xeon® Processor E3 v6 Family
  • Intel® Xeon® Processor E5 Family
  • Intel® Xeon® Processor E5 v2 Family
  • Intel® Xeon® Processor E5 v3 Family
  • Intel® Xeon® Processor E5 v4 Family
  • Intel® Xeon® Processor E7 Family
  • Intel® Xeon® Processor E7 v2 Family
  • Intel® Xeon® Processor E7 v3 Family
  • Intel® Xeon® Processor E7 v4 Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
  • Intel® Atom™ Processor C Series
  • Intel® Atom™ Processor E Series
  • Intel® Atom™ Processor A Series
  • Intel® Atom™ Processor x3 Series
  • Intel® Atom™ Processor Z Series
  • Intel® Celeron® Processor J Series
  • Intel® Celeron® Processor N Series
  • Intel® Pentium® Processor J Series
  • Intel® Pentium® Processor N Series

 

Recommendations: Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop software updates that can help protect systems from these methods. End users and systems administrators should check with their operating system vendors and apply any available updates as soon as practical.

For non-Intel based systems please contact your system manufacturer or microprocessor vendor (AMD, ARM, Qualcomm, etc.) for updates.

Please check with your system vendor or equipment manufacturer for more information regarding your system.

Other variants of this side-channel analysis are being addressed by Operating System and Software Vendors.  For more details see:

  • CVE-2017-5753: https://01.org/security/advisories/intel-oss-10002
  • CVE-2017-5754: https://01.org/security/advisories/intel-oss-10003

Acknowledgements: Intel would like to thank Jann Horn with Google Project Zero for his original report and for working with the industry on coordinated disclosure.

Intel would also like to thank the following researchers for working with us on coordinated disclosure.

  • Moritz Lipp, Michael Schwarz, Daniel Gruss, Stefan Mangard from Graz University of Technology
  • Paul Kocher, Daniel Genkin from University of Pennsylvania and University of Maryland, Mike Hamburg from Rambus, Cryptography Research Division and Yuval Yarom from University of Adelaide and Data61.
  • Thomas Prescher and Werner Haas from Cyberus Technology, Germa

Revision history:

Revision | Date            | Description
1.0      | 03-January-2018 | Initial Release
1.1      | 03-January-2018 | Update Links
1.2      | 05-January-2018 | Update

CVE Name: CVE-2017-5715

Meltdown and Spectre CPU flaws for Windows 2003

Windows, Meltdown and Spectre: Keep calm and carry on

Microsoft releases Windows patches

Yesterday evening, Microsoft released Windows patches — Security-only Updates, Cumulative Updates, and Delta Updates — for a wide array of Windows versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). I’ve been assured that the Win7 and 8.1 Monthly Rollups will come out next week on Patch Tuesday.

The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches appear to be Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.

BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. (It now appears as if the value of the key doesn’t matter; just the presence of the registry entry turns on Meltdown protection. Thx, @abbodi86, @MrBrian.) If you’re running third-party antivirus, it has to be updated before the Meltdown patch installer will run. It looks as if there are known problems with bluescreens for some antivirus products.

There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.

Note that the Windows Server patches are not enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)

Question: Will Microsoft release patches for older operating systems like Windows Server 2003 and Windows Server 2000?

Answer: Maybe no. Windows XP and Server 2003 don’t yet have patches. As you know, these operating systems are out of support. No word on whether Microsoft will release those sooner or later.

Operating system version | Update KB
Windows Server, version 1709 (Server Core Installation) | 4056892
Windows Server 2016 | 4056890
Windows Server 2012 R2 | 4056898
Windows Server 2012 | Not available
Windows Server 2008 R2 | 4056897
Windows Server 2008 | Not available

Kevin Beaumont, @GossiTheDog, is maintaining a list of antivirus products and their Meltdown-related problems. On Google Docs, of course.

Related Articles: Windows, Meltdown and Spectre | Meltdown and Spectre CPU flaws | Widenet Meltdown and Spectre CPU Blog

AWS – Processor Speculative Execution Research Disclosure: News Concerning CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

We talked about Meltdown and Spectre in this article.

Here is what AWS (Amazon) says:

Update As Of: 2018/01/07 11:30 PST

This is an update for this issue.

Amazon EC2

All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

Recommended Customer Actions for AWS Batch, Amazon EC2, Amazon Elastic Beanstalk, Amazon Elastic Container Service, Amazon Elastic MapReduce, and Amazon Lightsail

While all customer instances are protected, we recommend that customers patch their instance operating systems. This will strengthen the protections that these operating systems provide to isolate software running within the same instance. For more details, refer to specific vendor guidance on patch availability and deployment.

Specific vendor guidance:

For operating systems not listed, customers should consult with their operating system or AMI vendor for updates and instructions.

Updates to other AWS services

Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

An updated kernel for Amazon Linux is available within the Amazon Linux repositories. EC2 instances launched with the default Amazon Linux configuration on or after 10:45 PM (GMT) January 3rd, 2018 will automatically include the updated package. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

sudo yum update kernel

After the yum update is complete, a reboot is required for updates to take effect.

More information on this bulletin is available at the Amazon Linux AMI Security Center.

EC2 Windows

We have updated AWS Windows AMIs. These are now available for customers to use, and AWS Windows AMIs have the necessary patch installed and registry keys enabled.

Microsoft have provided Windows patches for Server 2008R2, 2012R2 and 2016. Patches are available through the built-in Windows Update Service for Server 2016. We are pending information from Microsoft on patch availability for Server 2003, 2008SP2 and 2012RTM.

AWS customers running Windows instances on EC2 that have “Automatic Updates” enabled should run automatic updates to download and install the necessary update for Windows when it is available.

Please note, Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update requiring manual download, Microsoft advise these patches will be available Tuesday, January 9th.

AWS customers running Windows instances on EC2 that do not have “Automatic Updates” enabled should manually install the necessary update when it is available by following the instructions here: http://windows.microsoft.com/en-us/windows7/install-windows-updates.

Please note, for Windows Server, additional steps are required by Microsoft to enable their update’s protective features for this issue, described here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

ECS Optimized AMI

We have released Amazon ECS Optimized AMI version 2017.09.e which incorporates all Amazon Linux protections for this issue. We advise all Amazon ECS customers to upgrade to this latest version which is available in the AWS Marketplace. Customers that choose to update existing instances in-place should run the following command on each container instance:

sudo yum update kernel

The update requires a reboot of the container instance to complete

Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of any alternative / third-party operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux AMI Security Center.

An updated Microsoft Windows EC2 and ECS Optimized AMI will be released as Microsoft patches become available.

Elastic Beanstalk

We will be releasing new platform versions that include the kernel update to address this issue within 48 hours. For Linux environments, we recommend that you enable “Managed Platform Updates” to automatically update within your chosen maintenance window once these updates are available. We will post instructions for Windows environments once the update is available.

AWS Fargate

All infrastructure running Fargate tasks has been patched as described above and no customer action is required.

Amazon FreeRTOS

There are no updates required for or applicable to Amazon FreeRTOS and its supported ARM processors.

AWS Lambda

All instances running Lambda functions have been patched as described above and no customer action is required.

RDS

RDS-managed customer database instances are each dedicated to only running a database engine for a single customer, with no other customer-accessible processes and no ability for customers to run code on the underlying instance. As AWS has finished protecting all infrastructure underlying RDS, process-to-kernel or process-to-process concerns of this issue do not present a risk to customers. Most database engines RDS supports have reported no known intra-process concerns at this time. Additional database engine-specific details are below, and unless otherwise noted, there is no customer action required. We will update this bulletin as more information is available.

RDS for MariaDB, RDS for MySQL, Aurora MySQL, and RDS for Oracle database instances currently have no customer actions required.

For RDS PostgreSQL and Aurora PostgreSQL, DB Instances running in the default configuration currently have no customer actions required. We will provide the appropriate patches for users of plv8 extensions once they are made available. In the meantime, customers who have enabled plv8 extensions (disabled by default) should consider disabling them and review V8’s guidance at https://github.com/v8/v8/wiki/Untrusted-code-mitigations.

For RDS for SQL Server Database Instances, we will release OS and database engine patches as Microsoft makes each available, allowing customers to upgrade at a time of their choosing. We will update this bulletin when either has been completed. In the meantime, customers who have enabled CLR (disabled by default) should review Microsoft’s guidance on disabling the CLR extension at https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server.

VMware Cloud on AWS

Please refer to the VMware security advisory here for more details: https://www.vmware.com/security/advisories/VMSA-2018-0002.html.

WorkSpaces

AWS will apply security updates released by Microsoft to most AWS WorkSpaces over the coming weekend. Customers should expect their WorkSpaces to reboot during this period.

Bring Your Own License (BYOL) customers, and customers who have changed the default update setting in their WorkSpaces should manually apply the security updates provided by Microsoft.

Please follow the instructions provided by Microsoft security advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002. The security advisory includes links to knowledge base articles for both Windows Server and Client operating systems that provide further specific information.

Updated WorkSpaces bundles will be available with the security updates soon. Customers who have created Custom Bundles should update their bundles to include the security updates themselves. Any new WorkSpaces launched from bundles that do not have the updates will receive patches soon after launch, unless customers have changed the default update setting in their WorkSpaces, in which case they should follow the above steps to manually apply the security updates provided by Microsoft.

WorkSpaces Application Manager (WAM)

We recommend that customers choose one of the following courses of action:

Option 1: Manually apply the Microsoft patches on running instances of WAM Packager and Validator by following the steps provided by Microsoft at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. This page provides further instructions and downloads for Windows Server.

Option 2: Rebuild new WAM Packager and Validator EC2 instances from updated AMIs for WAM Packager and Validator which will be available by end of day (2018/01/04).

=========================================================

2018/01/03 14:45 PST

AWS is aware of recently disclosed research regarding side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). These are vulnerabilities that have existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.