Mark's blog

Adventures in IPv6 land

As you may have noticed, there's now a new "IPv6 Ready" icon on the right of this page. It's the last piece of my latest project experimenting with IPv6; it now means that my whole home network and this website run over IPv6 as well as IPv4. If you're lucky, it will have turned green like the example on the left - this means you are connecting to this blog natively over IPv6. As I've spent the last few weeks playing with this technology, I thought I'd write my notes up here in the hopes that it will help someone else. I'll cover briefly some of the IPv6 concepts that I initially struggled with, and in the next article show how I set up IPv6 at home through a tunnel-broker despite my ISP (Virgin Media) not offering native IPv6 connectivity. I'll also cover setting up a publicly accessible website over IPv6 and share some firewall scripts and other tools I've found useful.

I found that the hardest part of getting my head round IPv6 was forgetting what I previously knew about IPv4 networking. The concepts of NAT, private address space, CIDR subnet masks and so on was getting in the way of me understanding what is ultimately a much simpler system. Let's face it, the current IPv4 status quo is pretty broken, and we've got the Internet this far based on a series of hacks built upon hacks. Sure, it sort of works but it's pretty ugly - and I think it's only because we're so used to IPv4 concepts that I never took a step back and thought about how broken it truly is.

Needless to say, although the theory should be equally applicable to Windows systems, all this is all written with a heavy Unix-bias as that's what I use most of them time. Also, if you notice any glaring mistakes or omissions I would be grateful if you'd leave a comment below, and I'll go back and edit this article ASAP. Click the "Continue reading" link for the full article...

Continue reading "Adventures in IPv6 land"

SGI Irix packages

I have finally got a working build environment for my SGI IRIX systems (an R14k Fuel and a dual R12k Ocatane2) and have packaged some open-source software for the fantastic Nekoware project. If you're a fan of classic Unix systems, I strongly recommend heading over to their forums - there's also a pretty strong Sun and HP contingent there among the SGI fanatics!

Anyway - the two packages I have built so far are the fantastic pv (Pipe Viewer) tool and Mercurial DVCS. PV is a fantastic utility that can be used to replace "cat", and displays a progress bar on stderr. See the overview for some examples of what you can do with it. Mercurial should need no introduction; I just had to make a couple of minor patches (included in the tardist and submitted upstream). I've tested both local-only repositories, as well as pushing/cloning/pulling from remote HTTP sites. The only problem I have found is that accessing SSL-enabled repositories produces warnings, due to the old version of Python in Nekoware (2.5). Apart from that, it seems to work great - and the projects do seem to get checked out, it just warns you it can't check the certificate.

Any feedback is always gratefully received; I'm sure there are still some IRIX users out there

Solaris 11 Review

I've finally had the chance to devote some time to experimenting with some of the new features in Solaris 11. This article is really just intended as a walk-through of my first few weeks using Solaris 11 - a "kick of the tyres", so to speak. There is far too much that is new for me to cover everything, so I'll be adding to this article and updating this site as I go through it. I'm also assuming the reader is familiar with Solaris 10; if you feel some parts need clarification, or if I've skipped over something you'd particularly like covered, feel free to let me know!

Download

I am a little unclear as to the new licensing restrictions around Solaris 11. My understanding (Caveat: I Am Not A Lawyer) is that it is free to use for personal and non-commercial purposes, but anything after a 30-day trial period must be licensed if you intend to use it for any kind of commercial purposes - this includes development and testing environments. You also do not get access to patches or software updates without a support contract; sadly that now includes things like BIOS and firmware updates that used to be freely available in the Sun days. All part of the new regime, I suppose - we all have to get used to contributing to Larry's yacht fund now.

Heading on over to Oracle's online store reveals that a "Oracle Solaris Premier Subscription for Non-Oracle Hardware (1-4 socket server)" starts at £672.00, which does compare favourably with Red Hat Linux. Excluding the 2-socket tier, an equivalent 4-socket Red Hat license would set you back around £1,000 and only includes a license for 1 virtual machine. More details of what's included in the support offering are at http://www.oracle.com/us/support/systems/operating-systems/index.html.

Update : An anonymous reader provides some clarification - it looks like it may not be such a great deal after all :

The list price comparison to RHEL intrigued me. I think the Solaris price is higher than £672/$1000 for the 4 socket example you're giving as according to the Oracle store description page for the 1-4 socket non-Oracle option:
"Please note, this subscription is based on the number of sockets in the system you need to support, when ordering enter the number of sockets in the quantity field."

So that'd be £672 * 4 = £2688 (or $4000). I'm assuming premier is the same sort of service + SLAs on both. The equivalent to the single socket £672/$1000 subscription would be the RHEL 2-socket premium subscription at $1299/yr. Hopefully I'm not missing anything here.

I would be interested to hear of any experiences of Oracle's support when using non-Oracle hardware, as to date (apart from some non-production environments running on HP ProLiant systems) everything I have run Solaris on has been a Sun/Oracle SPARC or x64 system, and the OS support was included under a larger company support contract. Update 2 : There's some experience of Solaris on HP kit in the comments below.

Anyway, the first step is to download the software and unlike previous Solaris releases, there's now a variety of different installation media so you have to pick the correct one for your needs. The available downloads are :

Text Install : This is very similar to the old Solaris text-mode installs (SPARC and x86) and even has the same colour-scheme and "F2_Continue" shortcuts down the bottom. Takes me right back to installing Solaris 8 on old Pentium systems!
Automated Installer : This provides a "hands-free" network installation system, and replaces the old Jumpstart system. You need to have your own IPS repository (more on that later) set up, or have access to the Internet so you can reach Oracle's IPS repository.
Live Media : This is only available for x86 systems, and is very similar to the Linux "live environments" on Ubuntu and Fedora etc. It lets you run the system off the CD and experiment with it before actually installing it. It's pretty slow and you'll need a lot of memory so I personally didn't find it of much use other than to check hardware compatibility and so on.
Repository Image : Unlike previous Solaris releases, the installation media does not contain all available packages. Instead, it contains a smaller subset of software which will allow you to get a basic system up and running. After that, you need to connect to Oracle's pkg.oracle.com server to download other packages, or use this image to either setup a local IPS server on your network (or mount it and use it as a local repository).
USB Install Images : Again, only available for x86. I didn't test this out as I didn't have a need for it, but it would be a useful addition to the Solaris Sysadmin's toolbox.
Virtual Machine Downloads : These are VM images that can be imported directly into a variety of hypervisors - could be useful for getting started quickly, but most admins will either be using the text or automated installers.

There's also a "Oracle Solaris 11 Preflight Application Checker" available, which checks an application running on Solaris 10 and indicates whether it should run without problems on Solaris 11. However, given the Solaris binary compatibility guarantee it's unlikely you'd encounter problems. In any case, you could always run a Solaris 10-branded zone under Solaris 11 - indeed, creating a Solaris 10 zone from a running system (using flash images) is a supported configuration and process.

Installation

I grabbed the x86 text installation images and installed a system using Oracle Virtualbox. As with Solaris 10, the boot menu (grub) lets you choose an install over a local terminal or serial ports. The latter option is particularly useful in an environment using Sun/Oracle servers without a graphics card - while you can use iLOM/ALOM, going straight to the serial port is much faster.

The setup starts off much the same as Solaris 7 onwards, with the usual region/keyboard selection, and then you get presented with a new menu :

1 Install Oracle Solaris
2 Install Additional Drivers
3 Shell
4 Terminal Type (currently sun-color)
5 Reboot

Choosing option 3 (Shell) drops you into a basic rescue-like environment, and typing "exit" (or hitting Ctrl-D) at any point returns you to menu. This environment is extremely useful for performing emergency maintenence or recover tasks and while you could always use "boot -s" from older Solaris installation media, it's is a very welcome addition to have it so easily available. In this shell environment "svcadm enable ssh" starts a SSH server, and if you create a new user (you can't login as root), you can also login over network.

The next screen that has noticably changed is the disks screen. UFS has been completely removed as an option, so instead of choosing your slices for filesystems, you now only get to pick which slice whould be used for the ZFS root pool. It is recommended that you use the entire disk/LUN where possible, as this lets ZFS make much better use of the underlying volume (see http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide for more information).

There is no choice as to ZFS filesystem layout, although as it can so easily be modified it really doesn't matter. Whatever slice or LUN you select is assigned to the "rpool" volume.

After the network configuration (which has changed slightly but still provides the same choices of "DHCP, Manually or None"), you reach the User creation step. This again is noticably different: Firstly, it now enforces password complexity. Secondly, you have to create a new user account as well. The traditional root account is now a role, and you can't login directly as root. Like most Linux distros, the first user account created has the ability to use sudo/RBAC to work as root when needed.

After this step, the installation starts in earnest. The install is very quick, and after the slow initial reboot (when it loads smf service descriptions), you can login.

Click the "continue reading" link for the rest of the review...

Continue reading "Solaris 11 Review"

Citrix XenServer 5.6 Review

Introduction

I've been using and evaluating Citrix XenServer now for a while, and felt I should really post a review. I haven't seen much detailed coverage of this product at the level I'm interested in, so what follows is my take on it from a Unix Sysadmin's perspective. There won't be any funky screenshots or graphics; instead, I tried to cover the sort of things I wanted to know about when I was looking at it as a candidate for our virtualization solution at work.

After all, implementing a new hypervisor is a big step, and a decision that you'll likely be stuck with for a long time. If there's anything else you'd like to know, just post in the comments section and I'll do my best to answer.

As some background: I've been using the open source Xen hypervisor as a virtualization platform, alongside VMware for Windows hosts for a good few years now at work. Part of the reason for picking Xen was that it was the standard on the systems I inherited, and also it was free and well-supported on most Linux distributions at the time. To date, I have been using CentOS as a Dom0 - as it's a free "clone" of Red Hat Enterprise Linux, it follows the same support schedules (up to 2014 for RHEL/CentOS 5.x) and is supported by pretty much every hardware vendor out there. It also has the libvirt tools built into it, as well as up to date packages for storage infrastructure such as DRBD and open-iscsi. It's well supported, and even though it is a conservative "stable" distro, point releases occur regularly with back-ported drivers and user-land updates.

With some work, you can roll your own management tools and scripts, and end up with a very flexible solution. However, it lacks some management ease of use, particularly for other systems administrators who may not be totally comfortable in a Linux environment. We also wanted to standardise on one virtualization platform if possible, and this all coincided nicely with a planned upgrade/migration off the VMware stack.

XenServer therefore presents a very attractive proposition: A well known, widely tested and supported open source hypervisor, with a superior management stack. The basic product is free, although support and enterprise features are available for a price. The prices for the advanced features are very reasonable, all the more so when you compare against VMware's offerings. Also consider that the free product allows you to connect to a wide range of networked storage systems and includes live migration, something that the free ESXi doesn't offer.

All of what follows covers the freely downloadable XenServer 5.6; Both Dell and HP offer embedded versions for some of their servers, however running and managing these systems should be near enough identical apart from the installation steps.

Update : Just after writing this, the beta of "FP1" (an update to XenServer 5.6) was announced. Full details of what will be in this update are here in the release notes. It looks like there will be plenty of significant improvements across all areas (including MPP RDAC, scheduled backups, supported jumbo frames, on-line coalescing of snapshot space and various other things of particular interest to me). Bear in mind when reading this review, that many of the little issues I have with XenServer may well be resolved in the upcoming version, and other areas may be totally overhauled. As soon as the final version is released I'll post a full update...

Update 2 : FP1 is indeed a big improvement. I've been using it in production now for a few months and should have an update soon, covering the new features such as the distributed switch, self-service portal etc.

Click the "Continue reading" link for the full review.

Continue reading "Citrix XenServer 5.6 Review"

Xenserver snapshot and template based backup script

We have recently started using Citrix Xenserver in production at work (fantastic product, see my review for more information) and needed a simple backup solution. Our VMs run from an iSCSI SAN and are backed up daily through various methods - e.g. Bacula for the Unix/Linux systems. However, we wanted the ability to quickly roll back to a previous VM snapshot, and get up and running quickly if our SAN failed for whatever reason. Our solution was to create a large shared NFS storage repository, and periodically snapshot VMs and copy the templates over to this SR. Doing this means that if the SAN fails, we can create a new VM quickly from this NFS store (using the Xenserver's local disks, or even the NFS SR itself as storage). Once up and running, we can bring VMs back up to date by restoring the latest backup to them.

In order to automate this, I wrote a quick script which I thought may prove useful to someone else, so decided to post it here : snapback.sh.

Update: This script is now being hosted at GitHub. This means you can check out the latest version from there, by doing :

git clone https://github.com/markround/XenServer-snapshot-backup.git

or accessing the raw script file at https://github.com/markround/XenServer-snapshot-backup/raw/master/snapback.sh

It is very simple, and although it may serve well as your only backup solution, it's really intended as an image-level compliment to your primary file-system based backup system such as Bacula, Amanda, Netbackup etc. It also has not had much testing, and I fully appreciate the scripting is pretty rudimentary and could do with some optimisation - there's no error checking, for instance. I kept it pretty verbose on purpose though, so you can get a good idea of exactly what it's doing at each step; it may be better to think of this as a template you can base your own scripts off!

Overview

The script creates a snapshot of a running VM on a configurable schedule, and then creates a template from this snapshot. It will copy all these backup templates over to a configurable storage repository, and then clean up any old backups according to a specified retention policy. These backups are full backups, so if you have a 10GB VM and keep 7 previous copies you will need a total of 80GB disk space on your backup VM. Non-running VMs, and those not configured (as detailed below) will be skipped.

Important: See http://support.citrix.com/article/CTX123400. After backing up each VM, you will end up with a new VDI, so you may need to manually coalesce your VDIs again to reclaim disk space.

Installation and usage

First, copy the script to your Xenserver pool master, and make it executable. A good location for this is /usr/local/bin/snapback.sh.

Next, create a cron entry for the script - to make it run daily just after 1AM, you'd create /etc/cron.d/backup with the following contents :

2 1 * * * root /usr/local/bin/snapback.sh > /var/log/snapback.log 2>&1

This will also record a log of it's actions to /var/log/snapback.log. You now need to edit the script and change the DEST_SR variable to the UUID of your backup storage repository. You can find this value by clicking on the SR in Xencenter; the UUID will be displayed as a value like "2c01dc26-f525-70d6-dedf-00baaec76645".

Lastly, you need to configure your backup and retention policy for your VMs. In Xencenter, right click your VM, and select "Properties". Click on "Custom Fields", and then "Edit Custom Fields". You should add two text fields :

backup : Can be one of "daily", "weekly", or "monthly". If it is set to weekly, it will by default run on a Sunday, and if it set to monthly, it will run on the first Sunday of the month. This day can be changed at the top of the script - see the WEEKLY_ON and MONTHLY_ON variables.
retain : How many previous backups (in addition to the currently running backup) to keep. So, setting this to a value of "2" would mean that after a backup has run, you would end up with 3 backups in total.

Adding a custom field

The script will look for these fields when it is run, and will skip any VM that doesn't have them set. You can also see them in the Xencenter summary and properties for the VM :

VM summary showing the custom fields

You can now either run the script manually, or wait until the cron job kicks off. It will produce a detailed log to the console (or log file if run through cron), and when it's finished, you'll see your template backup VMs listed in Xencenter, similar to this :

Backups listed in Xencenter

If you find that this clutters up the Xencenter view a little, you can always hide them (View->Server View->Custom Templates). To restore a VM from a backup, just right click, and choose "New template from backup". Anyway, I hope this helps someone else!

The setting sun

Well, that's that, then. Solaris as we knew it is pretty much dead. I've suspected for a while now that Oracle's intentions regarding Solaris were not what the community, or us "old-school" Solaris sysadmins wanted or had hoped for.

In the last few months, Oracle have completely alienated and scared off the community around OpenSolaris, killed any lines of communication by clamping down on employee blogs and have ignored open letters from highly influential and important community members begging for any kind of information. Theyve forbidden Sun/Oracle employees from heading up the Solaris user groups and booted the meetings out of their buildings; turned Solaris 10 into a 90-day trial, and pushed back the 2010.x release of OpenSolaris with no word as to its planned release date, or even if it is being continued as a product. And now, in a final act of desperation, the OGB has essentially threatened to "shoot itself in the head".

Even ignoring the OpenSolaris project, It's not at all rosy in "real" Solaris land, either. Requests for information and clarification are going unanswered, and I know of several managers who have had hardware quotes and support tickets ignored - there's a near total blackout of information from Oracle. People are fleeing Solaris in droves, and migrating to anything they can: Linux, FreeBSD (Dtrace and ZFS), AIX - hell, even HP-UX looks like a safer bet at the moment. And I never thought I'd find myself saying that!

It certainly appears that Oracle are doing a superb job of killing Solaris. But why would they do this, having paid all that money for Sun and announcing that they will increase spending on Solaris development ?

Well, this post on Slashdot (allegedly from a Sun/Oracle employee) confirms my suspicions as to why they may be doing this. Oracle just really doesn't care about Solaris as a general purpose data centre OS any more. There's just no money in it, and although I personally find it tragic it does make sense. It's probably also why they're killing all their OEM deals - why help a competitor sell hardware, when all you'll see from it is a possible support contract for the OS ? Oracle's overall aim is to have Solaris relegated to the role of running as the bottom layer in an Oracle "database machine", Java appserver bundle or inside a "Fishworks" storage appliance.

It excels at these tasks, and it would obviously fit into Oracle's stated goal of being a one stop shop, where if you want to run Oracle, they'll sell you the bundle - hardware, storage, OS and software. If they no longer want Solaris to be a dominant general purpose OS, then their approach makes sense. They don't need a "community" around the product, they don't need open source developers porting applications to it, and they certainly don't need the overhead of running and managing a community portal any more. Unless you are running (and paying for) Oracle applications on Solaris, you're probably more of an annoyance to them at the moment and I get the very strong idea that they'd rather you just quietly went elsewhere.

I just wish that if this was their plan, they'd make some sort of statement about it; rather than ignoring the Solaris community in the hopes that they'll eventually get frustrated and leave without Oracle having to spell it out for them. I think the way they are going about it reprehensible and it's a tragic end for such a historic and innovative OS. Sadly though, Larry is all about the bottom line and the old, altruistic Sun approach just wasn't bringing in the big bucks. As the Slashdot poster said : "Profit is king here. Anything else is overhead, and overhead eats into Larry's yacht fund."

Edit: Now it's official : http://www.theregister.co.uk/2010/08/13/opensolaris_is_dead/

Centreon review

One of my favourite interview questions I used to ask candidates was a variation of "Desert Island Discs" : Imagine you are going off to be a sysadmin on a desert island, with no internet access, and further imagine that the previous sysadmin was a total fascist with a minimalist install policy. We're talking a bare-bones "classic" Solaris installation, or a minimal Debian system here. You've got SSH installed, but not much else. Before you hop on the boat, however, you are given a couple of hours high-speed internet access and a USB stick. You can take up to 5 tools with you to this desert island: What do you pick ?

It was always an interesting question to ask, because it gave you an insight into the kind of sysadmin tasks someone had been doing before, and it also served as a nice, relaxed "ice breaker" type question. For my money, aside from some tools like rsync and screen which I couldn't live without, a decent monitoring package would have to be top of my priorities. There are a bunch out there: some of them free; some of them commercial, but the one that would make it on to my USB stick would have to be Nagios.

It's open source, extremely well documented and widely implemented, and there are a ton of useful add-ons and plugins available for it. The only draw backs I can find with it are it's ugly web interface, the complexity involved in setting up a new system for monitoring, and the disjoint between availability and performance monitoring. If you have money to throw at a problem, then software like Uptime or Hyperic neatly deal with all of these issues, but they can be quite pricey if you have a large number of systems to manage and a tight budget.

So, you can imagine my excitement when I first discovered Centreon. It's essentially a monitoring platform that uses Nagios at it's core. You could think of it as a fancy frontend to "stock" Nagios, but it's so much more than that: besides the attractive interface, it also bridges the gap between availability and performance monitoring, and makes Nagios administration a snap. Due to the reliance on Nagios though, I'd go so far as to say that before you experiment with Centreon, you really should have set up "stock" Nagios, and be familiar with the plugin architecture, NRPE and how alerts / escalations are managed. Ideally, you should have a stock Nagios installation you can use to duplicate on Centreon/Nagios.

Continue reading "Centreon review"

Cacti iostat scripts now support FreeBSD

Thanks to the awesome work of Boogie Shafer, there is now a FreeBSD port of my iostat scripts and templates for Cacti. I have included the modified tarball that was sent to me, this is inside the archive as "cacti-iostat-1.x-boogie_freebsd_linux_changes.tar.gz".

FreeBSD users should unpack this archive and follow the instructions inside. I have not had time to go through and merge these changes into one unified distribution yet, but as people were asking for the FreeBSD port, here it is! The next release of these scripts should see the FreeBSD scripts and templates etc. merged in, much the same as the Solaris modifications by Marwan Shaher and Eric Schoeller.

Follow the link to the original post to find the download link.

Dell MD3000i

I've just got a new array to play with at work for a small Xen virtualisation setup. It's the Dell MD3000i, which I've seen a few posts about before but though I'd chime in with my experiences. It is a budget array, but I have to say for the price it's not a bad bit of kit.

We've got it configured with dual controllers, 8x300Gb and 7x146GB 15k SAS drives. Throughput is around GigE wire speed - 110MB/s for both reads and writes. I'm also seeing a respectable IOPS figure depending on workloads: During an iozone run, I could see it sustaining around 1.5k IOPS.

True, the management features fall a little short when compared to the usual Sun and NetApp storage kit I'm used to, but it does the job. My main gripes are :

No built in graphing (seriously, Dell - WTF?), but you can do it from the CLI - see here.
Can't resize or change the I/O profile of a virtual disk once it's setup. This is a real pain, so make sure you set things up correctly the first time! You can however change the RAID level of a disk group once it's been created.
You need a Windows or RHEL box to run the administration GUI on - I'm sure you can probably hack a way to get the CLI running under Debian, but I haven't tried. You're probably straight out of luck if you want to run it on anything else like Solaris.
Can't mix SAS and SATA in the same enclosure. The controllers do support SATA as well as SAS, although SATA drives don't show up as options in the Dell pricing configuration thingy. Our account manager advised us that although technically you can mix SAS and SATA in the same enclosure, they'd experienced a higher than average number of disk failures in that configuration, due to the vibration patterns created by disks spinning at different rates (15K SAS and 7.2K SATA). If you need to mix the two types, your only real option is to attach a MD1000 array to the back (you can add up to two of these) and have each chassis filled with just one type of drive.

The hardware failover works nicely - the array is active/passive for each virtual disk, as both controllers are typically active, each handling separate virtual disks for load-balancing purposes. When a controller fails, the remaining "good" controller takes over the virtual disks or disk groups from the failed controller. Failback is pretty transparent - the GUI guides you through the steps, but I found that simply inserting a replacement HD/Controller/etc. just did the job automagically.

Multipath support under RHEL/CentOS with multipath-tools (dm-multipath) works fine with some tweaking - it uses the RDAC modules which lead to some oddness on CentOS 5.3. What tends to happen is that the first time device mapper picks up the paths, RDAC doesn't get a chance to initialise things properly (scsi_dh_rdac module isn't loaded) so you end up with all sorts of SCSI errors showing up in your logs. After flushing your paths (multipath -F) and restarting multipathd, things are OK. This is apparently fixed in RHEL 5.4, so should make it's way out to CentOS from there. I'm unsure what the status is on other distros, though.

It also works great with Citrix Xenserver, although you have to use MPP-RDAC instead of DM-Multipath due to performance issues with the latter.

My multipath.conf contains the following :

devices {
        device {
                vendor "DELL"
                product "MD3000i"
                product_blacklist "Universal Xport"
                path_grouping_policy group_by_prio
                getuid_callout "/sbin/scsi_id -g -u -s /block/%n"
                path_checker rdac
                prio_callout "/sbin/mpath_prio_rdac /dev/%n"
                hardware_handler "1 rdac"
                failback immediate
        }
}

And with everything working, multipath -ll shows :

360026b90002ab6f40000056a4aa9e87b dm-12 DELL,MD3000i
[size=409G][features=0][hwhandler=1 rdac][rw]
_ round-robin 0 [prio=200][active]
 _ 21:0:0:1  sdi 8:128 [active][ready]
 _ 22:0:0:1  sdj 8:144 [active][ready]
_ round-robin 0 [prio=0][enabled]
 _ 20:0:0:1  sdg 8:96  [active][ghost]
 _ 23:0:0:1  sdh 8:112 [active][ghost]

Update: It looks like the admin tool and SMcli are just shell script wrappers that run Java apps. I tried a quick'n'dirty hack of installing everything under RHEL, tarring up /opt/dell and /var/opt/SM and then transferring them over to a Debian Lenny host. All I had to change was the #!/bin/sh to #!/bin/bash at the top of the SMcli and SMclient wrappers, and they seem to work. I haven't put them through any serious testing though...

Building a redundant iSCSI and NFS cluster with Debian - Part 5

This is part 5 of a series on building a redundant iSCSI and NFS SAN with Debian.

Part 1 - Overview, network layout and DRBD installation
Part 2 - DRBD and LVM
Part 3 - Heartbeat and automated failover
Part 4 - iSCSI and IP failover
Part 5 - Multipathing and client configuration
Part 6 - Anything left over!

In this part of the series, we'll configure an iSCSI client ("initiator"), connect it to the storage servers and set up multipathing. Note : Since Debian Lenny has been released since this series of articles started, that's the version we'll use for the client.

If you refer back to part one to refresh your memory of the network layout, you can see that the storage client ("badger" in that diagram) should have 3 network interfaces :

eth0 : 172.16.7.x for the management interface, this is what you'll use to SSH into it.

And two storage interfaces. As the storage servers ("targets") are using 192.168.x.1 and 2, I've given this client the following addresses :

eth1: 192.168.1.10
eth2: 192.168.2.10

Starting at .10 on each range keeps things clear - I've found it can help to have a policy of servers being in a range of, say, 1 to 10, and clients being above this. Before we continue, make sure that these interfaces are configured, and you can ping the storage server over both interfaces, e.g. try pinging 192.168.1.1 and 192.168.2.1.

Assuming the underlying networking is configured and working, the first thing we need to do is install open-iscsi (which is the "initiator" - the iSCSI client). This is done by a simple :

# aptitude install open-iscsi

You should see the package get installed, and the service started :

Setting up open-iscsi (2.0.870~rc3-0.4) ...
Starting iSCSI initiator service: iscsid.
Setting up iSCSI targets:
iscsiadm: No records found!

At this point, we have all we need to start setting up some connections.

Continue reading "Building a redundant iSCSI and NFS cluster with Debian - Part 5"

Updated Cacti iostat package now supports Solaris

Just a quick update to my Cacti iostat monitoring scripts and templates - thanks to the work of Marwan Shaher and Eric Schoeller, the package now supports Solaris! The updated package is available here : cacti-iostat-1.4.tar.gz.

I have also updated the original blog post with the new package.

Oracle to buy Sun

My response to today's news:

Cracking dictionary passwords

I was talking a few days ago, and the subject of password security came up. Now, we all know that we're supposed to pick a secure password, use at least 8 characters and never to pick a word from the dictionary. But then I was asked how long it would take to brute-force a password using a dictionary attack, and I had to admit I had no idea. I knew it would only be a matter of minutes, but wanted to give it a try.

So, For anyone who is interested, I knocked up a quick BASH script to compare a MD5 hashed password against the contents of /usr/share/dict/words, which on a Red Hat 5.3 system contains 479,623 words. The script is as follows :

#!/bin/bash
TARGET_HASH=$1
while read WORD; do
        WORD_HASH=$(echo $WORD | md5sum | awk '{print $1}')
        if [ "$WORD_HASH" == "$TARGET_HASH" ]; then
                echo "Found match!"
                echo "Password is : $WORD"
                exit
        fi
done < /usr/share/dict/words

Now, this was just a quick hack to satisfy my curiosity, and only something I threw together after a few seconds. Of particular relevance is the fact that it's a shell script, and uses a lot of forking to generate the MD5 hashes of the dictionary. If I wrote it in C, I'm sure it would be faster by an order of magnitude.

But anyway, on to the test - I created a MD5 phrase for it to crack, and timed it :

# time ./crack.sh 3a783fb2aa3a2318499f0a60d7ef6078
Found match!
Password is : hedgehog

real    8m43.432s
user    1m48.410s
sys     8m27.030s

Not bad - just under 9 minutes. Obviously, that'd take longer if I used a word starting with "x" or "z"! I then realised it would be a lot faster if I generated a "compiled" version of the dictionary file with the MD5 hashes preprepared :

while read WORD; do echo "$WORD:$(echo $WORD | md5sum | awk '{print $1}')"; done < /usr/share/dict/words  > md5.txt

Obviously, I could then generate compiled dictionary files for each hashing algorithm I wanted to crack (assuming that they are non-Salted algorithms). This took around 30 minutes, but now I don't have to generate the hashes again, all I need to do is check against the second column of the file for a match. It is also irrelevant whether the word lies near the start or end of the file, it now takes about the same time to find a match :

# time grep ac23b37db0039dda62896bb21f312755 md5.txt | cut -d':' -f1
aardvark

real    0m0.019s
user    0m0.008s
sys     0m0.011s

# time grep 981fe627ab4906b677ce9d3e6eff499f md5.txt | cut -d':' -f1
zoology

real    0m0.019s
user    0m0.006s
sys     0m0.014s

So there you have it. It was an interesting way to spend a few minutes, and I now have an answer whenever someone asks "how long would it take to crack a password based on a dictionary word": Assuming you have the compiled hash files, around 0.019 seconds.

OpenVPN on Windows XP and Vista

Just a quick post this time, as I thought this may help others in the same situation I found myself in recently. At work, we've been using OpenVPN which works a treat with Unix clients; Windows clients (Vista in particular) were more problematic, though.

None of our regular users have admin privileges (for obvious reasons), but this caused problems with the routing setup: users could use the GUI tool, but could not create the necessary routes required to direct traffic over the VPN. We experimented for a while with setting up persistent routes, but this didn't work for multiple users. I'd read all kinds of posts about running the executables as an Administrator, disabling Vista UAC, registry tweaks and other voodoo - either they didn't work, or they were unacceptable in our environment.

I then hit upon a simple workaround that also seems to work on Windows XP: Just add the user to the "Network Configuration Operators" group:

Administrative Tools -> Computer Management -> Local Users and Groups -> Groups -> Network Configuration Operators

Now, everything works right out of the box on Vista SP1 with the 2.1RC builds of OpenVPN (OpenVPN 2.1_rc15 was the version we tested). You have to install this as an Administrator, and you do have to be happy with giving your VPN users slightly elevated privileges - but at least it stops way short of having to give them administrator rights.

For reference, here's the client config file as well :

client
script-security 3 system
dev tun
proto udp
remote  1194
nobind
persist-key
persist-tun
ca ca.crt
cert .crt
key .key
cipher BF-CBC 
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2

Building a redundant iSCSI and NFS cluster with Debian - Part 4

This is part 4 of a series on building a redundant iSCSI and NFS SAN with Debian.

In this part, we'll configure Heartbeat to manage IP address failover on the two storage interfaces. We'll also install and configure an iSCSI target to provide block-level storage to clients.

Continue reading "Building a redundant iSCSI and NFS cluster with Debian - Part 4"