Ronan FOUCHER

gzip/dd/scp/netcat reminder: transferring a huge file (and resuming it if it fails)

by Ronan FOUCHER on July 14, 2010, under Network, Unix / Linux, Unix : Sun Solaris

One reason why I love our database administrator is that he faces some really interesting problems!

For example, last week he tried to copy a huge mysqldump from a slave in Datacenter 1 to another MySQL server in our Datacenter 2... and I helped him optimize those recurring transfers between our datacenters...

We studied different solutions to improve the transfer speed and found some ways to resume a transfer when it fails.

1- What you should not do: gzip / scp / gunzip

gzip -c mysqldump.sql > mysqldump.sql.gz
scp mysqldump.sql.gz root@master_dc2:/var/database/tmp/
ssh root@master_dc2 "gunzip /var/database/tmp/mysqldump.sql.gz"

Naaarf... not the best choice: you have to zip your data, then copy it (using encryption), and unzip it on the remote server...

Some reasons why I don't like this solution:

  • All steps are serialized (we'll see later that we can avoid at least one step)
  • Step 1 needs a lot of reads from and writes to disk, which is really slow
  • Step 1 requires a lot of CPU
  • Step 2 needs CPU to encrypt all your data, and reads on slave@dc1 and writes on master@dc2
  • Step 3 has the same issue as step 1
  • Step 3 needs a large hard drive (i.e. if your dump is 50GB zipped, you will need at least 100GB on your hard drive)

This solution failed because of the last point: we don't have enough available space to store both the zipped file and the unzipped data.

2- What you can do: gzip / ssh / gunzip

Another solution avoids the write on server 1 and the read on server 2 of steps 1 and 2:

gzip -1 -c mysqldump.sql | ssh root@master_dc2 "gunzip -c - > /var/database/tmp/mysqldump.sql"

This reads the file mysqldump.sql, zips it (-1 for fast compression) and pipes the result directly to master@dc2.

The master directly unzips the stream and writes the unzipped data to its hard drive.

The result is that you never write on slave@dc1 and write only once on master@dc2.

One reason why I don't use this solution every time:

  • it requires a lot of CPU, both for the encryption and for pushing the data through ssh.

3- What you should do: gzip / netcat / gunzip

As said before, ssh is not the fastest way to transfer data because of the encryption.

When you have a dedicated dark fiber between your datacenters, you can use netcat to send the raw bits over the fiber.

Open a listening socket on the receiving server:

root@master_dc2# nc -l -p 9999 | gunzip -c > /var/database/tmp/mysqldump.sql

Start sending raw packets over the network

root@slave_dc1# gzip -c mysqldump.sql | nc -q 1 master_dc2 9999

4- What you could do: tar / netcat

Pay attention to the location of your file: tar keeps the relative path, so it must be the same on both sides.

Open a listening socket on the receiving server:

root@master_dc2# nc -l -p 9999 | tar xvzf -

Start sending raw packets over the network

root@slave_dc1# tar zcvf - mysqldump.sql | nc -q 1 master_dc2 9999

5- Resume your transfer after a network failure

Of course, when you're sending more than 35GB over the network, it is hard to be sure that the connection won't break when you have already sent 30GB...

To have a solution to this type of problem, we did some tests with different protocols:

Sending data via SCP

To transfer files on our local network, we always use scp, because of the encryption and because RSA/DSA key exchange lets us script our transfers.

Even if it's rare, we sometimes face network failures during a transfer, so we found this solution:


root@slave_dc1# scp mysqldump.sql.gz  root@master_dc2:/var/database/tmp/

If the connection breaks during an ssh transfer (scp does not support resuming), you can use rsync...


root@slave_dc1# rsync --partial --progress -e ssh mysqldump.sql.gz root@master_dc2:/var/database/tmp/

Sending data via FTP

One of our partners does not support sftp connections, so we have to use ftp with encrypted files to send them some information...

The solution when you lose the connection during the transfer is to use dd to split the file and send only the missing data.

Obviously, we need to know that ftp copies files sequentially, and this is the key to resuming the transfer.

How it works:


root@slave_dc1# ls -al myfiletocopy.log
-rw-rw---- 1 mysql mysql 35704013289 2010-07-14 18:31 myfiletocopy.log
root@slave_dc1#ncftpput -u ronan -p ronan partners.org /remoteronan myfiletocopy.log
-----failed transfer----
root@slave_dc1#ncftpls "-al" -u ronan -p ronan ftp://partners.org/remoteronan/myfiletocopy.log
-rw-rw-rw- 1 ronan ftp 25462988800 Jun 22 2008 VIRG_VALID_200806.zi

Did you see that?

  • Original file size: 35704013289
  • Remote file size: 25462988800
  • What is missing: 10241024489, so approximately 10241024000 (divisible by 1024)

Let's try to send what is missing.

The common block size on Linux is 1024, so we use it to be as fast as possible:

Local Site


root@slave_dc1# dd if=myfiletocopy.log iseek=10001000 bs=1024 | nc -l -p 2121

Remote Site


root@partner# nc mycompany.com 2121 | dd of=myfiletocopy.log seek=10001000 bs=1024

You can change the block size, but 1024 is a common value on ext3 partitions, so your system will be able to cut your file really quickly when it reads it from the hard drive.
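
As an added example (not from the original post), here is a POSIX shell function that generalizes the dd resume above. It takes the number of bytes the receiving side already holds (what ncftpls reports in the ftp case), skips exactly that many bytes with dd, and appends the rest; tail trims the leftover partial block, so the offset no longer has to be rounded to a multiple of 1024. The local append stands in for the nc pipe of the post, and the resumed copy is compared with cmp before it is trusted, since neither ftp nor raw netcat checks the integrity of what arrived. The function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: resume a copy that stopped
# part way, with dd skipping exactly what the receiving side already holds.
# Assumptions: src is the complete file on the sending side, dst is the
# partial copy as left by the failed transfer; both are local here and the
# append stands in for the nc pipe of the post. bs=1024 as in the post.
# Function and file names are hypothetical.

file_size() {
  # wc -c gives the byte count; tr strips the padding some wc versions print
  wc -c < "$1" | tr -d ' '
}

resume_copy() {
  src=$1 dst=$2 bs=1024
  [ -e "$dst" ] || : > "$dst"          # nothing arrived yet: start at offset 0
  want=$(file_size "$src")
  have=$(file_size "$dst")             # in the ftp case: the size ncftpls shows
  if [ "$have" -ge "$want" ]; then
    echo "nothing to resume: $have of $want bytes already present" >&2
    [ "$have" -eq "$want" ] && cmp -s "$src" "$dst"   # a longer dst is a failure
    return
  fi
  # Skip the bytes already present, not the missing amount. dd skips whole
  # blocks; tail -c +N then drops the leftover partial block, so the offset
  # does not need to be a multiple of the block size.
  blocks=$((have / bs))
  rest=$((have % bs))
  dd if="$src" bs="$bs" skip="$blocks" 2>/dev/null | tail -c +$((rest + 1)) >> "$dst"
  # Never trust a resumed transfer unchecked: compare size, then contents.
  [ "$(file_size "$dst")" -eq "$want" ] && cmp -s "$src" "$dst"
}

# Usage: sh resume.sh /path/to/complete.log /path/to/partial.log
if [ $# -eq 2 ]; then
  if resume_copy "$1" "$2"; then
    echo "resumed and verified"
  else
    echo "resume failed verification" >&2
    exit 1
  fi
fi
```

Over a network the two halves split as in the post: the dd | tail pipeline feeds `nc -l` on the sending side and the receiver appends its `nc` output to the partial file, after which both sides compare a checksum of the whole file.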

++


Tips & tricks: LSOF, troubleshoot your Linux

by Ronan FOUCHER on May 06, 2010, under Network, Unix / Linux, Unix : Sun Solaris

One of the most useful tools for Unix debugging is lsof; I use it many times, for many problems, in day-to-day monitoring and debugging.
It just lists all files opened by processes, no more no less, but because on *NIX systems everything IS a « file », this gives you a lot of information on your system's usage (e.g. ttys, directories, sockets, pipes, memory mappings).

1 – List all open files used on your system.

gollum:~# lsof

2 – Unmounting a partition

You're trying to unmount /dev/sdd1, but it is still in use by a process or a user:
gollum:~#lsof /dev/sdd1
Then kill each process (or user session) to free the partition.
=> aggressive mode:
gollum:~#kill `lsof -t /dev/sdd1`

Find issues with users' scripts

List all connections on your server opened by/for non-root users
gollum:~#lsof -i -u^root
List all files on your server used by/for user_ronan
gollum:~#lsof -u user_ronan

Find all open files in a directory, recursively.
gollum:~#lsof +D /usr/lib64/

- with the +D argument, lsof returns all open files in the specified directory and its subdirectories.
Another way is to use grep (but if your system is using ia32, or if you're looking through symlinks, the +D argument will be necessary)
gollum:~#lsof | grep '/usr/lib64/'

Find issues with programs

Find all open files by program name.
gollum:~#lsof -c mysql
- with the -c argument, lsof returns all files opened by/for processes whose name begins with 'mysql'.

You can combine multiple options using -a (AND):
gollum:~#lsof -a -c apache +D /usr/lib64/

If you don't specify the -a option, by default lsof returns an « OR » result:
gollum:~#lsof -c apache +D /usr/lib64/

And you can use '^' (read it as "except") to find all files opened by all processes except PID 1:
gollum:~#lsof -p ^1

Find issues with space left

df and du do not match...

You probably have files that have been deleted while one or more processes still keep them open.
The system preserves the file and its blocks, even though it appears to be deleted from the filesystem.

gollum:~#lsof +L1
Another way:
gollum:~#lsof | grep deleted
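
As an added example (not from the original post), the awk below turns the `lsof | grep deleted` output into an accounting of how much disk space is still pinned by deleted-but-open files, which is exactly the df/du gap. It assumes lsof's default column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); the same inode opened through several descriptors or processes is counted once, since its blocks are only released when the last descriptor closes. The lsof lines are constructed sample output and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: account for disk space held by
# files that were deleted while still open (the df vs du mismatch).
# Assumes lsof's default columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# Function names are hypothetical; the sample below is constructed lsof output.

# Unique regular files still open but unlinked: one line per inode, then a total.
deleted_space_report() {
  awk '
    # keep regular files whose NAME ends in "(deleted)"; DEVICE+NODE identify
    # the inode, so a file open through several fds/processes is counted once
    / \(deleted\)$/ && $5 == "REG" && !seen[$6 SUBSEP $8]++ {
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i   # NAME may contain spaces
      printf "%-10s pid=%-6s %12d %s\n", $1, $2, $7, name
      total += $7
    }
    END { printf "%-10s %-10s %12d bytes held by deleted-but-open files\n", "TOTAL", "", total + 0 }'
}

# Same selection, total only (bytes), for scripting and alert thresholds.
deleted_space_total() {
  awk '/ \(deleted\)$/ && $5 == "REG" && !seen[$6 SUBSEP $8]++ { t += $7 }
       END { printf "%d\n", t + 0 }'
}

# Constructed sample of what "lsof -nP" could show; syslog.1 is held by two
# processes on purpose, to show that it is counted once.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE   SIZE/OFF   NODE NAME
mysqld     1234    mysql    5u   REG    8,1 1073741824 131073 /var/lib/mysql/tmp/ibTMP01 (deleted)
mysqld     1234    mysql    6u   REG    8,1  524288000 131074 /var/lib/mysql/tmp/ibTMP02 (deleted)
rsyslogd   2345     root    7w   REG    8,1   20480000 262145 /var/log/syslog.1 (deleted)
logrotate  2346     root    3r   REG    8,1   20480000 262145 /var/log/syslog.1 (deleted)
apache2    3456 www-data    4r   REG    8,1       4096 393217 /var/www/index.html
apache2    3456 www-data    8u  IPv4  12345        0t0    TCP *:80 (LISTEN)
EOF
)

# Demo on the constructed sample; on a live system: lsof -nP | deleted_space_report
printf '%s\n' "$SAMPLE_LSOF" | deleted_space_report
```

On a live system pipe the default layout (`lsof -nP | deleted_space_report`); the +L1 form inserts an NLINK column before NODE and would break the inode key. Restarting or signalling the owning PID is what actually frees the blocks, and this report tells you which one is worth it.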

Too many open files issue

Find the top 10 processes with the most open files.
gollum:~#lsof | awk '{printf("%s (%s)\n", $1, $2)}' | sort | uniq -c | sort -rn | head

You can check the number of files opened by a process using

gollum:~#ps -ef | grep 'MyScripts*.sh' | grep -v grep | awk '{print $2}'
46899
gollum:~#lsof -p 46899
gollum:~#lsof -p 46899 | wc -l

This gives you an idea of the files your script opens.
(For more than one process, just separate the PIDs with commas.)

gollum:~#ps -ef | grep 'MyScripts*.sh' | grep -v grep | awk '{print $2}'
46800
46801
46802
gollum:~#lsof -p 46800,46801,46802

And what about the network?

As said before, everything on Linux is a file, so IP sockets can also be listed using lsof, which helps you learn more about your system's IP usage.
(Of course you can also use netcat or netstat for some of these examples.)

List all open IP sockets

gollum:~#lsof -i
gollum:~#netstat -anp

lsof with the -i option lists all processes with open Internet sockets (TCP and UDP).
List all TCP network connections.
gollum:~#lsof -i tcp
List all UDP network connections.
gollum:~#lsof -i udp

You can check if a port is open and which process is bound to it:
gollum:~#lsof -i :80
You can also use a service name listed in /etc/services:
gollum:~#lsof -i :www

Problems with NFS sharing

You can list all NFS files in use:
gollum:~#lsof -N

Another way to find this information

lsof uses the information in /proc/$PID/ (man 5 proc) to list the files opened by a process.
Of course you can debug a process yourself using commands like

gollum:~#cat /proc/1/maps | awk '/\//{print $6}' | uniq


CISCO VSS configuration: a reliable solution for the datacenter's LAN

by Ronan FOUCHER on April 01, 2010, under Network

1 – Introduction

A good way to get a reliable LAN in your datacenter, without configuration replication problems, is to use the Cisco VSS solution.

Basically, you configure a « Virtual Switch » instead of configuring two switches, and you still have the advantage of hardware redundancy.

The solution, named Virtual Switching System 1440 (VSS) on the Catalyst 6500, creates a single virtual switch from two 6500 switches.

Some interesting features are:

  • Redundancy of hardware and links
  • High availability of the supervisor (active/standby chassis)
  • Useful system management

Hardware needed

  • We use a Sup720-10GE uplink on both 6506
  • DFC3C in conjunction with the PFC3C supervisor
  • 2 Cisco 3750 StackWise 48 ports for top-of-rack switching
  • Ethernet bonding on the servers (round-robin or 802.3ad)

With this configuration you SHOULD not have any single point of failure...

Cisco VSS 6500

2 – Description

The Virtual Switching System is based on the Virtual Switch Link (VSL), a dedicated 10GE link (or a link aggregation of up to 8 links) that creates an extension of the backplane between the two 6500s.

The VSL carries control and data traffic between the VSS members through an EtherChannel. Basically you have only one configuration and one MAC address, for the 6500 VSS configuration as well as for the 3750 configuration.

The logical NAD gives you an idea of how much simpler the configuration becomes with these technologies.

3 – Configuration

3.1 – Enable the required features

The VSS works in « active » / « hot standby » mode. The supervisor manages this feature using Stateful SwitchOver (SSO) and NonStop Forwarding (NSF).

First Router : RTR_TEST1


RTR_TEST1# conf t
RTR_TEST1(config)# redundancy
RTR_TEST1(config-red)# mode sso
RTR_TEST1(config-red)# exit
RTR_TEST1(config)# router ospf 10
RTR_TEST1(config-router)# nsf
RTR_TEST1(config-router)# end

Second Router : RTR_TEST2


RTR_TEST2# conf t
RTR_TEST2(config)# redundancy
RTR_TEST2(config-red)# mode sso
RTR_TEST2(config-red)# exit
RTR_TEST2(config)# router ospf 10
RTR_TEST2(config-router)# nsf
RTR_TEST2(config-router)# end

3.2 – Virtual Switch Domain configuration

The Virtual Switch Domain defines the group id (1-255) of the virtual switches.

First Router : RTR_TEST1

RTR_TEST1# conf t
RTR_TEST1(config)# switch virtual domain 100
RTR_TEST1(config-vs-domain)# switch 1

Second Router : RTR_TEST2


RTR_TEST2# conf t
RTR_TEST2(config)# switch virtual domain 100
RTR_TEST2(config-vs-domain)# switch 2

3.3 – Configure switch priorities

If you need to know which of your switches is active by default, you can enforce it through priorities: give the higher priority to the switch you want to be active.

For example, if you prefer that RTR_TEST1 becomes the active router, you just have to set the following options:


RTR_TEST1(config-vs-domain)# switch 1 priority 120
RTR_TEST1(config-vs-domain)# switch 2 priority 110

3.4 – Configure the Virtual Switching Link (Port Channel)

First Router : RTR_TEST1

RTR_TEST1(config)# interface port-channel 10
RTR_TEST1(config-if)# switch virtual link 1
RTR_TEST1(config-if)# no shutdown
RTR_TEST1(config-if)# exit
RTR_TEST1(config)# interface range tenGigabitEthernet 3/4 - 5
RTR_TEST1(config-if-range)# no shutdown
RTR_TEST1(config-if-range)# channel-group 10 mode on
RTR_TEST1(config-if-range)# end

Second Router : RTR_TEST2


RTR_TEST2(config)# interface port-channel 20
RTR_TEST2(config-if)# switch virtual link 2
RTR_TEST2(config-if)# no shutdown
RTR_TEST2(config-if)# exit
RTR_TEST2(config)# interface range tenGigabitEthernet 3/4 - 5
RTR_TEST2(config-if-range)# no shutdown
RTR_TEST2(config-if-range)# channel-group 20 mode on
RTR_TEST2(config-if-range)# end

3.5 – Applying the VSS configuration

Currently your configuration is not complete; you'll need to « convert » your routers to VSS mode:

Check that the PFC mode is PFC3C (VSL)

RTR_TEST1#show platform hardware pfc mode

If not, set the PFC operating mode:

RTR_TEST1(config)#platform hardware vsl pfc mode pfc3c

Then launch the conversion (you should be prompted to confirm the action [yes])

RTR_TEST1#switch convert mode virtual
RTR_TEST2#switch convert mode virtual

Executing this command requires a reload to merge both switches' configurations, renumber all ports and negotiate NSF/SSO etc. between chassis and supervisors.

This step creates the VSS system. It converts all interface names into a three-part notation: chassis/slot/port.

4 – Status commands


RTR_TEST1#show switch virtual
RTR_TEST1#show switch virtual role
RTR_TEST1#show switch virtual link

You can now configure your EtherChannel to your stacked 3750.


Set up your network for 802.1x and VLAN segmentation

by Ronan FOUCHER on March 26, 2010, under Network

A good way to improve security in your local network is to use ACLs and VLANs on your LAN.

But configuring your network with a lot of VLANs quickly becomes boring and hard to maintain.

A good solution is to use 802.1x to set the VLAN during user authentication.

This allows you to have the same configuration on all ports of your switches, and to segment with VLANs during the authentication of the users of your network.

In this article I will describe how to set up your Active Directory and RADIUS servers to manage the security, and the configuration of a Catalyst 2960 for 802.1x. This article will not describe the ACL configuration; it only explains how to split your services into different subnets.

1- Introduction

You will find below the NAD of the network. We will split 3 services, for example Admin, Support and Project:


  • Vlan 10 : 10_VLAN_Admin
  • Vlan 11 : 11_VLAN_Support
  • Vlan 12 : 12_VLAN_Project

We use 3 computers connected through IP phones to the 2960. The VLAN for the IP phones is VLAN 220.

2- Update the switch to the latest version:

To get the 802.1x solution working, your switch MUST run version 12.2(44r)SE1 (at least).

2.1- Download the latest version to your switch using TFTP

TFTP server on 192.168.1.2

You can use Tftpd32 on Windows to serve the IOS binary.

DIST_04#copy tftp: flash:
Address or name of remote host [192.168.1.2]?
Source filename [c2960-lanbasek9-mz.122-50.SE3.bin]?
Destination filename [c2960-lanbasek9-mz.122-50.SE3.bin]?
Accessing tftp://192.168.1.2/c2960-lanbasek9-mz.122-50.SE3.bin…
Loading c2960-lanbasek9-mz.122-50.SE3.bin from 192.168.1.2 (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

2.2- Set your new version to be used after the next reload

DIST_04#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DIST_04(config)#boot system flash:/c2960-lanbasek9-mz.122-50.SE3.bin

2.3- Configure your switch for ssh authentication

enable secret 5 $1$EEte$azzzzzzABAIrVDF0
username Administrator secret 5 $1$R1.T$oizajedfpazdXqNYXVbWf4.
aaa authentication login default local
ip domain-name virgin.fr
crypto key generate rsa
line con 0
line vty 0 4
privilege level 15
length 0
transport input ssh
line vty 5 15

2.4- Save and reload your configuration before configuring 802.1X, for rollback

write
reload


3- Configure the VLANs on the inter-VLAN router

3.1- Configure VTP on your inter-VLAN router

Wikipedia: VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of Virtual Local Area Networks (VLAN) on a network-wide basis. This shares the VLAN database of your inter-VLAN router to simplify the configuration of your network.

conf t
vtp domain Test_VTP
vtp password MyVTPPASSWD
vtp mode server

3.2- Configure your VLANs

We will create 3 VLANs, one for each service of the company:

  • Vlan 10 : 10_VLAN_Admin
  • Vlan 11 : 11_VLAN_Support
  • Vlan 12 : 12_VLAN_Project

3.3- Set your new VLANs in the database

vlan database
vlan 10 name 10_VLAN_Admin
vlan 11 name 11_VLAN_Support
vlan 12 name 12_VLAN_Project


3.4- Configure the VLAN interfaces of your router

The helper address is used to forward DHCP requests to the DHCP server (192.168.1.2), which sits on another VLAN (vlan1).

interface Vlan10
description 10_VLAN_Admin
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.1.2
!
interface Vlan11
description 11_VLAN_Support
ip address 192.168.11.254 255.255.255.0
ip helper-address 192.168.1.2
!
interface Vlan12
description 12_VLAN_Project
ip address 192.168.12.254 255.255.255.0
ip helper-address 192.168.1.2


4- Configure your Active Directory for 802.1x authentication

We will use a new security group to split users into their different services, and assign the user (Ronan FOUCHER) to the security group (vlan_admins). Your Active Directory is then configured for 802.1x, and you can configure your authentication server (IAS for example).

4.1- Configure the Active Directory users

We use a new security group instead of a global group to split users, because this allows you to control changes in the organization.

Create a security group for each service and assign the users to the new security groups.


4.2- Configure the RADIUS server

4.2.1- Create a Remote Access Policy for each VLAN

Start -> Administrative Tools -> Internet Authentication Service
Remote Access Policies -> Right click -> New Remote Access Policy Wizard

4.2.2- Configure the IAS to accept requests from your switch

4.2.3- Configure your DHCP server

We use options 43 and 150 for the IP phone configuration.

There's no special configuration for the DHCP server.


5- Configure your Cisco Catalyst 2960 for 802.1x

5.1- Configure the authentication server on your switch

aaa new-model
aaa group server radius Testradius
server-private 192.168.1.2 auth-port 1812 acct-port 1813 key myownsecretkey
aaa authentication dot1x default group Testradius
aaa authorization network default group Testradius
aaa session-id common
radius-server vsa send authentication
clock timezone fr 2
ntp clock-period 36029068
ntp server 192.168.10.1

5.2- Configure your switch as a VTP client

conf t
vtp domain Test_VTP
vtp password MyVTPPASSWD
vtp mode client

5.3- Test the RADIUS authentication

TEST_SW#test aaa group Testradius ronanfoucher mytestingpwd legacy
Attempting authentication test to server-group Testradius using radius
User was successfully authenticated.

(If the authentication fails, you should find some information in the Event Viewer of your IAS server)

6- Configure VoIP on your Catalyst 2960

mls qos map policed-dscp 24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 1000000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 1000000 8000 exceed-action policed-dscp-transmit


7- Configure the Ethernet ports for 802.1x authentication

We use VLAN 400 as the guest VLAN and VLAN 220 for VoIP.

interface range FastEthernet0/1-24
switchport access vlan 400
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action authorize vlan 400
authentication event server dead action authorize vlan 400
authentication event no-response action authorize vlan 400
authentication port-control auto
authentication periodic
authentication violation protect
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
!
interface range GigabitEthernet0/1-2
switchport mode trunk

8- Configure your computers for 802.1x

8.1- Using GPO

http://technet.microsoft.com/en-us/library/dd348501%28WS.10%29.aspx

8.2- On each Computer

http://technet.microsoft.com/en-us/library/dd348470%28WS.10%29.aspx


Configure a fully load-balanced web application using Alteon

by Ronan FOUCHER on March 04, 2010, under Network

Configuring an Alteon for a web application

Below you will find the steps to configure a web application with a MySQL server (master/slave-slave) and a website / web services, with an Alteon Application Switch.

NAD Web Application

First-time installation

Reset the configuration

Connect to the Alteon using a serial cable and your laptop at 9600/8/N/1

To reset the password you can use: admin/ForgetMe!

(or forgetMe! depending on your hardware version)

And then erase the configuration completely:

/boot/conf
factory(y)

After the reboot you should not configure it using the wizard (it's like the Cisco wizard, it only helps when you really don't know what you have to do ;)

Configure the management interface

First of all, you will need to configure the management interface in order to configure your Application Switch remotely:

/c/sys/mmgmt
addr 192.168.30.10
mask 255.255.255.0
broad 192.168.30.255
gw 192.168.30.254
dns mgmt
ena
/c/sys/sshd/ena
/c/sys/sshd/on

This configures the IP address for ssh management; you should now be able to configure the switch port it is connected to (switchport mode access // switchport access vlan 30)

Configure the network VLAN interfaces

As you can see in the network diagram, to get the best flexibility on the Alteon platform we use VLAN trunking, to limit the number of ports used on the Alteon and to limit physical interventions on it.

Enable VLAN tagging

We use port 1 for inbound/outbound traffic


/c/port 1
tag ena

VLAN layer 2 configuration

Let's configure all the VLANs:


/c/l2/vlan 20
ena
name "VLAN 20 FRONT NET"
learn ena
def 1 2
/c/l2/vlan 21
ena
name "VLAN 21 WEB SERVICES"
learn ena
def 1 2
/c/l2/vlan 22
ena
name "VLAN 22 VIPs NET"
learn ena
def 1 2
/c/l2/vlan 30
ena
name "VLAN 30 Management"
learn ena
def 0
/c/l2/stg 1/add 1 20 21 22 30

USAGE

  • def : the VLAN is defined to be spread over the ports listed
  • stg : the VLAN is set with the STP protocol enabled (not necessary); you should disable this feature in a production context:

    /cfg/l2/stg 1/port 1/off

Configure the network interfaces

You will configure an IP address on each subnet configured before.

You will need to configure your servers to use those IPs as gateways; in this simple network we won't use the DSR feature, which would avoid configuring the Alteon as a gateway.

(I will write an article about implementing this feature later)

Configure IP addresses


/c/l3/if 1
ena
ipver v4
addr 192.168.20.252
mask 255.255.255.0
broad 192.168.20.255
vlan 20
/c/l3/if 2
ena
ipver v4
addr 192.168.21.252
mask 255.255.255.0
broad 192.168.21.255
vlan 21
/c/l3/if 3
ena
ipver v4
addr 192.168.22.252
mask 255.255.255.0
broad 192.168.22.255
vlan 22

Configure the routing table


/c/l3/gw 1
ena
ipver v4
addr 192.168.20.254
/c/l3/gw 2
ena
ipver v4
addr 192.168.21.254
/c/l3/gw 3
ena
ipver v4
addr 192.168.22.254

Configure the Load Balancing Part

Enable Layer 4 (Load balancing)


/c/slb
on

Configure your real servers


/c/slb/real 1
ena
rip 192.168.20.1
inter 15
retry 2
restr 2
name "FRONT1"
/c/slb/real 2
ena
rip 192.168.20.2
inter 15
retry 2
restr 2
name "FRONT2"
/c/slb/real 3
ena
rip 192.168.20.3
inter 15
retry 2
restr 2
name "FRONT3"
/c/slb/real 4
ena
rip 192.168.21.1
inter 15
retry 2
restr 2
name "WEBSERVICE1"
/c/slb/real 5
ena
rip 192.168.21.2
inter 15
retry 2
restr 2
name "WEBSERVICE2"
/c/slb/real 6
ena
rip 192.168.21.3
inter 15
retry 2
restr 2
name "WEBSERVICE3"

USAGE :

  • ena (enable)
  • rip (real IP address)
  • inter (health check interval)
  • retry (number of tries before the server is considered dead)
  • restr (number of tries before the server is considered alive again)

Configure your load-balanced groups

We'll now create 2 groups, one for each web cluster; you can test different parameters to check the health of the servers in the group.

I use a webpage named index.html on all servers; every « inter » seconds, the application check opens a connection to each server to check the connectivity and the service.


/c/slb/group 1
health http
viphl dis
content "/index.html"
add 1
add 2
add 3
/c/slb/group 2
health http
viphl dis
content "/index.html"
add 4
add 5
add 6

The add option gives the id of the real server.

Configure the virtual IPs for each service

Configure client / server mode

Port 1 is used for inbound traffic to the VIPs and outbound traffic to the real servers, so you need to enable both features on port 1


/c/slb/port 1
client ena
server ena

Declare each virtual IP for the HTTP services


/c/slb/virt 1
ena
ipver v4
vip 192.168.22.1
vname "FrontWebsiteVIP"
avail 43
remrule 1
/c/slb/virt 1/service http
group 1
hname "HTTP_FrontWebsiteVIP"
epip ena
/c/slb/virt 2
ena
ipver v4
vip 192.168.22.2
vname "WebServicesVIP"
avail 43
remrule 1
/c/slb/virt 2/service http
group 2
hname "HTTP_WebServicesVIP"
epip ena

Apply and save the Alteon's configuration


apply
save

Configure your web server

Configure the network


vim /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.20.1
netmask 255.255.255.0
network 192.168.20.0
broadcast 192.168.20.255
gateway 192.168.20.252 #IP address of the LB

Configure a webpage for testing (a different index.html on each server):

Hello my name is FRONT 1
Hello my name is FRONT 2
Hello my name is WEBSERVICE 1
Hello my name is WEBSERVICE 2

Now, from the client PC 192.168.20.1, you should be able to test the connectivity to the FRONT VIP and the WEB SERVICES VIP (192.168.22.1/2).
And from FRONT, your web services should be able to call the SOAP services on WEB SERVICES.

Configure the MySQL slave cluster

The Alteon is not able to check the health of a MySQL server the way it does for HTTP, so you need to configure a new service that checks port 3306 on the MySQL slave servers

IP configuration


/c/l2/vlan 40
ena
name "VLAN 40 MYSQL SLV NET"
learn ena
def 1 2
/c/l3/if 4
ena
ipver v4
addr 192.168.40.252
mask 255.255.255.0
broad 192.168.40.255
vlan 40
/c/l3/gw 4
ena
ipver v4
addr 192.168.40.254

Configure your real MySQL slave servers


/c/slb/real 7
ena
rip 192.168.40.2
name "Slave 1"
/c/slb/real 8
ena
rip 192.168.40.3
name "Slave 2"
/c/slb/real 9
ena
rip 192.168.40.4
name "Slave 3"

Configure the new group


/c/slb/group 3
add 7
add 8
add 9
name "MySQL Slave Cluster"

Configure the new service for MySQL


/c/slb/virt 3
ena
ipver v4
vip 192.168.22.3
/c/slb/virt 3/service 3306
group 3
hname "MYSQL_SlaveVIP"
dbind ena
tmout 32768

Configure your MySQL servers

You must be aware that the replication network is split from the load-balancing network (the amount of data can be critical for the Alteon)

Configure the network


vim /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.40.1
netmask 255.255.255.0
network 192.168.40.0
broadcast 192.168.40.255
gateway 192.168.40.252 #IP address of the LB

And now you should be able to connect to the slave servers using the MySQL slave VIP

root@192.168.20.1:~#mysql -h192.168.22.3 -uuser_test -p


SSHFS: how to quickly share a private folder between 2 servers

by Ronan FOUCHER on February 23, 2010, under Network, Unix / Linux

A good way to share folders, CDs, DVDs, etc. between 2 systems (FUSE is needed) is to use SSHFS.
Indeed, ssh can be used to copy folders/files remotely; unfortunately, if you want to synchronize your modifications or access a file quickly on a DVD, that solution is a bit useless...

Of course you can use Samba or NFS; unfortunately, this type of solution needs root access for file sharing, and is not quite simple to implement for remote access (WAN sharing)...

1 – Sample Configuration

A simple example is to use SSHFS to access your $HOME on the system solarisX at work and mount it on your local $HOME/mnt_skylwalker at home.
(you can do exactly the same thing with your CD drive, a USB storage device, …)

Install needed package


gollum:~$ apt-get install sshfs

Dependencies fuse-utils libfuse2 libglib2.0-0 sshfs

Network diagram

Configure your system

To use FUSE, you will need to add your user to the group fuse:

usermod -a -G fuse bobze_

Mount your new sharepoint

It’s as simple as that:

bobze_:~#whoami
bobze_
bobze_:~#mkdir mnt_skylwalker
bobze_:~#sshfs skywalker@working_site.com:/home/skywalker/ /home/bobze_/mnt_skylwalker


bobze_:~#mount
/dev/mapper/gollum.dc02.virginmobile.fr-root on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
procbususb on /proc/bus/usb type usbfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext2 (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
skywalker@working_site.com:/home/skywalker/ on /home/bobze_/mnt_skylwalker type fuse.sshfs (rw,nosuid,nodev,max_read=65536,user=bobze_)

Here we are, you can list your remote files using:

bobze_:~# ls -al /home/bobze_/mnt_skylwalker

Automatic mounting using /etc/fstab

You will need to share your RSA/DSA keys between your servers (I will write an article about that later)

vim /etc/fstab

and add the line below :

sshfs#skywalker@working_site.com:/home/skywalker/ /home/bobze_/mnt_skylwalker fuse user,noauto 0 0


Configure Inside and Outside NAT on a shared L2 network

by Ronan FOUCHER on fév.16, 2010, under Network

Description of the NAT implementation

When you interconnect your network with a partner’s network you can face overlapping problems.
Basically, you often have to hide the partner’s network to simplify subnet distribution for your partners. Unfortunately, sometimes you will have to hide your own network from only one partner.

For example, last week I had to interconnect our DC with a partner’s L2 network, using 2 routers configured with GLBP… In theory, it should not be difficult using both inside and outside NAT, but I faced a strange problem with my configuration…

Network diagram: NAT INSIDE OUTSIDE GLBP

My local network is 172.20.5.0/24 and the real partner network (172.19.5.0) is already used for another partner.

This part is simply resolved using inside NAT 172.19.5.0 <-> 172.20.13.0 /24.

My partner gave me a full /24 subnet for all my L3 equipment and the NAT subnets to hide my subnet on his network.

NAT restriction

There are 2 problems in this type of configuration :

  • I must split my subnet to manage the « outside NAT » because SNAT does not allow you to NAT from outside with the same subnet as the inside network.
  • Example: I want to NAT 172.21.5.0 <-> 172.17.11.0 /24. First I need to add the new static route:

    Router1_1(config)#ip route 172.17.11.0 255.255.255.0 10.10.10.1

    And the static NAT rules :


    Router1_1(config)#ip nat outside source static network 172.21.5.0 172.17.5.0 /27 add-route

    From 172.21.5.10 ping 172.17.5.1


    Router2_1#sh ip nat translations
    Pro  Inside global  Inside local  Outside local  Outside global
    ---  ---            ---           172.17.5.0     172.21.5.0
    icmp ---            ---           172.17.5.10    172.21.5.10
    ---  ---            ---           172.17.5.0     172.21.5.0
    ---  172.19.5.0     172.20.13.0   ---            ---

    If you run a capture on your firewall you will see the echo request from 172.17.5.10 and the reply to it.

    But when router R2_1 or R2_2 receives the reply packet from 172.17.5.1 to 172.17.5.10, it never reaches the outside SNAT layer: the packet is dropped at L3 because 172.17.5.10 belongs to the subnet directly connected on Fa0/0.

  • I must split my subnet between my two routers because GLBP does not share NAT translations between the routers.

The solution is to make the NAT pools look like routed subnets, distinct from the interconnection network, by splitting the subnet into 3 subnets.

So let's configure our 3 routers:

You will need a piece of paper, a pen, and VLSM to create 3 subnets.
My solution (not the only one):
=> 172.17.11.0/25 [Network Interconnection]
=> 172.17.11.128/26 [NAT Subnet Router 2_1]
=> 172.17.11.192/26 [NAT Subnet Router 2_2]

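An added example (not part of the original post, not Cisco code) that does the VLSM split above with Python's ipaddress module and checks the property the first attempt violated: an outside-NAT pool must not overlap a subnet directly connected to the router, otherwise replies are delivered on the connected interface and never reach the outside NAT. It uses the post's addresses (172.17.11.0/24 block, 172.21.5.0 partner network, 172.17.5.0/24 as the connected subnet of the failing config).

```python
"""Plan the interconnection subnet and per-router outside-NAT pools of the
post's fix, and verify that no pool is swallowed by a connected subnet.

Added example, not part of the original post."""
from ipaddress import ip_network


def split_block(block, interconnect_prefix=25, pool_prefix=26):
    """Carve `block` into one interconnection subnet and NAT pools.

    The first sub-block of `interconnect_prefix` length is the interconnection
    network; everything after it is cut into `pool_prefix` pools."""
    subs = list(ip_network(block).subnets(new_prefix=interconnect_prefix))
    interconnect = subs[0]
    pools = [p for s in subs[1:] for p in s.subnets(new_prefix=pool_prefix)]
    return interconnect, pools


def pool_is_routable(pool, connected_subnets):
    """True if `pool` overlaps none of the router's directly connected subnets.

    The post's failing config used 172.17.5.0/27 as a pool while
    172.17.5.0/24 was connected on Fa0/0, so replies never hit the NAT."""
    pool = ip_network(pool)
    return not any(pool.overlaps(ip_network(c)) for c in connected_subnets)


def assign_pools(block, routers):
    """Return (interconnect, {router: pool}); raise if a router has no pool or
    its pool overlaps the interconnection subnet."""
    interconnect, pools = split_block(block)
    if len(pools) < len(routers):
        raise ValueError(f"{block} yields {len(pools)} pools for {len(routers)} routers")
    plan = dict(zip(routers, pools))
    for router, pool in plan.items():
        if not pool_is_routable(pool, [interconnect]):
            raise ValueError(f"{router}: pool {pool} overlaps {interconnect}")
    return interconnect, plan


def outside_nat_commands(partner_net, plan):
    """Render the post's `ip nat outside source static network` line for each
    router of the plan (IOS syntax exactly as shown in the post)."""
    return {
        router: f"ip nat outside source static network {partner_net} "
                f"{pool.network_address} /{pool.prefixlen} add-route"
        for router, pool in plan.items()
    }


if __name__ == "__main__":
    interconnect, plan = assign_pools("172.17.11.0/24", ["Router2_1", "Router2_2"])
    print("interconnection subnet:", interconnect)
    for router, cmd in outside_nat_commands("172.21.5.0", plan).items():
        print(f"{router}(config)#{cmd}")
```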
Using the CLI you will get something like this:

For Router2_1


Router2_1(config)#ip nat inside source static network 172.19.5.0 172.20.13.0 /24
Router2_1(config)#ip nat outside source static network 172.21.5.0 172.17.11.128 /26 add-route
Router2_1(config)#ip route 172.19.5.0 255.255.255.0 172.17.5.1

For Router2_2


Router2_2(config)#ip nat inside source static network 172.19.5.0 172.20.13.0 /24
Router2_2(config)#ip nat outside source static network 172.21.5.0 172.17.11.192 /26 add-route
Router2_2(config)#ip route 172.19.5.0 255.255.255.0 172.17.5.1


Configure Netapp FAS250 for iscsi target

by Ronan FOUCHER on jan.26, 2010, under Netapp / Filer, Network, Unix / Linux

Configuring the NetApp filer can be summed up in 4 steps:
1. Create the flexible volumes that will store the LUNs for iscsi Servers.
2. Create the LUNs that Servers will use as a new partition.
3. Create the initiator group(s) (igroups) that will be used to log server to the NetApp Filer.
4. Map the LUNs to the appropriate igroup.

Let’s go for the configuration:
FYI: in this example we’ll create a volume for a server named gollum and use 95% of this volume vol_gollum for the iSCSI partition.

1. First Launch of Netapp

You can refer to the article on the basic configuration of your fas250

2. Configure the FAS 250 volume

2.1. Check the space left on aggregate


fas250> aggr show_space -h

Aggregate 'aggr1'

    Total space    WAFL reserve    Snap reserve    Usable space       BSR NVLOG           A-SIS
         1593GB           159GB            71GB          1362GB             0KB             0KB

Space allocated to volumes in the aggregate

Volume                          Allocated            Used       Guarantee
vol_1                               402GB           283GB          volume
vol_2                               402GB           205GB          volume
vol_3                               201GB            83GB          volume

Aggregate                       Allocated            Used           Avail
Total space                        1005GB           573GB           356GB
Snap reserve                         71GB            22GB            49GB
WAFL reserve                        159GB            10GB           148GB


Aggregate 'aggr0'

    Total space    WAFL reserve    Snap reserve    Usable space       BSR NVLOG           A-SIS
         1593GB           159GB            71GB          1362GB             0KB             0KB

Space allocated to volumes in the aggregate

Volume                          Allocated            Used       Guarantee
vol0                                 11GB           725MB          volume
vol_4                               402GB           305GB          volume
vol_5                               402GB           288GB          volume
vol_6                               402GB           273GB          volume

Aggregate                       Allocated            Used           Avail
Total space                        1217GB           868GB           144GB
Snap reserve                         71GB            24GB            47GB
WAFL reserve                        159GB            17GB           142GB

2.2. Create a new volume in one of your aggregate

There are a lot of ways to configure your filer for iSCSI, we

vol create vol1 -l fr aggr0 80g
Thu Feb 12 20:31:07 GMT [vol.language.changed:info]: Language on volume vol1 changed to fr
The new language mappings will be available after reboot
Thu Feb 12 20:31:07 GMT [vv_config_worker:notice]: XL - Language of Volume vol1 has been changed to fr.
Creation of volume 'vol1' with size 80g on containing aggregate
'aggr0' has completed.

2.3. [Option] Rename the new volume


fas250> vol rename vol1 gollum
'vol1' renamed to 'gollum'

2.4. Force the snapshot reservation to n%


fas250> snap reserve gollum 5

3. Create the luns


fas250> lun create -s 79g -t linux /vol/gollum/vol_gollum

4. Create the igroup

In order to make the LUNs visible to connected hosts, we must create an initiator group (igroup). In the iSCSI world, the igroup contains the iSCSI node names of the initiators that will connect to the storage system.
On Debian systems (refer to the Debian iSCSI article) you will find the initiator name of your system using this command:

gollum:~# cat /etc/iscsi/initiatorname.iscsi | grep -v '#'
InitiatorName=iqn.1993-08.org.debian:01:d6000000912

To create an iSCSI igroup, use the following commands:

fas250> igroup create -i -t linux gollum iqn.1993-08.org.debian:01:d6000000912

5. Map the igroup to the lun


fas250> lun map /vol/gollum/vol_gollum gollum
Thu Feb 12 22:31:22 GMT [lun.map:info]: LUN /vol/gollum/vol_gollum was mapped to initiator group gollum=0

6. Check the configuration


fas250> lun show -v /vol/gollum/vol_gollum
/vol/gollum/vol_gollum 79.0g (84828749824) (r/w, online, mapped)
Serial#: hp00000cs3
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: gollum=0

Now the rest of the configuration will be done on the server


Configure ISCSI target on Debian Systems (netapp filer)

by Ronan FOUCHER on jan.26, 2010, under Netapp / Filer, Network, Unix / Linux

1. Open-iSCSI installation:


apt-get install open-iscsi

Use the right folder for the iSCSI configuration:

ln -s /etc/{iscsid.conf,initiatorname.iscsi} /etc/iscsi/

2. Configure the iscsi client :

2.1 Enable automatic startup

vim /etc/iscsi/iscsid.conf
And Set the value :

node.startup = automatic

3. Configure the filer (Netapp FAS 250)

Refer to the following article

4. Configure the Target :

Discover the available target on the iscsi server

iscsiadm -m discovery -t sendtargets -p ISCSI-SERVER-IP-ADDRESS

You should get something like this:

root@debian:~# iscsiadm --mode discovery --type sendtargets --portal 192.168.1.100
[fe80::a0:ffff:ffff:ffff]:3260,2000 iqn.1992-08.com.netapp:sn.84000037
192.168.1.100:3260,2000 iqn.1992-08.com.netapp:sn.84000037

Login to the target


root@debian:~# iscsiadm --mode node --targetname iqn.1992-08.com.netapp:sn.84200007 --login
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.84200007, portal: 192.168.1.100,3260]
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.84200007, portal: 192.168.1.100,3260]: successful

You can also login by restarting the initiator


root@debian:~# /etc/init.d/open-iscsi restart

Check the new partition and prepare it to be used

Check the new partition


gollum:~# fdisk -l
Disk /dev/sda: 80.0 GB, 80000000000 bytes
255 heads, 63 sectors/track, 9726 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000080

Device Boot Start End Blocks Id System
/dev/sda1 * 1 31 248976 83 Linux
/dev/sda2 32 9726 77875087+ 8e Linux LVM

Disk /dev/sdb: 84.8 GB, 84828749824 bytes
255 heads, 63 sectors/track, 10313 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Use fdisk to create the new partition table

fdisk /dev/sdb
If you need some help, 'm' is your friend

gollum:~# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x4d5e25da.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
The number of cylinders for this disk is set to 10313.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Create a new primary partition numbered 1, starting at cylinder 1 and finishing at the default end: 'n' -> 'p' -> '1' -> 'enter'

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-10313, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-10313, default 10313):
Using default value 10313

Then write the new partition table using 'w'

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Use the new partition


gollum:~# fdisk -l

Disk /dev/sda: 80.0 GB, 80000000000 bytes
255 heads, 63 sectors/track, 9726 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000080

Device Boot Start End Blocks Id System
/dev/sda1 * 1 31 248976 83 Linux
/dev/sda2 32 9726 77875087+ 8e Linux LVM

Disk /dev/sdb: 84.8 GB, 84828749824 bytes
255 heads, 63 sectors/track, 10313 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x4d5e25da

Device Boot Start End Blocks Id System
/dev/sdb1 1 10313 82839141 83 Linux

Now you can use your new partition and format it:

gollum:~# mkfs.ext3 /dev/sdb1
mke2fs 1.41.3 (12-Oct-2008)
warning: 409 blocks unused.

Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
5187456 inodes, 20709376 blocks
1035489 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
632 block groups
32768 blocks per group, 32768 fragments per group
8208 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000

Mount the new partition


mkdir /mnt/netapp
mount /dev/sdb1 /mnt/netapp

To mount your partition automatically during startup

Edit your fstab

vi /etc/fstab

And adapt the sample configuration below to your system

/dev/sdb1 /mnt/netapp ext3 defaults,auto,_netdev 0 0


NFS Server and Client with Static Ports (iptables configuration)

by Ronan FOUCHER on jan.15, 2010, under Network, Unix / Linux

Basically the portmapper assigns each NFS service a port dynamically at service startup time.
If you want to secure access to the NFS server, you will have to configure the services to use fixed ports instead of dynamic ports, which cannot be protected by port-filtering firewalls (such as iptables).

1. Configure NFS SERVER

1-1. Install NFS

apt-get install nfs-kernel-server nfs-common portmap

1-2. Create a share point


mkdir /nfs_billing
vim /etc/exports

Then add your share to that file:

/nfs_billing pp_billing.dc03.mydomain.fr(rw,no_root_squash,async,no_subtree_check)

/nfs_billing will be shared with the system « pp_billing.dc03.mydomain.fr » in read/write mode.
no_root_squash => the remote root has root rights on the exported directories.
async => asynchronous writes: improves performance [!! in case of concurrent read/write access you can crash the server]
no_subtree_check => the entire volume is exported; disabling this check will speed up transfers.

Save that and restart the service:

/etc/init.d/nfs-kernel-server restart

Load the new configuration:

exportfs -a

2. Make all of the ports static

Edit /etc/default/nfs-common:

vim /etc/default/nfs-common

and update the STATDOPTS line as follows:

STATDOPTS="--port 4000"

Save that and restart the service:

/etc/init.d/nfs-common restart

Edit /etc/default/nfs-kernel-server:

vim /etc/default/nfs-kernel-server

and update RPCMOUNTDOPTS (rpc.mountd takes -p or --port, not --p):

RPCMOUNTDOPTS="--port 4002"

Save and restart:
/etc/init.d/nfs-kernel-server restart

And the special port that caught me out… nlockmgr needs to be set using the options.local file in /etc/modprobe.d:

vim /etc/modprobe.d/options.local
options lockd nlm_udpport=32777 nlm_tcpport=32777

Save and reboot the server:
reboot

When the server comes up, do the following to see the changes:
rpcinfo -p


   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32777  nlockmgr
    100021    3   udp  32777  nlockmgr
    100021    4   udp  32777  nlockmgr
    100021    1   tcp  32777  nlockmgr
    100021    3   tcp  32777  nlockmgr
    100021    4   tcp  32777  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100024    1   udp   4000  status
    100024    1   tcp   4000  status

And you’re done… one NFS server with static ports serving to a private range of IPs.

3. Configure NFS CLIENT

3.1-Install the software:

apt-get install portmap nfs-common

mkdir /nfs_billing

Mount the shared folder

Mount the share onto the empty directory :
mount pp_nfsserver.dc03.mydomain.fr:/nfs_billing /nfs_billing

You can then test this by creating a file via the share. If you get a permissions error go check the permissions on the NFS server, specifically the directory permissions for /nfs_billing.

3.2-Configure the system to mount the folder at startup

To automatically mount the directory at boot time we need to add an entry to fstab:
vim /etc/fstab
pp_nfsserver.dc03.mydomain.fr:/nfs_billing /nfs_billing rw,sync,hard,intr 0 0

Now you can reboot your system your NFS client is properly configured and connected to your NFS server.

4. Configure the firewall

Server rules

ENVIRONNEMENT="pp"
# braces are required: $ENVIRONNEMENT_billing would expand a variable named ENVIRONNEMENT_billing
NFS_CLIENT="${ENVIRONNEMENT}_billing.dc03.mydomain.fr"

NFS_PORT_PORTMAPPER="111"
NFS_PORT_STATUS="4000"
NFS_PORT_LOCKMGR="32777"
NFS_PORT_GLB="2049"
NFS_PORT_MOUNTD="4002"

# iptables accepts a single protocol per rule (-p tcp,udp is rejected),
# so each static port gets one tcp rule and one udp rule
for PORT in $NFS_PORT_PORTMAPPER $NFS_PORT_STATUS $NFS_PORT_LOCKMGR $NFS_PORT_GLB $NFS_PORT_MOUNTD; do
    iptables -A INPUT -p tcp -s $NFS_CLIENT --dport $PORT -j ACCEPT
    iptables -A INPUT -p udp -s $NFS_CLIENT --dport $PORT -j ACCEPT
done

Client rules

ENVIRONNEMENT="pp"
NFS_SERVER="${ENVIRONNEMENT}_nfsserver.dc03.mydomain.fr"

NFS_PORT_PORTMAPPER="111"
NFS_PORT_STATUS="4000"
NFS_PORT_LOCKMGR="32777"
NFS_PORT_GLB="2049"
NFS_PORT_MOUNTD="4002"

# On the client, the packets to accept on INPUT come FROM the server, with the
# static port as source port (a -d $NFS_SERVER rule on INPUT would never match)
for PORT in $NFS_PORT_PORTMAPPER $NFS_PORT_STATUS $NFS_PORT_LOCKMGR $NFS_PORT_GLB $NFS_PORT_MOUNTD; do
    iptables -A INPUT -p tcp -s $NFS_SERVER --sport $PORT -j ACCEPT
    iptables -A INPUT -p udp -s $NFS_SERVER --sport $PORT -j ACCEPT
done

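An added check, not part of the original article, that ties section 2 and section 4 together: it parses `rpcinfo -p` output, verifies that every NFS service is registered on the static port configured above (anything left on a dynamic port cannot be pinned in the firewall), and renders the per-port iptables rules from the same port map. SAMPLE_RPCINFO is constructed output in the same layout as the listing above, with mountd deliberately left on a dynamic port.

```python
"""Verify NFS static ports from `rpcinfo -p` output and render the matching
iptables rules. Added example, not part of the original article."""
import re
from collections import defaultdict

# The port map the article configures (portmapper and nfs are fixed anyway)
EXPECTED_PORTS = {
    "portmapper": 111,
    "nfs": 2049,
    "status": 4000,     # STATDOPTS="--port 4000"
    "mountd": 4002,     # RPCMOUNTDOPTS="--port 4002"
    "nlockmgr": 32777,  # options lockd nlm_udpport=32777 nlm_tcpport=32777
}

# Constructed sample: mountd is on a dynamic port, so the check must flag it
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32777  nlockmgr
    100021    4   tcp  32777  nlockmgr
    100005    1   udp  40213  mountd
    100005    3   tcp  40213  mountd
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
"""

# One registration line: program, version, proto, port, service name
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}}; the header line and anything
    that is not a registration line are skipped."""
    services = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _prog, _vers, proto, port, name = m.groups()
            services[name].add((proto, int(port)))
    return dict(services)


def check_static_ports(services, expected=EXPECTED_PORTS):
    """Return a list of findings; an empty list means every expected service
    is registered on its static port for both tcp and udp, and no other RPC
    service is exposed."""
    findings = []
    for name, port in expected.items():
        regs = services.get(name)
        if not regs:
            findings.append(f"{name}: not registered with the portmapper")
            continue
        for proto in ("tcp", "udp"):
            ports = {p for pr, p in regs if pr == proto}
            if not ports:
                findings.append(f"{name}: no {proto} registration")
            elif ports != {port}:
                findings.append(
                    f"{name}: {proto} on port(s) {sorted(ports)}, expected {port}")
    for name in services:
        if name not in expected:
            findings.append(f"{name}: unexpected RPC service registered")
    return findings


def iptables_rules(client, expected=EXPECTED_PORTS):
    """Server-side INPUT rules for one client: one tcp and one udp rule per
    port, because iptables takes a single protocol per rule. Returned as
    strings so they can be reviewed before being applied."""
    rules = []
    for name, port in sorted(expected.items()):
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A INPUT -p {proto} -s {client} "
                         f"--dport {port} -j ACCEPT  # {name}")
    return rules


if __name__ == "__main__":
    # Against a live server: import subprocess and feed
    # subprocess.check_output(["rpcinfo", "-p"], text=True) to parse_rpcinfo
    for finding in check_static_ports(parse_rpcinfo(SAMPLE_RPCINFO)):
        print("FAIL:", finding)
    print("\n".join(iptables_rules("pp_billing.dc03.mydomain.fr")))
```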

Implementing High Availability with HSRP

by Ronan FOUCHER on déc.31, 2009, under Network

Introduction to HSRP (Hot Standby Router Protocol)

One of the easiest ways to configure a highly available gateway on Cisco systems is to implement HSRP.
Hot Standby Router Protocol is a Cisco proprietary First-Hop Redundancy Protocol (FHRP) for a fault-tolerant default gateway, allowing transparent failover of the next-hop gateway (if you need more information you can refer to the IETF Standard 2338 and RFC 3768).

1 – Description of the functionalities:

How it works :

HSRP needs at least 2 routers, one active router and one or more standby routers (usually just one standby), all on the same LAN segment.
Together they all form one virtual router.

The HSRP is designed so that two or more routers can be grouped together as a single « Virtual Router », by sharing a single virtual IP address and a single virtual MAC address.

Router election :

The HSRP election is based on the HSRP priority (highest wins) and decides between two or three HSRP roles:
- One of the routers will be the Active Router; all traffic will be routed through this gateway.
- The other routers will stay in ‘Standby’ mode until the active router fails.

After the demise of the active router, one of the ‘Standby’ routers will become active and a new ‘runner-up’ standby router will be elected.
By default, if an HSRP-enabled router comes up and sees an active router already in existence, nothing changes even if the new router’s priority is higher.
You can force a dynamic election using the « preempt » feature (with ‘preempt’ enabled, a router will automatically take over as active whenever it sees that its priority is better than the current active router’s priority).

Routers configured in an HSRP group (0-255) use the multicast address 224.0.0.2 (UDP port 1985) to send HSRP packets back and forth every 3 seconds (by default).
If a router does not send any packet for approximately 3 periods it is considered dead.
There are 3 types of HSRP packet:
- Hello (I’m OK)
- Coup (I want to become the active router)
- Resign (I’m tired of being active, let me go into standby mode)
(refer to the Op Code in RFC 2281)

(!! if you set the same priority for two routers, the highest IP becomes the active router)

Configuration of hsrp on Cisco Routers 2811

Network Diagram

hsrp lab diagram

Router Configuration

Router 1


interface FastEthernet0/1
description *** int LAN ***
ip address 192.168.1.2 255.255.255.0
standby 3 priority 105
standby 3 preempt
standby 3 ip 192.168.1.254
standby 3 track FastEthernet0/2
standby 3 authentication lookatmypasswd

Router 2


interface FastEthernet0/1
description *** int LAN ***
ip address 192.168.1.1 255.255.255.0
standby 3 priority 100
standby 3 preempt
standby 3 ip 192.168.101.254
standby 3 track FastEthernet0/2
standby 3 authentication lookatmypasswd

Options Description

  • « standby priority xxx » set the priority for hsrp election (default value 100)
  • « standby preempt » dynamic election
  • « standby ip xxx.xxx.xxx.xxx » set the Virtual Ip address
  • « standby track xinterfacex » reduces the standby priority by 10 when interface « xinterfacex » goes down
    for example if FastEthernet0/2 (ISP 1 connection) goes down, Router 1 will set its priority to 95 and a « coup » message makes the secondary router the active router (the preempt option must be set ;)
  • « standby authentication » set the hsrp password (instead of the cisco default password)

Others option

  • « standby timers x yy » x is the hello time period and yy is the time after which the router is considered dead
  • « standby preempt delay minimum xxx » postpones the preempt that changes the active router (can be useful for security reasons)

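An added simulation of the election rules described above (priority, highest-IP tie-break, preempt, track decrement), not part of the original post and not Cisco code; it replays the two-router lab of this post (Router 1 priority 105, both preempt, both tracking FastEthernet0/2 with the default decrement of 10). Router names, the `tracked_down` counter and the `elect` function are this example's own modelling choices.

```python
"""Simulate HSRP active/standby election as the post describes it.

Added example, not part of the original post. Rules implemented: highest
priority wins, equal priorities are broken by the highest IP address, a
router without 'preempt' never displaces a running active router, and each
tracked interface that is down lowers the priority by its decrement."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100        # "standby priority" default
    preempt: bool = False      # "standby preempt"
    tracked_down: int = 0      # tracked interfaces currently down (model)
    track_decrement: int = 10  # "standby track" default decrement

    def effective_priority(self):
        """Priority after subtracting the decrement of every down interface."""
        return max(0, self.priority - self.tracked_down * self.track_decrement)

    def sort_key(self):
        """Election order: highest priority first, then highest IP address."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect(routers, current_active=None):
    """Return (active_name, standby_name) after one election round.

    `current_active` names the router that is active now (None at startup).
    It keeps its role unless a better-ranked router has preempt enabled (the
    post's 'coup') or it is no longer in `routers` (resigned or dead)."""
    if not routers:
        return None, None
    by_name = {r.name: r for r in routers}
    ranked = sorted(routers, key=HsrpRouter.sort_key, reverse=True)
    best = ranked[0]
    active = by_name.get(current_active)
    if active is None:
        active = best
    elif best is not active and best.preempt and best.sort_key() > active.sort_key():
        active = best
    standby = next((r for r in ranked if r is not active), None)
    return active.name, (standby.name if standby else None)


def lab_scenario():
    """Replay the post's lab: ISP 1 uplink of Router 1 goes down, then back up."""
    r1 = HsrpRouter("ROUTER_1", "192.168.1.2", priority=105, preempt=True)
    r2 = HsrpRouter("ROUTER_2", "192.168.1.1", priority=100, preempt=True)
    steps = []
    active, _ = elect([r1, r2])
    steps.append(("startup", active))            # ROUTER_1 (105 > 100)
    r1.tracked_down = 1                           # Fa0/2 down: 105 - 10 = 95
    active, _ = elect([r1, r2], current_active=active)
    steps.append(("r1 uplink down", active))      # ROUTER_2 preempts (100 > 95)
    r1.tracked_down = 0                           # Fa0/2 back up: 105 again
    active, _ = elect([r1, r2], current_active=active)
    steps.append(("r1 uplink up", active))        # ROUTER_1 preempts back
    return steps


if __name__ == "__main__":
    for event, active in lab_scenario():
        print(f"{event:>15}: active router is {active}")
```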
Debug option

Show configuration


ROUTER_1#sh standby
FastEthernet0/1 - Group 3
State is Active
14 state changes, last state change 11w1d
Virtual IP address is 192.168.101.254
Active virtual MAC address is 0000.0c07.ac03
Local virtual MAC address is 0000.0c07.ac03 (v1 default)
Hello time 5 sec, hold time 15 sec
Next hello sent in 0.092 secs
Preemption enabled, delay min 180 secs
Active router is local
Standby router is 192.168.1.1, priority 100 (expires in 11.564 sec)
Priority 105 (configured 105)
Track interface FastEthernet0/2 state Up decrement 10
IP redundancy name is "hsrp-Fa0/1-0" (default)

Debug hsrp protocol

Global hsrp debug :
debug standby

Event hsrp debug :
debug standby terse


NetApp FAS250 configuration (aggregates + volumes)

by Ronan FOUCHER on déc.15, 2009, under Netapp / Filer

1 – Configure your Netapp using CLI (first time install)

First Launch Complete the Wizard Install


Please enter the new hostname []: fas250
Do you want to configure virtual network interfaces? [n]: n
Please enter the IP address for Network Interface e0a [192.168.1.83]:
Please enter the netmask for Network Interface e0a [255.255.255.0]:
Please enter media type for e0a {100tx-fd, tp-fd, 100tx, tp, auto (10/100/1000)} [auto]:
Please enter flow control for e0a {none, receive, send, full} [full]:
Do you want e0a to support jumbo frames? [n]: y
Please enter the IP address for Network Interface e0b []:
Would you like to continue setup through the web interface? [n]: y
executing: ifconfig e0a 192.168.1.83 mediatype auto flowcontrol full mtusize 9000
Point a web browser to

http://fas250/api

or

http://192.168.1.83/api

to complete setup. At any time, you can continue with the console setup.
Please enter the name or IP address of the default gateway [192.168.1.254]:
The administration host is given root access to the filer's
/etc files for system administration. To allow /etc root access
to all NFS clients enter RETURN below.
Please enter the name or IP address of the administration host: 192.168.1.52
Where is the filer located? []: DC_new
Do you want to run DNS resolver? [n]: y
Please enter DNS domain name [DC_new.local]:
You may enter up to 3 nameservers
Please enter the IP address for first nameserver [192.168.1.1]:
Do you want another nameserver? [y]: y
Please enter the IP address for alternate nameserver [192.168.1.2]:
Do you want another nameserver? [n]: n
Do you want to run NIS client? [n]: n
This system will send event messages and weekly reports to Network Appliance Technical Support. To disable this feature, enter "options autosupport.support.enable off" within 24 hours. Enabling Autosupport can significantly speed problem determination and resolution should a problem occur on your system. For further information on Autosupport, please see: http://now.netapp.com/autosupport/
Press the return key to continue.

2. Global Configuration

2.1 – Check your license.


fas250> license
cifs not licensed
cluster not licensed
cluster_remote not licensed
dafs not licensed
disk_sanitization not licensed
fcp not licensed
flex_clone not licensed
gateway_hitachi not licensed
http not licensed
iscsi not licensed
multistore not licensed
nfs not licensed
smdomino not licensed
smsql not licensed
snaplock not licensed
snaplock_enterprise not licensed
snapmanagerexchange not licensed
snapmirror not licensed
snapmirror_sync not licensed
snapmover not licensed
snaprestore not licensed
snapvalidator not licensed
sv_linux_pri not licensed
sv_ontap_pri not licensed
sv_ontap_sec not licensed
sv_unix_pri not licensed
sv_windows_ofm_pri not licensed
sv_windows_pri not licensed
syncmirror_local not licensed
v-series not licensed
vld not licensed

2.2 Log in as an advanced user to change the root password:


fas250> priv set diag advanced
fas250*> passwd
New password:
Retype new password:

2.3 Then launch the update of your file system:


fas250*> software get http://192.168.1.10/732_setup_m.exe
software: copying to /etc/software/732_setup_m.exe
software: 100% file read from location.
software: /etc/software/732_setup_m.exe has been copied.


fas250*> software list
732_setup_m.exe


fas250*> software install 732_setup_m.exe
software: installing software, this could take a few minutes...
software: installation completed.
Please type download to load the new software and reboot subsequently for changes to take effect.
fas250*> Thu Jan 1 23:16:43 GMT [rc:info]: software: installation completed.

Then copy the new file system onto your system flash:


fas250*> download
fas250*> bye
fas250*> halt

And after the system boot :

CFE> update_flash
Reading flash0a: Done. 500216 bytes read
** DO NOT TURN OFF YOUR MACHINE UNTIL THE FLASH UPDATE COMPLETES!! **
Erasing flash...Programming...done. 500216 bytes written
Reading fatfs://ide0.0/MIPS/firmware/TSANTSA/firmware.img: Done. 499976 bytes read
Flash image is 499912 bytes, flags 00000002, CRC C65451F7
** DO NOT TURN OFF YOUR MACHINE UNTIL THE FLASH UPDATE COMPLETES!! **
Erasing flash...Programming...done. 499912 bytes written
CFE> bye

Now your system should be up-to-date


fas250> version
NetApp Release 7.3.2: Thu Oct 15 04:24:11 PDT 2009

2.4 License management

Now add your licenses to your system:

license add AMMLLPP
A nfs license has been installed.
license add AMMLLPP
A snaprestore license has been installed.
license add AMMLLPP
A iscsi license has been installed.
license add AMMLLPP
A cifs license has been installed.

3- Set up CIFS to configure the network easily.


fas250> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.
Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]: n
A filer can be configured for multiprotocol access, or as an NTFS-only
filer. Since multiple protocols are currently licensed on this filer,
we recommend that you configure this filer as a multiprotocol filer
(1) Multiprotocol filer
(2) NTFS-only filer
Selection (1-2)? [1]: 1
CIFS requires local /etc/passwd and /etc/group files and default files
will be created. The default passwd file contains entries for 'root',
'pcuser', and 'nobody'.
Enter the password for the root user []:
Retype the password:
The default name for this CIFS server is 'FAS250'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 3
What is the name of the Workgroup? [WORKGROUP]:
CIFS - Starting SMB protocol...
It is recommended that you create the local administrator account
(FAS250administrator) for this filer.
Do you want to create the FAS250administrator account? [y]: y
Enter the new password for FAS250administrator:
Retype the password:
Welcome to the WORKGROUP Windows(R) workgroup
CIFS local server is running.

4 – Network Configuration

Now you can configure the vif (virtual interface) for link aggregation:
On your Windows workstation connect to the fas250:
\\192.168.1.13\c$\etc

Edit rc file :
#Regenerated by registry Thu Jan 01 00:37:04 GMT 1970
#Auto-generated by setup Thu Jan 1 23:02:17 GMT 1970
hostname fas250
vif create multi trunk -b ip e0a e0b
ifconfig e0a mediatype auto
ifconfig e0b mediatype auto
ifconfig trunk `hostname`-trunk netmask 255.255.255.0 broadcast 192.168.1.255 mtusize 1500 -wins
route add default 192.168.1.254 1
routed on
options dns.domainname vmf.headoffice.local
options dns.enable on
options nis.enable off
savecore

5 – Aggregates configuration

Create 2 aggregates (the FAS 250 can’t create a global aggregate of 4TB: you have to split your disks into 2 aggregates of 2TB max).

5.1 – List the current config of your fas 250


fas250> sysconfig -A
NetApp Release 7.3.2: Thu Oct 15 04:24:11 PDT 2009
System ID: 000000 (fas250)
System Serial Number: 00000 (fas250)
System Rev: M0
System Storage Configuration: Single Path
System ACP Connectivity: No Connectivity
slot 0: System Board
Processors: 2
Processor revision: B2
Processor type: 1250
Memory Size: 510 MB
slot 0: FC Host Adapter 0b
14 Disks: 3808.0GB
1 shelf with EFH
slot 0: FC Host Adapter 0c
slot 0: Dual SB1250-Gigabit Ethernet Controller
e0a MAC Address: 00:a0:98:02:88:2c (auto-1000t-fd-up)
e0b MAC Address: 00:a0:98:02:88:2d (auto-unknown-down)
slot 0: ATA/IDE Adapter 0a (0x00000000000001f0)
0a.0 245MB
sysconfig: There are no configuration errors.
Device HA SHELF BAY CHAN Disk Vital Product Information
---------- --------------- ----- ------------------------------
0b.16 0b 1 0 FC:B DH07P890FTWC
0b.17 0b 1 1 FC:B DH07P880EFYB
0b.18 0b 1 2 FC:B DH07P890FTSJ
0b.19 0b 1 3 FC:B DH07P880EG3A
0b.20 0b 1 4 FC:B DH07P8B0GSCM
0b.21 0b 1 5 FC:B DH07P890FTTG
0b.22 0b 1 6 FC:B DH07P8B0GSBF
0b.23 0b 1 7 FC:B DH07P890FUAR
0b.24 0b 1 8 FC:B DH07P890G92A
0b.25 0b 1 9 FC:B DH07P890FPY5
0b.26 0b 1 10 FC:B DH07P890FTW8
0b.27 0b 1 11 FC:B DH07P890FPYG
0b.28 0b 1 12 FC:B DH07P890G78T
0b.29 0b 1 13 FC:B DH07P890G78P

5.2 – Resize your root aggregate to use all disks :


fas250> aggr add aggr0 -d 0b.20 0b.21 0b.22 0b.29

5.3 – Create the disk aggregate with spare disks


fas250> aggr create aggr1 -r 7 -d 0b.23 0b.24 0b.25 0b.26 0b.27 0b.28
fas250> priv set diag advanced
fas250*> options raid.min_spare_count 0

5.4 – List the new config of your fas 250

You should get a sysconfig like that:

fas250> sysconfig -A
sysconfig: There are no configuration errors.
Device HA SHELF BAY CHAN Disk Vital Product Information
---------- --------------- ----- ------------------------------
0b.16 0b 1 0 FC:B DH07P890FTWC
0b.17 0b 1 1 FC:B DH07P880EFYB
0b.18 0b 1 2 FC:B DH07P890FTSJ
0b.19 0b 1 3 FC:B DH07P880EG3A
0b.20 0b 1 4 FC:B DH07P8B0GSCM
0b.21 0b 1 5 FC:B DH07P890FTTG
0b.22 0b 1 6 FC:B DH07P8B0GSBF
0b.23 0b 1 7 FC:B DH07P890FUAR
0b.24 0b 1 8 FC:B DH07P890G92A
0b.25 0b 1 9 FC:B DH07P890FPY5
0b.26 0b 1 10 FC:B DH07P890FTW8
0b.27 0b 1 11 FC:B DH07P890FPYG
0b.28 0b 1 12 FC:B DH07P890G78T
0b.29 0b 1 13 FC:B DH07P890G78P
volume aggr1 (1 RAID group):
group 0: 7 disks
volume aggr0 (1 RAID group):
group 0: 7 disks
Aggregate aggr1 (online, raid4) (block checksums)
Plex /aggr1/plex0 (online, normal, active)
RAID group /aggr1/plex0/rg0 (normal)

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
parity 0b.19 0b 1 3 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.18 0b 1 2 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.17 0b 1 1 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.16 0b 1 0 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.22 0b 1 6 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.21 0b 1 5 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.20 0b 1 4 FC:B – FCAL 10000 272000/557056000 280104/573653840

Aggregate aggr0 (online, raid4) (block checksums)
Plex /aggr0/plex0 (online, normal, active)
RAID group /aggr0/plex0/rg0 (normal)

RAID Disk Device HA SHELF BAY CHAN Pool Type RPM Used (MB/blks) Phys (MB/blks)
--------- ------ ------------- ---- ---- ---- ----- -------------- --------------
parity 0b.27 0b 1 11 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.26 0b 1 10 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.25 0b 1 9 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.24 0b 1 8 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.23 0b 1 7 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.28 0b 1 12 FC:B – FCAL 10000 272000/557056000 280104/573653840
data 0b.29 0b 1 13 FC:B – FCAL 10000 272000/557056000 280104/573653840

6 – Volume configuration

Now you will be ready for playing with your volumes :

6.1 – Resize root Volume

First of all you should resize your root volume, because its default size is two full hard drives (2*320GB).
Notice that the minimum size for the root volume (FlexVol) on a fas 250 is 9GB,
so limit its size to 9 or 10 GB.

fas250> vol size vol0
vol size: Flexible volume 'vol0' has size 720g.
fas250> vol size vol0 -710g

You can check the available space on each aggregate using the following command :

fas250> aggr show_space -h

6.2 – Create New Volumes

And create your volumes :

fas250> vol create vol1 -l fr aggr0 1116g
fas250> vol create vol2 -l fr aggr0 227g
fas250> vol create vol3 -l fr aggr0 240g

6.3 – Manage the snap reserve

If needed you can reduce the snapshot reserve, so that you do not lose the default 20% of each volume to snapshots :

fas250>snap reserve vol1 0
fas250>snap reserve vol2 0
fas250>snap reserve vol3 0
fas250>snap reserve vol4 0

6.4 – Check your configuration

The result should be something like this :

fas250> df -h
Filesystem total used avail capacity Mounted on
/vol/vol0/ 9728MB 539MB 9188MB 6% /vol/vol0/
/vol/vol0/.snapshot 512MB 54MB 457MB 11% /vol/vol0/.snapshot
/vol/vol1/ 1116GB 357MB 1115GB 0% /vol/vol1/
/vol/vol1/.snapshot 0MB 317MB 0MB ---% /vol/vol1/.snapshot
/vol/vol2/ 227GB 196KB 226GB 0% /vol/vol2/
/vol/vol2/.snapshot 0KB 52KB 0KB ---% /vol/vol2/.snapshot
/vol/vol3/ 1116GB 184KB 1115GB 0% /vol/vol3/
/vol/vol3/.snapshot 0KB 56KB 0KB ---% /vol/vol3/.snapshot
/vol/vol4/ 238GB 172KB 237GB 0% /vol/vol4/
/vol/vol4/.snapshot 0KB 52KB 0KB ---% /vol/vol4/.snapshot

Next article : Iscsi Implementation with a fas 250


CISCO Policy based Routing (PBR) : route-map & co.

by Ronan FOUCHER on nov.22, 2009, under Network

Route-maps can be used in many applications; in most of them, the aim is to let the network engineer override the routing table and influence which way traffic flows.

Below you will find a configuration sample of Policy Based Routing (PBR) that we use to route different subnets through different equipment.

We’ll route :
- Packets from 10.20.10.0/24 (vlan 10) to 172.20.10.0/24 through Link 2
- Packets from 10.20.20.0/24 (vlan 20) to 172.20.10.0/24 through Link 1
- Other packets through gateway 10.20.5.254 on Gigabit Ethernet interface 3/48

Policy based routing on Cisco routers is done by defining a « route-map » and then applying it as a policy to the interface on which the IP packets arrive.
The route-map is a list of « match » and « set » commands: match defines the criteria under which policy routing is performed (a standard or extended ACL), and set defines the action to perform when the match criteria are met (e.g. set next hop).

I change the routing to a particular network only for a particular source subnet, which is defined in an ACL. This ACL is then matched in a route-map, and the route-map is applied as an IP policy on the interface to change the routing behaviour.

First Step create ACLs :

BraveHeart-R-C#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BraveHeart-R-C(config)# access-list 100 permit ip 10.20.10.0 0.0.0.255 172.20.10.0 0.0.0.255
BraveHeart-R-C(config)# access-list 101 permit ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
BraveHeart-R-C(config)# access-list 102 permit ip 10.20.10.0 0.0.0.255 any
BraveHeart-R-C(config)# access-list 102 permit ip 10.20.20.0 0.0.0.255 any

The access list id doesn’t matter for the matching order.

Second Step create route-map :
We will create a route-map named Sample-routemap.
The entries are evaluated in sequence-number order: 9 -> 10 -> 11.

BraveHeart-R-C#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BraveHeart-R-C(config)# route-map Sample-routemap permit 9
BraveHeart-R-C(config-route-map)# match ip address 101
BraveHeart-R-C(config-route-map)# set ip next-hop 10.20.6.1

BraveHeart-R-C(config)# route-map Sample-routemap permit 10
BraveHeart-R-C(config-route-map)# match ip address 100
BraveHeart-R-C(config-route-map)# set ip next-hop 10.20.7.1

BraveHeart-R-C(config)# route-map Sample-routemap permit 11
BraveHeart-R-C(config-route-map)# match ip address 102
BraveHeart-R-C(config-route-map)#set default interface GigabitEthernet 3/48

That creates a route-map called « Sample-routemap » which matches the ACLs 100, 101 and 102 defining the source networks for which the route-map should act.

Apply Policy Route-map to interface

This route-map is now applied to the interfaces vlan 10 and vlan 20.

BraveHeart-R-C#conf t
Enter configuration commands, one per line. End with CNTL/Z.
BraveHeart-R-C(config)#int vlan 10
BraveHeart-R-C(config-if)# ip policy route-map Sample-routemap
BraveHeart-R-C(config-if)#exit
BraveHeart-R-C(config)#int vlan 20
BraveHeart-R-C(config-if)# ip policy route-map Sample-routemap
BraveHeart-R-C(config-if)#end

Now all rules configured should work (use traceroute to check the link you use ;-)
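To check that the ACLs and route-map entries above really steer each subnet the way the list at the top of this post intends, here is an added Python simulation (not part of the original post, and not Cisco code): it implements Cisco wildcard-mask matching, first-match ACL evaluation and sequence-ordered route-map lookup on the post's addresses, plus a constructed variant with a 0.255.255.255 wildcard to show how a wrong mask lets ACL 101 capture vlan 10 traffic.

```python
import ipaddress

# Extended ACLs from the post, as acl id -> list of permit entries
# (src, src_wildcard, dst, dst_wildcard). Cisco wildcard masks are inverted
# netmasks: a 0 bit must match, a 1 bit is "don't care". Constructed sample data.
ACLS = {
    100: [("10.20.10.0", "0.0.0.255", "172.20.10.0", "0.0.0.255")],
    101: [("10.20.20.0", "0.0.0.255", "172.20.10.0", "0.0.0.255")],
    102: [("10.20.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),   # "any"
          ("10.20.20.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
}

# Route-map Sample-routemap, in sequence-number order: (seq, acl id, set action).
ROUTE_MAP = [
    (9,  101, "set ip next-hop 10.20.6.1"),
    (10, 100, "set ip next-hop 10.20.7.1"),
    (11, 102, "set default interface GigabitEthernet 3/48"),
]


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl_id, src, dst, acls=ACLS):
    """First-match evaluation of an extended ACL whose entries are all 'permit'."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acls.get(acl_id, []))


def policy_route(src, dst, route_map=ROUTE_MAP, acls=ACLS):
    """Walk the route-map in sequence order and return the first matching
    (seq, action); None means the packet falls back to the normal routing table."""
    for seq, acl_id, action in route_map:
        if acl_permits(acl_id, src, dst, acls):
            return seq, action
    return None


def with_wildcard(acls, wildcard):
    """Copy of acls where every /24 wildcard is replaced (the 'any' entries stay)."""
    return {acl: [(s, wildcard, d, dw if dw == "255.255.255.255" else wildcard)
                  for s, _sw, d, dw in entries]
            for acl, entries in acls.items()}


# Constructed counter-example: 0.255.255.255 only compares the first octet, so
# ACL 101 (meant for vlan 20) also permits vlan 10 sources and seq 9 wins.
BROKEN_ACLS = with_wildcard(ACLS, "0.255.255.255")

if __name__ == "__main__":
    packets = [("10.20.10.5", "172.20.10.7"),   # vlan 10 -> Link 2 expected
               ("10.20.20.5", "172.20.10.7"),   # vlan 20 -> Link 1 expected
               ("10.20.10.5", "8.8.8.8"),       # other traffic -> default interface
               ("10.20.30.5", "8.8.8.8")]       # not policy-routed at all
    for src, dst in packets:
        print(f"{src} -> {dst}: ok={policy_route(src, dst)}  "
              f"broken={policy_route(src, dst, acls=BROKEN_ACLS)}")
```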


Howto extract mysql table from a huge mysqldump using awk

by Ronan FOUCHER on oct.16, 2009, under Mysql, Unix / Linux

I know that the easiest way to get a mysqldump table per table is to use the « table option » of mysqldump ("mysqldump -c -u username -ppassword databasename tablename > /tmp/databasename.tablename.sql"), but sometimes you do not have the choice.

Indeed, every night we do a complete cold backup of one of our slaves to have a consistent backup of our databases.
Unfortunately, if we have to restore a server quickly, we prefer doing a complete mysqldump of our different databases without splitting tables… the result is a big text file of about 200GB: EUL2400053_VIRGIN_PROD_20090928_1.dmp

If you want to extract a single table from a big mysqldump, you should like the following shell script :

sample : ./extract_mysqltable.sh TABLE SOURCEDUMPFILE RESULTTABLEDUMPFILE


#!/bin/bash
# This shell script helps you extract a single table from a huge mysqldump
USAGE="Usage: \"$0 TABLE SOURCEDUMPFILE RESULTTABLEDUMPFILE\"
\nwhere
\n\tTABLE is the full name of the table to extract
\n\tSOURCEDUMPFILE is the name of the dump file (with full path if needed)
\n\tRESULTTABLEDUMPFILE is the name of the file where the result will be stored
"

if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]
then
echo -e "$USAGE" && exit 1
fi

table="$1"
dumpfile="$2"
resulttabledump="$3"

if [ ! -f "$dumpfile" ]
then
echo "$dumpfile does not exist, please check." && exit 1
fi
if [ -e "$resulttabledump" ]
then
echo "$resulttabledump already exists, please use another filename." && exit 1
fi

# Lock: refuse to start a second instance (the PID in the lock file must still belong to this script)
LOCKFILE="/var/run/$(basename "$0").pid"
ps -ef | awk '{print $2":"$NF}' | grep "^$(cat "$LOCKFILE" 2>/dev/null):" | grep "$(basename "$0")" >/dev/null \
  && echo "\"$0\": ALREADY RUNNING ON \"$(hostname)\" (PID $(cat "$LOCKFILE"))..." && exit 0

echo $$ > "$LOCKFILE"
trap 'rm -f "$LOCKFILE"' EXIT

# mysqldump marks each table with a "-- Table structure for table `name`" comment.
# Copy everything from our table's marker up to (but excluding) the next table's marker.
# The table name and the output file are passed with -v, so the shell never expands them
# inside the awk program (backticks stay literal, regex metacharacters are not an issue).
awk -v tbl="$table" -v out="$resulttabledump" '
/Table structure for table/ {
    if (index($0, "Table structure for table `" tbl "`")) { k = 1 }
    else if (k == 1) { exit }
}
k == 1 { print $0 >> out }
' "$dumpfile"


Install mysql on Solaris 10

by Ronan FOUCHER on oct.08, 2009, under Mysql, Network, Unix : Sun Solaris

1- Download mysql package for Solaris :

Log on to your favourite download center on the MySQL Enterprise website : Mysql Website
And download the latest version of MySQL Server :
Currently : MySQL Server 5.1.39 for Solaris 10

To choose the right one, you’ll need to check your system using the following commands:

sylvebarbe:/# prtdiag | head -3
System Configuration: Sun Microsystems Sun Fire X4540
BIOS Configuration: American Megatrends Inc. 080014 11/04/2008
BMC Configuration: IPMI 2.0 (KCS: Keyboard Controller Style)


sylvebarbe:/# uname -a
SunOS sylvebarbe 5.10 Generic_139556-08 i86pc i386 i86pc


sylvebarbe:/# isainfo -kv
64-bit amd64 kernel modules


gandalf:/# prtdiag | head -3
System Configuration: Sun Microsystems Sun Fire X4150
BIOS Configuration: American Megatrends Inc. 1ADQW020 02/19/2008
BMC Configuration: IPMI 2.0 (KCS: Keyboard Controller Style)


gandalf:/# uname -a
SunOS gandalf 5.10 Generic_137138-09 i86pc i386 i86pc


gandalf:/# isainfo -kv
64-bit amd64 kernel modules

As you can see for both systems, we’ll need to use Solaris 10 PKG (x86, 64-bit)

2- Check the installed packages :
First of all, you should check the mysql packages already installed on your system :
gandalf:/# pkginfo | grep mysql

If the result is not empty, you should remove them using the command pkgrm.
This command will give you only the package names ;-)
gandalf:/# pkginfo | grep mysql | cut -d ' ' -f2,7

3- Installation of mysql Server
3-1: Check user/group configuration :

gandalf:/# grep mysql /etc/group
gandalf:/# grep mysql /etc/passwd

If both results are empty, please create the user/group for mysql :

gandalf:/# groupadd mysql
gandalf:/# useradd -g mysql mysql

3-2:Install the package

gandalf:/# cd /tmp
gandalf:/# scp nas-dwld/solaris/10/mysql/mysql-enterprise-gpl-5.1.39-solaris10-x86_64.pkg.gz .
gandalf:/# gzip -d mysql-enterprise-gpl-5.1.39-solaris10-x86_64.pkg.gz
gandalf:/# pkgadd -d mysql-enterprise-gpl-5.1.39-solaris10-x86_64.pkg

3-3: Post-installation
Check that mysql server has been installed in /opt/mysql/mysql

gandalf:/# ll /opt/mysql/mysql/
total 108
drwxr-xr-x 2 mysql mysql 46 mai 27 14:59 bin
-rw-r--r-- 1 mysql mysql 19071 avr 1 2009 COPYING
drwxr-xr-x 2 mysql mysql 4 mai 27 14:59 docs
-rw-r--r-- 1 mysql mysql 5139 avr 1 2009 EXCEPTIONS-CLIENT
drwxr-xr-x 2 mysql mysql 34 mai 27 14:59 include
-rw-r--r-- 1 mysql mysql 8769 avr 1 2009 INSTALL-BINARY
drwxr-xr-x 3 mysql mysql 23 mai 27 14:59 lib
drwxr-xr-x 4 mysql mysql 4 mai 27 14:59 man
drwxr-xr-x 10 mysql mysql 14 mai 27 14:59 mysql-test
-rw-r--r-- 1 mysql mysql 1410 avr 1 2009 README
drwxr-xr-x 2 mysql mysql 4 mai 27 14:59 scripts
drwxr-xr-x 27 mysql mysql 35 mai 27 14:59 share
drwxr-xr-x 5 mysql mysql 29 mai 27 14:59 sql-bench
drwxr-xr-x 2 mysql mysql 17 mai 27 14:59 support-files

Modify in /etc/passwd the home directory of the mysql user from /home/mysql to /opt/mysql/mysql/ :

gandalf:/# vi /etc/passwd

Edit /etc/init.d/mysql to change basedir=/ to basedir=/opt/mysql/mysql/
(this could also be done by configuring a my.cnf in /etc/)

Then change the owner of mysql folder :
gandalf:/# cd /opt/mysql/
gandalf:/# chown -R mysql:mysql mysql

3-4: First creation of mysql database skeleton
Change user from root to mysql
gandalf:/# su - mysql
gandalf:/# cd /opt/mysql/mysql/scripts

The --ldata option sets the path where the databases will be stored :
gandalf:/# ./mysql_install_db --user=mysql --ldata=/DWH

Then start the mysql server :

gandalf:/# /opt/mysql/mysql/bin/mysqld_safe --datadir=/DWH --user=mysql &

You should now be able to connect to your new mysql server :
gandalf:/# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 32570
Server version: 5.1.39-enterprise-gpl-advanced MySQL Enterprise Server - Advanced Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>


How-to « find » « locate » on solaris

by Ronan FOUCHER on sept.28, 2009, under Unix : Sun Solaris

If you’re used to the Linux « locate » command, you will certainly look for your favourite GNU command to quickly find files on your system.
Unfortunately on Solaris, after a fresh install, the only way is to use « find », but as you know it’s quite slow.
Below you will read how to install glocate, the GNU locate, on your Solaris.

1) First Step : Install pkg_get.pkg
———————————————————–

pkgadd -d http://www.opencsw.org/pkg_get.pkg

You can then optionally edit /opt/csw/etc/pkg-get.conf to choose a mirror site that is better for you than the default.

2) Second Step : Install findutils
———————————————————–
locate is part of the GNU findutils.

The fastest way to use Blastwave tools is to add in your .bashrc :
PATH=${PATH}:/opt/csw/bin/
Install the findutils tools using the following command :
# /opt/csw/bin/pkg-get -i findutils
One thing to notice is that in findutils all commands are prefixed with a g (as in GNU), so locate is called glocate and updatedb is called gupdatedb.

Once it is installed, you need to populate the initial database. Run the following command as root :
# /opt/csw/bin/gupdatedb --prunefs="ctfs devfs proc mntfs tmpfs objfs fd hsfs nfs"

This tells updatedb to index everything except the file systems listed here.
This command takes a while to run, depending on how many files you have.


# /opt/csw/bin/glocate "filetosearch"

3) Third Step : Cron a gupdatedb job to update your file index automatically
# crontab -e
And add the following line :

0 4 * * * /opt/csw/bin/gupdatedb --prunefs="ctfs devfs proc mntfs tmpfs objfs fd hsfs nfs dev lofs sharefs"

This line will run gupdatedb every morning at 4am.


howto configure monitor/mirror on cisco 2960

by Ronan FOUCHER on sept.15, 2009, under Network

Sometimes you’ll need to debug your network and monitor the traffic on some ports of your switch.
Below you’ll find how to configure port mirroring to copy all the traffic from/to interface Fa0/16 onto interface Fa0/24 :

SW-PILOT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW-PILOT2(config)#monitor session 1 source interface Fa0/16
SW-PILOT2(config)#monitor session 1 destination interface Fa0/24
SW-PILOT2(config)#exit

And show your configuration

SW-PILOT2#sho monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/16
Destination Ports : Fa0/24
Encapsulation : Native
Ingress : Disabled


How-to bind multiple IP addresses on a single NIC

by Ronan FOUCHER on août.24, 2009, under Network, Unix / Linux

RedHat/Fedora/CentOs configuration :

redhat#cd /etc/sysconfig/network-scripts/

We’ll bind two IP addresses on eth1.

redhat#cp ifcfg-eth1 ifcfg-eth1:0


redhat#cat ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
HWADDR=00:1A:64:00:00:00
IPADDR=10.25.209.86
NETMASK=255.255.0.0
ONBOOT=yes
TYPE=Ethernet
ETHTOOL_OPTS="autoneg on"

Now, you will configure your second IP address (192.168.10.200):

redhat#vim ifcfg-eth1:0
DEVICE=eth1:0
BOOTPROTO=static
IPADDR=192.168.10.200
NETMASK=255.255.255.0
ONBOOT=yes

Now restart the network service

redhat#service network restart

And check that the configuration works :

redhat# ifconfig
eth1 Link encap:Ethernet HWaddr 00:1A:64:00:00:00
inet addr:10.25.209.86 Bcast:10.25.255.255 Mask:255.255.0.0
inet6 addr: fe80::21a:64ff:0000:0000/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:56813881 errors:0 dropped:0 overruns:0 frame:0
TX packets:12325284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13741623634 (12.7 GiB) TX bytes:2562341022 (2.3 GiB)

eth1:0 Link encap:Ethernet HWaddr 00:1A:64:00:00:00
inet addr:192.168.10.200 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1


Adding routes Linux / macosx / Iphone

by Ronan FOUCHER on août.17, 2009, under Network, Unix / Linux

Checking the route table in Linux

netstat -rn
route

Adding and Removing a Network in Linux

route add -net 172.31.0.0/16 gw 192.168.50.254
route del -net 172.31.0.0/16 gw 192.168.50.254

Adding and Removing a specific host in Linux

route add -host 172.31.50.50 gw 192.168.50.254
route del -host 172.31.50.50 gw 192.168.50.254

Adding a Default GW in Linux

route add default gw 192.168.50.248
route del default gw 192.168.50.248

Adding Routes on macosx / iphone

route -n add 172.31.0.0/16 192.168.50.254


howto screen detach process from putty

by Ronan FOUCHER on août.13, 2009, under Unix / Linux, Unix : Sun Solaris

====== 1. Install screen ======

On debian installing screen is quite simple:


root# apt-get install screen

====== 2. Set some useful preferences ======

Create the file ~/.screenrc with the following contents:


# Use visual bell
vbell on
# Set a big scrolling buffer
defscrollback 5000
# Set the caption on the bottom line
caption always "%{= kw}%-w%{= BW}%n %t%{-}%+w %-= @%H - %LD %d %LM - %c"
# Support UTF-8
defutf8 on
# Don't show the splash screen
startup_message off

====== 3. Start your first screen session ======

Start screen itself (this will be the master screen, number 0):


user# screen

Now open a program you want to be able to disconnect and connect to:


user# irssi

====== 4. Detach from the running screen session ======

Don’t worry, irssi won’t actually quit, but type: ctrl+a ctrl+d
At this point you will return to your shell prompt, but irssi is still running in the background, pretty neat!

====== 5. Reconnect to the running screen session ======

Here’s how you reconnect to the master screen session:


user# screen -r -d

====== 6. Create another screen ======

This will be the first child screen, thus named 1. Type: ctrl+a c to create it. Now you should see a shell prompt again, try doing:


user# top

which will open up the performance monitor in this screen.

====== 7. Toggle between the two screens ======

Since you now have two screens running, you have two ways to toggle back and forth:

– Use ctrl+a n to go next, and ctrl+a p to go previous.
– You can also specify the screen name by number like this: ctrl+a 1 to toggle to « top » and ctrl+a 0 to toggle to « irssi »

====== 8. Assign a name to the currently active screen ======

Type: ctrl+a A which will give you a little prompt, it will probably have bash as the current name, hit the backspace key a few times, and then type in a name you will recognize. Use the enter key to save this screen name.

====== 9. Pull up a list of all running screens ======

If you get a bunch of screens running, you might need a list to find one faster (here your names are super helpful). Do: ctrl+a " which will give you a list, you can either type in the number [0 - 9] or use the arrow keys to navigate, again just hit enter to choose it.

====== 10. Scrolling up/down in a screen ======

If you need to scroll up or down you need to enable copy mode. To do this do: ctrl+a ESC and then use the arrow keys and page up/page down keys to navigate. When you’re finished hit ESC to return to normal mode.

====== 11. How do you close a screen? ======

Closing the program running in the screen should take care of it. For example, if you do ctrl+a ctrl+n which will create a new screen and leave you at a shell prompt, hitting ctrl+d to exit the shell will also close the screen. If you’re ever not sure how many are running, just use ctrl+a " to view the ones running.

====== 12. Quick toggle between two screens ======

If you’re using two screens and wanna quickly go back and forth between them, use: ctrl+a ctrl+a

====== 13. Fixing a screen that seems locked ======

If you hit ctrl+s or ctrl+a s you can lock the screen… The fix is to hit ctrl+a q

====== 14. How to list running screens ======

You can always list the screens that you have by doing:


screen -ls

Unfortunately this doesn’t show screens of other users. The only way I [currently] know how to do this is to look using ps:


ps -ef | grep SCREEN

====== 15. Shared screens ======

Temporarily make screen setuid (remove this when you’re finished):


root# chmod u+s /usr/bin/screen
root# chmod go-w /var/run/screen

Start a screen session:


user# screen

Then do (where guest is the userid of the person who’s going to connect to the shared session, and owner is the userid of the person creating the shared session, aka the person who owns the computer):


ctrl+a :multiuser on #Enable shared sessions
ctrl+a :acladd guest #Give rights to guest
ctrl+a :aclchg guest -x "?" #Revoke permission to execute commands

Then the other user will ssh to the box, and execute:


user# screen -x owner/

to join the session.
If you are unable to connect to the screen session, try using the fully qualified name, like this: screen -x owner/9322.pts-2.monster
When you’re finished with the session, clean things up by exiting the screen session, and do:


root# chmod u-s /usr/bin/screen
root# chmod 775 /var/run/screen

====== 16. Screwed up screens ======

So maybe I’ve had a problem where a screen session seemed to lock up a time or two.

« If you accidentally freeze screen (usually this happens if you hit ctrl+s or ctrl+a s) you can fix it by hitting ctrl+q or ctrl+a q. Another way to potentially break screen is if you hit the pause/break button while using putty or ctrl+z, then you simply need to type fg at the command line to bring your irssi session back. The fg trick also works should you manage to make anything else in screen disappear with ctrl+z or pause/break. »

