Archive for the ‘Networking’ Category

## Linux and Active State Power Management

Last year I had an odd issue when installing CentOS 6.0 on a Supermicro motherboard with an Intel PCIe quad port GB nic using an 82576 chip. I got by the initial kernel panic by using pci=noaer as a kernel option but later encountered really weird kernel panics regarding the Intel nic again which required an additional pcie_aspm=off in my grub file. Pretty odd stuff really since this was a server and I wasn’t worried about managing my power consumption since we’re a small company and I simply want the server to stay on. There’s a number of good articles about ASPM & Linux over on the Phoronix.com website which I found very interesting.

Initial bug report from RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=704758

A number of Kernel parameters one can use at boot time to help troubleshoot things: http://www.kernel.org/doc/Documentation/kernel-parameters.txt

Initial Phoronix News article that got me wondering if Linux’s implementation of ASPM might be my problem: http://www.phoronix.com/scan.php?page=news_item&px=MTAwMjg

I can see how ASPM would be really important to laptop users sure, but when I’m installing a server I don’t need stuff shutting down on me when not in use. (Of course this is different for datacenters!)

## Properly Partitioning a HW RAID Volume over 2TB in size

Like most geeks I’ve got lots of files and a need for spacious network shares. However, as soon as you go over a 2TB partition, you’ll encounter problems w/ how to correctly partition a drive or RAID volume using the newer 4096 sector spec called simply Advanced Format. I initially stumbled upon a series of articles written by Roderick W. Smith over on IBM’s DeveloperWorks when searching how to properly check partition alignment under Linux for SSDs but quickly had an “Uh Oh” moment when I realized SSDs weren’t my only problem and I had in fact been flying blind on larger than 2TB partitions under Linux. Thankfully I didn’t have systems in production where this was a problem but I was literally building a system at work where this could bite me in the rear!

To bottom line it for you, if you’re using software RAID or a true HW RAID setup, you need to stripe your file system across the partition in accordance to the number of discs involved, type of RAID and the stripe size in KBs. My example below is strictly regarding Areca ARC RAID cards and might not be applicable to your setup.

I’m using an ARC-1680ix-24 w/ 4GB of ram on board. I’ve got 24 – 500GB HDs with one volume using all HDs in a RAID 6 raidset. So, for me the math is such when using EXT4 filesystem:

chunk size = 128KB (For Areca ARC-1680s it's your Stripe size.)
block size = 4KB (My desired partition is over 2TB. 6.5TB to be exact.)
stride = chunk / block
= 128KB / 4KB
= 32
Stripe-width = stride * (( # disks in RAID) - # of RAID parity disks)
= 32 * ((using all 24 disks) - RAID 6 uses 2 parity disks)
= 32 * (24 - 2)
= 32 * 22
= 704

so in other words, once I’ve created the basic partition on my device and I’m ready to format it as EXT4 I’ll end up using:

mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1

I’m not going to go into every detail of the line so please read RAID Setup over on Kernel.org for the skinny.

## So from Soup to Nuts:

Use parted to create the partition table on my new volume & create a massive single partition at the right offset:
parted /dev/sdd
Once in the parted tool:
mklabel gpt
unit s
mkpart primary 2048s 100%
name 1 BFS
quit

Next, you’ll need to create an EXT4 filesystem inside your newly created partition from above:
mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1
Now you’ll want to add it to your fstab file so let’s grab the UUID from blkid next:
blkid -o list
And edit your /etc/fstab file so it will automount it at boot time
.
UUID=8e0a7d10-blah-blah-tomatoes-are-yummy-b4a0f6a13c15 /bfs ext4 defaults  1 2
.
Finally, create the mount point and mount it.
sudo mkdir /bfs
mount /bfs

Here’s a couple of links I found note worthy while going down this rabbit hole:
https://raid.wiki.kernel.org/index.php/RAID_setup#Calculation (shows the actual formula shown above & values)
http://www.gnu.org/software/parted/manual/parted.html  (parted’s man page over on GNU.ORG)
http://en.wikipedia.org/wiki/Ext4
http://lwn.net/Articles/377897/  (talks about 4KB sector size disks and let the panic ensue!)
http://whattheit.wordpress.com/2011/08/23/linux-aligning-partitions-to-a-hardware-raid-stripe/  (lots of theory but looks incomplete)
Last 4 links are from Rod Smith:
http://www.rodsbooks.com/gdisk/advice.html  (using gdisk but applicable to parted)
http://www.rodsbooks.com/gdisk/index.html  (main gdisk site!)
http://www.ibm.com/developerworks/linux/library/l-4kb-sector-disks/  (talks about the severe performance effects if you gloss over this stuff!)
http://www.ibm.com/developerworks/linux/library/l-gpt/  (good overview of GPT & understanding why they’re moving away from MBR)

(Personal Note: By finally posting this up on my blog I can close 10 tabs I’ve had open since middle of 2011!)

## Bootable USB flash drive

This one took a while. Essentially I had lost my other bootable USB flash drive and needed to make another one. I had previously used an HP utility which did the heavy lifting for me but I couldn’t find it on the interwebs nor my HD to save my life. I essentially had to use FreeDOS and SysLinux to get the job done. I’m pretty sure the wiki page I found was using an older version so I had to download FreeDOS 1.0 to find the fat32lba.bss file which was eluding me.

I will never lose this USB thumb drive…ever…bit of a nightmare really.

http://sourceforge.net/apps/mediawiki/freedos/index.php?title=USB

http://www.kernel.org/pub/linux/utils/boot/syslinux/ (I grabbed version 4.05!)

## Sendmail’s tweakable settings in the sendmail.mc file

Recently had a question at work about the maximum number of recipients Sendmail would allow thru our in-house server. I wasn’t sure but knew I hadn’t personally configured a hard limit. Did some quick searching and stumbled upon confMAX_RCPT_PER_MESSAGE as the answer. I haven’t set it to anything in our config but didn’t know what the default limit was in Sendmail so I did some digging. Stumbled upon the following links of value (to me at least!)

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html

Answer: infinite number. Sendmail doesn’t have a limit (now it does!)

Also stumbled upon Centos.org’s version 5 Deployment Guide on running the m4 macro command to build a new Sendmail.cf file.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s3-email-mta-sendmail-changes.html

## USN Rollback on a Domain Controller

This one bit me in the behind a while back. Essentially, the AD server was restored from a snapshot but had USN numbers that were younger than another servers’ USN numbers which was trying to connect to the AD server. This put the AD server into “disabled” mode so it wasn’t being used for AD stuff. The only way I could permanently fix my USN rollback issue was by keeping the other server off and restoring it to a previous snapshot as well. Long story short, this sucked to fix.

http://exchangeserverpro.com/recovering-a-single-domain-controller-from-a-usn-rollback

## Configuring Windows Time Service on a Domain Controller

I’m getting ready to migrate our AD servers to a virtual environment and one of the things that can get messed up is the AD servers’ time. Also, I’m joining some non Windows systems to the Windows domain which might encounter some time sync issues since they aren’t currently configured to use the domain’s NTP server (easy fix I know but I’m saving that for another post!)

Short story long, your AD server typically uses its’ CMOS time versus an external NTP server which is all fine and good so long as A) it’s a real hardware server not a virtualized one and B) No other servers in your infrastructure use other NTP servers (ie. Linux server ‘A’ isn’t using tick.usno.navy.mil which will have a different time then your main AD server which is going off of it’s CMOS clock!)

So, I did some searching on the interwebs and stumbled upon a couple of useful links on how to modify your registry on your AD server so it:

A) Uses an external time source versus the CMOS time & date.

B) Has a number of servers to attempt time updates from (use spaces to delimit servers! and don’t forget to append “,0x1” at the end if you’re using a FQDN versus an IP Address!)

C)…I forget C!

Anyhow, here’s some links I wrangled up.

http://support.microsoft.com/kb/816042#method2

http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html

## WordPress install on Win 2008 R2

I’ve installed WordPress websites several times on various Linux distros w/o issue but today I needed to install WordPress on a Windows 2008 R2 Server for the first time. Thankfully WordPress.org had an entire webpage up on just how to do it. Looks like they’re using a Microsoft publishing site called Web App Gallery or Web Platform Installer to install not only WordPress but also any dependencies and also do the initial configuration. The only problem I had was getting WordPress to update itself via FTP. Not only do you need to install the FTP server under the IIS additional roles but you need to explicitly give that FTP user account modify & write permissions to your wwwroot folder which is housing your WordPress files.

WordPress IIS page:
http://codex.wordpress.org/Installing_on_Microsoft_IIS

Microsoft’s Web App Gallery page:

## Converting a PFX file to a Java Keystore & using it w/ Tomcat

So a couple of months ago I had to stand up a DOORS Web Access server for work. It was pretty straight forward except for the creation of a certificate in your Java Keystore and then using it inside of your Tomcat server’s server.xml file.

To create the Java Keystore file you’ll first need to have downloaded Jetty which will do the command-line magic for you. I downloaded it from the codehaus.org website but you can find it by doing a Google for Jetty keytool. Once downloaded ensure your Java environment is setup correctly by issuing via command-line java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import . It should return back w/ usage information letting you know your Java environment is setup for command-line Java execution. Next, put your PFX file in the same directory where you are via command-line and then issue java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import <mycert>.pfx <myjavakeystorefile>.jks. You’ll be prompted for the password that allows you to use the PFX file, then you’ll be asked for a password for your JKS file. Once it’s done, you’ll have your Java Keystore and password.

Now, you need to open up your server.xml file and find the SSL part which needs to be modified to point to your Java Keystore file. When I found my server.xml file the https port was changed to 8443 which from what I hear is pretty common. I simply changed mine back to 443 so I wouldn’t have to do any firewall redirection. Now, I simply had to add SSLEnabled="true" keyAlias="server" keystoreFile="C:\path\to\keystore\file\mykeystorefile.jks" keypass="supersecretpasswordwhichI'mnotstupidenoughtoblogabout" . Once I had those attributes correctly set I simply stopped and restarted the Tomcat server.

All credit really goes to DigiCert & Entrust 🙂

Jetty tool kit explained:
http://www.entrust.net/knowledge-base/technote.cfm?tn=7925

Tomcat SSL certificate installation:
http://www.digicert.com/ssl-certificate-installation-tomcat.htm

Jetty’s website:
http://docs.codehaus.org/display/JETTY/Jetty+Wiki

## Personalizing your Remote Desktop webpage to something more meaningful

So I’ve recently installed Remote Desktop Services at work for testing purposes. I haven’t decided if we’re going to use RDS or something from Citrix. When doing the install I opt’d for the RD web access & gateway pieces so folks can use RDS over port 443. One of the first things I noticed was the generic title page of “Remote Desktop Services Default Connection” which I wasn’t to happy about. Did some quick Googling and found out you can change the text on the webpage by editing the RDWebAccess.config file. Just look for the <WorkspaceSettings Name=””> key and change it to what you want. I found the file at C:\Windows\Web\RDWeb\App_Data folder.

Need to give credit to Matt’s blog over at Bunker Hollow.
http://www.bunkerhollow.com/blogs/matt/archive/2010/02/05/rename-quot-remote-desktop-services-default-connection-quot.aspx

Thanks Matt!

## Joining domain fails when domain suffix isn’t supplied

So I’ve got my own Active Directory server at home w/ multiple network segments. On one of these network segments, I’ve got a Win2008R2 server w/ a static IP address that needs to join the domain but isn’t on the same network segment as the AD server. When I attempt to join the domain I get the following error message.

Once I get the error message and do a reboot I’ve joined the domain w/ no perceivable errors except the one shown above. I can log into the server w/o any issues using domain user accounts and everything appears fine. Obviously not satisfied w/ this conclusion I start doing some searches and remove the server from the domain to see if I can repeat the above error message.

Finally after searching for an hour I stumble upon a similar domain joining error on Lumbgaps blog and add a domain suffix to my server via the advanced settings on my network card. Once joined, I remove the domain suffix w/o any issues. Seems the server was having a domain searching issue and wasn’t appending the right FQDN on the end of whatever it was doing. This fixed it.