Techhell

Just a spanner in the works
  • Add a little Fiber

    Posted on September 1st, 2010 admin No comments

    Some very basic notes on adding a device to a SAN fabric. In this case I'm adding a server to a SAN through a Brocade SilkWorm switch.

    But first some basic Terminology…

    HBA – Host Bus Adapter, which in this case, refers to the Fibre Channel Card. In LAN networking, it’s analogous to an Ethernet card.
    WWN – World Wide Name, a unique 8-byte number identifying the HBA. In Ethernet networking, it’s analogous to the MAC address.
    FC Zone – Fibre Channel Zone, a partitioned subset of the fabric. Members of a zone are allowed to communicate with each other, but devices are not allowed to communicate across zones. An FC Zone is loosely analogous to a VLAN.

    Zones:

    In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to limit interference, add security, and simplify management. A storage array presents many virtual disks (LUNs), and each system connected to the SAN should be able to reach only a controlled subset of them. Zoning is one half of that control: it decides which ports or devices may talk to each other at all. Which LUNs a host is then offered by an array it can reach is a separate control, LUN masking, configured on the array itself; a host that is zoned to a storage port but not masked may be offered every LUN behind that port. Zoning applies only to the switched fabric topology (FC-SW); it does not exist in the simpler Fibre Channel topologies (point-to-point and arbitrated loop).

    Types Of Zones:

    Zoning has two independent dimensions: how a zone is enforced (soft or hard) and what a zone member is (a switch port or a device name, i.e. its WWN). Either enforcement method can be combined with either membership type.

    Soft and Hard zoning

    The fabric name service allows each device to query the addresses of all other devices. Soft zoning restricts only the fabric name service, to show only an allowed subset of devices. Therefore, when a server looks at the content of the fabric, it will only see the devices it is allowed to see. However, any server can still attempt to contact any device on the network by address. In this way, soft zoning is similar to the computing concept of security through obscurity.

    In contrast, hard zoning restricts actual communication across the fabric: the switch drops frames between ports or devices that do not share a zone. This needs frame-filtering hardware in the switches, but it is much more secure.

    Port and WWN zoning

    Zoning can also be applied to either switch ports or end-station names. Port zoning restricts specific switch ports from seeing unauthorised ports. WWN zoning (also called name zoning) restricts access by a device's World Wide Name (WWN). With port zoning, when a device is unplugged from a switch port and a different one is plugged in, the new device gets the zone's access instead of the old one; the fact that the device's WWN changed is ignored. With WWN zoning, when a device is unplugged from a switch port and plugged into a different port (perhaps on a different switch) it keeps its zone access, because the switches check only the device's WWN; the specific port it connects to is ignored. This is more flexible, but a WWN is only a value the HBA presents at fabric login and can be changed in the HBA's firmware or driver settings, so it can be spoofed, which reduces security. Fabrics that use WWN zoning can bind a WWN to a port (on Brocade, a DCC policy) to get the convenience of one scheme with the cabling check of the other.

    Currently, the combination of hard and WWN zoning is the most popular.
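    As an added illustration (not from the post and not Brocade code), here is a small Python model of the four combinations described above. The WWNs, port numbers and zone names in it are made up. It shows the two points that matter for security: under soft zoning the name server hides a target but a frame addressed straight to it is still delivered, and under WWN zoning access follows the WWN, which an attacker can present, while under port zoning it follows the cable.

```python
"""Toy model of the zoning choices discussed above: soft vs hard enforcement,
port vs WWN membership.  Added illustration only; not Brocade code.  WWNs,
port numbers and the zone names are made up."""
from dataclasses import dataclass, field

HOST_WWN = "10:00:00:00:c9:aa:bb:cc"    # assumed WWN of the server's HBA
ARRAY_WWN = "50:06:01:60:12:34:56:78"   # assumed WWN of the storage port it may use
OTHER_WWN = "50:06:01:61:12:34:56:79"   # a storage port the server is NOT zoned to


@dataclass
class Device:
    wwn: str    # what the HBA reports at fabric login (software-settable)
    port: int   # the switch port it is physically cabled to


@dataclass
class Fabric:
    zones: dict                  # zone name -> set of members: WWN strings or "port:N"
    enforcement: str = "hard"    # "hard" = frames filtered, "soft" = name service only
    devices: dict = field(default_factory=dict)   # port -> Device

    def plug(self, dev):
        self.devices[dev.port] = dev

    def _zoned_together(self, a, b):
        ids_a = {a.wwn, f"port:{a.port}"}
        ids_b = {b.wwn, f"port:{b.port}"}
        return any(ids_a & members and ids_b & members for members in self.zones.values())

    def name_service(self, requester):
        """What a device sees when it queries the fabric name server.
        Both soft and hard zoning filter this view."""
        return sorted(d.wwn for d in self.devices.values()
                      if d is not requester and self._zoned_together(requester, d))

    def deliver(self, src, dst_wwn):
        """Is a frame from src, addressed straight to dst_wwn, delivered?"""
        dst = next((d for d in self.devices.values() if d.wwn == dst_wwn), None)
        if dst is None or dst is src:
            return False
        if self.enforcement == "soft":
            return True     # nothing in the switch stops a frame to a known address
        return self._zoned_together(src, dst)   # hard zoning: the switch drops it


def soft_vs_hard(enforcement):
    """Host zoned only with ARRAY.  Returns (targets the host sees, whether a frame
    it sends straight to the unzoned OTHER target gets through)."""
    fab = Fabric(zones={"host_array": {HOST_WWN, ARRAY_WWN}}, enforcement=enforcement)
    host = Device(HOST_WWN, 1)
    for dev in (host, Device(ARRAY_WWN, 2), Device(OTHER_WWN, 3)):
        fab.plug(dev)
    return fab.name_service(host), fab.deliver(host, OTHER_WWN)


def wwn_zoning():
    """WWN membership: returns (host still reaches ARRAY after moving to port 9,
    an attacker presenting the host's WWN on port 7 reaches ARRAY).  The spoof
    case assumes the real host is offline; a fabric rejects a second login with
    a WWN that is already logged in."""
    zones = {"host_array": {HOST_WWN, ARRAY_WWN}}
    fab = Fabric(zones=zones)
    fab.plug(Device(ARRAY_WWN, 2))
    moved = Device(HOST_WWN, 9)
    fab.plug(moved)
    fab2 = Fabric(zones=zones)
    fab2.plug(Device(ARRAY_WWN, 2))
    spoofer = Device(HOST_WWN, 7)      # HBA reprogrammed to the host's WWN
    fab2.plug(spoofer)
    return fab.deliver(moved, ARRAY_WWN), fab2.deliver(spoofer, ARRAY_WWN)


def port_zoning():
    """Port membership: returns (host still reaches ARRAY after moving to port 9,
    an unknown HBA cabled into port 1 reaches ARRAY)."""
    zones = {"port1_array": {"port:1", ARRAY_WWN}}
    fab = Fabric(zones=zones)
    fab.plug(Device(ARRAY_WWN, 2))
    moved = Device(HOST_WWN, 9)
    fab.plug(moved)
    fab2 = Fabric(zones=zones)
    fab2.plug(Device(ARRAY_WWN, 2))
    stranger = Device("21:00:00:24:ff:de:ad:00", 1)   # whatever got cabled to port 1
    fab2.plug(stranger)
    return fab.deliver(moved, ARRAY_WWN), fab2.deliver(stranger, ARRAY_WWN)


if __name__ == "__main__":
    for mode in ("soft", "hard"):
        seen, leaked = soft_vs_hard(mode)
        print(f"{mode} zoning: host sees {seen}; frame to unzoned target delivered: {leaked}")
    print("WWN zoning  (moved host ok, spoofed WWN ok):", wwn_zoning())
    print("port zoning (moved host ok, stranger on port 1 ok):", port_zoning())
```

    On the SilkWorm itself the equivalent of the zone dictionary is built with alicreate, zonecreate and cfgadd, made live with cfgsave and cfgenable, and checked with zoneshow; nsshow from the host's point of view is the name_service() call above. The spoofing case is why a WWN zone on its own is not an authentication boundary: it controls convenience, the cabling and any port-binding policy control who is actually on the other end.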

    Read the rest of this entry »

  • NTP on Solaris 10

    Posted on May 27th, 2009 admin No comments


    For an NTP server:

    cp /etc/inet/ntp.server /etc/inet/ntp.conf

    Replace the server lines with

    server 0.north-america.pool.ntp.org
    server 1.north-america.pool.ntp.org
    server 2.north-america.pool.ntp.org
    server 3.north-america.pool.ntp.org

    touch /var/ntp/ntp.drift
    svcadm enable svc:/network/ntp

    For a client :

    cp /etc/inet/ntp.client /etc/inet/ntp.conf
    svcadm enable svc:/network/ntp

    To test:
    # ntpq -p
    # svcs ntp
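    As an added example (not from the post), a small Python check that reads the ntpq -p billboard and says whether the host is actually synchronised rather than merely running ntpd. The billboards embedded in it are constructed. It is the check worth scripting once svcs reports the service online, because a daemon that has selected the local clock as its system peer, or whose servers never answer, is running but not synchronised.

```python
"""Decide from 'ntpq -p' output whether a host is actually synchronised.
Added example, not part of the original post.  The two billboards below are
constructed, laid out like the classic ntpq output: tally code in column 1
('*' system peer, '+' candidate, ' ' discarded); reach is an octal shift
register of the last eight polls, 377 = all answered."""
import subprocess

SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.north-america 132.163.96.1     2 u   40   64  377   31.455   -1.212   0.803
+1.north-america 129.6.15.28      2 u   37   64  377   45.102    0.531   1.020
 2.north-america .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# What you get when a local-clock entry was left in the config and the real
# servers are unreachable: ntpd happily "syncs" to itself.
SAMPLE_LOCAL_ONLY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.001
 0.north-america .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

STEP_THRESHOLD_MS = 128.0   # ntpd steps rather than slews above this offset


def parse_peers(text):
    """One dict per peer line; the header and separator lines are skipped."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        fields = line[1:].split()          # column 1 is the tally code
        if len(fields) < 10:
            continue
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),    # printed in octal
            "offset_ms": float(fields[8]),
        })
    return peers


def sync_status(text):
    """'synced' is True only if a system peer exists, is a real network server,
    answered all of the last eight polls and is inside the step threshold."""
    peers = parse_peers(text)
    sysp = next((p for p in peers if p["tally"] == "*"), None)
    problems = []
    if sysp is None:
        problems.append("no system peer selected (no '*' line)")
    else:
        if sysp["refid"] == ".LOCL." or sysp["remote"].startswith("LOCAL("):
            problems.append("system peer is the local clock: the host is free-running")
        if sysp["reach"] != 0o377:
            problems.append("system peer missed recent polls (reach %o)" % sysp["reach"])
        if abs(sysp["offset_ms"]) > STEP_THRESHOLD_MS:
            problems.append("offset %.1f ms exceeds step threshold" % sysp["offset_ms"])
    return {
        "synced": sysp is not None and not problems,
        "system_peer": sysp["remote"] if sysp else None,
        "problems": problems,
        "unreachable": [p["remote"] for p in peers if p["reach"] == 0],
    }


if __name__ == "__main__":
    # On a live box the real billboard is used; otherwise the constructed sample.
    try:
        text = subprocess.run(["ntpq", "-p"], capture_output=True, text=True,
                              check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SYNCED
    print(sync_status(text))
```

    The two things svcs ntp cannot tell you are whether a real server was chosen (the * tally code) and whether it has been answering (reach 377). Also worth doing while ntp.conf is open: unless the file restricts it, the daemon answers control queries (ntpq, ntpdc) from any address, so add restrict default noquery nomodify notrap together with restrict 127.0.0.1 alongside the server lines; time service to clients is unaffected by those flags.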

  • 3Com Vlan to Vlan Routing / ACL’s

    Posted on January 16th, 2009 admin 1 comment


    system-view – enter system view
    interface vlan-interface X – enter the interface for VLAN X
    ip address X.X.X.X X.X.X.X – assign an IP address and subnet mask to it

    The corresponding connected routes are created automatically for each VLAN interface and can be checked with

    display ip routing-table

    Then I had to add routes for the subnets on my VLANs.

    Finally I set up an advanced ACL filter to block the new VLANs from accessing anything on my primary VLAN 1.

    from system-view:
    acl number (ACL number, 3000 range for an advanced ACL) match-order config
    rule deny ip source X.X.X.X (source address) X.X.X.X (source wildcard) destination X.X.X.X (destination address) X.X.X.X (destination wildcard) time-range allday (my named time range) – this blocks the whole VLAN 1 subnet from being accessed from the VLAN 3 subnet. A wildcard is an inverse mask: 0 bits must match, 1 bits are ignored.

    Then create rules to open up specific IPs on the VLAN 1 subnet for access from the VLAN 3 subnet:

    rule permit ip source X.X.X.X (source address) X.X.X.X (source wildcard) destination X.X.X.X (destination address) 0.0.0.0 (a 0.0.0.0 wildcard means a single host) time-range allday (my named time range) – this allows the VLAN 3 subnet to reach one specific IP on the other subnet, in my first case the Internet router (the default gateway of the other subnet).

    Then I repeated that for the other few IPs that I needed to open access up for.

    Finally I applied the new ACL as a packet filter from system view.

    So quit back out to system view.

    Type
    packet-filter vlan X (mine is 3) inbound ip-group (ACL number, mine is 3000)

    You can then test this; if there are problems or you need to make changes, prefix the command with undo to remove it. Test from a VLAN 3 host in both directions, that the denied addresses are unreachable and that the permitted ones still are: with match-order config it is the order of the rules that decides which one wins when a packet matches both the subnet deny and a host permit.

    Two further notes: STP can be ignored for this, and every host must point at its own VLAN interface address as its default gateway.
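    As an added example (not from the post), here is the same ACL built from CIDR notation in Python, with the wildcard masks computed rather than typed. The subnets (192.168.1.0/24 on VLAN 1, 192.168.3.0/24 on VLAN 3), the router address 192.168.1.1, the ACL number 3000 and the time-range name allday are assumptions; the rules come out in the order the post enters them (subnet deny first, host permits after), and a permit for a host outside the denied subnet is rejected because it would do nothing.

```python
"""Generate the Comware-style ACL from the post above from CIDR notation.
Added example, not from the post.  The subnets, ACL number, VLAN and time-range
name are assumptions.  Comware rules take an address plus a wildcard (inverse)
mask: a 0 bit must match, a 1 bit is ignored, so 0.0.0.0 means one host."""
import ipaddress


def wildcard(cidr):
    """'192.168.3.0/24' -> ('192.168.3.0', '0.0.0.255')."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def acl_rules(src_cidr, dst_cidr, allowed_dst_hosts, time_range="allday"):
    """Deny src -> dst except the listed destination hosts, in the order the post
    enters them.  Which rule wins when both match is what 'match-order config'
    is about; confirm it on your own switch."""
    dst_net = ipaddress.ip_network(dst_cidr, strict=True)
    s_addr, s_wc = wildcard(src_cidr)
    d_addr, d_wc = wildcard(dst_cidr)
    rules = [f"rule deny ip source {s_addr} {s_wc} destination {d_addr} {d_wc} "
             f"time-range {time_range}"]
    for host in allowed_dst_hosts:
        ip = ipaddress.ip_address(host)
        if ip not in dst_net:
            raise ValueError(f"{host} is outside {dst_cidr}; the deny does not "
                             "cover it, so a permit for it changes nothing")
        rules.append(f"rule permit ip source {s_addr} {s_wc} destination {ip} 0.0.0.0 "
                     f"time-range {time_range}")
    return rules


def acl_config(number, vlan, src_cidr, dst_cidr, allowed_dst_hosts, time_range="allday"):
    """Full snippet: system view, the ACL, quit back to system view, apply it
    inbound on the VLAN.  Advanced (IP) ACLs are numbered 3000-3999."""
    if not 3000 <= number <= 3999:
        raise ValueError("advanced ACLs live in the 3000 range")
    lines = ["system-view", f"acl number {number} match-order config"]
    lines += acl_rules(src_cidr, dst_cidr, allowed_dst_hosts, time_range)
    lines += ["quit", f"packet-filter vlan {vlan} inbound ip-group {number}"]
    return lines


if __name__ == "__main__":
    # Assumed layout: VLAN 1 is 192.168.1.0/24 with the Internet router at .1;
    # VLAN 3 is 192.168.3.0/24 and may reach only that router on VLAN 1.
    print("\n".join(acl_config(3000, 3, "192.168.3.0/24", "192.168.1.0/24",
                               ["192.168.1.1"])))
```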

  • System Password Recovery from mirrored disks

    Posted on September 8th, 2008 admin No comments

    Root password recovery from mirrored (DiskSuite / Solaris Volume Manager / whatever Sun marketing wants to call it today) disks.

    Root metadevice is d10, made up of d11 (c1t0d0s0) and d12 (c1t1d0s0).

    1) boot off the Solaris 10 CD into single-user mode
    2) mount /dev/dsk/c1t0d0s0 /a
    3) cd /a/etc
    4) vi shadow and remove the encrypted password from root's entry (clear the second field only; the line must keep all nine colon-separated fields)
    5) cd /, then umount /a
    6) dd if=/dev/rdsk/c1t0d0s2 of=/dev/rdsk/c1t1d0s2 bs=512k
    7) reboot (from the root disk metadevice)

    Step 6 copies the whole first disk (partition table included) over the second, so the two halves of the mirror come back identical and nothing needs resyncing; it assumes both disks are laid out the same and takes as long as a full disk copy. Set a new root password immediately after the reboot. The flip side is that anyone with console access and boot media can do exactly this, so on SPARC set an OpenBoot password (eeprom security-mode=command) and control who can reach the console.
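    Step 4 is where this goes wrong in practice: a colon deleted along with the hash leaves a shadow line with the wrong number of fields. As an added example, not from the post, here is a small Python routine that blanks only root's password field and refuses to produce output if any line would be malformed; the shadow content it carries is constructed and the hash in it is not a real one. The same checks apply whether you do the edit with vi or with this.

```python
"""Blank root's password field in a copy of /etc/shadow without disturbing the
rest of the file.  Added example; not from the post.  The shadow text below is
constructed and its hash is not real.  shadow(4) lines have nine colon-separated
fields: name:password:lastchg:min:max:warn:inactive:expire:flag.  An empty
password field means login without a password, NP means no password is valid,
*LK* means the account is locked."""
import sys

SAMPLE_SHADOW = """\
root:ab1cdEfGhIjKl:15000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
admin:*LK*:15000::::::
"""

SHADOW_FIELDS = 9


def clear_root_password(shadow_text, user="root"):
    """Return (new_text, old_hash).  Only the named user's line changes.  If any
    line does not have nine fields, or the user is missing, a ValueError is
    raised so a half-edited file is never written back."""
    out, old_hash, found = [], None, False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            raise ValueError(f"malformed shadow line: {line!r}")
        if fields[0] == user:
            old_hash, fields[1], found = fields[1], "", True
        out.append(":".join(fields))
    if not found:
        raise ValueError(f"no entry for {user}")
    return "\n".join(out) + "\n", old_hash


if __name__ == "__main__":
    # Usage with the root slice mounted on /a: python this.py /a/etc/shadow
    # It writes shadow.new beside the original; inspect it, then rename it yourself.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SHADOW
    new_text, old = clear_root_password(text)
    if path:
        with open(path + ".new", "w") as f:
            f.write(new_text)
    print("old hash:", old)
    print(new_text, end="")
```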

  • PM that DC !

    Posted on August 21st, 2008 admin No comments

    It is a given that a car performs better and lasts longer if you take care of routine maintenance, such as oil changes, rotating your tires, and keeping an eye on fluid levels. What isn’t so widely accepted is that similar rules apply to data center equipment.

    Few data center managers know and follow best practices related to the proper maintenance of key systems. When you think about the cost of the infrastructure components and systems and the business value of the data supported, the cost of maintenance is small.
    Read the rest of this entry »

  • Think Small

    Posted on August 21st, 2008 admin No comments

    Think small. When it comes to maintenance, it is important to pay attention to the little things. Vacuuming the data center and eliminating dust buildup on fans and inside equipment are relatively simple preventive maintenance tasks that can add longevity to equipment and prevent sudden overheats.
    Read the rest of this entry »

  • Fresh (Outside) for your data center and budget

    Posted on August 21st, 2008 admin No comments

    A good way to cut costs while improving maintenance efficiency is to use outside air (downflow / upflow) economizers to reduce usage of chillers or AC units.

    If a facility is well designed and the return air is pretty hot, the outside temperature will often be more favourable for energy than the return air from the hot aisles. You can switch to outside air and keep the chiller plant running, or, as the outside air temperature drops further, save even more by turning the chiller plant off. Why pay to cool 120 degree return air when much cooler make-up air is available?
    Read the rest of this entry »

  • Remove Failed Package Installs

    Posted on August 17th, 2008 admin No comments


    Having a package install fail in the global zone can cause issues all over the zones.

    While attempting to install a Sun package this week, I encountered the following error:

    $ pkgadd -d . mysqlr

    ## Waiting for up to <300> seconds for package administration commands to become available (another user is administering packages on zone )

    ^C

    1 package was not processed!

    After a bit of truss'ing, I noticed that the pkgadd commands were checking for files named .ai.pkg.zone.lock-* in /tmp. Based on a cursory inspection of the package utility source code, it appears these files are used as lock files to prevent multiple package commands from running at the same time. Since this was the only package installation running on the system, I logged into the zone and removed the stale lock file:

    $ zlogin zoneA

    $ rm /tmp/.ai.pkg.zone.lock-afdb66cf-1dd1-11b2-a049-000d560ddc3e

    Once I removed this file, the package installed like a champ! Nice! Do check first that no pkgadd, pkgrm or patchadd is still running in the global zone or in any non-global zone (ps -ef in each of them): removing a lock that is live lets two package operations write the package database at the same time, which is a far worse mess than a stale lock.

  • Find how many and what kind of interfaces on a Sun system

    Posted on August 13th, 2008 admin No comments


    OK, as I keep building various Intel/AMD based systems into Solaris x86 boxen, and/or can never tell who has installed what card in one of the SPARCs, this little trick comes in handy.

    # ifconfig -a plumb
    # ifconfig -a

    This plumbs (attaches the IP stack to) every interface the system can find and then lists them. The interfaces stay plumbed afterwards, with no address, so on a production box unplumb the ones you will not configure (ifconfig <interface> unplumb); dladm show-link lists the links without plumbing anything.

  • Simple DNS Monitor (Simple Hack)

    Posted on August 12th, 2008 admin No comments


    A simple "nsping": there is no need to install a separate utility to run nsping, because you already have dig.

    nsping is a simple network diagnostic tool for checking the health and reachability of name servers. As the name suggests, you ping a name server, not with an ICMP echo request but with a (very random) lookup. The time it takes to get a reply back is what you are after; serious lags can indicate network issues.

    The tool nsping is a standalone binary, and on most UN*X systems it is another package to install. Almost everyone, however, already has dig, part of the BIND package. dig is a complex name server query and diagnostic tool, and one useful feature is that it reports the time its query took in milliseconds, exactly what we are after. So let's use dig to do what nsping does and trim the answer down to look like nsping's: all we have to do is a random lookup and report only the query time. The random label matters: a name nobody has asked for before cannot be served from a cache, so the timing reflects the server actually working (or, for an authoritative server, answering NXDOMAIN) rather than a cached hit. This simple shell hack uses the built-in random number generator of ksh ($RANDOM, which bash also provides) and awk to trim down dig's output.
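    The post goes on to the ksh script; as an added example that is not that script, here is the same idea in Python, with the random-label generator and a parser for the ";; Query time:" line dig prints. The dig output embedded in it is constructed, and the server address 192.0.2.53 and domain example.com are placeholders.

```python
"""A Python take on the 'dig as nsping' idea above: send random lookups to a
name server and keep only the query time dig reports.  Added example, not the
post's ksh script.  The dig output below is constructed; ';; Query time:' is
the line dig prints on every answer."""
import random
import re
import string
import subprocess
import sys

SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> @192.0.2.53 qbz7xk2p4n.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41203
;; QUESTION SECTION:
;qbz7xk2p4n.example.com.\t\tIN\tA

;; Query time: 23 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Tue Aug 12 10:00:00 2008
;; MSG SIZE  rcvd: 51
"""

QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec", re.MULTILINE)
STATUS = re.compile(r"status: (\w+)")


def random_name(domain, length=10):
    """A label nobody has asked for before, so no cache can answer it and the
    server has to do real work (or return NXDOMAIN from its own authority)."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(random.choice(alphabet) for _ in range(length))
    return f"{label}.{domain}"


def parse_dig(output):
    """(query time in ms, rcode) from dig's text output; None if there was no answer."""
    t = QUERY_TIME.search(output)
    s = STATUS.search(output)
    if not t or not s:
        return None
    return int(t.group(1)), s.group(1)


def nsping(server, domain, count=5, timeout=2):
    """Query 'server' count times with fresh random names.  Returns the list of
    timings in ms, with None where dig got no answer inside the timeout."""
    results = []
    for _ in range(count):
        cmd = ["dig", f"@{server}", random_name(domain), "A",
               f"+time={timeout}", "+tries=1"]
        try:
            out = subprocess.run(cmd, capture_output=True, text=True,
                                 timeout=timeout + 1).stdout
        except (OSError, subprocess.TimeoutExpired):
            out = ""
        parsed = parse_dig(out)
        results.append(parsed[0] if parsed else None)
    return results


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # placeholder
    print(nsping(server, "example.com"))
```

    NXDOMAIN answers are expected: the random label does not exist, which is the point. What the post is after is the query time across runs; a run of None values means the server did not answer within the timeout at all, which is the "serious lag" case.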
    Read the rest of this entry »