Anyway, you will probably want to monitor your LSI MPT raid if you find one, so here's how to do it if your distro does not come with the "mpt-status" command:
- Obtain mpt-status from http://freshmeat.net/projects/mptstatus/
- Obtain the X4100 resource CD from Sun. You may have to pay for this. Hopefully you got one with your box. I have an ISO file called X4100_X4200_ResourceCD_4.
- Install the mpt driver from the RPMs on the CD: mptlinux-4.00.05.00-1-rhel5.x86_64.rpm
- Activate the mptctl driver (your distro should have come with mptbase and mptsas): "/etc/rc3.d/S99fusion.mptctl start". Set up an rc3.d link to start this driver on boot!
- You should see mptctl, mptsas, mptscsih (maybe), and mptbase in the output of lsmod at this point. If not, keep hunting for drivers.
- Also on the Sun CDROM is mptlinux-4.00.05.00-src.tar.gz. Create the directory and extract this source into /tmp/mptlinux-4.00.05.00-src.
- Extract the mpt-status source into /tmp/mpt-status-1.2.0.
- Edit the Makefile with:
KERNEL_PATH := /usr/src/kernels/2.6.18-164.15.1.el5-x86_64/include
CFLAGS := -Iincl -Wall -W -O2 \
- Run make and it works!
# ./mpt-status -i 2
ioc0 vol_id 2 type IM, 2 phy, 67 GB, state OPTIMAL, flags ENABLED
ioc0 phy 1 scsi_id 4 SEAGATE ST973401LSUN72G 0556, 68 GB, state ONLINE, flags NONE
ioc0 phy 0 scsi_id 3 SEAGATE ST973401LSUN72G 0556, 68 GB, state ONLINE, flags NONE
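To turn that output into actual monitoring, here is an added example (not part of the original post) of a check that flags any volume that is not OPTIMAL and any disk that is not ONLINE. The function names, the return codes and the degraded sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: health check over mpt-status output.
# Return codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Reads mpt-status output on stdin and prints every unhealthy volume or disk line.
mpt_check() {
    awk '
        # Volume line, e.g. "ioc0 vol_id 2 type IM, ..., state OPTIMAL, flags ENABLED"
        / vol_id / { vols++; if ($0 !~ /state OPTIMAL,/) { print "VOLUME: " $0; bad++ } }
        # Disk line, e.g. "ioc0 phy 1 scsi_id 4 ..., state ONLINE, flags NONE"
        / phy [0-9]+ scsi_id / { if ($0 !~ /state ONLINE,/) { print "DISK: " $0; bad++ } }
        END {
            # No volume lines usually means the tool could not talk to the controller.
            if (vols == 0) { print "UNKNOWN: no volume lines (is mptctl loaded?)"; exit 3 }
            if (bad > 0) exit 2
            exit 0
        }'
}

# Cron wrapper (hypothetical name): silent when healthy, so cron only mails
# on trouble. "-i 2" is the SCSI id used in the post; adjust for your box.
mpt_cron() {
    out=$("${MPT_STATUS:-./mpt-status}" -i 2 2>&1 | mpt_check) && return 0
    rc=$?; printf '%s\n' "$out"; return "$rc"
}

# Output copied from the post above (healthy mirror).
SAMPLE_OK='ioc0 vol_id 2 type IM, 2 phy, 67 GB, state OPTIMAL, flags ENABLED
ioc0 phy 1 scsi_id 4 SEAGATE ST973401LSUN72G 0556, 68 GB, state ONLINE, flags NONE
ioc0 phy 0 scsi_id 3 SEAGATE ST973401LSUN72G 0556, 68 GB, state ONLINE, flags NONE'

# Constructed sample: the same array with one disk gone (state names illustrative).
SAMPLE_BAD='ioc0 vol_id 2 type IM, 2 phy, 67 GB, state DEGRADED, flags ENABLED
ioc0 phy 1 scsi_id 4 SEAGATE ST973401LSUN72G 0556, 68 GB, state ONLINE, flags NONE
ioc0 phy 0 scsi_id 3 SEAGATE ST973401LSUN72G 0556, 68 GB, state MISSING, flags OUT_OF_SYNC'

# Demo on the embedded samples; no controller is needed to run this.
printf '%s\n' "$SAMPLE_OK" | mpt_check && echo "sample 1: healthy"
printf '%s\n' "$SAMPLE_BAD" | mpt_check || echo "sample 2: exit code $?"
```

Calling mpt_cron from a crontab entry gives a mail only when the mirror degrades or the mptctl driver stops answering.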
Once again I am redoing our failed Symantec-Veritas Netbackup installation. There are a few things I'd rather be doing instead, like anything else, but we're going with ZManda, so it should be a less painful job this time.
Anyway, back to DHCP. JunOS just could not handle it. It turned out to be a mix of our fault and theirs. First, in some buildings but not all, the PCs have Windows Firewall blocking ICMP. This always encourages DHCP failures since hosts (clients and server) can't ping each other to see if an address is claimed. Second, JunOS was making a horrible mess of the leases database. Third, we made it worse by specifying week-long lease times. Fourth, the JunOS dhcpd would just dump core from time to time.
Well, after setting lease times short, disabling Windows Firewall, and upgrading to the latest JunOS, we are about ready to start more rollouts. Cross our fingers.
Eventually, we're going to give Symantec Netbackup the finger and move to Amanda, which will enable us to upgrade to OpenSolaris. I posted on Slashdot about this and got a reply from "greg1104":
"People need to understand that SATA disks and chipsets are fundamentally weak at error reporting and recovery. There's only so much you can do about that at the driver or OS level if a problem drives the chipset crazy. You really need hardware optimized for that purpose, like a mature and battle-tested RAID controller."
I agree 100%. For now, ZFS is worth the risk. The box is a virtual tape library, so 100% uptime is not a requirement. I'm not going to start shorting the stock of midrange storage companies just yet.
- Microsoft Windows Remote Access: Not bad. Microsoft fixed the cryptological problems with PPTP long ago, and every Windows PC came with a VPN client until recently (oops, M$.) There was a decent Linux client, but no easy-to-install Mac client. You could piggyback the server off any random Windows box behind your VPN, and use Active Directory or any LDAP for authentication. Rating: 3 out of 5.
- El Cheapo EBay Anything-but-Cisco Special: You could buy an old Juniper firewall or something similar and use a generic client. Usually you could get it to authenticate against RADIUS (but not usually LDAP or AD.) If your magic box did PPTP, cool, but usually you had to fiddle with handing out generic, fiddly IPSec clients to your users. Rating: 2 out of 5 stars.
- "F*** it, just open up the firewall": Run Remote Desktop Services or VNC on the desktops. But once one power user gets a firewall hole opened, everybody wants in. Do you really want to open your entire LAN to VNC? Rating: 2 out of 5 stars.
- Magic Boxes: Well, you can just grit your teeth and pay thousands for a magic box. They usually work, except when the vendor decides to break a protocol and force you to use their client, which may or may not install easily or even work, or, worse, force you to pay even more per-seat for licensing. Oh - you wanted encryption with your VPN - just write us another check, please! Rating: Varies widely with size and, mostly, ease of client installation.
- Poptop, OpenSWAN, SSH tunnels: Promising, but we could never get Poptop or OpenSWAN to work. SSH tunneling is OK, but requires expert knowledge and only forwards one or two protocols at the same time.
So finally we had a chance to give OpenVPN a try. What a surprise. Better yet, there is a commercial enterprise, OpenVPN Technologies, that offers an added-value product for $5 per seat that makes OpenVPN fiddle-free. Rating: 5 out of 5 stars for smallish installs.
This approach solves several big problems we've had with VPN deployments: licensing and fiddly, hard-to-install clients.
Licensing is straightforward: $5 per seat, period. For huge installs, it might be cheaper to buy a Magic Box. But for smaller deployments, for $5 you get: super-easy installation on most Linux platforms, a web GUI, added-value support for the parts that are different from "free" OpenVPN, defaults that make it work right out of the box (with LDAP, too), a Windows client that works, and, as part of the GUI, a place where Windows clients can log in and download it, and non-Windows users can download a config that simply plugs in to OpenVPN for use as a client.
No more client fiddling: OpenVPN Technologies supplies the Windows client, Linux users use the OpenVPN that comes with their distro, and Mac users can either use OpenVPN or Tunnelblick. All this guarantees that the client will be compatible with the OpenVPN Technologies server, which is OpenVPN itself, with the value-added parts wrapped around the server.
Well, enough fan mail for OpenVPN. Time to get back to work, doing real work from home instead of fiddling with a VPN.
[UPDATE: RedHat / CentOS seems to have dropped OpenVPN from their repositories. You may have to build OpenVPN from source. Not too hard, but no longer fiddle-free.]