January 13, 2009
New blog
URL for my new blog: http://people.binf.ku.dk/~hanne/b2evolution/blogs/
Not all posts have been imported yet but they will be sooner or later.
November 22, 2008
My first iSCSI steps
So a month ago or so I convinced the boss and the group with the storage need (and money) to go iSCSI, because it would be fun to try, easy to move, had certain nice expansion facilities and I/O speed was not really an issue for this device as much as flexibility. And there I was a week ago with my first iSCSI device on my hands and a good deal less time than I'd hoped for to figure it out.
It is a Promise VTrak m610i, see screen shot of admin interface in previous blog post.
We considered an HP thing at approx. the same price but with half the disk space (double price for compatible disks, no 1TB disks available), and only room for 12 disks in 3U. Here we have room for 16. The drawback is no onsite support, we have to actually send it in for repair :( But with the cheap disks it is affordable to buy spares so it is only the box itself.
Anyway we decided that if we don't like it we can always use it for backup. So we bought it.
So far I like it. It is clearly mediocre quality disk enclosures but once they're in they seem to work fine and look rather nice, too.
It comes with a manual saying how to install it in the rack, how to connect via the serial port and set an IP address, and how to configure RAID and a logical disk. And not much more.
I got the Ikea feeling after mounting it in the rack: Having bits left over that I'm pretty sure should have gone somewhere but that is just too bad...
The serial connection went smoothly. It has a management interface which I have put on my "real" network so I can access it via https (and snmp and telnet if I enable them) and it has 2 iSCSI interfaces. I connected both to my dedicated iSCSI Gbit switch, and connected the Gbit switch to my fileserver which has the honor of being the iSCSI initiator on its 2nd Gbit network interface.
Does this make sense? Only one host connected, and wasting a switch in between? Well we need to start somewhere, and this is an attempt to get ourselves a flexible easily expandable and easily moveable solution.

In the https interface I found a place where I could trunk the two iSCSI interfaces, they call it "Link aggregation".
From management interface in browser: Network Management → Link aggregation: Trunk port 1 and 2 (1 master 2 slave).
So I created a disk array and a logical disk drive. I am glad that I had a SAN before. The manual has no explanation of the SAN terminology they use, or any other terminology, that is. (The cd might have. I never bother to open those unless I have to).
Now for the Linux part.
- Configure 2nd network interface to talk to iSCSI net
- Do not use the iSCSI net as default gateway... that is, if you still want your hosts to be able to see the server ;)
- Install open-iscsi
- Configure iscsi:
iscsiadm -m iface -I iface0 --op=new
iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v aa:bb:cc:xx:yy:zz
/etc/init.d/open-iscsi start
iscsiadm -m discovery -t sendtargets -p 192.168.4.1:3260 --interface=iface0
/etc/init.d/open-iscsi restart
- On iSCSI device in web interface map the iSCSI initiator to the LUN on the Storage Services → LUN Map: Dropdown menu: Add LUN Map.
- On fileserver again:
iscsiadm -m node --targetname iqn.1234-12.com.promise.11.22.33.44.5.0.0.60 --portal 192.168.4.1
iscsiadm -m node --targetname iqn.1234-12.com.promise.11.22.33.44.5.0.0.60 --portal 192.168.4.1 --interface iface0 --login
fdisk -l
- Create filesystem. mkfs.ext3 -m 0 -O dir_index /dev/sdc or whatever.
- Mount, nfs export etc.
- Do not stop the iSCSI service without unmounting the device first.
- To automatically start a session with the iSCSI device I did this, but I have not yet tested if it works:
iscsiadm -m node -T iqn.1234-12.com.promise.11.22.33.44.5.0.0.60 --portal 192.168.4.1 --op update -n node.conn[0].startup -v automatic
If I missed some steps in this description or mixed up the order I apologize.
I think what I need to do next is to find some time to RTFM on the iscsiadm tool, then I'll probably soon be pretty cool with what this thing can do and how to do it.
I must say I like this toy very much better than I liked the EMC CLARiiON CX400 at my former workplace, which was FC and more than ten times the price. Perhaps because I don't have to deal with a support queue, I can play all on my own. And no proprietary HBA drivers! \o/
November 19, 2008
October 31, 2008
October 30, 2008
pptp on Linux the manual way
A few years ago I wrote a guide for myself describing how to get on the institute's vpn via pptpconfig on Linux. I never really understood what was so hard about it for other people until now... where pptpconfig has gone from all my Linux distributions.
I tried kvpnc and networkmanager and both failed. Either they are broken - I believe network manager is in general - or they just don't give access to the parameters I need to change.
So I did it manually and here it is for everyone to see.
/etc/ppp/chap-secrets
mycoolusername vpnatwork mysecretpassword *
/etc/ppp/peers/vpnatwork (edited from the kvpnc generated file)
# name of tunnel, used to select lines in secrets files
remotename vpnatwork
# name of tunnel, used to name /var/run pid file
linkname vpnatwork
# name of tunnel, passed to ip-up scripts
ipparam vpnatwork
# data stream for pppd to use
# xxx.xxx.xxx.xxx should be replaced by vpn gateway IP
pty "/usr/sbin/pptp --debug --loglevel 2 xxx.xxx.xxx.xxx --nolaunchpppd"
# domain and username, used to select lines in secrets files
name "mycoolusername"
# use MPPE encryption
require-mppe
# we do not require the peer to authenticate itself
noauth
# enable debug
debug
kdebug 1
# we want to see what happens
nodetach
# Don't use BSD compression
nobsdcomp
# Don't use deflate method
nodeflate
# don't set defaultroute
nodefaultroute
file /etc/ppp/options.pptp
You might want to remove the debug entries.
/etc/ppp/options.pptp
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do EAP, CHAP, PAP, or MSCHAP, but we will accept MSCHAP-V2
refuse-eap
refuse-chap
refuse-pap
refuse-mschap
require-mppe
# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
As is seen in this file we use mschapv2 and that is what I cannot configure from kvpnc or networkmanager.
I don't know if it is necessary to have the nobsdcomp and nodeflate in both files.
Kernel modules
Some kernel modules are needed: The ppp_mppe module and perhaps also the ip_gre module. I read somewhere that I should load the ppp_mppe module with the ppp-compress-18 alias. No idea if it makes a difference. I might get around to testing it later. So:
modprobe ip_gre
modprobe ppp-compress-18
Firewall issues
You need to allow outgoing connections to tcp port 1723 and you need to allow the GRE protocol: IP protocol 47. Also you need to allow established-related or whatever keep state option you have in your firewall.
If you run natted through an iptables firewall you also need to load the module ip_nat_pptp on the firewall. Took me a while to figure that one out!
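A check for the three firewall requirements listed above, as an added example that is not part of the original post. The function name, the constructed rulesets and the placeholder gateway address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an iptables-save dump
# for the three firewall requirements the post lists for a PPTP client.
# It only checks that a matching ACCEPT rule exists somewhere, not rule
# order or chain. On a real host: iptables-save | pptp_fw_missing

# Reads iptables-save text on stdin, prints one line per missing item,
# and prints nothing when all three requirements are covered.
pptp_fw_missing() {
    awk '
        /^-A/ && /-j ACCEPT/ {
            # control channel: TCP to destination port 1723
            if ($0 ~ /-p tcp/ && $0 ~ /--dport 1723( |$)/) ctrl = 1
            # tunnel data: GRE, written as "gre" or as IP protocol 47
            if ($0 ~ /-p (gre|47)( |$)/) gre = 1
            # return traffic: state or conntrack match on ESTABLISHED
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) est = 1
        }
        END {
            if (!ctrl) print "missing: tcp/1723 (PPTP control channel)"
            if (!gre)  print "missing: GRE, IP protocol 47 (tunnel data)"
            if (!est)  print "missing: ESTABLISHED,RELATED return traffic"
        }'
}

# Constructed sample: control channel and return traffic are allowed but
# GRE is not. 192.0.2.10 is a placeholder for the VPN gateway.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT'

# Constructed sample: the same ruleset with GRE allowed in both directions.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p gre -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p gre -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | pptp_fw_missing
```

The dump does not show whether the ip_nat_pptp helper is loaded on a NAT firewall; check that separately with lsmod on the firewall itself.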
Starting the connection
This is the simple part:
# pppd call vpnatwork
Now either it works happily or you get funny error messages like a repeated
sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]
This is not an error in itself, but you are only supposed to get it once, not repeatedly until it times out, which I had until I loaded the ip_nat_pptp module on the firewall, but I also had it from home when I did not have the require-mppe in the options.pptp file. Lots of possibilities for errors. But this runs for me
- From home wireless on my eee ubuntu
- From eduroam wireless at work (same PC)
- From my own wired network at home (when I got the fw right) (same PC)
- From my wired network at work on stationary PC with debian etch
The funny thing is that I didn't have the firewall issue with a Windows laptop :/ Perhaps Windows has started using a more secure protocol by default and we Linux users just haven't figured that out yet. Or perhaps it connected via eduroam and I didn't notice.
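The repeated LCP ConfReq symptom described in this post can be picked out of pppd's debug output mechanically. The following is an added example, not part of the original post; the function name and both sample logs are constructed, with the log lines modelled on the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies pppd debug output
# by whether the peer ever answered LCP. On a real host, feed it the
# output of "pppd call vpnatwork" captured to a file.

# Reads pppd debug output on stdin and prints one verdict:
#   ok       - at least one LCP packet was received from the peer
#   no-reply - ConfReq was sent repeatedly (or timed out) with no LCP reply
#   unknown  - too few LCP lines to tell
lcp_verdict() {
    awk '
        /sent \[LCP ConfReq/                   { sent++ }
        /rcvd \[LCP /                          { rcvd++ }
        /LCP: timeout sending Config-Requests/ { timeout = 1 }
        END {
            if (rcvd > 0)                 print "ok"
            else if (sent > 1 || timeout) print "no-reply"
            else                          print "unknown"
        }'
}

# Constructed log modelled on the line quoted in the post: the same
# request goes out again and again and nothing comes back.
STUCK_LOG='sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]
LCP: timeout sending Config-Requests'

# Constructed log of a healthy start: the request is sent once and the
# peer acknowledges it.
GOOD_LOG='sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]'

printf '%s\n' "$STUCK_LOG" | lcp_verdict
```

A no-reply verdict points at the causes named in the post: GRE not passing the firewall, the ip_nat_pptp helper missing on a NAT firewall, or require-mppe missing from options.pptp.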
October 29, 2008
24 core server
First test results: http://people.binf.ku.dk/~hanne/technotes/cputests/#intel24
(compare with the same test of 16 core servers above).
October 24, 2008
Net::SNMP returns inconsistent data type
I am trying to get some MAC addresses from HP switches with perl's Net::SNMP module. It works fine most of the time, I get results of the form
0x0000747d2736. Except in certain cases where I get stuff like ^@^@t}'6 instead. Which seems to be the ASCII value of each hex number (74, 7d, 27 and 36).
I think this happens when the Mac address starts with 0000, but I haven't verified that this is consistent.
My code goes like this:
...
my $macoid="1.3.6.1.4.1.11.2.14.2.10.5.1.3.1.$port";
my $macresult;
if (defined ($macresult = $session->get_table( -baseoid => $macoid))){
    my %macreshash = %{$macresult};
    # print every value returned under the base OID
    while ((my $key, my $value) = each(%macreshash)){
        print "value " . $value . "\n";
    }
}
...
where session and port are defined earlier. I wonder if this is an error in Net::SNMP or me being clueless.
I solved it by doing this on all the values before printing them:
my $formatted = $value;
unless($formatted =~ m/0x.{12}/) {
    $formatted="0x" . unpack("H*", $value);
}
I'm too chicken to submit an error report unless some real Perl programmer tells me that this is an error and not just me misunderstanding how hashes work :)
October 16, 2008
We might not have a large hadron collider...
... but we have pretty cool stuff, too ;)
October 13, 2008
Projector and ipp on the mac
I gave up my package building project. It is easy to build a package but not a modified package that does what I wanted, which is, including some preset preferences. And it is really not I who promised to do it, but the owner of the Mac. So I guess I'd better give it back soon *G* Eee playtime to come, anyway. I learned something about the package structure, though.
Projector
One reason I wanted to play with Mac was that we always have trouble getting the projector to work on a Mac, especially our new projector. Only the day my student aid borrowed a mac from one of our researchers to test, everything worked fine. The magic sysadm touch strikes again.
So I picked up the little trouble projector (which BTW is called Alice, since someone told me the old one was called Bob), and plugged it in via DVI. It worked like a dream. So I changed the resolution and it still worked.
Then I changed to the VGA cable with a VGA to DVI adapter. Bugger. It still worked. How the *** can I debug on something that works whenever I do it?
Anyway I learned where to find the display settings on a Mac, which was easy as soon as you figure out the Mac anyway: System Preferences (which is in the toolbar), then Display.
Next time we have a Mac that refuses to work with the new projector I shall video it on my phone to prove that it happened...
Internet Printing Protocol
So I turned to printers. I got the Mac to print happily directly to my printers, without passing through my print server, by just letting the "Add printer" dialog sit in the default tab long enough for all my network printers to let themselves be known.
I wish to disable this direct printing, though, in spite of us being relatively few users so abuse is easy to spot. Running everything through the print server makes it easier to make print statistics and control my traffic and in the end someone might want to know why we are spending so much money on toner - who is printing how much.
So I want the CUPS print server printers to announce themselves to Mac and Windows users for easy installation. However, today I just wanted to get Mac to work with ipp.
Go to the "IP" tab, set the protocol to be IPP and enter (in my case):
Address: printserver/printers
Queue: lp
Name: lp at printserver
Location: Whatever
Print Using: Brother HL-5270DN series CUPS
What mystified me a bit here was:
In a browser I can go to http://printserver:631/printers and find the printer I want. (No it doesn't work from outside, you don't have to bother to try.) In Windows I can use that URL in the print dialog to connect to the printer. On Mac, that just doesn't work.
So I noticed that choosing the Internet Printing Protocol, the URL ends up with an ipp:// in front.
The IPP URL RFC says that the ipp:// URL can take a port number but uses 631 by default. So both printserver:631/printers and printserver/printers should work. And it did!
What fooled me for a while was that the printing dialog claimed that it was an invalid address. Also, the print status dialog claimed to be contacting my print server on port 9100... But since it worked, and I can see the print having passed through my print server, that is probably an error in the status message and not in the actual protocol implementation.
Oh am I glad that I shall not be a Mac user for much longer.
I'll give it one credit compared to the Eee, however: I can see when Caps Lock is active on the mac. It has a large, friendly green light right on the actual Caps Lock key. On the Eee one should just learn not to hit it accidentally because there is no light indicator whatsoever.
October 7, 2008
Creating a pkg package on Mac
- Open the PackageMaker in Developer/Applications/Utilities
- Select "Assist me". I tried creating the package manually with "Single Package Project" but the PackageMaker crashed on me twice. It crashed when I was not even touching it but browsing on my Linux machine for stuff like "what does Remove .dsstore files mean?"
- The "Assist" wizard only asked a few questions like the name of the package, company name, the path for the contents and the installation path.
- Then it built me a nice package that seems to work. I am installing it on top of an existing installation so I don't know for sure.
- The package is not a file but a directory. It seems that the mpkg format is not a file either but also a directory. So I created a zip file. What is the convention for this on Mac? Do people send whole directories around?
Anyway, the next step is playing with the projector. Or perhaps getting the media for Mac OS X 10.5 and giving it another try. (And see if I can still build packages :)