March 2008 Archives

Shrubbery Networks offers a free TACACS+ daemon (tac_plus) for download as C source code. If you have a small network and want to offer TACACS+ services without buying the Cisco ACS software, this could be the right thing for you (it does NOT offer RADIUS services, but there are quite a few free RADIUS servers available).

For IOS-based devices, the configuration is quite trivial. Example:

key = XXXXXXXXX

user = ciscoadm {
        default service = permit
        service=exec {
                priv-lvl=15
        }
        login = cleartext XXXXXXXX
}

This is a user "ciscoadm" who will have privilege level 15 after login (thus no need to "enable"). In this trivial example I've used a cleartext password as I am the only one to have access to this server in the management LAN and it is not in production at the moment.
Configure your IOS as usual with

aaa new-model
! "login" selects the authentication method list for terminal logins
aaa authentication login default group tacacs+ local
! the server is declared with "host"; the key is the same as in tac_plus's "key = ..."
tacacs-server host 192.168.10.10 key 7 "......."
tacacs-server directed-request

But then we got new Cisco MDS SAN Fibre Channel switches to replace our Inrange ones.
So I thought it was as easy as with IOS because SAN-OS claims to be somewhat the same...
Eh, no.

It begins with the fact that you have to explicitly enable tacacs+ and ends with the issue that the default server group "tacacs+" is not available. You HAVE to declare a TACACS server group.

Example (SAN-OS 3.x):

tacacs+ enable
tacacs-server host 192.168.10.10 key 7 "XXXXXXXX"
tacacs-server host 192.168.10.11 key 7 "XXXXXXXX"
aaa group server tacacs+ MYTACACS
   server 192.168.10.10
   server 192.168.10.11
aaa authentication login default group MYTACACS local


But then again - no TACACS+ login. You cannot log in and the tacacs+ daemon logs "Authentication failed". And then - how to assign roles? SAN-OS on Cisco MDS switches has roles for access levels; the predefined ones are "network-admin" and "network-operator". So how to assign them via TACACS+?

The solution is quite fuzzy and simple. You may solve the password (login) issue by using "global" instead of "login": SAN-OS authenticates with a password type other than the one "login" covers. In tac_plus, "login" only applies to ASCII login authentication, while "global" sets the same password for every authentication type this user may be asked for, regardless of which type the client transmits.

Roles finally are defined via cisco-av-pairs. Please don't wonder about the asterisk, it's the correct syntax: in TACACS+ attribute-value pairs, "=" marks a mandatory attribute and "*" an optional one.
Our SAN admin user can be defined like this:

user = user1 {
        default service = permit
        service = exec {
                cisco-av-pair*shell:roles="network-admin"
        }
        global = cleartext XXXXXXXX
}


And - bingo - it works. "user1" can log in and is "network-admin".
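A small parser for this tac_plus user syntax, added here as an example and not part of tac_plus or this post: it walks the brace blocks, records whether each attribute is a mandatory ("=") or optional ("*") AV pair, and reports per user the password keyword, whether it is cleartext, and what the exec service grants. The sample config and its passwords are constructed.

```python
import re
# Constructed sample in tac_plus syntax, modelled on the two user stanzas in the post
SAMPLE_CONFIG = """
user = ciscoadm {
    service=exec {
        priv-lvl=15
    }
    login = cleartext secret1
}
user = user1 {
    service = exec {
        cisco-av-pair*shell:roles="network-admin"
    }
    global = cleartext secret2
}
"""

def parse_tac_plus(text):
    """Brace blocks -> nested dicts keyed by a normalised header ('user x'); leaves -> (sep, value): TACACS+ '=' is mandatory, '*' optional."""
    cur = root = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(re.sub(r"\s*=\s*", " ", line[:-1]).strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif line and not line.startswith("#"):
            attr, sep, val = re.match(r"([^=*]+?)\s*([=*])\s*(.*)", line).groups()
            cur[attr] = (sep, val)
    return root

def audit_users(cfg):
    """Per user: password keyword (login/global), cleartext or not, and what exec grants (priv-lvl or shell:roles)."""
    report = {}
    for header, body in cfg.items():
        if header.startswith("user "):
            svc = body.get("service exec", {})
            pw = [k for k in ("login", "global") if k in body]
            av = svc.get("cisco-av-pair")  # e.g. ('*', 'shell:roles="network-admin"')
            report[header[5:]] = {
                "password": pw,
                "cleartext": any(body[k][1].startswith("cleartext ") for k in pw),
                "priv-lvl": svc.get("priv-lvl", (None, None))[1],
                "roles": av[1].split("=", 1)[1].strip('"') if av else None,
                "avpair_optional": av[0] == "*" if av else None,
            }
    return report
```

Running `audit_users(parse_tac_plus(SAMPLE_CONFIG))` lists every user still on a cleartext password, which is the first thing to check before such a config leaves the test LAN.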

You may test it by typing on your san switch:

sanswitch# show user-account


Hooray, ZFS compression ratio 9.97, 9.98, 10.00 !

Never saw that. Will it reach 10?

# zfs get compressratio cyrus/backup
NAME          PROPERTY       VALUE         SOURCE
cyrus/backup  compressratio  9.97x         -


IBM Tivoli Storage Manager Client Backup logs are stored there (dsmc scheduler logfile).

And yeah, 12:44, here it is:

# zfs get compressratio cyrus/backup
NAME          PROPERTY       VALUE         SOURCE
cyrus/backup  compressratio  10.00x        -


Tivoli logfiles are great for ZFS compression :)

This was another day where we got new devices in our SAN and my colleague told me "just use the new bunch of disks to put up a temporary storage for me, ok?". Unfortunately, Solaris isn't that reliable in autodetecting new devices on the Fibre Channel side. Sometimes it works, sometimes it does not.

A reconfiguration reboot DOES solve the problem, but that is not an option here. A downtime just for adding an FC disk - quite fuzzy.

So after some lookups I found that a command normally NOT used for this task automatically does the right thing:

cfgadm -al


Yes, this command LISTS configured channels and devices, but look at the "a": it also lists the dynamic attachment points, i.e. the devices behind each FC port - wtf, yes - and probing them is exactly what you want. It discovers new FC devices and attaches the relevant drivers to them, even under MPxIO:

Mar 19 06:03:15 augusta genunix: [ID 834635 kern.info] /scsi_vhci/disk@g600d0230006b66680c50ab0187d75000 (sd26) multipath status: optimal, path /pci@7b,0/pci10de,5d@e/pci1077,142@0/fp@0,0 (fp1) to target address: w220000d0232c50ab,2 is online Load balancing: logical-block, region-size: 20
Mar 19 06:03:20 augusta genunix: [ID 834635 kern.info] /scsi_vhci/disk@g600d0230006c1c4c0c50be27386c4900 (sd27) multipath status: optimal, path /pci@7b,0/pci10de,5d@e/pci1077,142@0/fp@0,0 (fp1) to target address: w210000d0231c50be,2 is online Load balancing: logical-block, region-size: 20



Just in case you have the same problem...
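The kern.info lines above are the evidence that discovery worked. Here is an added example (not from the original post) that parses such scsi_vhci messages and flags disks that came up with fewer paths than the fabric should provide, or with a status other than "optimal". The log lines and GUIDs are constructed and the expected path count is an assumption.

```python
import re
from collections import defaultdict

# Matches the scsi_vhci messages genunix logs while cfgadm -al brings new paths online
PATH_RE = re.compile(
    r"/scsi_vhci/disk@g(?P<guid>[0-9a-f]+) \((?P<dev>sd\d+)\) multipath status: (?P<status>\w+), "
    r"path \S+ \((?P<port>fp\d+)\) to target address: (?P<target>\S+) is online"
)

# Constructed sample (hypothetical GUIDs): sd26 is reachable via fp1 and fp2, sd27 only via fp1
SAMPLE_LOG = """\
Mar 19 06:03:15 augusta genunix: [ID 834635 kern.info] /scsi_vhci/disk@g600d0230000000000000000000000001 (sd26) multipath status: optimal, path /pci@7b,0/pci10de,5d@e/pci1077,142@0/fp@0,0 (fp1) to target address: w220000d0232c50ab,2 is online Load balancing: logical-block, region-size: 20
Mar 19 06:03:16 augusta genunix: [ID 834635 kern.info] /scsi_vhci/disk@g600d0230000000000000000000000001 (sd26) multipath status: optimal, path /pci@7b,0/pci10de,5d@e/pci1077,142@0,1/fp@0,0 (fp2) to target address: w210000d0232c50ab,2 is online Load balancing: logical-block, region-size: 20
Mar 19 06:03:20 augusta genunix: [ID 834635 kern.info] /scsi_vhci/disk@g600d0230000000000000000000000002 (sd27) multipath status: degraded, path /pci@7b,0/pci10de,5d@e/pci1077,142@0/fp@0,0 (fp1) to target address: w210000d0231c50be,2 is online Load balancing: logical-block, region-size: 20
"""

def paths_per_disk(log):
    """Return {guid: {"dev": sdN, "status": last reported status, "paths": {fp port: target}}}."""
    disks = defaultdict(lambda: {"dev": None, "status": None, "paths": {}})
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if m:
            d = disks[m["guid"]]
            d["dev"], d["status"] = m["dev"], m["status"]
            d["paths"][m["port"]] = m["target"]
    return dict(disks)

def needs_attention(disks, expected_paths=2):
    """Devices that came up with fewer paths than the fabric should provide, or whose
    status is not 'optimal': usually a zoning gap, a pulled cable or a dead HBA port."""
    return sorted(d["dev"] for d in disks.values()
                  if len(d["paths"]) < expected_paths or d["status"] != "optimal")
```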

[Update Apr 20th, 2008:] You may check the multiple paths handled by scsi_vhci by using vhci_stat.

Volume names in ZFS and scsi_vhci MPxIO Arrays

Solaris has a nifty 8-character string named "volname", perfectly usable to distinguish disks when working with format.

Imagine this:

# format     
Searching for disks...done


AVAILABLE DISK SELECTIONS:
       0. c3t0d0 <DEFAULT cyl 8872 alt 2 hd 255 sec 63>
          /pci@7b,0/pci1022,7458@11/pci1000,3060@2/sd@0,0
       1. c6t600D0230006B66680C50AB19E032BF00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006b66680c50ab19e032bf00
       2. c6t600D0230006B66680C50AB7821F0E900d0 <ADVUNI-OXYGENRAID 416F4-347B-3.41TB>
          /scsi_vhci/disk@g600d0230006b66680c50ab7821f0e900
       3. c6t600D0230006C1C4C0C50BE2E1F609B00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be2e1f609b00
       4. c6t600D0230006C1C4C0C50BE5BC9D49100d0 <ADVUNI-OXYGENRAID 416F4-347B-3.41TB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be5bc9d49100
       5. c6t600D0230006C1C4C0C50BE6F2E72AF00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6f2e72af00
       6. c6t600D0230006C1C4C0C50BE7D50643500d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be7d50643500
       7. c6t600D0230006C1C4C0C50BE17A06DA500d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be17a06da500
       8. c6t600D0230006C1C4C0C50BE3427E7E200d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be3427e7e200
       9. c6t600D0230006C1C4C0C50BE6456AC0D00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6456ac0d00
      10. c6t600D0230006C1C4C0C50BE6866B36E00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6866b36e00


So which of these "698.38GB" disks is your NRAID (non-RAID) FC-SAS-bridged disk, and which is a RAID1 volume presented through two RAID controllers?
Use volume names!

It's simple:

Specify disk (enter its number): 3
selecting c6t600D0230006C1C4C0C50BE2E1F609B00d0
[disk formatted]
/dev/dsk/c6t600D0230006C1C4C0C50BE2E1F609B00d0s0 is part of active ZFS pool nraidtest. Please see zpool(1M).


FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> volname
Enter 8-character volume name (remember quotes)[""]:HeyGuys
Ready to label disk, continue? y

format> quit
# format
Searching for disks...done


AVAILABLE DISK SELECTIONS:
       0. c3t0d0 <DEFAULT cyl 8872 alt 2 hd 255 sec 63>
          /pci@7b,0/pci1022,7458@11/pci1000,3060@2/sd@0,0
       1. c6t600D0230006B66680C50AB19E032BF00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006b66680c50ab19e032bf00
       2. c6t600D0230006B66680C50AB7821F0E900d0 <ADVUNI-OXYGENRAID 416F4-347B-3.41TB>
          /scsi_vhci/disk@g600d0230006b66680c50ab7821f0e900
       3. c6t600D0230006C1C4C0C50BE2E1F609B00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>  HeyGuys
          /scsi_vhci/disk@g600d0230006c1c4c0c50be2e1f609b00
       4. c6t600D0230006C1C4C0C50BE5BC9D49100d0 <ADVUNI-OXYGENRAID 416F4-347B-3.41TB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be5bc9d49100
       5. c6t600D0230006C1C4C0C50BE6F2E72AF00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6f2e72af00
       6. c6t600D0230006C1C4C0C50BE7D50643500d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be7d50643500
       7. c6t600D0230006C1C4C0C50BE17A06DA500d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be17a06da500
       8. c6t600D0230006C1C4C0C50BE3427E7E200d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be3427e7e200
       9. c6t600D0230006C1C4C0C50BE6456AC0D00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6456ac0d00
      10. c6t600D0230006C1C4C0C50BE6866B36E00d0 <ADVUNI-OXYGENRAID 416F4-347B-698.38GB>
          /scsi_vhci/disk@g600d0230006c1c4c0c50be6866b36e00


You see the "HeyGuys" volume name?

Setting a "volname" does NOT break the label ZFS put on the disk for your zpools. It is perfectly doable on a running system and it helps me a lot.

Berlin Tegel Airport's Blue Terminal

Yes, I admit it. I smiled. And I had the camera with me.

"Does everybody now have to have a BSOD section on his site?" was the typical reaction, stating that Windows was an excellent system bringing millions of users to work together with computers and that "such screens are the result of hardware failures or poor noobs".

It seems to be a driver failure. No watchdog reboot, no automatic coin shutter. This seems to be really professional rock-solid engineering.

Most of us just ignore these blue screens - more than that, we're used to them. For us, a text screen with a blue background is by definition a "failure", as we have seen these screens many times. They have become part of our living culture. Last week I saw a local TV cable station showing a still frame stating that there was a system failure and that programming would continue in a few moments - it was grey text on, yes, a blue background.

Most people cannot distinguish between the "computer" and the operating system it runs. Moreover, when asked what type of system they use, don't be surprised to hear them answer "Microsoft Office". Microsoft Windows systems are as ubiquitous as toasters - which do not (yet?) have a blue screen, though.

The scheme breaks down totally when these persons sit in front of, say, a Macintosh computer running Mac OS X. After a kernel panic (which has just the same consequence as a blue screen on a Windows system: it halts) I was asked "what is this?" - the screen was not blue, so the person did not know what to do; he did not even read what was on the screen (the text there stated that the system had to be rebooted because of a serious error which is not correctable). Ok, point taken, this person still tries to find the "X" icon in the top right corner of windows to close them...


Fuzzy Brezhnev feeling - Berlin Television Tower

There are many photographs of the Berlin TV tower (constructed 1965-1969 by the GDR (DDR); in 1964 Walter Ulbricht had the SED party council decide to build that tower).

The basement is nearly in its original state but rarely seen on photographic websites.

In there you will feel like you are in the James Bond movie "Octopussy": typical wooden patterns and wall structures. You instantly think of Leonid Brezhnev (who became leader of the Soviet Union in 1965) and all those anti-communism TV magazines on (West) German TV.


The tower was officially opened on Oct 3rd, 1969, exactly 20 years before the unification of the two German states (Oct 3rd is a national holiday in Germany, like July 4th is in the US).

Today the tower is open to the public and there is a restaurant at the top whose tables slowly move around; when you sit there you will see the whole panorama within a few minutes. The entrance fee was 9,50 € and it's worth the wait.

More photographs and information can be found in the English and German Wikipedia articles about the tower.

Enjoy!


About

This blog is owned by:

Pascal Gienger