Sunday, 6 November 2011

NetApp FAS270 w/ old firmware + ESXi 4 or 5

I've inherited this old NetApp FAS270 with firmware 7.0.3 and an iSCSI and CIFS license. This product is discontinued and I obviously do not have a "support plan" for it, so there's no way for me to get the most recent firmware (7.3.3) - unless some charitable mind sends it to me! ;)

So I've decided to configure an iSCSI target on the FAS270 for my ESXi 5 host, but when I try to add the LUN, I cannot find it because the path to it is shown as "dead" in ESXi. Why? The FAS270, with this old firmware, does not support ALUA, and ESXi has a rule that will try to use ALUA with any NETAPP product.

So I did this to remove that rule from the ESXi CLI:

esxcli storage nmp satp rule remove -s VMW_SATP_ALUA -V NETAPP --claim-option="tpgs_on" --psp="VMW_PSP_RR" -b

This removed the SATP rule, but ESXi still showed a "dead" path. So, just to make sure my NetApp device really does not go through any ALUA rule, I created a local rule for it:

esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -V NETAPP

Then I unclaimed every path to the device (especially the "dead" one):

esxcli storage core claiming unclaim -t location -A vmhba34 -C 0 -T 2 -L 0 

Replace vmhba34 with your own adapter name, and the controller, target and LUN numbers with yours.

Then re-scan the adapter (again, with your own adapter name):

esxcfg-rescan vmhba34

You should see your device with the status "alive" in ESXi, and you will be able to add your LUN as storage. If you want to check if it's there, from the CLI:

esxcli storage nmp device list
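To get the adapter, controller, target and LUN numbers for the unclaim command without reading them off by hand, here is an added example (not from the original post) that parses the record layout of "esxcli storage core path list" and builds one unclaim command per dead path. The sample output is constructed, and the field names it relies on (Runtime Name, Adapter, Channel, Target, LUN, State) are assumed from ESXi 5's output.

```python
# Constructed sample in the layout of "esxcli storage core path list" on ESXi 5:
# one unindented path UID per record, then indented "Key: value" lines
# (the IDs are made up and only the fields used below are kept).
SAMPLE_PATH_LIST = """\
iqn.1998-01.com.vmware:esx-host,iqn.1992-08.com.netapp:sn.00000001,t,1-naa.60a9800000000001
   Runtime Name: vmhba34:C0:T2:L0
   Device: naa.60a9800000000001
   Adapter: vmhba34
   Channel: 0
   Target: 2
   LUN: 0
   State: dead

mpx.vmhba1:C0:T0:L0-mpx.vmhba1:C0:T0:L0
   Runtime Name: vmhba1:C0:T0:L0
   Device: mpx.vmhba1:C0:T0:L0
   Adapter: vmhba1
   Channel: 0
   Target: 0
   LUN: 0
   State: active
"""

def parse_paths(text):
    """Return one dict of fields per path record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line opens a new record
            current = {"UID": line.strip()}
            records.append(current)
        elif ":" in line:
            key, value = line.strip().split(":", 1)
            current[key.strip()] = value.strip()
    return records

def unclaim_commands(text, state="dead"):
    """One 'claiming unclaim -t location' command per path in the given state."""
    return ["esxcli storage core claiming unclaim -t location -A %s -C %s -T %s -L %s"
            % (rec["Adapter"], rec["Channel"], rec["Target"], rec["LUN"])
            for rec in parse_paths(text) if rec.get("State") == state]

if __name__ == "__main__":
    for cmd in unclaim_commands(SAMPLE_PATH_LIST):
        print(cmd)   # the vmhba34 path above is the one to unclaim
```

Run it against the real output (esxcli storage core path list | python3 script.py, after replacing the sample with stdin) and review the printed commands before executing them, since unclaiming a live path drops it until the rescan.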

Saturday, 2 April 2011

Best online tire site!

If you are in Canada and are looking for tires online, go to http://spinauto.ca. It is simply the best site for buying tires (and other auto parts) online! You will find the best prices there, but also the fastest and least expensive delivery methods. I bought my Yokohama Advan AD08 tires and my Hawk brakes there.

Thursday, 10 March 2011

mod_rewrite: http to https, https to http except specific files

Let's quote Brian Moore:

"Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo."

Well, it ain't that bad... As long as you know how to use regular expressions and understand how rules are processed by your HTTP server, you're in business.

But on with common requirements and their practical solutions...

So you got your free SSL certificate ;) and you want a complete directory_path to use https:// instead of http://.

This is a .htaccess file you could put in that directory_path:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} directory_path
RewriteRule ^(.*)$ https://%{SERVER_NAME}/directory_path/$1 [R,L]

For example, if this was on the server foo.com and the directory_path was /secure, someone typing http://foo.com/secure would get redirected to https://foo.com/secure.

Now let's say you want all requests for https://foo.com to be rewritten as http://foo.com, except for two specific files, say secure1.php and secure2.php. Here's one way to do it with .htaccess (note that the substitution string of a RewriteRule is not a regular expression, so the dot in the target file name needs no backslash):

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^secure1\.php https://%{SERVER_NAME}/secure1.php [R,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^secure2\.php https://%{SERVER_NAME}/secure2.php [R,L]

RewriteCond %{SERVER_PORT} 443
RewriteCond %{REQUEST_URI} !secure1\.php
RewriteCond %{REQUEST_URI} !secure2\.php
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R,L]
OK, this is not the most elegant rule-writing... We could use rule negation and have a few fewer rules, but I find the code above explicit and easy to understand - and blog-friendly! :) Also, we explicitly exclude secure1.php and secure2.php from the https:// to http:// RewriteRule because we're using .htaccess and need to avoid loops: the .htaccess file is read again after each redirect. If we were using the per-server context in httpd.conf, we probably wouldn't need this.

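To see why the two exclusions matter, here is an added example (not from the post) that evaluates the .htaccess above with a small simulator of RewriteCond/RewriteRule semantics and follows the redirects a browser would make. It assumes per-directory context (the leading slash is removed before the RewriteRule pattern is matched), treats a "!" RewriteCond as satisfied when its regex does not match, and only handles $N and %{VAR} expansion.

```python
import re
# The second .htaccess from the post (substitution backslashes dropped: they are not regexes)
HTACCESS = r"""
RewriteCond %{SERVER_PORT} 80
RewriteRule ^secure1\.php https://%{SERVER_NAME}/secure1.php [R,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^secure2\.php https://%{SERVER_NAME}/secure2.php [R,L]
RewriteCond %{SERVER_PORT} 443
RewriteCond %{REQUEST_URI} !secure1\.php
RewriteCond %{REQUEST_URI} !secure2\.php
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R,L]
"""

def parse_rules(text):
    """Group each RewriteRule with the RewriteConds that precede it."""
    rules, conds = [], []
    for parts in (line.split() for line in text.splitlines()):
        if parts[:1] == ["RewriteCond"]:
            conds.append((parts[1][2:-1], parts[2]))   # strip %{ } from the variable name
        elif parts[:1] == ["RewriteRule"]:
            rules.append((conds, parts[1], parts[2]))
            conds = []
    return rules

def apply_rules(rules, url):
    """Redirect target for one request URL, or None when no rule fires."""
    scheme, host, path = re.match(r"(https?)://([^/]+)(/.*)?$", url).groups()
    path = path or "/"
    env = {"SERVER_PORT": "443" if scheme == "https" else "80", "SERVER_NAME": host, "REQUEST_URI": path}
    for conds, pattern, target in rules:
        ok = all((re.search(t.lstrip("!"), env[v]) is not None) != t.startswith("!")
                 for v, t in conds)
        m = re.search(pattern, path.lstrip("/"))   # .htaccess: directory prefix removed
        if ok and m:
            out = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)
            return re.sub(r"%\{(\w+)\}", lambda g: env[g.group(1)], out)
    return None

def follow(rules, url, limit=5):
    """Redirect chain a browser would see, and True if a URL repeats (a loop)."""
    chain = [url]
    while len(chain) <= limit and chain.count(chain[-1]) == 1:
        nxt = apply_rules(rules, chain[-1])
        if nxt is None:
            return chain, False
        chain.append(nxt)
    return chain, True

RULES = parse_rules(HTACCESS)
# Same rules minus the two "!secure" exclusions: the loop the post warns about
UNGUARDED = [([c for c in cs if c[0] != "REQUEST_URI"], p, t) for cs, p, t in RULES]
```

With RULES, http://foo.com/secure1.php hops once to https and stops; with UNGUARDED the same request bounces https to http and back, which is the loop the exclusions prevent.
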
Let's finish with Brian Behlendorf's quote:

"The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail."

Wednesday, 9 March 2011

Get your free SSL certificate.

There are plenty of trials out there (like Comodo's 90-day trial), but if you want to SSLize your website (yup, that word exists in my dictionary) for nothing at all, go to StartSSL.

It is NOT like self-signing a certificate, which will give you that annoying message saying that your site cannot be trusted, but it will give you a legitimate certificate confirming that you have been email- or domain-verified. Which is just enough to get that SSL-encrypted data flow, with just enough validation to avoid tickling your clients' browsers.

Yes, StartSSL's website could definitely be pimped up, and it could provide a nice-looking Verisign-like logo, but heck, if you don't have US$400 to dish out, then it's the way to go. The process isn't that painful (you may need to refresh your browser once in a while to get through key creation), but it does create the CSR for you and it also provides (slightly outdated) instructions to configure your web server.

Now who's going to provide us with that silly EV green bar for free? :p

Monday, 7 March 2011

Solaris + ZFS + MySQL + InnoDB performance tweaks

So I've got a relatively cheap ZFS system running in my garage, acting as a MySQL database server for data mining... It's running Solaris 11 Express with MySQL, Apache and PHP on it.

ZFS is a great filesystem, but you can make it better with some performance tweaks (besides using mirrored SSDs for your ZIL and L2ARC).
  • Compress your database pool(s):
    zfs set compression=lzjb data/mysql
    zfs set compression=lzjb logs/mysql
  • Set the ZFS recordsize to match the InnoDB block size (16KB for InnoDB data files and 128KB for InnoDB log files):
    zfs set recordsize=16K data/mysql
    zfs set recordsize=128K logs/mysql
  • Limit the ARC cache to < 80% of total RAM (in my case, 10GB for 16GB of total RAM) by adding this line to /etc/system (vi /etc/system):
    set zfs:zfs_arc_max = 10737418240

Use the following my.cnf directives:
[mysqld]

# use one large data file on one ZFS pool, with large autoextend
# /var/lib/mysql is symlinked to /data/mysql, a ZFS pool
innodb_data_file_path = ibdata1:1G:autoextend
innodb_autoextend_increment = 128

# put logs in a separate ZFS pool
innodb_log_group_home_dir=/logs/mysql

# use one file per table
innodb_file_per_table=1

# not too high (default=unlimited) to avoid thread thrashing
innodb_thread_concurrency=16

# use 2GB because we have 16GB and ZFS needs a lot of RAM. I would use 4GB, but MySQL does not accept a total log size > 4GB, which is abnormal for 64-bit...
innodb_buffer_pool_size=2G

# 25% to 50% of the buffer pool size to avoid buffer pool flush on log file overwrite
innodb_log_file_size=1G

# log buffers are flushed every second, so there's no reason to have a big buffer
innodb_log_buffer_size=8M

# not very important, InnoDB will get more RAM from OS if needed but warns in log
innodb_additional_mem_pool_size=256M

# compromise performance for full ACID compliance
innodb_flush_log_at_trx_commit=1

# traditional auto-increment
innodb_autoinc_lock_mode=0

# disable DNS lookups
skip-name-resolve

Sunday, 6 March 2011

Configuring ProFTPd with virtual users

It is strongly advisable to create "virtual" FTP users, that is, users who are not part of the operating system's (OS) authentication system, in case an FTP account's password is discovered (and we know that this information is easy to obtain, since it is not encrypted during FTP session authentication).

On Linux, several FTP servers exist, and here we will see how to configure the ProFTPd server so that it uses an authentication table different from the OS's (more specifically, a text file). Personally, I also really like vsftpd since it has almost no dependencies, and it may well be the subject of another post on my blog.

In addition, we will create a "webmaster" FTP account that will only be allowed to modify the content of a website.

So here are the steps:
  • Install ProFTPd, either with your package manager (apt-get, yum, zypper, etc.) or manually by downloading the latest version from the official site.
  • Check which group ID your HTTP server runs under (apache2 often creates and uses the www-data group); in my case, the GID of www-data is 33.
  • Edit the configuration file /etc/proftpd/proftpd.conf, making sure it contains the following lines:
DefaultRoot                   ~
AuthOrder                     mod_auth_file.c
AuthUserFile                  /etc/proftpd/ftpd.passwd
Umask                         006 007
  • The DefaultRoot option with the ~ parameter restricts users to their own home directories.
  • The AuthOrder option with the mod_auth_file.c parameter forces ProFTPd to authenticate users from a text file.
  • The AuthUserFile option with the /etc/proftpd/ftpd.passwd parameter gives the location of the authentication file used by ProFTPd.
  • The Umask option with the 006 and 007 parameters specifies the permissions of the files and directories created by the FTP server, namely -rw-rw---- (660) and drwxrwx--- (770) respectively.
  • What remains is to create the webmaster virtual FTP account:
sudo ftpasswd --passwd --name=webmaster --uid=33 --gid=33 --home=/var/www --shell=/bin/sh
  • It is important to use the GID found above (the one your HTTP server uses) so that the new virtual user has the right to write to the website directory. I chose to use the UID of www-data as well (optional), so that any file transferred via FTP under the webmaster account is created as user www-data and group www-data. We use this group so that PHP scripts (run by the HTTP server) can read and write the files created by the FTP server, and vice versa.
  • All that is left is to set the permissions of your website directory (often /var/www). For example, to allow any operating system (OS) user belonging to the www-data group to read and write in this directory, run the following commands:
sudo chgrp -R www-data /var/www
sudo chmod -R g+w /var/www
  • If you want an OS user to be able to modify, add, delete, etc. files in the website directory, simply add that user to the www-data group of your OS (in /etc/group).
  • So as not to disclose the identity of the real owners of the content of your website directory (for example, files that were created by an OS user belonging to the www-data group), you can use the following directives in proftpd.conf, which will list all directories and files as belonging to www-data:
DirFakeUser on www-data
DirFakeGroup on www-data
  • Finally, so as not to disclose your FTP server's version, you can change the welcome banner with the following directive:
ServerIdent on "FTP server."
Here is the complete content of the proftpd.conf file, with the basic configuration described above:
Include /etc/proftpd/modules.conf

UseIPv6                         off
IdentLookups                    off
UseReverseDNS                   off
ServerIdent                     on "FTP server."
DeferWelcome                    on
ServerType                      standalone
MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on
TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200
DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"
DenyFilter                      \*.*/
DefaultRoot                     ~
RequireValidShell               on
Port                            21
MaxInstances                    30
User                            proftpd
Group                           nogroup
DirFakeUser                     on www-data
DirFakeGroup                    on www-data
Umask                           006 007
AllowOverwrite                  on
AuthOrder                       mod_auth_file.c
AuthUserFile                    /etc/proftpd/ftpd.passwd
TransferLog                     /var/log/proftpd/xferlog
SystemLog                       /var/log/proftpd/proftpd.log

QuotaEngine                     off
Ratios                          off
DelayEngine                     on

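As an added example (not from the post), this script checks the pieces that have to agree for the webmaster account to behave as described: the directives in proftpd.conf, the passwd-style line that ftpasswd writes to ftpd.passwd, and the GID of www-data in /etc/group; it also derives the file and directory modes that the Umask directive produces. The inputs are constructed, and the ftpd.passwd field order (name:hash:uid:gid:gecos:home:shell) is an assumption.

```python
# Constructed inputs for the setup in the post: the proftpd.conf directives that
# matter, the passwd-style line ftpasswd writes (field order assumed to be
# name:hash:uid:gid:gecos:home:shell, hash made up) and an /etc/group excerpt.
PROFTPD_CONF = """
DefaultRoot                   ~
AuthOrder                     mod_auth_file.c
AuthUserFile                  /etc/proftpd/ftpd.passwd
Umask                         006 007
"""
FTPD_PASSWD = "webmaster:$1$constructed$notarealhash:33:33::/var/www:/bin/sh\n"
ETC_GROUP = "root:x:0:\nwww-data:x:33:alice\nnogroup:x:65534:\n"

def parse_conf(text):
    """Map each directive to its argument list (first occurrence wins)."""
    conf = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] not in conf:
            conf[parts[0]] = parts[1:]
    return conf

def umask_modes(conf):
    """File and directory modes produced by 'Umask <file-umask> [<dir-umask>]'."""
    masks = [int(m, 8) for m in conf["Umask"]]
    return 0o666 & ~masks[0], 0o777 & ~masks[-1]

def group_gid(group_text, name):
    """GID of a group from /etc/group-style text."""
    for fields in (line.split(":") for line in group_text.splitlines()):
        if fields[0] == name:
            return int(fields[2])
    raise KeyError(name)

def check_virtual_user(conf, passwd_text, group_text, user, web_group, docroot):
    """Problems with the virtual FTP account setup; [] when it is as intended."""
    problems = []
    if conf.get("AuthOrder") != ["mod_auth_file.c"]:
        problems.append("AuthOrder does not restrict logins to the AuthUserFile")
    if conf.get("DefaultRoot") != ["~"]:
        problems.append("DefaultRoot ~ missing: users are not confined to their home")
    entries = {f[0]: f for f in (l.split(":") for l in passwd_text.splitlines()) if f[0]}
    if user not in entries:
        return problems + ["no entry for %s in AuthUserFile" % user]
    fields = entries[user]
    if int(fields[3]) != group_gid(group_text, web_group):
        problems.append("GID does not match group %s" % web_group)
    if fields[5] != docroot:
        problems.append("home directory is not the web root %s" % docroot)
    return problems
```

For the post's values the checker returns an empty list and umask_modes gives (0o660, 0o770); a webmaster entry created with the wrong --gid is reported, since files it uploads would then not be writable by the HTTP server's group.
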
Saturday, 5 March 2011

VMware tools for 32-bit Debian 6 (Squeeze) guest on 32-bit VMware host (Server 2 or ESX(i) 3.5)

Debian 6 (Squeeze) is now the distro's official release. You want it, even if the installation disc's welcome screen totally sucks. Come on Debian guys, you can do better than that. Anyways.

Installing the latest Debian as a 32-bit VMware guest is pretty straightforward, except when it comes to installing the VMware tools, especially on 32-bit VMware hosts. You will most probably get errors if you try to compile the tools included with VMware Server or if your ESX(i) 3.5 host is not up-to-date (and we all know it's not always easy to update an ESX(i) 3.5 host via VMware Infrastructure Client)...

So, whether you're using ESX(i) 3.5 or VMware Server 2 as a host, I found the easiest way to install the VMware tools for your latest and greatest 32-bit Debian guest is to get the latest version from VMware and install them manually. Here it goes:
  • download latest patch by selecting appropriate VMware host
  • from the downloaded .zip file, find and extract the file VMware-tools.tar.gz (you may need to traverse other .zip files within this one)
  • extract the linux.iso file from that archive
  • mount the ISO on your Debian guest, using either the host's GUI or by transferring and mounting it directly from within your guest
  • find the .tar.gz file that contains the tools. As of today, the latest one for VMware 32-bit is VMwareTools-3.5.0-317866.tar.gz.
  • proceed with the usual installation procedure of the VMware tools