Anyone have suggestions?

However my RFC was denied not because of any technical reason, not because of any concern over the technology, the implementation, or the timing.  It was denied because I didn’t put the correct information into the details page and because my dates were wrong.  I’m all for doing process right (when it makes sense), but does it make sense to derail a security fix for 4 days because the form was incorrect?  Especially when there exists a forum in which you can be asked to clarify anything regarding your RFC.

Now when security takes a backseat to process, your organization has truly begun the decent to failure.  This may indeed be the straw…

Several of the things I played with were adding a lun to a machine and getting it to show up without rebooting.  Translating docs gleaned from the web to my configuration was a bit tough at the beginning because we have a highly redundant fabric.  That meaning we have 2 HBAs in each host each with 2 fiber paths.  What this means is that when I get luns to show up I see them 4 times for each lun.  Apparently most people that write about their SAN experiences do it with a single path to their storage device through the fabric.   I also went through the rigamarole of removing a lun from a host (again without rebooting).  All in all it was pretty clean, a series of echo’s to the /sys subsystem, not nearly as ugly as adding and removing actual scsi devices.  It was also completely non-disruptive to other luns and overall performance.

There’s been quite a bit of debate among the other SAs at work about how we should handle luns at the host level.  Originally the thought was to add LVM on top of the LUN (which with multipath is kinda a bear) then create the filesystem on top of LVM.  The thought was originally that this would enable us to grow and shrink as needed and give us a similiar flexibility to the NFS volumes we are so used to dealing with.  Turns out shrinking is still iffy.  I’ve tried it twice now and had catestrophic failures both times.  The filer seems to handle it fine, but the host just flat out fails to see it as a valid filesystem once the lun gets smaller.

With multipath configured correctly what we see with an fdisk -l is 5 new ‘disks’.  sdX – sd{X+4} and dm-X.  So depending on how many existing scsi devices (including other luns) we have sde,f,g,h and dm-0 (assuing a, b, c already existing and no other san luns).  What’s a little confusing is that each of these devices is the same disk, you don’t want to use the sdX devices for anything (unless it’s a onetime operation) in case you lose a path.  So you do everything to the dm-X device created by multipath.  The other confusing thing is that while these are ‘disks’ they also are not.  You can create partitions on them but you don’t really need to, so it kinda confuses your brain in what you are used to dealing with.

So the original plan with LVM was to create a partition consisting of the entire disk, add it as a PV, create a volume group, then a LV on the volume group of the whole size.  It struck several of us that this really was overkill.  Where LVM shines is when you have lots of descrete storage objects and you want to group them all together.  Logically this ‘thing’ is a single lun where all the physical abstraction is already done (with about 4 levels of abstraction in the case of NetApp).  The other alternative, which I ended up doing for this particular implementation, was to just create a filesystem right on dm-0.  I didn’t create a partition, didn’t do LVM, just mkfs.ext3 /dev/dm-0.  Worked like a charm, no wasted space, very simple.

There is a gotcha though.  Multipath has the annoying habit of renaming the multi-disk device (dm-X) when the host reboots and it encounters additional luns.  So if you add a lun to a machine that already has one then reboot it’s possible, nigh on likely, that they will swap dm-1 and dm-0 to the opposite of what you expect.  This is pretty annoying from a mounting standpoint.  This is one potential winning point for LVM, since the LVM data is written to the disk itself you can have a consistent name which to use in fstab etc.  But all that overhead just for a consistent name?  Am I really getting anything else out of LVM in this scenerio?

Enter ext2/3 labels.  Most SAs I know don’t like labels because if you do things like label a disk ‘/’ and try to put it in another machine for recover purposes, you probably won’t get the disk you expect (it’ll depend on bus order).  However labels give us a way to consistently name a dm device regardless of what multipath wants to call it.  This also lets me give meaningful symbolic names to SAN disks that may move hosts (oracle volumes is their current use, so there are 2, 1 for primary and 1 for standby).  So I use e2label /dev/dm-0 FOO to label my san disk.  Then in fstab I use LABEL=FOO. An interesting side effect is that df output shows the uuid of the disk rather than it’s multipath name, but other than that it seems to work.

Next I need so spend a bunch of time with a non-critical volume and figure out all the ins and outs of growing and (maybe) shrinking the fileystem.  All of the above work was done on a RHEL5 system (64bit), my feeling is that all bets are off when it comes to RHEL4 and LVM might be a very real hard requirement.  I also wonder if multipath is the right way to go.  Would it be possible to use LVM to create a fault tolerant storage device?

This was my second trip to LISA, I went last year in Dallas.  This year was definatly better.  It being in San Diego meant not only the the weather was fantastic, but there was also lots to do outside of the conference.  I think that particular locale made it easier for people on the west coast to come.  For those that haven’t been, LISA consists on basically 2 ‘tracks’, which you can mix and match.  The technical sessions, which are later in the week and the training sessions, which run the entire week long (up to 2 per day).  This year I took a full week of training.

All in all the training is good.  There’s a bit of a trick to it.  You have to take classes on things that you don’t know anything about because they tend not to be very advanced.  Also from year to year the training doesn’t seem to improve much, many of the instructors are using their same slides from the previous year (or further back).  The Technical sessions are more like 2 hour lectures on a particular topic.  They are not geared toward training but more toward presenting.  I’ve never found them that interesting.

By far where LISA wins out is what’s called the ‘Hallway Track’.  This is basically the hobnobbing in the halls with other SAs and going out to dinner and all the conversations that occur as a result of that.  Each year I’ve found that amazingly useful.  Most SAs operate in a bit of a vacum, they may have a small (or large) team, but there’s a heirarchy there.  If they are in a solo shop they don’t usually have someone to bounce ideas off of.  Even if they do company size, budget, etc limit the focus.  The people you meet with at LISA cover all sorts of areas from the large financial sector, to academia, to startups.  It’s those different perspectives that are really valuable and why I go back each year.

I am however disappointed that LISA has been shrinking a bit, they need to improve their training and try to attract different groups of SAs.  I think alot of small shop SAs don’t come to LISA because it has this air of being only for really large installs.  If you are serious about your craft as an SA you hope to one day be in a large install, either by growing the one you have or moving into one.  I think it’s important for small SAs to attend a conference like this to learn about techniques they could implement before they get too big.

Another point of disappoitment is with the vendors.  As an employee for what easily can be described as a vendor we don’t have a presence at LISA (except as attendees).  There were probably only 25 vendors this year and most of them were in the SAN space.  SUN was there, but they didn’t really seem into promoting their product.  FreeBSD was there as well, but they are kinda preaching to the choir with their userbase if you ask me.  Fedora had no presence there, Red Hat had nothing.  Where were all the security product vendors?  Where were the groupware vendors?  Splunk always shows up and does a good job.  In fact I started using Splunk last year after talking with their sales guys at LISA ’07. Alot of people at LISA are either buying or making the technical recommendation and indirectly buying the products that their companies will use.  Reductive Labs personally has LISA to thank for at least one contract.  I wouldn’t have bought a support contract with them if I hadn’t met Luke and had some really good discussions with him.

The after hours stuff at LISA is also excellent.  They have BoFs (Birds of a Feather) sessions about a wide range of topics.  Anyone can run a BoF, they are meant to be informal roundtable discussions about a particular topic.  They often stray off the technical, there was a hockey bof last year, and their’s usually a semi-secret scotch bof every year as well.

Next year LISA will be in Baltimore.  I will likely go because it’s so close and I get alot out if each year.  Even when I don’t learn alot of training, being around a bunch of other SAs and spending a week discussing methods and other aspects of SA always invigorates me and gets me all fired up for when I return to work.  It’s kinda like a career reset.  When your job has you beaten down and you’re burned out sometimes a vacation helps release that pent of stress.  Sometimes however getting away from work but staying technical and learning about other ways of doing your job can be an even bigger boost.

This is such a horrible approach.  It almost immediately leads to spaghetti and data bleed.  Nowhere else in computer science that I know of is this approach even attempted.  Almost everyone tries to come up with some way to replicate this type of functionality into their configuration management system.  They think that this will save them time and allow them to generalize their configs in a sane way.  What it really results in is a mess of what comes from where and when you need to make changes where a particular stub should go.  Almost immediately you’ve created confusion, and created an inheritance that is arbitrary at best.

I think the problem actually stems from a top down approach to config management.  People seem to think that consolitation occurs from the top down, when in reality it comes from the bottom up.

The way I approach this problem is to come up with a way to model your changes as individual configs that are additive from the bottom up.  Apache is actually a very good example of this.  If you look at the add on components, (mod_perl, mod_python, squirrelmail, etc) they add in their own configs that add up to a global configuration for a single apache server.

Take sudoers for example.  People always want to have some concatenation scheme for sudoers so that they can have global configs that everyone inherits then a role (say webserver) config that gets picked up, then host specfic configs that allow for one off host configurations.  A better approach is to be able to add single config records for each thing you need and build a total config, rather than start from the top and work down, start at the bottom and build up.

In the scope of puppet, this is done rather nicely with a type.  Types allow you to add a single record in the appropriate place and not rely on any type of inheritance to determine where and if a configuration lands on a given server.  In the example above I would have a sudo type that I would put at each class level to only add the sudo config for that class.  I don’t have to concern myself with what level of inheritance I’m at (global or otherwise)  or what order things are in because I’m just inserting a configuration record rather than a trying to manage a whole section of a file.

• download the custom CA cert from wherever it may be
• double click it, it will launch Keychain Access
• add said cert to the X509Anchors chain
• restart any apps that are going to look for that cert

That’s it, easy in a mac kinda way.

One of the downsides to it is that it’s for the most part unreleased.  I wouldn’t call it proprietary but it has no advocate inside of Red Hat that is pushing to release it.  Honestly it probably isn’t ready, it joins in my opinion a long list of great tools that aren’t quite ready to be consumed by the masses.  There is hope though for those admins out there that are looking at the 25+ server mark and wondering how the hell they are going to keep everything updated without going insane.  Recently I found a great paper  that looks to address the overall problem as well as some things that I’ve seen specifically with our solution.

The problem with what Red Hat uses is that it’s really well suited for 50+ machines, but the learning curve is very steep, and initial setup is very time consuming.  The stuff that the guys at Oxford have come up with seems to have a much lower learning curve, much easier setup time, and will still scale very very well into the 100′s of systems range.

if [ ! -z "$SSH_AUTH_SOCK" ]; then
    screen_ssh_agent=/var/tmp/${LOGNAME}/state/ssh-agent-screen
    if [ "$TERM" = "screen" ]; then
        SSH_AUTH_SOCK=${screen_ssh_agent}; export SSH_AUTH_SOCK
    else
        if [ ! -d "$(dirname ${screen_ssh_agent})" ]; then
            mkdir -p $(dirname ${screen_ssh_agent})
        fi
        ln -snf ${SSH_AUTH_SOCK} ${screen_ssh_agent}
    fi
fi

Enjoy…