DoDI 8520.2 and ECA Certificates

It looks like this has been out for some time, but this is the first time I’ve encountered a server configured for it. Essentially, the network engineers removed every CA from the “Trusted Root Certification Authorities” store except the ones they needed and the DoDI 8520.2 ECA vendors. Why was this a problem, you ask? Well, the developer who was administering the server needed to connect from the remote server in the datacenter to our webserver to retrieve files for an update. Our SSL certificate was issued by a non-ECA vendor, hence the company certificate wasn’t trusted and the download failed. The trust store governs every certificate validation the machine performs, including when it is the one acting as a TLS client, so clearly this isn’t just about client-side certs (or at least that’s how the datacenter folks interpreted it!)

Couple of useful links:
http://www.identrust.com/certificates/eca/

http://iase.disa.mil/pki/eca/
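To see the failure mode above on the bench before pruning a trust store in anger, here is an added example (not code from the original post): it builds two throwaway root CAs, issues a server certificate from the “vendor” one, and validates it against a trust bundle pruned to the “ECA” root only versus a bundle that still carries the vendor root. All CA names, hostnames and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Builds two throwaway root
# CAs ("eca-root" and "vendor-root"), issues a server certificate from the
# vendor CA, then validates it against two trust stores: one pruned to the
# ECA root only, one that also carries the vendor root. All names and
# files here are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_root NAME : self-signed root CA -> $WORK/NAME.key, $WORK/NAME.crt
make_root() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf ROOTNAME HOST : server certificate for HOST signed by ROOTNAME
issue_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against BUNDLE CERT : exit 0 when CERT chains to a root in BUNDLE
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root eca-root
make_root vendor-root
issue_leaf vendor-root www.example.test

# Two trust stores: the pruned one and one that still carries the vendor CA.
cp "$WORK/eca-root.crt" "$WORK/eca-only.pem"
cat "$WORK/eca-root.crt" "$WORK/vendor-root.crt" > "$WORK/eca-plus-vendor.pem"

for bundle in eca-only.pem eca-plus-vendor.pem; do
  if verify_against "$WORK/$bundle" "$WORK/www.example.test.crt"; then
    echo "$bundle: www.example.test.crt verifies"
  else
    echo "$bundle: www.example.test.crt does NOT verify (no local issuer)"
  fi
done
```

The practical check before a pruning like the one above: run openssl s_client -connect host:443 -CAfile pruned-bundle.pem against every outbound dependency the server has (update sources, package mirrors, partner APIs) and look at the “Verify return code” line; anything that is not 0 will break once the same pruning lands in the OS trust store, because the server validates those connections as a client with that same store.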

Linux and Active State Power Management

Last year I had an odd issue installing CentOS 6.0 on a Supermicro motherboard with an Intel PCIe quad-port gigabit NIC based on the 82576 chip. I got past the initial kernel panic by adding pci=noaer as a kernel option, but later hit more weird kernel panics involving the Intel NIC, which needed an additional pcie_aspm=off on the kernel line in my grub config. Pretty odd really, since this was a server and I wasn’t worried about managing power consumption; we’re a small company and I simply want the server to stay on. There are a number of good articles about ASPM and Linux over on the Phoronix.com website which I found very interesting.

Initial bug report from RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=704758

A number of Kernel parameters one can use at boot time to help troubleshoot things: http://www.kernel.org/doc/Documentation/kernel-parameters.txt

Initial Phoronix News article that got me wondering if Linux’s implementation of ASPM might be my problem: http://www.phoronix.com/scan.php?page=news_item&px=MTAwMjg

I can see how ASPM would be really important to laptop users, sure, but when I’m installing a server I don’t need devices powering down on me when idle. (Of course this is different for datacenters!)
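Since the fix above is “put pci=noaer and pcie_aspm=off on the kernel line”, here is an added example (not from the original post) of doing that without hand-editing: it appends the parameters to every kernel line of a legacy GRUB grub.conf (the format CentOS 6 uses, normally at /boot/grub/grub.conf) and skips any that are already there, so re-running it is safe. It operates on a constructed sample file; the kernel version and device names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Adds kernel parameters such as
# pcie_aspm=off and pci=noaer to every "kernel" line of a legacy GRUB
# grub.conf (the format CentOS 6 uses) without duplicating ones already
# present. It works on a constructed copy here; on a real box the file is
# /boot/grub/grub.conf and you would back it up first.
set -eu

# add_kernel_params FILE PARAM... : append each PARAM to every kernel line
# that does not already carry it (exact, whitespace-delimited match)
add_kernel_params() {
  file=$1; shift
  awk -v params="$*" '
    /^[[:space:]]*kernel[[:space:]]/ {
      n = split(params, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " $0 " ", " " p[i] " ") == 0) $0 = $0 " " p[i]
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_param FILE PARAM : number of kernel lines that carry PARAM
count_param() {
  awk -v want="$2" '
    /^[[:space:]]*kernel[[:space:]]/ && index(" " $0 " ", " " want " ") > 0 { c++ }
    END { print c + 0 }
  ' "$1"
}

# Constructed grub.conf with two boot entries, one already using pci=noaer.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default=0
timeout=5
title CentOS (2.6.32-71.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg-root rhgb quiet pci=noaer
        initrd /initramfs-2.6.32-71.el6.x86_64.img
title CentOS rescue
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-71.el6.x86_64.img
EOF

add_kernel_params "$SAMPLE" pci=noaer pcie_aspm=off
add_kernel_params "$SAMPLE" pci=noaer pcie_aspm=off   # second run must change nothing
grep '^[[:space:]]*kernel' "$SAMPLE"
```

After a reboot, confirm the parameters took with cat /proc/cmdline, and check dmesg for the ASPM and AER messages to see that the kernel actually honoured them; pcie_aspm=off disables ASPM for every PCIe device, so keep it to the boxes that need it.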


Properly Partitioning a HW RAID Volume over 2TB in size

Like most geeks I’ve got lots of files and a need for spacious network shares. However, as soon as you go over 2TB you run into two separate problems: an MBR partition table can’t address more than 2TiB (with 512-byte sectors), so the volume has to be partitioned with GPT, and newer drives using the 4096-byte sector spec called simply Advanced Format (and RAID volumes with their stripes) need the partition start properly aligned or performance suffers badly. I initially stumbled upon a series of articles written by Roderick W. Smith over on IBM’s DeveloperWorks when searching for how to properly check partition alignment under Linux for SSDs, but quickly had an “Uh Oh” moment when I realized SSDs weren’t my only problem and I had in fact been flying blind on larger-than-2TB partitions under Linux. Thankfully I didn’t have systems in production where this was a problem, but I was literally building a system at work where this could bite me in the rear!

To bottom line it for you: whether you’re using software RAID or a true HW RAID setup, you need to tell the filesystem how the volume is striped, which comes down to the number of disks, the RAID level (i.e. how many of those disks hold parity) and the chunk (stripe) size in KB, and you need the partition itself to start on a chunk boundary. My example below is strictly regarding Areca ARC RAID cards and might not be applicable to your setup.

I’m using an ARC-1680ix-24 with 4GB of RAM on board and 24 500GB HDs in a single RAID 6 raidset, with one volume using all of them. So, for me the math when using the EXT4 filesystem is:

chunk size = 128KB (For Areca ARC-1680s it's your Stripe size.)
block size = 4KB (My desired partition is over 2TB. 6.5TB to be exact.)
stride = chunk / block 
       = 128KB / 4KB 
       = 32
Stripe-width = stride * (( # disks in RAID) - # of RAID parity disks)
             = 32 * ((using all 24 disks) - RAID 6 uses 2 parity disks)
             = 32 * (24 - 2)
             = 32 * 22
             = 704

so in other words, once I’ve created the basic partition on my device and I’m ready to format it as EXT4 I’ll end up using:

mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1

I’m not going to go into every detail of the line so please read RAID Setup over on Kernel.org for the skinny.

So from Soup to Nuts:

    Use parted to create a GPT partition table on the new volume and one massive partition starting at sector 2048 (1MiB in, which is a multiple of both the 4KB sector size and the 128KB chunk):
parted /dev/sdd
    Once in the parted tool:
mklabel gpt
unit s
mkpart primary 2048s 100%
name 1 BFS
quit


    Next, you’ll need to create an EXT4 filesystem inside your newly created partition from above:
mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1
    Now you’ll want to add it to your fstab file so let’s grab the UUID from blkid next:
blkid -o list
    And add a line to your /etc/fstab file so it mounts automatically at boot time:
UUID=8e0a7d10-blah-blah-tomatoes-are-yummy-b4a0f6a13c15 /bfs ext4 defaults  1 2
    Finally, create the mount point and mount it.
sudo mkdir /bfs
mount /bfs
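The arithmetic above is easy to get wrong when the disk count or RAID level changes, so here is an added example (not from the original post) that carries the same calculation as a few shell functions: it derives stride and stripe-width from the chunk size, block size, disk count and RAID level (generalised to RAID 0/5/6/10 using the kernel.org RAID wiki formulas), checks whether a partition start is aligned to the chunk and to a full data stripe, and prints the mkfs.ext4 line. The 24-disk RAID 6 numbers and /dev/sdd1 are the post’s own; everything else is generic.

```shell
#!/bin/sh
# Added example (not from the original post). Computes the ext4 stride and
# stripe-width for a hardware or software RAID volume from chunk size (KiB),
# filesystem block size (KiB), disk count and RAID level, checks partition
# start alignment, and prints the resulting mkfs.ext4 line. The 24-disk
# RAID 6 values and /dev/sdd1 are the post's; the functions are generic.
set -eu

# parity_disks LEVEL NDISKS : disks that hold no data in one full stripe
# (RAID 0 -> 0, RAID 5 -> 1, RAID 6 -> 2, RAID 10 -> half the set)
parity_disks() {
  case "$1" in
    0)  echo 0 ;;
    5)  echo 1 ;;
    6)  echo 2 ;;
    10) echo $(( $2 / 2 )) ;;
    *)  echo "unsupported RAID level: $1" >&2; return 1 ;;
  esac
}

# ext4_stride CHUNK_KIB BLOCK_KIB : filesystem blocks per chunk
ext4_stride() { echo $(( $1 / $2 )); }

# ext4_stripe_width CHUNK_KIB BLOCK_KIB NDISKS LEVEL : blocks per full data stripe
ext4_stripe_width() {
  echo $(( ($1 / $2) * ($3 - $(parity_disks "$4" "$3")) ))
}

# start_is_chunk_aligned START_SECTORS SECTOR_BYTES CHUNK_KIB : true when the
# partition start falls on a chunk boundary
start_is_chunk_aligned() {
  [ $(( $1 * $2 % ($3 * 1024) )) -eq 0 ]
}

# start_is_stripe_aligned START_SECTORS SECTOR_BYTES CHUNK_KIB DATA_DISKS :
# true when the start also falls on a full-stripe boundary (chunk * data disks)
start_is_stripe_aligned() {
  [ $(( $1 * $2 % ($3 * 1024 * $4) )) -eq 0 ]
}

# mkfs_ext4_cmd DEVICE CHUNK_KIB BLOCK_KIB NDISKS LEVEL : the format command
mkfs_ext4_cmd() {
  printf 'mkfs.ext4 -v -m .1 -b %d -E stride=%d,stripe-width=%d %s\n' \
    $(( $3 * 1024 )) "$(ext4_stride "$2" "$3")" \
    "$(ext4_stripe_width "$2" "$3" "$4" "$5")" "$1"
}

# The post's volume: Areca stripe 128 KiB, 4 KiB blocks, 24 disks, RAID 6.
mkfs_ext4_cmd /dev/sdd1 128 4 24 6

# parted's "mkpart primary 2048s 100%" puts the partition at 1 MiB ...
if start_is_chunk_aligned 2048 512 128; then echo "2048s: chunk-aligned"; fi
# ... which is a chunk boundary but not a full-stripe boundary for 22 data
# disks (22 * 128 KiB = 2816 KiB = 5632 sectors)
if ! start_is_stripe_aligned 2048 512 128 22; then echo "2048s: not full-stripe aligned"; fi
if start_is_stripe_aligned 5632 512 128 22; then echo "5632s: full-stripe aligned"; fi
# the old MBR default of sector 63 is aligned to nothing
if ! start_is_chunk_aligned 63 512 128; then echo "63s: NOT chunk-aligned"; fi
```

Two checks worth running on the real volume afterwards: parted /dev/sdd align-check optimal 1 confirms the partition start against what the kernel reports for the device, and tune2fs -l /dev/sdd1 shows the “RAID stride” and “RAID stripe width” values the filesystem actually recorded. A 1MiB start is fine for the chunk, which is what matters for avoiding read-modify-write on every I/O; if you want the allocator’s stripe-width hint to line up with physical stripes as well, start the partition at a multiple of the full data stripe instead.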

Here’s a couple of links I found note worthy while going down this rabbit hole:
https://raid.wiki.kernel.org/index.php/RAID_setup#Calculation (shows the actual formula shown above & values)
http://insights.oetiker.ch/linux/raidoptimization.html (a great read)
http://ubuntuforums.org/showthread.php?t=1715375  (Rod weighs in with helpful advice in the Ubuntu forums)
http://www.gnu.org/software/parted/manual/parted.html  (parted’s man page over on GNU.ORG)
http://en.wikipedia.org/wiki/Ext4
http://lwn.net/Articles/377897/  (talks about 4KB sector size disks and let the panic ensue!)
http://whattheit.wordpress.com/2011/08/23/linux-aligning-partitions-to-a-hardware-raid-stripe/  (lots of theory but looks incomplete)
Last 4 links are from Rod Smith:
http://www.rodsbooks.com/gdisk/advice.html  (using gdisk but applicable to parted)
http://www.rodsbooks.com/gdisk/index.html  (main gdisk site!)
http://www.ibm.com/developerworks/linux/library/l-4kb-sector-disks/  (talks about the severe performance effects if you gloss over this stuff!)
http://www.ibm.com/developerworks/linux/library/l-gpt/  (good overview of GPT & understanding why they’re moving away from MBR)

(Personal Note: By finally posting this up on my blog I can close 10 tabs I’ve had open since middle of 2011!)

Bootable USB flash drive

This one took a while. Essentially I had lost my other bootable USB flash drive and needed to make another one. I had previously used an HP utility which did the heavy lifting for me, but I couldn’t find it on the interwebs nor on my HD to save my life. I essentially had to use FreeDOS and SysLinux to get the job done. I’m pretty sure the wiki page I found was written for an older version, so I had to download FreeDOS 1.0 to find the fat32lba.bss file which had been eluding me.

I will never lose this USB thumb drive…ever…bit of a nightmare really.


Useful links:

http://sourceforge.net/apps/mediawiki/freedos/index.php?title=USB

http://www.kernel.org/pub/linux/utils/boot/syslinux/ (I grabbed version 4.05!)

http://www.freedos.org/download/


Sendmail’s tweakable settings in the sendmail.mc file

Recently had a question at work about the maximum number of recipients Sendmail would allow through our in-house server. I wasn’t sure, but knew I hadn’t personally configured a hard limit. Did some quick searching and stumbled upon confMAX_RCPT_PER_MESSAGE as the answer. I haven’t set it to anything in our config, but didn’t know what the default limit was in Sendmail, so I did some digging. Stumbled upon the following links of value (to me at least!)

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html

Answer: infinite. Sendmail doesn’t impose a limit by default; confMAX_RCPT_PER_MESSAGE is simply unset (now ours has one!)

Also stumbled upon Centos.org’s version 5 Deployment Guide on running the m4 macro command to build a new Sendmail.cf file.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s3-email-mta-sendmail-changes.html
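Setting that define is a one-liner, but it has to land before the MAILER() lines and it is easy to end up with two copies of it after a couple of edits. Here is an added example (not from the original post) that sets or updates a define() in a sendmail.mc idempotently and reads the value back; the .mc it operates on is a constructed minimal sample, not the post’s real config.

```shell
#!/bin/sh
# Added example (not from the original post). Sets or updates a define() in a
# sendmail.mc file idempotently, keeping it ahead of the MAILER() lines where
# sendmail expects defines, and reads the value back. The .mc below is a
# constructed minimal sample, not the post's real config.
set -eu

# set_mc_define FILE NAME VALUE : replace an existing define(`NAME', ...) or
# insert one before the first MAILER() line (appending if there is none)
set_mc_define() {
  awk -v n="$2" -v v="$3" '
    BEGIN { pre = "define(`" n "\047"; line = pre ", `" v "\047)dnl"; done = 0 }
    index($0, pre) == 1 { if (!done) { print line; done = 1 }; next }
    /^MAILER\(/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_mc_define FILE NAME : print the current value, or nothing if unset
get_mc_define() {
  sed -n "s/^define(\`$2', \`\([^']*\)')dnl.*/\1/p" "$1"
}

# define_precedes_mailer FILE NAME : true when the define sits before MAILER()
define_precedes_mailer() {
  awk -v n="$2" '
    index($0, "define(`" n "\047") == 1 { d = NR }
    /^MAILER\(/ && !m { m = NR }
    END { exit !(d && m && d < m) }
  ' "$1"
}

# Constructed minimal sendmail.mc in the CentOS layout.
MC=$(mktemp)
cat > "$MC" <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`example sendmail.mc')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
EOF

set_mc_define "$MC" confMAX_RCPT_PER_MESSAGE 100   # cap recipients per envelope
set_mc_define "$MC" confMAX_RCPT_PER_MESSAGE 50    # re-run: value updated, no duplicate
echo "confMAX_RCPT_PER_MESSAGE is now $(get_mc_define "$MC" confMAX_RCPT_PER_MESSAGE)"
```

After editing the real /etc/mail/sendmail.mc, rebuild sendmail.cf (m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf, or make -C /etc/mail on CentOS) and restart sendmail. Recipients past the limit get a 452 temporary failure and are retried in a later transaction, so the cap bounds the blast radius of a compromised internal account or a runaway script without breaking legitimate large mailings outright.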


USN Rollback on a Domain Controller

This one bit me in the behind a while back. Essentially, the AD server was restored from a snapshot, so its USNs went backwards: they were lower than the USNs its replication partner had already recorded for it. AD detected the USN rollback and took the server out of service (replication disabled and Netlogon paused), so it wasn’t being used for AD stuff. The only way I could permanently fix my USN rollback issue was by keeping the other server off and restoring it to a previous snapshot as well. Long story short, this sucked to fix.


Couple of links:

http://exchangeserverpro.com/recovering-a-single-domain-controller-from-a-usn-rollback

http://social.technet.microsoft.com/Forums/zh/winserverDS/thread/8d287ba9-fff8-4a93-998a-86e64e4b85f8


Configuring Windows Time Service on a Domain Controller

I’m getting ready to migrate our AD servers to a virtual environment and one of the things that can get messed up is the AD servers’ time. Also, I’m joining some non Windows systems to the Windows domain which might encounter some time sync issues since they aren’t currently configured to use the domain’s NTP server (easy fix I know but I’m saving that for another post!)

Short story long: by default the domain’s PDC emulator syncs to its own CMOS clock rather than an external NTP server, and every other domain member follows it. That’s all fine and good so long as A) it’s a real hardware server, not a virtualized one (a VM’s clock drifts and can be overwritten by the hypervisor) and B) no other servers in your infrastructure use other NTP servers (i.e. Linux server ‘A’ isn’t using tick.usno.navy.mil, which will have a different time than your main AD server going off its CMOS clock!)

So, I did some searching on the interwebs and stumbled upon a couple of useful links on how to modify your registry on your AD server so it:

A) Uses an external time source versus the CMOS time & date.

B) Has a list of servers to attempt time updates from (use spaces to delimit the servers in the NtpServer value, and append “,0x1” to each entry so the service polls that server at the SpecialPollInterval; the flag applies whether you list an FQDN or an IP address).

C)…I forget C!


Anyhow, here’s some links I wrangled up.

http://support.microsoft.com/kb/816042#method2

http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html

 http://www.sole.dk/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/ (this one was most helpful!)


Installing SharePoint 2010 ENT and got error on installing Sync Framework 1.0

Just finished installing a fresh server with SharePoint 2010 Enterprise so an employee could look at the business intelligence dashboard stuff. During the install I received an error about the Microsoft Sync Framework 1.0 failing, which brought the whole thing to a screeching halt. It would appear that I had installed .NET 4.0 via Windows Update, which caused the Sync Framework 1.0 installer to choke. Thankfully, MS had a hotfix for that which resolved my issue. You can see Microsoft Sync Framework Runtime v1.0 listed on SharePoint 2010’s HW & SW requirements list.

http://support.microsoft.com/kb/962229

After I manually installed the hotfix, the “Install software prerequisites” continued and I had the SharePoint 2010 site up and running before lunch!

How much is your time worth again??

This is a classic! So I’m sitting at the keyboard, it’s after 5pm and I’m just now remembering a part I need for a home computer case. It’s nothing special, just an extra switch for resetting the system. I go to the place where I bought the power switch (Danger Den for what it’s worth) and say to myself, “Hey! That’s <some dollar amount> and I bet ya I can find it cheaper if I search for it real quick!” About two hours have just gone by…that’s right, I said 2 hours! Long story short, after having realized I’ve spent a ton of time searching on Mouser, Digikey and Newark for a switch I hope is similar to what I’ve already got, I finally realize I’ve spent more time hunting down my quarry than whatever savings I could have had. Oh don’t worry, I finally found the exact switch and guess what, the price was within $1. Yep. Let that sink in for a minute.


Man, I’ve got to get better at this!


NOTE: If I did buy them in bulk, say 1,000 switches, I could have saved $3 bucks a switch! Ha! Vindication is mine!

WordPress install on Win 2008 R2

I’ve installed WordPress websites several times on various Linux distros without issue, but today I needed to install WordPress on a Windows 2008 R2 Server for the first time. Thankfully WordPress.org had an entire webpage up on just how to do it. Looks like they’re using a Microsoft publishing site called Web App Gallery (via the Web Platform Installer) to install not only WordPress but also its dependencies and to do the initial configuration. The only problem I had was getting WordPress to update itself via FTP. Not only do you need to install the FTP server under the IIS additional roles, but you need to explicitly give that FTP user account modify and write permissions on the folder housing your WordPress files. Keep that grant as narrow as you can: scope it to the WordPress directory itself rather than all of wwwroot, and use FTPS (IIS supports it) so the account’s credentials don’t cross the network in the clear every time WordPress updates.

WordPress IIS page:
http://codex.wordpress.org/Installing_on_Microsoft_IIS

Microsoft’s Web App Gallery page:
http://www.microsoft.com/web/downloads/platform.aspx
