geekmerc
April 15th, 2015

Some servers, including my Supermicro, don't handle the hybrid ISO on a USB stick very well. That is to say, they won't detect the EFI boot loader on it. Using a USB DVD-ROM with the actual DVD does EFI just fine, but USB sticks are smaller and more portable. There are a lot of ways I could fix it, but this was the easiest and quickest I found, using the CentOS 6.6 DVD1 ISO.

First, Windows has serious issues with multiple partitions on removable USB sticks. There are ways around it, but I found it easier to just do this from Linux. There are GUI tools that can do most of this on Windows. For Linux, you can use a bare-metal install, Cygwin, or a quick virtual machine.

I used an 8GB stick. The downside is that I suspect the "rescue" option on the boot menu won't be able to confirm/fix a lot of things, because the packages won't be available to it. I haven't tested this, but it is a suspicion. If you want full functionality, you might consider a 16GB stick so you can hold two copies of the ISO. The other advantage of a 16GB stick is that you can put the DVD2 ISO on it as well.

The process is simple. Partition the USB stick into two partitions. The first will be of type EFI (FAT32/vfat); on an 8GB stick it only needs to be 500MB, while on a 16GB stick you might consider 5GB. The second partition will be of type Linux and will take the remainder of the drive.

Format the EFI partition with mkfs.vfat. Format the Linux partition with mkfs.ext3 or mkfs.ext4.

Mount the DVD1 ISO (i.e. mount -o loop CentOS-6.6-x86_64-bin-DVD1.iso /mnt/dvd). Mount the EFI partition. Copy everything from /mnt/dvd to the EFI partition except for the repodata and Packages directories (on a 16GB stick, you could copy those directories as well for the rescue option). Copy the .iso file itself to the ext partition (copy the DVD2 ISO as well on a 16GB stick if you want it). Unmount and you are done.

During install, it will ask where the install image is. Select hard drive and the EFI partition. After you do the base config and partitioning, you get to the screen where it will handle the MBR. At this point I switch to terminal mode (Ctrl-Alt-F2), unmount isosource, and mount the ext partition on isosource. I then switch back to the GUI (Alt-F6) and continue. The next step will be installing the packages. Once done, it will ask you to reboot. If you forget to switch at the right place, you'll get a popup saying that it can't find the ISO file. Just switch to the shell, do the remount, and click retry when you return.
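The preparation steps above (partition, format, copy the DVD contents and the ISO) as a script. This is an added example, not code from the original post; it assumes parted, mkfs.vfat, mkfs.ext4, rsync and blockdev on the Linux host, a /dev/sdX-style stick, and the mount points /mnt/dvd, /mnt/efi and /mnt/ext.

```python
"""Added example, not from the original post: plan (and optionally run) the
two-partition CentOS 6.6 EFI USB build described above.  Assumes parted, mkfs.vfat,
mkfs.ext4, rsync and blockdev, and a /dev/sdX-style stick (partitions sdX1, sdX2)."""
import subprocess
import sys

DVD_MNT, EFI_MNT, EXT_MNT = "/mnt/dvd", "/mnt/efi", "/mnt/ext"
FULL_COPY_MB = 15000  # from roughly 16 GB there is room for repodata and Packages too


def efi_size_mb(stick_mb):
    """The post's sizing: a 500 MB EFI partition on an 8 GB stick, 5 GB on 16 GB."""
    return 5120 if stick_mb >= FULL_COPY_MB else 500


def plan_commands(dev, iso, stick_mb, dvd2=None):
    """Return the ordered list of commands (argv lists) that builds the stick."""
    efi_end = 1 + efi_size_mb(stick_mb)  # the EFI partition starts at 1 MiB
    rsync = ["rsync", "-a", f"{DVD_MNT}/", f"{EFI_MNT}/"]
    if stick_mb < FULL_COPY_MB:  # 8 GB layout: keep repodata and Packages off the EFI part
        rsync[2:2] = ["--exclude=repodata", "--exclude=Packages"]
    cmds = [
        ["parted", "-s", dev, "mklabel", "gpt",
         "mkpart", "EFI", "fat32", "1MiB", f"{efi_end}MiB", "set", "1", "boot", "on",
         "mkpart", "data", "ext4", f"{efi_end}MiB", "100%"],
        ["mkfs.vfat", "-n", "CENTOSEFI", f"{dev}1"],
        ["mkfs.ext4", "-L", "CENTOSISO", f"{dev}2"],
        ["mkdir", "-p", DVD_MNT, EFI_MNT, EXT_MNT],
        ["mount", "-o", "loop,ro", iso, DVD_MNT],
        ["mount", f"{dev}1", EFI_MNT],
        rsync,
        ["mount", f"{dev}2", EXT_MNT],
        ["cp", iso, EXT_MNT],  # the installer is pointed at this copy after the MBR step
    ]
    if dvd2:
        cmds.append(["cp", dvd2, EXT_MNT])
    cmds.append(["umount", DVD_MNT, EFI_MNT, EXT_MNT])
    return cmds


def run_plan(cmds, dry_run=True):
    """Print each command and, unless dry_run, execute it, stopping at the first failure."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


def stick_size_mb(dev):
    return int(subprocess.check_output(["blockdev", "--getsize64", dev])) // (1024 * 1024)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    if len(args) < 2:
        sys.exit("usage: mkusb.py [--dry-run] /dev/sdX DVD1.iso [DVD2.iso]")
    # args[2], if given, is the optional DVD2 ISO
    plan = plan_commands(args[0], args[1], stick_size_mb(args[0]), *args[2:3])
    run_plan(plan, dry_run="--dry-run" in sys.argv)
```

Review the plan with --dry-run first: the parted step wipes whatever is on the device you name.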

I hope this is helpful to someone.

June 14th, 2014

Newer versions have the ability to count the recipients from an acl_smtp_data block, but this version requires per_rcpt to be set in the acl_smtp_rcpt ACL. The downside to this is that we do more ratelimit database updates (one per recipient instead of one per message). Of course, we have a whitelist for authenticated users. We could have altered their actual rate, but that would be more annoying in this layout. This is much easier in 4.82.1. The rates were set to 0 in this example, so all emails would be frozen in the queue unless whitelisted. That probably isn't desired in production.

acl_check_rcpt:

  # Per-recipient rate for authenticated users, keyed on the login name.
  # "strict" keeps updating the rate even while the client is over the limit,
  # so a runaway account stays over it.  acl_c_freeze is only set when the
  # ratelimit condition is true (limit exceeded); with a limit of 0 that is always.
  warn    authenticated = *
          ratelimit = 0 / 1h / per_rcpt / strict / $authenticated_id
          set acl_c_freeze = $sender_rate

  # Unauthenticated clients are keyed on the sending host (Exim's default key).
  warn    !authenticated = *
          ratelimit = 0 / 1h / per_rcpt / strict
          set acl_c_freeze = $sender_rate

acl_check_data:

  # Freeze the message if the RCPT ACL flagged it, unless the login is listed
  # in the whitelist file (a successful lookup yields "no", so the condition fails).
  warn authenticated = *
       condition = ${lookup{$authenticated_id}lsearch{/maildisk/exim/noratel}\
                     {no}{yes}}
       condition = ${if def:acl_c_freeze}
       log_message = RATE LIMIT($authenticated_id): $sender_rate/\
                     $sender_rate_period \
                     (max $sender_rate_limit)
       control = freeze

  warn !authenticated = *
       condition = ${if def:acl_c_freeze}
       log_message = RATE LIMIT($sender_host_address): $sender_rate/\
                     $sender_rate_period \
                     (max $sender_rate_limit)
       control = freeze

  # Second rate, counting whole messages (per_mail) rather than recipients.
  warn authenticated = *
       condition = ${lookup{$authenticated_id}lsearch{/maildisk/exim/noratel}\
                     {no}{yes}}
       ratelimit = 0 / 1h / per_mail / strict / $authenticated_id
       log_message = RATE LIMIT($authenticated_id): $sender_rate/\
                     $sender_rate_period \
                     (max $sender_rate_limit)
       control = freeze

  warn !authenticated = *
       ratelimit = 0 / 1h / per_mail / strict
       log_message = RATE LIMIT($sender_host_address): $sender_rate/\
                     $sender_rate_period \
                     (max $sender_rate_limit)
       control = freeze

June 14th, 2012

New Project - VM Hell

So I had to scratch the LAG with SR-IOV plan. I don't need the SR-IOV performance boosts, and the RHEL kernel version is way behind the necessary support for the Intel drivers.

The servers seem to be okay. I do appear to have a problem with TSC and kvm-clock. I'm still narrowing it down, but it appears that the constant TSC isn't synced on the last 4 cores of the 16 core processors. I've at least narrowed it down to only having problems in the last 8 cores. This server used to have a 12 core chip. I put new 16 core chips in it, so it is probably that the BIOS wasn't updated to properly handle the last 4 cores in each chip. Currently I'm running segment tests in the last 8 to see if I can narrow it down more.

RHEL is okay, although it has a variety of annoyances. However, I at least get the pleasure of sending in tickets and annoying someone else with my problems. I also needed familiarity with it to support sister company engineers who are required to run it.

Back to learning!

April 26th, 2012

New Project - VM heaven

This post is a little premature. I'm working on a new project to migrate our email servers into a VM cluster. We got the new hardware in, which has 4x 16-core AMD processors, 256GB of memory, six 900GB SAS disks (roughly 3.5TB in RAID6 mode), and 12 GE ports (4 onboard and 2x4 on added Intel cards). I'm still building the virtualization host system. We decided on RHEL6 using KVM manually instead of RHEV3 or another hypervisor. The hardware supports SR-IOV for at least the Intel GE ports, so I'm looking into that. Generally observing it, it looks like a good idea to run SR-IOV. However, I require LACP/LAG for some applications. I'm unsure if RHEL can handle both, and a quick search on Google doesn't turn up any documentation.

My next post, if successful, will be how to configure LACP/LAG to work with SR-IOV in a VM environment on RHEL6.

Firefox seems to not know how to spell a lot of technical terms. :)

November 1st, 2011

It's been a long time since I posted, so I thought I'd share some of my more recent adventures in the world of routing.

We'll start with Huawei. They are easier to pick on.

I unfortunately have had the privilege to work on a Huawei router recently, as well as a fleet of their install engineers. I kid you not, but I actually had this told to me: "The Huawei guys have made changes to the Cisco 7600, but they don't know the command to save the configuration." ???? Their understanding of their own software is limited, and their ability to understand basic routing concepts leaves much to be desired. I actually had to explain to them that to route between all their different OSPF areas, they needed to tie them together with an area 0. Finally, I swear that they took every command in the Cisco IOS tree, looked it up in a thesaurus and found a synonym to use: exit = quit, show = display, etc. It's absolutely annoying.

I've also had the privilege of learning and working on Alcatel for a sister company. They improperly engineered the initial network, performing a perfect bait and switch. "Sorry, we can't do layer-2 only with ERPS. We'll need to do this with MPLS." Then their expanded module cards on the 7210-M had a little issue that caused the software to lose connection to the hardware when 4x10GE are in the system. The side effect of this is that the hardware stays up, some protocols seem to work, but traffic fails to forward. This equates to, "Yes, the LSP can still come through here, but we'll discard all the packets." So, after spending many hours asking the right questions about their layer-2 setup, that is thrown out the window and some crappy layout with MPLS is used. Given MPLS, there's no reason to maintain a ring topology, so we upgraded critical nodes to 7450 and created an inner bypass ring on the DWDM. Then we find the other problems.

Fast Reroute (FRR) has been out since around 2004? Juniper has had support for it since it was in early draft stage. Alcatel still does not support the entire RFC. From the 7210 up to the 7750, there is NO admin group support for FRR. Why? It makes no sense. Admin groups (affinity for Cisco guys, though Cisco's implementation is horrid) are supported for primary and secondary LSPs. They're part of their OSPF and CSPF implementations. The only thing missing is the configuration statement to use them!

Now, I realize the 7210-M is a small non-redundant pizza box, but it's perfect for those small towns that just cannot cost justify using a 7450 or even a 7705. However, for some strange reason, Alcatel decided not to implement SRLG on the 7210-M. It's in their main codebase, but wasn't implemented on this small box.

Why are these features important? Well, either one can be used in a shared risk deployment on a DWDM ring to make sure FRR paths are built going the correct direction. This is especially noticeable when you have an inner long distance ring and then pick up small towns along the DWDM ring as legs between the inner ring nodes. When there's a fiber cut (or DWDM node failure), it will affect the leg as well as the inner bypass route. However, without admin groups for FRR or SRLG, there is no way to tell the nodes to build FRR paths the correct way.

Well, this isn't completely true. Alcatel at least supports manual bypass tunnels. So if you don't mind using the inefficient facility method, you can configure a bunch of manual bypasses as a workaround. It's more management, more things that can fail, requires careful planning and verification, and facility backup mechanisms are less efficient than one-to-one.

Did I mention that Alcatel engineers weren't the ones who noticed the problem? How about the fact that it took many hours and conference calls to explain the problem? Then, once they understood the problem somewhat, I had to research, test, verify, and report the only available mechanisms to fix the problem and why their software fails.

So to wrap up, Huawei and Alcatel support is worse than Cisco's, their configurations are more complicated than they should be, and their feature sets are sorely lacking.

For the record, despite all the things I have to wait on Juniper to complete in software (features they already have roadmapped), I have found better support, features, and capabilities in the Juniper hardware than any of the other vendors I've played with (the aforementioned plus lots of Cisco and some Brocade/Foundry).

I'll conclude this with my current top 3 favorite Juniper commands:

show | compare rollback.?
show | match <regex> | display set
commit confirm

January 31st, 2011

ISP DHCPv6-PD delegation logic


If Relay Packet
    if per customer field (interface/vlan/auth?)
        goto suballocation-delegate
    else
        issue configured delegation size (or nak if not permitted)
else
    if per customer local information (interface/vlan/auth?)
        goto suballocation-delegate
    else
        issue configured delegation size (or nak if not permitted)

:suballocation-delegate
if this is a refresh AND prefix/length covers duid's delegation and undelegated only
    then rewrite delegation as the larger prefix (CPE is consolidating its requests)
    if new delegation is > allocation
        issue as allocation length
    else
        issue as delegation length

if HINT <= configured allocation size
    delegation = HINT
elsif HINT > allocation size
    delegation = allocation size
else (no HINT)
    delegation = <unset>
If existing allocation matches customer field
    if existing delegation matches duid
        if delegation = <unset>
            if multiple /64 entries for duid set delegation = /64
            else set delegation = shortest duid entry -1 length
        check for available space in current reservation and after existing delegations for new delegation (boundary aligned, of course)
        if space available
            if new delegation appended outside of current duid reservation, extend reservation to cover new delegation
            issue new delegation
        if space unavailable
            configurable
            issue nak
            check for deaggregate space to issue new delegation from within allocation
            if delegation would fit with renumber, issue delegation into new allocation, freeing current allocation after renumber completes
    else
        if delegation = <unset>
            set delegation = /64 (CPE will expand this if supported)
        check for available space in allocation, using sparse allocation mechanism
            if space available
                create duid reservation
                issue new delegation
            if space unavailable
                configurable
                issue nak
                if delegation would fit with renumber, issue delegation into new allocation, freeing current allocation after renumber completes
                issue largest delegation possible
else
    issue new allocation assigned to customer field
    if delegation = <unset>
        set delegation = /64 (CPE will expand this if supported)
    issue delegation
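A small Python model of the suballocation-delegate step, as an added example that is not part of the original post: it keeps the hint clamp, the /64 default for a CPE with no hint, per-DUID reservations and the NAK when space runs out, simplifies the sparse placement to first-fit and leaves the renumber branch out; the class and method names and the sample prefixes are my own.

```python
"""Added example (not from the original post): a small model of the
suballocation-delegate step above.  One object holds a customer's allocation
(the configured allocation size) and the boundary-aligned delegations issued
to each CPE DUID.  The hint clamp, the /64 default for a CPE without a hint,
per-DUID reservations and the NAK when space runs out follow the pseudocode;
sparse placement is simplified to first-fit and the renumber branch is omitted."""
import ipaddress

DEFAULT_DELEGATION = 64  # issued when a new CPE sends no hint; the CPE may grow it later


def delegation_length(hint, allocation_len):
    """Clamp the hinted prefix length to the customer's allocation.

    A hint no larger than the allocation (prefix length >= allocation_len) is
    honoured; a hint for more than the whole allocation is clamped to it.
    None means no hint was sent and the size is decided per DUID."""
    if hint is None:
        return None
    return max(hint, allocation_len)


class CustomerAllocation:
    def __init__(self, prefix):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.delegations = {}  # duid -> [IPv6Network, ...]: the DUID reservation

    def _is_free(self, candidate):
        return not any(candidate.overlaps(held)
                       for issued in self.delegations.values() for held in issued)

    def _candidates(self, length):
        if length == self.prefix.prefixlen:  # hint clamped to the whole allocation
            return [self.prefix]
        return self.prefix.subnets(new_prefix=length)  # aligned by construction

    def request(self, duid, hint=None):
        """Return the delegated prefix, or None when the request must be NAKed."""
        length = delegation_length(hint, self.prefix.prefixlen)
        if length is None:
            # No hint: a known CPE gets another block of the size it already holds,
            # a new CPE gets a /64 that it can expand later.
            held = self.delegations.get(duid)
            length = min(d.prefixlen for d in held) if held else DEFAULT_DELEGATION
        for candidate in self._candidates(length):  # first-fit inside the allocation
            if self._is_free(candidate):
                self.delegations.setdefault(duid, []).append(candidate)
                return candidate
        return None  # space unavailable: NAK (deaggregate/renumber handling omitted)

    def release(self, duid):
        """Lease expired or CPE gone: free every prefix reserved for the DUID."""
        return self.delegations.pop(duid, [])
```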

Router logic (local DHCPv6-PD or DHCPv6-PD relay):

When a new prefix is delegated, the router will analyze routes destined to the same IPv6 next-hop address as the new delegation and determine if it can expand the route to cover existing routes as well. If it is able to expand the route without changing the existing flow of traffic (no more-specific routes can exist except those to the same next-hop), then it will issue the aggregate route and remove the smaller routes.

The router MUST still remember the state of the DHCPv6 prefix bindings (as it would normally do anyways to remove the routes if the prefix expired) so that it can adjust the active routing table as necessary.
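The route-collapsing step above as an added Python example (not from the original post): the DHCPv6-PD bindings remain the authoritative state, two routes merge only when they are the two halves of one prefix and share a next hop, and withdrawing a binding re-derives the table; the names and sample prefixes are my own.

```python
"""Added example (not from the original post): the route-collapsing step
described above, with the DHCPv6-PD bindings kept as the authoritative state
so an expired prefix can be withdrawn and the table re-derived.  Two routes are
merged only when they are the two halves of a covering prefix and point at the
same next hop, so no covered address changes its forwarding."""
import ipaddress


def aggregate(bindings):
    """bindings: {IPv6Network: next_hop}.  Returns the collapsed routing table
    {IPv6Network: next_hop} that forwards every bound address identically."""
    table = dict(bindings)
    merged = True
    while merged:
        merged = False
        # Most specific first, so /64 pairs collapse before their /63 parents are tried.
        for net in sorted(table, key=lambda n: n.prefixlen, reverse=True):
            if net.prefixlen == 0:
                continue
            parent = net.supernet()
            sibling = next(s for s in parent.subnets() if s != net)  # the other half
            # A more specific route inside the would-be aggregate that goes elsewhere
            # (or a missing half) blocks the merge: the aggregate would change traffic flow.
            if table.get(sibling) == table[net]:
                next_hop = table.pop(net)
                del table[sibling]
                table[parent] = next_hop
                merged = True
                break
    return table


class PdRouteTable:
    def __init__(self):
        self.bindings = {}  # IPv6Network -> next hop: the state the router MUST keep

    def add(self, prefix, next_hop):
        """New delegation: record the binding and return the re-aggregated table."""
        self.bindings[ipaddress.IPv6Network(prefix)] = next_hop
        return self.routes()

    def withdraw(self, prefix):
        """Delegation expired: forget the binding; any aggregate it was part of splits again."""
        self.bindings.pop(ipaddress.IPv6Network(prefix), None)
        return self.routes()

    def routes(self):
        """Active table as {prefix string: next hop}, derived from the bindings."""
        return {str(net): nh for net, nh in sorted(aggregate(self.bindings).items())}
```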

August 9th, 2010

Waiting for the clock to scroll into the wee hours of the night so that I can perform service interrupting maintenance. Nothing major tonight. Just changing the spanning tree priority on a switch so it will naturally elect as root. Something that should have been done by my predecessor, but that's just the start of the list.

I'm happy to finally have at least one NSP providing dual stacked IPv4/v6 BGP to me without a tunnel. Now if I can just get the rest of the network upgraded and figure out the smoothest transition for my customers. Well, it's about that time.

March 31st, 2009

For the record, I nominate iPwn for the first IPv6 worm's name. Apple may not approve, but worm names are getting rather boring. Now on to the topic at hand.

When you initially look at the IPv6 address space and layout and how current worms randomly scan across the net, the initial presumption is that IPv6 will slow down if not stop such worms. Sadly, I believe it just means the worm, like everything else, must evolve to a new level.


February 12th, 2009

Tornado = Work + Halt

I'd have to say the hardest part at this point of dealing with the damage caused by the tornado that hit Lone Grove is the limited sleep and the huge amount of resources being dedicated to the telephone company to get repairs done. I'm exhausted.

December 11th, 2008

Too many projects


The number of projects that I'm dealing with for work is a little overwhelming. Currently ordering new OC12 circuits, planning for the future DWDM ring between OKC and DFW so we can push 10-80Gb, reinstalling all the servers to the latest release of Solaris 10 with ZFS boot support (which entails my new method of jumpstart installs with new finish scripts, everything recompiled using Sun Studio 12 and packaged for install through the jumpstart), determining the best solution for future network layout including fiber to the cabinet with 2 mile coverage for future over-copper technologies including VDSL2, determining the appropriate routers which will support the higher bandwidth rates and our needs for IPv6, playing with video over IP technologies and set top boxes to determine nominal bandwidth that we should offer to customers and which technologies they might want to learn about, and writing new probe scripts for pulling IP->customer information from the network for tracking purposes on some of the newer end node equipment like Motorola Canopy. I also need to finish reworking the REST interface on RT for ease of adding user information into the system, which works with our rewrites to the code. The helpdesk needs to get off that old software. I also need to write the processing scripts for abuse@ reports to automatically pull customer information based on the report.
