Wednesday, August 18, 2010

NetApp - Simulator and ESX Networking

This is a known problem with running the Data ONTAP simulator on ESX 3.5 and above.

Symptoms
After installing the Data ONTAP simulator within a guest VM and starting up the simulator, you cannot access (ssh/telnet/http) the Simulator's IP address.
Problems running the Data ONTAP Simulator on VMware ESX

Solution

Modify the 'Promiscuous Mode' setting to 'Accept' on the vswitch to which the guest VM (hosting the Data ONTAP simulator) is connected to. From within the VI Client, perform the following:

  1. Select 'Configuration' Tab.
  2. Select 'Networking'.
  3. Select 'Properties' for the vswitch.
  4. Under 'vswitch', select 'Edit'.
  5. Select 'Security' Tab.
  6. Change the dropdown for 'Promiscuous Mode' to 'Accept'.
  7. Click OK.

Monday, August 16, 2010

Putty - Improve Putty settings on Windows

Improving Putty settings on Windows

Configure your Putty first, then make entries.

This is important advice. First configure your environment before you start using it. This is especially true for Putty, since you always start off from the default, it is important to configure the default entry before you create entries from these defaults. It will save you a lot of time afterwards to get things straight.

So before you make any changes, open the default template in Category: Session by selectingDefault Settings and pressing the Load button.

Make SSH the default.
If you have an older version of Putty, chances are that you have Telnet as the default protocol. Changing it to SSH will probably save you some time when you start Putty out-of-the-blue. For this go to Category: Session and select SSH.

Keep windows around.
Putty cleverly exits when you leave a session, but I don't like that. I like to be able to still copy&paste from console even when one of my sessions times out or I closed one bash/session too many. Since I consider terminal output as possible interesting information I don't want to loose that by mistake (or inconsiderate intent). So you'd want to set in Category: Session the optionClose window on exit to Never.

Annoying PC bell.
Some systems have quite annoying (and loud) PC speaker bell sounds and since I am not fond of audible notifications (and I can imagine my colleagues even less when I frantically expand stuff in bash) I always enable visual bell in Category: Terminal > Bell and select Visual bell.

I also like to have taskbar notifications (when eg. putty is minimized or in the background) so I setTaskbar/caption indication on bell to Flashing.

Increase scrollback buffer.
By default Putty buffers 200 lines of output, which is too little in lots of circumstances. And the moment you actually need this number increased, chances are you already lost some information you wanted. So it is wise to increase this number. What I do is go to Category: Window and increase Lines of scrollback to 20000.

Scrollback behavior
One thing I hate about terminal consoles is that if you are scrolling back output while the system is still producing output, the terminal jumps back to the bottom. I can see why this is the default, people might be confused if they are not aware that they are looking at the terminal buffer.

So in Category: Window I disable the Reset scrollback on display activity but I do enableReset scrollback on keypress.

Choose a good font.
The newer Putty binaries are able to make use of ClearType which drastically improves the font quality compared to Antialiased. Go to Category: Window > Appearance, choose ClearTypeand a nice font. I prefer Lucida Console, 9-point.

When you are there, you might want to change the Gap between text and window edge to 3pixels.

Use proper character encoding.
Nowadays all Linux systems are able to use Unicode (UTF-8) so to make sure that the output in Putty (especially everything non-ascii) looks fine, go to Category: Window > Translation and change the character set to UTF-8, make sure that also the line drawing characters use Unicode as well.

Linux copy-and-pasting.
I prefer to do an implicit copy when selecting and using the middle mouse button for pasting. So I go to Category: Window > Selection and set the Action of mouse buttons to xterm (Right extends, Middle pastes)

When you are there, also enable the option Paste to clipboard in RTF as well as plain text, which is nice when you are copy-and-pasting to emails or text documents that allow fonts and colours. Your console output will look much the same as it does on your screen!

Change dark colours on a black background.
One of the more annoying things with terminal applications (xterm has the same issue) is that by default dark-blue is too dark to be visible on a black background. Not only is this frustrating, it makes the experience for new users so bad that they prefer to disable colours (or hate the ls colour output or syntax highlighting in vim).

So if you are like me, go to Category: Window > Colours and select ANSI Blue in the Select a colour to adjust to Red:74 Green:74 Blue:255. I do the same for ANSI Blue Bold toRed:140 Green:140 Blue:255.

Keeping idle sessions active.
Another frustrating problem is induced by the time-to-live of inactive or idle TCP sessions on firewall or switch configurations. At some companies this is put aggressively low so that TCP sessions that have no activity for 1 minute or even 30 seconds are being dropped. If you are using an SSH connection over such a network device, you have to take care to send keep-alive packets over your idle session. To do this go to Category: Connection and set Seconds between keepalives (0 to turn off) to 25.

Enable X11 forwarding.
Together with Xming, Putty allows you to run graphical Linux applications on your Windows system, so enabling X11 forwarding by default can be useful. To enable this, got to: Connection > SSH > X11 and enable Enable X11 forwarding.

Also dynamic forwarding is very useful to connect to systems on a remote network, even when you do not know in advance having it enabled can be useful. This option however reserves a local port on the system so enabling it by default is not really practical. However you can still enable it from a running Putty by selecting Change settings.

Finally, saving the default.
Now, don't forget to save the changes you just made to the default template. If you loaded the Default Settings at the start, return back to Category: Session and press the Save button. Now you are done !

Putty settings summary.
Category: Session
Connection type: SSH
Close window on exit: Never

Category: Terminal > Bell
Action to happen when a bell occurs: Visual bell (flash window)
Taskbar/caption indication: Flashing

Category: Window
Lines of scrollback: 20000
Reset scrollback on keypress: Checked
Reset scrollback on display activity: Unchecked

Category: Window > Appearance
Font: Lucida Console, 9-point
Font quality: ClearType
Gap between text and window edge: 3

Category: Window > Translation
Character set: UTF-8
Handling of line drawing characters: Unicode

Category: Window > Selection
Action of mouse buttons: xterm (Right extends, Middle pastes)
Paste to clipboard in RTF as well as plain text: enabled

Category: Window > Colours
ANSI Blue: Red:74 Green:74 Blue:255
ANSI Blue Bold: Red:140: Green:140 Blue:255

Category: Connection
Seconds between keepalives (0 to turn off): 25

Category: Connection > SSH > X11
Enable X11 forwarding: enabled

Friday, August 13, 2010

Linux - Tuning NFS for better performance

The Network File System (NFS) is still very popular on Linux systems, but it can use some help to increase performance by tweaking the relatively conservative defaults that most Linux distributions ship with. This can be done by tweaking both NFS servers and clients.

On the server side, you must ensure that there are enough NFS kernel threads to handle the number of connections by the clients. You can determine whether or not the default is sufficient by looking at RPC statistics using nfsstat on the NFS client:

# nfsstat -rc
Client rpc stats:
calls retrans authrefrsh
3409166 330 0

Here you can see that the retrans value is quite high, meaning that retransmissions were often necessary since the last reboot. This is a clear indication that the number of available NFS kernel threads on the server is insufficient to handle the requests from this client. The default number of threads for rpc.nfsd to start is typically eight threads.

To tell rpc.nfsd to use more kernel threads, the number of threads must be passed as an argument to it. Typically, most distributions will have a file such as/etc/sysconfig/nfs to configure this; on a Mandriva Linux system, the configuration item RPCNFSDCOUNT in /etc/sysconfig/nfs is used to determine the number of kernel threads to pass to rpc.nfsd. Increase this number — perhaps to 16 — on a moderately busy server, or increase up to 32 or 64 on a more heavily used system. Re-evaluate using nfsstat to determine whether or not the number of kernel threads is sufficient; if the retrans setting is 0 then it is enough; but, if the client still needs to retransmit, increase the number of threads further.

On the client side of things, remote NFS mounts should be mounted with the following options:

rsize=32768,wsize=32768,intr,noatime

By default, most clients will mount remote NFS file systems with an 8-KB read/write block size; the above will increase that to a 32-KB read/write block size. It will also ensure that NFS operations can be interrupted if there is a hang and will also ensure that the atime won’t be constantly updated on files accessed on remote NFS file systems.

If NFS file systems are mounted via /etc/fstab, make the changes there; otherwise, you will need to make them to any configuration files belonging to your chosen automounter. In the case of amd, the /etc/amd.net file would look like:

/defaults fs:=${autodir}/${rhost}/root/${rfs};opts:=nosuid,nodev,rsize=32768,wsize=32768,intr,noatime
* rhost:=${key};type:=host;rfs:=/

By tweaking the defaults of NFS servers and clients, you can make using NFS faster and more responsive, particularly if you make heavy use of NFS file systems.

Linux - How to Find the Block Size

To find the block size for the second partition of the first HDD, the following can be used:

/sbin/dumpe2fs /dev/hda2 | grep 'Block size'

Because dumpe2fs provides a large amount of information, it is convenient to use the filter grep to remove everything from the output except the block size. Because grep is case-sensitive and the word Block begins with an upper case (i.e., capital) B, it is necessary to use an upper case B in this command.

DNS Conditional Forwarding in Windows Server 2003

Conditional forwarding is a new feature of DNS in Windows Server 2003 that can be used to speed up name resolution in certain scenarios. They can also be used to help companies resolve each other's namespace in a situation where companies collaborate a merger is underway. This article will look in detail at how conditional forwarding works, how to configure it, and when you might use it. But first, let's briefly review the concepts of forwarding and forwarders in traditional DNS, starting with different types of name queries.

Forwarders and Forwarding

When a name server is queried in DNS, the way it responds depends on the type of query issued, which can be either iterative or recursive. In an iterative query, the client asks the name server for the best possible answer to its query. The name server checks its cache and the zones for which it is authoritative and returns the best possible answer to the client, which could be either a full answer like "here is the IP address of the host you are looking for" or a partial answer like "try this other name server instead, it might know the answer." In a recursive query, things work a little different for here the client demands either a full answer (the IP address of the target host) or an error message like "sorry, name not found." In Windows DNS, client machines always send recursive queries to name servers, and name servers usually send iterative queries to other name servers.

Sometimes this process isn't enough however. A simple example is a company that has Active Directory deployed on its internal network and uses a private top-level domain like .local for its forest. For example, say a company has a single Active Directory domain named test2003.local, a domain controller (and DNS server) named SRV220 and has a dedicated connection to the Internet. A user named Bob goes to his desktop computer named DESK231, opens Internet Explorer, and tries to access Google (www.google.com). Here's what happens DNS-wise as far as name resolution is concerned:

  1. DESK231 sends a recursive query to SRV220 asking to resolve www.google.com into its associated IP address.
  2. SRV220 looks in its DNS database and finds zone information only for the test2003.local domain, realizes www.google.com is not part of that domain, decides it has no way of knowing how to resolve www.google.com into an IP address, and what happens next depends:
    1. If, when you promoted your standalone server to the role of domain controller using dcpromo, your machine was disconnected from the Internet and there were no other DNS servers on your network, then dcpromo creates a root zone (".") in its DNS database that specifies itself as the root name server for all DNS name resolution (that is, "the buck stops here"). In this case, SRV220 realizes it can't answer the query and returns a "name not found" error to the client and Bob can't open the Google home page.
    2. If however, when you promoted your server to a domain controller, your machine was connected to the Internet, then Windows contacts the first available Internet root name server and downloads a list of all Internet root name servers, which becomes its list of root hints. In that case name resolution now continues as follows:
  3. SRV220 sends an iterative query to the first available Internet root name server, which responds with the IP address of a name server authoritative for the .com top-level domain.
  4. SRV220 sends a second iterative query to the name server authoritative for .com, and this machine responds with the IP address of a name server authoritative for the google.com domain.
  5. SRV220 sends a third iterative query to the name server authoritative for google.com, and this machine responds with the IP address of the host named www.google.com.
  6. SRV220 returns the IP address of www.google.com to DESK231 and Bob sees the Google home page appear in his browser.

Now that's a lot of steps, and if the company has a slow WAN link to the Internet then you're using valuable bandwidth. A better approach than "going up to root" to resolve www.google.com would be to configure a forwarder. A forwarderis a name server that handles name queries that can't be resolved by another name server. Let's see how the above scenario works when a forwarder is configured on the internal name server SRV210:

  1. DESK231 sends a recusrive query to SRV220 asking to resolve www.google.com into its associated IP address.
  2. SRV220 looks in its DNS database and finds zone information only for the test2003.local domain, realizes www.google.com is not part of that domain, decides it has no way of knowing how to resolve www.google.com into an IP address, and checks its list of forwarders to see if any forwarders have been configured for it.
  3. On the forwarders list it finds the IP address of the external name server hosted by the company's Internet Service Provider, so it forwards the query to the ISP's name server to handle.
  4. The ISP's name server goes up to root as needed (which can involve two or more additional queries) to resolve www.google.com into its IP address and returns this address to SRV220.
  5. SRV220 returns the address to Bob and he sees Google appear in his browser.

Note that this procedure takes about the same number of steps as before, but most of these steps are performed offsite by the ISP's name server, so the amount of bandwidth used over the Internet connection is considerably less and the processing load on the internal name server SRV220 is minimized as well. And these are good things from an administrator's perspective. Of course, if the forwarder doesn't respond within the timeout configured, the server can either try another forwarder (if configured) or use root hints (if available) or give up and return an error.

On Windows 2000, forwarders are configured using the General tab of the DNS server's properties sheet in the DNS console:

What's different in Windows Server 2003 is the concept of conditional forwarding, which I'll look at next.

What Conditional Forwarding Does

A conditional forwarder is one that handles name resolution only for a specific domain. For example, you could configure your name server to forward any requests for hosts in the domain google.com directly to a specific name server that is authoritative for the google.com domain. What this does is speed up the name resolution process by eliminating the need to go up to root to find this authoritative server. In this case our previous example would now look like this:

  1. DESK231 sends a recusrive query to SRV220 asking to resolve www.google.com into its associated IP address.
  2. SRV220 looks in its DNS database and finds zone information only for the test2003.local domain, realizes www.google.com is not part of that domain, decides it has no way of knowing how to resolve www.google.com into an IP address, and checks its list of forwarders to see if any forwarders have been configured for it.
  3. On the forwarders list it finds a conditional forwarder configured, which specifies the IP address of an authoritative name server for the google.com domain, so it forwards the query to this name server to handle it.
  4. The google.com name server immediately resolves www.google.com into its IP address without the need of going up to root and returns this address to SRV220.
  5. SRV220 returns the address to Bob and Google quickly shows up in his browser, prompting Bob to say, "Hey, the network sure is fast today!"

Let's now see how to configure this in Windows Server 2003 DNS.

How to Configure Conditional Forwarding

First let's find a name server authoritative for the google.com domain. To do this we'll use the WHOIS lookup tool on the NetworkSolutions website at http://www.networksolutions.com/en_US/whois/index.jhtml. Go to this page, type google.com into the WHOIS search box, enter the code displayed (a feature that prevents mass lookups by automated programs), and the following results are displayed:

google.com

Whois Server Version 1.

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to
http://www.internic.net
for detailed information.

Domain Name: GOOGLE.COM
Registrar: ALLDOMAINS.COM INC.
Whois Server: whois.alldomains.com
Referral URL:
http://www.alldomains.com
Name Server: NS2.GOOGLE.COM
Name Server: NS1.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Status: REGISTRAR-LOCK
Updated Date: 03-oct-2002
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011

Let's find out the IP address of name server NS1.GOOGLE.COM using ping:

Now that we have the IP address of one of the name servers authoritative for the google.com domain, we can configure Windows Server 2003 DNS to conditionally forward all name queries for this domain to this name server.

To configure conditional forwarding, open the DNS console under Administrative Tools, right-click on the DNS server node, select properties to open the Properties sheet for the DNS server, and select the Forwarding tab:

If you compare this to the previous figure for Windows 2000 DNS above, you'll see a few differences. First, if you just want to configure a regular forwarder here, leave "All other DNS domains" selected in the DNS domain listbox, enter the IP address of the forwarder (typically the address of your ISP's name server) in the dotted box, and click Add. If you want to add a conditional forwarder however, do the following. First, click the New button and type the name of the domain you want your name server to conditionally forward to:

Click OK and the new domain appears in the top listbox (make sure it is selected for the next step):

Now type the IP address of your conditional forwarder into the dotted box and click Add to add it to the selected domain's forwarders list:

Click OK to apply the change and close the properties sheet and you're done. Now any name queries for the google.com domain that are issued against the name server are forwarded directly to the name server for the google.com domain to resolve.

Using Conditional Forwarding

When might you want to use conditional forwarding in the real world? I can think of several situations where it might be useful:

  • To improve name resolution between two separate companies that need to provide their users with access to resources in the other company's intranet. This sort of situation is common in a merger situation or between supply-chain partners. Just set up DNS servers in each company to forward name requests for resources in the other company's network directly to the IP addresses of name servers in the other company and you're done. Of course, this can also be done using stub zones as I discussed in my previous article DNS Stub Zones in Windows Server 2003 and I'll compare the two approaches in a moment.
  • To improve name resolution within an Active Directory implementation that has a disjointed namespace (separate forests or multiple domain trees) or a deep hierarchy of subdomains. In this kind of situation you can set up conditional forwarding so users in one domain can avoid having to go all the way to root to find resources in a separate forest, another domain tree, or way down the domain hierarchy in a tree. Again, stub zones could also be used for this purpose if desired.
  • And then there's using it simply to forward name queries for specific Internet sites like google.com as in the example above, but that example was meant only to be illustrative of the procedure for configuring conditional forwarding on your name server--my company has no plans on merging with Google anytime soon.

Summary

Finally, is there anything you need to watch out for regarding using conditional forwarding? Two things come to mind First, conditional forwarding is suitable if you are dealing with a fixed DNS infrastructure. That means in a merger or supply-chain scenario you must be sure the other company doesn't plan on changing their DNS infrastructure by decommissioning old name servers, deploying new ones, or changing the IP addresses of existing ones. If they do change their infrastructure and don't inform you of this, then your name server may suddenly find itself forwarding queries to non-existing name servers resulting in failed name queries and frustrated users flooding help desk with calls. In that case, it might be better to create stub zones on your name servers for zones for which the other company's name servers are authoritative. That's because stub zones automatically update themselves with the current list of name servers in the zone while configuring forwarders is a process that has to be done manually. Same thing in a large enterprise that has a complex Active Directory forest--if you aren't sure that administrators in other divisions of your company are going to tell you in advance when they change their DNS infrastructures, don't implement conditional forwarding--use stub zones instead.

The second caveat concerning conditional forwarding is not to get to carried away implementing it. You might think you could improve name resolution for your users by adding dozens of forwarders for the most popular Internet sites they use for work purposes, but this might be a bad idea. The reason is, when you have a long list of conditional forwarders configured, your name server has to go through the entire list until it either finds the domain requested or fails to find it, in which case standard forwarding is used (if configured), after which root hints is tried and standard recursion employed. The result of this is that your name server has to perform extra processing to go through the forwarders list each time a query is received, and in addition to increasing the CPU load on your server this can also result in slower name resolution rather than faster due to the time it takes to process an especially long list. And if the forwarder itself is also part of your own company's DNS infrastructure then be aware that the added load of receiving forwarded queries from other name servers and performing recursive queries to resolve them means your forwarders will experience especially heavy CPU utilization and may need to have their hardware beefed up considerably to handle it. So if you do plan on using conditional forwarding, particularly within your own enterprise, be sure to use it only where it really makes a difference and use it sparingly.