Partitioning with parted for LVM

Disk partitioning and volume management can be complicated like when you've got disks in RAID groups carved into LUNs connected via fiber channel to a NAS which is pooling the LUNs and then creating file systems and then sharing NFS to VMware hosts which is creating virtual disk files which the guests see as local disks which they can then partition and add them as physical volumes to volume groups carved into logical volumes which are then formatted with file systems and mounted before you can finally start storing some files... And changes are done online.

Now I've written about LVM before (http://archangel.thenibble.org/2010/11/disk-management-with-logical-volume.html) and to re-iterate, if you're using any main GNU Linux distro, you should use LVM.

Skipping the SAN, NAS, and virtual layers, when adding a new local disk, general practice is to create a partition on that disk with "parted" and add that partition as a PV (rather than doing a whole disk which can be harder to resize for LVM). With parted, create "GPT" partition tables instead of DOS as GPT will work for all drive (partition) sizes. Partition sizes can also be given in percentage which is useful both for the start of the disk which automatically aligns the partition as well as for the end of the disk to use all available space.

Example session:

# parted /dev/sdc
GNU Parted 2.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel
New disk label type? gpt
(parted) mkpart
Partition name?  []?
File system type?  [ext2]?
Start? 0%
End? 100%
(parted) set
Partition number? 1
Flag to Invert? lvm
New state?  [on]/off?
(parted) p
Model: VMware Virtual disk (scsi)
Disk /dev/sdc: 53.7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  53.7GB  53.7GB                     lvm

(parted) q
Information: You may need to update /etc/fstab.

# pvcreate /dev/sdc1

  Physical volume "/dev/sdc1" successfully created

... vgcreate / vgextend, lvcreate, mke2fs, and so on.

Ciao

Squid Proxy and WCCP

The last few days I've been struggling to get a transparent proxy setup for our network using WCCP from our Cisco ASA firewall to a Squid proxy.

I had a hard time getting my Squid proxy handling transparent caching from our Cisco ASA with WCCP(2), mostly with getting the GRE working. I was working mostly with this page:

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#WCCP_-_Web_Cache_Coordination_Protocol

The biggest confusion for me was that the GRE was not a point-to-point tunnel. In the end it was working as a sort of pseudo interface to handle the GRE encapsulation and the NAT redirection pushed packets through that interface as the glue.

“modprobe ip_gre”

This creates a generic GRE tunnel gre0; which you can see with “ip tunnel”. Load this module on boot. With CentOS and other RedHats

echo modprobe ip_gre >> /etc/rc.modules

chmod +x /etc/rc.modules

An IP interface needs to be brought up for gre0, but doesn’t have to connect to anything. Many examples I saw used a localnet address like 127.0.0.2. I used the following (no 172.16.x.x in my network, it’s a dummy address):

/etc/sysconfig/network-scripts/ifcfg-gre0

DEVICE=gre0

BOOTPROTO=static

IPADDR=172.16.1.6

NETMASK=255.255.255.252

LOCAL_DEVICE=eth0

ONBOOT=yes

IPV6INIT=no

Lastly iptables glues the GRE to Squid (we use 10.x.x.x addresses for our network):

cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014

*nat

:PREROUTING ACCEPT [26:6791]

:POSTROUTING ACCEPT [86:5532]

:OUTPUT ACCEPT [86:5532]

-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT

COMMIT

Rp_filter disabled and ipforwarding enabled as indicated in the document.

And Bob’s your uncle!

MySQL Replication

MySQL replication is very flexible for running multiple servers. Most MySQL administrators should already have a copy of "High Performance MySQL" (Baron Schwartz, Peter Zaitsev, Vadim Tkachenko); if you don't, get this book as it is top notch and will guide you through most configurations imaginable. Rather than repeat what is already written, here's a few things I've found that can help make things simpler.

There are a few things with replication you need to be attentive to.

• Set a unique "server-id" for each server
• Keep your binary logs (and relay logs) with your databases
• Initialize your slave cleanly
• Run your slave "read-only" 
• Use "skip-slave-start" if the slave is used as a backup

Figure out a scheme to create a unique "server-id". If your database hosts all have unique number in their name, you could use that. I've been using their IP addresses converted to decimal (IP Decimal Converter). Even if you're aren't thinking about master-master or many slaves configurations today, starting with this set will save you the trouble later of having to reinitialize everything.

Unlike best practices on other platforms like SQL Server, with MySQL it is going to be simpler to keep the binary logs with the databases. Like if you try to initialize slaves with LVM snapshots, capturing binary logs with databases in one snapshot is going to be the best. And moving binary logs later is a challenge. So for the "log-bin" and "relay-log", set these to a file name only and not a full path ("mysql-bin", and "<hostname>-relay-bin").

 Create a script to (re)initialize a slave. If your environment is on the messy side and there's a lot of strange things that people are doing in the databases, you are going to find your slave is at risk of getting out of sync with the master. I would suggest re-initializing the slave(s) as often as possible, like monthly. Even if your environment is pristine, you will inevitable make changes from time to time and will want to have had a consistent tool for initializing slaves. Again, "High Performance MySQL" has several good ways of doing this. LVM snapshots and rsync are what are in my scripts. The Percona Toolkit (including the former Maatkit) also has some good tools for you.
Running a slave in "read-only" ensures only "root" can make changes which helps ensure the slave integrity. If you want to have a writable slave, e.g. one out of sync with the master, why use replication? Load data as needed and skip the whole replication thing. Even so, very bad schema (like tables with no unique keys) are still susceptible to falling out of sync as replicated transactions may not behave consistently. There may be other reasons for slaves to fall out of sync, but this has been my problem so I couldn't attribute any out-of-sync issues to anything else.

For a server that is intended to be the backup of the primary, the "skip-slave-start" is necessary for the times you do use the backup server. It means every time you restart MySQL, you have to manually issue "start slave" which prevents the backup server from downloading transactions from the primary server like after you have made a cut-over and are trying to restore the primary.

Monitoring Network Traffic at Home

Since the news last week about LG "smart" TVs ignoring privacy settings and sending all your viewing and media information to LG, BBC News LG investigates Smart TV 'unauthorised spying' claim, I started looking at increasing monitoring of network activity at home and see what my Wii or Sony Blu-ray player or other devices are up to.

Virtually any router allows you to enable SNMP which is enough to collect aggregate interface traffic. I have been using Cacti for recording traffic for years.

What I've found is that DD-WRT has something called "rflow" to send live packet information to a monitoring server - an equivalent of Cisco NetFlow. The Network Traffic Analysis With Netflow And Ntop guide is very good, and on Ubuntu the ntop server is readily available. This gives a live view of what systems are connecting to what, how much traffic is passing on different protocols and top users. Great if there's any question of who is hogging all the tubes.

But not enough to tell if your "smart" DVD player is reporting to Sony that you enjoy "midget porn" in the privacy of your own home (I'm not judging; that was the example in the BBC article). For that, I will need to look at some bigger iron - Snort to really go whole hog.

Simple web page for generating passwords

I find it annoying not to have APG handy when I want to create a password. I also don't like using random websites online for this either because I can't trust that they aren't logging their output. So I put a simple little form and using PHP to invoke APG to create passwords. My form right now is very simple and doesn't support all of the APG options, but it will do:

https://alia.thenibble.org/passwords/

Here's the simple code I'm using:

https://docs.google.com/document/d/12CViQAEW6q2moZ4GtkJllsD0-8pazpVMfeYjlrBz-4s/pub

Use owncloud for RSS feeds

Sorry hosted services, I will be using my owncloud with the "news" plugin for my feeds.

Whipping Up a Quick Site

Recently I helped set up a quick site along the lines of a proof of concept for a community type site and had decided to use Google Sites and we were very well rewarded with the richness of what is readily available after getting a bit used to how everything is put together.

I feel like there is almost no technical knowledge required, it just takes a bit of getting used to. Not much, but some. When you are first trying to layout your site, you have to poke around for a bit to figure out what things need to be changed on the page, the page layout, the page template, or the site layout. I don't want to do a mock-up and the site we put together will get taken down too soon to be used as a reference - as long as you have some idea for a layout for the site you want, you can make it in Google Sites. Sketch it out on paper works fine, just fine. There will be a couple places where some HTML knowledge is useful, not necessary but useful if you want something too align or look a very specific way.

Now for the cool stuff.

Site templates - there are a bounty of free site templates everything from generic Pokemon theme to a complete Strata community site with calendars and council meeting minutes etc. 

And if you can't readily find a site template that helps get you started, it is super easy to put a site together even from scratch. Managing the site layout and using page templates make building your site very fast. You get the look and feel you want for your pages together quickly so you can work on the content. A handy trick with your page templates is you can give a default "parent" page so you can create many pages in one section.

In your site layout, you can have a main navigation bar. The nav bar you put together manually putting your main pages and sections. When you put sub-pages in the main nav bar, it makes nice little pull-down menus. It sure beats the stock left-hand nav section which lists all your pages in alphabetical order - get rid of that ugly thing.

And then there's the widgets. The best integration on Google Sites is obviously Google's other products: Calendar and Docs. An event or other calendar can be dropped right in your site and then regular sharing rules apply.

One of the features of Google Docs (or is it Drive now?) that is particularly useful for your site is the "forms". You can create contact forms, polling data, and probably a lot more than I've seen in my quick tour. 

The contact form is interesting because what you can do is change the form responses to send notifications for when it is filled out. This will give you a stock contact form so you don't have to put an email address on the site and only takes a minute or two to put up.

Any information your gathering like from a poll comes with rich analytics out of the box. The form responses have full reports on response selection and trending. Which you can publish or not as appropriate.

Lastly I will mention you can of course use your own domain for the site. Anonymous visitors to your site will see the custom domain. Users logged in to sites will be instead redirected to sites.google.com/a/sitename/page/blah/blah/blah... 

Super quick and easy. 

Google Sites is "free" so remember "If you're not paying for the product, you are the product."

... And even if you pay for the product, you may still be the product.

</rant>