Matt-J.co.uk : Ramblings

I was going to write about the new Nexus 4 i’ve finally managed to get my hands on, and why, after many years of my mobile phones all having names beginning with ‘i’, I’m actually finding this new android device hard to fault…

But this guy pretty much 100% summaries my thoughts for me, right down to why previous attempts for me running android have failed.. and therefore saves me the trouble! Worth a read, whichever side of the fence you are on!

http://gizmodo.com/5973073/an-iphone-lovers-confession-i-switched-to-the-nexus-4-completely

So the delivery of a new corporate laptop this week got me thinking;

It’s much more powerful, portable and generally nicer than anything I own and the fact of the matter is; if I’m near a computer for five out of the seven days every week, it’s going to be this one.

This ties into my last post about BYOD and staff ‘bringing their own data’. This works backwards to corporate-supplied devices too;

BYOD is currently, lets be honest, only really bringing your own ‘addon’ devices, and not your full digital working requirement.

BYODv2 in my mind will be where users fully bring every bit of local compute power they need to work, maybe minus the clutter/heavyness of standard peripherals such as screens and keyboards, instead have a uniform, wireless dock interface.

So for as long as there are corporate laptops, which their users are more likely to have on them than any personal laptop for a massive percentage of their weekly lives, there will always be remnants of their own personal data from lunchtimes, weekends, corporate travel, after works etc.

I digress, back to MY new shiny corporate laptop;

• I needed a kick to get all my data, which is currently spread everywhere into some semblance of order and peace of mind over backups etc.
• I hate always being on the wrong device for what I’m looking for (ooh, I took that photo on my iPhone, not my laptop/tablet/Nexus 4/Tomorrows device number seventy six and a half).
• I don’t like having to swap between personal/corp equipment, especially now the corp laptop is actually much more powerful than my own!

Turns out, this isn’t something I should have thought about, as while the cloud solves some of these data-everywhere questions, it also opens up a lot more choice, ie a lot more questions on howto go about all this, it’s amazing just how many branches you end up with in your mind when you try and tackle that which, on the face of it, is a simple ‘get to my data on my devices’ question.

Even without going into all the corporate access stuff, my personal digital life and (more to the point) access to it, created this monstrosity, can you do any worse? Have you had the same thoughts and come up with a solution that works well? Do you want to talk to me about cool ideas for BYODv2 above? Comment or e-mail.

-Matt

Oh dear, it’s 3AM again

A friend put me on to http://owncloud.org/, which despite it’s awful naming (oooh cloud! That’s new and good isnt it? snore!) is an open source implementation of some of Apples iCloud featureset (from what I can see) which can be hosted anywhere you want.

At first I was about to hit download, as a techy, running my own things in my own VM’s or somewhere I control the data security, backups etc, makes me feel a bit better; but then I realized something which I think a lot of people will realize, techy or not;

I’m already using my own Phone/Tablet for both work and for personal. My corporate dropbox/exchange/data stores will be much better backed up (one would hope) than anything I’m going to run locally and probably better than any very cheap consumer-level ‘cloud’ data stores; and even if not it doesn’t cost me anything.

… I’ll just backup/store my contacts/calendar/photo’s on there.

If you’re encouraging people to Bring their Own Devices to into your corporate infrastructure, don’t be surprised if they bring some personal data too. Expect ‘Personal’ or ‘Private’ or ‘NonWork’ directories to start appearing in users dropboxes, expect groups of contacts named ‘personal’ so they can filter them on their phone when they are not working. Have you capacity planned for this when thinking about BYOD?

For the record, I don’t think it’s such a bad thing and I think taking a hardline stance against this will slow down BYOD adoption; the company is making savings on client endpoints, the users therefore must feel it is ‘worth’ tying their own devices into a possibly restrictive corporate policy.

Just my 10p
Keep the change!

This isn’t really a proper post, more just some little notes I can point people too (which I guess, technically is a blog post, ahh well!).

So Virtualisation, have used VMWare products (most of) and Xen previously in production, with Virtualbox my desktop-virt product of choice for testing on my local machine for some years now, but times change and my current view is this;

- XEN is disappearing from many distro’s (including the ones I mainly use in production) and being replaced with KVM.
- VMWare VCenter/ESXi is a bit overkill for my test/home/local machine VM’s stuff.
- Virtualbox is good but annoys me that I need to install extra kernel modules etc and updates (even if it’s done through DKMS) when my kernel supports KVM anyway!

So I’ve moved a lot of home/test/local machine VM’s to KVM.

KVM Vs XEN
Not going into performance (many, many better testers have spent more time looking at this than I), but just to clear up a couple of things. The reason distro’s have moved away from XEN DOM-0/DOM-U support in favor of KVM is that “KVM is Linux, XEN isnt”.

By this, we mean;
- KVM is a hypervisor made from the components of your Linux kernel, it is this Linux kernel of the your linux install placed onto the bare metal that runs on the privileged area of your processor, providing hardware assisted virtualization to guests on CPU’s that support VT-x/AMD-v. You’ll notice in this install you can still see the virtualisation CPU extensions in ‘/proc/cpuinfo’ as it’s this OS that IS the hypervisor;

processor : 2
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Quad CPU Q9400 @ 2.66GHz
stepping : 10
cpu MHz : 2666.583
cache size : 3072 KB
physical id : 0
siblings : 4
core id : 2
cpu cores : 4
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm dts tpr_shadow vnmi flexpriority
bogomips : 5333.16
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:


- XEN on the other hand is nothing todo with linux, it’s a separate hypervisor that runs it’s own non-linux microkernel and then boots one instance of linux as it’s first guest, called DOM-O, this first guest has the privileges to control the underlying XEN hypervisor, but it’s still a guest, you wont see your CPU flags even in your DOM-0 because it’s not linux running directly on the hardware, it’s XEN. You can also see this in grub, notice how your kernel and initrd are both passed to XEN as modules, it’s XEN grub is actually booting.

Hardware Virtualization – Peripherals (virtual)
So with hardware virtualization, we are no longer having to translate/emulate instructions (or VM’s memory pages with the newer EPT stuff) to and from the processor, that’s handled in hardware reducing massive overhead. However, even though the code is running ‘native’ on the processor, we still have to present hardware to our guest OS’s.
This was previously done by emulating very common hardware (read; old) in software to present to guests (so that guests will already have the drivers for that hardware).

Implementing old hardware does not necessarily limit the virtual hardware devices to the same performance limits as the original hardware (for example the motherboard models implemented in KVM/VMWare/XEN etc can support way more PCI/PCIe ‘devices’ than the original board had slots for).

KVM Uses QEMU to present the device hardware to each virtual machine and there is some performance degradation by having the following peripherals emulated in software;

- Network Cards
- Storage controllers for HDD/SSD storage

VirtIO / Paravirtualized Hardware
To get around this, the idea of paravirtualized hardware has been created. This changes the Virtualization model somewhat from;

The guest OS doesn’t know it’s being virtualized, it runs on what it thinks is standard hardware using drivers the OS already has.

to;

We don’t really care that the guest OS knows it’s on a Virtualization host, so why not improve throughput to the hosts hardware by giving the guests drivers to better interact with the host/hypervisor layer in terms of passing I/O for disks, network cards etc.

This of course means the guest OS will needs special drivers based on whatever hypervisor we are using underneath, but then dispenses with the idea that it’s ‘real’ hardware, these paravirtualized guest drivers implement a more direct way of getting I/O to and from the hypervisor without having to emulate a fake piece of hardware in software.

VMWare has the VMNET(1/2/3) network card, for which you need drivers from the ‘VMWare Guest Tools’ installer. This is a paravirtualized NIC which has no basis on any real network card and gives better performance than the e1000e offered as another option in VMWare.

XEN had the xenblk and xennet drivers which did the same thing for NIC’s and Storage controllers. VMWare has paravirt storage controller drivers too I just can’t remember their names :)

KVM (and now Virtualbox can too) use something called ‘VirtIO’.

What is VirtIO?
VirtIO is exactly the same principal as the above offerings from VMWare and XEN, only it’s a movement to standardize paravirtualized peripheral drivers for guest operating systems accross multiple virtualization platforms, instead of each Hypervisor development team implementing their own guest-side drivers.

So for KVM, if you want better performance out of your Network/Disk I/O within a virtual machine, you’ll be wanting to use ‘VirtIO’ devices instead of emulated hardware devices.

More information can be found here; http://www.linux-kvm.org/page/Virtio

VirtIO also includes a driver to allow memory balooning, much like VMWare with the baloon driver within the VMWare guest tools.

It is worth mentioning here that this information is NOT the same as Intel VT-d or single root IO virtualization (SR-IOV) these are also related to virtual machine/guest OS’s and how they interface with hardware, but in a very different way;

- VT-d technology allows for a physical device (such a NIC or graphics card in a physical PCI-E slot on the host machine) to be passed directly to a guest, the guest will use the drivers for that particular device and will speak natively to and from the hardware. This required VT-D extensions on a CPU to work and a hypervisor capable of utilizing the technologies.

- SR-IOV allows for multiple virtual machines to see hardware devices, ie share the physical hardware device yet all still access the raw hardware natively just as one guest could with VT-d technology above. IE, 10 guests could share 1Gb/s each of a 10Gb/s physical network card, using the physical network card drivers directly in the guest (to support all that network card’s features and remove the need for the hypervisor to be involved in the I/O) without the need for emulated hardware or paravirtualized drivers. The hardware device (such as a NIC) needs to be designed to support SR-IOV and so far only a handful of hardware components have been.

I have had a trusty Solaris box at home now for 5-6 years running a few things;
- ZFS for my files, sharing out through SMB for media, iSCSI for playing with Netbooting and VMware shared storage.

- Xen (More recently) running on a Solaris Dom0 hosting a number of Centos5 DomU’s for other linux server based stuff.

- Multicast/Bonjour spoofing and apple filesharing making an excellent ‘fake’ timemachine for backing up my Macbook pro onto ZFS (works flawlessly and doesn’t have a single disk prone to failure unlike the time capsules

Over that time, I’ve either in-place upgraded, or overwritten the OS and let the new version of Solaris import the ZFS pool from;

Solaris 10, Solaris SNV_8X (Sun Internal), Solaris SNV_9X (Sun Internal), OpenSolaris (SNV_1XX), Oracle Solaris Express (SNV_151).

And everything was pretty much good :) Until now, now I tried to take the latest update, moving to the newly released Solaris 11.

Lots of things have changed in Solaris 11 compared to the SNV/OpenSolaris/SolarisExpress years (well, i’m not saying there hasn’t been a lot of changes during that time, just none that have negatively affected me, where as these do);

- Support removed for Linux branded Solaris Zones
- Support removed for Solaris 11 to be a Xen Dom0, or indeed be the base of any form of visualization solution apart from Solaris zones and VirtualBox (Guessing to allow Oracle to push it’s visualization product)
- No check in the ‘pkg update’ procedure as to wether the Xen kernel was in use before upgrade.

So, cutting to the POINT OF THE POST, I updated, a new boot environment was created, update successful, rebooted, boot fails!

You could just boot the previous Boot Environment, which works, but this is what you’ll need to do to boot the new BE;

1. Open the grub menu.lst from /rpool/boot/grub/menu.lst
2. Find the last entry in the file (named after the Boot Environment you’re having issues with)
3. Remove the references to Xen, as below;

Before;


title example-solaris-1
findroot (pool_rpool,0,a)
bootfs rpool/ROOT/example-solaris-1
kernel$ /boot/$ISADIR/xen.gz console=vga dom0_mem=2048M dom0_vcpus_pin=false watchdog=false
module$ /platform/i86xpv/kernel/$ISADIR/unix /platform/i86xpv/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive


After;

title example-solaris-1
findroot (pool_rpool,0,a)
bootfs rpool/ROOT/example-solaris-1
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive


We have just removed the Xen kernel and options and instead told grub to boot the ‘normal’ Solaris kernel. It seems pkg update don’t check for this when upgrading.

Now reboot and try the Boot Environment from the grub menu, should load fine and after some information about upgrading the SMF versions, you’ll be ready to login.

The second issue I found after this is that my SMB shares were not available, seemed that the SMB service was stopped due to dependencies, starting the following services magically made my shares come back to life;


svcadm enable idmap
svcadm enable smb/client
svcadm enable smb/server


Verify with ‘share’;

matt@F43-PSRV1:~# share
IPC$ smb - Remote IPC
Matt /F43Datapool/Matt smb -
Public /F43Datapool/Public smb -
c$ /var/smb/cvol smb - Default Share


I hope this helps someone, the last thing I have to work out is whether VirtualBox will provide as stable a solution for my Linux VM’s as Xen (as it seems to be the only option I have now, apart from moving back to Linux and losing ZFS/SFM/Crossbow/Comstar etc which I really don’t want to do).

That said, it really annoys me that Oracle have removed such a simple and powerful combination of Xen Dom0 and ZFS in the base solaris image, it served a perfect need for people who don’t need a full, separate, virtualization product such as testing, home use, small businesses etc. Why remove Dom0 support but keep DomU support! Anyone know?

Here’s something that seems a little interesting, O2 appear to be sending a header of the end users mobile number, to any website visited over their mobile data network.

Header is ‘x-up-calling-line-id’
Other networks don’t feel the need, I wonder what their reasoning is, either way, questionable privacy fail here!

More info here;
http://lew.io/headers.php

n So, it turns out i’m one of the lucky 46,524 ElReg (The Register) readers who has had their e-mail address spammed to a few thousand people… who have in turn, kindly placed it on PasteBin, random torrent sites, many forums, the side of the moon with a laser and other such annoying places!

And yet, i’m not that annoyed!

Here’s why… and I think in this day and age of everyone worrying about every bit of data, it’s important;

1. I’m called Matt and my blog is at www.matt-j.co.uk. Is it really that hard for a targeted phishing attack to work out an e-mail address in the first place?

2. It’s the register, a website that takes pride in highlighting technical cockups, basterdisations, IT Fo Pah’s and Comical! Yahoo! Related! Exclamation! Mark! Frenzy! Issues! before they’ve even sat down for the morning caffeine…. So no matter how annoyed we are all individually feeling, I’m pretty sure as an organization they’ll be feeling ten times worse for being beaten at their own game.

3. Did I mention it’s the register? I’m finding it quite hard (Maybe a psychologist wants to tell me why) to get annoyed with such an instutution within the industry, somewhere that generally gives you a good morning roundup of crap you need to concern your little head with.

But mainly because (and this is the important bit I was talking about at the beginning, the rest was just to test your stamina and determination!)…
They owned up, instantly, in an e-mail to everyone affected, disclosing figures that are far too un-rounded to be made up!

Yes, I think that’s it… Look at the recent Blackberry incident, it wasn’t that the service was down, it was that no-one from blackberry would give any of the circling vultures a single word for hours, even as speculation grew, nothing, twitter messages a-plenty… nothing! THAT’S the problem.

So ElReg, as much as you’ve amassed a million cocks to put yourself (and my e-mail address) in such a bastardy situation, it’s not going to stop me reading your news in a morning, fair play for making a hard decision.

And everyone else, I don’t claim to know much about business, but if you’re sucking at an all time low when competitors around you selling exactly the same service/product/moon etching laser are doing well, you may want to look at becoming more open and transparent with your customers.

Just my 10p, keep the change!

Matt

Hi all,

Came accross this issue the other day and since i’m currently stuck on a train between London Euston and Manchester, with what could be called a passable excuse of an internet connection, I’ll take a moment to document it, hope it saves someone else some head-scratching.

Issue: If using a Policy-Map based service policy within IOS to filter traffic on an interface and the undelying class-map is edited with any ‘match protocol http <more>‘ statements, the policy-map stops processing traffic, effectivley turning itself off for that interface.

Consider the following, two interfaces;

Vlan 1: 192.168.0.1/24

Loopback 99: 192.168.100.1/24

We the create a simple class-map to match ICMP traffic and use this in a policy-map with a match action of ‘drop’.

We now assign this to the output of the loopback99 interface, with the following command;

conf t
interface loopback 99
service-policy output TEST_POLICY_1
exit
exit

This should now block ICMP traffic (such as an echo/ping) to the interface IP;

We can also see the policy-map status for the interface, showing packets flowing through the assigned service policy and that drops are occuring;

Here is the issue, when we add/change any match criteria in the class-map (TEST_CLASS_1) relating to HTTP, the policy map stops working.

I also I added a ‘match protocol smtp’  before this, but you’ll just have to trust me that the policy-map continued working after that, only the addition of HTTP inspection caused a failure.

And now our traffic fails to pass through the policy-map, allowing ICMP which should be dropped;

The only workaround I have found is to remove the service policy from the interface and then re-add it after a class-map change, this restores correct functionality;

The following further output (too large for a screenshot) shows that while ‘broken’, the traffic was not even hitting the policy-map (as can be seen through traffic counters);

APCI877#sh policy-map interface loopback99
Loopback99

Service-policy output: TEST_POLICY_1
Class-map: TEST_CLASS_1 (match-any)
20 packets, 2000 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol icmp
20 packets, 2000 bytes
5 minute rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "bob.com"
0 packets, 0 bytes
5 minute rate 0 bps
drop


Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
APCI877#ping 192.168.100.1 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
APCI877#ping 192.168.100.1 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
APCI877#sh policy-map interface loopback99
Loopback99
Service-policy output: TEST_POLICY_1
Class-map: TEST_CLASS_1 (match-any)
20 packets, 2000 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol icmp
20 packets, 2000 bytes
5 minute rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http host "bob.com"
0 packets, 0 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


I have has a search via google and looked around the cisco bug toolkit, but couldnt see anything exactly matching this behaviour. I will be testing on the latest IOS 15.1 at some point (when i’m infront of a router that has a little more flash/ram).

Any suggestions, comments or blaringly obvious known cisco bugs i’ve missed are welcome on this one!

Matt

Last week I had the missfortune of needing to get some low bandwidth endpoints online for a client, these unmanned locations would have a few peices of technology sat behind an ADSL router with an IPSEC VPN back to a central location,bog standard stuff!

Naturally, I’d specified Cisco 877 ISR routers (as anything newer was overkill) allowing a good level of remote management, monitoring and control.

Base configuration was written offline, router is then connected to a BT ADSL2+ socket and an issue I immediatley recognised reared it’s ugly head;

PPPATM: ATM0 0/38 [0], Event = Vaccess Down
%LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
%DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
%LINK-3-UPDOWN: Interface ATM0, changed state to down

Errors would repeat every 30 seconds to 5 minutes, nearly two years on, 877′s still don’t support BT’s ADSL2+ connections it seemed!

Expecting a new, working ADSL firmware update in that timeframe, I headed to the cisco.com website and was bitterly dissapointed, even the firmware release ‘patch’ of yesteryear had been removed (which we didn’t have much luck with anyway when it first came out).

I knew we were looking for at least 4.0.0.18 (or 4.0.18 depending on where you see it written), backed up by many sources (just search for ADSL2+ BT Cisco 877).

What’s clear however, is that 4.0.0.18 as talked about all over the place doesn’t seem to be solving anyones problems and after getting hold of a copy by searching google for the what the filename would be based on the 4.0.0.17 download ( http://www.alcatron.net/cisco877/firmware/adsl_alc_20190_4.0.018.bin ) I once again confirmed this, even setting the line type to only ADSL2+ to rule out any negotiation issues still saw consistent drops every minute or so;

conf t
int atm0
dsl operating-mode adsl2+


(At this point it is probably worth mentioning that the 877 will use new firmware as long as it is called ‘adsl_alc_20190.bin’ and is found in the routers flash on startup (if not, the default firmware in the IOS will be used), further details and screensots courtesy of alcatron.net here!)

Eventually, after a lot of firmware testing, I found that cisco have some ‘by request’ only firmware versions which not many people seem to know about.
After testing internal version 4.0.223, I can confirm that my ADSL2+ link suddenly became stable and has continued this way ever since (Now over one week).

I think it’s a little strange that Cisco has kept this one so tightly under wraps.
Anyway, I am not suggesting that this firmware is fit, safe or even sensible to use, but it has resolved my issues here and if you’re reading this and at the very end of your patience with an 877/ADSL2+ combination, you can find the firmware at the link below;

http://downloads.netmetix.net/Cisco/Firmware/adsl_alc_20190_4.0.223.bin

I hope this helps! Let me know if you have sucess with this, would be interested to see how many people are still affected.