Category Archives: Weblog

SUE2014: Wrap up


As mentioned in my previous blog post, I went away after the CFEngine workshop. I was so full of information and knowledge that I could not cope with additional input. I think that it was a great day. The last time Snow did such an event I didn’t even work there yet, and I think Snow did a really good job after such a long time. Personally I would applaud this and hope to see this again next year. I challenge you as a reader of my blog to be there if that is possible, or to give a talk! Please contact me in case you are interested in that.

I cannot wrap up this blog-spree without thanking a few people for making this happen. The staff at Snow did tremendous work in little time to get this going; they really did a good job and handled everything fine! There were a few long days before the event started and everyone needed to work hard to make this a success, and I think they really earn a Thank You! from everyone who visited the event (or is currently visiting the event!).

Hope to see you all next year!

Network and Security Consultant for Snow B.V. in Geldermalsen.

SUE2014: CFEngine 3 workshop / Mark Burgess


Instead of having more talks, I was invited to join the workshop from Mark Burgess around CFEngine 3. As someone who plays with Puppet and has set that up on my VMs and colocated machines (a good 10 machines, some servicing similar functions, some doing totally different things), I have some experience in configuration management, even though I am mainly a networking and security consultant :-)

What happened is difficult to describe. Mark is excellent in giving such a tutorial or workshop, and his motivation and energy are a real lot to cope with in little time.

The workshop itself was great, and that does not actually cover it as I mentioned, but well, this is the best word I can find about it. Comparing Puppet and CFEngine is not actually fair; both do things in their own ways and have their way of doing it. Puppet has its advantages but clearly CFEngine has as well. As a security consultant I found that you are able to remotely tripwire a system, which means that in a group of machines, every other machine can check another machine for file changes and report to the hub (if you want) if there are differences. CFEngine will try to fix these differences so that the system is again in the state you want it to have, still alerting you that something was fishy and might need investigation. This all happens by default every 5 minutes. So basically you are most likely 2.5 minutes away from having a fix applied to your system automatically and still get the alert.

The concept of CFEngine is that it will only work on things that it is able to fix or repair for itself. “Self healing”. If that is not an option then you are most likely not using CFEngine.

The syntax is a bit odd though; it’s something you really need to get used to, since it is not as clear (for me) as a programming language where you have logic defined. Certain keywords describe the function of a variable, and you can assign and request them; depending on the keyword something will happen. That might get kinda ugly if you have $(variable[$(nested_variable)]), which is still pretty easy, but gets unreadable if you do complex things with it. Or at least that is my understanding.

Another thing that I miss is the standard library path. CFEngine makes some odd assumptions (my opinion) on where files are located. If you for example call out cf-agent -f $fileinyourdirectory it will look up the $fileinyourdirectory in /var/cfengine/inputs/ instead of the directory you are in. You need to specify ./ in front of the filename to have it look in your current working directory (cwd). In addition some functions require the cfengine_stdlib file, which is fine, but unless you are in the /var/cfengine/inputs/libraries directory, you need to either specify that it is in that directory, or a subdirectory, instead of having it look for that content in the default directories.

That said, since I am starting to learn Puppet I will most likely stick around with it for a little while longer. CFEngine surely has its potential, and I also had a little chat with Glen Barber from the FreeBSD Foundation yesterday, and he goes berserk on CFEngine; things he showed me puzzled me.. but then again he gets puzzled by Puppet stuff.

Many thanks to Snow and CFEngine/Mark Burgess that I was able to be there. It was a hard three-hour workshop, frying my brain entirely (I needed to go away immediately after, because I couldn’t get more information in :-)) but it was well worth it. For me personally that was the best thing at the SUE2014!

SUE2014: Samba4 headsup / Jelmer Vernooij


After attending the talk of Mark there was a little break with coffee and we continued with Jelmer Vernooij’s Samba4 headsup.

This talk actually scared me a lot. As a project member at the FreeBSD project, I know how big software projects could work, and that is not entirely how Samba works. Samba seemed to be lived by ‘tridge’ who every now and then wakes up from his cave and starts coding something, puts it all in one big file and throws it over the hedge hoping that people will pick it up.

Jelmer iterated through the history of the Samba project, and demonstrated that it is a hack-ish project with superglue attached so that things work and perhaps if you are lucky keep working. I somehow missed the actual headsup about Samba4 and forthcoming plans on where the project will head towards.

I now know that even though I find Samba an amazing product which works fairly well most of the time, it is actually one scary project and perhaps they need to do something about the PR around it. My suggestion would be that there is much more positive talk around the project, showing what you CAN do, demonstrating what Samba4 now has (AD Domain Controller support) and how that works as an example. And what hopefully will work at some point in time.

Another suggestion that I would have is to look at big operating system projects and appoint a ‘core’ team, that by consensus will lead the project and give an estimate on where things should be heading towards. Keep away from getting multiple developer communities to develop samba3 and samba4, it will be one big mess.

This talk didn’t actually give me what I hoped to get, Jelmer tried his best and he knows a lot, do not get me wrong, but the suggestion of the talk title and the actual talk were too far apart.

SUE2014: The collapse of complex infrastructure / Mark Burgess


As promised I would write up a little blog about some of the talks I attended. The day went a bit different than first anticipated because I also followed the CFEngine 3 workshop from Mark. I will write something about that as well in a different blog post.

Mark talked about the collapse of complex infrastructures, and made parallels to the collapse of complex societies. Did you know that societies actually go through the same problems as we have in our infrastructures?

One of the key points that Mark pointed out is that we are good at making things bureaucratic, making things break up so that everyone does their own thing, and with that you have a chain of different groups working on one product or service but all doing their own thing. The cost of communicating with each other increases as the complexity of the company or social group increases. At some point this does not work anymore. And there is the collapse. This is not a problem per se; sometimes we need complexity to get our product or thing going, but we need to acknowledge that and guide the process to, for example, ease the communications between those complex groups. They should be as autonomous as possible, lowering the cost of communications etc.

We really need to properly look at our information from societies and use that information to make us better companies. We can learn from the mistakes that were made, but still we manage to keep making the same mistakes. The beast is made more complex, the cost of doing something increases and finally the beast is no longer servicing what we need.

I started my working life at the ING Bank back in 2001, and we saw this happening exactly there: split, split, split, split. Instead of one group doing all the work with people with specialities, 7 groups went doing the work, and they were not able to properly communicate with each other. Getting things done did cost a huge amount of effort and time. The beast grew too wild and no one had autonomous powers to prevent this thing from happening. Later on I understood that this kept changing even after I left. I honestly have no idea how it works now or whether that performs as it should. But at least I can see real life examples in my work past where these things happened.

Snow Unix Event 2014

Today I will be at the office for the Snow Unix Event 2014 (SUE2014 for short). The day will consist of several interesting people like Mark Burgess who will talk about “The collapse of Complex Infrastructures”. Since we try to reduce complexity in larger and larger infrastructures this sounds like a very interesting talk.

Next up will be “The Samba4 headsup” by Jelmer Vernooij. There are rather large changes in the Samba4 code; for the first time you will be able to set up a domain controller with Samba in the Active Directory world. Jelmer is going to talk about that and more.

My colleague Martijn Posthuma will talk about RHEV/RHSS and how you can use a hypervisor for storage functionality. Since I do not know much about how that all works, I am very interested in hearing what the possibilities are.

As pre-final of the day John D. Cook will inform us how you can build a reliable system on top of unreliable parts. Since that is what we all do I am eager to learn more about this.

Finally on the day itself is Ronny Lam who will talk about Software Defined Datacenters, SDN and NFV. Ronny is an old colleague of ours and joined NetYCE a few years ago, doing the things he will talk about. Central orchestration and defining how things should look is the main thing companies are heading towards if you ask me.

The day seems interesting and I will write about the events as they pass by. They will be prefixed with SUE2014: Talkname / host, so that you can easily read what the talk is about and how I think we can use this.

Of course I hope that we will redo this all next year, since you are most likely already too late when you read this (except a few who are already on the guest list :)), and that you will be there as well, either as someone who gives the talks or as someone who will follow the talks. Stay tuned!

IPv6 outage

It seems that some of my services running IPv6 are not (well) reachable. The tunnel appears to be broken, the tunnel endpoint is not responding to anything at the moment.

This could include some calendaring services for my private users. Apologies for the inconvenience.

Multilingual blog -> stop.

The above says it all. I stopped maintaining the two versions of my blog. I do not have the time nor interest to keep up with them. In addition the additional domain that was servicing the content is scheduled to be removed at the end of the year. If all went well the main bilingual content has been made available as regular posts within my blog. No distinction between Dutch/English versions, just perhaps two blog entries for the same content (well, except that the language differs).

For now will redirect traffic to, which is not set to expire anytime (at all) soon.


So. Last night I figured that I wanted to play with disks delivered from my QNAP 659-pro. I of course can mount disks directly via NFS but that is less awesome (sorry, we are watching Chuck via Netflix, and captain Awesome.. is just.. awesome) than having a virtual disk ready for you with a predefined size. At home I have two fully loaded Mac Minis, with VMware Fusion on them. Combined I run like 12 VMs, all with a minimal disk attached via VMware. But of course those are only local and are not backed up at the moment, because of space requirements.

Last night while playing with the QNAP settings, I got distracted by this thing called iSCSI, and I know that one can use that to provision disks from the storage and offer that to the host, like it were a locally attached disk. Couldn’t get it working last night (tired), but now in the garden and in the sun, I noticed what went wrong. Examples talk about a very different IQN that the clients use via FreeBSD. Of course I should have figured that out last night but didn’t see it.
The correct IQN is where hostname should be replaced with the name of YOUR system :-).

This way I got a disk:

da1 at iscsi13 bus 0 scbus3 target 0 lun 0
da1: <QNAP iSCSI Storage 4.0> Fixed Direct Access SCSI-5 device
da1: Serial Number <my serial number>
da1: 20480MB (41943040 512 byte sectors: 255H 63S/T 2610C)

Which you can easily newfs, or partition as needed. Currently this does nothing locally, but I am going to consider having all VMs that require storage have a storage disk on the QNAP directly so that that data is safe. No need to back up the rest of the data, because when I finally have Puppet running it is just a matter of redeploying the host and reattaching the storage to have the machine available again.

I just love automation :-)

Raspberry Pi

Recently I ordered two Raspberry Pis. Everyone is enthusiastic about them, or well at least most people, and I am going to do a little project with them. I ordered two IR capable cameras (forgot the LEDs, if someone has ideas to get good working IR LEDs for a good price?) and with them I am trying to find out why our youngest cat does odd things in the house during the night. We suspect cats from the neighbours or our own cat that is sitting in front of the backdoor (the other cat that is).

So far I run the default OS on it, Raspbian (modified Debian), but in the future I would like the OS of my choice.. FreeBSD. I am not sure though whether or not the IR Pi-Camera board is supported on FreeBSD already. But given that there are two Pis and they are not active in the project yet, I can still experiment with them (back up the current SD card and write an alternative image to the card).

If people have suggestions on the usage and such, please let me know :)

Mac OS X 10.9 ‘cannot assign requested resource’


Now that I am running a Mac Mini with several VMs to play around with, I started noticing that they periodically blow up. At some point in time the machine starts nagging and can no longer set up IPv4 connections. If you issue a telnet to a certain host on IPv4, you will get the message that the host ‘cannot assign requested resource’. Which is unfixable. If you see that and issue a netstat -an for example, you will see many open sessions (thousands) which seem to be stuck. The only real way to get rid of the problem is to reboot the machine.. and that is fine, were it not that the machines are used as 24/7 access devices and just should not be rebooted because of these silly things.

Are there people that run into that as well? Did you find a solution for that? I know that more people run into it and have reported this to Apple, but I didn’t see a solution there yet.

Of course this is a luxury problem.. but hopefully we can fix this :)