14.5.10
Moving a Symantec BackupExec 12.5 installation to another server
As part of our server consolidation and virtualisation project, we had to move an existing Symantec BackupExec 12.5 installation to another server. Symantec's document ID 319367 gives a very detailed procedure for performing this migration which worked to a tee for us. Give yourself about two or three hours to run through the entire procedure.
8.4.10
Virtual servers and SANs
Tempora mutantur nos et mutamur in illisWe're undergoing a major project to consolidate most of our server infrastructure as virtual machines under Windows 2008 Hyper-V. Suffice to say this is going to be a pretty intense 6 weeks, but at the same time it's a rare opportunity. We're also installing Active Directory (having previously been under NetWare's eDirectory, but never heavily used), so we also get to build a new domain from the ground up.
The primary motivator for this was that one of the core business applications here now requires an AD environment going forward. We then looked at how we could best take advantage of the new capabilities we'd have with AD, and that some of the hardware was past its life expectancy. Then we looked at other smaller projects planned for the ywar, and realised what infrastructure was needed for those. We had initially planned on a traditional server-based architecture for this refresh but suddenly realised that this was a prime candidate for virtualisation, and even more than that, it only made sense to do all this with a SAN. Once we got it all priced out and saw that for a relatively small increase in price we could make our environment extremely flexible in terms of service provisioning, well one thing led to another, and here we are.
There are a few challenges we have to deal with:
- Our current internal DNS server is BIND9 running under Ubuntu Linux, and for the sake of making sure that "weird stuff doesn't happen", this needs to be moved to Windows.
- We're moving from an externally hosted MDaemon mail server to an internally hosted Exchange server, so there is an obviously large transition there.
- All of the virtual machines are hosted in one physical server. Our disaster recovery plan calls for a second virtual host to be located offsite and be ready to take over primary operation within one business day should our entire head office go up in flames. Data replication is the tricky part here.
This will indeed be a tremendous learning experience.
18.1.10
Ubuntu 9.10 upgrade
Haven't posted in a while as I am living a real life.
For anyone keeping track, all of the ACPI problems I've talked about earlier went away with the upgrade to Ubuntu 9.10 on my HP Mini. I get "dual" processors now so things run even more smoothly, and the very fast startup/shutdown/hibernate time is a real treat.
For anyone keeping track, all of the ACPI problems I've talked about earlier went away with the upgrade to Ubuntu 9.10 on my HP Mini. I get "dual" processors now so things run even more smoothly, and the very fast startup/shutdown/hibernate time is a real treat.
12.9.09
Ubuntu and the HP Mini 5101 — follow-up
Labels:
hardware,
HP Mini 5101,
Linux
I'm very much enjoying using my Mini 5101. It performs much better than I expected, and now that I have my corporate VPNs and SSH tunnels set up in Ubuntu I have a fully portable support platform, for just such an emergency. I even have a 3G USB modem working (more on that some other time as there is a new model coming out I want to try as well).
Just to clean up some loose ends, I think the ACPI issue has to do with a strange BIOS setting. Intel Atom processors are all single-core as far as I am aware, and yet the dual-core option int he BIOS was enabled by default. Once I disabled this I haven't had any other boot problems since.
The webcam was easy enough to set up simply by making sure the camera was enabled in the BIOS and installing the luvcview and uvccapture packages.
Why would I bother with Windows?
Just to clean up some loose ends, I think the ACPI issue has to do with a strange BIOS setting. Intel Atom processors are all single-core as far as I am aware, and yet the dual-core option int he BIOS was enabled by default. Once I disabled this I haven't had any other boot problems since.
The webcam was easy enough to set up simply by making sure the camera was enabled in the BIOS and installing the luvcview and uvccapture packages.
Why would I bother with Windows?
1.9.09
The miracle of DomainKeys
Labels:
encryption,
messaging,
security
I work for a company that has in-house software for sending email bulletins to registered customers. The largest problem has been fighting off the major email providers — Rogers, Sympatico, MSN/Hotmail and Google — from flagging these messages as spam.
For some, just making sure that you have a correctly configured MX entry in your DNS along with a proper reverse lookup on the IP is enough. Of course, you usually have to talk to your ISP about reverse lookups, even if you have your own DNS server. If you're a big enough company that you own your own block of IPs, then make your cheques payable to me at...
SPF is a step forward -- it works sort of like a "call-display" for email servers. Your mail server knows what IP is connecting to send the message and can look up the SPF record to see if this IP is allowed to send messages for that domain. However, for some ISPs and mail providers, this still isn't strong enough.
DomainKeys was first introduced by Yahoo! and was then developed further by other major messaging providers to become an open standard. It works on the principle that if you're a spammer, you won't have your own domain necessarily, or a DNS server under your control that you can post public encryption keys to, or be willing to invest the computational time required to digitally sign some of your email headers. (In the last case, the time really is only fractions of a second, but when you need to send out millions of messages quickly before you get caught, every millisecond counts.)
There are plenty of good tutorials on how to set up DomainKeys, so I won't go through step-by-step here. However, I can give you the general picture of what needs to be done. You will need:
After this is configured, you need to publish your DomainKeys public key so that other mail servers are able to verify the digital signatures on those message headers. This is accomplished by two DNS TXT records. The first is a policy record published as _domainkey.yourdomain and simply states whether or not all messages are signed and how seriously you are using DomainKeys. A good way to start is to set the text to "t=y o=~". this tells everyone you're in testing mode and that some messages may not be signed. You can tighten this up after you've confirmed everything is working.
The second is the selector record which contains the actual public key. This is published to your DNS as selectorname._domainkey.domain and in its simplest form contains "p=" followed by the long garbled string of characters that is your DomainKeys public key. There are other options available, such as being able to explicitly declare cipher type, length, etc. but this information is enough to get things started. Your mail server software also needs to be told the name of your selector record as that information is included in the message headers.
That's it.
The biggest protection this provides is proof that a message really did come from your domain. As many spammers try to spoof the message sender's address in order to bypass more simplistic email filters, this is a way of proving whether or not a message really was delivered from your mail server or not. At least for now.
For some, just making sure that you have a correctly configured MX entry in your DNS along with a proper reverse lookup on the IP is enough. Of course, you usually have to talk to your ISP about reverse lookups, even if you have your own DNS server. If you're a big enough company that you own your own block of IPs, then make your cheques payable to me at...
SPF is a step forward -- it works sort of like a "call-display" for email servers. Your mail server knows what IP is connecting to send the message and can look up the SPF record to see if this IP is allowed to send messages for that domain. However, for some ISPs and mail providers, this still isn't strong enough.
DomainKeys was first introduced by Yahoo! and was then developed further by other major messaging providers to become an open standard. It works on the principle that if you're a spammer, you won't have your own domain necessarily, or a DNS server under your control that you can post public encryption keys to, or be willing to invest the computational time required to digitally sign some of your email headers. (In the last case, the time really is only fractions of a second, but when you need to send out millions of messages quickly before you get caught, every millisecond counts.)
There are plenty of good tutorials on how to set up DomainKeys, so I won't go through step-by-step here. However, I can give you the general picture of what needs to be done. You will need:
- a mail server that supports DomainKeys
- a public/private key pair
- the ability to post a text record to the DNS server for your domain
After this is configured, you need to publish your DomainKeys public key so that other mail servers are able to verify the digital signatures on those message headers. This is accomplished by two DNS TXT records. The first is a policy record published as _domainkey.yourdomain and simply states whether or not all messages are signed and how seriously you are using DomainKeys. A good way to start is to set the text to "t=y o=~". this tells everyone you're in testing mode and that some messages may not be signed. You can tighten this up after you've confirmed everything is working.
The second is the selector record which contains the actual public key. This is published to your DNS as selectorname._domainkey.domain and in its simplest form contains "p=" followed by the long garbled string of characters that is your DomainKeys public key. There are other options available, such as being able to explicitly declare cipher type, length, etc. but this information is enough to get things started. Your mail server software also needs to be told the name of your selector record as that information is included in the message headers.
That's it.
The biggest protection this provides is proof that a message really did come from your domain. As many spammers try to spoof the message sender's address in order to bypass more simplistic email filters, this is a way of proving whether or not a message really was delivered from your mail server or not. At least for now.
27.8.09
Ubuntu and the HP Mini 5101
Labels:
hardware,
HP Mini 5101,
Linux
I just got a new HP Mini 5101 netbook and the first thing I had to do was rip out Windows and install Ubuntu. I'm just more productive that way.
Unfortunately, not all of the hardware works "out of the box". After two days of Google research, I've got two important things working.
Bluetooth and wired networking work fine with the default installation of Ubuntu 9.04. The trouble spots come from ACPI, WiFi and sound.
Getting the WiFi interface up and working was easy. Just install the linux-restricted-modules package and reboot. Everything comes up on its own then.
Sound was a little more tricky. You need to do two things:
I wrote this entry on my new HP Mini and I have to say the best thing about this netbook is the keyboard. It's almost full sized so I don't feel cramped or like I need a special keyboard wand.
More as I find other things that don't quite work as expected. I haven't tried the webcam yet, but I'm not sure that I even care about it at this point.
Unfortunately, not all of the hardware works "out of the box". After two days of Google research, I've got two important things working.
Bluetooth and wired networking work fine with the default installation of Ubuntu 9.04. The trouble spots come from ACPI, WiFi and sound.
Getting the WiFi interface up and working was easy. Just install the linux-restricted-modules package and reboot. Everything comes up on its own then.
Sound was a little more tricky. You need to do two things:
- Install the linux-backports-modules package for your kernel version (sudo apt-get install linux-backports-modules-`uname -r`)
- Add the line options snd-hda-intel model=laptop to the file /etc/modprobe.d/alsa-base.conf then reboot.
I wrote this entry on my new HP Mini and I have to say the best thing about this netbook is the keyboard. It's almost full sized so I don't feel cramped or like I need a special keyboard wand.
More as I find other things that don't quite work as expected. I haven't tried the webcam yet, but I'm not sure that I even care about it at this point.
13.8.09
VMware Server and Multi-Core CPUs
It's always been confusing to me as to what to do with VMware Server guests running on a host that has a multi-core processor.
First, just to clarify, from the information I have gathered VMware will assign a single physical processor to each virtual processor on a guest machine. If you have a multi-core processor, and your host operating system recognises each core as a separate CPU, then each virtual CPU on a guest will be assigned to a single core on your host.
You can get really fancy with assigning specific cores by tinkering with the VMX configuration file.
I've noticed that once I change my guest machine to use multiple CPUs, the CPU usage on my host shoots up to almost 100% and seems to stay there. Curiously though, this doesn't seem to affect any of the other processes running on the host. The answer, as stated in the VMware Knowledge Base, is that the host is executing the "system idle" process on the guest.
On Windows, when your processor isn't doing anything, Windows will execute a sort of 'do nothing' command that shows up in Task Manager as the "System Idle" process. It literally does nothing, and any unused CPU cycles go to this process. (Don't ask me why, I'm just the messenger here.) Unfortunately, VMware seems to translate this as an actual process and executes it on the host, but there it also does nothing. However, the host doesn't recognise this translation as an idle process and shows the VMware process itself as using those CPU cycles. So, even though it looks like your host is doing a lot while your guest is doing nothing, neither are really doing anything.
That still doesn't make me feel comfortable when I first see high CPU usage on my systems, but as long as it isn't causing any problems then I'll just leave things be.
First, just to clarify, from the information I have gathered VMware will assign a single physical processor to each virtual processor on a guest machine. If you have a multi-core processor, and your host operating system recognises each core as a separate CPU, then each virtual CPU on a guest will be assigned to a single core on your host.
You can get really fancy with assigning specific cores by tinkering with the VMX configuration file.
I've noticed that once I change my guest machine to use multiple CPUs, the CPU usage on my host shoots up to almost 100% and seems to stay there. Curiously though, this doesn't seem to affect any of the other processes running on the host. The answer, as stated in the VMware Knowledge Base, is that the host is executing the "system idle" process on the guest.
On Windows, when your processor isn't doing anything, Windows will execute a sort of 'do nothing' command that shows up in Task Manager as the "System Idle" process. It literally does nothing, and any unused CPU cycles go to this process. (Don't ask me why, I'm just the messenger here.) Unfortunately, VMware seems to translate this as an actual process and executes it on the host, but there it also does nothing. However, the host doesn't recognise this translation as an idle process and shows the VMware process itself as using those CPU cycles. So, even though it looks like your host is doing a lot while your guest is doing nothing, neither are really doing anything.
That still doesn't make me feel comfortable when I first see high CPU usage on my systems, but as long as it isn't causing any problems then I'll just leave things be.
Subscribe to:
Posts (Atom)
Posts
