The Life of a Sysadmin

Carousel is a lie!

Entries from October 2008.

Insomnia
Wed Oct 1 15:27:30 PDT 2008

The good thing about being up at 3am is that, with a laptop, you can keep yourself entertained by whipping up a quick spreadsheet of the rack, switch and console server layout for the new server room.

The bad thing is that you may not trip over Sun's handy-dandy power calculators (like those for the X4140 or the X4440) until the next day, leaving you twelve hours to wonder blearily if you've blown your server room's power budget all in one go.

Tags: hardware.
Now *there's* unexpected
Tue Oct 7 12:16:58 PDT 2008

Seen while applying software updates to a new Mac at $WORK:

The Aluminum Keyboard Firmware Update will update the keyboard
firmware on your aluminum Apple Keyboard.  Important:  Do not interrupt
the update, your keyboard will not function while it is being updated.

I guess a mouse crashing is not entirely out of the question...

Tags: hardware.
Firewall unit test
Tue Oct 7 15:01:34 PDT 2008

When I was at LISA, one of the sysadmins I met mentioned a firewall unit testing script that a coworker of his had come up with. The idea was to run your OpenBSD firewall in a QEMU instance, then try passing traffic back and forth to make sure everything worked as expected. I've been looking for that tool to be released, but haven't seen it....or anything else like it either…

Until today, that is, when I stumbled on NetUnit. It's a Java-based tool that tests basic network connectivity, using XML files to specify tests. So far he's got tests for ICMP/port 7 (which I never knew was the echo port), TCP ports, HTTP/HTTPS and MySQL. Not bad at all, except for my lack of Java experience.

Of course, now I want to write my own tester using Perl and QEMU. Like I've got time. But here's an idea for anyone who can use it: test your firewall using three instances of QEMU (inside, outside and firewall), and have the inside and outside hosts communicate using the serial port. "I'm gonna send an echo request, did you see it?" "Yes, did you see the reply?" It's a bit more feedback than simply noting the lack of the expected reply.

And it's not at all like conversations that start out with, "I sent you an email. Did you get it?"

Tags: bsd, networking.
Found it!
Tue Oct 14 13:41:01 PDT 2008

I was >this< close to writing my own damn set of Perl scripts to test a firewall, but I decided to search one last time. Good thing, too: ftester looks pretty close to perfect.

I'm having trouble right now getting ftestd to work on an OpenBSD 4.3 system; this may be because I'm trying to get it to listen on an interface that's part of a bridge. I'll have to look into this further. But testing it out between my laptop and desktop works a treat, whether my laptop is running OpenBSD or Linux 2.6. Sweet!

Tags: bsd.
Blogger.com hates me. I mean, +1 for Bacula
Thu Oct 16 16:25:16 PDT 2008

Matt asked how Amanda worked for people, and whether they'd recommend anything else. I tried to leave a comment, but Blogger's CAPTCHA (god, I hate that acronym) never seems to work for me. So here goes. (Irony of a man w/an email-based comment system complaining about someone else's left as exercise f/t reader.)

Amanda: Nice, but: At my last job (2.5 years ago now), we started running into problems when backing up a 1TB RAID5 array...simple Promise disk array, nothing special or terribly fast. Amanda would take hours to do an estimate of the backups…which, since Amanda tries to pack tapes as full as it can, it does all the time. This got to be a huge pain, and we didn't find a solution to this problem before I left. (We were using GNU tar for Amanda; not sure if that had anything to do with it, and I can't remember what the alternatives were…maybe dump? Dunno.) Not sure what the current state is.

Bacula: +1 on the nice. Very, very good at my current job; absolutely no problems with it at all. And the documentation is enough to cry for, it's so complete and wonderful and thorough and accurate and well done. Clients for Unix, Windows, and Mac. Total filesystems here are…uh…less than 1TB, definitely, although it's creeping up there. So the smaller size may have something to do with it.

Tags: backups.
Thing I should have already known #46394
Tue Oct 21 15:30:40 PDT 2008

You can configure OpenSSH's ~/.ssh/authorized_keys file to restrict the commands a key is allowed to run via SSH: prefix the key with a command="..." option and sshd runs that program instead of whatever the client asked for (the client's request is handed to it in the SSH_ORIGINAL_COMMAND environment variable). Thus, say, you can restrict a particular key to running rsync or dump. You can also restrict it to connections only from certain hosts with a from="..." option; as the manual points out, this means that "name servers and/or routers would have to be compromised in addition to just the key."

Tags: toptip.