First time SNMPv3 ... ProCurve Switch 2650 as example

I'm fairly new to network stuff and thus network management, so snmp too ... is fairly new to me, not to mention snmpv3 :) ...

After some digging around and efforts to understand what snmp is ... it turns out that snmp (v2) was simply a list of variables that can be read by supplying a password (that password is called public community name), and also read and write by supplying a password too (this one is called private community name) ...

It was clear that snmp version 1 and 2 had serious security issues. so when i found this HP ProCurve Switch 2650 that supports snmpv3, i decided to play around with it!

The game was not as straight forward as i thought! it was not only security enhancements that snmpv3 introduced, but rather a more complex and robust authorization and permissions system.

So, lets start with describing the hands on with this switch, i telnet to the switch , i enter it without a password, i switch to enabled mode and i set the password for operator and manager (enabled).

Now, i enabled SNMPv3 by doing :

ProCurve Switch 2650(config)# snmpv3 enable

and the switch created a user called "initial" and used authentication protocol MD5 and asked for authentication password. it set the privacy protocol to DES and asked for privacy password (ill talk a little more about those in a minute). afterwards i was asked if i want to create a user with SHA authentication protocol, i chose not to.

Now from the Linux shell, i used snmpwalk to test my settings, following snmp v2 syntax, i tried:

snmpwalk -v 3 -c MyCommunityName 192.168.254.1 sysUptime

and i got:

snmpwalk: No securityName specified (Sub-id not found: (top) -> sysUptime)

So fiddling a little more around, i would need to the user name (securityName), i found that in the snmpcmd manual pages, so next i tried was this:

snmpwalk -v 3 -u initial -c MyCommunityName 192.168.254.1 sysUptime

and i got:

Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime

So the authorization is the problem, looking for password to send got me to the -A option, also from the snmpcmd man pages, which is used to pass the authPassword, and the man page says its insecure to specify pass phrase on the command line, but i'll leave it for now, so i try:

snmpwalk -v 3 -u initial -A password123 -c MyCommunityName 192.168.254.1 sysUptime

but i still got the error:
Error in packet.
Reason: authorizationError (access denied to that object)
Failed object: SNMPv2-MIB::sysUpTime


Now i was a little frustrated, this looked as enough to get things to work! and i couldn't see why it wasn't! so fiddling more around and googling for examples of snmpwalk -v 3 syntax i got one that got things going! and here it is:
snmpwalk -v 3 -u initial -A password123 -l AuthNoPriv -c MyCommunityName 192.168.254.1 sysUptime

So what is the stroy with this -l AuthNoPriv ? again, the man pages came to rescue, according to the man pages:
-l secLevel
Set the securityLevel used for SNMPv3 messages (noAuthNoPriv|authNoPriv|authPriv). Appropriate pass
phrase(s) must provided when using any level higher than noAuthNoPriv. Overrides the defSecurityLevel
token in the snmp.conf file.


So it seems that this option tells the snmpv3 server that we are using the Auth password but not the privacy pass phrase, which reminds me with the 2 passwords i was asked for when creating the user "initial"! although i didn't understand why snmpwalk didn't guess that this is what i wanted by passing the authPass using the -A option :S. anyway, i was happy things worked for me ... for now!

So apparenly, the default security level would be (since i dont have snmp.conf file) (according to snmp.conf man page) noAuthNoPriv! which made me try and do the following:

snmpwalk -v 3 -u initial -A password123 -l AuthPriv -c MyCommunityName 192.168.254.1 sysUptime

and i got the error:
snmpwalk: USM generic error (Sub-id not found: (top) -> sysUptime)

The error was not really meaningful to me, but logically i had to supply the pricy pass phrase, again man snmpcmd came to rescue, and the option to supply the privacy pass phrase is -X, so now i try to do :

snmpwalk -v 3 -u initial -X password321 -A password123 -c MyCommunityName -l AuthPriv 192.168.254.1 sysUptime

And viola! it works :) And viola! i think i have a very good post about snmpv3 ! frankly i had hard time finding quick info about the errors i got in google, so if this info helped you, and you feel thankful, i would be thankful to you if you google a little about palestine, about the separation wall and the injustice its causing !

Oh! the private pass phrase is apparently used to secure communication, so its a good idea to use it !
That was it for today, and i think ill go crash into my pillow :) and apologies for the politics .

Windows for Linux Administrators I

I've never been a fan of M$ Windows, but lateley im forced to deal with Windows, So since im having a lot of trouble doing even simple things, i've decided to write a few notes i've learned that would help those who are familiar with linux to administrate windows machines, but you should also know that im not an expert in either systems, any any information provided here is my own interpretation of similarities between these two systems.

First, lets put a list of commands and their equivilent that i learned recently, i wont be talking about "dir" and "rem".

Starting with the ugly "cmd" of windows, we can see that we can use the command "set" to display environment variables, which is the same as what we have in Linux! nice! thats a good starting point. and and interesting example of how things might be a little diffrent, lets try to print the current directory, in linux we would simply type pwd, in windows, you'll do "echo %CD%", where %CD% is an environment variable that holds the "Current Directory".

Variables in windows are put between percentage signs , %VARNAME% and are not case sensetive.

Now the first thing i wanted to do was listing users i have and gather info about them, but in my case, the machine i have access to, via rdestop, is an Active Directory server, which i hope to be able to switch to SAMBA 4 when the later is ready ... so ... how do we do that in active directory?

the command to do so is called dsquery, it stands for "Directory Service Query" and is one tool from the "Directory Service" tools suite that comes with windows 2003, i dont know about older versions.

Now ill try to see how it works, so i look at :

dsquery /? | more

Looks unixish ... heh :), reading a little there i managed to list users (first 100) using the command:

dsquery user

and then i filtered out myself using the command find! an interesting tool that provides similar functionality to some unix tools. lets suppose my name was "Edward Saeed", i do :

dsquery user| find "Edward Saeed"

but note that you Have to use the quotes, and the string IS case sensitive ... inconsistency ... i belive ... but i could use /I to make it case insensitive!

So now we know that find "something" is similar to the "grep" command in unix!

reading find /? shows that find can also count lines! so find /C "something" is equivilent to "grep "something" | wc -l" . thats good to hear ... who can live without grep and wc :)

Thats it for today :), i'll be packing and hitting the road .

Maybe next time ill be trying to rewrite a few bash scripts in this windowish fashion.

;)

all printable ASCII characters in one c++ like string

Today i was looking for a string with all printable ASCII characters for usage in some C++ code, i could not find one quickly on google, so i though ill post it here :) I will probably need it sometime in the future ... here it goes :)

char fullset[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~";

Reverse DNS records for subnets larger than 24

I've been playing lately with DNS, and it seems there is a need to create zones with less than 255 ip ... so i had to dig a little around, i took a look at mkrdns tool and RFC2317, i wrote a little php script that might be useful to understand what should be done, without deploying automation tool ... the thing is ... i cant test it :(, but anyway, ill post it here, so please, if you have any comments, if you find anything that is incorrect, or any enhancements, please let me know.

<?php
/*
* Author: Maysara A. Abdulhaq
* Contact: maysara(dot)abdulhaq(at)gmail(dot)com
* Usage: Guides howto add revese domains
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*/
function reverse_domain_name($ip,$class=24)
{
 $octets= explode(".",$ip);
 $octetcount=(int) ($class/8);
 for ($i=$octetcount -1 ;$i >= 0 ;$i--)
  $dn= $dn."$octets[$i].";
 $dn= $dn."in-addr.arpa";
 $mask= (~((1<<(8-$class%8))-1)&255);
 $rangebeg = (((int)$octets[$octetcount]) & $mask);
 $rangeend = (((int)$octets[$octetcount]) & $mask)+((1<<8-$class%8) -1);

 echo "You have Entered IP: ".$ip." with subnet: ".$class."\n";
 echo "So the reverse domain is : ".$dn."\n";
 echo "and the range of ips is $rangebeg to $rangeend\n";
 echo "If you wish to use a domain for mapping similar to mkrdns, you can use domain name \n";
 echo "A: $rangebeg-$rangeend.$dn\n";
 echo "B: $rangebeg.$dn\n";
 echo "Or, similar for what is suggested in RFC2317:\n";
 echo "C: $rangebeg/$class.$dn\n";

 echo "for each entry, a CNAME record must be added to $dn \n";
 echo "A: $octets[$octetcount]  CNAME $octets[$octetcount].$rangebeg-$rangeend.$dn\n";
 echo "B: $octets[$octetcount]  CNAME $octets[$octetcount].$rangebeg.$dn\n";
 echo "C: $octets[3] CNAME $octets[3].$rangebeg/$class.$dn\n";
 echo "in addition to the PTR in the above mentioned domain name\n";
 echo "$octets[3] PTR some.domain.tld\n";
 
}

 if ( $argc != 3){
  echo "Usage: $argv[0] IP MASK\n";
  echo "Example: $argv[0] 111.222.121.212 27\n";
  exit(1);
 }
 if ( $argv[2] < 24){
  echo "Error:the mask should be larger than 24\n";
  exit(1);
 }
 reverse_domain_name($argv[1],$argv[2]);

?>

what the hell is a LUN

Well, playing around with iSCSI i stumbled with LUN ... and according to wikipedia, LUN stands for Logical Unit Number, and its apparently related to scsi and/or raid, and apparently they are logical portions of disks, still what does that mean ?

Well, after looking around a bit, and finding a lot of talking about LUN and LUN explained ... etc, it turns out that from the iscsi-initiator host OS (client) point of view, a LUN is simply a disk ... every LUN regardless of being the only one in a given iscsi-target or whether there are multiple LUNs in an iscsi-target, its a disk, and if things are configured correctly, every LUN will give you a disk device like /dev/sdx or something similar .

So why have multiple targets each with one LUN or have multiple LUNs in one iscsi-target? again, as far as i understood from this very helpful post, from the client (initiator) perspective, its the same thing ... all are disks. just accessed with seperate iscsi-initiator procedure or with a single one, from server (target) perspective, distributing LUNs is just a managerial issue, and seperating LUNs into multiple targets helps the administrator to make policies about who is allowed to access which LUNs by distributing them among targets, and possibly setting authentication.

So ... what does all the talking about using LVM and software raid and other stuff all about ? well, after understanding that the LUN is somehow simply a disk to the client, you can do with it whatever you do with a disk! or multiple disks :) ... so you can format the LUN (now its a disk, like /dev/sdf) or you can use LVM to create Logical volume from multiple disks, which might be iscsi LUN or just old good regular disks :), or setup software raid , again, all this can be done on regular disks, scsi or sata or ata ... and now on LUNs too, you basically stop talking about LUN after iscsi-initiator is done with logging to the target and getting the LUN, afterwards, you treat it as a disk.

Now possibly you have RAID and LVM ...etc on the server side ... whats the story there ? and whats the strory with the word "carved" that is used in a couple of places online when talking about LUNs? ... the idea if fairly simple, when you have LUN on the target, you define where the real storage is going to happen, so on the target you define Path to where the actual storage will happen so you say for example Path=/iscsi-exports/2GBDISK1.iso or Path=/dev/sdc or Path=/dev/sda5 ...etc. as you can see you can put any file that you usually use for read and/or write to, and as you might already know, even regular files can be treated as disk volumes and you can mount them using a loop device. so these partions, disks, regular files or even iscsi LUN from a diffrent iscsi-target (which would appear as devices) can be used for a LUN, now these files, partions, disks ..etc, can reside on a hardware raid, or be part of an LVM, or software raid or anything else you can think of you can store data on, and might as well be a regular disk partion or a whole disk that is used as a LUN :).

Note:please feel free to correct me if there is something wrong or unclear in this post

Oracle RAC on ISCSI ... the small details ... round two

Now im starting over with installing oracle 11g RAC on iSCSI, the first round (actually that was probably the 5th round, but first round i write about) failed due lack of A)storage on iscsi target B)too little memory on one of the nodes.

So now i have a new iSCSI target setup on debian etch from backports, and im setting up a new powerful node to serve as a node in the Oracle RAC.

So i installed Enterprise Linux fine and i am following the same steps described in the "round one" post.

While trying to configure the iSCSI target, a question poped into my mind, what diffrence would it be if i configure a single target with multiple LUN or if i configure multiple targets each with single LUN, i have no idea what diffrence it makes.

So after a while of digging arond, i realized that the script provided from oracle howto will only work properly if you have one LUN in each target, but i had multiple LUNs in my iscsi-targets to have more space ... so i had to modify the script that returns the names of devices for persistant naming, here is the diff:

--- iscsidev.sh.bak 2008-05-10 19:44:49.000000000 +0300
+++ iscsidev.sh 2008-05-10 19:44:25.000000000 +0300
@@ -4,6 +4,7 @@
 
 BUS=${1}
 HOST=${BUS%%:*}
+LUN=${BUS##*:}
 
 [ -e /sys/class/iscsi_host ] || exit 1
 
@@ -16,5 +17,5 @@
    exit 1
 fi
 
-echo "${target_name##*.}"
+echo "${target_name##*.}LUN$LUN"

traffic control ... learning tc

Well, what do i want to do today, i want to try to distribute traffic in a fair way between clients on my network, so it seemed as a starting point i should start playing with tc.

So i started reading tc man page thoroughly, after a while of playing around with it i tried creating a qdisc using
tc qdisc add dev eth1 root pfifo
notice that anything less didnt work with me ! that went fine, now i want to view what i did, and the command tc qdisc show dev eth1 did it fine, now i tried to delete the qdisc i created using tc qdisc del dev eth1 root and it went well too.

Now i tried tc qdisc show dev eth1 and apparently there is a qdisc there!! i try to delete that but i get RTNETLINK answers: No such file or directory !!! later i realized this is probably a mandatory qdisk for every interface ... although found nothing about it in the man page, but a quick google search for "default qdisc" yielded this very informative link.

Now, what i understand so far that we have 3 elements working together, qdisc, class and rule ... and to put it in simple words, i think that qdisc ( a general framework for what we are talking about ) classifies packets into classes using some rules, and decides later according to the classification which packets should go out to the network interface.

As Expected, a year and a half later (sep 2009), i get back to reading on the topic, and i have no clue where i got the word rule! the word is "filter"!

this time i have used tc actually, i used iptables to "mark" certain packets, which then a tc "filter" captured them and sent them to a "class" that limits the bandwidth !!