Posts about nerd

What’s the harm in Google DNS? Performance!

July 2nd, 2011

A little side note to the tutorial series I’ve been writing up lately on building a ZFS fileserver: this one is about why Google DNS can be bad for your performance (well, depending on where you live).

A real quick run down: we all know what DNS does, yeah? It translates domain names like www.scottyob.com into IP addresses like 112.140.183.97. A DNS server’s job is to turn the domain names we type into the IP addresses our machines can actually use.

Now, when it comes to Google DNS, if you believe in the propaganda http://code.google.com/speed/public-dns/ where Google DNS is said to

What Google doesn’t tell you is that it interferes with DNS setups that try to give you a server close to your home. I’ve been using Google DNS for months here at home, but I’ve only just decided against using it, and I’ll run through exactly what caused my performance issues.

I was trying to watch a program on iView over TPG’s internet connection. Now, TPG don’t have the best international links at peak times, so at first I was frustrated at them for not letting me watch my iView program without buffer lag on my 8Mbit plan. I checked my signal-to-noise ratio, dropped packets, etc., and it was all fine. I checked the bandwidth going out on the ppp interface on the router to see if I was maxing out the net connection at home, but nope, that was fine too, so the problem must have been with TPG.

Looking at what was going on, I did a little traceroute to www.abc.net.au

traceroute: Warning: www.abc.net.au has multiple addresses; using 125.252.224.73
traceroute to a1632.g.akamai.net (125.252.224.73), 64 hops max, 52 byte packets
1 10.1.1.254 (10.1.1.254) 1.919 ms 1.260 ms 1.202 ms
2 * * *
3 202.7.173.17 (202.7.173.17) 27.056 ms 26.317 ms 26.693 ms
4 syd-sot-ken-crt1-ge-5-1-0.tpgi.com.au (202.7.162.173) 26.283 ms 26.884 ms 26.100 ms
5 ix-11-1-0-507.tcore2.tv2-tokyo.as6453.net (116.0.88.21) 153.325 ms 135.736 ms 126.568 ms
6 if-14-0-0-1720.core1.tv2-tokyo.as6453.net (209.58.61.121) 1481.461 ms
if-1-0-0-1715.core1.tv2-tokyo.as6453.net (209.58.61.125) 298.270 ms
if-14-0-0-1720.core1.tv2-tokyo.as6453.net (209.58.61.121) 282.141 ms
7 if-10-0-0-981.core3.hk2-hongkong.as6453.net (116.0.82.85) 208.232 ms
if-5-0-0.core3.hk2-hongkong.as6453.net (116.0.82.1) 199.170 ms
if-10-0-0-981.core3.hk2-hongkong.as6453.net (116.0.82.85) 206.027 ms
8 vlan31.icore1.hk2-hongkong.as6453.net (116.0.82.18) 219.937 ms 204.963 ms 196.273 ms
9 80.150.169.25 (80.150.169.25) 333.519 ms 306.138 ms 307.031 ms
10 80.156.224.6 (80.156.224.6) 358.402 ms 320.029 ms 349.133 ms
11 a125-252-224-73.deploy.akamaitechnologies.com (125.252.224.73) 332.188 ms 331.008 ms 314.833 ms

Looking at this traceroute, the first thing I thought was “Why on earth is ABC hosting its website in Hong Kong (or at least routing the traffic via Hong Kong)?” I immediately rejected the idea that ABC would do this, and blamed TPG’s stupid routing decisions.

Looking the IP address up further (http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=125.252.224.73), it appears to be hosted in Singapore, and some googling shows akamaitechnologies is the web host for ABC. OK, so what is going on here?

Then I did a little digging (with dig) around the ABC domain, and check this out.

Using Google DNS (8.8.8.8, hosted in America)

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.abc.net.au @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16084
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.abc.net.au. IN A

;; ANSWER SECTION:
www.abc.net.au. 882 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 21581 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 2 IN A 63.150.131.41
a1632.g.akamai.net. 2 IN A 63.150.131.33

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 3 00:37:00 2011
;; MSG SIZE rcvd: 135

And using TPG’s DNS servers (203.12.160.35)

macshell:~ scott$ dig www.abc.net.au @203.12.160.35

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.abc.net.au @203.12.160.35
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11673
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.abc.net.au. IN A

;; ANSWER SECTION:
www.abc.net.au. 523 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 12274 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 10 IN A 202.7.177.66
a1632.g.akamai.net. 10 IN A 202.7.177.83

;; Query time: 29 msec
;; SERVER: 203.12.160.35#53(203.12.160.35)
;; WHEN: Sun Jul  3 00:38:20 2011
;; MSG SIZE  rcvd: 135

So there we go, hosted in Sydney, Australia. So how does the traceroute compare?

macshell:~ scott$ traceroute www.abc.net.au
traceroute: Warning: www.abc.net.au has multiple addresses; using 202.7.177.83
traceroute to a1632.g.akamai.net (202.7.177.83), 64 hops max, 52 byte packets
 1  10.1.1.254 (10.1.1.254)  1.711 ms  1.134 ms  1.100 ms
 2  * * *
 3  202.7.173.17 (202.7.173.17)  27.047 ms  26.072 ms  26.502 ms
 4  syd-sot-ken-ak2-83.tpgi.com.au (202.7.177.83)  26.540 ms  26.835 ms  26.540 ms

Authoritative nameservers can be set up to hand out different addresses depending on where the query appears to come from, roughly a closest-server-wins arrangement. Because Google’s resolvers (8.8.8.8) sit in America (look up their IP address: CA), I was being handed update servers and the like that were closest, in latency terms, to America rather than to Sydney, Australia.

Simply by changing from Google DNS servers to my ISP’s, I get healthier latency, and am no longer sending traffic over saturated overseas links.  So how does this compare with ABC iView?  Well, check it out

iView before

And when I’m using my own ISP’s DNS
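To make the point in the two dig outputs above concrete, here is an added example (not code from the original post) that parses the captured answers from each resolver and flags the CDN-steering signature: the same CNAME chain ending in different, short-TTL A records. The 60-second TTL cutoff is an assumption of the example, not something the post states.

```python
import re
from dataclasses import dataclass, field

# The author's two dig captures from above, trimmed to the lines the parser needs.
DIG_GOOGLE = """\
www.abc.net.au. 882 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 21581 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 2 IN A 63.150.131.41
a1632.g.akamai.net. 2 IN A 63.150.131.33
;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
DIG_TPG = """\
www.abc.net.au. 523 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 12274 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 10 IN A 202.7.177.66
a1632.g.akamai.net. 10 IN A 202.7.177.83
;; Query time: 29 msec
;; SERVER: 203.12.160.35#53(203.12.160.35)
"""

# owner  ttl  IN  type  rdata   (only A and CNAME matter for this question)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")


@dataclass
class Answer:
    server: str = ""
    query_ms: int = 0
    cname_chain: list = field(default_factory=list)
    addresses: set = field(default_factory=set)
    a_ttl: int = 0


def parse_dig(text):
    """Extract the CNAME chain, the A records and their TTL, the answering
    server and the query time from dig's output."""
    ans = Answer()
    for line in text.splitlines():
        m = RR.match(line)
        if m:
            _owner, ttl, rtype, rdata = m.groups()
            if rtype == "CNAME":
                ans.cname_chain.append(rdata)
            else:
                ans.addresses.add(rdata)
                ans.a_ttl = int(ttl)
        elif line.startswith(";; Query time:"):
            ans.query_ms = int(line.split()[3])
        elif line.startswith(";; SERVER:"):
            ans.server = line.split()[2].split("#")[0]
    return ans


def compare(a, b, short_ttl=60):
    """Summarise how two resolvers' answers for one name differ. An identical
    CNAME chain ending in disjoint, short-TTL A records is what CDN steering
    looks like: the authoritative server picked edge nodes near each
    resolver, which is why a distant resolver hands you distant servers.
    short_ttl (seconds) is a heuristic cutoff chosen for this example."""
    shared = a.addresses & b.addresses
    return {
        "same_cname_chain": a.cname_chain == b.cname_chain,
        "shared_addresses": shared,
        "cdn_steering_likely": (a.cname_chain == b.cname_chain and not shared
                                and max(a.a_ttl, b.a_ttl) <= short_ttl),
        "faster_resolver": a.server if a.query_ms < b.query_ms else b.server,
    }


if __name__ == "__main__":
    for key, value in compare(parse_dig(DIG_GOOGLE), parse_dig(DIG_TPG)).items():
        print(f"{key}: {value}")
```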

Allowing access through NFS & SAMBA

April 4th, 2011

Cifs Share

CIFS (Common Internet File System), the protocol Windows uses for all its ‘Windows file sharing’, is the method I’ll use to let my desktops and roaming computers access files on the file server.

Before we begin, make sure the CIFS kernel modules are installed:

# pkg install SUNWsmbs
# pkg install SUNWsmbskr

Next, enable the service (-r also enables the services it depends on) so that it starts automatically:

# svcadm enable -r smb/server

I’ve decided that for everyday use I want a data store for home directories on the server, so:

# zfs create datastore/homes
# zfs create datastore/homes/scott

Now, set up compression on my home directory:

# zfs set compression=on datastore/homes

Time to do some setup so we can log into this share. I’ll make the box join the workgroup ‘home’:

# smbadm join -w home

To start sharing with Windows boxes, I need to change pam.conf so that Windows (SMB) password hashes are generated too. Add the line below to /etc/pam.conf:

other password required pam_smb_passwd.so.1 nowarn

Reset the password for my user scott, after which I’ll be able to authenticate as him:

# passwd scott

The next step is setting up guest access. You may remember we created a media share, datastore/media. We want to share that with guests on the network (on the trusted subnet, anyway). Before we go ahead and set that up, we want to map the Windows Guest user to the Unix user nobody:

# idmap add winname:Guest unixuser:nobody

then we’ll allow guest access to our media box

# zfs set sharesmb=name=media,guestok=true datastore/media

I also want my home directory to be accessible only by me, so I’ll take ownership of the directory and lock down its permissions:

# chown scott /datastore/homes/scott
# chgrp staff /datastore/homes/scott
# chmod 700 /datastore/homes/scott

and share it

# zfs set sharesmb=name=scott datastore/homes/scott

So there we have it, a media folder anyone can access, and a ‘scott’ share that I’ll need to authenticate with (HOME\scott user)


NFS Shares

Now we’ve got CIFS set up for our clients, I want to set up NFS shares for the other Linux boxes on the network (at this point, only my router) to access. The idea is that my router will have all its home directories on the FileServer (so it gets the advantages of snapshots, etc.) as well as not being limited to its dying 60GB hard disk for torrenting and such things.

As mentioned, I’m only interested in NFS shares for my router at this point, so we’ll restrict the shares to my router’s IP address (10.12.1.254).

The first thing to try is setting up the NFS share on our homes directory:

# zfs set sharenfs=root=@10.12.1.254,rw=@10.12.1.254 datastore/homes

Now, on my Debian router box I want to see if I can mount this (assuming the directory /home2/scott exists on the client):

sudo mount -t nfs -o nfsvers=3 10.12.1.1:/datastore/homes/scott /home2/scott

and Ta-Da! My home directory is mounted. What I want to do now is to set up auto-mounts. That is, when a directory is accessed for my users home directory, it’d mount it on the fly.

First, install the autofs package

apt-get install autofs

Add the following line into /etc/auto.master

/home2 /etc/auto.home --timeout=60

and the following into the file /etc/auto.home

* -fstype=nfs,rw,nosuid,soft,vers=3 server:/datastore/homes/&

The * and /datastore/homes/& do the magic: any directory name looked up under /home2 becomes the key, & expands to that key, and the matching export is mounted on demand (as long as the autofs service, /etc/init.d/autofs, is running).

Now let’s add a place for our downloads:

# zfs create datastore/media/downloads
# zfs set sharenfs=root=router,rw=router datastore/media/downloads

I chose to mount this with the automounter under the home2 directory as well, so I added this to the /etc/auto.home file:

downloads -fstype=nfs,rw,nosuid,soft,vers=3 10.12.1.1:/datastore/media/downloads

Pretty neat: now when you head to a directory that’s not mounted yet (like /home2/scott/) on the Linux client, it auto-mounts the required NFS volume and presto, we’ve got ourselves network storage.
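An added example, not part of the original post, that models how the automounter resolves a path under /home2 against the /etc/auto.home map above (an exact key first, then the * wildcard with & substituted), builds the equivalent mount command, and checks each entry for the nosuid and nodev options. The map text is the post’s; the lookup keys are constructed.

```python
# The indirect map from the post (/etc/auto.home), used as the example's input.
AUTO_HOME = """\
# /etc/auto.home
* -fstype=nfs,rw,nosuid,soft,vers=3 server:/datastore/homes/&
downloads -fstype=nfs,rw,nosuid,soft,vers=3 10.12.1.1:/datastore/media/downloads
"""


def parse_map(text):
    """Return (key, options, location) for each 'key [-opts] location' line,
    skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split()
        opts = []
        if rest and rest[0].startswith("-"):
            opts = rest.pop(0)[1:].split(",")
        if len(rest) != 1:
            raise ValueError(f"malformed map line: {raw!r}")
        entries.append((key, opts, rest[0]))
    return entries


def resolve(key, text):
    """Pick the entry autofs would use for `key`: an exact key beats the '*'
    wildcard, and every '&' in the location is replaced by the key.
    Returns (location, options), or None when nothing matches."""
    entries = parse_map(text)
    match = (next((e for e in entries if e[0] == key), None)
             or next((e for e in entries if e[0] == "*"), None))
    if match is None:
        return None
    _, opts, location = match
    return location.replace("&", key), opts


def mount_command(mount_point, key, text):
    """The mount(8) call the automounter effectively runs for mount_point/key
    (fstype= becomes -t; autofs defaults to nfs when no fstype is given)."""
    hit = resolve(key, text)
    if hit is None:
        return None
    location, opts = hit
    fstype, mount_opts = "nfs", []
    for opt in opts:
        if opt.startswith("fstype="):
            fstype = opt[len("fstype="):]
        else:
            mount_opts.append(opt)
    opt_str = f" -o {','.join(mount_opts)}" if mount_opts else ""
    return f"mount -t {fstype}{opt_str} {location} {mount_point}/{key}"


def hardening_gaps(key, text):
    """Options a network-mounted home or download area should carry so that
    setuid binaries or device nodes dropped on the server cannot be used from
    the client; returns the ones missing from the matching entry."""
    hit = resolve(key, text)
    present = set(hit[1]) if hit else set()
    return [o for o in ("nosuid", "nodev") if o not in present]


if __name__ == "__main__":
    for name in ("scott", "mum", "downloads"):
        print(mount_command("/home2", name, AUTO_HOME),
              "| missing:", hardening_gaps(name, AUTO_HOME))
```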

Other posts to come in the series:
1. Selecting the hardware
2. Installing the Operating System
3. Setting up File systems & Snapshots
4. Allowing access through NFS & SAMBA
5. Setting up encrypted off-site backups
6. Configuring Windows & Linux clients to dump backup info to the FileServer
7. My router setup, configuring IP tables & torrents on a low-powered server.


3. Setting up FileSystems and Snapshots (part 1)

March 18th, 2011

Note: This post is one in a series that is aimed at eventually becoming a tutorial. It’s not currently finalised and at the moment exists as a place for collating thoughts and collecting feedback.

Setting up the filesystems is a trivial task. First, you can see that when we created the storage pool ‘datastore’ it created a filesystem for us (also called datastore) that acts as a container for child filesystems. I’m going to go ahead and create a place to store my media and downloads now:

# zfs create datastore/media

For now I’ll also want a place to store my backups. It’s worth noting that my media filesystem will contain already-compressed MP3s and the like, so compressing it would be a waste of CPU power, but my backups will be a lot of PHP pages and what not, so let’s go ahead and enable compression on this one:

# zfs create datastore/backups
# zfs set compression=on datastore/backups

As appalled as I am by my mum’s backup habits, one of the requirements of this server was to provide a medium for backing up her data without her having to do anything, so let’s set up backup locations for my laptop (MacShell) and a place for mum (mum), assigning both of these 20GB quotas (ok, MacShell gets 120GB), and then check that the quota took effect:

# zfs create datastore/backups/MacShell
# zfs create datastore/backups/mum
# zfs set quota=120G datastore/backups/MacShell
# zfs set quota=20G datastore/backups/mum
# zfs get quota datastore/backups/mum

Now, the idea is that a cron job will run rsyncing over the files every hour, on the hour.  For many reasons (in case I get a virus and need to revert back, in case somebody hacks in and does bad stuff, etc, etc) I’m going to choose to create Snapshots so I can roll back to a previous version.

The convention I want is hourly.HOUR, daily.DAY and weekly.WEEK, keeping up to 7 days and 4 weeks. This also means that once I delete a file, I won’t recover the space it took in my data pool (once a snapshot of the file has been created) until the end of the 4-week period. For instance, hourly.0 will be the last hour’s snapshot, hourly.1 the second-last hour’s snapshot, and so on.

The following bash script takes care of the desired snapshots. It’s based on a concept I took from the “rolling snapshots made easy” post, but I like my scripted way of doing rotating snapshots much better.

#!/bin/bash

# print out usage and stop if the arguments are missing
if [ $# -ne 2 ]
then
    echo "Usage: snapshot.sh [snapName] [max]"
    echo "  eg. snapshot.sh hour 24"
    exit 1
fi

# if the max snapshot already exists, just delete it (it is rolling off the end)
# -H -o name gives bare snapshot names so grep -x can match the whole name
# (a plain grep for hourly.2 would also match hourly.20 and break the rotation)
if zfs list -H -o name -t snapshot | grep -qxF "datastore@$1.$2"
then
    zfs destroy -r "datastore@$1.$2"
fi

# shift every existing snapshot up one slot, highest first so names never collide
for ((i=$2-1; i >= 0; i--)); do
    if zfs list -H -o name -t snapshot | grep -qxF "datastore@$1.$i"
    then
        # this snapshot exists, so we want to move it up one
        zfs rename -r "datastore@$1.$i" "datastore@$1.$((i+1))"
    fi
done

# finally take the new snapshot as slot 0
zfs snapshot -r "datastore@$1.0"

So with this snapshot beauty in place, let’s say I had an existing file structure:

root@thumper:/datastore/backups/MacShell# pwd
/datastore/backups/MacShell
root@thumper:/datastore/backups/MacShell# tree
.
|-- hello_world.txt
`-- someDir
    `-- someFile.dat

1 directory, 2 files

BUT, I had a snapshot in place

# /snapshot.sh hourly 24

then I did something silly like delete my entire backup directory (Oh No!!)

# rm -R *
# ls -l
total 0

Never fear! Check the snapshots:

root@thumper:/datastore/backups/MacShell/.zfs/snapshot/hourly.0# tree
.
|-- hello_world.txt
`-- someDir
    `-- someFile.dat

they’ll eventually roll off my snapshot cycle and be removed in 4 weeks with my plan, but hey, pretty good at this point :)
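An added example, not the post’s script, that dry-runs the rotation scheme above in Python: it lists the zfs commands a run would issue from a given set of snapshots, shows that ‘hourly 24’ actually keeps 25 snapshots (hourly.0 through hourly.24) in steady state, and that a gap left by a hand-destroyed snapshot is simply skipped. The starting states are constructed.

```python
POOL = "datastore"  # the pool the post's script snapshots recursively


def rotate(existing, name, maximum):
    """One run of 'snapshot.sh name maximum': returns (zfs commands in order,
    resulting snapshot set). Mirrors the script: drop .maximum if present,
    shift every existing .i up to .(i+1) from the top down, then take .0."""
    snaps = set(existing)
    cmds = []
    oldest = f"{POOL}@{name}.{maximum}"
    if oldest in snaps:
        cmds.append(f"zfs destroy -r {oldest}")
        snaps.remove(oldest)
    for i in range(maximum - 1, -1, -1):
        src = f"{POOL}@{name}.{i}"
        if src in snaps:  # gaps (snapshots destroyed by hand) are skipped, not filled
            dst = f"{POOL}@{name}.{i + 1}"
            cmds.append(f"zfs rename -r {src} {dst}")
            snaps.remove(src)
            snaps.add(dst)
    newest = f"{POOL}@{name}.0"
    cmds.append(f"zfs snapshot -r {newest}")
    snaps.add(newest)
    return cmds, snaps


def simulate(runs, name, maximum, existing=()):
    """Run the rotation `runs` times starting from `existing`; returns the
    per-run command lists and the final snapshot set."""
    state = set(existing)
    history = []
    for _ in range(runs):
        cmds, state = rotate(state, name, maximum)
        history.append(cmds)
    return history, state


def retained(name, maximum):
    """How many snapshots the scheme keeps once it has settled. It is
    maximum + 1, because .0 is taken after the shift and .maximum is only
    destroyed at the start of the following run."""
    _, state = simulate(maximum + 2, name, maximum)
    return len(state)


if __name__ == "__main__":
    history, state = simulate(26, "hourly", 24)
    print("\n".join(history[-1]))          # commands issued by the 26th run
    print(f"{len(state)} snapshots kept:", sorted(state))
```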

See Part 2 for a post on how to set up cron jobs to automatically call this script

Other posts to come in the series:
1. Selecting the hardware
2. Installing the Operating System
3. Setting up File systems & Snapshots
4. Allowing access through NFS & SAMBA
5. Setting up encrypted off-site backups
6. Configuring Windows & Linux clients to dump backup info to the FileServer
7. My router setup, configuring IP tables & torrents on a low-powered server.

1. Selecting the hardware – FileServer Project

March 9th, 2011

Note: This post is one in a series that is aimed at eventually becoming a tutorial. It’s not currently finalised and at the moment exists as a place for collating thoughts and collecting feedback.

This will be my first blog post in a guide to setting up a fileserver using Solaris (well, OpenIndiana) and ZFS. The main purpose is a reliable server (the focus of this build is more about reliability than throughput).

My build will probably be different than most. One of the deciding factors in choosing my hardware has to be physical space and energy requirements. I’ve got this relatively unused space sitting behind my 27” monitor that is reserved for the box, and as the primary purpose of this box is to back up and store my data in an effort to become paperless, the build is aimed at being energy efficient.

I have found a nice tower that I’d like to use that is attractive for a few reasons. It will fit the space behind my monitor nicely but also comes with a very efficient power supply.

For the CPU, at the time of writing (March 2011), the new Sandy Bridge processors look like they give a big bang for your buck in terms of power usage. The only problem now is that I have to find a mini-ITX motherboard that is compatible with the Sandy Bridge architecture (it has to be mini-ITX because of the form factor of the case), has enough SATA ports (or the ability to expand to meet my requirements) and is compatible with OpenIndiana. So far, the best I’ve found is the DH67CF. Unfortunately for a fileserver that’s going to be hosting important information, this build won’t support ECC memory, which is pretty important as you can see here (probably a better article required to link there), but hopefully not regrettably, I’ll choose to risk it.

I’ve chosen to go with RAIDZ-2 to give two redundant hard disks in my data pool (with a total of 4 hard drives). The reason being that if the disks come from the same batch then, as hard disks go, it’s likely that two will fail at more or less the same time. It’s also worth mentioning that for the critical data on my fileserver I’m going to be implementing remote off-site backups, so while a dead pool would be frustrating, the likelihood of recovering the data should not be compromised.

I’ve decided that 2TB of storage should be sufficient for my requirements. For my storage array I’ve chosen to go with 4 1TB drives [[ToDo: Choose hard disks and why]] set up in Raidz-2.

Other things that I might require to put in are I/O expansion cards for more SATA drives.

Other posts to come in the series:
1. Selecting the hardware
2. Installing the Operating System
3. Setting up Snapshots
4. Allowing access through NFS & SAMBA
5. Setting up encrypted off-site backups
6. Configuring Windows & Linux clients to dump backup info to the FileServer
7. My router setup, configuring IP tables & torrents on a low-powered server.


Downloading HTTP in off-peak

January 24th, 2011

I want to write a quick and dirty blog post to tell you a little solution on downloading HTTP files in your off-peak usage using linux.

The tools I’ll be using for this are my old favourite wget and a new tool, “at”.

The at daemon needs to be running first, so on Debian or Ubuntu:

/etc/init.d/atd start

Then downloading your file at an off-peak time (4am for me) is as simple as

echo "wget -c http://ubuntu.virginmedia.com/releases//maverick/ubuntu-10.10-desktop-i386.iso" | at 04:00

Simple, hey? :)

PDF Automator in OSX

January 16th, 2011

As you may have been aware from my previous blog posts, I’ve been trying to make my life digital, that means any papers I get, I scan and file on a FileServer (with remote backups, etc, etc).

My scanner at home has a document feeder on it. The problem is that it doesn’t do duplex, only one side of each sheet. So far, I can scan one side of the document, flip the paper over, then scan the back pages. This results in two PDFs with two sets of pages:
Set A: 1,3,5,7
Set B: 8,6,4,2

To merge the two, I could open them both up in Adobe PDF, Preview and start clicking and dragging my time away, but that’s pointless. I’d like to introduce you to Automator in OSX.

Using a pdftk binary for OSX and the Automator workflow above, all I need to do now is select my two PDF documents (Set A and B), right-click, then select ‘Duplex Merge PDF’s’. After that, I’ll have a nice merged.pdf file on my desktop with the pages in order.

(The shell script uses pdftk to make a /tmp/2.pdf file that’s the set 2,4,6,8, copies Set A to /tmp/1.pdf and then pipes both through some PDF tools built into OSX to merge the sets into 1,2,3,4, etc.)

Who needs to spend lots of money on a duplex scanner hey?


Apple feeling slow?

January 12th, 2011

Is your Apple Mac feeling slow?

p.s. this is a joke, don’t actually do it


Symfony not sortable in CRUD

January 1st, 2011

I’ve recently come across some problems with the CRUD generator in Symfony, so in case anyone out there is googling for a solution, I’ll try and help you along (or at least bump up the page references to the articles that helped me ;) )

I had a problem today where I was trying to use Symfony’s (1.4) generate-admin CRUD generator. The issue was that my column titles were not sortable when adjusting the fields to display in the generator.yml file:

config:
  actions: ~
  fields: ~
  list:
    batch_actions: {}
    object_actions: {}
    display: [pin, firstName, lastName, location, institution]
  filter:
    display: [firstName, lastName]
  form: ~
  edit: {}
  new: {}

The issue with the firstName and lastName fields is that, if they are written like first_name and last_name, they will fail to become sortable. I found the explanation in a blog post from a man with the same issue (Symfony 1.2).

Foreign keys not Sortable:
Another issue I had was that where there is a foreign key, the Symfony CRUD generator won’t know how to make that column sortable. I solved this by moving to ahAdminGeneratorThemesPlugin for the generate-admin modules. Read the README in that plugin and you’ll be sweet! :)



Happy New Year – Resolution #1, Network & Data

January 1st, 2011

It’s a new year and time to start getting new years resolutions into action. I’ve moved into my new area in the study so I’ve started setting it up how I like.

The first step is to get my router set up. The router I’m using is a little ‘fit-pc’ box with two ethernet cables. As you can see, it’s pretty tiny but doesn’t pack much in terms of power.


I’ve put the D-Link modem in bridge mode (so it just acts as a layer-two modem/bridge) and let my router establish the PPPoE session with my ISP and do all the routing with iptables (I’ve got to update my firewall script and the services running on the box, and post the how-tos for that later on). Now the little crappy D-Link thing doesn’t fall over and die when torrenting (having the router do all the routing and torrenting without hogging entries in the modem’s NAT table is always a good thing).

One of my new years resolutions is to digitise everything (and make it reliable to do so) so I don’t have to worry about any paper floating around in my life (I HATE paperwork). To do this, I want to add a few more features in my home network, whilst improving security (especially after my VoIP was hacked a while ago)

I’m splitting my network into ‘trusted’ and ‘not so trusted’ zones. The beauty is that because my router now has two NICs, putting a small 8-port switch into the equation will allow me to route traffic between these zones in a nice firewalled way.

I’d generally be lazy and put WPA-PSK security on the access point.

I feel safe doing this, from a zdnet article

All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters. I estimated that a truly random alpha-numeric 10-character pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack

I lol’d a bit where it says “.. you could run WEP (104 bit AKA 128) security, which might take a semi-skilled script kiddy using two PCs in an active attack configuration 10 minutes to break.”

At the moment, my wireless is secured by only a 64 bit WEP key (shock horror!) Why? Because I’ve got damn devices like the Nintendo DS sitting on here which I’ve been wasting a bit of time on lately that don’t support WPA.

I could hide my SSID, do MAC filtering and not run DHCP, all that jazz, but the end of the story is that this can all be bypassed by people who know what they’re doing (MAC addresses can be spoofed, and if you’re using your wireless network then you’re still broadcasting stuff).

I’m not terribly worried at the moment if someone hacks in: they can steal some of my crappy 1.5Mbit internet, they can print to my printer (have fun). My workstations themselves are to some degree protected, but what about when I build my file server and start storing bank statements, tax file numbers, all that stuff? The more layers of security the better! (I learnt this the hard way, trust me.)

As I’ve already said, the way I’m lessening my fear of these security problems is by splitting my network into trusted and not so trusted zones.

User isolation means that the wireless clients won’t be able to see each other on the network. I’ll allow traffic to and from certain devices on the trusted network (the printer, for instance), but to gain access to any of my secure boxes (fileserver, other workstations) wireless clients will have to first connect over WEP, then establish a secured VPN connection into the trusted zone. With this setup, even if someone breaks into my WiFi, good on them: they get crippled net access (I might throttle WiFi bandwidth to the net, not decided yet) and access to... well, my printer again *sigh*.

Network stack lol!


New Network

December 28th, 2010

So I’ve moved back home with the family now. One thing I’ve been meaning to do is to digitise my life and get set up on the cloud. I think it’ll be really basic to start off with: VPN access into my home network, firewall everything off, then create a few layers in the network.

The issue is that I want to go paperless. I want to set up a ZFS fileserver to store and snapshot all my data, with remote encrypted backups of important documents and the like. I want to make sure hackers can’t get in and take any of this data or gain access to the network. The problem is my DS still needs WEP to get on the net. I’m thinking of splitting my network into two subnets, one for wireless and one for wired devices, and just allowing things like the printer and SSH access to the fileserver through the firewall into the LAN subnet.

I’ll be blogging the setup of my new computer, my fileserver and home network setup. Before I can really dig into this though, I need to get my study set up.