Saturday 26 March 2011

Cisco VPN on Ubuntu 10.10 64bit Howto

So with the help of the Ubuntu guys on LinkedIn I have now managed to get my laptop running Ubuntu 10.10 64bit to connect via Cisco VPN.

Here is the solution to the problem.

1. Install vpnc package:
root> sudo apt-get install vpnc

2. Create the connect script: copy the contents below into a file called vpnconnect, place it somewhere on your PATH and make it executable (chmod +x vpnconnect):

#!/bin/sh
# --local-port 0 lets vpnc pick a random source port; --enable-1des permits
# single DES and should only be used if the gateway insists on it.
sudo vpnc --local-port 0 --enable-1des /etc/vpnc/vpn.conf

3. Copy over the .pcf file used by the Windows Cisco VPN client and use this as a basis for step 4.

4. We now need to create the vpn.conf file in the /etc/vpnc directory. The contents of this file are as follows:

IPSec ID <your ipsec id>
IPSec gateway <your gateway address>
IPSec secret <your ipsec secret>

Xauth username <your username>
Xauth password <your password>
IKE Authmode psk

Replace <your ipsec id> and <your gateway address> with the GroupName and Host values from the pcf file. The group password is stored in the pcf as enc_GroupPwd, which is only obfuscated rather than encrypted: you can paste that value into the form on this webpage and it will return the cleartext value for <your ipsec secret>. Alternatively, the vpnc package ships cisco-decrypt, which does the same thing locally, so the group secret never has to be handed to a third-party website.

<your username> and <your password> should be obvious. Note that this file holds the group secret and your password in clear text, so make it readable by root only (chmod 600 /etc/vpnc/vpn.conf). If you would rather not keep the password on disk at all, leave the Xauth password line out and vpnc will prompt for it when it starts.

You now have everything required to connect, so run the script:

user> vpnconnect

After a few seconds it should come back with the message:

VPNC started in background

And give you a process id.


You should now be connected to the VPN.
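The steps above can be scripted. The following is an added example, not the author's script: it reads the Host, GroupName, enc_GroupPwd and Username keys that a Cisco .pcf profile carries, writes a vpnc configuration with mode 600, uses cisco-decrypt for the group secret when it is installed (otherwise it leaves the placeholder from step 4 in place), and deliberately omits the Xauth password so vpnc prompts for it. The sample profile in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: build a vpnc configuration
# from a Cisco .pcf profile. Assumed .pcf keys (as found in Cisco profiles):
# Host, GroupName, enc_GroupPwd, Username.

# pcf_get KEY FILE: value of "KEY=" from the INI-style profile, CR stripped
pcf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr -d '\r' | head -n 1
}

# pcf_to_vpnc PCF OUT: write OUT from PCF; returns 1 if mandatory keys are missing
pcf_to_vpnc() {
    pcf=$1
    out=$2
    host=$(pcf_get Host "$pcf")
    group=$(pcf_get GroupName "$pcf")
    user=$(pcf_get Username "$pcf")
    enc=$(pcf_get enc_GroupPwd "$pcf")

    if [ -z "$host" ] || [ -z "$group" ]; then
        echo "$pcf: Host and GroupName are required" >&2
        return 1
    fi

    # enc_GroupPwd is only obfuscated. cisco-decrypt (shipped with the vpnc
    # package) recovers it locally, so the secret is never pasted into a web form.
    if [ -n "$enc" ] && command -v cisco-decrypt >/dev/null 2>&1; then
        secret=$(cisco-decrypt "$enc")
    else
        secret='<your ipsec secret>'
    fi

    umask 077                      # create the file unreadable by other users
    {
        echo "IPSec gateway $host"
        echo "IPSec ID $group"
        echo "IPSec secret $secret"
        echo "IKE Authmode psk"
        echo "Xauth username ${user:-<your username>}"
        # No "Xauth password" line: vpnc prompts for it at connect time
    } > "$out"
    chmod 600 "$out"
}

# Usage: sudo ./pcf2vpnc.sh work.pcf /etc/vpnc/vpn.conf
# (a constructed work.pcf with Host=, GroupName=, enc_GroupPwd= and Username=
# lines under [main] is all it needs)
if [ "$#" -eq 2 ]; then
    pcf_to_vpnc "$1" "$2"
fi
```

Run it as root so the output can land in /etc/vpnc, then start the connection with the vpnconnect script from step 2; vpnc will ask for the Xauth password since it is not in the file.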

Saturday 19 March 2011

Cisco vpn and ubuntu 10.10 64 bit - can't get it to work! :(

UPDATE: This is now working thanks to help via LinkedIn! The solution is contained within this blog entry



So, having received a new work laptop, I thought I would take the bold step of trying to remove Microsoft from my desktop and therefore installed Ubuntu 10.10 instead of Windows. I do however have a Windows VM for the tasks I cannot move across.

One of the outstanding tasks for me to move to ubuntu is connecting to our work Cisco vpn.

I installed the vpnc plugin into the network manager and then imported our pcf file.

Connecting with this produces a "vpn connection failed" message; looking in the syslog file I find this section:

Mar 19 19:36:37 hostname NetworkManager[1113]: <info> Starting VPN service 'org.freedesktop.NetworkManager.vpnc'...
Mar 19 19:36:38 hostname NetworkManager[1113]: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 3232
Mar 19 19:36:38 hostname NetworkManager[1113]: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' appeared, activating connections
Mar 19 19:36:43 hostname NetworkManager[1113]: <info> VPN plugin state changed: 3
Mar 19 19:36:43 hostname NetworkManager[1113]: <info> VPN connection 'Cisco VPN' (Connect) reply received.
Mar 19 19:36:43 hostname kernel: [ 2066.184830] tun0: Disabled Privacy Extensions
Mar 19 19:36:43 hostname NetworkManager[1113]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Mar 19 19:36:43 hostname NetworkManager[1113]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Mar 19 19:36:43 hostname modem-manager: (net/tun0): could not get port's parent device
Mar 19 19:36:44 hostname avahi-daemon[1111]: Withdrawing workstation service for tun0.
Mar 19 19:36:44 hostname NetworkManager[1113]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Mar 19 19:36:44 hostname NetworkManager[1113]: <warn> VPN plugin failed: 1
Mar 19 19:36:44 hostname NetworkManager[1113]: <info> VPN plugin state changed: 6
Mar 19 19:36:44 hostname NetworkManager[1113]: <info> VPN plugin state change reason: 0
Mar 19 19:36:44 hostname NetworkManager[1113]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.

So, as can be seen, it all seems to fall apart when it could not get the port's parent device. I did some googling and found this link, which suggests it is a bug in iproute2.

So I have therefore tried the following steps to recompile iproute2:

IPTABLES: Upgrade to latest version:
Download latest tar from www.netfilter.org
tar -xvf iptables-1.4.10.tar
cd iptables-1.4.10
./configure
make
sudo make install

Install additional libraries and programs:
libdb4.8++-dev
bison
libatm1-dev
sudo apt-get install flex

Linked the Ubuntu src directory:
sudo ln -s /usr/src/linux-headers-2.6.35-27-generic /usr/src/linux

Downloaded the latest version of iproute2 from:
http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2

tar -xvf iproute-2.2.6.38.tar
cd iproute-2.2.6.38
cd lib
edit iproute.c to apply the patch
cd ..
edit the Makefile to have the correct path to db_185.h
export KERNEL_INCLUDE=/usr/src/linux/include
./configure
make
sudo make install

I then rebooted and tried again.  Only to receive the same error in the log.

Anyone got any more ideas as to what is going wrong and what I can do to fix it?

Published with Blogger-droid v1.6.7

Thursday 17 March 2011

how to compile Apache 2.2 and openssl to support SNI

With later versions of Apache 2.2 it is possible to build a system that supports SNI (Server Name Indication), a TLS extension in which the client sends the hostname it wants during the handshake. This allows you to host multiple SSL websites on the same IP address; it is effectively the SSL equivalent of host headers.

I found surprisingly little information on the internet as to how to get this to work, so I thought I would create this to show how it is done!

The installation was performed on a virtual machine running opensuse 11.1 32bit, however I would imagine other Linux/unix versions would be similar.

First, the OpenSSL that the openSUSE installation provides is not built with TLS extension (tlsext) support, which SNI depends on, so it has to be recompiled before we can continue.

So, first back up the existing openssl executable:

root> cp /usr/bin/openssl /usr/bin/openssl.orig

Now download the latest OpenSSL source from www.openssl.org and place it in /tmp. When I did this the version available was 1.0.0d, so the rest of the document references that version. Note that with --prefix=/usr the new libssl and libcrypto replace the distribution's copies under /usr/lib, so everything linked against the packaged OpenSSL picks them up and a later package update may overwrite them again; installing under a separate prefix such as /usr/local/openssl and pointing Apache's --with-ssl at it avoids both problems. Extract the tar file and install it with the following commands:

root> cd /tmp
root> tar -xvzf openssl-1.0.0d.tar.gz
root> cd openssl-1.0.0d
root> ./config --prefix=/usr --openssldir=/usr/local/openssl enable-tlsext shared
root> make
root> make install

Openssl is now installed, so we confirm this by checking the version, with the following command:

root> openssl version

This should return the version installed, ie 1.0.0d

So we can now move onto the Apache installation, download the latest Apache 2.2 from www.apache.org, and place it in /tmp. I downloaded version 2.2.17, so will reference this version from this point forwards.

Compile and install it with these commands (--with-ssl takes the OpenSSL install prefix, i.e. the directory holding include/ and lib/, which is /usr given the config line above):

root> cd /tmp
root> tar -xvzf httpd-2.2.17.tar.gz
root> cd httpd-2.2.17
root> ./configure --prefix=/usr/local/apache-2.2.17 --with-mpm=worker --enable-deflate --enable-mime-magic --enable-proxy --enable-ssl --with-ssl=/usr --disable-status --enable-vhost-alias --disable-cgid --disable-userdir --enable-rewrite --enable-mods-shared='isapi file_cache cache disk_cache mem_cache ext_filter expires headers usertrack unique_id status info cgi cgid speling'
root> make
root> make install

Apache should now be installed into the /usr/local/apache-2.2.17 directory.

I then like to symlink it to /usr/local/apache so run the command:

root> ln -s /usr/local/apache-2.2.17 /usr/local/apache

We now need to configure SSL to use SNI. First make sure Apache will load the SSL configuration: uncomment the following line in /usr/local/apache/conf/httpd.conf:

Include conf/extra/httpd-ssl.conf

We now need to create the ssl configuration file. For test purposes, we will create a new one, so let's move the old one out of the way:

root> cd /usr/local/apache/conf/extra
root> mv httpd-ssl.conf httpd-ssl.conf.orig

Now recreate the httpd-ssl.conf file with the following contents:


# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
DocumentRoot /www/example1
ServerName www.example.com

# Other directives here

</VirtualHost>

<VirtualHost *:443>
DocumentRoot /www/example2
ServerName www.example2.org

# Other directives here
</VirtualHost>

 

Save this file.

Next we need to create stubs for the two sites mentioned in the file above.  So lets create these now:

root> cd /
root> mkdir www
root> cd www
root> mkdir example1
root> mkdir example2

We are now in a position to try and start apache:

root> cd /usr/local/apache/bin
root> ./apachectl start

You should find that apache returns with no errors, however upon checking with the following command:

root> ps -ef |grep http

You will find it is not running. That apachectl printed nothing only tells you the configuration parsed; the definitive sign of SNI support is in the error log. A mod_ssl built without TLS extensions refuses name-based SSL vhosts with "Init: You should not use name-based virtual hosts in conjunction with SSL!!", whereas an SNI-capable build merely warns that name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). You can also confirm that modules/mod_ssl.so links against the newly built library with ldd modules/mod_ssl.so.

If you look in the error logs in /usr/local/apache/logs you will see that it is missing information about the ssl certificates.

This is now configured in the usual way you would do for a single SSL website, so will not be covered here.  To run multiple sites, each site definition in the httpd-ssl.conf file can now reference different certificates.
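As an added example (not from the original post), here is a complete httpd-ssl.conf for the two sites above with a certificate per vhost. The certificate and key paths under /etc/apache-certs/ and the chain file name are assumptions; substitute your own.

```apache
# Added example, not from the original post: httpd-ssl.conf with one
# certificate per SNI vhost. Paths under /etc/apache-certs/ are assumed.
Listen 443
NameVirtualHost *:443

# Clients that send no server name (e.g. IE on Windows XP) get the first
# vhost below; switching this to "on" would refuse them instead.
SSLStrictSNIVHostCheck off

# Protocol and cipher settings shared by every vhost
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5

<VirtualHost *:443>
    # First, so it is the default for non-SNI clients
    ServerName www.example.com
    DocumentRoot /www/example1
    SSLEngine on
    SSLCertificateFile      /etc/apache-certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/apache-certs/www.example.com.key
    SSLCertificateChainFile /etc/apache-certs/example-ca-chain.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example2.org
    DocumentRoot /www/example2
    SSLEngine on
    SSLCertificateFile      /etc/apache-certs/www.example2.org.crt
    SSLCertificateKeyFile   /etc/apache-certs/www.example2.org.key
    SSLCertificateChainFile /etc/apache-certs/example-ca-chain.crt
</VirtualHost>
```

Keep the key files root-owned and mode 600; Apache reads them as root before dropping privileges. To check that SNI is actually in use, run openssl s_client -connect 127.0.0.1:443 -servername www.example2.org and look at the subject of the certificate returned; the same command without -servername should return the www.example.com certificate, because that vhost is listed first.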

A word of note however: not all browsers send SNI, which is required for this to work. Clients that do not send it are served by the first site defined in httpd-ssl.conf, so that should be the default site (and SSLStrictSNIVHostCheck must stay off, otherwise they are refused outright). The list of such clients is wide-ranging and can be found with a quick internet search. One surprise for me is that Internet Explorer 8 on Windows XP does not send SNI, whereas on Windows Vista and later it does.

I hope this helps getting SNI working with Apache.
Published with Blogger-droid v1.6.7

Sunday 13 March 2011

quick point in time Oracle database recovery on Netapp

As we have now started to move our production databases onto the Netapp, we thought we should do some testing to prove it can yield advantages in our infrastructure.

To summarise our setup first, we have three elements to our database setup on netapp:

1. The database server - this holds Oracle home, redo logs and controlfile
2. Netapp cluster node a - this holds the dbfs for the database, along with the controlfile
3. Netapp cluster node b - this holds the redo logs, flash recovery area (including archive log) and controlfile

We therefore think this offers us enough resilience in that we can lose any one of the above three elements in our setup without any data loss.

The NetApp volumes (items 2 and 3 above) are snapshotted every 2 hours during the working day to keep restoration time short should anything happen. A cron job on the Oracle host coordinates this: it puts the database into hot backup mode before the snapshots are taken, so that they are consistent, and also backs up the controlfile to trace so that it can be recreated if necessary.

In this test we wanted to restore a database to a time prior to a corruption occurring.

The tests were carried out on a production database, so we therefore wanted a way to simulate this. So we performed the following.

1. Ran the database backup script - this produced Netapp snapshots of both the dbf and logs volumes - time A

2. Created a test user in the database and created a test table A under this schema - time B

3. Waited 5 minutes

4. Created a test table C under our test user schema - time C

5. Ran our database backup script again - time D

In our test we then assumed the corruption occurred just before creating the second table, ie just before time C, we therefore wanted to restore the database to a time between B and C, whereby our test user should only have 1 object (table A).

We obviously did not want to do this restoration against a production database, so we would identify the files we would need and would copy these to another database server and restore it there, effectively making a copy of the database at a time between B and C.

First, we need to identify the dbf snapshot, from before the corruption, ie that created at time A above. Login to the Netapp and issue the command:

snap list DBF_VOLUME

Where DBF_VOLUME is replaced with the volume name of your volume containing the dbfs.

This will produce a list of snapshots against the volume. From this list it should be easy to find the one corresponding to our time A.

We then need to go into this snapshot directory and copy its contents to our separate database host.

Next we need to identify the snapshot containing the logs from a time after the restore point, ie time D.

Repeat the snap list command against the logs volume and identify the one corresponding to time D. Copy the contents of this snapshot to our separate database host.

We now have everything to restore our database.

First, as this is a secondary host, the file locations may be different, so we edit the trace version of the controlfile script to reflect the new locations.

Once this is done, we run it against the down database on the secondary host to recreate the controlfile.

Next, we need to issue the recover database command to roll the database forward from time A to a time between B and C. To do this login to the database as the sys user as sysdba:

sqlplus / as sysdba

Then recover the database:

sqlplus> recover from '.....' database until time '#time#';

Where the ..... is the location of the flash recovery area on the secondary Oracle host and #time# is a time between time B and C in the format: yyyy-mm-dd:hh24:mi:ss

You may find that the recovery still asks for the archivelog files in turn, if it does, type in the actual location - there should not be many as the period of time we are covering is small (just over 5 minutes)

Once the recovery is finished it should return the message:

Media recovery complete

We now need to open the database, however as we have done a point in time recovery, we need to add the resetlogs parameter:

sqlplus> alter database open resetlogs;

We can now log in as the test user and confirm that it only contains table A.

We have proved the concept works and by regularly (every 2 hours) snapshotting the database this method of restoration should remain quick and allow us to respond well to the demands of the business.
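The backup side of this procedure (the cron job that brackets the snapshots with hot backup mode) and the UNTIL TIME value used at recovery are the two places where a small mistake silently produces an unusable restore. The script below is an added example, not the author's cron job: filer hostname, volume names and the FRA path are assumptions. It snapshots the datafile volume while the database is in backup mode, leaves backup mode even if a snapshot fails, switches and archives the current log before snapshotting the log volume (so the redo needed to roll forward is on the snapshot; this ordering is my choice, the post does not state the author's), and refuses a recovery time that is not in the yyyy-mm-dd:hh24:mi:ss format SQL*Plus expects.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed names: FILER, DBF_VOL and
# LOG_VOL come from the environment; sqlplus is on the PATH and ssh keys are
# set up for the filer. Run as the oracle user with ORACLE_SID exported.

FILER=${FILER:-netapp-a}           # assumed filer that answers 'snap create'
DBF_VOL=${DBF_VOL:-DBF_VOLUME}     # volume holding the datafiles
LOG_VOL=${LOG_VOL:-LOG_VOLUME}     # volume holding redo, archive logs and FRA

# run_sql: feed SQL from stdin to SQL*Plus as SYSDBA, failing on the first error
run_sql() {
    { printf 'WHENEVER SQLERROR EXIT FAILURE;\n'; cat; } | sqlplus -s / as sysdba
}

# snap_create VOLUME NAME: take a snapshot on the filer
snap_create() {
    ssh "$FILER" snap create "$1" "$2"
}

# snapshot_backup [NAME]: datafiles are snapshotted inside backup mode; the
# log volume only after END BACKUP and a log switch. END BACKUP runs even when
# a snapshot fails: a database left in backup mode keeps generating extra redo
# and the next restore would be inconsistent.
snapshot_backup() {
    name=${1:-hot_$(date +%Y%m%d_%H%M)}
    rc=0
    printf 'ALTER DATABASE BEGIN BACKUP;\n' | run_sql || return 1
    snap_create "$DBF_VOL" "$name" || rc=1
    {
        printf 'ALTER DATABASE END BACKUP;\n'
        printf 'ALTER SYSTEM ARCHIVE LOG CURRENT;\n'
        printf 'ALTER DATABASE BACKUP CONTROLFILE TO TRACE;\n'
    } | run_sql || rc=1
    snap_create "$LOG_VOL" "$name" || rc=1
    return $rc
}

# valid_until_time VALUE: the format the post uses, yyyy-mm-dd:hh24:mi:ss.
# Anything else is rejected rather than silently recovering to the wrong point.
valid_until_time() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]:[0-2][0-9]:[0-5][0-9]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# pitr_sql FRA_PATH UNTIL_TIME: print the recovery statements for the copy on
# the secondary host; prints nothing and fails if the time is malformed.
pitr_sql() {
    valid_until_time "$2" || return 1
    printf "RECOVER FROM '%s' DATABASE UNTIL TIME '%s';\n" "$1" "$2"
    printf 'ALTER DATABASE OPEN RESETLOGS;\n'
}

# Usage: ./dbsnap.sh backup [NAME]      (from cron on the production host)
#        ./dbsnap.sh recover /u02/fra 2011-03-13:14:05:00   (on the secondary host)
case ${1:-} in
    backup)  snapshot_backup "$2" ;;
    recover) pitr_sql "$2" "$3" | run_sql ;;
esac
```

The recover mode assumes the datafiles and archive logs have already been copied from the two snapshots and the controlfile recreated, as described above; it only issues the RECOVER and OPEN RESETLOGS statements.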
Published with Blogger-droid v1.6.7

Sunday 6 March 2011

HTC Desire vs BlackBerry 9800 Torch

So after having my htc desire for a few months, it was suggested I try out the blackberry torch as it would address one of my complaints of the desire - that of connectivity to our novell messenger service.

Well, after trying it out for a weekend I can not wait to get my htc back tomorrow!

Whilst it is true that I can use novell messenger with the blackberry - the web browser and keyboard has absolutely done my head in!

The web browser on the BlackBerry is often very unresponsive; sometimes it will work perfectly, then at other times it will not respond to clicking links until you hold your finger down on the link until the popup appears and you can then select open link. I never had any problems like this with the HTC.

On the BlackBerry the slide-out keyboard is too small, resulting in many incorrect keypresses. The on-screen keyboard does not provide feedback to keypresses like the HTC does. Also, it does not appear possible with either keyboard to hold down the alt key; for instance, if you wish to write something in capitals you have to press alt before each character, whereas on the HTC a second press of the upper case key keeps it in upper case mode until you press it again.

Then we come onto applications, a lot of the stuff I had working on the htc, I have not managed on the blackberry, eg maps - it never displays for me, navigation, geocaching - charged for on blackberry, etc, etc

On the plus side the camera on the blackberry is much better than that on the htc!

So all in all, I find the blackberry fine for the occasional email, etc, in terms of making my life easier, please bring back my htc!

Wednesday 2 March 2011

iSCSI LUN alignment with SQL Server and NetApp

How to get totally confused in one easy step! Had some one-to-one Netapp training today, and came up with an issue that had both of us scratching our heads. We still don't fully know the answers!

It started with us running our performance autosupport file through the Netapp partner tool. This indicated misalignment on one of our luns.

Knowing that the NetApp block size is 4k (4096 bytes), we checked the starting offset of the disk with msinfo32.exe (in C:\Windows\servicepackfiles\I386). This showed an offset of 32256; dividing by 4096 gives 7.875, i.e. the partition starts 3584 bytes (seven 512-byte sectors) past a 4k boundary, which confirmed the blocks were out of alignment.

We therefore did some more digging and found this article:

http://msdn.microsoft.com/en-us/library/dd758814(v=sql.100).aspx

Working through this, it appears that 32256 is the default and the Disk Management tool gives no way to change it; the solution is to use diskpart.

We therefore destroyed the partition and set about recreating it with the diskpart commands:

diskpart
list disk
select disk <number>
create partition primary align=32
assign letter=<drive letter>

We then went back into the disk management tool and formatted it as ntfs.

Upon checking in the msinfo32 tool again, the offset is now 32768, and therefore directly divisible by 4096.

So far so good.

Let's check the alignment, to do this we set off a large copy of data to the Lun and in another window set off a perfstat to the filer with a 1 minute duration. Perfstat can be downloaded from the software area of the Netapp website.

We then checked the perfstat output file, searching for the string "perfstat_lun" which is at the start of the section we are interested in.

Here we found that the writes were going to bucket 1, i.e. 512 bytes out of alignment (all reads and writes should fall in bucket 0 when aligned).

Strange! The offset is divisible by 4096, but is out of alignment by 512. When the offset was 512 less, we were still showing misalignment!

So we thought, let's recreate the Lun again with the original offset (32256), by using the disk management tool again.

Repeating the test by writing data and running a perfstat job at the same time. Thus time the report showed all the writes into bucket 0!

Even stranger, the LUN is now in alignment with the same settings as the original!

So why is it now in alignment when it originally wasn't?

How come it is in alignment when the starting offset is not divisible by 4096?

All we seem to have learnt from this is how to check for misaligned LUNs, not how to choose a suitable offset once misalignment is found. It does, however, appear to be worth recreating a LUN with the same settings if misalignment is reported.