Does every geek take a photo of Google in Zürich?

Maybe not all… my colleagues wouldn’t have gone there if I hadn’t said something…

To be honest, I would have expected something a little bit more shiny/geeky/… to take a picture of (anyway, if you don’t see it: I have a real smile on my face in the picture, so the geek in me enjoyed taking the photo).

Alexander Leidinger in front of Google CH

Google CH


Complete network loss on Solaris 10u10 CPU 2012-10 on virtualized T4-2

The problem I see at work: a T4-2 with 3 guest LDOMs, virtualized disks and networks, lost complete network connectivity “out of the blue” once, and maybe “sporadically” directly after a cold boot. After a lot of discussion with Oracle, I have the impression that we have two problems here.

1st problem:
Total network loss of the machine (no zone, no guest LDOM and not even the primary LDOM was able to receive or send IP packets). This happened once. No idea how to reproduce it. In the logs we see the message “[ID 920994 kern.warning] WARNING: vnetX: exceeded number of permitted handshake attempts (5) on channel xxx”. According to Oracle this is supposed to be fixed in 148677-01, which will come with Solaris 10u11. They suggested using a vsw interface instead of a vnet interface in the primary domain to at least lower the probability of this problem hitting us. They were not able to tell us how to reproduce the problem (it seems to be a race condition, at least I get this impression from the description of the Oracle engineer handling the SR). Only a reboot solved the problem. I was told we are the only client which reported this kind of problem; the patch for it is based upon an internal bug report from internal tests.

2nd problem:
After cold boots, sometimes some machines (not all) are not able to connect to an IP on the T4. A reboot helps, as does removing an interface from an aggregate and directly adding it again (see below for the system config). To try to reproduce the problem, we did a lot of warm reboots of the primary domain, and the problem never showed up. We did some cold reboots, and the problem showed up once.

In case someone else sees one of those problems on their machines too, please get in contact with me, so we can see what we have in common, try to track this down further, and share info which may help in reproducing the problems.

System setup:

  • T4-2 with 4 HBAs and 8 NICs (4 * igb on-board, 4 * nxge on an additional network card)
  • 3 guest LDOMs and one io+control domain (both in the primary domain)
  • the guest LDOMs use SAN disks over the 4 HBAs
  • the primary domain uses a mirrored zpool on SSDs
  • 5 vswitches in the hypervisor
  • 4 aggregates (aggr1 – aggr4 with L2 policy), each one with one igb and one nxge NIC
  • each aggregate is connected to a separate vswitch (the 5th vswitch is for machine-internal communication)
  • each guest LDOM has three vnets, each vnet connected to a vswitch (1 guest LDOM has aggr1+2 only for zones (via vnets), 2 guest LDOMs have aggr3+4 only for zones (via vnets), all LDOMs have aggr2+3 (via vnets) for global-zone communication, and all LDOMs are additionally connected to the machine-internal-only vswitch via the 3rd vnet)
  • the primary domain uses 2 vnets connected to the vswitches which are connected to aggr2 and aggr3 (consistency with the other LDOMs on this machine) and has no zones
  • this means each entity (primary domain, guest LDOMs and each zone) has two vnets, and those two vnets are configured in a link-based IPMP setup (vnet-linkprop=phys-state)
  • each vnet has VLAN tagging configured in the hypervisor (with the zones being in different VLANs than the LDOMs)

The change proposed by Oracle is to replace the 2 vnet interfaces in the primary domain with 2 vsw interfaces (which means doing the VLAN tagging directly in the primary domain instead of in the vnet config). To have IPMP working, this means having vsw-linkprop=phys-state. We have two systems with the same setup; on one system we already changed this, and it is working as before. As we don’t know how to reproduce the 1st problem, we don’t know if the problem is fixed or not, respectively what the probability is of getting hit again by this problem.

Ideas / suggestions / info welcome.
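Since the only trace the 1st problem leaves before the network is gone is the vnet handshake warning quoted above, it is worth watching /var/adm/messages for it. The following is an added example (my code, not from the original post and not from Oracle) that scans a messages-style log for that warning and reports the affected vnet/channel pairs; it also builds the dladm command pair for the workaround of the 2nd problem. The log lines are constructed, and the dladm remove-aggr/add-aggr syntax with a numeric aggregate key is assumed from the Solaris 10 dladm(1M) man page.

```python
"""Added example: detect the vnet LDC handshake warning in a Solaris
/var/adm/messages style log and name the affected vnet/channel pairs.
The sample log lines below are constructed, not taken from a real system."""
import re
from collections import Counter

# Pattern for the message quoted in the post. Message ID, interface name,
# attempt limit and channel are captured so an alert can say which vnet failed.
VNET_HANDSHAKE_RE = re.compile(
    r"\[ID (?P<msgid>\d+) kern\.warning\] WARNING: (?P<vnet>vnet\d+): "
    r"exceeded number of permitted handshake attempts \((?P<limit>\d+)\) "
    r"on channel (?P<chan>\w+)"
)

# Constructed sample in the usual Solaris syslog layout (date, host, module, ID, text).
SAMPLE_MESSAGES = """\
Oct 12 03:14:07 t4host vnet: [ID 920994 kern.warning] WARNING: vnet0: exceeded number of permitted handshake attempts (5) on channel 3
Oct 12 03:14:07 t4host vnet: [ID 920994 kern.warning] WARNING: vnet1: exceeded number of permitted handshake attempts (5) on channel 4
Oct 12 03:14:09 t4host vnet: [ID 920994 kern.warning] WARNING: vnet0: exceeded number of permitted handshake attempts (5) on channel 3
Oct 12 03:15:00 t4host unix: [ID 000000 kern.notice] constructed unrelated line
"""


def find_handshake_failures(text):
    """Return a Counter mapping (vnet, channel) -> number of warnings seen."""
    hits = Counter()
    for line in text.splitlines():
        m = VNET_HANDSHAKE_RE.search(line)
        if m:
            hits[(m.group("vnet"), m.group("chan"))] += 1
    return hits


def should_alert(hits, threshold=1):
    """True when any vnet/channel pair reached the threshold. The post reports
    that a single occurrence went with total network loss, so default is 1."""
    return any(n >= threshold for n in hits.values())


def aggr_bounce_commands(aggr_key, device):
    """The workaround for the 2nd problem: take one NIC out of the aggregate
    and put it straight back. Syntax assumed from Solaris 10 dladm(1M), where
    an aggregate is addressed by its numeric key (e.g. 1 for aggr1)."""
    return [
        f"dladm remove-aggr -d {device} {aggr_key}",
        f"dladm add-aggr -d {device} {aggr_key}",
    ]


if __name__ == "__main__":
    hits = find_handshake_failures(SAMPLE_MESSAGES)
    for (vnet, chan), n in sorted(hits.items()):
        print(f"{vnet} channel {chan}: {n} warning(s)")
    if should_alert(hits):
        print("ALERT: vnet handshake failures seen; check vnet/vsw linkprop and plan a reboot")
    print("\n".join(aggr_bounce_commands(1, "nxge0")))
```

In production the text would come from tailing /var/adm/messages (or a syslog forwarder), and the alert would be raised before users notice, since a reboot is the only fix reported for the 1st problem.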

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one called Feitian PKI Smartcard, and one called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. It does not seem to handle DSA (or ECDSA) keys. Their smartcard quick starter guide (the “Tuning smartcard file system” part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card says that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features among the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.
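Before buying a card it pays to check whether the keys already in the keyring fit its limits (algorithm, key size, number of slots), since a 4096-bit RSA key or an old DSA key will simply not load. The following is an added example (my code, not from the original post, GnuPG or either card vendor) that reads the machine-readable `gpg --list-keys --with-colons` output and compares every pub/sub key against the card limits stated above. The keyring listing is constructed; the card profiles are the figures from the post, and the algorithm IDs are the OpenPGP ones (RFC 4880) that GnuPG prints in field 4.

```python
"""Added example: check which keys in a GnuPG keyring would fit on the
crypto cards discussed in the post. Input is the `--with-colons` format
(fields: type, validity, bits, algo, keyid, created, expires, ...).
The sample listing below is constructed."""

# Card profiles as described in the post: maximum RSA size and key slots.
CARD_LIMITS = {
    "Feitian PKI": {"max_rsa_bits": 2048, "slots": 9},
    "OpenPGP card (spec)": {"max_rsa_bits": 3072, "slots": 3},
    "OpenPGP card (GnuPG >= 2.0.18)": {"max_rsa_bits": 4096, "slots": 3},
}

# OpenPGP public-key algorithm IDs (RFC 4880) as printed in field 4.
RSA = 1
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed --with-colons listing: one 4096-bit RSA key with an RSA subkey,
# and an older DSA key with an Elgamal subkey (the pre-2010 GnuPG default).
SAMPLE_COLONS = """\
tru::1:1350000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1350000000:::u:::scESC:
uid:u::::1350000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:4096:1:FEDCBA9876543210:1350000000::::::e:
pub:u:1024:17:1111111111111111:1150000000:::u:::scaSC:
uid:u::::1150000000::1111111111111111111111111111111111111111::Old Key <old@example.org>:
sub:u:2048:16:2222222222222222:1150000000::::::e:
"""


def parse_keys(colons_text):
    """Return a list of (keyid, algo, bits) for every pub and sub record."""
    keys = []
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            keys.append((fields[4], int(fields[3]), int(fields[2])))
    return keys


def check_card_fit(keys, card):
    """Return (keyid, reason) for every key the card cannot hold, plus a
    ('*', ...) entry when there are more keys than slots."""
    limits = CARD_LIMITS[card]
    problems = []
    for keyid, algo, bits in keys:
        if algo != RSA:
            name = ALGO_NAMES.get(algo, str(algo))
            problems.append((keyid, f"{name} not supported, card handles RSA only"))
        elif bits > limits["max_rsa_bits"]:
            problems.append((keyid, f"RSA {bits} exceeds card maximum of {limits['max_rsa_bits']} bits"))
    if len(keys) > limits["slots"]:
        problems.append(("*", f"{len(keys)} keys but only {limits['slots']} slots"))
    return problems


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_COLONS)
    for card in CARD_LIMITS:
        issues = check_card_fit(keys, card)
        print(f"{card}: {'fits' if not issues else 'does not fit'}")
        for keyid, reason in issues:
            print(f"  {keyid}: {reason}")
```

To run it against a real keyring, feed it the output of `gpg --list-keys --with-colons` (or `--list-secret-keys --with-colons` for the keys that would actually be moved). The slot count is per key; a card with 3 slots holds one signing, one encryption and one authentication key, so a primary key plus two subkeys already fills an OpenPGP card.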

Forcing a route in Solaris?

I have a little problem finding a clean solution to the following problem.

A machine with two network interfaces and no default route. The first interface gets an IP at boot time, and the corresponding static route is inserted into the routing table during boot without problems. The second interface only gets an IP address when the shared-IP zones on the machine are started; during boot the interface is plumbed but without any address. The networks on those interfaces are not connected and the machine is not a gateway (this means we have a machine-administration network and a production network). The static routes we want to have for the addresses of the zones are not added to the routing table, because the next hop is not reachable at the time the routing setup is done. As soon as the zones are up (and the interface gets an IP), a re-run of the routing setup adds the missing static routes.

Unfortunately I can not tell Solaris to keep the static route even if the next hop is not reachable at the moment (at least I have not found an option to the route command which does this).

One solution to this problem would be to add an address at boot to the interface which does not have an address at boot time (probably with the deprecated flag set). The problem is that this subnet (/28) does not have enough free addresses anymore, so this is not an option.

Another solution is to use a script which re-runs the routing setup after the zones are started. This is a pragmatic solution, but not a clean one.

As I understand the in.routed man page, in.routed is not an option with the default config, because the machine shall not route between the networks, and shall not change the routing based upon RIP messages from other machines. Unfortunately I do not know enough about it to be sure, and I do not get the time to play around with this. I have seen some interesting options regarding this in the man page, but playing around with this and sniffing the network to see what happens is not an option at the moment. Anyone with a config/tutorial for this “do not broadcast anything, do not accept anything from outside” case (if possible)?
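The pragmatic script mentioned above does not have to blindly re-run the whole routing setup; it can work out which static routes are addable yet and which still have to wait for the zones' interface. The following is an added example (my code, not from the original post or from Solaris) that models exactly that decision: it parses an /etc/inet/static_routes-style file (the argument syntax `route -p` writes), and classifies each route by whether its gateway lies on a subnet currently configured on some interface, which is the condition under which route(1M) will accept it. The routes file and the interface addresses are constructed; the names `routes_addable_now` and `add_routes` are mine.

```python
"""Added example: decide which static routes can be inserted now, given the
addresses configured on the interfaces, and retry the rest later. The
static_routes content and interface addresses below are constructed."""
import ipaddress
import subprocess

# Constructed /etc/inet/static_routes content in route(1M) argument syntax:
# -net/-host, optional -netmask, then the gateway. The second network is the
# production side reached via the /28 the post mentions.
SAMPLE_STATIC_ROUTES = """\
# File generated by route(1M) - do not edit.
-net 10.1.0.0 -netmask 255.255.0.0 192.168.10.1
-net 10.2.0.0/16 172.16.5.17
-host 10.3.0.7 172.16.5.17
"""


def parse_static_routes(text):
    """Return a list of (destination network, gateway address, original args)."""
    routes = []
    for line in text.splitlines():
        args = line.split()
        if not args or args[0].startswith("#"):
            continue
        kind, target = args[0], args[1]
        if kind == "-host":
            dest, gw = ipaddress.ip_network(target + "/32"), args[2]
        elif kind == "-net" and len(args) >= 5 and args[2] == "-netmask":
            dest, gw = ipaddress.ip_network(f"{target}/{args[3]}", strict=False), args[4]
        elif kind == "-net" and "/" in target:
            dest, gw = ipaddress.ip_network(target, strict=False), args[2]
        else:
            continue  # other route(1M) forms are not modelled here
        routes.append((dest, ipaddress.ip_address(gw), args))
    return routes


def gateway_reachable(gw, iface_addrs):
    """True if the next hop shares a subnet with a configured interface
    address, i.e. it is on a directly connected network."""
    return any(gw in ipaddress.ip_interface(a).network for a in iface_addrs)


def routes_addable_now(text, iface_addrs):
    """Split the static routes into those whose gateway is reachable from the
    given interface addresses (ready) and those that must wait (waiting)."""
    ready, waiting = [], []
    for _dest, gw, args in parse_static_routes(text):
        (ready if gateway_reachable(gw, iface_addrs) else waiting).append(args)
    return ready, waiting


def add_routes(args_list, dry_run=True):
    """Build `route add <args>` for each entry; run them unless dry_run."""
    cmds = [["route", "add"] + args for args in args_list]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


if __name__ == "__main__":
    # At boot only the administration interface has an address (constructed).
    at_boot = ["192.168.10.5/24"]
    # Once the zones are up the production interface has one too (constructed).
    after_zones = ["192.168.10.5/24", "172.16.5.20/28"]
    for label, addrs in (("at boot", at_boot), ("after zones", after_zones)):
        ready, waiting = routes_addable_now(SAMPLE_STATIC_ROUTES, addrs)
        print(f"{label}: {len(ready)} route(s) addable, {len(waiting)} waiting")
        for cmd in add_routes(ready):
            print("  " + " ".join(cmd))
```

Run for real, the script would read /etc/inet/static_routes, take the interface addresses from `ifconfig -a`, and be started from an SMF service that depends on the zones service, so it only ever adds the routes whose next hop has just become reachable instead of replaying the whole routing setup. It also does not turn the machine into a router: it only adds routes, nothing forwards between the two networks.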

Why are game console/TV companies not implementing this?

At the weekend a friend visited me. We had not seen each other for a long time. As we both studied computer science, parts of our discussion were of course technology related. Parts of the discussion were about current TVs and game consoles (he participated in the design of the PS3 CPU, so he is well aware of the technical limitations of the hardware the current game consoles use).

During our discussion we talked about the software limitations of such hardware.

Current TVs come for example with some predefined internet channels, but not with a real web browser. We think that for people who keep a TV for 10 years or longer (like for example our parents, and probably both of us too) this will result in a loss of features after some years, because those channels will get less attention or cease to exist at all. There is also no way to switch to alternatives then, except by buying a new TV (we expect that there will be no firmware update in such a case). With a real web browser this would not be an issue (it may be easier to enter URLs with a real keyboard than with a remote control, but let us take small steps here). Game consoles are a bit better in this regard, but there we have the problem that some websites are too memory hungry (they do not put the user agent of the game console browsers in the same class as smart phones or tablet PCs… from the screen size aspect they are not, but from the memory and computing power aspect they are more similar).

I would expect that the TV stations do not want to have TVs with really good browsers, because then you may not need a TV station anymore. But this is what users would use if it were there.

Another deficit is that there is no mail program in game consoles and TVs. For writing mails you need a real keyboard, but for a quick check if there is mail (e.g. X unread mails, or maybe even displaying the subject lines of the emails), or maybe to just read without answering, a solution without a keyboard connected would already be enough.

I expect that console manufacturers do not want to spend money on something people are not willing to pay much money for, respectively on something they cannot make money with (an email service from the console company would be another mail service in addition to the one for the PC and maybe the one of the smart phone… people do not need 10 email accounts, one is enough).

Another overlooked feature is some kind of VoIP+video feature (at least for the game consoles which optionally have a camera, but IMO this is also possible for the next generation of TVs with built-in webcams). At least the offerings from Sony and Microsoft are powerful enough to come with some kind of video conferencing software. It does not matter much if this is Skype or the Google version of this, or some other widespread one (MS surely wants to use their own stuff), it just has to be one which is in widespread use to be adopted by the people. This does not need to be in HD; even a small video would already be much more than what is available at the moment.

Basically I gave the answer to my question (the title of this posting) myself (except for the video conferencing stuff)… but on the other hand this would be something which could set a product apart from others. For the PS3 this may now be one of the things which could show up in the homebrew scene, now that the security of the PS3 is compromised. For the Wii at least the email part could easily be done. The rest… would have to catch up in case something like this shows up for the PS3 and is used extensively.