Let's say we want to block access to the creatively named www.badsite.com.
I bet you've already configured a DNS server on your router to resolve names; if not:
Router(config)# ip name-server 1.1.1.1 2.2.2.2
Router# ping www.techrepublic.com
Translating "www.techrepublic.com"...domain server (1.1.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.113.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#
To actually block the undesirable Web site, we need to create an access control list (ACL) to define exactly what we want to block. Here's an example:
Router(config)# access-list 101 deny tcp any host www.badsite.com eq www
Then permit all other web traffic (an ACL ends with an implicit deny, so without this line everything else on port 80 is dropped too):
Router(config)# access-list 101 permit tcp any any eq www
Check the access list in the router's running configuration:
Router# sh run | inc access-list 101
access-list 101 deny tcp any host 66.116.109.62 eq www log
IOS resolves the hostname when the entry is typed and stores the address, so the running config shows the IP; you can just as well block by address directly. Adding the log keyword records every match so it can be monitored with a syslog server, e.g. Kiwi Syslog Server.
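As an added example (not part of the original post), here is what a syslog server would do with the log messages that ACL entry produces: parse the IOS %SEC-6-IPACCESSLOGP lines and total the denied packets per internal source. The sample log lines are constructed for the demo; the router address, sequence numbers and hosts are made up.

```python
import re
from collections import Counter

# Constructed sample of what a syslog server receives when an ACL entry
# carries the "log" keyword (not real traffic; hosts are made up).
SAMPLE_SYSLOG = """\
Nov 17 09:12:01 10.0.0.1 1234: *Nov 17 09:12:00.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.25(1043) -> 66.116.109.62(80), 1 packet
Nov 17 09:12:05 10.0.0.1 1235: *Nov 17 09:12:04.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.25(1044) -> 66.116.109.62(80), 3 packets
Nov 17 09:13:10 10.0.0.1 1236: *Nov 17 09:13:09.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.77(2201) -> 66.116.109.62(80), 1 packet
Nov 17 09:13:30 10.0.0.1 1237: *Nov 17 09:13:29.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.25(1045) -> 192.0.2.40(80), 1 packet
Nov 17 09:14:00 10.0.0.1 1238: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IOS logs TCP/UDP ACL matches as IPACCESSLOGP with source(port) -> dest(port).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_by_source(text, acl="101"):
    """Sum the denied packet counts per source address for the given ACL number."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec and rec["acl"] == acl and rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return totals


if __name__ == "__main__":
    for src, packets in denied_by_source(SAMPLE_SYSLOG).most_common():
        print(f"{src}: {packets} denied packets")
```

IOS rate-limits these messages and reports aggregated counts ("3 packets"), which is why the count field is summed rather than lines being counted.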
Tuesday, November 17, 2009
TCPDump: Capture and Record Specific Protocols / Port
Q. How do I capture a specific protocol or port, such as 80 (HTTP), using the TCPDump tool under Linux / UNIX? How do I record traffic with TCPDump so that I can find problems later on?
A. TCPDump is a tool for network monitoring and data acquisition. It can save lots of time and can be used for debugging network or server related problems. Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.
Monitor all packets on eth1 interface
tcpdump -i eth1
Monitor all traffic on port 80 ( HTTP )
tcpdump -i eth1 'port 80'
Monitor all traffic on port 25 ( SMTP )
tcpdump -vv -x -X -s 1500 -i eth1 'port 25'
Where,
• -vv : More verbose output
• -x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.
• -X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
• -s 1500: Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
• -i eth1 : Monitor eth1 interface
Capturing traffic information using cronjobs
tcpdump can be used to find out about attacks and other problems. Let us say your webserver is facing a problem every day at midnight. Enter the following command into cron. It will capture 30,000 packets and write the raw data to a file called port.80.debug.txt:
@midnight /usr/sbin/tcpdump -n -c 30000 -w /root/port.80.debug.txt
Next day you can log into your box and read the /root/port.80.debug.txt file:
tcpdump -X -vv -r /root/port.80.debug.txt
This simple technique can be used to record and debug problems.
Further readings:
• man page tcpdump
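As an added example (not part of the original post), here is how the file written by the cron job above can be examined without tcpdump: a pure-Python reader for the classic pcap format that `tcpdump -w` produces, counting which clients sent packets to port 80. The sample capture is constructed inside the block, and `http_clients_from_file` is a hypothetical helper for a real file such as /root/port.80.debug.txt.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen=1500):
    """Wrap frames in a classic little-endian pcap file, as tcpdump -w writes on Linux."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1258416000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (ts_sec, frame_bytes) from pcap bytes, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]   # incl_len honours the capture snaplen
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                            # IP protocol field: 6 = TCP
        return None
    ip = frame[14:14 + ihl]
    ports = frame[14 + ihl:14 + ihl + 4]
    if len(ports) < 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ports)
    return src, sport, dst, dport


def http_clients(pcap_bytes, port=80):
    """Count packets per source address sent to the given TCP port."""
    counts = Counter()
    for _ts, frame in iter_packets(pcap_bytes):
        t = parse_tcp(frame)
        if t and t[3] == port:
            counts[t[0]] += 1
    return counts


def http_clients_from_file(path, port=80):
    """Hypothetical helper: run the same count over a capture file written by tcpdump -w."""
    with open(path, "rb") as f:
        return http_clients(f.read(), port)


# Constructed capture: two clients talking to a web server, one SMTP packet for contrast.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("203.0.113.5", "192.0.2.10", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_frame("203.0.113.5", "192.0.2.10", 40002, 80),
    build_tcp_frame("198.51.100.9", "192.0.2.10", 51000, 80),
    build_tcp_frame("198.51.100.9", "192.0.2.10", 51001, 25),
])

if __name__ == "__main__":
    for src, n in http_clients(SAMPLE_PCAP).most_common():
        print(f"{src}: {n} packets to port 80")
```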
Change MAC address of your Linux machine
1. First shut down eth0
ifdown eth0
2. Check your MAC address
ifconfig -a | grep HWaddr
3. Change to new mac address
ifconfig eth0 hw ether 00:11:09:11:69:80
4. Turn back on your eth0
ifup eth0
Exchange 2003 Server Database Repair with ESEUTIL
Public Folder Store
D:\Exchsrvr\bin\eseutil.exe -mh D:\Exchsrvr\mdbdata\pub1.edb
D:\Exchsrvr\bin\eseutil.exe -cc D:\Exchsrvr\mdbdata\pub1.edb
D:\Exchsrvr\bin\eseutil.exe -p (or) -r D:\Exchsrvr\mdbdata\pub1.edb (use this as a last resort)
D:\Exchsrvr\mdbdata\pub1.stm
Mailbox Store
D:\Exchsrvr\bin\eseutil.exe -mh D:\Exchsrvr\mdbdata\priv1.edb
D:\Exchsrvr\bin\eseutil.exe -cc D:\Exchsrvr\mdbdata\priv1.edb
D:\Exchsrvr\bin\eseutil.exe -p (or) -r D:\Exchsrvr\mdbdata\priv1.edb (use this as a last resort)
D:\Exchsrvr\mdbdata\priv1.stm
D:\Exchsrvr\bin\eseutil.exe -k D:\Exchsrvr\mdbdata\e00.log
D:\Exchsrvr\bin\eseutil.exe -k D:\Exchsrvr\mdbdata\e00.chk
D:\Exchsrvr\bin\eseutil.exe -ml D:\Exchsrvr\mdbdata\e00.log
Go to D:\Exchsrvr\mdbdata\ and run:
D:\Exchsrvr\bin\eseutil.exe /r e00 -i
Tuesday, October 27, 2009
Route Commands (Linux / Windows)
You can add static route or persistent route on both OS.
1. On Windows (Static Route)
# route add 172.16.1.0 mask 255.255.255.0 192.168.10.1
# route add -p 172.16.1.0 mask 255.255.255.0 192.168.10.1
2. On Linux (Static Route)
# route add -net 172.16.1.0 netmask 255.255.255.0 gw 192.168.10.1
OR
You can create a "route-eth1" file, named after whichever NIC the route belongs to:
# vi /etc/sysconfig/network-scripts/route-eth1
GATEWAY0=192.168.10.1
NETMASK0=255.255.255.0
ADDRESS0=172.16.1.0
VMware ESX Server Host Backups / Restore
Backing up the VMware ESX Server host is not a recommended practice, since a typical ESX build takes minutes from start to finish. Since all critical data is stored on the SAN, it is not necessary to back up the Service Console.
In the event that a VMware ESX Server host has a large amount of customization, backups may be made of the files and directories listed below. Within the environment there should not be extensive changes to the default configuration that would warrant backups.
ESX Files and Directories to Back Up
File Description
/etc/passwd - The password file containing the local users for the VMware ESX Server host service console.
/etc/shadow - The shadow password file containing local users and encrypted passwords for the VMware ESX Server host service console.
/etc/group - The group file containing the local security groups for the VMware ESX Server host service console.
/etc/grub.conf - The boot information for the grub boot loader.
/etc/vmware - The configuration files for VMware ESX host.
/boot - The boot partition for the VMware ESX host. Note that these files should be at their defaults.
/home/ - Any user information that is stored on the home directory on the local machine.
To perform the backup, a file can be generated using the following command:
# tar -cvf esx1-backup.datestamp.tar /etc/passwd /etc/shadow /etc/group /etc/grub.conf /etc/pam.d /etc/vmware /boot/ /home/
VMware ESX Server Host Restore
Normally, VMware ESX Server should be reinstalled and connected to the shared storage. If the backup above was taken, a complete restoration can be performed through the following steps:
1. Re-install ESX with the same partition configuration as the original host.
2. SFTP the backup files back onto the host.
3. Remove the /etc/vmware and /boot directories by typing the following commands:
# cd /
# rm -Rf /etc/vmware
# rm -Rf /boot
4. Restore the backup set on the new ESX host. Be sure to overwrite existing files on restore! For example, from the root directory you can issue the following command to restore from the original tarball:
# tar -xvf esx1-backup.datestamp.tar
5. Reboot.
SQL injection
Ref: http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed as SQL.
Here is a nice SQL injection cheat sheet. Currently it covers only MySQL and Microsoft SQL Server, with some Oracle and some PostgreSQL.
Table Of Contents
About SQL Injection Cheat Sheet
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
Line Comments
SQL Injection Attack Samples
Inline Comments
Classical Inline Comment SQL Injection Attack Samples
MySQL Version Detection Sample Attacks
Stacking Queries
Language / Database Stacked Query Support Table
About MySQL and PHP
Stacked SQL Injection Attack Samples
If Statements
MySQL If Statement
SQL Server If Statement
If Statement SQL Injection Attack Samples
Using Integers
String Operations
String Concatenation
Strings without Quotes
Hex based SQL Injection Samples
String Modification & Related
Union Injections
UNION – Fixing Language Issues
Bypassing Login Screens
Enabling xp_cmdshell in SQL Server 2005
Other parts are not so well formatted, but check them out yourself: drafts, notes and such; scroll down and see.
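As an added illustration of the definition above (example code, not from this page or the linked cheat sheet): a login check assembled by string concatenation beside its parameterized form, plus an integer-typed lookup, using Python's sqlite3. The users table and the admin account are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (plaintext password only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Statement assembled by concatenation: a quote in the input closes the string
    literal and a line comment (--) discards the rest of the WHERE clause, so the
    password check never runs. This is the defect the cheat sheet catalogues."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized statement: the driver binds the values, so input is data, never SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def user_by_id_safe(conn, raw_id):
    """Strong typing: anything that is not an integer is rejected before it reaches SQL."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "admin' --"
    print("concatenated query accepts bad password:", login_vulnerable(db, probe, "wrong"))
    print("parameterized query accepts bad password:", login_safe(db, probe, "wrong"))
```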
Friday, October 23, 2009
Intelligent Platform Management Interface (IPMI) driver
If you receive this message, your hardware does not support IPMI or the corresponding add-on hardware is not supported. For Dell servers this is the DRAC component; for HP servers it's the iLO.
To check whether IPMI is available on the ESX host, type the following command in the ESX Server console and press Enter:
dmidecode | grep IPMI
If this returns a value, IPMI is available for your hardware. If it does not return a value, IPMI is not available; contact your hardware vendor.
To avoid the message during boot, run the following command in the ESX Server console:
chkconfig --level 0123456 ipmi off
Thursday, October 22, 2009
VMware ESX Server 3.5 Update 2 to Update 3
Ref: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006651
Ref: http://ict-freak.nl/2007/10/31/how-to-install-vmware-esx-302-update-1/
http://download3.vmware.com/software/esx/ESX350-200806202-UG.zip
http://download3.vmware.com/software/esx/ESX350-200901401-SG.zip
http://vmetc.com/2008/07/26/esx-35-update-2-released-with-new-fixes-and-new-features/
##############################################################################
http://download3.vmware.com/software/vi/ESX350-200810201-UG.zip
http://download3.vmware.com/software/vi/ESX350-200810202-UG.zip
http://download3.vmware.com/software/vi/ESX350-200811401-SG.zip
http://download3.vmware.com/software/vi/ESX350-200811402-SG.zip
http://download3.vmware.com/software/vi/ESX350-200803214-UG.zip
http://download3.vmware.com/software/vi/ESX350-200810205-UG.zip
http://download3.vmware.com/software/vi/ESX350-200901401-SG.zip
http://download3.vmware.com/software/vi/ESX350-200901402-SG.zip
http://download3.vmware.com/software/vi/ESX350-200901404-BG.zip
http://download3.vmware.com/software/vi/ESX350-200901405-BG.zip
http://download3.vmware.com/software/vi/ESX350-2000901406-BG.zip
http://download3.vmware.com/software/vi/ESX350-200901407-BG.zip
http://download3.vmware.com/software/vi/ESX350-200901408-BG.zip
http://download3.vmware.com/software/vi/ESX350-200901409-SG.zip
http://download3.vmware.com/software/vi/ESX350-200901410-SG.zip
Monday, October 19, 2009
How to update VMware ESX patch using CLI
Using VMware Update Manager is the easy way to apply VMware patches, but I would like to share how to update VMware ESX patches using the command line interface as an alternative.
First download the VMware patch from the VMware download web site, for example:
VMware ESX 3.5 Update 2
Latest Version: 3.5 Update 2 | 8/13/2008 | Build: 110268
Log in with your username and password and click YES to agree with the VMware Inc. terms and conditions.
Option 1:
Once the VMware patch download has completed, you can copy the patch source file to an Apache or IIS web server and unzip it, say at http://your.webserver.com/esxupdate/
Before continuing with the VMware ESX host patch, you can VMotion all VMware guests from ESX host 1 to VMware ESX host 2. Connect to the VMware ESX host 1 box using SSH.
Enter server maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_enter
Tip: How can I check whether the ESX host is in maintenance mode?
vimsh -n -e /hostsvc/runtimeinfo | grep inMaintenanceMode | awk '{print $3}'
Turn Off Firewall:
esxcfg-firewall --allowOutgoing
ESX patch update:
esxupdate -r http://your.webserver.com/esxupdate/ update
Option 2:
Copy patch source files into ESX host itself said for an example folder /download/esxupdate
Enter maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_enter
Turn Off Firewall:
esxcfg-firewall --allowOutgoing
ESX patch update:
cd /download/esxupdate; esxupdate update
Login another SSH session and monitor patch update log:
tail -f esxupdate.log
Let's wait for a while; the VMware host patch should be in progress now. The ESX host should be rebooted once the patch has completed.
Turn On Firewall:
esxcfg-firewall --blockOutgoing
Exit maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_exit
Again, we can check ESX host patch update using command:
cat /proc/vmware/version
OR
vmware -v
OR
esxupdate -l query
Congratulations! You're done. You should have the latest VMware ESX patch now!
Please feel free to comment to make it more useful to everyone.
http://malaysiavm.com/blog/how-to-update-vmware-esx-patch-using-cli/#comments
http://sanderdaems.wordpress.com/category/vmware/
Update VMWare 3.5.0
Update VMWare 3.5.0, 64607 (update 1) to VMware ESX Server 3.5.0 build-110181 (update 2)
download
ESX350-200806201-UG.zip
ESX350-200806202-UG.zip
ESX350-200806812-BG.zip
copy them to the /tmp folder on the ESX 3.5 Update 1 host
unzip ESX350-200806201-UG.zip, ESX350-200806202-UG.zip and ESX350-200806812-BG.zip
1. cd ESX350-200806202
# esxupdate update
2. cd ESX350-200806201
# esxupdate update
Note: After updating ESX350-200806201 the system will reboot automatically.
After that, put the host back into maintenance mode: either choose it from the grub menu or run [vimsh -n -e /hostsvc/maintenance_mode_enter]
3. cd ESX350-200806812
# esxupdate update
# vmware -v (to check which version you're using)
# tail -f esxupdate.log
Tuesday, October 13, 2009
Technical differences between VMware ESXi and ESX
(Ref: http://dsumsky.blogspot.com/2008/08/technical-differences-between-vmware.html)
I have spent some time with looking for more details about VMware ESXi compared to VMware ESX. I summarized the main differences in this article but I think it's not complete. There have to be more features missing in ESXi because of service console removal. So, what next did I discover?
* ESXi is supported on a smaller set of certified hardware because it is a standalone system and doesn't depend on the RHEL service console, which provides drivers for other hardware.
* You can manage ESXi with RCLI on the Linux or Windows platform, but the Virtual Infrastructure client is more comfortable and easier to use. Further, if you deployed ESXi without a Virtual Infrastructure licence, RCLI will have read-only access only. The drawback of the VI client is that it is available only for the Windows platform. The solution may lie in using the Wine emulator, but the installation isn't as straightforward as on the Windows platform. The Wine application database contains this entry about VI client installation, but I haven't tried it yet.
* You can manage your ESX server directly via serial cable but ESXi is missing this feature.
* ESXi kernel is missing jumbo frames support in TCP/IP stack which allows to send larger frames out onto physical network. It can help to achieve higher throughput with NFS or iSCSI protocols.
* ESXi doesn't support NetQueue technology which is boosting 10G Ethernet performance.
* Finally, VMware in cooperation with Mellanox Technologies supports Infiniband host channel adapters on ESX. ESXi is missing it.
The previous six points are related to the technical aspects of the ESX and ESXi hypervisors. These points aren't complete either, but they are quite important for common deployments of VMware technologies. If you know about something else, please share it at my blog. For further information, check these links:
# VMware ESX 3.5 release notes
http://www.vmware.com/support/vi3/doc/vi3_esx35_vc25_rel_notes.html
# VMware ESXi 3.5 release notes
http://www.vmware.com/support/vi3/doc/vi3_esx3i_i_35u1_vc25u1_rel_notes.html
# ESX and ESXi comparison (VMware knowledge base)
http://kb.vmware.com/kb/1006543
# Differences between ESXi and ESX (VMware knowledge base)
http://kb.vmware.com/kb/1003345
############################################################################
One of the most significant frustrations of using ESXi instead of ESX (and in my mind it validates the adage: you get what you pay for) is what we've called the ESX Root Lockdown problem at my company.
ESXi can erratically hang due to a bug where it internally writes to a non-existent partition. There is no way to contact or communicate with the ESX server except to physically reboot it. In previous versions this would hang all guest VMs; with a recent patch ESX still hangs while the guest VMs continue to run.
We've seen this happen sometimes up to three times in one day on SATA-based (VMware certified) servers with an LSI Logic controller. Needless to say, in a data center these kinds of breakdowns can cause endless frustration and time loss.
###########################################################################
Differences between VMware ESXi and ESX
(Ref: http://dsumsky.blogspot.com/2008/08/differences-between-esxi-and-esx.html)
VMware ESXi hypervisor is free of charge now but what are the reasons to use it instead of VMware ESX? And what advantages does it have?
The most important advantage is you don't need to pay for it. Furthermore, it supports all VMware Infrastructure features if you buy proper licences - you can vmotion virtual machines, schedule resources, backup them via VCB and so on. If you really want to save more bucks you don't have to pay the support which is required in case of VMware Infrastructure. The new option is to pay per incident.
What are the main differences? As I wrote here, the ESXi hypervisor is OS independent (it is without a service console) and its installation requires only 32MB of disk space. The negative thing is that it lacks the VirtualCenter agent, VCB and Update Manager. These features are included in the VMware Infrastructure Foundation edition and higher by default. If you would like to manage ESXi hosts you need to buy agent licences.
One last important question remains. How can we control ESXi hosts remotely if we don't have a service console? The ESXi hypervisor doesn't have SSH access by default but supports RCLI, or Remote Command Line Interface. The RCLI allows you to perform remote command line operations on an ESXi host from your management station. If you still prefer SSH to RCLI you can enable it according to this article.
So, are you going to deploy it? If so, you can write me about your experience with the product. I would like to know your story.
###########################################################################
ESXi also avoids an increasingly important performance issue with the ESX Service Console related to interrupt sharing. See http://kb.vmware.com/selfservice/documentLink.do?externalID=1003710.
With no Service Console, ESXi allows all interrupts to be load balanced, giving better I/O throughput for low-end and mid-range servers.
############################################################################
VMware or Citrix?
(REF: http://dsumsky.blogspot.com/search/label/esx)
Citrix released their virtualization solution, XenServer, for free (from version 5; see the article XenServer is free), but only time will show whether it was the right decision. At first glance it seems like a marvelous thing, but there are some facts which should be investigated first. Together with XenServer, the central management solution XenCenter was released.
Let's have a look at their rival VMware (vSphere 4). XenServer is fully comparable to VMware ESX or ESXi. But what about XenCenter management? It is something more than the VMware vSphere client but not as valuable as VMware vCenter Management Server. Citrix XenCenter is not the right choice when comparing to vCenter; the right one is Citrix Essentials, but that one is not free. The main differences between Citrix XenCenter and Essentials are:
* XenCenter is missing alerting capabilities such as sending an email when "CPU usage is too high" or when an error condition like "virtual machine power on failure" appears
* XenCenter is missing high availability support
* XenCenter is not able to show you performance data older than one day for physical or virtual servers
Now, let's try to propose a simple high availability (HA) solution based on Citrix/VMware products and compare their prices. Let's suppose we have 2 (or 3) entry level servers, each with 2 CPUs of at most 6 cores per CPU (6 CPUs total). The servers are connected to shared disk storage. CPU speed and memory capacity are not important now. We require an HA solution to protect our virtual machines from hardware failure. The analysis follows:
- Citrix Essentials Enterprise (1 license = 1 server):
* XenServer - 2 licenses = 0$ (3 lic = 0$)
* Essentials Enterprise - 2 lic = 5500$ (3 lic = 8250$)
* Essentials Preferred Support (optional) - 1 lic = 1500$
* Total cost = 7000$ or 9750$ for 3 servers
* Total cost without support = 5500$ or 8250$ for 3 servers
- VMware vSphere 4 Standard Edition (1 lic = 1 CPU):
* vSphere 4 Standard - 4 licenses = 3180$ (6 lic = 4770$)
* vSphere 4 Standard 1y Gold Support - 4 lic = 1092$ (6 lic = 1638$)
* vCenter 4 Foundation - 1 lic = 1495$
* vCenter 4 1y Gold Support - 1 lic = 545$
* Total cost = 6312$ or 8448$ for 3 servers
* Support is mandatory
- VMware vSphere 4 Essentials Plus Bundle (1 lic = 1 CPU)
* Licenses for 3 hosts plus vCenter Server for Essentials plus 1y Gold Support = 3624$
* Total cost = 3624$ for 2 or 3 servers
The prices of the proposed solutions are quite different. In my opinion, the best value solution is based on the new VMware product line vSphere 4 Essentials.
There are rumors that VMware is the most expensive solution. I don't think so when I check the numbers above. Citrix's solution without support is cheaper than VMware's solution with support, but only for 2 servers. If I wanted to add a third server I would have to pay for another license in the case of Citrix; in the case of VMware, I still have one spare license, so I would use it. At first glance XenServer seems to be free of charge, but the price of the added value of Citrix Essentials doesn't scale as well as VMware vSphere 4 Standard Edition or vSphere 4 Essentials Plus. And what is your opinion on the topic?
Sunday, October 11, 2009
Linux Firewall for Reference
#!/bin/sh
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow POP3 (110) to 10.242.144.3 from unprivileged client ports, stateful in both directions
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.242.144.3 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.242.144.3 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
To block incoming/outgoing port 110 instead, use the REJECT target instead of ACCEPT:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 110 -j REJECT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 110 -d 0/0 --dport 1024:65535 -j REJECT
# Accept new SMTP connections
/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#Port Forward SMTP to the mailserver
iptables -t nat -A PREROUTING -p tcp -d 172.16.0.1 --dport 25 -j DNAT --to-destination 192.168.0.113:25
iptables -A FORWARD -p tcp -d 192.168.0.113 --dport 25 -j ACCEPT
#SNAT for port 25 and 110
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.113 --dport 25 -o eth1 -j SNAT --to-source 172.16.0.1
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/21 --dport 110 -o eth1 -j SNAT --to-source 172.16.0.1
***/etc/init.d/iptables contains:
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# (2) User-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# (3) INPUT chain rules
## Rules for incoming packets from LAN
# note: 10.12.1.0/8 matches the whole 10.0.0.0/8 range; use 10.12.1.0/24 if the LAN is only that subnet
iptables -A INPUT -p ALL -i eth1 -s 10.12.1.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.12.1.0 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 116.168.1.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 10.12.1.255 -j ACCEPT
## Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d 116.168.1.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# REJECT THESE JERKS from accessing anything (HACKERS):
iptables -A INPUT -p tcp -s 66.232.147.175 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 67.169.132.93 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.9.128.100 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.9.183.254 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.153.41.139 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 210.51.188.113 -j REJECT --reject-with tcp-reset
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 110 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay
# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT
# (4) FORWARD ip rules
# Accept packets I want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# (5) OUTPUT ip rules
# ONLY output packets with local addresses (NO spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.12.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 116.168.1.2 -j ACCEPT
# (6) POSTROUTING ip rules
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 116.168.1.2
# uncomment the bottom for DHCP if it works first
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
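Added example, not from the original post: a small shell helper that generates the per-host REJECT rules shown above from a blocklist file, validating each entry as a dotted-quad IPv4 address, so the list lives outside the script and the generated rules can be reviewed before they are applied. The function name gen_block_rules and the input format (one address per line, '#' comments, blank lines) are assumptions; the sample blocklist in the usage is constructed.

```shell
# gen_block_rules FILE : print one iptables REJECT rule per valid IPv4 address in FILE.
# Only prints the commands (nothing is applied); exits non-zero if any line was skipped.
gen_block_rules() {
  awk '
    # valid_ipv4: four numeric octets, each 0-255
    function valid_ipv4(s,    o, n, i) {
      n = split(s, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    {
      sub(/#.*/, "")                        # drop comments
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
      if ($0 == "") next                    # skip blank lines
      if (!valid_ipv4($0)) {
        bad++
        printf "# skipped invalid entry: %s\n", $0 > "/dev/stderr"
        next
      }
      printf "iptables -A INPUT -p tcp -s %s -j REJECT --reject-with tcp-reset\n", $0
    }
    END { exit bad ? 1 : 0 }                # non-zero if anything was skipped
  ' "$1"
}

# Constructed sample blocklist for a stand-alone run
sample=$(mktemp)
printf '66.232.147.175\n# comment line\n\n10.0.0.300\n67.169.132.93 # trailing note\n' > "$sample"
gen_block_rules "$sample"
rm -f "$sample"
```

Review the output, then apply it with `gen_block_rules blocklist.txt | sh` once it looks right.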
Friday, October 9, 2009
Nvidia Driver Installation for Linux
yum install yum-priorities
# Give the base repos precedence over third-party ones (lower number = higher priority).
# Note: priority= is a per-[section] option, so appending to the end of a file only
# reaches the last section in that file; files with several sections need the line under each header.
echo 'priority=1' >> /etc/yum.repos.d/CentOS-Base.repo
echo 'priority=1' >> /etc/yum.repos.d/CentOS-Media.repo
echo 'priority=2' >> /etc/yum.repos.d/epel.repo
echo 'priority=2' >> /etc/yum.repos.d/epel-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/adobe-linux-i386.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-free-updates.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-nonfree-updates-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-nonfree-updates.repo
# Fetch the RPMforge release package, import its GPG key and verify the package signature before installing it
wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
rpm -K rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum localinstall rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum check-update
yum search nvidia
yum install nvidia-x11-drv.x86_64
# Alternatively run the NVIDIA installer directly (-s: silent); replace latestnvidiadriver.run with the downloaded file name
./latestnvidiadriver.run -s -N
nvidia-xconfig --mode nvidia-auto-select --twinview --no-xinerama --force-generate
# ELRepo alternative: http://elrepo.org/tiki/tiki-index.php
yum --enablerepo=elrepo-testing install nvidia-x11-drv kmod-nvidia
Friday, October 2, 2009
VMware ESX Server References
The VMware Infrastructure product consists of Workstation, ACE, GSX, and ESX. The VMware Administration product is composed of VMware Virtual Center Server (VC), VMware High Availability (HA), Distributed Resource Scheduling (DRS), SAN, iSCSI and NAS, and VMotion. The last product suite is VMware Tools, which is composed of VMware Converter, the new Physical to Virtual (P2V) tool, and VMware Consolidated Backup (VCB).
http://www.dell.com/us/en/enterprise/servers/pedge_r805/pd.aspx?refid=pedge_r805&s=biz&cs=555
http://content.dell.com/us/en/enterprise/virtualization.aspx
http://vmworld.com/
http://blogs.vmware.com/
http://www.bluelane.com/
http://www.catbird.com/
http://www.gear6.com/
http://www.platespin.com/
http://www.rpath.com/
http://www.surgient.com/
http://www.veeam.com/
http://www.vizioncore.com/
http://www.vkernel.com/
http://www.vmlogix.com/
http://vmblog.com/
http://weblog.infoworld.com/
http://www.virtual-strategy.com/
http://www.rtfm-ed.co.uk/
http://www.virtualization.info/
http://searchservervirtualization.techtarget.com/
http://searchvmware.techtarget.com/
http://www.virtualizationconference.com/
http://www.infoworld.com
http://www.interop.com/
http://www.linuxworldexpo.com/
Exchange Server 2003 Stuff
Storage Groups
Containers within Exchange that are used to hold data stores (Mailboxes and public folders). By default, one storage group is created within Exchange called the “First Storage Group”.
This storage group will hold up to 5 data stores. Up to 3 additional (4 total) storage groups can be created if you are running Exchange Enterprise edition while Exchange Standard edition only supports the First Storage Group.
Most small- and medium-sized companies (up to approximately 1,500 mailboxes) will have no reason to use additional storage groups and, for simplicity, they should be avoided. You may need additional storage groups if your company requires:
1. More than 5 data Stores
2. The use of circular logging on only some of the data stores
3. A Different location for the Transaction logs
Stores or data stores
Created in Exchange 2000 as either a mailbox store or a public folder store. By default, two stores are created in the first storage group, the mailbox store and the public folder store.
Exchange enterprise edition supports up to 5 data stores ( 4 TB max, theoretically) in each storage group, 20 stores total. Exchange Standard edition only supports the two default stores and limits these stores to a maximum of 16 GB each.
This limitation is a very important factor in determining whether to purchase exchange standard or enterprise edition. There are several reasons that you may want to create additional stores, including:
1. Easier mailbox management and organization
2. More efficient mailbox recovery
3. Mailbox rule requirements (i.e. size of mailbox, deleted item retention)
4. Increased performance (databases can be located on different hard drives)
5. Separate administrative mailboxes (i.e. postmaster, webmaster)
Description                       Exchange Standard   Exchange Enterprise
Storage Groups                    1                   4
Data Stores per storage group     2                   5
Maximum size of each data store   16 GB               4 TB
Database Files
Each data store is made up of two database files, a .edb file and a .stm file. These database files together make up the data store and should not be separated.
- .EDB file: MAPI-based database
- .STM file: streaming database, contains native Internet content
Transaction Logs
Used in each storage group to record changes to the database. Changes are committed or rolled back based on the success of the transaction. Transaction Logs are used in Disaster recovery scenarios to completely restore mailboxes.
What Should you Backup?
1. Mailbox Stores
2. Public Stores
3. System State (Active Directory, Registry, IIS Metabase, basically system specific settings)
4. IIS Metabase
Repair the Database
- Can do more harm than good
- You should have a Normal (Full) backup of your Exchange Server database before running these utilities (online or offline)
ESEUTIL – command line tool that checks the Exchange database for consistency and repairs the database (depending upon the switches used).
ISINTEG – command line tool that is used to restore specific messages or attachments. It understands the data in the store rather than the database.
- Microsoft Support may be a better option
- Recovering from a backup is usually a better option. Troubleshoot your server thoroughly before assuming database corruption.
Replace the Database (Using NTBackup)
1. Make sure that you have a good Normal (Full) backup of the store and transaction logs before starting this procedure
2. Dismount the store
3. Start the restore process with the Normal backup set first
4. Specify any Differential or Incremental backup sets next. Be sure to check the "last backup set" option if the specified set is the latest backup
5. Mount the store (if not specified in the restore)
Complete Server Replacement
1. New Server hardware or Same Server
2. Make sure HD Partitions are the same size or bigger than before
3. Install Server 2003 with all Service packs, Hot Fixes, etc.
4. Server should have the same name as before
5. Rejoin the Exchange Server to the domain
6. Verify AD Connectivity
7. Install Exchange 2003 with disaster recovery switch
8. Install Exchange Service Packs, Hot Fixes, etc.
9. Restore Data Stores and Transaction Logs
10. Restore any additional Exchange configuration (scripts, connectors, etc.)