Re: [OpenIndiana-discuss] New Zone User Questions
Hi there, would it be possible to compile your experience into some best practice topic on the wiki - similarily to what Reginald has done for his N40L installation? I think that would really help others as the subject is setting OI apart from any Linux distro... Cheers Stefan Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
[OpenIndiana-discuss] Zfs import fails
Hi, I had a zpool thats exported on another system and when i try to import, it fails. Any idea how to recover ? "format" shows all the disks. root@host:~# zpool import -FfX pool1 cannot import 'pool1': one or more devices is currently unavailable root@host:~# zpool import -f pool1 cannot import 'pool1': I/O error Destroy and re-create the pool from a backup source. Regards, Ram ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
I'd just like to thank all of you again for all of the help and advice you gave me. I'm still reading, and re-reading, the posts and links you sent me. I'm still mulling over all that you said, and experimenting with them. While it may have seemed like we strayed a bit off-topic from time to time; yet in the process, you introduced me to concepts and techniques to make better use of zones, and the end result has been very much within the realm of this thread's topic. Many of these concepts are things that I'd already heard about, and yet you all have helped me see how they all fit together, and how I can better apply them to make better use of OpenIndiana. I started this thread saying that I'd entered the wonderful world of zones. Well, truly, this has opened me to a world that's even far more broad than that! Glory be to our holy God. Thank you very much! ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Buildable distro?
On 2013-02-06 03:21, Reginald Beardsley wrote: But then I could do RAIDZ2 if I had 4 drives ;-) Note that while this might give you better redundancy compared to raid10 (with a raidz2 you can tolerate loss of any two disks, and in a raid10 you can only tolerate loss of two disks from different sub-mirrors), the performance might be very noticeably different in favor of striping over mirrors. 2c :) ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
[OpenIndiana-discuss] Buildable distro?
Linux has long had the ability to rebuild itself as part of a distribution, at least for the ones I've played with to any degree. Is there anyone in a position to easily produce a buildable OI DVD? In particular, one that tracked the current build. Something that if I bought a machine and dedicated it to the task I could be set up to fix things by installing the distro. I spent a few hours reading wikis on the subject of building OI & illumos and was left with very low confidence that the contents were up to date. I was also left with the impression that setting up to do even a trivial task like turning on SD_INFO() would be quite labor intensive. I'm a geoscientist. So this is a tool I use, not an end goal. However, I do know a bit about operating systems and software. So I don't mind fixing things that affect me. Obviously, the overhead to understand the code for some things is prohibitive, but there is a lot of stuff (i.e. minor bugs) I could work on pretty easily. But setting up to build OI is not a pretty picture. FWIW I figured out that the hardware cost of building a bootable RAIDZ array as I did on the N40L was less than $3. It's not really bootable RAIDZ. It's a mirrored rpool in s0 with a RAIDZ pool in s1. I plan to move /export over to the RAIDZ pool, but haven't done it yet. But I've got 3 disks and can gracefully take a single disk failure while keeping the storage efficiency of RAIDZ. I'm trying to decide if I should add a 4th drive or not. 3.5 TB is a lot of space for my current needs, so 5.25 TB may be overkill. But then I could do RAIDZ2 if I had 4 drives ;-) Have Fun! Reg ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] weird packet garbling problem
I use ASA5505's always. I never had this problem with solaris 10&11, but those run on sun hardware. I also have solaris 10 on an old HP DL340 with bge's also without problem. And OI 1.57 on VMware also without the problems you describe. I use the cisco VPN windows client. Is your cisco the defaultgateway for your servers? Otherwise i think OI sees a packet comming in from (for example) 172.18.12.12 which is your vpn ip-address, it then can't figure out where to reply to and the messages start bouncing around??? Op 5 feb. 2013 om 02:34 heeft "Edward Ned Harvey (openindiana)" het volgende geschreven: >> From: Edward Ned Harvey (openindiana) >> [mailto:openindi...@nedharvey.com] >> >> I am having a really hard time coming up with a plausible explanation for >> this, >> other than some kind of kernel bug with openindiana... > > Found a new clue, which is totally unbelievable, yet totally enlightening. > > The firewall is a cisco asa 5505. We have both anyconnect & ipsec vpn for > mobile clients enabled. I tried them both, and got the same result for both > (thinking maybe it was a problem with the vpn client.) > > My home firewall is a pfsense device. So today, I enabled point-to-point > ipsec vpn between my home and work. Now I can sit at home with my laptop, > use the laptop VPN client to connect direct to the failing OI hosts... Or I > can disconnect my laptop vpn client, enable the firewall vpn, and then ssh to > the failing OI machines. > > When I use the IPSec or Anyconnect VPN client, I have the problem. When I > enable the site-to-site VPN, I don't have the problem. > > So I've reached two conclusions: > > -1- The problem is related to the Cisco ASA firewall, and mobile VPN > connectivity. > -2- The problem is related to OpenIndiana. (No problems connecting to other > ssh/vnc systems in the office, linux, mac, or windows.) > > I have not yet tried using a mac/linux VPN client. Might learn something > there too. > > I don't know why there would be a bad interaction between the OI machines and > the Cisco ASA. But there is. I think I'll probably try to lay it on Cisco > support next. They'll probably tell me to upgrade IOS. Even though this is > a relatively current stable version ... the most stable latest bugfix version > of the almost-latest line, last July. The one they recommended as "the most > stable one we're recommending for now." > > > ___ > OpenIndiana-discuss mailing list > OpenIndiana-discuss@openindiana.org > http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
[OpenIndiana-discuss] SD_INFO() enable in oi_151a7 ??
Is SD_INFO() enabled in the oi_151a7 kernel? Looking at sddef.h, it appears that it might be turned off, but w/o knowing what flags were used in the build it's just a guess. In any case, where do the messages get written? I put the requisite entries in /etc/system as described in sddef.h, but have not been able to get a trace to help determine why sd-config-list isn't working for the Toshiba drive. Thanks, Reg FWIW According to the comments, the vendor-product string comparison is case sensitive w/ leading, trailing blanks and repeated blanks elided. However, other comments and the code suggest it is case insensitive. The string is extracted from the scsi inquiry command and assumes that the vendor and product fields are contiguous. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] For serviio 1.2beta, could sfe-encumbered -> ffmpeg and libffmpeg be updated to version 1.1.1??
FWIW, libass is available in SFE, freetype-2 is in DEV and so is Fontconfig. You should be safe with these three at least. Don't know about the versions, though. Cheers Stefan Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
On 2013-02-05 10:34, dormitionsk...@hotmail.com wrote:
On Feb 5, 2013, at 2:10 AM, Andrej Javoršek wrote:
Now you are moving from complex to "mind bogging complex" :)
But yes with OI you can create network (datacenter) in a box (switches,
routers, servers):
http://www.c0t0d0s0.org/permalink/Upcoming-Solaris-Features-Crossbow-Virtualisation.html
Regards
Andrej
Well, I just laid down to go to sleep, and it just clicked. Is this what Ian
means, to have a zone for our MySql, one for Apache, one for Tomcat, one for
email, etc. ? And using port forwarding to go to the appropriate zone?
Yes - for those zones that need it (I elaborate an example below).
For example, your database zone should not see the internet, only
the web-server needs that (Apache or Tomcat in your case, or maybe
both). And for this accessibility you only allow certain ports on
the firewall settings. In fact, with NAT in place, those ports that
you don't explicitly define for forwarding from outside connections
would have nowhere to go and would be dropped - adding somewhat to
your counter-internet security.
And do expect that your systems will be constantly scanned and at
least simple common break-ins will be attempted - not because there
are many malicious people that have something against you, but because
over time they gathered control over many sick PCs ("bots") and those
scan for targets on their own in spare time.
Don't use trivial passwords for anything that faces the internet ;)
And I'm not sure I understand your comment about the Crossbow-Virtualisation --
yes, that'd be much more complex. But is what I said about hooking up
additional hardware routers to do the port forwarding something that would work
and would fall within the realm of reasonably accepted practices?
And you all don't normally do the Crossbow Virtualization, right?
Actually, most of us do now without even noticing. For example,
the exclusive-IP zones require a dedicated NIC. Back when the
feature was introduced, it was limited to the physical network
adapters, or at most the VLAN pseudo-interfaces - one per NIC.
Now with Crossbow we can create VNICs which became the foundation
for the common use of exclusive-IP zones and a decline of use-cases
for shared-IP zones (basically, with alias addresses on a common
NIC between the GZ and several zones, with GZ's routing table
inherited into a zone - caused "interesting" problems when there
were different subnets and different default routers were needed
for the GZ and LZs, within one routing table, and a common set
of firewall rules in the GZ).
A further commonly used feature of Crossbow is etherstubs - you
can think of them as virtual ethernet switches to which VNICs
can be connected, so that services in zones can securely and
quickly interact over usual TCP/IP without packets ever hitting
the physical wire. This can be used for lab modelling of nets
with zones and VMs attached to different switches, as well as
for "production" use of the fruits of such experiments.
I *think* I just made a leap in my head about all this stuff.
It certainly would be easier to make zones for each of these services, rather
than complex ones with many of them. It kind of goes along with what we
programmers do, breaking tasks down into small classes, etc.
Yes. It is now common for a website content management system
(CMS), such as Magnolia or to extent Alfresco, to rely on a
database, for example. You can set up MySQL (or PgSQL) in one
zone - or two for replicated redundancy - and their webserver
clients in another. This way even if there is a break-in to
your webserver zone, there are no database files to mangle
and corrupt. You can also manage their backups separately, and
with greater precision see what is your bottleneck if the server
no longer copes well with its load.
Note however that increasing complexity does add some latency
by itself, and in case of database-backed websites, you might
need some tricks to ensure that the HTTP server starts after
the DBMS server - this is easily solvable by SMF dependencies
within one environment, but harder to solve in separated setups.
Again, in this particular case your webserver would actually
be a Java application server and can by itself manage database
connection pools (instead of having the CMS webapp connect to
the DB directly) and thus delay its initialization until the
DB connection succeeds.
Guidance, please?
I'd start with that page I posted on NAT for local zones.
As a further tip, since at least some of your zones are likely
going to be talking to the internet, and you have a phone-line
connection, you would most likely benefit from setting up a
"caching DNS server" (one of the most trivial setups, google
for that) in the zone which you use for NAT/routing tasks,
and publish it via DHCP or static config to your internal
zones - and maybe to the rest of your local net.
This way your systems would likely do less queries to the global
naming sys
Re: [OpenIndiana-discuss] New Zone User Questions
On 2013-02-05 09:51, dormitionsk...@hotmail.com wrote: On Feb 5, 2013, at 12:11 AM, Andrej Javoršek wrote: "Or am I missing something here? (And that's entirely possible!)" You are not gonna like my answer since it ads even more complexity but you can (theoretically) use single IP and have a lot of globally available services in different physical or virtual computers by using NAT and port Peter, you can try to use the techniques outlined in this wiki page: http://wiki.openindiana.org/oi/Using+host-only+networking+to+get+from+build+zones+and+test+VMs+to+the+Internet I wrote it for a slightly different particular purpose, but most of the steps and ideology should be applicable to generic server zones. In essence, whatever zones you have would use addresses on a virtual switch defined inside your OI server, and a single local or global zone with the publicly-accessible address would do the NAT/Routing and if need be - DHCP for the other local zones. HTH, //Jim ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] For serviio 1.2beta, could sfe-encumbered -> ffmpeg and libffmpeg be updated to version 1.1.1??
Added info: Quoting from the beta test forum on serviio.org, "compile FFmpeg with libass and link with FreeType2 and Fontconfig libraries." Not sure what this entails exactly or even if this is unreasonable for openindiana. Well. If it can happen, thanks in advance! On 2013-02-05 00:14, openindiana-discuss-requ...@openindiana.org wrote: Message: 1 Date: Mon, 04 Feb 2013 21:06:51 +0100 From: "Hans J. Albertsson" To:openindiana-discuss@openindiana.org Subject: [OpenIndiana-discuss] sfe-encumbered -> ffmpeg and libffmpeg be updated to version 1.1.1?? Message-ID:<511014db.5070...@branneriet.se> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I guess Milan or Ken Mays might be the people to ask about this?? Current compile and link options (including the librtmp inclusion) are just right, I think. 1.1.1 contains stuff for new video stream types. The latest version of libRTMP must also be used and referenced for the new ffmpeg to work. I think. This is to enable running the next beta, 1.2, of serviio.org, Serviio is possibly the only reasonably complete DLNA server that runs w/o any special preps on OpenIndiana. Installing serviio.org on openindiana is no more complex than expanding a tarball and running a jar. You can put an SMF def in place if you like. Contact me if there's an interest. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
"And you all don't normally do the Crossbow Virtualization, right?" I did it once (fully blown) to connect 4 zones (DNS, 2 apache, mysql) with single public IP v4 and class of IP v6 into internet. It is also only way to do with single box (and without additional routers). But than I bought Mikrotik RB750 that can do all the same with lower complexity. Regards Andrej On Tue, Feb 5, 2013 at 10:34 AM, dormitionsk...@hotmail.com < dormitionsk...@hotmail.com> wrote: > > On Feb 5, 2013, at 2:10 AM, Andrej Javoršek wrote: > > > Now you are moving from complex to "mind bogging complex" :) > > But yes with OI you can create network (datacenter) in a box (switches, > > routers, servers): > > > http://www.c0t0d0s0.org/permalink/Upcoming-Solaris-Features-Crossbow-Virtualisation.html > > > > Regards > > Andrej > > > > Well, I just laid down to go to sleep, and it just clicked. Is this what > Ian means, to have a zone for our MySql, one for Apache, one for Tomcat, > one for email, etc. ? And using port forwarding to go to the appropriate > zone? > > And I'm not sure I understand your comment about the > Crossbow-Virtualisation -- yes, that'd be much more complex. But is what I > said about hooking up additional hardware routers to do the port forwarding > something that would work and would fall within the realm of reasonably > accepted practices? > > And you all don't normally do the Crossbow Virtualization, right? > > I *think* I just made a leap in my head about all this stuff. > > It certainly would be easier to make zones for each of these services, > rather than complex ones with many of them. It kind of goes along with > what we programmers do, breaking tasks down into small classes, etc. > > Guidance, please? > > > > ___ > OpenIndiana-discuss mailing list > OpenIndiana-discuss@openindiana.org > http://openindiana.org/mailman/listinfo/openindiana-discuss > ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
On Feb 5, 2013, at 2:10 AM, Andrej Javoršek wrote: > Now you are moving from complex to "mind bogging complex" :) > But yes with OI you can create network (datacenter) in a box (switches, > routers, servers): > http://www.c0t0d0s0.org/permalink/Upcoming-Solaris-Features-Crossbow-Virtualisation.html > > Regards > Andrej > Well, I just laid down to go to sleep, and it just clicked. Is this what Ian means, to have a zone for our MySql, one for Apache, one for Tomcat, one for email, etc. ? And using port forwarding to go to the appropriate zone? And I'm not sure I understand your comment about the Crossbow-Virtualisation -- yes, that'd be much more complex. But is what I said about hooking up additional hardware routers to do the port forwarding something that would work and would fall within the realm of reasonably accepted practices? And you all don't normally do the Crossbow Virtualization, right? I *think* I just made a leap in my head about all this stuff. It certainly would be easier to make zones for each of these services, rather than complex ones with many of them. It kind of goes along with what we programmers do, breaking tasks down into small classes, etc. Guidance, please? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
Now you are moving from complex to "mind bogging complex" :) But yes with OI you can create network (datacenter) in a box (switches, routers, servers): http://www.c0t0d0s0.org/permalink/Upcoming-Solaris-Features-Crossbow-Virtualisation.html Regards Andrej On Tue, Feb 5, 2013 at 10:00 AM, dormitionsk...@hotmail.com < dormitionsk...@hotmail.com> wrote: > > Something like http://httpd.apache.org/docs/2.2/mod/mod_proxy.htmlmaybe? > > > > -- > > Ian. > > > Oh, and Ian, I'll look at this again in the morning. But Apache is so > hard for me! I'm just grateful I have it working with a reasonably simple > setup. > > Thanks again. > > I do appreciate it. > ___ > OpenIndiana-discuss mailing list > OpenIndiana-discuss@openindiana.org > http://openindiana.org/mailman/listinfo/openindiana-discuss > ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
On 02/04/2013 05:33 PM, dormitionsk...@hotmail.com wrote: > I'm half-German, raised in a predominately German community with old > German values like, "If you aren't going to do it right, don't to it > at all." I've really had to tone down on that through the years > here, let me tell you! This is very much off-topic...but toning down those attitudes is, in my opinion, a very bad idea. I believe wholeheartedly in "do it right or don't do it at all", and I believe my life, and my work, are much better for it. Just my $0.02.. -Dave -- Dave McGuire, AK4HZ New Kensington, PA ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
> Something like http://httpd.apache.org/docs/2.2/mod/mod_proxy.html maybe? > > -- > Ian. Oh, and Ian, I'll look at this again in the morning. But Apache is so hard for me! I'm just grateful I have it working with a reasonably simple setup. Thanks again. I do appreciate it. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] New Zone User Questions
On Feb 5, 2013, at 12:11 AM, Andrej Javoršek wrote: > "Or am I missing something here? (And that's entirely possible!)" > > You are not gonna like my answer since it ads even more complexity but you > can (theoretically) use single IP and have a lot of globally available > services in different physical or virtual computers by using NAT and port > mapping techniques or reverse proxying requests from internet into your > NATed LAN. > eg. Google's enormous cloud (www.google.com) is seen (from my location) by > only 5 v4 and 1 v6 IP address. > > Regards Andrej You know what? You're right! (Of course.) And I even know how to do port forwarding - on a router, anyway. Well, maybe... The router that's hooked up to our modem is using One-to-One NAT. So, our router has the first IP address of our block of five. The other four addresses point to servers. So, do I understand this right - theoretically, I could take one or more of those IP Addresses that are pointing to servers, and attach another router in its place, and do port forwarding for that IP Address to that server and multiple zones? If that would work, theoretically, that might be within my limited networking abilities. If I was to get into proxies, I'd have to learn a whole lot more about networking, and I'm not sure I want to do that! It'd probably save me a whole lot of grief if I did learn more about networking, but I have enough going on in my head without that. Thanks for the suggestions, Andrej and Ian. I appreciate it. It adds more complexity, but it's worth thinking about. And I shudder to ask this, but this could also be done within the server itself, too, without buying extra routers, right? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
