Thursday, August 12, 2010

Enable Jumbo Frame on ESXi 4

Finally got Jumbo Frames to work. Tutorials on the Internet are usually incomplete.

Based on http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007654


Say you have two NICs in ESXi: NIC 1 has been set up with vSwitch0 for VM traffic and the Management Network, and NIC 2 has been set up with vSwitch1 for the iSCSI storage network. The settings below must be done from the command line; there is no GUI in the VI client for them.

Now log in to your ESXi host over SSH.

List the current MTU of the vSwitches:

esxcfg-vswitch -l

Set the MTU to 9000 (Jumbo Frames) for vSwitch1:

esxcfg-vswitch -m 9000 vSwitch1

Verify the change:

esxcfg-vswitch -l
esxcfg-nics -l

Now we need to create a Jumbo Frames-enabled VMkernel interface. If there are already VMkernel ports configured on this vSwitch, they must be removed first. There is no way to edit an existing VMkernel port to support Jumbo Frames; it must be created with the Jumbo Frame MTU from the start.

First, run this command to create the port group StorageNetwork on the Jumbo Frame-enabled vSwitch1:

esxcfg-vswitch -A StorageNetwork vSwitch1

Then create a VMkernel connection with Jumbo Frame support:

esxcfg-vmknic -a -i 10.56.51.78 -n 255.255.255.0 -m 9000 StorageNetwork

Verify:

esxcfg-vmknic -l

To test it, we can ping a Jumbo Frame-enabled NAS with a large packet from this ESXi host. Note the 28 bytes of overhead (20-byte IPv4 header plus 8-byte ICMP header), so an 8972-byte payload exactly fills a 9000-byte frame; in most cases a payload of 9000 also works.

ping -s 8972 10.56.51.1

Or ping this ESXi host from a system on the same subnet, assuming that system and the switch are also Jumbo Frame enabled. The -M do (Linux) and -f (Windows) flags below set the Don't Fragment bit, so a hop that cannot carry the frame shows up as a failure rather than a silently fragmented success:

From Linux:

ping -c 4 -s 8972 -M do 10.56.51.78

From Windows:

ping 10.56.51.78 -f -l 8972
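The steps above wrapped into one parameterised script, as an added example that is not part of the original post. It derives the ping payload size from the MTU instead of hard-coding 8972, runs the esxcfg commands in the order the post gives, and has a DRY_RUN mode that only prints the commands so it can be reviewed before touching a host. The vSwitch, port group and IP addresses are the post's values passed in as arguments; nothing else is assumed about the host.

```sh
#!/bin/sh
# Added example (not from the original post): wraps the esxcfg-* steps into
# one script with a dry-run mode. Values below are the post's; DRY_RUN=1 prints
# the commands instead of executing them.

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Largest ICMP echo payload that fits in one frame for a given MTU:
# the IPv4 header (20 bytes) and the ICMP header (8 bytes) take 28 bytes.
jumbo_payload() {
  mtu="$1"
  echo $((mtu - 28))
}

# Set the vSwitch MTU, add the port group and create a VMkernel port on it.
# Existing VMkernel ports on the vSwitch cannot be changed to a new MTU, so
# this assumes the vSwitch has none yet (as in the post).
configure_jumbo_storage_network() {
  vswitch="$1"; portgroup="$2"; ip="$3"; netmask="$4"; mtu="$5"
  run esxcfg-vswitch -m "$mtu" "$vswitch"
  run esxcfg-vswitch -A "$portgroup" "$vswitch"
  run esxcfg-vmknic -a -i "$ip" -n "$netmask" -m "$mtu" "$portgroup"
  run esxcfg-vswitch -l
  run esxcfg-vmknic -l
}

# Send maximal-size echoes to the storage target. The esxi flavour is the
# post's command; the linux flavour adds -M do so the kernel refuses to
# fragment and a non-jumbo hop shows up as a failure instead of a silent pass.
test_jumbo_path() {
  target="$1"; mtu="$2"; flavour="${3:-esxi}"
  size=$(jumbo_payload "$mtu")
  case "$flavour" in
    linux) run ping -c 4 -s "$size" -M do "$target" ;;
    *)     run ping -s "$size" "$target" ;;
  esac
}

main() {
  configure_jumbo_storage_network vSwitch1 StorageNetwork 10.56.51.78 255.255.255.0 9000
  test_jumbo_path 10.56.51.1 9000 esxi
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `DRY_RUN=1 sh jumbo.sh apply` first to see the exact esxcfg and ping commands, then without DRY_RUN on the ESXi shell.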

That is all.

Wednesday, May 19, 2010

CentOS Apache Mod Security Installation

A very straightforward installation of ModSecurity on Apache on CentOS.

Copied from http://secfx.wordpress.com/2009/10/31/modsecurity-installation/

What is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

Apache Installation

yum install httpd-devel mod_ssl libxml2 libxml2-devel \
curl-devel pcre-devel gcc-c++
service httpd stop

ModSecurity Installation

wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10.tar.gz
tar -xzvf modsecurity-apache_2.5.10.tar.gz
cd modsecurity-apache_2.5.10
cd apache2
./configure
make
make install
mkdir /etc/httpd/conf/modsecurity
cp ../modsecurity.conf-minimal /etc/httpd/conf/modsecurity/

Settings

vi /etc/httpd/conf/httpd.conf

# ModSecurity
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/modsecurity.conf-minimal

service httpd start
ls /var/log/httpd

access_log error_log modsec_audit.log modsec_debug.log

tail /var/log/httpd/error_log

[Sat Oct 31 20:22:35 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Oct 31 20:22:36 2009] [notice] ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/) configured.
[Sat Oct 31 20:22:36 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Oct 31 20:22:36 2009] [notice] Digest: done
[Sat Oct 31 20:22:37 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
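A small post-install check script, as an added example that is not part of the original post or of ModSecurity itself. It confirms the three things the settings above rely on: that httpd.conf carries the LoadModule and Include lines, that httpd actually reports security2_module as loaded, and that the error_log contains the "ModSecurity for Apache/... configured." notice shown above. The paths are the CentOS ones from the post; the embedded log lines are constructed from the post's error_log output so the parsing can be exercised without a running httpd.

```sh
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# ModSecurity setup. Paths are the CentOS defaults used in the post.

# Sample error_log lines, constructed from the post's output, for offline use.
SAMPLE_ERROR_LOG='[Sat Oct 31 20:22:35 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Oct 31 20:22:36 2009] [notice] ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/) configured.
[Sat Oct 31 20:22:36 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Oct 31 20:22:36 2009] [notice] Digest: done
[Sat Oct 31 20:22:37 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations'

# Print the ModSecurity version from error_log lines read on stdin, taken from
# the "ModSecurity for Apache/<version> ... configured." notice. Prints nothing
# when the module never announced itself (e.g. the LoadModule line is missing).
modsec_version_from_log() {
  sed -n 's/.*ModSecurity for Apache\/\([0-9][0-9.]*\) .*configured\..*/\1/p' | tail -n 1
}

# Succeed only if the given httpd.conf has both the LoadModule line for
# security2_module and an Include of the conf/modsecurity/ directory.
httpd_conf_has_modsec() {
  conf="$1"
  grep -q '^[[:space:]]*LoadModule[[:space:]][[:space:]]*security2_module' "$conf" &&
  grep -q '^[[:space:]]*Include[[:space:]][[:space:]]*conf/modsecurity/' "$conf"
}

# Ask the running binary which modules it loads (httpd -M lists static and
# shared modules); this catches a LoadModule line that is present but ignored.
modsec_loaded() {
  httpd -M 2>/dev/null | grep -q security2_module
}

# Full check against a live CentOS host; returns non-zero on the first failure.
check_install() {
  conf=/etc/httpd/conf/httpd.conf
  httpd_conf_has_modsec "$conf" || { echo "httpd.conf lacks the ModSecurity LoadModule/Include lines"; return 1; }
  modsec_loaded || { echo "security2_module is not loaded by httpd"; return 1; }
  [ -f /var/log/httpd/modsec_audit.log ] || { echo "modsec_audit.log missing"; return 1; }
  v=$(tail -n 200 /var/log/httpd/error_log | modsec_version_from_log)
  [ -n "$v" ] || { echo "no ModSecurity 'configured' notice in error_log"; return 1; }
  echo "ModSecurity $v loaded"
}

# Offline demonstration on the constructed sample: prints 2.5.10.
demo() {
  printf '%s\n' "$SAMPLE_ERROR_LOG" | modsec_version_from_log
}

if [ "${1:-}" = "check" ]; then
  check_install
fi
```

Run `sh modsec-check.sh check` on the host after `service httpd start`; a missing LoadModule line, a typo in the Include path, or a module that failed to load each produce a distinct message.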

Tuesday, April 6, 2010

XenServer is not a suitable platform for production yet

Built two XenServer hosts using version 5.5 Update 2 and played with them for a few days. The advantage of XenServer over Hyper-V and VMware ESX/i is that it provides an environment that supports live migration without a separate management server (vCenter in VMware's case), and it is free. Features beyond this, for example HA, are all paid and require a separate management server.

Its disadvantages are not very obvious, but they show themselves after some playing. Unfortunately these disadvantages are deal killers for a production environment.

1. A snapshot takes the same amount of disk space as the original VM. It is actually a copy of the VM.

2. Unable to revert to a snapshot with simple mouse clicks. You need to tear down the original VM, then use the snapshot as a template to create a new VM. The new VM needs to be reconfigured.

3. Difficult to configure multiple NICs and multiple LANs. You need to use a local command-line or local console menu workaround.

4. The host loses its NIC configuration after a forced shutdown or after a cable is unplugged.

5. Disk space management is backward. After using snapshots for some period of time, wasted disk space needs to be reclaimed with a special utility. The reclaim process requires all VMs on the host to be off.

6. Paravirtualization swaps out the OS kernel, causing reliability, compatibility, portability and scalability issues.

7. Paravirtualization is only available for a limited set of OSes and versions, based on the available templates. It is very difficult for users to create templates from scratch for a new OS, and Citrix does not regularly release new templates.



The bottom line: Citrix XenServer, at its present stage, only provides the best price value (free) for a non-critical multi-host environment with limited OS choice and a slow update cycle.