Monthly Archives: December 2006

personal

Merry Christmas

Xsan

Just Some Notes On Xsan Planning

Planning an Xsan is perhaps the most complicated part of any deployment. First, start with one of two objectives, speed or size (or both). How big does the SAN need to be and what speed does the SAN (the aggregate speed of all clients) need to be able to sustain? That becomes the primary design consideration. Beyond that, you’ll also want to plan how it will get backed up and when, the makeup of the clients (Mac, PC, Linux), how permissions will get handled for new files written to the SAN, etc.

Metadata

Xsan needs an out-of-band metadata network. This network is used to transfer information about files being written to the SAN, i.e. the metadata. The metadata network on an Xsan should be low latency; nothing should be able to interfere with the transfer of that data. Therefore, make sure that you disable all the management features of your switch, but make sure it’s a good switch. I prefer to use a managed switch with all the management features disabled.

Additionally, each volume you create needs a dedicated Metadata Storage Pool with at least one LUN in the pool. This LUN shouldn’t be used for anything else. When looking to carve up storage into pools, consider that a mirror of 2 of your drives on your Fibre Channel array should be used for the metadata LUN. This means that a 16 bay or 24 bay chassis with, let’s say, 3TB drives in each bay is now effectively a 14 or 22 bay chassis and you have 6TB less of storage. This isn’t a bad thing, as the metadata LUN should be dedicated to that task and should be really fast. The rebuild should be fast as well in the event of a drive failure, which is why the mirrored-drive approach is used for this LUN.

The Components

Fibre Channel is a technology for transmitting data between computer devices, similar to SCSI but with networking components based on fiber optics. Fibre Channel is especially suited for attaching computer servers to shared storage devices and for interconnecting storage controllers and drives. Apple uses Fibre Channel for Xsan, its storage virtualization platform. All of the objects that make up a Fibre Channel network are collectively referred to as the fabric. These typically include HBAs (the card that goes in a machine), cabling, transceivers, a Fibre Channel switch and the Fibre Channel controllers on the storage.

A RAID can be split into multiple logical units, each referred to as a LUN. Each side, or channel, of the RAID is, by default, a single LUN. While the LUNs are being formatted (which generally takes a while) you will start to see them in Disk Utility. Do not assign a file system to them if you are going to use them with Xsan. Instead, you will use the Xsan Admin interface or the cvlabel command to label each of your LUNs, which marks them as usable by Xsan.

In Xsan you can take multiple LUNs (when presented over Fibre Channel) and stream data to them in a round-robin fashion. When doing so you group them together in what Xsan calls Storage Pools. Each Storage Pool has a maximum throughput of about 4 LUNs’ worth of storage, although they can have affinities that map more storage and therefore more throughput (so there is no hard maximum). You can then lump multiple Storage Pools into a given Volume to obtain substantial volume sizes as well as increasing your aggregate bandwidth between hosts.

The default stripe breadth on a metadata storage pool is 256 blocks. Quantum recommends using a 16 or 64 block stripe breadth for metadata storage pools: if you have a relatively small volume with a small number of files use 16, and if you have a larger environment with big files use 64. As with many things in Xsan, tuning per environment is where you will get the biggest bang for your buck, but it is worth noting that whichever way you go, this is a setting that should be changed on each deployment in order to keep with Quantum best practices.

In Xsan, the PIO HiPriWr statistic shows you how much latency there is on the connection to your LUNs. If the latency to any of your LUNs is too high it can cause instability and, worse, potential volume integrity issues. If you run into this kind of latency you should fix it at the source. But if you can’t, you can deal with it programmatically using the Buffer Cache Size. Increasing the buffer allows for more caching, which in turn lets latent LUNs have less effect on the overall performance, health and viability of the SAN. Additionally, the iNode Cache should be increased for the same purpose (more specifically, to allow for iNodes to be written when you have latency on your metadata LUN(s)).
These settings are defined in the volume setup wizard but can be updated in the VOLUMENAME.cfg file of your SAN volume, in /Library/Preferences/FileSystems/Xsan/config.
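As an added example (my code, not from the original post or from Apple/Quantum), a small Python checker that reads a volume .cfg in the legacy Xsan/StorNext text format and flags metadata storage pools still sitting on the 256-block default stripe breadth or not dedicated to metadata. The key names (StripeBreadth, MetaData, Exclusive, BufferCacheSize, InodeCacheSize) are my recollection of that format and the sample config is constructed, so compare against your own VOLUMENAME.cfg before trusting the output.

```python
import re

# Constructed sample in the legacy Xsan/StorNext .cfg format; key names are an
# assumption from memory, so compare against your own VOLUMENAME.cfg.
SAMPLE_CFG = """\
BufferCacheSize 32M
InodeCacheSize 8192
[StripeGroup MetadataAndJournal]
  MetaData Yes
  Journal Yes
  Exclusive Yes
  StripeBreadth 256
  Node Meta0 0
[StripeGroup Video1]
  MetaData No
  StripeBreadth 256
  Node Video0 0
"""
SECTION = re.compile(r"^\[(\w+)\s+(\S+)\]$")

def parse_cfg(text):
    """Return (global keys, {stripe group name: its keys}); later duplicate keys win."""
    globals_, groups, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = SECTION.match(line)
        if m:  # only StripeGroup sections are kept; other section types are discarded
            current = groups.setdefault(m.group(2), {}) if m.group(1) == "StripeGroup" else {}
            continue
        key, _, value = line.partition(" ")
        (globals_ if current is None else current)[key] = value.strip()
    return globals_, groups

def check_metadata_pools(text, large_volume=False):
    """Flag metadata stripe groups still on the 256-block default breadth (16 is
    recommended for small volumes, 64 for large ones) or not dedicated (Exclusive)."""
    recommended = 64 if large_volume else 16
    findings = []
    for name, keys in parse_cfg(text)[1].items():
        if keys.get("MetaData", "No").lower() != "yes":
            continue  # a data pool; breadth there is a per-workload tuning choice
        breadth = int(keys.get("StripeBreadth", "256"))
        if breadth != recommended:
            findings.append("%s: StripeBreadth %d, recommended %d" % (name, breadth, recommended))
        if keys.get("Exclusive", "No").lower() != "yes":
            findings.append("%s: metadata pool is not Exclusive" % name)
    return findings
```

Run it against the real file with `check_metadata_pools(open("/Library/Preferences/FileSystems/Xsan/config/VOLUMENAME.cfg").read())` and edit the breadth only with the volume stopped.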


Mac OS X Mac OS X Server Mac Security

Recursively Remove ACLs

The following command can be used to recursively remove all ACLs from a tree of your folder hierarchy:

chmod -RN /path/to/directory

FileMaker

Biometrics in Rapid Application Development

I originally posted this at http://www.318.com/TechJournal

Biometric systems measure the physical traits of users to offer a high level of security. By their nature, biometric systems require users to be present in order to log into the systems they protect. Biometric systems typically rely on the combination of a biometric trait and a password. They can also rely on the use of an access card, resulting in three forms of security being required to access a system.

Biometrics measure physical traits such as hand geometry, retinal patterns, facial scans, fingerprints or voice patterns. The use of biometrics has potential in a number of situations where security requirements are greater than the typical username and password combination can satisfy. Fingerprint scans are relatively quick, taking approximately 2-3 seconds on average.

Biometric systems can be trained to work for multiple users and can authorize different levels of access to systems. A fingerprint sensor can be used in conjunction with a Biometric plug-in for FileMaker database security. The Biometric plug-in does not work directly with or replace FileMaker’s built-in password scheme; instead it offers another layer of security directly within FileMaker.

It is possible to fool a biometric system. No security system is truly foolproof. However, biometrics offer a new layer of security that would otherwise not be present. Requiring passwords in conjunction with a biometric trait such as a fingerprint is better than allowing authentication based solely on the biometric trait. By matching the password to the biometric trait the system becomes more secure than if it was using just one of the two security mechanisms.

Biometric systems aren’t as expensive as they once were. For example, the Puppy Suite for Mac OS X is a fingerprint identification unit and authentication software bundle. Lightweight and small, the Puppy unit offers the ultimate in convenience with a new level of safekeeping. The Puppy ranges from $80 to $130. USB drives that provide biometric authentication are fairly inexpensive now as well, with at least 10 companies offering products.

While there are few other solid packages for Mac OS X, it is possible to purchase Windows-based biometric solutions for as little as $30. There is a biometric mouse called the BioMouse. IBM has perhaps gone as far as any other company with its biometric laptop offerings, with a laptop that does not boot without a fingerprint from an authorized user.

Biometrics are going to become an integral component of security. As the price of biometric solutions comes down, the product offerings are becoming more numerous. While most biometrics are not foolproof, they do offer an additional layer of security in an increasingly insecure world where Information Technology is concerned.

personal

Dungeons and Dragons

I walked into my office and caught people playing Dungeons and Dragons. It brought a smile to my face. I haven’t played since I was in the 8th grade (or 7th) but I remember those days fondly, with Rob, Jason, Steve, etc. And seeing that my office is as geeky as it should be made me very happy. It was on a Saturday, btw, so they weren’t playing D&D instead of working. :)

Mac OS X

Spotlight Keystroke Luv

Command-Spacebar can be used to invoke the Spotlight box. Then type the name of an application and hit Enter. This will open the app.

Mass Deployment

Extending LANDesk

You can add data to the /Library/Application Support/LANDesk/data/ldscan.core.data.plist file, which affords a little extensibility. Nice.

Mac OS X Server Mac Security

Mail Archival on the Open Source Mac

Need mail archival for Mac OS X Server? Love Open Source? Check out Mail Archiva at http://www.mailarchiva.com

Mac OS X Mac Security

HOWTO: arp poisoning made easy

So arp can display the table for name to Ethernet address resolution. That’s pretty easy: just run arp with the -a flag and it will show you all the other systems in your arp table. The table is managed dynamically. But what if you wanted to set an entry in there statically? Well, you could use arp with the -s flag followed by the host name and then the Ethernet address you want to assign to that host name. If you point a host name to an invalid address then you’ve poisoned your arp cache.
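As an added example (my code, not from the original post), a small Python audit of `arp -a` output that flags the two things a tampered cache shows: one MAC answering for several IPs on the same interface, and static entries that nobody remembers adding with -s. The line format and the "permanent" marker for static entries are assumptions based on BSD arp(8) output, and the sample table is constructed.

```python
import re
from collections import defaultdict

# One line of BSD/macOS `arp -a` output, e.g.
#   router.local (192.168.1.1) at 0:1e:2f:3a:4b:5c on en0 ifscope [ethernet]
# An entry pinned with `arp -s` carries the word "permanent" (an assumption
# about the arp(8) output format; adjust the pattern if your build differs).
ARP_LINE = re.compile(r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>\S+) on (?P<iface>\S+)(?P<rest>.*)$")

def normalize_mac(mac):
    """Zero-pad octets so 0:1:2:3:4:5 and 00:01:02:03:04:05 compare equal."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))

def parse_arp_table(text):
    """Parse `arp -a` output into entry dicts, skipping incomplete/unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("mac") == "(incomplete)":
            continue
        entries.append({"ip": m.group("ip"), "mac": normalize_mac(m.group("mac")),
                        "iface": m.group("iface"), "permanent": "permanent" in m.group("rest")})
    return entries

def audit_arp_table(text):
    """Return (shared, static): shared maps a MAC claimed by several IPs on one
    interface to those IPs (the symptom of a poisoned cache, or a NAT box);
    static lists IPs pinned with arp -s, which never age out on their own."""
    by_mac, static = defaultdict(list), []
    for e in parse_arp_table(text):
        by_mac[(e["iface"], e["mac"])].append(e["ip"])
        if e["permanent"]:
            static.append(e["ip"])
    shared = {mac: ips for (_, mac), ips in by_mac.items() if len(ips) > 1}
    return shared, static

# Constructed sample, not captured from a real host.
SAMPLE = """\
router.local (192.168.1.1) at 0:1e:2f:3a:4b:5c on en0 ifscope [ethernet]
fileserver (192.168.1.10) at 0:1e:2f:3a:4b:5c on en0 ifscope [ethernet]
printer (192.168.1.20) at 0:17:88:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.1.30) at (incomplete) on en0 ifscope [ethernet]
nas (192.168.1.40) at 0:a0:98:12:34:56 on en0 ifscope permanent [ethernet]
"""

if __name__ == "__main__":
    shared, static = audit_arp_table(SAMPLE)
    for mac, ips in shared.items():
        print("MAC %s claimed by %s" % (mac, ", ".join(ips)))
    print("static entries:", ", ".join(static) or "none")
```

To check a live box, feed it `subprocess.check_output(["arp", "-a"], text=True)` instead of SAMPLE; a shared MAC that is not your router or a known NAT device is worth a closer look.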