Monthly Archives: October 2008

Mac OS X Mac OS X Server Mac Security

SANS Mac OS X Security Checklist

For the Cyber Defense Initiative, we just finished updating the security checklist for Mac OS X.  The new checklist is out and can be downloaded at:

http://www.sans.org/press/osxchecklist.php

Xsan

Xsan: Stripe Group Down Errors

If you are getting Stripe Group Down errors in your Xsan logs then this usually means there is a problem with your workstation accessing LUNs in the environment.  This can be an issue with a given workstation having problems seeing the SAN fabric or it can be a problem with any other system seeing the fabric.  You will notice the system having the error indicated in the logs.  Check Apple System Profiler (keep in mind Apple System Profiler sometimes requires a reboot to refresh the LUNs it has access to via Fibre Channel) to see if the indicated LUNs are present.  If all LUNs give an error (one per line) that the stripe group is down then you will typically have a bad cable, HBA, OS load or port on the switch (from the workstation or Metadata Controller).  If the error is intermittent then you may have a short in one of the above devices.  If all systems show the error then it is more likely the fiber (fibre) channel switch or the LUNs themselves having problems.

Happy troubleshooting!

Football

Georgia Tops LSU

In a 52 to 38 win, Georgia knocked off the 13th ranked team in the land, the LSU Tigers, ending any shot that LSU had at a national title and increasing their own.  The BCS rankings now have them listed 6th in the nation after that win.  Next up is the Florida Gators in the annual showdown in Jacksonville.  Given that 2 teams ranked above Georgia are playing this weekend, a win against the Gators would put Georgia back into the top 5 with the potential of a national title ahead of them.

Articles and Books

Teens Convicted of Virtual Theft

A link sent to me by coworker Thomas about a couple of virtual thieves…  

http://www.boingboing.net/2008/10/23/teens-convicted-of-v.html

Active Directory Mac OS X Mac OS X Server Mac Security Mass Deployment Windows Server

Mac OS X: Directory Services Debug Log

When you’re trying to troubleshoot issues with Directory Services on Mac OS X, sometimes the best thing you can do is put the DirectoryService daemon into debug mode. To do so, use the following command:

killall -USR1 DirectoryService

By default errors get trapped into this file:

/Library/Logs/DirectoryService/DirectoryService.error.log

But when in debug mode using -USR1 you can see more specific errors in the /Library/Logs/DirectoryService/DirectoryService.error.log file.  You can then use commands such as tail in conjunction with grep in order to isolate issues to specific strings such as ADPlugin. If you choose to use -USR2 for debugging then the logs will get written into the /var/log/system.log file.

To disable verbose logging, restart the Directory Services daemon if you used -USR1. If you used -USR2, debugging information will automatically stop being written to the log after 5 minutes.
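
One way to do the tail-and-grep isolation described above, as an added example that is not part of the original post. The log path default is the one the post names (pass another file as the last argument if yours differs), and the sample log lines and their layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# DS_LOG defaults to the log path the post names; the last argument overrides it.
DS_LOG="${DS_LOG:-/Library/Logs/DirectoryService/DirectoryService.error.log}"

# The post's command for switching on debug logging (needs root on a real Mac).
ds_enable_debug() { sudo killall -USR1 DirectoryService; }

# ds_count PATTERN [FILE]: number of log lines that mention PATTERN.
ds_count() {
    [ -r "${2:-$DS_LOG}" ] || { echo 0; return 0; }
    grep -c -- "$1" "${2:-$DS_LOG}" || true
}

# ds_last PATTERN N [FILE]: the most recent N lines that mention PATTERN.
ds_last() {
    grep -- "$1" "${3:-$DS_LOG}" 2>/dev/null | tail -n "$2"
}

# ds_by_plugin [FILE]: line count per plug-in, busiest first. Assumes the
# constructed layout "DATE TIME TZ - T[thread] - Plugin: message".
ds_by_plugin() {
    awk -F' - ' 'NF >= 3 { split($3, a, ":"); n[a[1]]++ }
                 END { for (p in n) print n[p], p }' "${1:-$DS_LOG}" | sort -rn
}

# ds_sample_log FILE: write constructed sample lines (not real daemon output).
ds_sample_log() {
    cat > "$1" <<'EOF'
2008-10-27 10:15:01 PDT - T[0xB0185000] - ADPlugin: looking up domain controllers
2008-10-27 10:15:02 PDT - T[0xB0185000] - ADPlugin: bind attempt failed
2008-10-27 10:15:02 PDT - T[0xB0207000] - LDAPv3: connection established
2008-10-27 10:15:03 PDT - T[0xB0185000] - ADPlugin: retrying bind
EOF
}

# Offline demo on the constructed sample.
demo=$(mktemp)
ds_sample_log "$demo"
ds_by_plugin "$demo"          # which plug-in is generating the most lines
ds_last ADPlugin 2 "$demo"    # the two most recent ADPlugin lines
rm -f "$demo"
```

On a live system, run ds_enable_debug first, reproduce the login or bind problem, then call ds_by_plugin and ds_last against the log.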
Xsan

Xsan: Create a Volume

Once you have created your SAN you will want to build a volume. The volume is what is logically shown to end users running as Xsan clients and by default will automatically mount for them when they log into their computer. Creating the volume is a straightforward matter. To begin, open Xsan Admin and you will see a screen similar to the one below.

Xsan Admin

Click on Volumes in your SAN Assets side bar and you will see a blank listing of Volumes. Here, click on the + sign in the bottom right hand side of the screen. This will begin the volume creation wizard at the SAN Setup Screen.

SAN Setup Screen

Here, type the volume name and choose what type of data will reside on the volume. The options you choose here will directly impact the performance of the SAN in a variety of ways. You can click on the Advanced Settings… button to see the specific settings that will be applied based on your selection as can be seen below – and further customize them.

Advanced SAN Settings

The most important setting here is the Block Allocation size. Xsan uses the storage pool stripe breadth and volume block allocation size to decide how to write data to a volume. Because writes typically impact performance more than reads, it is important to match these in a manner that makes sense given the type of data the SAN will be used to store. As of today Apple has not released an Xsan Tuning Guide for Xsan 2.x but the one for Xsan 1.x can be found at http://pdf.euro.apple.com/pdf/pn=Xsan_TuningGuide/Xsan_TuningGuide.pdf.

Per the setup Guide:

In general, smaller file system block sizes are best in cases where there are many small, random reads and writes, as when a volume is used for home directories or general file sharing. In cases such as these, the default 4 KB block size is best. If, however, the workflow supported by the volume consists mostly of sequential reads or writes, as is the case for audio or video streaming or capture, you can get better performance with a larger block size. Try a 64 KB block size in such cases.

Other options for this portion of the volume setup include:

  • Allocation Strategy – How data is written to the Affinity Tags (see below for more information on Affinity Tags). The Allocation Strategy of Round Robin is used by default and in most cases is recommended. You can use Balanced if you want to make sure that your Affinity Tags are written to in a consistent manner or Fill if you want to rotate between Affinity Tags in a manner where each is filled with data in sequence; however choosing either option will typically degrade performance.
  • Spotlight – Use to enable and disable Spotlight for volumes (given that Spotlight is not currently working effectively in 2.x, this should typically be disabled).
  • Access Control Lists – Use to enable and disable ACLs on the volume. This should typically be enabled.
  • Windows ID Mapping
  • Allocation Settings – Always check with a technical project manager before customizing any of these settings.
      • File Expansion Min – Set the number of minimum blocks written to the SAN for each new file created. This can be customized to speed up writes for large files by increasing it or to speed up the writes for a large number of smaller files by decreasing it.
      • File Expansion Increment – The number of blocks used for each incremental size above the File Expansion Min.
      • File Expansion Max – The maximum number of blocks used for the file. Can help to reduce fragmentation on your volume.
  • Cache Settings – Always check with a technical project manager before customizing any of these settings.
      • iNode Cache Size – an iNode is a data structure holding information about files in a Unix file system. There is an iNode for each file and a file is uniquely identified by the file system on which it resides and its iNode number on that system. Xsan is just a file system and uses iNodes to keep track of the data that resides on the file system.
      • Buffer Cache Size – the buffer cache is

Once you have the settings as required you can click OK and then Continue to start setting up your Affinity Tags (formerly referred to as Storage Groups in Xsan 1.x). When building your Affinity Tags it is important that each be similar in number of LUNs and expected performance to the others in the same volume, with the exception of the metadata Affinity Tag. The metadata Affinity Tag should sit on its own RAID controller so that no user data is being written to that controller while Xsan is trying to write metadata.

Typically there is one LUN per RAID controller. Since your Affinity Tags should be setup similar to one another in a volume your Affinity Tags need to contain similar data to one another. This means that if you have 12 data LUNs then you will typically want 3 data Affinity Tags, each with 4 LUNs. This would in actuality require 13 LUNs as you always want one LUN dedicated to metadata. If you choose to use an unbalanced setup then please consult a technical project manager prior to doing so.

The options for an Affinity Tag (as can be seen below) are:

  • Any Data – the Affinity Tag can be used to house metadata or User Data
  • Journaling and Metadata Only – the Affinity Tag can be used exclusively for metadata, or the data that keeps track of where the pieces of the user data resides on the SAN
  • User Data Only – the Affinity Tag can be used only for Data that is written to the volume
  • Only data with affinity – force data written to the Affinity Tag to a specified folder
  • Stripe Breadth – The size of each stripe of data (in blocks) written to one Affinity Tag before moving on to the next.

metadata

When setting up the stripe breadth, the breadth times the Block Allocation assigned earlier in the process should always equal 1 megabyte (MB). Per the setup guide:

The Mac OS X (or Mac OS X Server) operating system, which handles file data transfers for Xsan, performs 1 megabyte (MB) data transfers. As a result, Xsan gets maximum efficiency from the operating system when it transfers blocks of data that are a multiple of 1 MB. At the other end of the transfer, the LUN also works well when it receives 1 MB of data at a time. So, when data is written to a storage pool, you get the best performance if 1 MB of data is written to each LUN in the storage pool. The amount of data Xsan writes to a LUN is determined by the product of two values you specify when you set up a volume:

  • The volume’s block allocation size (in kilobytes)
  • The stripe breadth of the storage pools that make up the volume (in number of allocation blocks)

transfer size = block size x stripe breadth

For example, the default Xsan block size of 4 KB combines with the default storage pool stripe breadth of 256 blocks to produce a transfer size of 1 MB. If you increase the block size to 64 KB, for example, to suit data streaming, set the stripe breadth to 16 blocks, so the product of the two remains 1 MB.
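
A check of the block size times stripe breadth rule across every stripe group of a volume, as an added example that is not from the original post or the setup guide. It assumes a volume configuration file in which FsBlockSize, [StripeGroup NAME] and StripeBreadth appear as shown; the key names are assumptions to verify against your own file, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Key names and layout are assumed.

# xsan_check_transfer FILE: one line per stripe group with the resulting
# transfer size in bytes, the breadth that would give 1 MB, and OK/MISMATCH.
xsan_check_transfer() {
    awk '
    function bytes(v,  n) {      # "4K" -> 4096, "1M" -> 1048576, "256" -> 256
        n = v + 0
        if (v ~ /[Kk]$/) n *= 1024
        if (v ~ /[Mm]$/) n *= 1048576
        return n
    }
    $1 == "FsBlockSize"  { bs = bytes($2) }
    $1 == "[StripeGroup" { g = $2; sub(/\]$/, "", g) }
    $1 == "StripeBreadth" && g != "" && bs > 0 {
        # Assumption: a bare number counts allocation blocks, as in the post;
        # a value with a K or M suffix is already a size in bytes.
        xfer = ($2 ~ /[KkMm]$/) ? bytes($2) : $2 * bs
        printf "%s transfer=%d want_breadth=%d %s\n", g, xfer, 1048576 / bs,
               (xfer == 1048576 ? "OK" : "MISMATCH")
    }' "$1"
}

# xsan_sample_cfg FILE: write a constructed sample (not a real volume file).
# Video2 kept the 4 KB default breadth after the block size was raised to 64 KB.
xsan_sample_cfg() {
    cat > "$1" <<'EOF'
FsBlockSize 64K

[StripeGroup MetadataAndJournal]
StripeBreadth 16

[StripeGroup Video1]
StripeBreadth 16

[StripeGroup Video2]
StripeBreadth 256
EOF
}

# Offline demo on the constructed sample.
cfg=$(mktemp)
xsan_sample_cfg "$cfg"
xsan_check_transfer "$cfg"
rm -f "$cfg"
```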

Now it is time to set up your metadata controllers for your volume. Here you will see each system that is set as a Metadata controller. Typically 2 should suffice for any given volume or set of volumes. Each Metadata controller on a volume will appear in Activity Monitor as an instance of the fsm process, and the memory and processing that the fsm process requires can be tracked as with any other service.

Failover

At the Volume Failover Priority screen you can customize the order of priority assigned to a metadata controller (MDC). Simply drag items higher or lower in the list to make them higher or lower priority. By default the top item in the list will always be the default MDC. More than 3 MDCs can cause unneeded latency on the volume, so feel free to deactivate any that are not needed.

When you click Continue you will now see your new Volume (as can be seen below). The Affinity Tags along with the percentage of each that is consumed with data will also appear along with the capacity of the pool (under the Size column), the Available disk space (under the Available column) and the active MDC (under the Hosted By column). The structure of the volume in terms of Affinity Tags and LUNs can also be seen here.

New Volume

Here you will have a number of options available (as can be seen below), by clicking on a Volume name and clicking on the Cog Wheel.

Volume Options

Use Edit Notification Settings to assign email updates to administrators of the SAN. Use Edit Failover Priority to add or remove MDCs or just change their priority. Use Force Failover to test failover between MDCs, and use Start and Stop to start and stop the volume.

Your volume setup is now complete and you can move on to adding Computers that can see the volume.

Business

Symantec Continues to Beef Up SaaS Solution Offerings

Symantec has purchased MessageLabs for about $700 Million.  This move brings filtered services for spam and web traffic to the Symantec Protection Network, a pseudo-Software as a Service arm of Symantec.  You will now be able to filter for spam through Symantec products before it enters your environment and then again once messages are in the environment if you want to go that route, for maximum customizable protection.  You can also backup online through the Protection Network and establish remote access services.  I guess that theoretically you could just let Symantec do all the work, provided you trust they’ll do a good job with it…

Windows XP

Windows XP: Reset Product Key

Microsoft is getting more and more picky about that product key and the Genuine Advantage program.  So if you’re finding that the warnings and annoy-ware are getting to be too much to handle then reset it.  To do so, first edit the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer registry key to be some number or letter.  This will overwrite your existing product key and allow you to enter a new one.  Next, click on Start and then Run and enter the following command (assuming Windows is installed in the C:\Windows directory):

C:\Windows\system32\oobe\msoobe /a

This will bring up the Activate Windows wizard.  Here, select to update using a telephone service representative.  Here, select a location and type in your new Windows product key.  Then click Next and restart.  When Windows comes back up if the product key is taken then you will be looking at the Registration wizard.  Complete and you’re done.  Much easier than reinstalling Windows XP.

Final Cut Server

Final Cut Server: iMovie Integration

Final Cut Server isn’t built for working with iMovie and iMovie isn’t built for working with Final Cut Server. Therefore, when you’re using the two of them together it is important to keep a few things in mind.  

Using Final Cut Server Assets with iMovie

First, when importing media into iMovie from Final Cut Server then it will need to be in either dv, mpeg-2 or mpeg-4 formats. Next, if you’re importing 1080i media then by default it will be converted into 960×540, a significant change from working with uncompressed media. Additionally, when you import media into iMovie, the default setting is to copy the media into the iMovie library. Finally, if you are going to be dragging media from the Final Cut Server window straight into iMovie, this is supported but you will first need to cache the media to your hard drive. To do so, you can just drag the media into an existing Event in iMovie and then when you’re prompted (as seen below) select Add to Cache.

Another way to cache the media is to Control-Click on the asset and select Add to Cache, as seen below.

While the primary representation of the asset is being cached to your computer you will see the following in your Final Cut Server window:

If you are unsure as to what format the media you are using is being kept in then you can click on the asset and then in the left side of your Final Cut Server screen you will see something similar to the following, which will list the format (this file is in dv format):

Importing Media into Final Cut Server from iMovie

In addition to bringing media into iMovie from Final Cut Server you can also take your media from iMovie and make it into Final Cut Server assets. This is because Final Cut Server has built-in support for dv, mpeg-2 and mpeg-4 files. To migrate data from events in iMovie to Final Cut Server just drag the media files (dv by default) into Final Cut Server from the Finder. These files are automatically stored in the ~/Movies/iMovie Events/EVENT NAME folder (where EVENT NAME is the name of the event shown within iMovie). If the files are not shown in this folder then you can Control-Click on an item in the event browser and then select Reveal in Finder as seen below:

Once you have located the media from iMovie then you can drag it into Final Cut Server. Then follow the steps you would normally follow to complete the upload and transcoding of your assets. Alternatively you can use the Import feature of Final Cut Server to import the media.

Additionally you may choose to import your projects into Final Cut Server.  When working with Projects, Final Cut Server is not going to have as seamless an integration as you are used to with your Final Cut Studio or Final Cut Pro project files. When you import a Final Cut Pro project, all of your linked assets will be imported into Final Cut Server. However, when you are working with iMovie projects you will be accessing a bundle, which does not have all of the original elements of your media attached to it, nor the appropriate metadata. Instead, your projects will be seen as a bundle. To import the bundle, click on the Project from within iMovie and then drag it over to your Final Cut Server library (or Control-Click on it, select Reveal in Finder and then drag it into your Final Cut Server library).

You will then be asked whether to Create a Bundle Asset or Create Individual Assets. Click on Create Bundle Asset and the data will be imported into Final Cut Server.