Monthly Archives: January 2011

Business Mac OS X Server

Active Announcement in the Morning!

For those who haven’t yet seen it, or who almost forgot due to crossing too many time zones, Active Storage, the makers of the Active RAID, will be announcing their new product tomorrow morning. From what you see on the web site, it looks to be some sort of rack mount device. Given their fantastic development work in the past, it’s sure to be a good addition to the bat-belts of the MacIT crowd. 9am Eastern, see ya’ there!

http://www.activestorage.com

Xsan

The Qlogic Command Line

For many environments, a Qlogic switch can be as simple as plugging it into the wall to get working. The web interface is a great tool and appropriate for many a configuration, but the interactive shell environment on the switches gives a few more options.

Let’s first get logged into the switch. The switch will have an IP address, so telnet into that address (I’ll use my IP rather than the default IP of 10.0.0.1 that the switches ship with):

telnet 192.168.210.87

Once you provide a password you’ll be placed into an Interactive Command Line Interface SHell environment, which Qlogic calls CLISH.

Establishing connection…   Please wait.

*****************************************************

*                                                   *

*       Command Line Interface SHell  (CLISH)       *

*                                                   *

*****************************************************

SystemDescription   SANbox 5600 FC Switch

HostName            5600

EthIPv4NetworkAddr  192.168.210.87

EthIPv6NetworkAddr  ab50::2c0:eeaa:fe17:337e

MACAddress          00:c0:dd:07:37:7e

WorldWideName       10:00:00:c0:bd:07:27:74

SerialNumber        0240A00557

SymbolicName        CHARLES_HOME_TEST_5600

ActiveSWVersion     V7.4.0.16.0

ActiveTimestamp     Thu Mar 19 22:20:51 2009

DiagnosticsStatus   Passed

LicensedPorts       20

SwitchMode          Full Fabric

This switch supports a dual-stacked IPv4 and IPv6 network connection.

Use the ‘set setup system’ command to change the network settings.

Either IPv4 or IPv6 can be disabled, otherwise the switch will run in

dual-stack mode.

Because you need to be an administrator to do almost anything fun on these things, let’s start an administrative session by issuing the admin command in the interactive shell, followed by the start verb:

admin start

Next up, let’s look at our active ports using the show command, along with the port verb:

show port

Once we can see our ports, let’s check out one specific port, again using the show port, but this time specifying a port number:

show port 2

Which results in:

Port Number: 2

————

AdminState       Online              OperationalState Offline

AsicNumber       0                   PerfTuningMode   Normal

AsicPort         2                   PortID           030200

ConfigType       F                   PortWWN          20:02:00:d0:bb:07:34:75

DiagStatus       Passed              RunningType      Unknown

DownstreamISL    False               MediaPartNumber  AFBR-57D7APZ

EpConnState      None                MediaRevision    G2.3

EpIsoReason      NotApplicable       MediaType        800-MX-SN-I

IOStreamGuard    Enabled             MediaVendor      AVAGO

Licensed         True                MediaVendorID    0000176a

LinkSpeed        4Gb/s               SupportedSpeeds  1, 2, 4Gb/s

LinkState        Inactive            SymbolicName     Port2

LoginStatus      NotLoggedIn         SyncStatus       SyncLost

MaxCredit        16                  UpstreamISL      False

MediaSpeeds      2, 4, 8Gb/s         XmitterEnabled   True

ALInit             0                   LIP_F8_F7          0

ALInitError        0                   LinkFailures       0

BadFrames          0                   Login              0

BBCR_FrameFailures 0                   Logout             0

BBCR_RRDYFailures  0                   LongFramesIn       0

Class2FramesIn     0                   LoopTimeouts       0

Class2FramesOut    0                   LossOfSync         0

Class2WordsIn      0                   LostFrames         0

Class2WordsOut     0                   LostRRDYs          0

Class3FramesIn     0                   PrimSeqErrors      0

Class3FramesOut    0                   RxLinkResets       0

Class3Toss         0                   RxOfflineSeq       0

Class3WordsIn      0                   ShortFramesIn      0

Class3WordsOut     0                   TotalErrors        0

DecodeErrors       0                   TotalLinkResets    0

EpConnects         0                   TotalLIPsRecvd     0

FBusy              0                   TotalLIPsXmitd     0

FlowErrors         0                   TotalOfflineSeq    0

FReject            0                   TotalRxFrames      0

InvalidCRC         0                   TotalRxWords       0

InvalidDestAddr    0                   TotalTxFrames      0

LIP_AL_PD_AL_PS    0                   TotalTxWords       0

LIP_F7_AL_PS       0                   TxLinkResets       0

LIP_F7_F7          0                   TxOfflineSeq       0

This shows us a pretty good amount of information, from the link speed of a given port to the brand of transceiver that is being used and the WWN of the actual (in this case) initiator. We also see whether or not IOStreamGuard is enabled (in this case we’re dealing with an initiator, so it is) and what the available media speeds are, as well as the supported speeds for that port. Also notice that the ports have no statistics. Here, we want to keep an eye on things like TotalErrors, LIPs (LIP*), LinkFailures, RxLinkResets and ALInitError. Basically, if it’s in the above list and it sounds bad then it probably is…
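One way to watch those counters across many ports is to scan a saved copy of the show port output. This is an added example, not part of the original article; the function names and the sample text are constructed, and it assumes the two-column counter layout shown above.

```shell
#!/bin/sh
# Added example: flag non-zero error counters in saved `show port` output.
# Watched counters are the ones the article names: TotalErrors, anything
# containing LIP, LinkFailures, RxLinkResets and ALInitError.

# flag_port_errors [FILE...]
# Reads the named files (or stdin) and prints one line per non-zero
# watched counter, in the form: port=<n> <counter>=<value>
flag_port_errors() {
    awk '
        # Captures taken over telnet often carry CR line endings.
        { sub(/\r$/, "") }

        # Remember which port the following counters belong to.
        /^Port Number:/ { port = $3; next }

        {
            # Counter rows are laid out as: name value name value
            for (i = 1; i < NF; i++) {
                name = $i
                val = $(i + 1)
                watched = (name ~ /^(TotalErrors|LinkFailures|RxLinkResets|ALInitError)$/ || name ~ /LIP/)
                if (watched && val ~ /^[0-9]+$/ && val + 0 > 0)
                    printf "port=%s %s=%s\n", port, name, val
            }
        }
    ' "$@"
}

# Constructed sample, trimmed to a few counter rows for two ports.
sample_show_port() {
    cat <<'EOF'
Port Number: 2
ALInit             0                   LIP_F8_F7          3
ALInitError        0                   LinkFailures       0
InvalidCRC         0                   TotalErrors        12
Port Number: 5
LIP_F7_F7          0                   TxOfflineSeq       0
Login              4                   RxLinkResets       1
EOF
}

# Stand-alone run over the constructed sample.
sample_show_port | flag_port_errors
```

Counters outside the watched set, such as Login in the sample, are ignored even when non-zero.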

Because switches have in many cases been running for years, resetting port statistics can be pretty helpful, as it lets you see only the latest information when troubleshooting. You can use the baseline options in the GUI, but every now and then you’ll want to work with as small a subset of data as possible and so will want to clear out the information regarding a port. The GUI can clear baseline stats, but not historical statistics. To clear these stats, we’re going to use the set command, along with port (as we’re setting something on a port), followed by the clear verb and then the port number:

set port clear 1

You can also run the same command without indicating a port number in order to clear ‘em all out:

set port clear

Show also comes with an option to show logs:

show log

And to see more historical information:

show log archive

I usually pipe that information into a text file for easier parsing. Because the date seems off on most switches where people forget to put time servers in, running the date command will let you figure out an appropriate offset for log file isolation:

date

And one of my favorite commands tells me how long the switch has been up:

uptime

As with Mac OS X and Linux, the ps command shows us running processes:

ps

And show interface is the equivalent of an ifconfig in a standard shell environment:

show interface

And many a problem is based on a port configuration issue, so to see information on a given port:

show config port 2

Which results in:

—-

Configuration Name: default

——————-

Port Number: 2

————

AdminState           Online

LinkSpeed            Auto

PortType             F

SymbolicName         Port2

ALFairness           False

DeviceScanEnabled    True

ForceOfflineRSCN     False

ARB_FF               False

InteropCredit        0

ExtCredit            0

FANEnabled           True

AutoPerfTuning       True

MSEnabled            True

NoClose              False

IOStreamGuard        Disabled

PDISCPingEnabled     True

Next up, let’s look at zoning. This is one of the most common things that you’ll need to use the command line for as you cannot enable the default zone using the GUI and the 9200 ships with it disabled. To start off, let’s use that show command, along with the config (as we’re going to be looking at a configuration option) and then zoning so we only see our options for zoning:

show config zoning

While we’re in admin mode, we’re not in a mode to edit our configuration, so let’s jump into the config mode:

config edit

Now that we can actually edit our configuration, let’s run the set command, along with the config and then zoning:

set config zoning

On a 56xx, this brings up a little wizard that asks us 3 questions, the current answer to which is in brackets and can be retained by simply hitting the enter key for that option. Or, type the other option. In the following example we’re allowing the DefaultZone:

MergeAutoSave         (True / False)  [True ]

DefaultZone           (Allow / Deny)  [Deny ]  Allow

DiscardInactive       (True / False)  [False]

But on a 9x00 it brings up 4 options, the 4th being oft problematic as most Xsans these days seem to have more than 64 nodes per zone (although most Xsan environments aren’t gonna’ hit the 10,000 limit):

Zoning Configuration Information

——————————–

MergeAutoSave         True

DefaultZone           Allow

DiscardInactive       False

ImplicitHZ            False

And then we’re saving our configuration to nvram:

config save

Now that you have a new configuration saved, you can activate it to be live (be careful not to knock ports offline if you are in a production environment):

config activate

To then look at the zone sets configured on the device (or fabric):

zoneset list

And to see which is active:

zoneset active

And to see what this means (i.e. a list of WWNNs per zone):

zoning active

The admin command has an option to use an end verb, which intriguingly ends an active administrative session:

admin end

Since we’re done, we’ll issue a quit command:

quit

Let’s log into a 9200 and look at one more thing before I wrap up this little article:

login: admin

Password:

Establishing connection…   Please wait.

*****************************************************

*                                                   *

*       Command Line Interface SHell  (CLISH)       *

*                                                   *

*****************************************************

SystemDescription   SANbox 9000 Series

HostName            Qlogic9200

EthIPv4NetworkAddr  192.168.210.88

EthIPv6NetworkAddr  <undefined>

MACAddress          00:c0:dd:0c:12:ce

WorldWideName       10:00:00:c0:ee:1d:72:db

ChassisSerialNumber 0816B50816

SymbolicName        Charles_Home_9200

ActiveSWVersion     V7.8.0.8.0

ActiveTimestamp     Fri Dec 26 17:50:21 2008

POSTStatus          Passed

PrimaryCPU          CPU0

SecondaryCPUStatus  HotStandby (switch is Fault Tolerant)

And that last thing is to look at the environmental statistics on the 9200. To do so we’re going to continue on with that show command:

show env

Which gives us:

Temperature(C) Sensors:

Blade ID  Sensor  Description  Status  Current  High Warn  High Alarm

——–  ——  ———–  ——  ——-  ———  ———-

IO0            0  BOARD        Normal       41         75          85

IO0            1  DS1780_0     Normal       42         65          70

IO0            2  DS1780_1     Normal       41         65          70

IO0            3  MAX1617      Normal       42         65          70

IO0            4  ASIC         Normal       51         95         100

IO1            0  BOARD        Normal       43         75          85

IO1            1  DS1780_0     Normal       42         65          70

IO1            2  DS1780_1     Normal       41         65          70

IO1            3  MAX1617      Normal       42         65          70

IO1            4  ASIC         Normal       51         95         100

IO2            0  BOARD        Normal       41         75          85

IO2            1  DS1780_0     Normal       41         65          70

IO2            2  DS1780_1     Normal       40         65          70

IO2            3  MAX1617      Normal       41         65          70

IO2            4  ASIC         Normal       50         95         100

IO3            0  BOARD        Normal       40         75          85

IO3            1  DS1780_0     Normal       40         65          70

IO3            2  DS1780_1     Normal       39         65          70

IO3            3  MAX1617      Normal       40         65          70

IO3            4  ASIC         Normal       48         95         100

IO4            0  BOARD_0      Normal       38         75          85

IO4            1  BOARD_1      Normal       38         75          85

IO4            2  DS1780_0     Normal       39         65          70

IO4            3  DS1780_1     Normal       37         65          70

IO4            4  MAX1617      Normal       41         75          90

IO4            5  ASIC         Normal       73        110         120

IO6            0  BOARD        Normal       43         75          85

IO6            1  DS1780_0     Normal       42         65          70

IO6            2  DS1780_1     Normal       42         65          70

IO6            3  MAX1617      Normal       42         65          70

IO6            4  ASIC         Normal       52         95         100

IO7            0  BOARD        Normal       41         75          85

IO7            1  DS1780_0     Normal       41         65          70

IO7            2  DS1780_1     Normal       41         65          70

IO7            3  MAX1617      Normal       41         65          70

IO7            4  ASIC         Normal       49         95         100

CPU0           0  BOARD        Normal       41         75          85

CPU0           1  DS1780_0     Normal       40         65          70

CPU0           2  DS1780_1     Normal       40         65          70

CPU0           3  MAX1617_0    Normal       42         75          90

CPU0           4  ASIC_0       Normal       60        110         120

CPU0           5  MAX1617_1    Normal       42         75          90

CPU0           6  ASIC_1       Normal       54        110         120

CPU1           0  BOARD        Normal       41         75          85

CPU1           1  DS1780_0     Normal       41         65          70

CPU1           2  DS1780_1     Normal       41         65          70

CPU1           3  MAX1617_0    Normal       43         75          90

CPU1           4  ASIC_0       Normal       57        110         120

CPU1           5  MAX1617_1    Normal       42         75          90

CPU1           6  ASIC_1       Normal       53        110         120

Voltage Sensors:

Blade ID  Sensor  Description  Status  Current  Low Alarm  High Alarm

——–  ——  ———–  ——  ——-  ———  ———-

IO0            0  1.5V         Good       1.50       1.31        1.68

IO0            1  1.25V        Good       1.24       1.00        1.50

IO0            2  2.5V         Good       2.49       2.20        2.82

IO0            3  3.3V         Good       3.31       2.99        3.62

IO0            4  12V          Good      11.69      10.00       13.31

IO0            5  1.2V         Good       1.19       1.04        1.38

IO0            6  1.8V         Good       1.80       1.61        1.99

IO0            7  1.8V_ANALOG  Good       1.78       1.61        1.99

IO0            8  2.5V_ANALOG  Good       2.37       2.10        2.82

IO1            0  1.5V         Good       1.50       1.31        1.68

IO1            1  1.25V        Good       1.24       1.00        1.50

IO1            2  2.5V         Good       2.49       2.20        2.82

IO1            3  3.3V         Good       3.31       2.99        3.62

IO1            4  12V          Good      11.69      10.00       13.31

IO1            5  1.2V         Good       1.19       1.04        1.38

IO1            6  1.8V         Good       1.80       1.61        1.99

IO1            7  1.8V_ANALOG  Good       1.78       1.61        1.99

IO1            8  2.5V_ANALOG  Good       2.39       2.10        2.82

IO2            0  1.5V         Good       1.50       1.31        1.68

IO2            1  1.25V        Good       1.24       1.00        1.50

IO2            2  2.5V         Good       2.51       2.20        2.82

IO2            3  3.3V         Good       3.31       2.99        3.62

IO2            4  12V          Good      11.69      10.00       13.31

IO2            5  1.2V         Good       1.19       1.04        1.38

IO2            6  1.8V         Good       1.80       1.61        1.99

IO2            7  1.8V_ANALOG  Good       1.78       1.61        1.99

IO2            8  2.5V_ANALOG  Good       2.37       2.10        2.82

IO3            0  1.5V         Good       1.50       1.31        1.68

IO3            1  1.25V        Good       1.24       1.00        1.50

IO3            2  2.5V         Good       2.49       2.20        2.82

IO3            3  3.3V         Good       3.31       2.99        3.62

IO3            4  12V          Good      11.75      10.00       13.31

IO3            5  1.2V         Good       1.19       1.04        1.38

IO3            6  1.8V         Good       1.80       1.61        1.99

IO3            7  1.8V_ANALOG  Good       1.78       1.61        1.99

IO3            8  2.5V_ANALOG  Good       2.39       2.10        2.82

IO4            0  2.5V         Good       2.50       2.20        2.80

IO4            1  1.25V        Good       1.24       1.00        1.50

IO4            2  3.3V         Good       3.32       3.02        3.58

IO4            3  5V           Good       4.92       4.37        5.55

IO4            4  12V          Good      11.75      10.00       13.31

IO4            5  1.5V         Good       1.48       1.31        1.68

IO4            6  1.8V         Good       1.78       1.61        1.99

IO6            0  1.5V         Good       1.50       1.31        1.68

IO6            1  1.25V        Good       1.24       1.00        1.50

IO6            2  2.5V         Good       2.49       2.20        2.82

IO6            3  3.3V         Good       3.31       2.99        3.62

IO6            4  12V          Good      11.69      10.00       13.31

IO6            5  1.2V         Good       1.19       1.04        1.38

IO6            6  1.8V         Good       1.80       1.61        1.99

IO6            7  1.8V_ANALOG  Good       1.76       1.61        1.99

IO6            8  2.5V_ANALOG  Good       2.39       2.10        2.82

IO7            0  1.5V         Good       1.48       1.31        1.68

IO7            1  1.25V        Good       1.24       1.00        1.50

IO7            2  2.5V         Good       2.48       2.20        2.82

IO7            3  3.3V         Good       3.31       2.99        3.62

IO7            4  12V          Good      11.69      10.00       13.31

IO7            5  1.2V         Good       1.20       1.04        1.38

IO7            6  1.8V         Good       1.80       1.61        1.99

IO7            7  1.8V_ANALOG  Good       1.78       1.61        1.99

IO7            8  2.5V_ANALOG  Good       2.37       2.10        2.82

CPU0           0  1.55V        Good       1.54       1.42        1.68

CPU0           1  1.25V        Good       1.24       1.00        1.50

CPU0           2  1.8V         Good       1.79       1.60        1.99

CPU0           3  3.3V         Good       3.31       2.99        3.62

CPU0           4  12V          Good      11.69      10.00       13.31

CPU0           5  ASIC_0_1.5V  Good       1.47       1.31        1.68

CPU0           6  2.5V         Good       2.50       2.20        2.80

CPU0           7  ASIC_1_1.5V  Good       1.45       1.31        1.68

CPU0           8  3.3V         Good       3.30       3.02        3.58

CPU1           0  1.55V        Good       1.54       1.42        1.68

CPU1           1  1.25V        Good       1.24       1.00        1.50

CPU1           2  1.8V         Good       1.77       1.60        1.99

CPU1           3  3.3V         Good       3.31       2.99        3.62

CPU1           4  12V          Good      11.69      10.00       13.31

CPU1           5  ASIC_0_1.5V  Good       1.45       1.31        1.68

CPU1           6  2.5V         Good       2.49       2.20        2.80

CPU1           7  ASIC_1_1.5V  Good       1.45       1.31        1.68

CPU1           8  3.3V         Good       3.30       3.02        3.5

The reason I wanted to look at using the show env command with the 9200 is that it is one of the few commands that is supported on the 9200 and not on the 5600 series switches. Also, I thought it worth mentioning that, given that the environmental options are much different between the 9200 and 5600, Lithium, a popular tool for monitoring Xsan environments, will show errors that the 9200 has problems in the event you add it to a Lithium Console (which makes my iPad go batty with vibrations). To see the information on the snmp configuration, you guessed it:

show setup snmp

Uncategorized

iPad Deployment

If you are like me then while the rumor mills were bugging you, you were focused on intel about mass deployment. Today’s announcement of the iPad was a huge tell about much of what administrators will need to know, but obviously not all – only time will tell with some things.

Little can be easier than deploying a MacBook (or a thousand) if you have the right tools at your disposal. Not so with an iPhone. It comes down to that pesky configuration utility and docking the thing to get the xml file onto it (or visiting a site from a browser). As we’ve seen, for 1 or 2 devices the deployment is a dream. For 1,000 to 2,000 maybe notsomuch. And given that they are priced so much less than a laptop and can do much of what a school might need to do then I would anticipate a number of educational purposes and therefore mass deployments.

But no

iPhone

iPhone Life Article

An excerpt-turned-article of mine just appeared in iPhone Life Magazine. It’s called The Inevitability of the iPhone in the Enterprise:

http://www.iphonelife.com/issues/2011March-April/InevitabilityIPhoneEnterprise

Hope you enjoy!

Articles and Books

Law Firms and iPads

Josh Barrett, of tabletlegal.com, posted a mini-review of my latest book, the Enterprise iPhone and iPad Administrator’s Guide. It’s an interesting look at iPads making their way into law firms despite the often reluctant IT admins who have to support them. Big thanks to Josh for a favorable review!

Mac OS X Mac OS X Server Mac Security Mass Deployment

The Mac OS X App Store & Managed Environments

The Mac OS X App Store was released earlier this month as a part of the Mac OS X 10.6.6 update. The App Store, with over 1,000 applications (including a couple of server tools), allows people to download and install applications on Mac OS X computers without needing to understand how to click through the screens of a standard package installer, drag applications from disk images into the /Applications folder or basically how to do practically anything except for click and provide a valid credit card number. As with the App Store that debuted with the iPhone, the App Store for Mac OS X is clearly aimed at residential customers, but being that these computers are used in enterprises around the world, the impact to managed environments cannot be discounted. I decided to do plenty of testing and reading before I wrote this up, so hopefully you’ll find it helpful, if not very timely.

The first and probably most important aspect of the App Store to most who are charged with managing large numbers of Mac OS X computers is that only administrative users can install software from the App Store. This little fact makes the App Store itself a non-issue for most enterprises, who do not make typical users administrative users. Because only administrative accounts can download and install applications, there is little risk created from leaving the App Store on client computers.

Applications installed from the App Store can only be deployed into the /Applications directory. These applications are owned by System, with read-only access given to the wheel group and everyone else. No ACLs are used, so while a single user purchases the software any user on the system can open it. If you copy the software to another computer then you will be prompted to authorize it using the same Apple ID that was used to purchase it.

When an administrative user purchases an application, they are not prompted for a system password, only an App Store password, which uses the same Apple ID used for the iTunes Store and the iOS App Store. Application updates are handled using the familiar Updates screen borrowed from the iOS App Store, which includes the nifty Update All option.

As far as controlling the user’s experience with the App Store, there are a few options. Administrators can remove the App Store application bundle (which can be replaced any time) from /Applications. Administrators can also blacklist the application using managed preferences/parental controls. A Dock item is added by default and can be removed as well. Removing both the Dock item and the Application bundle will then remove the App Store menu item from the Apple menu. You can also block the hosts at apple.com, which includes itunes.apple.com, ax.itunes.apple.com, ax.init.itunes.apple.com, albert.apple.com, metrics.sky.com and possibly gs.apple.com. These will communicate over ports 80 and 443, according to the operation being used. There is also a launch daemon at /System/Library/LaunchAgents/com.apple.storeagent.plist that should be unloaded and likely removed if you’re going to outright disable the App Store. However, the only real way I would personally disable it is by using a managed preference.

There is also a property list file for the App Store that can be used to manage the application in Workgroup Manager in ~/Library/Preferences/com.apple.storeagent.plist. However, there isn’t much that can be done here at this time.

Because applications are tied to users, when a user moves computers you will want to backup and restore the applications for the user. To do so, here’s the captain obvious article for ya’: http://support.apple.com/kb/HT4482.

The App Store is not a replacement for a good patch management system. Software distribution cannot be managed centrally using the App Store and Software Update Server in Mac OS X Server does not currently cache applications from the App Store. Trying to think of a way to shoehorn the App Store into a software distribution system such as JAMF’s Casper Suite, Absolute Manage or FileWave is just asking for a world of pain, so let’s pretend that we never brought it up. If your organization isn’t able to license one of the aforementioned products, check out Star Deploy from http://www.stardeploy.com/StarDeploy/Home.html or munki from http://code.google.com/p/munki. Finally, I think that Apple’s done a great job with the App Store for a version 1 release. I think that my wife loves it and that over time if Apple chooses to do more with it then great; otherwise, all of the options we’ve been using, from the installer command on, are still at our disposal.

VMware

Registering VMs w/ VMware ESX & ESXi

Registering a virtual machine using VMware’s ESX and ESXi is a pretty straightforward process. You will use vmware-cmd and vmware-cmd.pl respectively. On ESX, simply issue vmware-cmd followed by the path to your vmx file and then the register verb. For example, if the path to the vmx were /VMs/XP/xp.vmx then you would use the following command to register that virtual machine to ESX:

vmware-cmd /VMs/XP/xp.vmx register

ESXi (and vSphere) are just a bit more complex (what, bein’ perl and all). You will need to define the -H for the host, the -U for username and the -P for password as well. The path to the vmx and the register verb follow the operators.

Mac OS X Mass Deployment

Screen Sharing Through Absolute Manage

A while back I did a short article that looked at using the vnc:// handler to programmatically interface with the Screen Sharing application and a follow up article on invoking RDP via CoRD from the command line. Well, if you are an Absolute Manage user, you can also remotely control client computers through the admin without passing username and password information (trust stems from the agent and server relationship). This is a pretty neat feature.

Absolute Manage has registered the lanrevagent:// handler at installation time (Admin). The syntax for invoking lanrevagent is similar to a REST interface, except here you define the command, followed by what exactly to run that command against. The command to remotely control a host is remotecontrolagent. The easiest way to indicate an agent to be controlled is to define a computername that the agent can control, done by following the remotecontrolagent command with ?computername=<the actual computer name to be used>. When defining the computername you will need to replace any special characters with their URL encoded representation (i.e. a space becomes %20). This is actually very straightforward. To control a computer named Krypted MacBook, you would use the following URL from a browser:

lanrevadmin://remotecontrolagent?computername=Krypted%20MacBook

Or simply use the terminal command:

open "lanrevadmin://remotecontrolagent?computername=Krypted%20MacBook"

Using the open command allows for variable substitution, which makes this yet another addition to the possibilities surrounding automating administration tasks through help desk software without having to expose passwords to intermediate administrators. Provided that host names are in synchronization between servers, you then have the ability to invoke commands against Absolute Manage using other products as part of your management lifecycle or some form of middleware.
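When the computer name comes from a variable (for example, a field handed over by help desk software), it should be percent-encoded before it is placed in the URL, so that characters such as & or # cannot change the query. The following is an added example, not code from the original article or from Absolute Manage; the function names are hypothetical, and the lanrevadmin://remotecontrolagent?computername= form is taken from the commands above.

```shell
#!/bin/sh
# Added example: build the remote-control URL from an untrusted computer name.

# urlencode STRING
# Percent-encodes every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - . _ ~). The value is passed through the environment so
# awk does not interpret backslashes in it.
urlencode() {
    URLENC_IN=$1 LC_ALL=C awk 'BEGIN {
        for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
        s = ENVIRON["URLENC_IN"]
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            out = out ((c ~ /^[A-Za-z0-9._~-]$/) ? c : sprintf("%%%02X", ord[c]))
        }
        print out
    }'
}

# remote_control_url NAME
# Prints the URL for NAME, or returns 1 for an empty name or one that
# contains control characters (tab, newline and so on).
remote_control_url() {
    name=$1
    if [ -z "$name" ]; then
        echo "computer name is empty" >&2
        return 1
    fi
    stripped=$(printf '%s' "$name" | LC_ALL=C tr -d '[:cntrl:]')
    if [ "$stripped" != "$name" ]; then
        echo "computer name contains control characters" >&2
        return 1
    fi
    printf 'lanrevadmin://remotecontrolagent?computername=%s\n' "$(urlencode "$name")"
}

# open_remote_control NAME
# Hands the URL to the macOS open command; quoted so the shell does not
# treat the ? as a glob character.
open_remote_control() {
    url=$(remote_control_url "$1") || return 1
    open "$url"
}

# Stand-alone run using the computer name from the article.
remote_control_url 'Krypted MacBook'
```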