I need a firewall cluster for $DAYJOB. I could grab any BSD, throw it on commodity hardware, and make it work. I’ve done that. Repeatedly. I could plug OpenVPN into Radius. I could set up CARP and rsync-based config replication. But I decided to try pfSense instead. Here’s why, and what happened…
I started writing books on computers in the 1980s. I used a Commodore plus/4, a Macintosh Classic, a mid-90s Mac laptop, and assorted UNIX boxes. This assortment of platforms has taught me something important: as an author, I don’t want my writing tied to any single software vendor. My documents should be in a format that I can easily access on any operating system or platform. This excludes proprietary solutions, such as the Commodore plus/4’s text editor, MacWrite, or Microsoft Word.
OpenOffice interested me right away. I could write and mark up documents, and they would be stored in XML. Even if OOo died tomorrow, I could find a Perl script to extract my text. Oracle buying Sun, and getting OOo with it, is enough to make the paranoid angels who live in the back of my head start their chorus. Oracle cannot take away the software that’s freely available today, but Oracle has absolutely mastered the proprietary software business model. Oracle is excellent at extracting every possible dollar from every available asset. And Oracle is smarter than I am.
That’s why the new Document Foundation LibreOffice interests me. It’s a proactive move to block Oracle from dominating the free office suite space. (I’d like to commend the Document Foundation on not waiting for Oracle to toss them overboard.) And the Document Foundation is sponsored by several companies who have publicly committed to, and are even built upon, an open-source ecosystem. I downloaded and installed LibreOffice on my laptop.
LibreOffice is supposedly the latest OpenOffice, plus fixes for many long-standing bugs that outside developers couldn’t get into the main OpenOffice code. They’ve replaced the Oracle logos in the latest OOo update, and the window decorations are slightly different. The LibreOffice beta looks and feels just like OOo. OOo crashed on me every few weeks, and I haven’t run LibreOffice long enough to reproduce such a crash, but on the whole it seems perfectly fine.
My one complaint is that LibreOffice didn’t import my OOo dictionary. I write many documents with specialized vocabulary, and I spent a great deal of time getting everything into my OOo spellcheck dictionary. LibreOffice means that I have to start over. In the grand scheme, however, this is a minor annoyance compared to the threat that Oracle poses to my writing.
The Document Foundation has stressed that they are not offering an OOo fork. Oracle is welcome to join with them, or otherwise demonstrate their good intentions. I feel confident in predicting that in 2012, however, LibreOffice will be a better choice than OOo.
OpenNebula users know that NFS is just too slow for virtual machine disk images. Fibre Channel works, but is too expensive for me. Rather than deal with disk image speed issues, I’m using NFS on ZFS for file storage and booting my systems diskless. Diskless servers have a lot of advantages, but speed isn’t one of them. This is fine for most applications, but a few things (databases come to mind) perform better on a speedy disk. I want the ability to use diskless machines where appropriate, but use cheap networked disk when necessary. Ideally, I want iSCSI on top of ZFS. Short of ideal, I’ll take iSCSI any way I can get it. I want the virtualization server to attach to the iSCSI target, and then offer that target to the VM as if it was a local disk.
There’s an alpha one-iSCSI-target-per-VM transfer manager driver. It’s intended for a Linux iSCSI server, which I don’t have and don’t intend to run. Instead, I have a stack of cheap NAS appliances. Here’s how I got one target per VM running in my OpenNebula instance.
I’ve been asked to do an interview on AT&T’s Tech Channel. I’m no Steven Bellovin, but what the heck. It’ll be recorded in NYC on 11 November 2010, the day before NYCBSDCon starts. No idea when it’ll actually be available.
The TechChannel shows are available online. It seems that they’re also used as content snippets in real TV shows. One day, if I’m lucky, my head will appear on a TV near you, with a text label beneath it and my words taken completely out of context. Probably in a faux-reality TV show about ghost hunting or something. Ah, fame at last…
I use KVM and OpenNebula on Ubuntu for virtualization. Getting such a cluster up and running is easy, but making it perform well takes much more work. Many times, the statement “my virtualization cluster works well” is equivalent to “I’m not paying attention.” My FreeBSD hosts help point out problems, though. All of my FreeBSD servers send me a daily email to tell me they’re still alive and to point out potential issues. That’s how I found out I was getting network collisions on my virtualized hosts, and here’s how I investigated them.
For those who wonder why I don’t publish more fiction: I have this weird idea that I should get paid for my work. The amount doesn’t matter a great deal — this story made enough for a couple of hot fudge sundaes. The Internet has made “getting published” almost meaningless, but: if a piece of writing isn’t good enough that someone will buy it, I don’t want it out there with my name on it.
I’d much rather have less work available of higher quality than publish reams of sewage.
Post summary: Get Wireshark. Use it. It might not solve your problem, but it will tell you who to blame.
Yesterday’s biannual royalty statement contained an unexpected surprise: it included ebook royalties for Absolute BSD (published in 2002) and the first edition of Cisco Routers for the Desperate (published in 2004). Both are out of print, and have newer editions. While the royalties for these books played out over several years, I certainly never expected to see any new sales of either of these books.
It turns out that both of these are available through ebook licensing services, such as ebooks.com.
This leaves me with mixed feelings. There’s no real cost to having ebooks available. For all I know, someone has a serious, legitimate need for high-quality documentation on FreeBSD 4. Reliable documentation from that era is hard to find, and you have to dig to find answers. I don’t want to forbid people from buying it.
But I suspect that most people who buy these older ebooks made a mistake. They really wanted the newer editions.
In my mind, the obvious thing to do is to have the licensing service put up a warning along the lines of “This ebook is obsolete. You probably want this other book.” That’s what my publisher’s online bookstore does. But licensing services are independent companies. I can’t dictate to them.
I could tell my publisher to rescind all rights to sell these older books, and force ebooks.com to remove them from their catalog, and to heck with people who need documentation for older kit.
What do you think?
I’m leaving my getting hit in the head lesson when the boss calls. Some unmentionable orifice is firing DoS attacks at a couple of our SIP servers. My mission, should I choose to accept it, is to find and block the attackers. (Should I choose to not accept it, then my mission will be to listen to Fearless Leader whine about it. I can’t stand whining.) Fortunately, I have flow data for one of the servers under attack.
Mr. Bejtlich is bad for my humility. Apparently I have to stop asking him to tech review books, so that he can write actual reviews rather than just announce to all his readers that I’m utterly awesome.
This is the sort of commentary that I keep on hand for when my morale is low.