Snow

This week I had the "Red Hat Enterprise Directory Services and Authentication" course and exam in Amsterdam.

In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA... all very cool... but today I had the exam (due to the RedHat NDA I am not allowed to say anything about the exam, so I won't do it)... but a few hours after the exam I received my results... and I passed the exam

For a project I am working on migrating UNIX applications to Linux. Most of the scripting work supposed to be done in India, and that is where the issues came in. First you have a developer who knows how to work with M$ Technet and never worked with PERL before (at least 80% of the scripts is written in PERL).

First of all I introduced the user Net::LDAP within PERL, because they first did a ldapsearch, put the output into a ASCII file... and with a PERL script they structured the data... and loaded it into a Oracle database... so that was the first improvement.

Next there were several issues, like not good reading or understanding LDAP/PERL at all...

But at a certain moment, they start complaining about the fact that one of the scripts was slow... on the old system the script had a run time of 4 hours... and now it is up to 28 hours(!!!) So they requested me to investigate this.

First I found a 'main' kornshell script doing the next thing:

---

for VAR in a b d e f g i j k m n o p q r s t u v w x y z
do
   for NAME in "'" a b c d e f g h i j k l m n o p q r s t u v w x y z
   do
     ldap_script.pl $NAME $VAR
   done
done

---

The content of the ldap_script.pl was something like:

---

#!/usr/bin/perl
use Net::LDAP;
$ldap = Net::LDAP->new($LDAP_SERVER);
$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die "Cannot connect";
$LDAP_FILTER="(&(sn=$ARGV[0]*)(OfficeName=$ARGV[1]*))";
$mesg = $ldap->search(base=>$LDAP_BASE,
                      filter=>$LDAP_FILTER,
                     ) or die "Cannot connect";
push(@ENTRIES,$mesg->entries);
$ldap->unbind;

---

I thought that this costs a lot... loading PERL script, connecting to server, binding to it... et cetera... And this was done in the original script > 2000 times

So... I removed the loop out of the mainscript... and implemented it into the PERL-script, like this:

---

#!/usr/bin/perl

use Net::LDAP;

$ldap = Net::LDAP->new($LDAP_SERVER);
@LOOP=("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o",
       "p","q","r","s","t","u","v","w","x","y","z", "'");


$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die "Cannot connect";

foreach $LOOP1 (@LOOP)
{
  foreach $LOOP2 (@LOOP)
  {
     $LDAP_FILTER="(&(sn=$LOOP1*)(OfficeName=$LOOP2*))";
     $mesg = $ldap->search(base=>$LDAP_BASE,
                           filter=>$LDAP_FILTER,
                          ) or die "Cannot connect";
     push(@ENTRIES,$mesg->entries);
  }
}

$ldap->unbind;

---

And this runs within 3 hours!!! And it is flying!

There can be done more performance tuning... but that will be another project!

NOTE: Some of the software is very experimental!!! I had some issues that my .ics was totally removed when I added a new 'task' via lightning, please make a backup of your ics file!

Some while ago I wrote a small article about WebDAV and Calendar files. Until so far no results on reading the files into my Nokia , but... I found an extension for thunderbird to handle meeting-requests from Outlook clients

You can find information on the project website of 'lightning'. To configure your webdav, you need to click on the calendar button

Click in the left pane with the right button en select 'New Calendar', now you can use the wizard to select your calendar.

And now let the invitations come...

Yesterday evening I completed for 50% an entry from my wish-list regarding my servers. On the backup-MTA I now have TLS and authenication enabled on Sendmail

I wanted to have this enabled, because from my laptop I often setup an SSH-tunnel, but on other devices it wasn't really possible

After some Google-ing I found this page which was really helpfull in setting the stuff up on sendmail. The next step is to use TLS between the MTA's I own and TLS between other parties who provide TLS on their MTA.

As I wrote before, I did pass RHCE, RHCT and LPIC1. After a few weeks of study I also passed LPIC2 and ITIL

The results for ITIL:

---

Passing score: 65
Your score...: 67
Grade........: PASSED

Section Title                          Score
-------------------------------------- -----
General                                 66
Service Desk                            66
Incident Management                     25
Problem Management                      80
Change Management                       80
Configuration Management                75
Release Management                     100
Service Level Management                66
Availability Management                  0
Capacity Management                     50
IT Service Continuity Management       100
Financial Management for IT Services   100
Other ITIL Topics                      100
Relationships                           50

---

During the exam I start mixing up 'Availability management' and 'IT Service Continuity Management', which resulted into a score of 0 for Availability management

But I also passed LPIC 201 en LPIC 202.

LPIC 201 results:

---

Required score: 500
Your score....: 750
Status........: PASS

Section                              Percent Correct
------------------------------------ ---------------
Linux Kernel                               90%
System startup                             87%
Filesystem                                100%
Hardware                                   75%
File and Service Sharing                   87%
System Maintenance                         83%
System Customization & Automation          66%
Troubleshooting                            50%

---

LPIC 202 results:

---

Required score: 500
Your score....: 740
Status........: PASS

Section                              Percent Correct

------------------------------------ ---------------
Networking configuration                 85%
Mail & News                              92%
DNS                                      80%
Web Services                            100%
Network Client Management                66%
System Security                          80%
Network Troubleshooting                 100%

---

I have a Nokia N80ie, and use it the fetch my e-mail on it. On my server I use a self-signed certificate, which is not known by the Nokia, so everytime I have to permit access

So the first step is to fetch public certificate with openssl:

$ openssl s_client -showcerts -connect ssl-host:443

CONNECTED(00000003)
depth=0 /C=NL/ST=Zuid-Holland/L=Alblasserdam/O=FiWeb Communications/OU=NOC/CN=morpheus.adslweb.net/emailAddress=dev-null@adslweb.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=NL/ST=Zuid-Holland/L=Alblasserdam/O=FiWeb Communications/OU=NOC/CN=morpheus.adslweb.net/emailAddress=dev-null@adslweb.net
verify return:1
---
Certificate chain
0 s:/C=NL/ST=Zuid-Holland/L=Alblasserdam/O=FiWeb Communications/OU=NOC/CN=morpheus.adslweb.net/emailAddress=abuse@adslweb.net
i:/C=NL/ST=Zuid-Holland/L=Alblasserdam/O=FiWeb Communications/OU=NOC/CN=morpheus.adslweb.net/emailAddress=abuse@adslweb.net
-----BEGIN CERTIFICATE-----
MIIE6zCCA9OgAwIBAgIJAI4bJ/U0bPeqMA0GCSqGSIb3DQEBBAUAMIGpMQswCQYD
VQQGEwJOTDEVMBMGA1UECBMMWnVpZC1Ib2xsYW5kMRUwEwYDVQQHEwxBbGJsYXN
[...snip...]

Next step is to copy out the parts between:

-----BEGIN CERTIFICATE-----

end the

-----END CERTIFICATE-----

blocks (including the header and footer), so you have an ascii-file like this:

Now we have to convert the file into a x509 crt file (the filename of the certificate above is example.pem):

$ openssl x509 -in example.pem -inform PEM -out example.crt -outform DER

Now you have a crt file, you can now use bluetooth to transfer it to your Nokia. Your Nokia will ask you if you want to install the certificate, because it might be not valid.. but you just can continue on installing the certificate.

Every sysop might recognize this... I changed a config file some while ago... but what did I change and what is the history of that file. Besides of the changes, I want to have them in a backup

So I decided to setup a config-file repository, where the servers can commit automaticly their changes using SVN over SSH. I use SSH to have no password prompts but certificates. Only the user svn-backup can commit files to the repository. On both server I only checked out the repository-part concerning them.

[root@tank] svn co \
svn+ssh://svn-backup@svnserver.example.com/repos/config-files/tank \
/usr/data/svn-config

And in the crontab for the user root, we have the next entry:

45 * * * */usr/local/backup/svn-backup.sh

And in the svn-backup script we have the next lines:

---

#!/bin/bash
#
# Subversion script to backup configfiles
#
# Written by Pieter de Rijk <pieter -at- de-rijk.com>

SVN_BACKUP_PATH="/usr/local/svn-backup"

cp -R /usr/local/etc/ $SVN_BACKUP_PATH/usr/local/etc/ > /dev/null 2> /dev/null
cp -R /etc/ $SVN_BACKUP_PATH/etc/ > /dev/null 2> /dev/null
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/errors
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.jpg
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.gif
cd $SVN_BACKUP_PATH \
/usr/local/bin/svn up > /dev/null 2> /dev/null
for files in "`/usr/local/bin/svn status $SVN_BACKUP_PATH | grep ^\?`";
do
   ADD_FILE=`echo $files | awk '{ print $2 }'`
   if [ ! -z $ADD_FILE ];
   then
     /usr/local/bin/svn add $ADD_FILE
   fi
done
/usr/local/bin/svn commit -m "[`hostname -s`] Config changes `date`"

---

And when something change I receive a message

Only users in the wheel group can checkout the repositories, but are not allowed to commit

As I wrote before some vendor promissed me a 16-core machine.... and indeed we received it. Now I have my 'toy' placed in the basement. Besides of some trouble putting a modified version of RHEL 4.5 on it, it works fine. At this moment I've installed RHEL 4.6 and it works fine.

But to test the 16-cores I decide to compile a brand new kernel:

[root@cool-system]$ mkdir -p /tmp/kernel-test; cd /tmp/kernel-test/
[root@cool-system]$ tar -xjvf ~/downloads/linux-2.6.24.tar.bz2
[root@cool-system]$ cd linux-2.6.24
[root@cool-system]$ make mrproper
[root@cool-system]$ cp /boot/config-2.6.9-67.ELlargesmp ./.config
[root@cool-system]$ echo y | make oldconfig
HOSTCC scripts/basic/fixdep
HOSTCC scripts/basic/docproc
HOSTCC scripts/kconfig/conf.o
[..snip..]
#
# configuration written to .config
#
[root@cool-system]$ time make -j 32 bzImage
scripts/kconfig/conf -s arch/x86/Kconfig
CHK include/linux/version.h
UPD include/linux/version.h
[..snip..]
Setup is 11352 bytes (padded to 11776 bytes).
System is 1835 kB
Kernel: arch/x86/boot/bzImage is ready (#1)

real 0m40.887s
user 5m15.688s
sys 2m1.029s
[root@cool-system]$ _

During the compile, all the 16-cores are working hard

For a project at work, I did some benchmark tests of the impact of SSH-tunnels on HTTP-traffic. And as we should suspect is true, on this test the traffic slows down with a factor 6. I did this, because some off-shore company out of India came up with some bad results from a benchmark, but they used SSH-tunnels.

So time for some testing... I did 6 types of tests using ApacheBench:

1. 10.000 requests with 200 concurrent connections without HTTP-keepalive via direct request to
   port 80 on the server
2. 10.000 requests with 200 concurrent connections with HTTP-keepalive via direct request to
   port 80 on the server
3. 10.000 requests with 200 concurrent connections without HTTP-keepalive via SSH-tunnel to
   port 80 on the server
4. 10.000 requests with 200 concurrent connections with HTTP-keepalive via SSH-tunnel to port
   80 on the server
5. 10.000 requests with 200 concurrent connections without HTTP-keepalive via SSH-tunnel with
   compression to port 80 on the server
6. 10.000 requests with 200 concurrent connections with HTTP-keepalive via SSH-tunnel with
   compression to port 80 on the server



For details check the report.




Phase Short Descr                         # Request/sec  Avg tim per request 
===== =================================== ============== ===================

   01 Direct                                     6323.94            0.158 ms
   02 Direct + Keepalive                         6319.27            0.158 ms
   03 SSH                                        1047.83            0.954 ms
   04 SSH + Keepalive                            1138.74            0.878 ms
   05 SSH + Compression                           824.09            1.213 ms
   06 SSH + Compression + Keepalive              1012.70            0.987 ms
===== =================================== ============== ===================

At work we received from a vendor, as they told us, a quad quad-core (16 cores total) to test our applications So we start installing it with RHEL4. And we only saw 8 cores... so we start mailing to the vendor with screenshots... and one of the screenshots was of the boot-session... it was telling us that we have 4 Intel dual-core Xeon MP packages.

But the vendor thought really that it was a quad quad-core, after he had contact with Intel, we found out it were indeed quad dual-cores The appologize and will sent next week the right CPUs So we will play with them

At my work, I needed to reinstall a server which is located in a datacenter in Amsterdam and I am located in Rijswijk. But the servers have a managament-interface (RSA 2 of IBM) and the capability to mount a local image to the server

So I tried... using Firefox but it didn't work at all.. It didn't detect the image

After about 1 day a collegue of mine suggested to use MS Internet Explorer... and guess what... It worked So I didn't had to go to Amsterdam

Today, I did the RHCE-exam again. The first time I didn't pass the RHCE-part, so I became RHCT. Since today I am also RHCE

My end results:

---

SECTION I:    TROUBLESHOOTING AND SYSTEM MAINTENANCE
RHCE requirements:  completion of compulsory items (50 points)
                    overall section score of 80 or higher
RHCT requirements:  completion of compulsory items (50 points)

Compulsory Section I score:                        50.0
Non-compulsory Section I score:                    50.0
Overall Section I score:                           100

SECTION II:  INSTALLATION AND CONFIGURATION
RHCE requirements: score of 70 or higher on RHCT components (100 points)
                   score of 70 or higher on RHCE components (100 points)

RHCT requirement:  score of 70 or higher on RHCT components (100 points)

RHCT components score:                             100.0
RHCE components score:                             100.0

RHCE Certification:                                PASS

---

Today I received an e-mail that I passed the LPIC101 and LPIC102 exams.

The results of LPIC101:

---

Your Score: 660
Required Passing Score: 500
Status: Pass

Test Section Information
Percent Correct Section

 50%            Hardware  Architecture
100%            Linux Installation & Package Management
 89%            GNU & Unix Commands
 68%            Devices, Linux Filesystems, Filesystem Hierarchy Standard
 71%            The X Window System

---

The results of LPIC102:
Your Score: 680
Required Passing Score: 500
Status: Pass

Test Section Information
Percent Correct Section

100%            Kernel
 75%            Boot, Initialization, Shutdown and Runlevels
 50%            Printing
 60%            Documentation
 60%            Shells, Scripting, Programming and Compiling
100%            Administrative Tasks
 87%            Networking Fundamentals
 91%            Networking Services
100%            Security
So I am now LPIC-1 certified!

On the 1st of November I will do the LPIC-101 and LPIC-102 examsn during 'Linux World' in Utrecht. So currently I am reading/learning out of a very big book of O'Reilly.

I am very curious and I hope that I pass the test in one time But I will keep you informed

Previous week I had the RHCE Rapid Course... I passed the RHCT exam (100/100 points), but didn't pass the RHCE exam (needed 70 points... had 67.9).

So I requested to do the exam again asap... And I know what I did wrong, but I am not allowed to tell you anything about the exam

Within a few weeks I also gonna do the LPIC101 and LPIC102, still left are LPIC201, LPIC 202 and ITIL. After this, I will be on (still this year) level-4 of the Snow certification level.