blog'o thnet

To content | To menu | To search

General

Entries feed - Comments feed

Sunday 23 December 2007

Tuning Is Evil

By Julien Gabel on Sunday 23 December 2007, 21:48

Each month, I hear many coworkers or specific application management teams asking about putting some system tunings in place, even on very recent operating system releases. All the time. Most of these settings comes from the Internet, are found in forum posts, or articles related to a subsystem, or in technical publications. And some of them comes from third party software providers, or editors. A very, very few settings are proposed or recommended by system administrators, or by knowledgeable people in tuning area.

The problem is that, most of the time, these tunings are related to another release of the operating system, are not updated to keep current with the Best Of Practices for a given OS release, or simply are not well understood and not applicable without affecting (badly) current running environments. More, already present tunings are reported as-is on upgraded and fresh installed systems without more thinking, or without be assured these are always applicable (or obsolete) and what are the new defaults (if not dynamic). One of the most representative example today of this is the new System V IPC facilities found from the GA Solaris 10, and later, operating system, where some Oracle DBAs always ask SA team for shared memory settings as found on Solaris 8 systems.

Although extract from the Solaris Internals and Performance FAQ for ZFS, here is a great excerpt we all must read carefully and try to keep in mind when modifying default behavior of a system:

Tuning is evil and should not be done...in general.

First, consider that the default values are set by the people who know most things about the effects of the tuning. If a better value exists, it would be the default. While alternative values might help a given workload, it could quite possibly degrade some other aspects of performance. Maybe, catastrophically so.

Over time, tuning recommendations might become stale at best or might lead to performance degradations. Customers are leery of changing a tuning that is in place and the net effect is a worse product than what it could be. Moreover, tuning enabled on a given system might spread to other systems, where it might not be warranted at all.

no comment

Monday 3 September 2007

Why Set a Local authorized_keys File in a NFS Shared Environment

By Julien Gabel on Monday 3 September 2007, 20:42

Why set the authorized_keys file to a local pathname on large UNIX environments, especially when NFS shares are used for home directories? Because this can address security problems.

First, you must remember that this special SSH file stores the public key of a remote account, letting the owner to be able to log-in using asymmetric keys along with the corresponding passphrase instead of the more classical challenge with appropriate password mechanism. (This eventually enable for non-interactive login through the use of an SSH agent, latter.)

The default path for the authorized_keys file is in a subdirectory of the home directory. This means that when the home of a UNIX account is hosted on a NFS share, all servers available in the same domain as the NFS resource will have access to the very same authorized_keys file, thus opening a security flaw. This is a security concern since by allowing one account on one server, you open this account to all servers in the same domain.

So, the first benefit to store the authorized_keys file in a local name space on each server is to authorize one--and only one--access to a given machine. The direct drawback is that there will be as many authorized_keys file as the number of servers in a domain (if a SSH access is needed on all servers). A side effect is that the path, mode and owner of the directory which will host the authorized_keys file may be better managed and hardened than before (even if SSH already check those things for sane defaults). It is particularly of interest when managing thousands of servers in heterogeneous UNIX environment, when Solaris, AIX, Linux and HP-UX doesn't have the same ownership same system paths (such as /var, for example).

one comment

Saturday 12 May 2007

Do You Ever See Kids Wearing Toy Pagers Playing Sysadmin?

By Julien Gabel on Saturday 12 May 2007, 18:33

Well, this little question was in fact extracted from a recent blog entry by Paul Boutin (which defines itself as former systems administrator), and was the starting point for one of most interesting explanation from Ben Rockwood (still him :)), entitled Systems Administration as a Career: A Response. But if I personally find its words so interesting to me it is just because... they can be mine!

Basically, I can have say the same thing. In the past, I was not really good at school. Just enough to be able to go further. I got a personal computer relatively late at home. And I found really, really late that I was particularly interested by Systems. In fact, it was late at High School when I discovered both UNIX, and the feeling I clearly want to be a System Administrator. When other students get development projects, I asked for sysadmin oriented tasks, even if that was not planned in the school's program. And I got one (building a NIS environment based on Solaris servers deserving heterogeneous clients for the upcoming centralized UNIX infrastructure at school--using Solaris, HP-UX, and RedHat Linux).

Since then, I am a really passionate SA, and OSS believer. Today, I have more than six year playing this role, sometimes differently depending on customers needs and always evolving technologies. I can honestly say that I have permanently something new to learn, to try, to manage, or to build. More, I found myself to be in a great place to work with a lots of very nice--and sometimes totally nuts--guys, coming from very different backgrounds such as database and network engineers, managers, end-users, and pretty nice internet IT-communities. So no, really, I didn't want to change my role anytime soon.

Last, if you are a staff manager for a system administrator right now, and think that its career evolution will obligatory go through project or team management, I urge you to read (or think more closely about) Ben's points one more time. Really. You will see that there are a lot of things which can be done in this area, as defined by benr.

no comment

Tuesday 8 May 2007

Best Practices in Installation Locations and Filesystem Hierarchies

By Julien Gabel on Tuesday 8 May 2007, 14:03

As it is repeatedly discussed at work these days, I think it may worth mentioning there exists official locations to install bundled and unbundled packages, and well defined paths with a recommended purpose for most major players in UNIX and UNIX-like platforms such as Solaris, GNU/Linux and FreeBSD for example.

For Solaris (and OpenSolaris derived distributions), you can consult the Recommended Installation Locations for Solaris-compatible Software Components document from the Architecture Process and Tools community, along with the filesystem(5) manual page online, or on an installed system.

For a GNU/Linux environment, you can read both the Linux Standard Base and the Filesystem Hierarchy Standard recommendations.

Although the BSD are not so well-known as GNU/Linux, there are some very good and alive projects. More, the documentation available for each distributions are well written, and frequently updated. For these systems, and most notably FreeBSD and HP-UX systems, you can read the hier(7) manual page online, or on a live system.

As a side note, it is interesting to note that Ian Murdock (founder of the famous Debian GNU/Linux distribution, and just joining Sun to head up operating system platform strategy) is also the chair of the Linux Standard Base—while Sun is a member of the Linux Foundation (which host the LSB project). Maybe can we expect more standardization between these two major players in the future?

no comment

Tuesday 20 February 2007

Bad Online Reports on Windows Vista

By Julien Gabel on Tuesday 20 February 2007, 19:47

Generally speaking, i am not really a big supporter of the Windows operating system. And most of the time, i wait to see and try something to get an opinion on it. But after seeing these three reports against recent Microsoft products (two on Windows Vista, one about Office 2007), i will certainly wait a little before even trying them, at least until the already planned (scheduled?) Service Pack 1 will be out (at least for Windows Vista).

I will not say much about it right now. Go reading the reports to get an idea of what frightened me in the first place, if you care:

no comment

Wednesday 10 January 2007

What is about... Virtualization

By Julien Gabel on Wednesday 10 January 2007, 22:38

As we hear more and more things about server or data center virtualization nowadays, i found those those two articles to be very clear and interesting in explaining what is really involve behind this general term (virtualization).

The first one came from the developerWorks, whereas the second one is hosted on InformationWeek. Worth reading, really.

no comment

Thursday 4 January 2007

Learning Curves for Common Editors

By Julien Gabel on Thursday 4 January 2007, 22:45

Well, not a so very fresh nor a very interesting news, but i found this one funny. So, here it is:

Classical learning curves for some common editors

[Click on the picture to enlarge it.]

That's all... sorry.

no comment

Tuesday 16 May 2006

Zouk Web Sites

By Julien Gabel on Tuesday 16 May 2006, 19:30

Since a friend of mine told me recently to give him my very favorite links about zouk music on the Net, here it is. In fact, i currently post this one listening a web radio station using RealPlayer plugin running on top of OpenSolaris on my personal Sun Ultra 20 Workstation ;)

  1. ZoukStation.com [fr]
  2. Zouker.com [fr]
  3. ZoukOnWeb [fr]
  4. Sol2Zouk [fr]

Don't hesitate to email me if you have some good web sites too; i promise you to update this entry, if any!

one comment

Tuesday 28 March 2006

The alt.sysadmin.recovery Man Page Collection

By Julien Gabel on Tuesday 28 March 2006, 20:00

When bitching on alt.sysadmin.recovery, some of the contributors have authored the man pages they really wish were included in Unix (with their associated commands). They (sysadmins) truly are a twisted lot, and these contributions help to prove the point. The ASR man page collection is a comprehensive reference to many of the things sysadmins have to deal with in the profession... as i do! ;-)

Please find the source distribution, troff formatted pages, below:

Section 1 - User Commands

Section 2 - System Calls

Section 3 - C Library Functions

Section 5 - File Formats

Section 8 - Maintenance Commands

The online browsable version is also accessible.

The whole lot can be obtained as the ASR distribution archive set.

no comment

Sunday 30 October 2005

Changing user account informations stored in LDAP

By Julien Gabel on Sunday 30 October 2005, 20:50

This little real-life example will be based on changing the user's login shell for a given account.

  • grills represents the LDAP server (master)

Verify that the user exists in the directory server:

# ldaplist passwd jpeg
dn: uid=jpeg,ou=people,dc=thilelli,dc=net

Get detailed parameters for this account:

# ldaplist -l passwd jpeg
dn: uid=jpeg,ou=people,dc=thilelli,dc=net
        cn: jpeg
        uidNumber: 1000
        gecos: Gabel, Julien
        homeDirectory: /u/jpeg
        gidNumber: 1000
        objectClass: posixAccount
        objectClass: shadowAccount
        objectClass: account
        objectClass: top
        uid: ut0tar
        userPassword: XXXXXXXX
        shadowLastChange: 6445
        shadowFlag: 0
        loginShell: /usr/local/bin/bash

Create the desired modifications using a ldif LDAP file:

# ldaplist -l passwd jpeg > ldapmodifiy.jpeg.ldif
/* Edit and save the ldif file. */
#
# cat ldapmodifiy.jpeg.ldif
dn: uid=jpeg,ou=people,dc=thilelli,dc=net
changetype: modify
replace: loginShell
loginShell: /usr/local/bin/ksh

Inject this modification(s) into the LDAP server:

# ldapmodify -h grills -D "cn=Directory Manager" -f ldapmodifiy.jpeg.ldif
Enter bind password: 
modifying entry uid=jpeg,ou=people,dc=thilelli,dc=net

Verify that the changes are done as expected:

# ldaplist -l passwd jpeg
dn: uid=jpeg,ou=people,dc=thilelli,dc=net
        cn: jpeg
        uidNumber: 1000
        gecos: Gabel, Julien
        homeDirectory: /u/jpeg
        gidNumber: 1000
        objectClass: posixAccount
        objectClass: shadowAccount
        objectClass: account
        objectClass: top
        uid: ut0tar
        userPassword: XXXXXXXX
        shadowLastChange: 6445
        shadowFlag: 0
        loginShell: /usr/local/bin/ksh

The example shown below use the ldaplist(1) and ldapmodify(1) commands line, which use and options may vary between OS versions and/or family. Be warned.

no comment

- page 1 of 2