Tag Archives: virtualization

BCvRP – Brocade Certified virtual Router Professional – Objectives

For training these I set up networks. Many.
Drawing the networks first in LibreOffice Draw and then setting them up with virtual machine templates and LAN segments.

The exam I took in October and because it was a beta exam the results aren’t out until December :)

The BCvRP has the below objectives (included for free are some of my comments on each topic).
None of this should be taken as a replacement for taking the actual course and actually doing these things on a vrouter.
And honestly, the various concepts and technologies described in the objectives below can become very complex. So before taking this course/exam you at a minimum want to know the basics of BGP and setting up an OSPF network should be a breeze.


OSPF Multi-Area Concepts

  • Describe OSPF routing concepts
  • Stub area – replace external routes with a default route
  • NSSA – not so stubby – can have a local external route inside a stub area
  • no-summary : exclude inter-area routes
  • LSA – link state advertisements
    • 1 All OSPFs: Lists subnets/links directly connected, does not cross area boundaries
    • 2 from DR: Lists routers connected to a network, does not cross
    • 3 from ABR: Lists networks from outside the local area
    • 4 from ASBR: Summary, lists location of ASBR
    • 5 from ASBR: AS external, list networks outside OSPF AS. 7 for NSSA.
  • Summarization: Good to have continuous addresses in an area, easier to summarize.
    • Do not summarize routes originating in Area 0.

BGP, EBGP and IBGP Concepts

  • Describe gateway protocol concepts
  • BGP Basics
    • Purpose is to determine best path (not necessarily the shortest)
    • TCP Connection, no periodic updates.
    • iBGP – within an AS / eBGP – between AS
    • Attributes – BGP policies – costs
    • eBGP – best to be on the same network
    • TCP port 179
    • A unique AS number is needed, there are private AS numbers.


set protocols bgp AS# router-id IP
set protocols bgp AS# neighbor ip-address remote-as as-number
set protocols bgp AS# network address/mask

exact match must be in the router’s table: create a static route to blackhole on the router

iBGP = same AS on the BGP peer (the neighbor)

iBGP – a full mesh is necessary. iBGP does not forward routes learned from other iBGP peers.
One can use “next-hop-self” so that iBGP router’s change the next-hop address to a network whenever it propagates the route.
update-source – this needs to be the same as the router-id.

iBGP required settings: local AS number, neighbor address and “update source”.

bgp does not reset advertised routes after an administrator’s changes.
Changes to eBGP does not come into affect until you run the reset:
reset ip bgp external out‘. The BGP table can be large – gigabytes.
Use the word soft to only request updates and not reset the peer connection.

reset ip bgp external [ipv4 address]


Tuning attributes and priority

  1. Local preference – only included within an AS. Default is 100. Higher is better.
  2. AS Path – always forwarded – shorter is better
  3. Origin – lowest
  4. Multi-exit discriminator # modified by an ISP to indicate preference
  5. eBGP preferred over iBGP
  6. Lowest Peer ID
  7. Community # group of prefixes with a common property. Can be used in filters.


Prepending: insert your AS number in the AS in the beginning of the AS path.
Communities are created with: set policy community list

BGP troubleshooting

An active peer – not good. Trying to actively set up a session.


iBGP design

  • Does not have to be physically connected (as in BGP).
    • Connectivity over BGP
  • Peer to loopback address
  • Full mesh is required
    • Doesn’t scale. You can use a Route reflector (“concentrator”) and have other iBGP routers as clients.
    • route reflectors must be meshed
    • You can also create multiple private AS within your AS. Reduces members in the mesh. Called a confederation.
      • Public AS number is only visible in the config
      • The Private numbers are visible in the show ip bgp commands.


Create a peer group, set BGP settings on the peer group. Then assign peers to the group.

Route Redistribution

  • Describe route redistribution design and configuration
  • Best practices:
    • Set metrics
    • Do not redistribute into or out of BGP
    • Use network statements
    • Statements to direct towards BGP exit points
    • Only redistribute a network from one host (VRRP)
  • OSPF: metric type (increase cost)
  • Only active routes are redistributed

IPsec VPNs

  • Identify IKE Phase 1 and Phase 2 operations
  • Describe how to configure and troubleshoot an IPsec VPN

OpenVPN Concepts

  • Identify the features of OpenVPN
  • Describe OpenVPN configuration

VRRP Concepts

  • Describe VRRP concepts and operations


  • Describe the attributes of WAN load balancing
  • Describe QoS features and configuration

Policy-Based Routing

  • Explain where policy-based routing falls in Brocade Vyatta packet flow
  • Configure and verify policy-based routing
  • Default: drop route entry . By default it only takes the first action that matches.
  • Rule -> Filter -> Route Map (excluding deny filters) > Take action as defined
  • Filter list: prefix, le 24. Any netmasks between /16 and 24, including /16.
  • Regexp for matching AS lists – use underscore to match whitespaces
  • Filter has the rules.
    • permit/deny in the filters affects if the rule is applied to the filter.
  • Route-maps has the rules.

Multicast Routing

  • Describe multicast protocols/elements
  • Configure and troubleshoot multicast routing

BCvRE – Brocade Certified virtual Router Engineer – Objectives

This post will be continuously updated with my short notes under each concept.
It’s not meant to be a replacement of the official training materials.
I’m just starting out playing with the vRouter Core / open source version and installing it in a VM and set up some networks and firewalls is probably one of the best way to learn this.
Learn by doing!

The Brocade Certified vRouter Engineer 2013 exam has these objectives:


Brocade Vyatta vRouter System Operations

  • Describe show command system usage
    • show – in operational mode shows status of components
    • show – in configurational mode shows the configurations
    • run show –  in configurational mode shows status of components
  • Identify key CLI operations
    • set/delete
    • copy (configs)
    • renew (new dhcp IP)
    • install (to disk)
  • Describe the commit and save processes

Ethernet Concepts

  • Identify Ethernet operations
  • Identify VLAN operations and settings
    • set interface ethernet eth0 vif <vlanid> # this creates eth0.<vlanid> a subinterface. This looks like a normal ethernet interface.
    • set interface pseudo-ethernet # these can be used if you want to set the MAC-address. Some features are not allowed for these peth devices though (VLAN, bonding).
  • Identify bonded interface operations
    • Two NICs on the same network
    • set interface bonding (IP address, mode)
    • set interface ethernet (bond-group)
  • Demonstrate knowledge of configuration and operation using show commands


  • Demonstrate knowledge of the relationship between Layer 2, IP and TCP/IP
  • Identify TCD and UDP differences
  • Identify address subnets

DHCP and DNS Troubleshooting

http://www.guldmyr.com/blog/?p=2022 I’m going through how to set it up.

  • Describe troubleshooting of DHCP operations
    • show dhcp server leases
    • show log dhcp
  • Describe troubleshooting of DNS forwarding
    • monitor dns forwarding # I could not get anything into the log)
    • show dns forwarding # shows cache size for example)


http://www.guldmyr.com/blog/?p=2022 went through how to set up static routes

  • Identify uses for routing
  • Identify show commands for use with routing
  • Identify configuration of different types of static routes


  • Describe firewall operations and troubleshooting using show commands
  • Describe firewall rulebase operations
    • set firewall name <name> default-action
    • set firewall name <name> rule 1 destination/source
    • set firewall name <name> rule 1 action <action>
    • set interface bonding bond0 firewall in/local/out name <name>
      • in – into the router (matching on destination IP)
      • out – out from the router  (matching on source IP)
      • local – to the router itself


  • Describe NAT concepts


  • Describe the Brocade Vyatta upgrade process
    • 1. Install 6.5R1 to disk.
    • 2. add system image URL
    • 3. reboot
    • It is also possible to copy the config elsewhere and reinstall

Logging and Packet Captures

  • Identify logging options for firewall and NAT operations
    • set firewall name <name> rule <num> log enable
    • commit; exit
    • monitor firewall .. # and see matches to the rule.
  • Identify methods to verify operations and troubleshooting

OSPF Single-Area

http://www.guldmyr.com/blog/?p=2022 set up an area 0 OSPF

  • Describe OSPF show command output
  • Describe how to configure OSPF

BCvRE – Brocade Certified virtual Router Engineer

Been checking out the Vyatta vRouter a bit closer. Mostly because of the BCvRE exam but I’m slowly starting to think there might be some benefits to using it elsewhere too.

  1. See vyatta-a-routervpnfirewall-in-a-vm-brocade-certified-vrouter-engineer/ for where to find manuals or training materials.
  2. See the objectives.

I tried installing Vyatta vRouter 6.6 amd64 Live ISO to disk first in a Virtualbox VDI file and then uploading said file to openstack. This works, but:

Ethernet interfaces might get renamed but a startup, log in and save, poweroff and another boot should get the first interface back to eth0.

In the openstack available to me I could set up my own networking topology like this:

  • Create one network (VLAN) and define several subnets inside (these are still kind of firewalled based on IP and MACs).
  • Then create machines and add the network.
  • Power off and start the machines again (or the links stay DOWN).

VMs should see an individual eth interface per subnet.
The machines still get an IP assigned to each interface/subnet even if DHCP is disabled. If DHCP is disabled you still have to statically assign only this assigned address on the interface.
The interfaces are in order: the IP listed at the top is the IP you need to put on the first interface (eth0).

Because a lot of the things you can do with a router involves creating networks and assigning IP addresses, which openstack would block for security reasons – it was much easier to do all of these in VMWare Workstation:


  1. Install a Vyatta VM – bridged and a private network (without a DHCP).
  2. Install another OS in a VM – this will be a client – only on the private network.
  3. Put both VMs in the same network.
  4. Configure dhcp on the Vyatta VM:
delete interfaces ethernet eth1 address dhcp 
set interfaces ethernet eth1 address

Configure dhcpd on the Vyatta VM:

set service dhcp-server
set service dhcp-server shared-network-name ETH1_POOL subnet ??? # pool, dns, router

Then, set up so that the Vyatta VM routes traffic from the private network to the Internets. A NAT. This is called a source NAT in the vyatta CLI.

set nat source rule 10 ??? # Put in the settings you need. Source, outbound interface and the IP they should be seen as from the outside.

Real easy to set up a DNS forwarding server too:

set service dns forwarding listen-on eth1 
set service dns forwarding name-server

Now we have a client behind the Vyatta gateway that can access the Internet!

It’s possible to set up different kinds of VPNs. For example site-to-site or remote access.

It is possible to ssh from the vyatta VM – you can even run ssh-keygen. How to add an authorized key you wonder?:

set system login user vyatta authentication ...


Another thing to test: launch a bunch of Vyatta VM and use them to route IP traffic, woop woop! The BCvRE objectives actually mention OSPF so this would be wise to test.

Starting with static routing

Key: Network Name (IP subnet, interface on the host)

  • VM hostname – Interface inside the VM: IP address


Public (, bridged):

  • Vyatta – eth0:

Network A (, vmnet2):

  • Vyatta – eth1:
  • V1 – eth0:
  • V2 – eth1:

Nework B ( , vmnet3):

  • V2 – eth2:
  • V3 – eth0:

Static routing:

Vyatta: set protocol static next-hop
V1: set protocol static next-hop
V3: set protocol static next-hop
V3: ping


Adding host V4 that is in Network B and Network C.
Basically Vyatta, V2 and V4 are routers.
V1 and V3 do not run OSPF, they have their default gateway to one of their local routers.
So V3 has and V1 has

Public (, bridged):

  • Vyatta – eth0:

Network A (, vmnet2):

  • Vyatta – eth1:
  • V1 – eth0:
  • V2 – eth1:

Network B: (, vmnet3)

  • V2 – eth2:
  • V3 – eth0:
  • V4 – eth0:

Network C: (, vmnet4)

  • V4 – eth1:

Remove all static routes we did previously on Vyatta and V[1-2,4]:

delete protocols static route
show proto

Set up OSPF – define the networks on each router that that router share with another router:

ALL: set loopback interface IP to something unique and with a /32
ALL: set protocols ospf redistribute connected
V4: set protocols ospf area 0
V2: set protocols ospf area 0
V2: set protocols ospf area 0
Vyatta: set protocols ospf area 0
V3: set system gateway
V1: set system gateway


V4: ping
V4: show ip ospf route


V2: monitor protocol ospf enable lsa
V4: reboot # and wait
V2: show log|less

Vyatta: a router/vpn/firewall in a VM

Brocade has a beta exam up for BCVRE – Certified vRouter Engineer – which is on the Vyatta software from the company with the same name that Brocade bought last year.

There is the free open source core. Download from here: http://vyatta.org/downloads (no you don’t have to register).  The evaluation/subscriber version has the API and web gui available, I’ll probably check those out closer to the exam date.

I grabbed VC6.6 – Virtualization ISO. Use it in a VM and assign 5GB disk (install only requires 1G, or you could just run it on the iso, but then it doesn’t keep state between reboots) and 1GB RAM. Two NICs: One NAT and one private. But to get more acquainted with it you’ll likely have to do a bit more configuration on the hypervisor side. Such as turn off dhcpd in your virtual networks.

To install it to disk: hit “install system” at the CLI after it’s booted.

More documentation: http://docs.vyatta.com/current/wwhelp/wwhimpl/js/html/wwhelp.htm – there are descriptions how to get for example ssh management working ( set service ssh ).

The server is basically Debian with a more recent kernel (6.6 has 3.3) and a shell to make it more switch-like. It actually uses the bash completion to make it look like this. Check out /etc/bash_completion.d/vyatta-*

To remove a setting use “delete” (comparable to no in other CLIs). There is a web interface, but this is only for subscribers. Core version allows SNMP though if you want to use that :)

What to do with vyatta? A bunch of tutorials are here: http://www.vyatta.org/documentation/tips-tricks

  • NAT
  • VPN (for example connect private cloud <-> Amazon VPN)
  • Firewall
  • Routing (OSPF, BGP, etc)

But no SDN stuff (separate data and the control plane). It looks like it’s not possible to modify the flow table of a switch via Vyatta. This looks like a software router/VPN/firewall with some extras added to it.

Red Hat Certification – RHCE – KVM via CLI

In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.

But how to install, configure and use it only from the CLI?


http://virt-manager.org/page/Main_Page has some details

As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).

None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use

yum groupinfo "Virtualization Client"

or correspondingly to get more information about the group.

yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"

This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.

lsmod|grep kvm
service libvirtd start
lsmod|grep kvm

This also sets up a bridge-interface (virbr0).

Now, how to install a machine or connect to the hypervisor?

How to get console?

ssh -XYC user@kvmserver

did not work.

On the client you could try to do:

yum groupinstall "Virtualization Client"
yum install libvirt

Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?

Noit is not, first: check if Virtualization is enabled on the server. Look in /var/log/messages for

kernel: kvm: disabled by bios

If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.

Then you can start virt-manager, check that you can connect to the KVMserver.

Copy a .iso to /var/lib/libvirt/images on the server.

Re-connect to the kvm-server in virt-manager.

Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.

Pointing the VM to kvm-server where a httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.

OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.

Moving on to virsh.

To install a vm you use ‘virt-install’.

You can get lots of info from ‘virsh’

virsh pool-list
virsh vol-list default
virsh list
virsh list-all
virsh dumpxml test > /tmp/test.xml
cp /tmp/test.xml /tmp/new.xml

Edit new.xml

change name to new and remove line with UUID

virt-xml-validate /tmp/new.xml
virsh help create
virsh create --file /tmp/new.xml
virsh list

This creates a new VM that uses the same disk and setup. But, if you shut down this new domain, it will disappear from virsh list –all and the list. To keep it you need to define it first:

virsh define --file /tmp/new.xml
virsh start new

This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.

Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ however.

virt-install --help
virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm

For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.

To make edit to a vm over ssh:

virsh edit NAMEOFVM

openstack testing day

Only one day late!

I actually started installing this on the 8th but I forgot to install it to hdd so the ‘yum update’ failed and broke the machine with I/O errors :)

Installing it in a VMWare Workstation (fedora 64-bit type, 2, cores, 4G RAM, 20G disk).


Basic Setup


http://fedoraproject.org/wiki/QA:Testcase_install_OpenStack_packages – No problem.


http://fedoraproject.org/wiki/QA:Testcase_setup_OpenStack_Nova –

Says that if you are doing this in a VM you need to “configure nova to use qemu without KVM and hardware virtualization:”. This is not true, as VMWare Workstation 8 has virtualization pass-through.

[root@localhost mart]# vgcreate nova-volumes $(sudo losetup --show -f /var/lib/nova/nova-volumes.img)
  No physical volume label read from /dev/loop0
  Writing physical volume data to disk "/dev/loop0"
  Physical volume "/dev/loop0" successfully created
  Volume group "nova-volumes" successfully created

Gives this error, which already is reported:

Verified connectivity to MySQL.
Creating 'nova' database.
Asking openstack-nova to sync the databse.
2012-03-09 07:28:26 WARNING nova.utils [-] /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/versions/075_convert_bw_usage_to_store_network_id.py:49: SADeprecationWarning: useexisting is deprecated.  Use extend_existing.

2012-03-09 07:28:28 WARNING nova.utils [-] /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/versions/081_drop_instance_id_bw_cache.py:40: SADeprecationWarning: useexisting is deprecated.  Use extend_existing.



[root@localhost nova]# ADMIN_PASSWORD=$OS_PASSWORD openstack-keystone-sample-data
The default service password has been detected.  Please consider
setting an actual password in environment variable SERVICE_PASSWORD

But after that it generates users.


No problems, should ‘glance index’ return anything at this stage?


No problems.

6 Add SSH keypair

No problems, just do exactly what the instructions say (don’t try to be smart and put them in .sh files for example :P).

7 Register Guest Images

At this point the wiki went down :/

[root@localhost ~]# glance add name=f16 is_public=true disk_format=qcow2 container_format=ovf copy_from=http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2
Failed to add image. Got error:
Unexpected response: 500
Note: Your image metadata may still be in the registry, but the image's status will likely be 'killed'.

Yes, this is where it fall short. Manpage for clance doesn’t even have the ‘copy_from’. Maybe it could be downloaded? ‘glance index’ doesn’t work either.


[root@localhost ~]# glance index
Failed to show index. Got error:
Internal Server error: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 210, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/glance/common/wsgi.py", line 279, in __
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1086, in get_re
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1055, in call_a
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
    valid = self._validate_claims(claims)
  File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
    return self._validate_claims(claims, False)
  File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
  File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
    return json.loads(data)["access"]["token"]["id"]
  File "/usr/lib64/python2.7/json/__init__.py", line 326, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

[root@localhost ~]# cd images/
[root@localhost images]# ls
aki-tty  ami-tty  ari-tty
[root@localhost images]# http://berrange.fedorapeople.org/images/2012-02-29/f16-                                                                                        x86_64-openstack-sda.qcow2^C
[root@localhost images]# glance add name=aki-tty is_public=true container_format                                                                                        =aki disk_format=aki < aki-tty/image
=================================================[100%] 7.79M/s, ETA  0h  0m  0s
=[  2%]                                                 1.25M/s, ETA  0h  0m  3s                                                                                        Failed to add image. Got error:
You are not authorized to complete this action.
Details: 401 Unauthorized

This server could not verify that you are authorized to access the document you                                                                                         requested. Either you supplied the wrong credentials (e.g., bad password), or yo                                                                                        ur browser does not understand how to supply the credentials required.

Note: Your image metadata may still be in the registry, but the image's status w                                                                                        =================================================[100%] 20.9M/s, ETA  0h  0m  0s
[root@localhost images]#


Install FreeBSD in VirtualBox

The Past

I used to run FreeBSD 5 and 6 about eight years ago on a Pentium III 900MHz machine with maybe 768MB RAM. It was very slow but after a lot of tinkering with the kernel I got it to boot and run very nicely.

Fluxbox was the window manager I used then together with Eterm and pico :)

The Install

Installing it $today in a VirtualBox 4.1.6 on an IBM T40 running RHEL 6 x64.

I used the ‘disc1’ .iso of FreeBSD 8.2. Give it enough of RAM and bridged networking is probably what you want. If you have it set to NAT and then want to change you can do that ‘online’ while the virtual machine is online. Might be good to run another dhcp discover after though. And also don’t forget to remove default route before that. (route del default).

Defaults are pretty OK I suppose on a VM. No need to mess around with the partitions or labels.

It’s all done in the console menus and you can go back and forth between the menus. You probably want to enter the ‘post-install’ section to set ip, password, chose to install sshd. Add a new user and add it to the group ‘wheel’. That way you can hit ‘su -‘ to get root access.

Using FreeBSD

After it’s up you probably want to get root access: ‘su -‘
Run ‘dhclient INTERFACE’ to get a dhcp ip. Find the interface name via ifconfig.

Install Bash

If you chose to install Ports during install, you can go to /usr/ports and hit ‘make search name=”bash”. You can use this to search for packages called bash. Then cd /usr/ports/shells/bash; make; make install; make clean

Then ‘chsh’ and change to /usr/local/bin/bash. Vi-syntax works so press i to insert, r to replace, x to remove or :wq! to write and quit.

Update and use ports.

You can also search on freshports.org.

csup is a tool that you use to update the ports collection. Another is portsnap.
Portsnap appears to be a bit simpler and it came by default when I installed it.

portsnap fetch; portsnap extract; port portsnap update

Basically Ports consists of softwares’ make files and some files pointing where to download the softwares when you decide to install them. You only need to run the portsnap extract the first time. Rest of the times fetch and update should do it. Or ‘portsnap cron’ if you do it in the scheduler/crontab.

Portaudit is a tool that checks for vulnerabilities in the softwares you use. This was very quick to install though. To see if you have any issues, hit ‘portaudit -Fda’.

Each port or software should have a file called pkg-descr, you can use this to see what it does.

portsearch is one that you can use to search for ports instead of the ‘make search’.


You can ssh into the machine directly after installing, as long as it has IP connectivity (if you can ping it). You also cannot ssh in as root by default.


the firewall is ‘ipfw’. This is not enabled by default. To enable it set firewall_enable to YES in /etc/rc.conf. Make sure you add some good fw rules first. Or you can set firewall_type=”open” in rc.conf and then firewall_script=”/etc/ipfw.rules”.

See http://www.freebsd.org/doc/handbook/firewalls-ipfw.html . There is a sample called ‘inclusive ruleset’. This one you can paste into /etc/ipfw.rules , edit to your liking (change your public interface name, add dns-servers, comment out services you don’t need (like port 80 if you for example do not have a web-server). You could then edit this script to have a

$cmd 00411 allow tcp from to me 22 in via $pif setup limit src-addr 2

This would allow only addresses from the network to ssh into your machine if you comment the rule that allows incoming on port 22 from anywhere.

ipfw list # to see the current firewall


FreeBSD is special compared to a few other operating systems because you get to compile all the software. You can of course get binaries if you want and install via pkg_add. But that’s not so cool right? It’s also a good idea to tweak the kernel, especially if you have a little slower system and want some better performance. If you have a slower system (like in a virtual machine), it could be painfully slow to install something. For example bash took what felt like forever to install for me.

This means a bit more patience is required with FreeBSD, but on the other hand maybe this way there will much be less crap installed.

Apparently FreeBSD 8.2 is not so cool because there is a 9 in beta or PC-BSD. If you want you can even get a ‘snapshot’ in the CURRENT subset, which is basically as new as it gets.

HEPIX Spring 2011 – Day 4

Dinner on the 3rd night was amazing. It was at the hotel Weisse Schwan in Arheilgen outside Darmstadt and it was a nice reception hall with big round tables, waiters with lots of wine and great buffet food. A+

Cloudy day!

Or – Infrastructure as a Service – IaaS

A few had the standpoint that the HEP community is not ready for cloud, not secure enough and we have something that’s working. But maybe a mix period would work. At least for now it’s quite awesome for non i/o intensive applications.

There were talks about virtual images and how to (securely) transfer them between sites. Several options about this, stratuslab cloud distribution of images and cloudscheduler.

One great use case for running computing nodes in the cloud is at the moment for when the cluster is maxed out – then you can kick up some more vms in the cloud to help speed up the run. Or when running the jobs it keeps the VM running as long as jobs that require that kind of VMs are in the queue. Or for testing – quite easy to set up several VMs with different operating systems/platforms and then run testing on them. See cloudscheduler.org

Infrastructure as a Code – IaaC – see Opscode and Chef. A pretty interesting looking  configuration management system.



Maybe the most interesting presentation at the end of the day – and the debate following was maybe the most – it was the presentations from Oracle Linux and Oracle Open Source.

Before the presentation they had a nice slide stating that they don’t make any promises based on the presentation. That presentation is not available but the other one is – the one about Oracle and Open Source..

Oracle Linux (OL) looks pretty good, it’s free to download but if you want any updates you need to pay them. They have an upgrade thing so if you’re on RHEL6 you can apparently update easily (changes some yum repos). A lot of advertisement – but it was a presentation about the distribution. It’s based on RHEL, they take the updates from RHEL, then add their own magic to it. They have a boot setup so if you want to you can boot OL in Red Hat Compatibility mode. Apparently Oracle wants to put Red Hat out of business (after which they were asked: “Where will you get the kernel then?”). x86-64 only.

On the horizon:  

  • btrfs(fs that supports error detection, CoW, snapshots, ssd optimization, small files are put in metadata)
  • vswitch(full network switch, set up virtual network in the OS, ACL, VLAN, QoS, flow monitoring with openFlow)
  • Zcache(keep more pages of the fs page cache longer in main memory, more cache using LZO compression and thus fewer I/O operations – a lot faster to compress/uncompress than to access disk)
  • storage connect
  • linux containers (resource management, jails on bsd, zones on solaris, own apps/libs/root, runs on top of the kernel, not a virtualization).

From the discussion:

Pidgin – some wanted Video. Pidgin said: no way. This is how Oracle will run their open source projects like MySQL, Lustre.

“If you don’t like how the project is going – fork.” – Gilles Gravier.

Two reasons to fork: proactively (worried) or because they are unhappy with how it’s going (how it’s going or not going).

People in the audience are afraid that a lot of times a company acquires an open source project and then closes it down.

“When you acquire a company and it’s the projects. You have two options if don’t want the project. Drop it or kill it. Kill it does not work for open source.” – Gilles Gravier.

Openoffice is not dropped yet. Lots of other options. Fork and work on closed source (like Grid Engine). Drop it and stop working on it. Drop it and “talk to the community”.

No info about Lustre – when asked about it Oracle did not want to comment. Asked to e-mail gilles.gravier@oracle.com for more information.

Will Oracle port debconf to Oracle Linux? Oracle will take a look.

There was lot of angst against Oracle that surfaced, but Oracle handed it quite well and had good answers.

From one of the Oracles: “Allow me to be a bit provocative: If Oracle’s prices were lower; would you consider buying an Oracle product?”

“It takes 25 years to make a good reputation, 5 minutes to loose it.” – CERN employee.
“SUN used to make hardware and give away software for free; Oracle is .. the other way around.” – Lenz Grimmer
“Laughter” – Audience.

European Open File System SCE

  • http://www.eofs.org
  • one repository of lustre
  • hpcfs.org is another lustre open source – this will merge with opensfs.org. Both are American.
  • Close work together with eofs.org – the two above have agreed on a set of improvements.
  • 2.1 lustre will be released by Whamcloud in summer 2011.
  • LUG – lustre user group – reports and interviews at http://insidehpc.com


Next Day:
Day 5

Previous Days:
Day 3
Day 2
Day 1

Virtualbox – Free OS Virtualization

Had the opportunity to try out virtualbox the other day on RHEL.

I really liked the part that the rpm that I downloaded was signed and I had to import the signature to be able to install the package! Feels safe. Install did not cause any other problems for me.

As far as the interface goes I like it a lot.
Quite intuitive and worked fine for what I did with it (load a pre-made .vdi, boot, configure).

Not that different at all from VMWare Workstation. But I didn’t do much at all with virtualbox except the initial setup of the VM.

It is also free!

Some cool stuff:

  • manage the VMs via php
  • updated about once a month
  • Runs on windows/linux/osx/solaris
  • you can convert vmware vms into virtualbox format or you can actually import a vmware vm

Not so cool stuff:

  • oracle -> means suddenly you may have to pay licenses for it ;s