matteo nunziati's questions

I miss to understand the topic: a request from my corp's sec team.

while setting up an sftp with chroot they insist I've to (quoting) "add notty to authorized users". to my knowledge the notty is the outcome of a login made by a user with no shell (e.g. an ssh user whose config bind her to sftp only and -to-say- has /usr/sbin/nologin configured).

what am I missing? any pointer on the openssh docs (redhat version 7)?

thank you

I'm testing various GCP features and I've faced with the question in the title. After a little bit of experimentation I think the following should hold:

• 2 peered VPC can not share the same subnet ranges, while VPC sharing is sharing the same subnets: if we want instances to communicate and we adjust firewall (FW) rules, does this make any practical difference?
• Shared VPC creates a hierarchical relation where one end is the manager of the network and FW rules and therefore can dictate all service projects abilities and can revoke shares, this also means that the host part must have access to service projects to let pick them and allow them to use the host project VPCs. Anyway VPC peering require a certain level of access to projects if one wants to peer them, but the 2 projects are on-par (both ends must allow the peering): this is an administrative/auth difference
• Shared VPC allows for a simplified FW setup as you have only one central point to setup your FW rules: you have the same set of subnets shared; while peering - alike VPNs - requires to setup rules on both ends: this is a management simplification
• Shared VPC can exhaust its resources (IPv4 ranges) faster but this means you have a ton of instances connected...
• VPC peering can do passthrou (daisy chain) up to 1 level: I've 1 connection from VPC A to VPC B and one from VPC B to VPC C. VPC A and C can not communicate but VPC B can communicate with both. On the opposite in a share scenario a project can only be either a host or a service at the same time but I can create a scenario with multiple projects sharing the same subnet and talk to each other transitively... this is probably the most relevant difference I've seen

Let say we have N different projects with N different administrators, if all parts agree on having some sort of network connection among instances, is there any other pro/cons in choosing peering over shared?!

Edit

• maybe this is the really biggest difference: if a service project uses a shared VPC and you later want to remove it, you need first to create a new VPC (or use the service project's default), reassign a new nic to all the instances which are currently using the shared VPC, let this new nic use the project own VPC, redo the FW rules and check for correct connectivity of all instances before detaching them from the shared VPC.
• additionally VPC peering can be used within the same project to increase the isolation between workloads but letting few selected VM communicate.

Edit 2

• As of now (2021-01) shared VPC can be used on a second NIC but it is a beta feature
• also one can not add more than 25 peering to a network, therefore it is quite common to let project communicate via shared VPC in so-called hub-and-spoke designs.
• Just discovered that VPC peering can be applied even between different organizations!

Edit 3

While not a strictly network architecture, Google now offers also Private service access: a way to proxy external services (including those in other projects/VPCs) via a proxy in your VPC

Thank you

Introduction

my company has a 40+ phone system with both DECT and wired phones. the wired phones, coming from different periods have either UTP wiring or classic 4wire phone cabling. NO SIP/VoIP is in place

PBX is an Aastra 470.

voice comes from fiber router, enters a IP to ISDN converter and 4 UTP wires plug 8 lines into the PBX.

so far so good.

Now we are introducing a new ERP in the company, the ERP has an asterisk based VoIP solution to notify incoming calls into users pc, providing augmented info about the incoming call.

The problem

I'm wondering if is possible to introduce the asterisk based solution along with our current PBX (and setup in general). Infact, the asterisk solution will serve the customer care office with around 10 phones, while it will be of no interest for the other offices/building.

We do not want to rebuild the entire infrastructure for this, but the solution seems attractive for the customer care office. Of course we will update phones to VoIP solutions here.

question

is there a way to connect the 2 PBX, more generally, is it possible to use an asterisk based solution to manage a group of SIP phones and then , let say, daisy chain the current PBX, leaving everything else untouched?

the idea is to add this on top of the current infrastructure, avoiding big changes.

As no one here has expertise in this I'm asking for links/pointer or direct answers to clarify what could be done.

thank you.

just finished provisioning a new hpe dl380g9 server with hyperv server 2016. Installed it on microsd (yes, it is supported by HPE). All recommended updates installed.

Everything seemed smooth but now, provisioning VMs I have a major trouble. Being them either Linux or Windows VM, if I try to restart a VM, what I got MOSTLY is just a Stop. Now and then the VM actually restarts.

I've tried to restart the entire server but issue is still here!

Issuing several

stop-VM; start-VM

seem to work.

I post here some system settings:

hyper-v server is on microsd

VM are in 2 arrays each one managed by a raid controller.

when a VM is created in array 1 I (think to) put all required files (from definitions to paging) into such an array, nothing is kept on the sd.

the only actual change to hyper-v server (other than HPE drivers installed by windows at automatically at install time) is that I've disabled the paging file.

I've tested a number of VM (linux, windows) all gen2, with windows defender either ON or OFF on the host.

all VM have dynamic vhdx and dynamic memory.

Honestly I don't even know from where to start sorting this out.

Any hint? Thank you!

I'm going to provision a server with 2 raid controllers, both controllers have the same specs but the cache, being one a 2GB cache and the other a 4GB cache controller, let call them respectively SC (small cache) and BC (big cache).

I also have 2 sets of disks: a 4-disks set with 12gbs 15k SAS disks to be setup in raid 10 and a 4 set 6gbs SSD to be set up in raid 5 (expand space at the cost of a more unreliable raid level).

db transactions will occur on ssd, while documents and mails will be stored in SAS.

My initial idea was to give more cache to SSD, but honestly I don't know if this is really useful. namely I don't really know if RAID write cache is useful at all with databases on SSD.

would like to have any insight on which cache reserve for which disk, avoiding to waste cache where not needed/useful.

thank you.

I mean, beside any incident into the rack, is possible that a redundant storage like the hp msa1040 can die because of a single point of failure?

I'm asking because we are going to implement a redundant virt system with 2 servers and a san (let call the msa1040 a san), but I am quite new to the topic and I don't see a reason why such a san (sas attached) could die.

Is in any single point of failure in such kind of systems or everything is really redundant in them as advertised?

Thank you

Edit: for downvoter, it can still be a dumb question but I'm aware that everything can die. I was wondering if there actually is a non redundant component in such items. Then yes even redundant components can blow altogether but to me these are not single points these are overall system failures caused by failures of the given redundancy subsystem. It is a different thing.

EDIT 2: while I've marked the answer as the accepted one, I would like to point out what, to me, is the best answer in absolute: https://mangolassi.it/topic/8822/why-dual-controllers-is-not-a-risk-mitigation-strategy-alone

sorry for the long title.

this is the point: due to a number of decisions it doesn't worth to share here and which do not completely belong to me, I'm facing the choice of 2 different storage solutions for a virtualization server:

1. use a SAS-attached SAN with 10 SAS disks at 10k rpm (12gbs). Those disks will be set in raid under a controller with 4 gb cache (6gb, 2 of which for SAN OS and for metadata, 4gb for actual data).

2. use local disks on the server: same amount of disks but at 15k rpm, the raid controller having "only" 2 gb of cache.

everything else in the config (number of sockets, type of processors, amount of ram, type of raid... which is raid 6) will be the same.

honestly I can not estimate which solution would be faster considering that the storage will be used for virtualization of a number of workloads:

• ERP with documental storage, DB (Postgres) and mail accounts (IMAP)
• WMS with SQL express db
• other db "intensive" apps

expected concurrent users will vary between 30 and 50 constantly checking emails and adding data entries in the ERP as per customer orders received by the company.

I don't really know how much useful the cache would be in this scenario, and if the additional 2gb of the SAN would be on par with the additional IOPS/throughput provided by 15k rpm disks.

for what concern the SAN, being a SAS attached SAN it is to me more of a DAS, with the possibility, in future, to add a second server attached to it for HA (vMotion and similar stuff).

I do not expect the SAS attached storage to perform differently from the local disks performance wise, I mean: no fiber channel of any kind of networking between SAN and server. am I wrong?

I expect the performace to be related to disks rpm and - maybe- cache. But don't understand which mix would be faster.

any suggestion? Clarifications? Missing points?

Thank you!

While it seems than win10 pro can expose a print server, I've tried to experiment a bit to understand if this print service can be used as a role in our domain.

Basically other machines can see the printer in the win10 machine if added via print management, but those printers are "volatile" (do not persist at reboot) and aren't pushed via GPO.

Before digging in possible errors on my side I would like to understand if I can use the service as in a win 2008 print server role.

I'm conducting a number of tests in order understand why some of our workloads generate a really poor "user experience" with db related activities.

We have a dl160g9 server with a B140i controller (4 LFF disks 7.2k rpm). host is centos 7, the virtualization engine is kvm, version is 105.el7_2.4 (1.5.3) from centos virt sig. Disks are thick LVM volumes on top of the fake-raid 5 generated by the b140i controller. tuned is set for performace (setting to virt guest doesn't change so much).

We run both win and linux VMs. In any case the storage is local, attached to the VM via virtio with cache=none and io=native.

As our db files are small I'm simulating workloads with:

iozone -i 0 -i 8 -s 4m -t X

where X is either 1 (simple case) or 25 (actual userbase).

These are results on host:

Children see throughput for 1 mixed workload    = 1768421.25 kB/sec
Parent sees throughput for 1 mixed workload     =  293368.05 kB/sec
Min throughput per process          = 1768421.25 kB/sec 
Max throughput per process          = 1768421.25 kB/sec
Avg throughput per process          = 1768421.25 kB/sec
Min xfer                    =    4096.00 kB

Children see throughput for 25 mixed workload   = 12061204.12 kB/sec
Parent sees throughput for 25 mixed workload    =   39519.61 kB/sec
Min throughput per process          = 1017999.00 kB/sec 
Max throughput per process          = 1237047.00 kB/sec
Avg throughput per process          =  482448.16 kB/sec
Min xfer                    =    2212.00 kB

The linux VM (ubuntu 14.04 LTS) shows:

Children see throughput for 1 mixed workload    = 1901520.62 KB/sec
Parent sees throughput for 1 mixed workload     =  176180.65 KB/sec
Min throughput per process          = 1901520.62 KB/sec 
Max throughput per process          = 1901520.62 KB/sec
Avg throughput per process          = 1901520.62 KB/sec
Min xfer                    =    4096.00 KB

Children see throughput for 25 mixed workload   = 5338608.75 KB/sec
Parent sees throughput for 25 mixed workload    =   15434.67 KB/sec
Min throughput per process          =       0.00 KB/sec 
Max throughput per process          = 2675395.75 KB/sec
Avg throughput per process          =  213544.35 KB/sec
Min xfer                    =       0.00 KB

Windows 10 64bit pro VM results:

 Children see throughput for 1 mixed workload    =  496220.16 KB/sec
 Parent sees throughput for 1 mixed workload     =  162133.06 KB/sec
 Min throughput per process                      =  496220.16 KB/sec
 Max throughput per process                      =  496220.16 KB/sec
 Avg throughput per process                      =  496220.16 KB/sec
 Min xfer                                        =    4096.00 KB

 Children see throughput for 25 mixed workload   = 1298231.58 KB/sec
 Parent sees throughput for 25 mixed workload    =    7626.09 KB/sec
 Min throughput per process                      =       0.00 KB/sec
 Max throughput per process                      =  285706.31 KB/sec
 Avg throughput per process                      =   51929.26 KB/sec
 Min xfer                                        =       0.00 KB

I see here a number of issues:

• linux perf on 1x threads seems legit according to virtio overhead but threaded concurrent access seems a mess, especially the min at 0 KB/sec is strange

• while linux VM seems to scale badly, win (and the related virtio drivers) seems a total mess even at 1 thread. While I expected some overhead, people got better results here

Of course win 10 is new and supported only by latest (117) drivers, but win 8.1 gives similar results (omitted as this post is going large).

I'm open to any doc or suggestion which can point me to the right direction: my knowledge was that cache=none, raw LVM and correct tuned-adm were enough to get good results.

Updated info

kernel (stock): Linux dl190g9 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

qemu-kvm (centos virt sig): 105.el7_2.4 (1.5.3)

libvirtd: 1.2.17

when I say virtio drivers I mean libvirt xml files report virtio as bus.

• Win shows "Red Hat virtIO SCSI Disk Device"

• linux reports disks as "00:06.0 SCSI storage controller: Red Hat, Inc Virtio block device"

Update 2

• I've previously said that the 1 thread perf on windows was unexpectedly bad. It actually fits results posted here: a ratio of 1:3 between native and Win VM in throughput.

• This leaves both scenarios with the badly scaling issue: 1:3 scaling in host vs 1:10 in VMs

As per comments, I hope in 7.3 improvements, which, according to Red Hat release schedules should happen in the really close future (around 6 months between releases).

Thanks

I'm new to hp servers. we own an hp dl160 gen9 with soft raid. it uses the b140i controller to manage 4 LFF in raid 5.

My question is: how can I scrub the raid? I've installed the hpssacli utils: while they allow me to have a report on the controller and array status, I can not find any reference to data scrubbing.

In linux soft raid I was used to program a periodic check of raid data, I would like to reproduce the same on this server.

thank you.

this is the current state in my company - non relevant details omitted: we have a production server which hosts a CRM in a VM using virtualbox. Let call this server "SMALL" as it is a small tower server. I can not switch off such a server until I've migrated/rebuilt the VM in a new server.

We have no experience with virt tecnologies like ovirt/vmware/hyper-V, with the exception of the testing ovirt install I've made on my laptop using the all-in-one plugin! We have used desktop virtualization technologies for a while now (from virtual box to local installs of kvm+libvirt).

The idea: We are going to buy a new server, let call it "BIG", and we would like to use the "BIG" machine as an oVirt node, setting the "SMALL" one as ovirt-engine.

The deploy scenario 1: can I build an oVirt node without the engine and create a new VM on it, migrate there the CRM (the "how" is out of the scope of this thread) and let it run? Later, when the CRM will be online in the "BIG" node, I would like to format the "SMALL" server and put an ovirt-engine on it. is this possible?

deploy scenario 2: add a step on top of the previous procedure: use a temp engine, even on a notebook, and deploy the oVirt node as described above. How can I migrate the whole engine later on the "SMALL" server, considering it has been already configured on a temp machine?

deploy scenario 3: I'm open to any other suggestion! :-)

thank you,

MN

Scenario: My company is going to move all the mail accounts from the current local (and ancient) POP-only provider to gmail, via google apps for work.

Current status: Currently we are using a firewall/proxy/spam filter appliance named nethsecurity box (basically an old ipcop based solution on a small x86 embedded board) which filters all mails downloaded from our local provider's servers.

Issue: Such an appliance is going out of resources these days because the company has grown a lot in the last 5 years, but basically resource shortage is due to heavy usage of clamav and spamassassin. If required, we need to replace it with something more powerful (that is more cpu and ram)

The question: does it worth to have an additional layer of spamd/clamav if you have gmail as filter? Is there any report about comparative capabilities of clamav + spamassassin vs. gmail filtering? I would avoid to add an additional layer of checks for a really neglectable increment in filtering performance (read: capability to remove additional unwanted material without relevant increments in false positive).

Never tried this and I would like to know if I can save some bucks, keeping the current appliance just for firewalling tasks.

thanx a lot!

M