Grant Curell's questions

I'm testing Keycloak and wanted to integrate it with OpenShift. I'm following these instructions

I got the bit where you configure the client scope and keycloak immediately dies with:

Default install, this is all I've done to it. Refreshing does nothing. To reproduce I just go to:

Clients -> openshift (the name of my client) -> Client Scopes. When I check the logs I see:

2024-07-15 19:32:02,456 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (executor-thread-27) Could not query server using DN [OU=Users,DC=openshift,DC=lan] and filter [(&(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=openshift,DC=lan'
]; remaining name 'OU=Users,DC=openshift,DC=lan'
        at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3285)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
        at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1876)
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1799)
        at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:359)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:258)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:255)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:729)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:709)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:704)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:255)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:278)
        at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:174)
        at org.keycloak.storage.ldap.LDAPStorageProvider.paginatedSearchLDAP(LDAPStorageProvider.java:1123)
        at org.keycloak.storage.ldap.LDAPStorageProvider.searchLDAPByAttributes(LDAPStorageProvider.java:564)
        at org.keycloak.storage.ldap.LDAPStorageProvider.searchForUserStream(LDAPStorageProvider.java:379)
        at org.keycloak.storage.UserStorageManager.lambda$searchForUserStream$29(UserStorageManager.java:537)
        at org.keycloak.storage.UserStorageManager.lambda$query$13(UserStorageManager.java:331)
        at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
        at java.base/java.util.stream.SortedOps$RefSortingSink.end(SortedOps.java:395)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:261)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:261)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:310)
        at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:735)
        at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:601)
        at com.fasterxml.jackson.datatype.jdk8.StreamSerializer.serialize(StreamSerializer.java:71)
        at com.fasterxml.jackson.datatype.jdk8.StreamSerializer.serialize(StreamSerializer.java:15)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:502)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:341)
        at com.fasterxml.jackson.databind.ObjectWriter$Prefetch.serialize(ObjectWriter.java:1574)
        at com.fasterxml.jackson.databind.ObjectWriter._writeValueAndClose(ObjectWriter.java:1275)
        at com.fasterxml.jackson.databind.ObjectWriter.writeValue(ObjectWriter.java:1098)
        at io.quarkus.resteasy.reactive.jackson.runtime.serialisers.FullyFeaturedServerJacksonMessageBodyWriter.writeResponse(FullyFeaturedServerJacksonMessageBodyWriter.java:79)
        at org.jboss.resteasy.reactive.server.core.ServerSerialisers.invokeWriter(ServerSerialisers.java:216)
        at org.jboss.resteasy.reactive.server.core.ServerSerialisers.invokeWriter(ServerSerialisers.java:184)
        at org.jboss.resteasy.reactive.server.core.serialization.FixedEntityWriter.write(FixedEntityWriter.java:28)
        at org.jboss.resteasy.reactive.server.handlers.ResponseWriterHandler.handle(ResponseWriterHandler.java:34)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:147)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

but as far as I can tell, that's correct based on my lab AD config:

Then one final sanity check in the LDAP config:

I'm not sure what Keycloak is looking for here. Everything is configured correctly.

BLUF: How does VMWare's implementation of RAID5/6 work?

Below is VMWare's chart for RAID5/6 in vSAN:

It seems VMWare is altering RAID's terminology. When I hear RAID6 I think two parity of something; usually two parity drives and subsequently we can tolerate two failures. I'm having trouble making sense of this chart for a couple of reasons:

• What is the difference in row 2/4 between RAID5 and 6? They seem to be identical.
• Why is RAID 1 (mirroring) listed twice, but with different failures to tolerate and different capacity required? It seems to follow that additional copies of the data must be made, but if that's the case then it wouldn't be RAID1 (at least not as I understand RAID1)
• How is it that they have a RAID6 that only has a single failure to tolerate

As I wrote the above question it dawned on me that what the might mean is that they are running a RAID6 with VMWare's FTT set to 1. However, if that is the case how does that work? How are they getting data size 100GBs with 133GBs required?

I'm in a strange scenario where I have a server with NodeJS backend and ReactJS frontend that does record keeping where the customer wants to use user certificates to ID who visits this internal site. The problem is they have a very large network, with convoluted PKI, and the public cert I have been given to assign to the site doesn't necessarily match all the clients that could visit it.

I have nginx up front with the ssl_verify_client optional_no_ca; set but I noticed that browsers will only give users the option of selecting their client certificate if they have a certificate that is properly signed by the same CA as the public key presented by nginx.

My understanding is that during the certificate request the server can specify what CAs are acceptable. It seems like nginx may be doing this but I’m not sure that’s the case. My plan is start dissecting with wireshark tomorrow. Is there a known way to get my site to ask browsers to always prompt users for a client certificate? Have I perhaps misunderstood something along the way?

I'm trying to interpret the above performance chart from vCenter. The thing is, each of these clusters each has four servers each with 64GB of RAM for a total of 256GB per cluster. What confounds me is that the chart seems to indicate the cluster in red has:

(red-blue)/(total red memory)

utilization. Except the units of measurement are millions of KBs and in this case that would be roughly 360 million KBs which, assuming my math is right, is 360GB, which doesn't make sense to me. Am I misinterpreting this chart?

I've been reading about RoCE and it talks about transferring data zero copy between the memory in one server directly to the memory of an application in another server. Most articles make a point to say this is done without involvement from the CPU. I don't understand how this is accomplished though. How does the data get from the adapter to the RAM without any processing from the CPU? How does it know where the application's data is in RAM?

On all distributed port groups I disabled all security settings and set everything to promiscuous.

I've got a setup I built where I have three virtualized ESXi hosts. Their management vmkernels were on a standard vswitch - everything worked like a champ. They could ping each other, they could ping out to my physical default gateway. No problems.

I migrated their managament vmkernels to a distributed switch that each of them have, they can still ping out to the default gateway, but they can no longer ping each other. I'm still working at it but at a complete loss as to how they could be able to ping the default gateway but not be able to ping each other.

I'm usually working on software and am weak on storage. I'm reading about block vs file vs object storage and everything I find talks about storage as an entirely isolated subject rather than including what the operating system would see - which is what I'm really interested it.

What confuses me is the idea that block and file storage are completely separate. For example, in LVM, you have to give it block devices to manage and then on top of that you have the respective VGs and LVs with a file system on top of that. Are these block devices not considered block storage?

When a storage person says file storage, doesn't that file storage at some point necessarily have block storage underneath it? Conversely, would block storage not require something on top of it to be useful? Either a file system or some sort of object/proprietary/special sauce storage?

For example, if I understand correctly, a SAN has some sort of controller which then presents LUNs (typically) which then get mounted by servers (seen as another hard drive in the OS) which then put file systems on them. Or is that incorrect?

It just seems odd because most of the reading material presents these as seemingly mutually exclusive options and I'm not sure if I am misunderstanding something fundamental.

I'm heavy into optimization for my job and I'm trying to better understand how to select RAM quantities. From my reading:

For the same DDR4 memory speed and DIMM type, more ranks will typically increase the loaded latency. While more ranks on the channel give the memory controller a greater capability to parallelize the processing of memory requests and reduce the size of request queues, it also requires the controller to issue more refresh commands. The benefits of greater parallelizing outweighs the penalty of the additional refresh cycles up to four ranks. The net result is a slight reduction in loaded latencies for two to four ranks on a channel. With more than four ranks on a channel there is a slight increase in loaded latency.Quote source: Useful to get the definition of "rank".

Subsequently, if I want to reduce load latency, I would think I want two to four ranks on my RAM. However, how do you know how many ranks something is?

For example, if I purchase 32GB RDIMMs, how do I tell how many ranks that RAM has?

Update: For anyone else who has to do this: I went into my company's part lookup tool and was able to pull the info. That got me this string: "DIMM,32GB;2933,2RX4,8G,DDR4,R". This post is helpful for understanding that output. The 2RX4 means 2 ranks of 4, each 8GB in size. If you're just looking it up commercially, you should be able to search by the part number if you're using Newegg or something.