FreeBSD with VMware Tools will not power off

  After installing VMware Tools on FreeBSD, the guest can be shut down from VI, but the system stops at "The operating system has halted. Please press any key to reboot." and never powers off automatically. The fix is to edit
ee /usr/local/etc/rc.d/vmware-tools.sh
  and find vmware_start_guestd(), which looks like this:
vmware_start_guestd() {
cd "$vmdb_answer_SBINDIR" && "$vmdb_answer_SBINDIR"/vmware-guestd \
--background "$GUESTD_PID_FILE"
}

  Add the parameter --halt-command "/sbin/shutdown -p now" to the vmware-guestd command, so that it reads
vmware_start_guestd() {
cd "$vmdb_answer_SBINDIR" && "$vmdb_answer_SBINDIR"/vmware-guestd \
--background "$GUESTD_PID_FILE" --halt-command "/sbin/shutdown -p now"
}

  Save and exit. Run /usr/local/etc/rc.d/vmware-tools.sh restart to restart VMware Tools, and that is all.

Growing a ZFS pool on FreeBSD by replacing a disk online (hands-on notes)

Before the replacement
test# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
zfspool 9.94G 1.96G 7.98G 19% ONLINE -

Replace da1 with da2; both are devices under /dev/
test# zpool replace zfspool da1 da2

The replacement starts
test# zpool status
pool: zfspool
state: ONLINE
status: One or more devices is currently being resilvered. The pool will
continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
scrub: resilver in progress, 15.24% done, 0h4m to go
config:

NAME STATE READ WRITE CKSUM
zfspool ONLINE 0 0 0
replacing ONLINE 0 0 0
da1 ONLINE 0 0 0
da2 ONLINE 0 0 0

errors: No known data errors

The replacement is complete
test# zpool status
pool: zfspool
state: ONLINE
scrub: resilver completed with 0 errors on Sat May 9 16:49:35 2009
config:

NAME STATE READ WRITE CKSUM
zfspool ONLINE 0 0 0
da2 ONLINE 0 0 0

errors: No known data errors

The capacity has grown
test# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
zfspool 17.9G 1.96G 16.0G 10% ONLINE -

Applications were not interrupted at any point during the process.

Source-based policy routing with PF

  On a FreeBSD server, we want replies to a connection to leave through the same NIC the request arrived on. This lets each client pick its own path, and the server does not need to collect routing tables for the different links.

ee /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
// enable PF
defaultrouter="192.168.1.1"
// default route for connections that this host initiates itself

ee /etc/pf.conf

if_cernet="em0"
if_ct="em1"
gw_cernet="192.168.1.1"
gw_ct="192.168.0.1"
block all
pass quick on lo0 all
pass in quick on $if_cernet reply-to ( $if_cernet $gw_cernet ) proto {tcp,udp,icmp} to any keep state
pass in quick on $if_ct reply-to ( $if_ct $gw_ct ) proto {tcp,udp,icmp} to any keep state
pass out keep state

VMware ESXi iSCSI vs. NFS datastore performance test

  The iSCSI target and NFS server are provided by a FreeBSD server VM running on VMware ESXi 3.5 on a host with RAID 10 (4 × 2.5″ 10K rpm 146 GB disks). A second host with RAID 1 (2 × 3.5″ 15K rpm 146 GB disks), also running VMware ESXi 3.5, mounts the iSCSI and NFS storage, which is then added as virtual disks to a FreeBSD test VM. The test command was /usr/local/bin/iozone -i 0 -i 1 -i 2 -r 1024 -s 1G -t 2 -C. Results:
  iSCSI test:
Initial write = 5443.42 KB/sec
Rewrite = 4840.85 KB/sec
Read = 19823.13 KB/sec
Re-read = 19298.97 KB/sec
Random read = 44114.65 KB/sec
Random write = 4024.72 KB/sec

  NFS test:
Initial write = 952.76 KB/sec
Rewrite = 975.36 KB/sec
Read = 14782.20 KB/sec
Re-read = 16085.16 KB/sec
Random read = 41878.42 KB/sec
Random write = 794.31 KB/sec

  CPU utilization with NFS was only about half of that with iSCSI, on both the server VM and the test VM. With iSCSI, CPU utilization sat around 15%, with a stretch in the middle above 30%; with NFS it stayed around 8%. Both hosts have 2 × Intel E5405 CPUs, with 2 cores assigned to the VM.

  Test VM mounting NFS directly:
Initial write = 2361.99 KB/sec
Rewrite = 2130.92 KB/sec
Read = 17595.85 KB/sec
Re-read = 18904.29 KB/sec
Random read = 13139.79 KB/sec
Random write = 2001.82 KB/sec

  Test VM, local disk:
Initial write = 8233.32 KB/sec
Rewrite = 12511.68 KB/sec
Read = 34969.73 KB/sec
Re-read = 34179.26 KB/sec
Random read = 82272.52 KB/sec
Random write = 4620.50 KB/sec

  Server VM, local disk:
Initial write = 6236.64 KB/sec
Rewrite = 9016.30 KB/sec
Read = 47051.42 KB/sec
Re-read = 47444.12 KB/sec
Random read = 27243.86 KB/sec
Random write = 3251.88 KB/sec

Configuring SNMP on FreeBSD

cd /usr/ports/net-mgmt/net-snmp
make install clean
ee /usr/local/etc/snmp/snmpd.conf
rocommunity abc 192.168.1.0/24    (sets a read-only community named abc, reachable only from the 192.168.1.0/24 network)
ee /etc/rc.conf
Add snmpd_enable="YES"

Using DHCP Snooping and DAI to stop ARP attacks and unauthorized static IP addresses

  DHCP Snooping blocks rogue DHCP servers and builds the MAC-IP-port binding table; DAI then inspects every ARP packet against that table. The Cisco 6500 core needs no special configuration. On the 3560 access switches, configure the following:
!
ip dhcp snooping vlan 5-10
// enable DHCP Snooping on VLANs 5-10
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snooping.db
// persist the DHCP Snooping binding table; otherwise it is lost when the switch reboots
ip dhcp snooping // turn on DHCP Snooping
ip arp inspection vlan 5-10
// enable Dynamic ARP Inspection on VLANs 5-10
ip arp inspection validate src-mac dst-mac ip
// check that the ARP packet's source MAC, destination MAC and IP address are consistent with the DHCP Snooping binding table
ip arp inspection log-buffer entries 1024 // DAI log buffer
ip arp inspection log-buffer logs 1 interval 60
// emit one DAI log message every 60 s; otherwise DAI logs every illegal ARP packet it sees and floods syslog. With this setting DAI merges identical entries automatically
!
errdisable recovery cause arp-inspection
// enable automatic recovery from the err-disabled state caused by arp-inspection
errdisable recovery interval 60 // set the auto-recovery delay to 60 s
!
interface FastEthernet0/1
// this port connects to a downstream computer
switchport access vlan 7
switchport mode access
ip arp inspection limit rate 30
// accept at most 30 ARP packets per second; above that the port goes err-disabled (cause: arp-inspection). The default is 15 pps, which proved a bit low in practice.
ip dhcp snooping limit rate 100 // same idea as above
!
interface GigabitEthernet0/1
// uplink to the 6500 or cascade port; same configuration on each
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
// trust this port for DAI: ARP packets are not inspected
ip dhcp snooping trust // trust this port for DHCP Snooping: DHCP packets are not inspected
!
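To make clear what the DAI configuration above actually enforces, here is a small Python model of the inspection path on an untrusted access port. It is example code written for this page, not anything from Cisco or from the original post; the binding table, port names and ARP frames are constructed, while the checks follow the documented meaning of validate src-mac / dst-mac / ip (header-vs-body MAC consistency, invalid IPs), the 30 pps limit and the 60 s err-disable recovery configured above.

```python
from collections import defaultdict, namedtuple

# One ARP frame as seen on an access port: Ethernet header addresses (eth_*),
# ARP body addresses (snd_*/tgt_*), opcode 1 = request / 2 = reply, ts in seconds.
Arp = namedtuple("Arp", "port vlan opcode eth_src eth_dst snd_mac snd_ip tgt_mac tgt_ip ts")
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}

def _bad_ip(ip):
    """'validate ip': reject 0.0.0.0, 255.255.255.255 and multicast addresses."""
    return ip in INVALID_IPS or 224 <= int(ip.split(".")[0]) <= 239

class DaiSwitch:
    def __init__(self, bindings, trusted, limit_pps=30, recovery=60):
        self.bindings = set(bindings)   # (vlan, mac, ip) tuples learned by DHCP snooping
        self.trusted = set(trusted)     # ports with 'ip arp inspection trust'
        self.limit, self.recovery = limit_pps, recovery
        self.seen = defaultdict(int)    # (port, whole second) -> ARP count
        self.errdisabled = {}           # port -> time it went err-disabled

    def _rate_ok(self, a):
        """'limit rate N' per untrusted port; 'errdisable recovery interval' re-enables."""
        if a.port in self.errdisabled:
            if a.ts - self.errdisabled[a.port] < self.recovery:
                return False
            del self.errdisabled[a.port]
        self.seen[(a.port, int(a.ts))] += 1
        if self.seen[(a.port, int(a.ts))] > self.limit:
            self.errdisabled[a.port] = a.ts
            return False
        return True

    def inspect(self, a):
        """Return 'forward' or a drop reason for one ARP frame."""
        if a.port in self.trusted:
            return "forward"                              # trusted uplink: no inspection
        if not self._rate_ok(a):
            return "drop:errdisable"
        if a.eth_src != a.snd_mac:                        # validate src-mac
            return "drop:src-mac"
        if a.opcode == 2 and a.eth_dst != a.tgt_mac:      # validate dst-mac (replies only)
            return "drop:dst-mac"
        if _bad_ip(a.snd_ip) or (a.opcode == 2 and _bad_ip(a.tgt_ip)):
            return "drop:ip"                              # validate ip
        if (a.vlan, a.snd_mac, a.snd_ip) not in self.bindings:
            return "drop:binding"                         # sender not in the binding table
        return "forward"
```

A host that answers ARP with a MAC-IP pair the DHCP server never handed it is dropped by the binding check, which is the case the configuration is there for; a flood of otherwise valid ARPs trips the rate limit instead.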

The puzzling Cisco IOS Release 12.2(50)SE

  Take "Release Notes for the Catalyst 3750, 3560, and 2960 Switches, Cisco IOS Release 12.2(50)SE" as an example.
  The section "Deciding Which Files to Use" says "For IPv6 capability on the Catalyst 3750 or 3560 switch or on the Cisco EtherSwitch service modules, you must order the advanced IP services image upgrade from Cisco." and the table right after it lists "c3750-advipservicesk9-tar.122-50.SE.tar" and "c3560-advipservicesk9-tar.122-50.SE.tar". Yet under "New Software Features", the "Catalyst 3750 and 3560 Switches" part states "These IPv6 features are now supported in the IP services and IP base software images:" and "The advanced IP services image is now end-of-sale (EOS) and end-of-life (EOL)."
  In Download Software there is no advanced IP services image for 12.2.50-SE(ED) at all. My guess is that whoever wrote these release notes copy-pasted the "Deciding Which Files to Use" section out of habit and only swapped in the new version number.

SolarWinds NetFlow V3.0 SP4 throws an error in Internet Explorer

  Viewing NetFlow in Internet Explorer produces the error Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 404. It is caused by the .NET Framework 3.5 SP1 update. Firefox does not show the error.

  The fix is to open \Inetpub\SolarWinds\Orion\MasterPage.master, find
<form runat="server" method="post" action="#" id="aspnetForm">
  and change it to <form runat="server" method="post" id="aspnetForm">

Reference: http://thwack.com/forums/t/10086.aspx

Running Panabit under VMware

  Setup: VMware ESXi with the Panabit Live CD Standard Edition, monitoring the network egress. The VMware ESXi host is connected to the switch over a trunk.

  Because Panabit runs in monitoring mode, port mirroring is required. Mirror the traffic of the monitored port (Gi1/1) into SPAN VLAN 1000. On the switch that hosts the monitored port, the configuration is as follows
vlan 1000
 remote-span
!
monitor session 1 source interface Gi1/1
monitor session 1 destination remote vlan 1000

  On the switch that the VMware host is connected to, configure the following
vlan 1000
 remote-span
!

  Configure VMware networking: add a port group to the existing virtual switch and enter 1000 (the VLAN from above) as its VLAN ID. Then edit the properties of the newly added port group and, on the Security tab, set the Promiscuous Mode policy to Accept.

  For simplicity the Live CD version is used. Create a new VM in VMware: choose "Other" as the guest operating system and Other (64-bit) as the version, and give it 2 NICs, both with the E1000 adapter. This is the key point: the guest OS choice above is made precisely so that the NIC adapter type can be set to E1000. Of the two NICs, the management NIC goes on the normally used network and the data NIC on the port group network just created above. Configure memory according to Panabit's documentation; no hard disk is needed.