Just another Scott Alan Miller Sites site

If you are working with SSHTectia 6.2 and attempting to generate an SSH key or run SSH or connect via SCP or SFTP you may run into this rather obscure error:

Error: Failed to initialize conversion library: Failed to open library `(null)/lib/shlib/i18n_icu.so', syserror:       Permission denied(13), `(null)/lib/shlib/i18n_icu.so: cannot open shared object file: No such file or directory      '. / Could not load converter library `(null)/lib/shlib/i18n_icu.so'. / Failed to open library `(null)/lib/shlib      /i18n_iconv.so', syserror: Permission denied(13), `(null)/lib/shlib/i18n_iconv.so: cannot open shared object fil      e: No such file or directory'. / Could not load converter library `(null)/lib/shlib/i18n_iconv.so'.
Failed to generate the key pair for user myuser

This error is caused by a bug in Tectia 6.2.  What is causing this, at least in my testing, is a lack of a manually created .ssh directory within the user’s home directory.  If the user does not have a home directory at all, which is where we commonly see the issue, the bug obviously also appears.  So to fix this simply:

mkdir -p ~myuser/.ssh; chown -R myuser ~myuser

The rumor is that Tectia will be resolving this issue in the 6.3 release.  But in the meantime, manually working around the bug is required.

My favorite Linux desktop distribution has long been OpenSuse and more recently my new favorite desktop environment has been Cinnamon from the Linux Mint project.  For the last few releases, OpenSuse has been providing a Cinnamon repository but has not yet built it into the base distribution.  I am hopeful that Cinnamon will become a standard environment choosable during the installation process but until then we can very easily enable and install it with just a few commands.  The Cinnamon repository is an official OpenSuse repo so no need to deal with third parties.

All we need to do is to download the repo file and tell OpenSuse to install Cinnamon, logout and select Cinnamon while logging back in.

cd /etc/zypp/repos.d/
wget http://download.opensuse.org/repositories/home:/cyberorg:/cinnamon/openSUSE_12.3/home:cyberorg:cinnamon.repo
sudo zypper in cinnamon

That’s it, all done.  Now just log out of your current session and when you log back in, choose Cinnamon.

At the best of times, working with ulimits (limits) in Linux can be confusing and complicated.  Sometimes it can be seriously challenging to determine if a limit is being imposed by the system, a user, a script or inheritance from a calling process.  One of the trickier problems to identify is that of a “fork bomb protection” limit being exceeded.  As long as you know to look for it, it is pretty easy, but if you don’t know to look for this overriding limit it can be pretty confusing to identify why processes are failing.

Typically you will encounter this limit when a user receives repeated “Resource temporarily unavailable” errors such as these below:

$ ps aux
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable

Or attempting to run a process might prompt “cannot fork [Resource temporarily unavailable]“  Our first guess is likely to inspect the /etc/security/limits.conf file and make sure that the user in question is given enough “open files” and possibly “max user processes.”  In many cases, simply raising one or the other of these limits may solve the problem.  If you collect the output of ulimit from the user session in question you can determine what the limits are that are directly affecting the process calls.

What you may find is that no matter what you do, the “max user processes” or “-u” option in ulimit never goes above 1,024.  Is that strange because you raised this limit in the limits.conf file?  It is indeed.  Before we decide that that is the issue, let’s see how many processes the user in question is using.  Remember that Linux does not have a threading model but only has processes and lightweight processes (LWPs) that behave much like threads in other operating systems.  The “max user processes” value uses the count of all processes and LWPs combined.  So to see how many processes the user is using we can check:

# ps -eLF | grep ^baduser | wc -l
1024

If that number returned, where “baduser” is the username of the offending user account, is at or near 1,024 we can be pretty certain that something has gone wrong and the user has been forking processes rapidly bringing it to the system protection limit.  This is an extremely high number, even for very busy servers.  It’s not an impossible number, just an abnormally high one.

Red Hat Enterprise Linux, and by extension its derivatives like CentOS, have an extra layer of limits applied specifically to the number of processes that an individual user can call to protect against malicious or accidental fork bombs.  This additional limit file is located at /etc/security/limits.d/90-nproc.conf.  The purpose of this file is to override any attempt to raise the “max user processes” limit above 1,024 in the normal limits.conf file to protect users from themselves.

Should you need to raise system-wide user limits, you will need to raise the cap in the 90-nproc.conf file and then additionally raise (or limit) them for individual users in the normal limits.conf file.  That Red Hat makes such a point of making this hard to raise accidentally should trigger red flags that you probably do not really want to raise this limit.  But if you need to do so, that is where the additional limit is kept.

One of the best features of Linux is the DRBD network RAID system.  DRBD is now a part of the Linux kernel so all recent Linux distributions ship with it natively.  Some distributions, like RHEL 6, are just old enough to not have it yet included but any subsequent releases will have it.  The platforms using it more heavily today are OpenSuse and Ubuntu.  Since we will be moving on in later articles to address other aspects of high availability clustering which is, to the best of my knowledge, not working on the last several releases of Ubuntu (notably 12.04 and 12.10) we will base our project off of OpenSuse 12.2.  Suse has long been the “go to” Linux distribution for those most interested in storage.  The Suse community has embraced advanced storage technologies, such as a broad inclusion of alternative filesystems, since the earliest days and was the original pioneer of the Reiser filesystem projects and is now the first major distribution to include BtrFS, widely expected to be the “next big thing” for storage on the Linux platform.

The use of DRBD for network RAID 1 (shown as R(1) or R[1]  in Network RAID Notation, depending on configuration) is the building block for many things.  It provides a reliable block device base on which we can build our clusters.  DRBD has pioneered block replication and was the inspiration for FreeBSD’s HAST system.  DRBD is currently on 8.4 but OpenSuse 12.2 is on 8.3, as is Ubuntu 12.10, so we will stick with the included version as it is mature and robust.

Before beginning, we need to install the drbd components packages as well as remove the minimal_base system if you, like me, start your OpenSuse installs from a bare minimum and build them up as packages are needed.

zypper -n remove patterns-openSUSE-minimal_base
zypper -n install drbd

Now at this stage we will need to assume that you already have the block device that you wish to add to your storage cluster ready.  This could be an entire disk drive (such as /dev/sdb) or a single partition of a block device (such as /dev/sdba3) a logical volume or a software RAID device (like /dev/md2) or a hardware RAID logical drive or just about anything you can imagine.  In our example we will work with /dev/sdb to leverage an entire drive as this is very simple to see and is a common scenario when working with VirtualBox in a lab and it is very simple to extrapolate how to replace with a different device.

One thing that can be tricky with a DRBD setup, or any type of cluster, is that to avoid working with IP addressing for everything you are stuck putting peer names into the /etc/hosts file to protect yourself against DNS errors.  DNS resolution can cause latency or hiccups or outright outages that you really can’t risk with a cluster but using straight IP addresses is too crusty so the answer is traditionally to rely on the hosts file instead.  So let’s put our two cluster nodes into our hosts file to make this easy on ourselves.  Our primary host is going to be “bert” and our secondary host is going to be “ernie”.  We’ll also assume that we are using 10.0.0.1 and 10.0.0.2 for our nodes network RAID addresses (the addresses with which they will talk to each other for block transfers, this doesn’t necessarily have to be used for any other purpose.)

Note on Node Primacy: DRBD clusters do not have a primary and secondary host hole in a persistent state.  At any given moment either node may be the primary or the secondary but neither physical node is permanently assigned such a role.  The DRBD pair act as a single unit of storage and will flip roles based on external factors.  We only think of one as primary and the other as secondary for the act of cluster creation during which we must have the first node created by primary by the nature of being the only node at the time of creation.  Once the secondary node has joined to the cluster and become fully synchronized to the primary the two are “one” in their own minds and hopefully in ours.  Once the cluster is created, restrain from thinking of one unit as being the “main” one and the other as a backup.  This is a peering relationship and both nodes are equal.  We only care which node is acting as primary at any given moment for the purposes of troubleshooting or maintenance.

echo "10.0.0.1          bert"  >> /etc/hosts
echo "10.0.0.2          ernie" >> /etc/hosts

Now we are ready to actually create the configuration file for DRBD.  This is  a very basic configuration file but will serve our purposes for setting up basic DRBD replication.  Input the following as the contents of /etc/drbd.conf:

global { usage-count no; }
common { syncer { rate 33M; } }
resource r0 {
        protocol C;
                startup {
                wfc-timeout  15;
                degr-wfc-timeout 60;
        }
        net {
                cram-hmac-alg sha1;
                shared-secret "secretphrase";
        }
        on bert {
               device /dev/drbd0;
               disk /dev/sdb;
               address 10.0.0.1:7788;
               meta-disk internal;
        }
        on ernie {
               device /dev/drbd0;
               disk /dev/sdb;
               address 10.0.0.2:7788;
               meta-disk internal;
        }
}

A couple of notes about the above configuration file:

• Syncer Rate: This is the background synchronization rate that DRBD uses to make the two remote filesystems consistent.  The rule of thumb is to set this to no more than one third of your available synchronization bandwidth (leaving two thirds for foreground synchronization) to keep from overly impacting write performance when the system brings itself back into sync.  You can alter this by hand when necessary on a live system so this is just the default rate that you set that it uses unless you tell it otherwise.  So if you know that write performance doesn’t matter overnight and you want to sync a large process, you could crank this to 95% for off-hours and let it sync up as quickly as possible.  This unit is in Bytes, not Bits.  So be careful.  The 33M number that I used here is appropriate for a dedicated GigE connection which is pretty typical of DRBD installations.
  
• Protocol:  There are three protocols available for DRBD – A, B and C.  C is the safest and the most common to use, it is full synchronization (nothing happens on the master node until the slave node has confirmed that it is up to date.)  Safe comes with a performance penalty.  Synchronous network RAID 1 would be written R(1).  Protocols A and B are asynchronous replication, so would be written R[1].  They lower the write latency to the master by not requiring the slave node to confirm a successful write before they confirm the master write back to the operating system.  This means that there is a brief moment when the systems are in a state of inconsistency.  Protocol B is called “memory synchronous” or “semi-synchronous” because it confirms that the peer (slave) node has received the replication data but does not wait for it to commit the write to disk before continuing.  This is nearly always safe, especially if the two systems are highly isolated from each other.  A joint power outage would be the primary concern here.  Protocol A is full asynchronous and introduces no delay for local writes because it does not wait for the remote node in any way and the replication data may be in a queue waiting to be sent in the case of a system failure.
• Port: In this example we are using the default replication port of 7788.  This is default but you may choose any port that you like.  Each resource requires its own port number.  So it is typical to simply increment this number for each additional resource.  Remember to open the firewall for whatever port(s) you intend to use for replication.
• Resource Name: In this example I named our DRBD resource “r0″.  This is very common and introduced by Linbit as a standard naming convention.  Naming after function is also common.  A replicated storage cluster used for NFS might be named “nfs” instead of “r0″ to make its purpose clear.  I generally do this outside of examples.
• Block Device Name: It is accepted practice to name the resultant block device of a DRBD cluster to “/dev/drbd#” where # starts at zero and increments along with each additional resource created.  While you can name the device whatever you like it would be bad form and very confusing to deviate from this practice.

Now that we have our configuration file we need to manually create the metadata that our resource will need to be able to run.  If all is going well we can simply run this command and we are almost ready to begin:

drbdadm create-md r0

Once that completes we can start the DRBD process itself which will read our configuration file and begin attempting to process our block replication system.

service drbd start

Now because our cluster has not existed previously, the system will feel that it is in an inconsistent state.  We need to tell the system that it is the master and that nothing else matters (become master without prejudice.)  So we will execute the following command (caution, never execute this on an existing cluster unless you know exactly what you are doing!):

drbdadm -- --overwrite-data-of-peer primary r0

Now if we check our DRBD status, we should see that we are now running as the primary node in a one node cluster (not very exciting.)

service drbd status
cat /proc/drbd

At this point we haves enough for us to begin to use our storage locally.  Let’s create a filesystem and mount it to /data:

mkfs.ext4 /dev/drbd0
mkdir /data
mount /dev/drbd0 /data
cd /data; touch test_file_on_drbd

Now all that we need to do is to set the DRBD process to start automatically upon system boot. And add the mount to automatically mount our newly created filesystem at boot time and our first node is complete.

chkconfig drbd on
echo "/dev/drbd0 /data nfs defaults 0 0" >> /etc/fstab

If we reboot we should, if all goes well, see that DRBD has started up and that /data has mounted and is now a normal filesystem that we can use like any other.  Now it is time to configure our second node.  This will go even faster.  In fact, we simply go back to the top and begin the same process again on that host that we did on the first one except on ernie we are going to stop once we turn on DRBD.  Now run:

drbdadm secondary r0; chkconfig drbd on

Once we do that, checking our status commands should show that synchronization has begun with a steady stream of data being sent over from bert.  Depending on your connection, your syncer rate and the speed and size of your disk array this might take a few minutes or weeks.  You can see the progress as it goes, though.

Once it is done, you should see bert running as primary and ernie running as secondary.  There is no mechanism to flip this in our current setup, so while primacy is in the eye of the beholder, in this odd case, bert truly is permanently the primary unless you manually switch them.

Why would we use this type of cluster?  In this case this is almost certainly going to be used as a building block for more clustering, but not necessarily.  This can be a great way of reliably protecting data that you just want to be able to recover “identically” later.  Let’s say that ernie dies.  Replacement is easy.  Zero impact to bert, just replace ernie and over time it syncs back up.  If bert dies you have choices, switch to running off of ernie or keep ernie as is, replace bert and let ernie feed all of the data back to bert.  A block-identical replacement system.  Useful, but hardly what we normally think of as a cluster.

Today’s article was just to introduce us to DRBD and get our feet wet and create a starting point from which to build a high availability cluster with HA starting at the storage layer and going up to the application.  As we go further the power of DRBD will become evident.

To get remote access to the graphical tools of Linux Mint, simply connect via SSH with the X and c flags (to tunnel X protocol and add compression.)  Once you do this (presumably from another UNIX system) you can simply run commands from the new session to large a local view of remote graphical applications.  This can make many tasks much easier.

ssh -XC mylogin@remoteserver

For example, should you want to make changes to the remote Linux Mint desktop you can do so via graphical tools.  To use the standard System Settings dialogue, just run this command:

gnome-control-center &

The Linux Mint team recommends upgrading versions using a LiveCD and doing a fresh install.  This method has its benefits but, for many users and environments, using the package repository online method is far superior.  First we need to make sure that we are running as root to make the process simple:

sudo -i su

Using the following command you will have your system package configuration files automatically modified for the update (I have included the old and new versions at the end of this tutorial for reference; there is no need to modify them by hand.)

sed -i 's/maya/nadia/g' /etc/apt/sources.list
sed -i 's/precise/quantal/g' /etc/apt/sources.list

Once we have changed the sources.list file, we are ready to do the update.  As always be sure that everything that you want to keep is backed up!  Upgrades are never completely safe.  Protect yourself. Once you are ready:

apt-get update; apt-get dist-upgrade
apt-get upgrade
reboot

Once your system reboots you should have a fully functional Linux Mint 14 installation.  On mine I found only one issue and that was that, for some reason, DNS was not updating correctly so I had to run the following command (thanks to everyone who commented.)  After doing that, everything worked properly.

dns-fix

As promised, here are the before and after /etc/apt/sources.list files.

deb http://packages.linuxmint.com/ maya main upstream import
deb http://archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu/ precise partner
deb http://packages.medibuntu.org/ precise free non-free
#deb http://archive.getdeb.net/ubuntu precise-getdeb apps
#deb http://archive.getdeb.net/ubuntu precise-getdeb games

deb http://packages.linuxmint.com/ nadia main upstream import
deb http://archive.ubuntu.com/ubuntu/ quantal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ quantal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ quantal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu/ quantal partner
deb http://packages.medibuntu.org/ quantal free non-free
#deb http://archive.getdeb.net/ubuntu quantal-getdeb apps
#deb http://archive.getdeb.net/ubuntu quantal-getdeb games

Begin with a minimalist install of CentOS 6.  You will need to get your networking configured before continuing.  Make sure that you can reach your YUM repositories.

Install the RHEL 6 EPEL:

rpm -ivh http://mirrors.xmission.com/fedora/epel/6/i386/epel-release-6-7.noarch.rpm

Now you can install the basic packages that will be needed for MediaWiki.

yum -y install httpd php php-mysql php-gd mysql-server mysql
yum -y install system-config-firewall-tui
service mysqld start; mysql_secure_installation
chkconfig httpd on; chkconfig mysqld on
yum install mediawiki119

MediaWiki will install to /var/www/mediawiki119 which is not the most convenient location for the files but there are several options there. You will need to edit:

DocumentRoot "/var/www"
<Directory "/var/www">
DirectoryIndex index.html index.html.var index.php

Once you have Apache configured as you would like it all you need to do is to restart Apache to pick up the new changes that you have made.

service httpd restart

You will also need to adjust your firewall to allow web connections.  I find it easiest to handle this using the System Config Text UI.

system-config-firewall-tui

Once everything is complete you will have a working MediaWiki installation. However, there is an error in the MediaWiki 1.19 RPM and there are missing links in the /var/www/mediawiki119 directory that leave you with a basically working, but ugly un-themable wiki system and some significant confusion. So to fix this all we need to do is to manually create some missing links. In order to do so, simply run these commands and you will be all set:

In Linux it is very easy to configure the use of virtual memory for the kernel.  This behaviour is known as “swappiness” as is controlled through a controllable kernel parameter, vm.swappiness.  It is easiest to think of this setting as a slider that goes from zero to one hundred.  The lower the number, the less the kernel will attempt to swap, the high the value the more aggressively the operating system will attempt to utilize swap space.

On most systems, such as Red Hat Enterprise Linux 6 and Ubuntu 12.04, the default setting for swappiness is “60″.  For traditional, physical servers this is a very good starting value and will work well for most purposes.  This value is generally balanced with a blend of throughput versus latency with the assumption that the physical storage of the server is relatively lightly used.  For systems such as desktops or batch processing servers moving this value higher might be logical to increase latency delays while also increasing overall system throughput. On a latency sensitive system or a system where disk IO is at a premium, lowering this number is generally advisable.

On a virtualized system, a good starting point is a value of “10″.  This is because, with rare exception, virtualized systems have shared disk IO and it is important for the overall system to reduce disk utilization when possible.

To determine the swappiness setting of your running system simply run this command:

cat /proc/sys/vm/swappiness

To modify the system setting for swappiness, add or modify this line in /etc/sysctl.conf:

vm.swappiness = 10

This change will require that sysctl reload or that the system is restarted.  This change is persistent.  If you want to test a temporary change that will disappear upon reboot, try this comand instead to alter the /proc filesystem directly:

echo 10 > /proc/sys/vm/swappiness

This will change system behaviour immediately.  Remember to profile your system before and after a change such as this so that you can determine if a change is beneficial or not for your situation.

The default installation of Elastix has more services running than are typically needed or desired on a PBX.  These services eat far more memory that is necessary and can very easily be cleaned up to improve memory utilization.

First we will stop a series of unnecessary services from starting at boot time (this will disable shared storage, local email handling, new hardware detection, etc. so be aware that this does stop some things but any service that proves to be needed is trivial to re-enable.)

chkconfig nfslock off
chkconfig cyrus-imapd off
chkconfig iscsi off
chkconfig iscsid off
chkconfig netfs off
chkconfig kudzu off

Further, if your system is like mine you likely use the web server very lightly but will find that the default configuration of Apache is set to spawn, by default, eight processes.  This is far too many for a normal deployment. Each process uses memory.  For an average deployment of Elastix, three is more than enough.  You need only raise this number if web performance suffers.  This will not impact telephony performance regardless.

In the file /etc/httpd/conf/httpd.conf we need to edit the section:

<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

to something more like this:

<IfModule prefork.c>
StartServers       3
MinSpareServers    2
MaxSpareServers   10
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

You can wait for the system to reboot or restart Apache manually:

service httpd restart

And finally, to control swapping activity on the box, assuming that you want to avoid swapping when unnecessary, which I do because my box is virtualized, simply add this line on to /etc/sysctl.conf:

vm.swappiness = 10

You’ll want to test that number carefully. A setting of “10″ is quite standard for virtualized systems. The default is “60″. For a physical deployment the higher value is likely better as it allows CentOS to make better decisions about how to utilize memory for maximum throughput. But on a virtualized system we really want to avoid, typically, any additional contention at the storage IO layer.
[Testing on Elastix 2.0 and 2.3]

Often remote SSH logins on Linux can experience a lengthy delay.  This is often caused by the SSH daemon on the server defaulting to attempting a DNS lookup of the SSH client attempting to connect to it.  Typically we do not want this behaviour as client systems often cannot be verified in this manner but awaiting a DNS timeout can be rather annoying.  Many systems configure this on by default.  I see this in the Red Hat family including RHEL, CentOS, etc.

The fix is simple, just explicetly add the line:

UseDNS no

To the /etc/ssh/sshd_config configuration file.  The default is “yes” and there should be a comment to this effect as well.  After making the change, simply restart the SSH daemon for the change to take effect.

service sshd restart