Shoot, 37 Signals had this performance impact:

Of course, layering in a VM lets us VMotion the process, if we weren’t using a lot of local disk (since the local disk doesn’t move with it). NAS? Bwa ha ha ha, please no, corporations with I/O response requirements use SAN. Sure, SAN is expensive, but it shares the disk nicely unless you need to use the tool to monitor the SAN — SAN congestion slows the tool you need to fix it

Layering a VM tends to be satisfying a corporate requirement of “everything on VM”.

When considering Tuning the MySQL InnoDB Engine, keep in mind that if it’s on a VM, you can’t guarantee accuracy of the numbers you’re using to tune.

openssl s_client -connect 192.168.1.2:443 < /dev/null   |   \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'   > rui-192.168.1.2.crt

So what’s up with this?  When installing my company’s product, we always go through this goose-chase to find a rui.crt.  Seriously, it’s a pain, we need to dig through a bunch of directories, and in the end, sometimes we’re still scratching our heads.

Our customers just want something they can cut-n-paste.  Of course, the line above only works on non-windows, but I have reduced concern for those trying to fly with wings of lead: there’s a limit as to what you can do with windows.  Accept it.

HUGE Kudos to “Bruno” on StackExchange whose LDAP Certificate response was the key win for this.

in AutoFS Mounted FTP via FUSE, I discussed setting up an FTP client as a filesystem to do a client-side pull of FTP content.  That turned out quite vulnerable to our IT guy truncating a connection randomly through the firewall: the data stream didn’t seem to handle timeouts, and any process waiting on a data buffer tends to hang.  Pulling data from a filesystem is a kernel-level thing, so a process cannot really abort a hanging FUSE request.  Bad news.

I later found the simplified route, and installed it on the FTP server:

1. download the ZIP file (cygwin-rsyncd-2.6.8_0.zip)
2. unpack the zip file
3. use rsync.exe, which uses a cygwin.dll
4. that’s it

The rsync.exe is a cygwin binary, and acts very similar to its UNIX-y cousins; instead of installing a huge Cygwin stack, the developer has bundled just the necessary parts of Cygwin into the smaller single DLL, and provides it for rsync’s dependency.  There’s a few other files in there, but as an rsync client, I didn’t need them.

The server has a fairly standard rsync server config, with an rsyncd.conf identifying shared directories as filesystems, and such.  In general, if you have a working rsyncd, you can connect to it from this rsync.exe

Finally, my command line, as an example (my rsync.exe and the DLL are in C:\Program Files\rsync\, hand-installed), is as follows. Note that I’ve broken the line up with back-slashes to show functional groups, but when you run it, you should have it all on one line, without backslashes except the rsync.exe path.

“C:\Program Files\rsync\rsync.exe”  \

–exclude=some-skipped-file’ –exclude=*a_wildcard_pattern* –exclude=backup*z  \

–exclude=backup*.zip –exclude=*.mov –exclude=*.wmv –exclude=.*  \

–delete –delete-excluded –chmod=ugo=rX ‘  \

-avr    /cygdrive/f/path/to/users/library/   server.example.com::library/

The server has a rsyncd.conf config that says:

[ftp-services]
path = /shared/docs/library
uid = libraryowner
gid = docs-ro
comment = Library to share to all remote staff
write only = true
read only = false
list = false
exclude = some-skipped-file’ *a_wildcard_pattern* backup*z
incoming chmod = u=rwX

You’ll notice a few things that are unusual here:

1. I use “-avr” in my rsync command.  ”r” should be redundant with “-a”.  try it without
2. the source and destination paths end in a slash.  I would recommend the same convention.  Be consistent
3. I used to have /library/* as my source, but on a push, deleted directories as direct children of /library/ are gone, no longer found by the “*” wildcard, so there deletion does not sync
4. I have a bunch of –exclude options, some of which are duplicate on the rsyncd.conf entry.  Try removing some once you have yours working.
5. ditto for the chmod — they should act similarly, and setting it on the server sets a consistency and avoids users forgetting
6. my uploads are write-only — I use a different share label in rsyncd.conf for uploads than I do downloads so that those who have the keys to read can’t butcher my stuff.
7. for those crazy A:\, C:\ drive letters, you can use the cygwin special path /cygdrive/a/ or /cygdrive/c/ to map to them without playing the game of escape slashes: “was that 21 backslashes for 10 laters of scripting, or 22?”

1. try adding “–stats” to get a list of what rsync is doing
2. try adding “–max-size=20k” to avoid pushing HUGE files while diagnosing issues
3. if the datestamping is seriously butchered on your windows boxes, try “-c” option to use checksums, understanding it’ll take (much) longer to sync
4. if you habitually rename files, and rsync faithfully re-pushes the file every time, “-y” or “–fuzzy” tells rsync’s receiver to check around for similar files to use for missing files

Good Luck!

Enabling VNC on a VMX would obviate dependency on CoRD to get the job done, but this may change your user-experience.  For example, RDP tends to allow filesystems sharing across a connection, but even though VNC wouldn’t support that, I’ve had sketchy reliability there anyhow.  Additionally, the Ctrl-Shift or Shift-Option in order to do right-clicks would change around (so may parts of Windows require a two-button mouse, even though Windows claims that it works with one-button pointing devices).  Finally, VNC password seems to be a static one-for-everyone, so you lose the protection that the Windows Kerberos/AD password policies give you.

Engineers are sticklers for detail — indeed, they’re so often held feet-to-fire for the finer details their managers don’t know, cannot fully comprehend, or simply don’t care.

Many’s the engineer who is pressed for an estimate, gives one (with or without variance indicators), under- or over-estimates, and is taken to task for the bad prediction.  Similar to asking a detective “when will you solve this crime?”, some engineering work cannot be predicted, and if the engineer explains it as a “Poisson distribution”, his manager assumes “poisson” is profanity.

Some engineers no longer even try to estimate: it’s more efficient to be wrong, and punished, without wasting the effort.

Often, missing details, and discovery thereof, drive the inaccuracy.  I recall one at USL saying “less than two years”, then offering to improve the prediction within a few weeks when the manager relented and gave some details.  The manager thought he was helping by asking broad questions with few details to “get a ballpark figure” whereas the Engineer can see how the answer ranges from 2 hours to 2 years depending on environment alone.

…and then there’s the aspect of promises.  Engineers don’t promise anything but quality.  They don’t commit to a delivery, they offer their firm attempts to succeed, understanding that the delivery might be met of some features are later dropped.  They don’t answer questions unless the answer is a relatively good degree of accuracy — or unless pressed feet-to-fire for an answer that will come back and bite them later.

Lying, or inaccuracy approaching lying, is not done.  It WILL bite them later.

Being asked for answers to exceedingly vague questions will result in non-answers or answers with equally vague details.  Being asked to rough up or down significantly will be met with long decisions as to which way to go.  If an Engineer is billing, and the effort is below a certain minimum, I have known some to simply not bill for such insignificant work.

Quantizing is inaccuracy.   … an hour, a half-day, a full day, these are simply varying quanta.  Rounding up too far will yield to rounding down to zero.

Increasing inaccuracy increases the chance that either zeros will be quoted, or nothing responded at all: easier to not answer and be wrong than spend hours answering and still be inaccurate to the point of unprofessional.

So what expectation is there that a timesheet in terms of half-days will ever be accurate, and not bite the Engineer later?  ”did you really spend 1/2 day on the project you billed me for?”

Don’t impose inaccuracy on an engineer; accept the answers, record them, and if you want inaccurate or more vague results, round them yourself.

Kindle Fire’s Linux kernel lacks the necessary component (tun.ko) required to connect a tunnel.  This may be because the vendor feels its unnecessary, and space on an embedded device is more of a “prove we need it” rather than “include everything we might need” mindset, or the vendor realizes the possibility for abuse and purposely blocks this avenue.

The possible uses of tunnelling/VPN include allowing the user to use the Kindle from a corporate VPN connection, or more safely from an open Wifi, or to appear as though from a different country which therefore defeats country-based rights-blocking to purchased content (hey RIAA and MPAA, did you know that the internet was global?)

In order to use a VPN on Kindle, the user needs to “Root” it, similar to “Jailbreaking” an iOS device.  As a reminder, the “rooting” will disappear if the device is updated; the actual method used may disappear in a future update as well.  Finally, rooting your device, if detected, gives you an unsupported device should anything else happen to it (covered by warrantee or otherwise).

I write these tech articles to remind myself as much as remind others; the process seems straight-forward, but non-trivial: http://www.geek.com/articles/gadgets/how-to-root-the-kindle-fire-20111223/

In short:

1. download the Android SDK
2. set ADB (Android Debugger?) connection to recognize the Kindle Fire’s Vendor ID (0×1949)
3. set the Kindle’s SDK to use VID=1949, PID=0006
4. configure your Kindle to accept untrusted sources of applications
5. Connect your windows laptop with the SDK to your Kindle by USB
6. Download and unpack a bunch of tools from a website
7. Enable the “su” command, and download a helper app, then reboot
8. reboot, and you’re in

If the process supports a non-windows environment, I’ll update this post.

Providing configuration options for what a user actually knows versus what would be proper and correct might be faster for the user, and allow for incremental addition of resources, but may offend users or appear confusing.

Long ago, a toll-free telephone number was connected to a “Hunt Group” or “Hunt Pool”: the incoming call would try to connect on the first number, but if busy, it would move onto the next, then the next, eventually ringing the phone of the first non busy extension.  Basically, on failure of “is that line non-busy?”, it would try the next extension, recording the first success, and trying later to connect that call using the details of the success.

Some services make us change our passwords: special “you’re a nuisance” prize to those who make us change our passwords every 30 days to one we haven’t used in the last 8 passwords!  In general, we end up with some services using one password, some using another, and when we try to connect to those services, we tend to try the most recent password, then the previous, then the previous, hoping that we have a match before the service says “too many tries; account is deactivated, call our service number between the hours of 10:00am and 2:00pm and wait 45 minutes in a call-in queue to unblock your access”.  We basically try a list of possibilities, and hope we have a hit before the system “clamps down” on our attempts.

As an aside, if you know your buddy’s (or ex-girlfriend’s) bank ID, three password failures tends to block their web-banking.  Try that with your branch manager.

This same “hunt for a match before the system clamps” is often done when configuring access for dozens of servers: some servers have the new 2011Q4 password, some have the new 2012Q1 password, and some are those old systems with Mike’s password based on a cartoon character that no one remembers to change.  The behaviour is the same:

1. “all of our servers use username=scott, password=tiger”
2. (when some fail) “ok, try username=support, password=Rup3rt”
3. (all but a handful work) “ok, try username=admin, password=admin, yeah I know it’s a bad habit”

Look at how we typically ask for the authentication for a list of servers: we ask for 200 lines of a table with individual user/pass pairs for each, when we know that the user will fill in all to be the same “except for those ones over there, they’re old” and when there are failures, a few one-off changes are made.

Additionally, when authentication is not managed by TACACS or OpenID or LDAP, the group that sets/changes passwords may differ from the group that uses them.  Failing a login, we just say “Oh, Compliance Group has changed those passwords finally” and we use the new ones.

Why do we even ask for the list of passwords?  If the user is just going to play this “try this one, and if it fails, try that one next” game, and the login system never “clamps” on us, then why not just ask for the list of possible user/pass pairs?  We’d reduce the keystrokes necessary to enter all the services, we’d have a fallback path if our access suddenly stops (i.e. when “Compliance Group” updates a password and doesn’t tell our users), we could more simply add new services (such as organic growth, failover, or in response to Discovery), and we’d more accurately approximate what the user is doing.

Simple.

It’s strange, and users don’t like to tell us they don’t know.

Two things I learned in Asia: don’t back people into a corner, and don’t make then feel like they’re looking stupid.  Chinese are faced with a higher degree of competition in the workplace so are the ones nice enough to correct me on this: all cultures are sensitive to this.  No one likes to look stupid, and whether they feel like they’re looking stupid is up to their own perception. If we do something that says “you really don’t know your passwords”, they may be impacted and push-back; by continuing to play this game, we avoid this issue.  Perhaps any implementation along this idea of a list of possible names should keep this in mind.

Secondly, it’s strange.  It’s not what we’ve done in the past, and no matter how it may approximate what actually happens, you’ll get laughed at for proposing it.

…and no one with any sense of ego likes being laughed at.  Only take this road if you’re willing to have to explain it to a number of people who either reject the unusual, or accept it but lack the backbone to explain it to the next guy.  The meatware is always an issue, both the brain of the user, and the brain of the developer who avoids looking stupid to his peers.

Consider arriving in a strange, new city during the era of prohibition.  In order to find stores, markets, and local associates, you pick up two telephone guides.  Remember the White Pages and Yellow Pages?  Consider those as your resources, except that your phonebooks update instantly.

You’re able to look up your friend Mike, who has invited you to dinner.  His address is in the white pages, telling you “Mike Smith: 123 Main St”, and you know how to get there.  Mike lives above a tailoring shop, and has a market nearby, which you’re able to find to buy some beef enroute to dinner.

What about a bottle of wine?  That would be nice, but it’s prohibition, everything with any alcohol is illegal.

On the way to Mike’s, beef in-hand (a couple of excellent steaks), you notice that the tailor shop below him is closed, yet many people keep entering and leaving.  That’s odd.  Mike is happy to see you when you get to his door, and he makes a great dinner; he suggests doing so again next week.

Next week, Pork’s on the menu, but you have to look up the market again.  You wrote down the name (Joey’s Eastside Butcher) and your whitepages tell you where it is.  Mike tells you on the phone to be careful, police have detected that the Tailor shop is a Speak-Easy, and is illegal.  As a lawful citizen, despite that you’d like a drink occasionally, you tend to stay away from that sort of place anyhow.

Off to the butcher’s, but wait… where’s Mike’s place?  The whitepages no longer list his building at all.  From your always-updated whitepages, Mike’s entire building is gone.  You ask a friend, they have one that doesn’t update as quickly, and it shows that last week, Mike’s address was 123 Main St.  yeah, that’s right.  Another friend has a version of whitepages from Germany, and although in a different language, it does show the local city, and it agrees: Mike’s address is still 123 Main St.  Good thing you wrote down Mike’s phone number itself rather than his name, or you’d lose all contact with Mike.  You should get yourself a German phonebook, or use one that doesn’t delete entries, just adds them.

Arriving at Mike’s building, you notice that the Speak-Easy is doing a brisk trade.  It hasn’t been shut down!  The police haven’t lifted a finger, just “hid” it by removing Mike’s building from the whitepages.  Everyone who goes there often knows exactly where it is; if they haven’t, they’ve written down the phone number already, or have it on speed-dial.

This is how these new bills work: they don’t stop crime, they simply allow it to become unlisted quickly, without any recourse, any due-process.  They just make it harder to find, quickly.  The internet whitepages is called “DNS”, and is controlled by many different countries.  DNS updates take up to 72 hours to occur, and even after that time, the services are still open.  Anyone using these services knows where to find them without having to look them up, but if they need to, they can use alternative listings to find the same address.  The piracy isn’t even affected, it continues unabated, but common people are affected: new arrivals at a website or an interest group, and those who have to find their websites when they move (which happens about as frequently as people change homes)

Worse, with some allusion to Brazil, and perhaps to some implementations of photo-radar speed-traps, there’s no double-checking of errors, no due-process.  Due to an error, not only is a building, and all it’s businesses gone, while they are barely making it through the recession.  I’m sure the people who think this is a good idea are not the small businesses and private citizens who can vanish immediately due to error.  … and we know the Department of Homeland Security makes no mistakes.

Would you give the “Internet Kill Switch” to the TSA?

Criminals will simply go to other countries’ DNS, or just use the numbers, leaving only the lawful to be the victims of bad legislation and the zealots who support it.

Crime should be stopped by actually stopping crime, not by making it and its innocent neighbours into unlisted addresses.

Anyone who has tried to download software form a repository can tell when the ownership changes hands: the directory structure changes in subtle ways.  There’s a dot in the path now, there wasn’t before, or capitalization changes.  This isn’t a problem until you try to use the repository in an automated fashion: scripting and tools.  Suddenly, a change from “V” to “v” requires an entirely new case, as if it’s a whole new repository on a different server.

NOTE: if the files are moved around manually, and the owner of those hands doing the moving is a bit flakey or random, then this sort of speed-wobble might as well count as changing the ownership, only more frequently (every release)

People will have a problem with this, but they’ll never tell you just as they’ll never tell you that your shoes don’t match your belt… but unlike fashion faux-pas, inconsistency with directories actually impacts others.

Don’t be a flake.  Be consistent.  A script helps you do that.

Additionally, if the script is the final part of the build process, it reduces the manual steps to a build.  I would recommend either right before or right after running your self-tests.

Many of the censorship tools in-use are just tools built by engineers who are not political, just building tools. Just doing their jobs. Often the desire to fulfill a challenging objective can blind the engineer to the possible uses — or the engineer simply doesn’t care (i.e. has bigger issues to care about than some foreign country’s citizens’ free speech).

I have an Idea I’d call Qloak (compression of “Quacking” and “Cloaked”, and “Quacking” based on what Chinese guys call gossip) that would allow:

• twitter posts to get through firewalls and most paywall wifi APs
• foursquare checkins to also get through
• ability to check whether an app needs to self-destruct, flushing history

A lot of this technology is the way I used to configure the “ext” system as a phonebook at a past employer; as well, acting as the head of a TOR or a VPN connection may consistently get through.

I don’t judge Eqypt, or Libya, or China, but I worry over the limiting/chilling/hushing aspect of some engineering talent mis-applied.

I would prefer that more people are in the conversation.

Countries, Companies, people who claim to support freedom of speech should act to support it. Build a TOR gateway. Support free opinions in other countries. Listen to everyone, even the Gay, the Religious Fanatic, the Type-B personality, the Nature Fanatic, the Raging Republican — whatever grouping you put people into, those people will be oppressed in other countries. Listen to them, however much you may disagree.

Yes, if I built an App for this, I would give away free signups to anyone at an email with a domain such as .cn, .ly, etc.

iCollectGadgets shows a few great photos, but the key is in the following two (with permission, I’m willing to host a copy of these on my site to reduce any bandwidth-stealing):

Button Alignment:

Earbud 3.5mm Socket:

I would strongly recommend checking out the original site: https://icollectgadget.wordpress.com/2011/10/09/how-to-choose-cases-for-iphone-4s-and-iphone-4/

IPhone is 80% battery, HTC is 57%. Sure, optimal conditions rate the content the other way, but we all know our wifi access points will hit 300 feet / 100meters range in an optimal situation: real life differs, and for my usage, HTC with MAYBE the same services active is burning battery twice as quickly.

Not sure Android is winning yet.

Fatal error: Call to undefined method WebRequest::getIP() in extensions/ConfirmEdit/Captcha.php on line 202

Apparently, this is due to rev 106097, which replaced wfGetIP() with a wgRequest->getIP() that doesn’t exist. Maybe it’s in Yesterday’s version of WikiMedia only.

My fix:
cd extensions/ConfirmEdit
svn update -r 106096

I’m putting this blog entry so that others may see it and make use of it.

I’ve used a few terms in that one-line suggestion, perhaps I can expand on this a bit.

VirtualWisdom lets you make filter expressions such as:

Attached Port Name MATCHES ^OracleServer_*

This powerful logic lets you leverage similar names and terms to select similar servers. Consider selecting similar storage targets or hosts by parts of names, or FCIDs that start or end in the same sequence, or switches using the word “Core” or “Edge” in its role. In fact, a simple filter applied to an alarm can apply a more urgent reaction to a port with errors on a core switch rather than an edge, representing different SLAs or criticality.

The example above says “look for where the Attached Port Name — the nickname of the device attached to a switch — starts with ‘OracleServer_’ “.

UDC — User-Defined Context — allows a VirtualWisdom Administrator to define an additional metric in terms of filter expressions: when various conditions match, a constant enumeration is used for that port’s value, or that ITL’s encoding. For example, for switches with certain names, a “DataCenter” column can identify where that switch is to help forward physical layer errors (such as CRCs) to the right team to more quickly address the issue. Different storage or servers involved in different business units can be enumerated, and based on that “BU” flag or value, different SLAs may be applied, or different teams alerted. UDCs are quite powerful, and are processed on every summary that gets stored in the database.

UDCs can use the same “MATCHES” terms that standard filters can use.

The problem with MATCHES is that it strips away some optimization: the Query Optimizer is a part of a database that cross-references the client’s query with existing possible indices, even aggregate indices, to reduce the processing load by orders of magnitude. Any Oracle Admin who has spent time with the “SQL EXPLAIN” has seen the difference a simple re-ordering of expressions can make in a complex query to get a more efficient join, or fewer rows evaluated for processing to reach a result. These indices only match constant expressions with basic comparison operators such as “==”, “!=”, ““, and are completely inefficient for fuzzy or regular-expression matches.

A “MATCHES” expression in your filter or UDC can increase the load between a VirtualWisdom Portal Server and the underlying MySQL database engine. Although Virtual Instruments Engineering has worked to improve the database schema and queries, resulting in dramatic improvements in processing efficiency and maximum ITL and port count of a Portal Server, we the users still have the power to ruin this with a heavy expression or two.

If a filter isn’t run very often (such as a private dashboard, or a filter used mostly in a daily report), it may not pose very much load on the database; conversely, for a filter that runs often, constantly, the load of a MATCHES expression can repeatedly affect the server for the same data points. It’s almost as though a cache of the resulting filter would avoid rerunning the comparison so often. That is where a UDC can be used.

For filter expressions that run often, consider moving the MATCHES to a UDC calculation, and convert the filter to a comparison against that precise value. For example, if your filter looks like:

Attached Port Name MATCHES BillingServer_* OR Attached Port Name MATCHES CustRecords_*

This can be converted to a UDC such as:

• default value: “Other“
• value “Billing” when “Attached Port Name MATCHES BillingServer_*“
• value “Records” when “Attached Port Name MATCHES CustRecord_*“

This sort of UDC means that the two MATCHES expressions will run twice on every Port or Exchange of every summary. If only Servers are identified by this pattern of nicknames, you could also avoid this sort of evaluation on non-Servers by the following:

• default value: “Other“
• value: “Other” when “Attached Device Type != Server“
• value “Billing” when “Attached Port Name MATCHES BillingServer_*“
• value “Records” when “Attached Port Name MATCHES CustRecord_*“

In general, if a MATCHES is rarely evaluated, then its load — however heavier — only affects the server at rare times, so in total has a lower effect. A 100-fold heavier query run only weekly is not worth swapping for a UDC expression run every five minutes.

Try to consider each case where MATCHES is used for conversion to a UDC expression, and whether even that evaluation can be avoided by a constant expression evaluated before the MATCHES expression. Your portal server will thank you!

I wanted to highlight something I saw quite interesting in Axeda Corporation‘s Gateway and Connector technologies: Quality of metrics. Axeda uses an enumeration of simple qualities (Good, Bad, or Unknown), and this could theoretically be used when choosing which of two conflicting data types to show.

The simple act of collecting and summarizing metrics is not necessarily made easier when the precision meta is tracked, but it can help the end-user make better decisions based on this data: if you see an aberrant data point, do you know it’s seriously out-of-norm and needs to be acted upon, or is it based perhaps on a ratio with a questionable denominator, and should be taken with a bit of skepticism?

Consider precision, or at least define why it’s out-of-scope for your work.

Initially, this administrator and I spoke of “trunks”, but between Brocade and Cisco terminology, these mean different things. The aggregations of ISLs into single logical units are “Trunking” in Brocade, but “Port Channels” in Cisco. Trunking E ports in Cisco is a different thing. I’ll use “Aggregate” as much as possible to refer to this in terminology as vendor-neutral as VirtualWisdom is.

We discussed why this Admin wanted to see more than just “the top 20″ values on a list of ISLs.  Diving deeper, this was because the top 24 entries are all the same aggregate: essentially, the first entire page is taken up by channels 1 and 2 of a a single aggregate ISL.  He wanted to skip beyond this to see the next 20 or 40 ISLs so he could see which ISLs were getting near 90% utilization.  So… why not combine these into a single filter or expression that matches the aggregate, and make sure that each aggregate uses only one row of this resulting table?

Additionally, one switch vender implements this aggregation of ISLs as balanced utilization across a collection of links between the same endpoints; conversely, another vendor implements this by overflowing one container, then moving to the next. In essence, an abstract aggregation that is has 60% Utilization may look like a collection of ports or links each with utilization 60%, or might look like 6 out of 10 links with Utilization 100%, and 4 of 10 with 0%.  That’s very difficult to separate in the data, and can obfuscate which ISL aggregations are approaching maximum desired load.

VirtualWisdom’s focus is on ports: what type, attached to what, etc.  Using Aliases or Nicknames, we can describe the endpoint, and in VirtualWisdom 3.0.0 and later, those ISL Nicknames are determined for us.  Unfortunately, these all have switch/blade/port, they’re too detailed. We cannot use that combination for a “group-by”expression to separate out the ISL aggregate.

VirtualWisdom is “too detailed” in this case: it wants to show all the ports individually.

A User-Defined Context, or UDC, is a metric with constant values applied using filter expressions. We often use these to automatically apply a logical grouping that better represents the real world implementation. One ISL aggregate between two switches A1 and A2 tends to encompass all E or TE ports on A1 connected to A2, and conversely, all A2 E or TE ports attached to switch A1.  That tends to make this one ISL unique from others.  We create a UDC in the SNMP/Link scope with values based on the “name of the switch” in an ISL: for example, in “SW12A44:3:1 ISL” as a link name, “SW12A44″ is the switch name.  ISLs between two switches share the same switch names, but are distinct by this same manner from ISLs to other switches. All we need is a UDC with values such as “SW12A44″ where “Attached Port Name MATCHES ^SW12A44:*”, and “SW12B44″ where “Attached Port Name MATCHES ^SW12B44:*”.

An example UDC would look like (Using terminology that’s a bit Brocade-leaning for this UDC because the Administrator favoured Brocade terminology) :

UDC to Group ISL Trunks

As you can see, grouping these ISL connects by “Probe Name”, “Channel”, and “TrunkChannel”, and filtering by “Attached ISL” would summarize traffic on all ISLs by the switches each connects, but aggregating bandwidth of all trunk members between each switch. Grouping by Channel continues to help us keep the directions separate so that a trunk loaded with 95% in one direction and 5% in the other shows “95%” and “5%” rather than “50%”.

You’ll notice, too, that we’ve added short-circuit to mark any non-ISL as a “NoTrunk”, the same as the default value. This avoids running the heavier “MATCHES” expression to evaluate ports that aren’t even ISLs. Your Portal server will thank you.

This logic assumes that all ISLs between two switches are in the same Aggregate; if you have any two switches with more than one distinct aggregation of ISLs, our logic no longer applies. One of our Analysts has seen ISLs grouped into multiple distinct aggregates even though they’re between the same switches, but it wasn’t the case in the discussion sponsoring the work I wanted to share.

Some customers have smaller SANs with a few dozen switches; others exceed 280 switches. This number of switches, and the various ISL possibilities between these, makes writing and maintaining a UDC with over 200 values very difficult and labour-intensive.  Because the user is effectively transferring config information from one format to another, accuracy risks can enter where users are transposing digits, or delayed in echoing the updated config information, or (more often) is simply not informed that any change needs to be echoed or copied. These risks are significant detriments to using this method.

To de-risk this implementation and help you try it out, we’ve created a script to convert a basic list of ISLs with nicknames into a UDC: while the blogging engine doesn’t let me upload this file, your VI Support and Services teams can help you get “ISL2TrunkChannelUDC.awk”, and a version of “awk” to run it. If your report with a Data View of “Table” is saved as a CSV with the AttachedPortName in the 4th column, you would run this script as:

awk -v COL=4 -f ISL2TrunkChannelUDC.awk 'Table-(summary).csv' > ISLAggregation.udc

(resulting UDC tested on version 3.0.2 and version 3.1.0 pre-release, incompatible before version 3.0.0)

I hope this helps you keep watch on your ISL utilization, and show the correct justification for adding ISLs to an aggregation, or balancing traffic to another less-used edge switch.

Keep those nicknames updated, and have a great holiday.

Worse, it’s in the Windows world, so by comparison, scripting is in a toddler world (small, doesn’t understand, and has tantrums)

I end up using something like the following, understanding that pre-sharing a public SSH key is safer.

@echo off

We’ve edited “brocade-alishow2wwncsv.awk” to accommodate broader formats, but I haven’t been able to check it on a wide range of platforms.

I’ve found that when the NTP server is fewer than 4x reached, then it will not choose a source. When it chooses a source, a local source might cause it to flag itself as “unreliable” (leap flag with a bad result). That or a poor stratum (less than client’s fudged 127.127.1.0) is causing a client to ignore a source.

In our case, we saw an SNTP reject on status == 3 (see sntp/main.c::read_packet : “if (failed || data->status == 3″); this “status” is actually the Leap Indicator being 0%11 ( == 3), which was re-instated in RFC-2030 (superseding RFC-958) as an alarm condition (when the last second plus the next second are leap-seconds).

The client is flagging 0×2001 and 0×6001 quite frequently; this is clearly PLL/FLL changeovers, implying that it often sees a “weak” source, perhaps one that jitters too often, and swaps mode.

I’ll add to this over time if I see additional factors. As always — ALWAYS — “ntpq -c opeers” (in whatever form is permitted by your OS) is the best first-step, although “readvar” is also a good first step.

checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: C compiler cannot create executables
See `config.log' for more details.
make: *** [config.status] Error 77


The config.log shows:


configure:2661: checking for C compiler default output file name
configure:2688: gcc conftest.c >&5
ld: library not found for -lcrt1.10.6.o
collect2: ld returned 1 exit status


There’s a lot of discussion about this, but basically, Apple didn’t check their own tool. Shame on you, Apple.

The fix is simple, embarrassingly so:

sudo ln -s /Developer/SDKs/MacOSX10.6.sdk/usr/lib/crt1.10.6.o /Developer/usr/llvm-gcc-4.2/lib

I would expect that this needs to be updated every release.


autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autom4te: m4sugar/m4sugar.m4: no such file or directory
aclocal: /Developer/usr/bin/autom4te failed with exit status: 1
autoreconf: aclocal failed with exit status: 1


I mean “works” and “fails”, polar opposites, clearly no one checked. Shame on you, Apple.

The fix was simple: (Thanks to Nathan Herring’s consideration of ADL’s post in Stack Exchange )


*** /Developer/usr/share/autoconf/autom4te.cfg 2011-10-28 00:15:15.000000000 -0700
--- /Developer/usr/share/autoconf/autom4te.cfg 2011-10-28 00:14:33.000000000 -0700
***************
*** 99,101 ****
begin-language: "Autoconf-without-aclocal-m4"
! args: --prepend-include /usr/share/autoconf
args: --cache=autom4te.cache
--- 99,101 ----
begin-language: "Autoconf-without-aclocal-m4"
! args: --prepend-include /Developer/usr/share/autoconf
args: --cache=autom4te.cache
***************
*** 126,128 ****
begin-language: "Autotest"
! args: --prepend-include /usr/share/autoconf
args: autotest/autotest.m4f
--- 126,128 ----
begin-language: "Autotest"
! args: --prepend-include /Developer/usr/share/autoconf
args: autotest/autotest.m4f
***************
*** 140,142 ****
begin-language: "M4sh"
! args: --prepend-include /usr/share/autoconf
args: m4sugar/m4sh.m4f
--- 140,142 ----
begin-language: "M4sh"
! args: --prepend-include /Developer/usr/share/autoconf
args: m4sugar/m4sh.m4f
***************
*** 152,154 ****
begin-language: "M4sugar"
! args: --prepend-include /usr/share/autoconf
args: m4sugar/m4sugar.m4f
--- 152,154 ----
begin-language: "M4sugar"
! args: --prepend-include /Developer/usr/share/autoconf
args: m4sugar/m4sugar.m4f