A ZFS Clone is a read-write clone of a filesystem created from a snapshot. It still refers to the snapshot it has been created from, but allows us to make changes. We cannot remove the origin snapshot whilst the clone is in use, unless we promote it. These concepts will become clear during the examples.
Category Archives: UNIX & Linux How Tos and Tutorials
OpenDJ: Installation and Multi-Master Replication Configuration
OpenDJ is a fork of the OpenDS directory server, with OpenDS originally being developed by Sun. Sun went its own way with JDS, and OpenDS was developed for a while by the community. ForgeRock came along and forked the stale project off (the last OpenDS release was back in 2010) and have been actively developing and since then have been releasing builds as OpenDJ. OpenDJ forms part of the complete ForgeRock open-identity stack, fully supported, and is a very viable alternative to the Sun/Oracle IDM stack. OpenDS, and therefore OpenDJ, are pure Java implementations.
In this article, I will install and configure OpenDJ on two nodes running Oracle Enterprise Linux 5.7 x86_64. OpenDJ will be configured with multi-master replication between both nodes. The same procedure should work on any RHEL 5.x or 6.x derivative. Node names are foo-0001prjenv and foo-0002prjenv.
You should obtain the latest versions of all software for your platform.
NSD: How to Implement Master and Slave DNS Servers
NSD is a name server implementation developed and maintained by NLnet Labs in cooperation with RIPE. NSD is an authoritative-only DNS implementation, and is memory efficient, secure and fairly straightforward.
NSD can start up quickly, as all zone information is compiled into an efficient binary format prior the the NSD daemon reading it. A few of the root nameservers use NSD, as well as the .se ccTLD. NSD has a proven history of being robust and can meet the demands of the highest-traffic DNS requirements known.
You can read more about NSD over at the project page (http://www.nlnetlabs.nl/strace/bash -x that I had to indulge myself in. Both gooby and dolan are running a minimal package install of CentOS 6.3 x86_64.
PowerDNS 3.2: First Steps
I have been an avid PowerDNS Authoritative Server (hereafter referred to as PowerDNS - there is also a separate Recursor available that we shall ignore for now - both available at http://www.powerdns.com) user since early in the 2.x series of releases. I replaced a global BIND infrastructure with PowerDNS for many reasons - instant provisioning to an easily replicated MySQL backend being the main one. PowerDNS is also RFC-compliant, powerful, and reliable.
The infrastructure I commissioned served well over 200,000 zones across three nameserver sites - each site receiving well over 100,000,000 queries per day. Two servers at each site, each with their own MySQL backend, replicated to from a hidden MySQL master to which we provisioned, handled this load with ease. Of course, this will depend entirely on the server specifications you use to host PowerDNS. PowerDNS offers support for multiple backends, however MySQL suits my needs well - I’m familiar with it, it’s more suited to DNS provisioning than LDAP (IMHO) and supports native replication (unlike PostgreSQL).
Rather than hacking a provisioning solution around BIND 9, moving to PowerDNS provided a technical advantage as well as a business advantage - customers could have their DNS data provisioned near-instantly - something that BIND 9 with a large number of zones and a cron’d rndc reconfig/reload would not achieve. PowerDNS 3.x introduces support for DNSSEC, something PowerDNS 2.x didn’t have - so it’s time to move to PowerDNS 3.x where possible.
I will use this article to walk through an installation of PowerDNS 3.2 from source on CentOS 6.3, perform basic configuration, load a basic zone, and serve the zone data authoritatively. This article will only scrape the surface of what PowerDNS has to offer, and further articles will be written in due course to cover interesting concepts in finer detail.
Have a good read over the manual available on the PowerDNS documentation site (http://doc.powerdns.com) too.
Highly-Available Load Balancing of Apache Tomcat using HAProxy, stunnel and keepalived
This article will describe the process required to set up a highly-available SSL-enabled load balancer using HAProxy, stunnel and keepalived to front a pair of Apache Tomcat instances.
The configuration will start off simple, and extend and grow as more functionality is added. First, a session-aware HAProxy load balancer is configured. Next, Tomcat clustering is configured with session replication and the responsibility for maintaining session state is moved to Tomcat. Then, keepalived is added - providing a failover IP between HAProxy instances running on two nodes. The solution is then fully HA. To complete the article, SSL support will be enabled by way of adding stunnel in front of the HAProxy instances, and a few cleanup tasks performed.
Faithful dolan and gooby will be used for this in my lab environment. Each of the servers is running CentOS 6.3 x86_64 and already has a Tomcat instance installed to /usr/local/tomcat7 (running as the tomcat user).
|
1 2 3 |
172.16.18.169 dolan www1.tokiwinter.com 172.16.18.172 gooby www2.tokiwinter.com 172.16.18.199 vip-address |
As you can see, I’ve also reserved an IP address for our floating IP (or Virtual IP - VIP).
The end goal is to have dolan and gooby both running Tomcat as before, also running their own HAProxy and stunnel instances but also running a failover VIP provided by keepalived.
OpenLDAP Multi-Master Replication
This article will cover the installation of two OpenLDAP instances on different nodes. OpenLDAP will be configured to provide multi-master replication. Writes should still be sent to a single server, but both can be used for directory reads. In the event of failure of the write node, a load balancer or similar solution could fail writes over to the other node. OpenLDAP multi-master replication to me doesn’t seem like true multi-master replication, rather an active-active read LDAP database with hot standby of a write database. In this author’s opinion, (Oracle) Sun JDS and Forgerock OpenDJ offer far superior replication abilities.
This article will not cover OpenLDAP basics which you can already find within the administration guide available from OpenLDAP. Review the documentation available there before proceeding with this tutorial.
ZFS Part 4: ZFS Snapshots
Snapshots are another piece of awesome functionality built right into ZFS. Essentially, snapshots are a read-only picture of a filesystem at a particular point-in-time. You can use these snapshots to perform incremental backups of filesystems (sending them to remote systems, too), create filesystem clones, create pre-upgrade backups prior to working with new software on a filesystem, and so on.
The snapshot will, initially, only refer to the files on the parent ZFS dataset from which they were created and not consume any space. They will only start to consume space once the data on the original dataset is changed. The snapshot will refer to these blocks and will not free them, thus the snapshot will start consuming space within the pool. The files on the snapshot can be accessed and read via standard UNIX tools (once you know where to look).
BIND 10: Authoritative DNS Server
Note: This article was written alongside BIND 10 1.0.0-beta. See this article which covers the major differences to be aware of between 1.0.0-beta, and 1.0.0-rc.
In the previous article in the BIND 10 series, we saw how to build and install BIND 10, start it up (in the background), get it running as a designated user, connect to the command channel, and issue a command to shut BIND 10 down. In this article, we will see how BIND 10 needs to be configured to act as an authoritative DNS server. Further articles will deal with recursion, the DHCP components, and more as I investigate BIND 10 in more detail. I’m learning as I write too, so bear with me - BIND 10 is very new software, and is still in Beta stages of development - thus a lot of BIND 10 is still incomplete, or even where complete - incoherent - especially to a BIND 9 veteran like myself!
If you haven’t read the BIND 10: First Steps article, I suggest you go and do that now.
We will use bindctl to interact with the BIND 10 command channel. I’ve had a bit more time to dig into bindctl and what it actually does (and where it stores its configuration) so we will digress a little at first, and take a look at that.
ZFS Part 3: Compression & Encryption
Also available to us is ZFS compression. Let’s create a test pool for testing. We’ll turn a few options on and off so you see the syntax:
|
1 2 |
# zfs create -o mountpoint=/compressfs -o dedup=off \ > -o compression=on datapool/compressfs |
BIND 10: First Steps
Note: This article was written alongside BIND 10 1.0.0-beta. See this article which covers the major differences to be aware of between 1.0.0-beta, and 1.0.0-rc.
I’ve been an avid BIND 9 administrator for many years, and have found its configuration to be straightforward and the software itself to be reliable and RFC compliant wherever I’ve taken the time to check RFC compliance. My only criticism of BIND 9 was not being able to easily and instantly provision new zones (e.g. requiring an rndc reconfig to add new zones), without the use of DLZ (Dynamically Loadable Zones). DLZ (http://bind-dlz.sourceforge.
BIND 10 will replace BIND 9 and ISC DHCP, and thus BIND 10 comprises processes to handle both authoritative and recursive DNS, as well as DHCPv4 and DHCPv6.
BIND 10 is still in development, and this article has been written around the current release (BIND 10 1.0.0 beta). SQLite is the only supported backend at present (except for DHCPv6 which confusingly supports only MySQL).
I’m sure ISC will release a coherent product as development continues, but in my opinion they have released a confusing and very incomplete beta version of BIND 10. The BIND 10 Guide (http://bind10.isc.org/docs/
I will do my best to give BIND 9 admins an interesting overview of getting BIND 10 up and running on a fresh CentOS install, and will demonstrate some of the features available, basic configuration, architecture of the new software and so on.
Stand by guys – it’s going to be odd. Very odd. I’ll be posting new articles as I learn more about BIND 10, so what you read in this article may be superseded by a later article (once I find a better/correct way of doing something, or BIND 10 itself changes).