Oracle ASM on FreeNAS 8.3.0 x86

Hey there folks, just a very quick tip on how to set up iSCSI storage for your *crash and burn* environment. In this tutorial I will not bother with network settings, security or anything else; I will just demonstrate installing and configuring the storage and presenting the raw devices as LUNs. (They can be split within FreeNAS and used as extents, but that is for a later post.) Treat everything below as lab-only: the target ends up reachable from the whole bridged network with no authentication at all.

You can download this version of FreeNAS as 32- or 64-bit builds from the links below:

https://download.freenas.org/8.3.0/RELEASE-p1/x86/
https://download.freenas.org/8.3.0/RELEASE-p1/x64/

Create virtual machine

Since the idea is to simulate storage using as few resources as possible, I'm using the 32-bit FreeNAS 8.3.0. Create a VM and set TYPE to BSD and VERSION to FreeBSD (32-bit), or the 64-bit variant if that is the build you downloaded.


Set the memory to 512 MB; the installer warns that this is low but does not refuse to continue.


Create a new virtual disk; I recommend leaving the default of 16 GB.


Leave the default disk type, VDI.


Dynamically allocated is fine for this setup.


This is the disk where the installation will reside. I’ll leave the default.


As the initiator (client machine) is on my physical network, I will change the NIC to Bridged mode. That also means everything the target exports will be reachable from every host on that network.


In the Storage tab I added a SCSI controller with three disks, which will later be used as LUNs, and inserted the ISO image in the CD drive.


Here is an overview of the machine ready to begin the installation.


FreeNAS Installation

When you boot the machine you will be presented with the Console Setup; select option 1 and hit Enter.


Select ada0, the IDE disk where the installation will reside.


Select NO when prompted if you want to preserve existing parameters, as this is a fresh install.


Select YES to format and proceed.


The installation takes 1 minute and a few seconds on my hardware (which is not that good).


After rebooting you will see the IP obtained from DHCP. You can set a static IP in option 1 but I am using the default here just to demonstrate the storage setup.


iSCSI Configuration

Browse to the IP address of FreeNAS and click on “Services”.


Locate iSCSI and click on the tool icon to configure it before turning it on.


This step is only necessary on older versions of FreeNAS: select "Enable LUC" and change the "Controller Auth Method" to "None".


Go to the Portals tab and add the portal. I'll leave the IP address at 0.0.0.0 (listen on every interface, including the bridged one) and the default TCP port 3260.


Move on to the Initiators tab and configure the initiators according to your needs. I will just leave ALL and ALL, because I don't intend to set up authentication for this storage. Keep in mind what that means: with no CHAP and an initiator group of ALL, any host that can reach TCP 3260 on this box can log in and read or write the raw disks. Anywhere other than a throwaway lab, list only the client's IQN (and/or its address) here and turn on CHAP.


Now, on the Targets tab, create the target that will serve the LUNs to the initiators. The IQN format is iqn.YYYY-MM.reversed-domain:unique-name, where the date is the year and month in which the naming authority acquired that domain, not when the target was created (RFC 3720); what follows the colon is up to you. In my example I used iqn.2017-05 + storage + purpose, i.e. iqn.2017-05.freenas.oracleasm, which the FreeNAS target accepts even though it does not follow the reverse-domain form to the letter.

Notice I have also disabled the authentication and set the Portal Group ID and Initiator Group ID to 1, which is what was created in previous tabs.


Now on the Device Extents tab, just click on Add Device Extent button and assign the devices you want to be presented as LUNs.


Finally, on the “Associated Targets” tab, assign the luns to the target.


Back to Services, just change the switch from OFF to ON and you are good to go.


Present LUNs to the server

Now go to the server to which you want to present the LUNs and install the package iscsi-initiator-utils:

[oracle@mustang ~]$ su -
Password: 
[root@mustang ~]# dnf -y install iscsi-initiator-utils
Fedora 25 - x86_64 - VirtualBox 243 kB/s | 33 kB 00:00 
Fedora 25 - x86_64 - Updates 1.1 MB/s | 23 MB 00:20 
google-chrome 24 kB/s | 3.8 kB 00:00 
Last metadata expiration check: 0:00:01 ago on Sun May 21 09:30:23 2017.
Package iscsi-initiator-utils-6.2.0.873-34.git4c1f2d9.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

Now query the portal for the targets it offers; ours should come back together with its portal group tag:

[root@mustang ~]# iscsiadm -m discovery -t sendtargets -p 192.168.1.225
192.168.1.225:3260,1 iqn.2017-05.freenas.oracleasm

If we look at the devices now, we still can't see the LUNs; discovery only records the target, it does not open a session:

[root@mustang ~]# ls -la /dev/sd*
brw-rw----. 1 root disk 8, 0 May 19 15:34 /dev/sda
brw-rw----. 1 root disk 8, 1 May 19 15:35 /dev/sda1
brw-rw----. 1 root disk 8, 2 May 19 15:34 /dev/sda2
brw-rw----. 1 root disk 8, 3 May 19 15:34 /dev/sda3
brw-rw----. 1 root disk 8, 16 May 21 08:50 /dev/sdb
brw-rw----. 1 root disk 8, 17 May 21 08:58 /dev/sdb1

To finish up, log in to the target and the devices are presented (note that --login without -T logs in to every node that discovery has recorded, which is fine here since there is only one):

[root@mustang ~]# iscsiadm -m node --login
Logging in to [iface: default, target: iqn.2017-05.freenas.oracleasm, portal: 192.168.1.225,3260] (multiple)
Login to [iface: default, target: iqn.2017-05.freenas.oracleasm, portal: 192.168.1.225,3260] successful.

Now we can see the LUNs (sdc, sdd and sde) and you can go on to configure them with udev rules, ASMLib, etc.

[root@mustang ~]# ls -la /dev/sd*
brw-rw----. 1 root disk 8, 0 May 19 15:34 /dev/sda
brw-rw----. 1 root disk 8, 1 May 19 15:35 /dev/sda1
brw-rw----. 1 root disk 8, 2 May 19 15:34 /dev/sda2
brw-rw----. 1 root disk 8, 3 May 19 15:34 /dev/sda3
brw-rw----. 1 root disk 8, 16 May 21 08:50 /dev/sdb
brw-rw----. 1 root disk 8, 17 May 21 08:58 /dev/sdb1
brw-rw----. 1 root disk 8, 32 May 21 09:33 /dev/sdc
brw-rw----. 1 root disk 8, 48 May 21 09:33 /dev/sdd
brw-rw----. 1 root disk 8, 64 May 21 09:33 /dev/sde
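Here is the same discovery-and-login sequence as a small script, added to this post as an example and not part of the original. It logs in only to the target you expect instead of every node the initiator database has recorded, makes the session persistent across reboots, and prints exactly which /dev/sd* devices the login produced so you know what to hand to udev or ASMLib. The portal and IQN are the ones from the output above; the sample strings are built from that same output so the helpers can be tried without a target. Nothing is applied unless you run it with ISCSI_APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the original post. It wraps the discovery and
# login steps above so the initiator logs in to ONE expected target (instead
# of every node iscsiadm has ever recorded) and then reports which block
# devices appeared, ready for udev/ASMLib. Portal and IQN are the post's;
# the SAMPLE_* strings are constructed from the post's own output so the
# helpers can be exercised offline. iscsiadm is only called when ISCSI_APPLY=1.

PORTAL="${PORTAL:-192.168.1.225}"
EXPECTED_IQN="${EXPECTED_IQN:-iqn.2017-05.freenas.oracleasm}"

SAMPLE_DISCOVERY='192.168.1.225:3260,1 iqn.2017-05.freenas.oracleasm'
SAMPLE_BEFORE='brw-rw----. 1 root disk 8, 0 May 19 15:34 /dev/sda
brw-rw----. 1 root disk 8, 1 May 19 15:35 /dev/sda1
brw-rw----. 1 root disk 8, 16 May 21 08:50 /dev/sdb
brw-rw----. 1 root disk 8, 17 May 21 08:58 /dev/sdb1'
SAMPLE_AFTER="$SAMPLE_BEFORE
brw-rw----. 1 root disk 8, 32 May 21 09:33 /dev/sdc
brw-rw----. 1 root disk 8, 48 May 21 09:33 /dev/sdd
brw-rw----. 1 root disk 8, 64 May 21 09:33 /dev/sde"

# From sendtargets output ("ip:port,tpgt iqn" per line) print "ip:port iqn"
# for the expected target only; return 1 if the portal does not offer it.
pick_target() {  # $1 = discovery output, $2 = expected IQN
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == want { split($1, p, ","); print p[1] " " $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Whole SCSI disks (partitions excluded) named in an "ls -la /dev/sd*" listing.
disk_names() {  # $1 = ls output
    printf '%s\n' "$1" | awk '{ print $NF }' | grep -E '^/dev/sd[a-z]+$' | sort
}

# Disks present in the second listing but not in the first: the new LUNs.
new_disks() {  # $1 = listing before login, $2 = listing after login
    tmp=$(mktemp) || return 1
    disk_names "$1" > "$tmp"
    disk_names "$2" | grep -vxF -f "$tmp"
    rm -f "$tmp"
}

if [ "${ISCSI_APPLY:-0}" = 1 ]; then
    before=$(ls -la /dev/sd* 2>/dev/null)
    disc=$(iscsiadm -m discovery -t sendtargets -p "$PORTAL") || exit 1
    sel=$(pick_target "$disc" "$EXPECTED_IQN") \
        || { echo "$EXPECTED_IQN is not offered by $PORTAL" >&2; exit 1; }
    set -- $sel                                    # $1 = ip:port, $2 = iqn
    iscsiadm -m node -T "$2" -p "$1" --login || exit 1
    # Re-establish the session at boot so ASM finds its disks after a reboot.
    iscsiadm -m node -T "$2" -p "$1" -o update -n node.startup -v automatic
    sleep 2                                        # let udev create the device nodes
    after=$(ls -la /dev/sd* 2>/dev/null)
    echo "new LUNs:"; new_disks "$before" "$after"
else
    # Offline run against the constructed samples.
    pick_target "$SAMPLE_DISCOVERY" "$EXPECTED_IQN"
    echo "new LUNs:"; new_disks "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

Still no authentication here. If you ever point this at anything but a lab target, set node.session.auth.authmethod, node.session.auth.username and node.session.auth.password on the node record (iscsiadm -m node ... -o update) before logging in, and mirror that in the FreeNAS authorized access list.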


Hope this helps.

Posted in Storage

AWS – Securing your cloud with IAM


Moving to the cloud brings security concerns, as it should: you are putting your services on a bunch of remote data centers you have no physical control over whatsoever. So let's start by securing what we can, beginning with the root credentials.

For the sake of understanding, let's pretend you just started using AWS. Go ahead and sign in to the management console with your root credentials, a.k.a. the ones tied to your credit card and billing information, which can do whatever you wish and, of course, ruin you by the end of the month 😉

All right, back to securing the account. Find IAM (Identity and Access Management) under Security, Identity & Compliance, as in the image below:


You will land on its dashboard, which initially looks something like the image below. The first thing I would do here is click on "Customize", to get a custom URL for signing in to this account, shown under "IAM users sign-in link".


IAM Password Policy

Just like building a house, let's start from the bottom up, so the first thing is to define and apply a password policy: expand the last option and click on "Manage Password Policy":


Define the password policy as your business requires; one reasonable configuration looks similar to:


If you scroll down, you can deactivate the Security Token Service in regions you don't intend to use, so that temporary credentials cannot be requested from them. In my case I only keep the regions I intend to work with: North Virginia, Oregon and São Paulo.


Groups and permissions

Back on the dashboard, it is time to create groups: expand the "Use groups to assign permissions" box and click on "Manage Groups".


Enter the group name you wish and hit "Next Step". In this example I create an infrastructure group that will have admin privileges.


Now you can choose from existing policies to customize the group's privileges. In my case AdministratorAccess is enough, as I am creating my own non-root account. Note that AdministratorAccess is a full allow on every service, including IAM itself; what keeps this account out of the billing pages is not this policy but the fact that IAM user access to billing information is off by default and only root can activate it.


The last step is a simple review window. If you are happy with your setup, just click on “Create Group” and you are done here.


Go back to the dashboard for the next step.

Create IAM users

Here is where you add the users who will access your cloud, including yourself. Expand "Create individual IAM users" and click on "Manage Users".


On the next screen, just click on “Add user”.


Enter the user details. Note that if you are creating a user account for automation or system integration, change its access type to programmatic (an access key instead of a console password), which is not the case for me since I intend to use the management console. Click on "Next step" to proceed.


Here we set the permissions for the user. I will add my user to the group “infrastructure”.


The last page is the review, just like for everything else we've been doing. Review your settings and click on "Create user".


Multi Factor Authentication for root account

Now things get more interesting: we will add a second factor to the root account. At this point I don't have to tell you to go back to the dashboard, right? Moving on, expand "Activate MFA on your root account" and click on "Manage MFA".


Spoiler alert: Currently supported MFA virtual devices:


I will use Google Authenticator because google owns me, probably owns you too…

Once you've clicked on Manage MFA, the next screen is where you pick the kind of device. I will go with a virtual one, as stated in the spoiler above.


There's a small disclaimer that links to the list of compatible apps, which is the spoiler image above. Click on "Next Step".


Now you have to scan the QR code with your MFA app, in my case Google Authenticator.


Once you scan the QR code you will see an image like the one below, and the code will change every 30 seconds (it is a TOTP token). Authentication Code 1 and 2 above must be filled with two consecutively generated codes from your MFA app.


Having done so, just click on “Activate Virtual MFA” and if all went well, you should see the message below. Just click on “Finish”.


Delete root access keys

This is a best practice: delete your root access keys. You will understand why as soon as you expand the "Delete your root access keys" panel and read the disclaimer (a root access key is full programmatic access that the console MFA you just set up does not gate, and no IAM policy can limit it). Click on "Manage Security Credentials".


You will be prompted with the following popup, just click on “Continue to Security Credentials”


Here you will see a lot of panes you can expand and collapse. Expand "Access Keys (Access Key ID and Secret Access Key)" and you will find your root access key. Click on Delete in the "Actions" column.


A prompt will appear so you can confirm the deletion. Click on Yes (be sure you are deleting the right access key if other keys are already in place).


Once you are back to the dashboard, your settings should appear all green. Looks a lot better, right?


Let's test it out. The whole point of doing this is that my IT account should not have privileges to see the finance data, so let's put that to the proof.

Connecting to AWS with your IAM User

Now we should test the access. Browse to the custom URL you set up at the beginning and enter the user name and password you created.


Once you are connected, expand the account menu and click on "My Billing Dashboard", which would take you to the finance side.


If everything is set up correctly you should get the error below. Yay...


Now you can start creating different groups and granting different privileges to your technical team while leaving the finance data out of their reach... or kind of. We have limited their access so they can't see or deal with billing data, but an AdministratorAccess user can still use as many resources as they like in the cloud, which incurs charges and $$$$.
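The same setup from the command line, added here as an example and not part of the original post: one script that applies the password policy, creates the group and user, and then reads get-account-summary to verify what the dashboard shows as green, i.e. root has MFA and no access keys. The AdministratorAccess policy and the group name are from above; the user name, initial password and the password policy numbers are assumptions. Root MFA still has to be enrolled in the console as shown. Run it with IAM_APPLY=1 to touch the account; without it, the check runs against a constructed summary.

```sh
#!/bin/sh
# Added example, not code from the original post: the same hardening done
# with the AWS CLI, plus a check that the root account ends up in the state
# the IAM dashboard shows as green (MFA on, no access keys). Group and policy
# names are the post's; USER_NAME, the initial password and the password
# policy numbers are assumptions. SAMPLE_SUMMARY is a constructed
# get-account-summary response so the check runs offline; nothing touches
# the account unless IAM_APPLY=1.

GROUP_NAME="${GROUP_NAME:-infrastructure}"
USER_NAME="${USER_NAME:-infra-admin}"                                # assumption
INITIAL_PASSWORD="${INITIAL_PASSWORD:-Change-Me-At-First-Login-1!}"  # assumption

SAMPLE_SUMMARY='{ "SummaryMap": { "Users": 1, "Groups": 1,
    "AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0 } }'

# Extract an integer field from `aws iam get-account-summary` JSON output.
summary_field() {  # $1 = JSON text, $2 = field name
    printf '%s' "$1" | tr -d ' \n\r\t' | sed -n "s/.*\"$2\":\([0-9]*\).*/\1/p"
}

# Return 0 only if root has MFA enabled and no access keys; otherwise say
# what is still wrong on stderr and return 1.
root_hardened() {  # $1 = get-account-summary JSON
    mfa=$(summary_field "$1" AccountMFAEnabled)
    keys=$(summary_field "$1" AccountAccessKeysPresent)
    bad=0
    [ "$mfa" = 1 ] || { echo "root MFA is not enabled" >&2; bad=1; }
    [ "$keys" = 0 ] || { echo "root still has ${keys:-?} access key(s)" >&2; bad=1; }
    return $bad
}

if [ "${IAM_APPLY:-0}" = 1 ]; then
    set -e
    # Password policy (values assumed; adjust to your own requirements).
    aws iam update-account-password-policy \
        --minimum-password-length 14 \
        --require-uppercase-characters --require-lowercase-characters \
        --require-numbers --require-symbols \
        --max-password-age 90 --password-reuse-prevention 24 \
        --allow-users-to-change-password
    # Group with AdministratorAccess and a console user inside it.
    aws iam create-group --group-name "$GROUP_NAME"
    aws iam attach-group-policy --group-name "$GROUP_NAME" \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    aws iam create-user --user-name "$USER_NAME"
    aws iam add-user-to-group --user-name "$USER_NAME" --group-name "$GROUP_NAME"
    aws iam create-login-profile --user-name "$USER_NAME" \
        --password "$INITIAL_PASSWORD" --password-reset-required
    # Root MFA must be enrolled in the console (QR code); verify the result.
    if root_hardened "$(aws iam get-account-summary --output json)"; then
        echo "root account: MFA on, no access keys"
    else
        exit 1
    fi
else
    root_hardened "$SAMPLE_SUMMARY" && echo "sample account is hardened"
fi
```

The check is worth keeping around on its own: get-account-summary works under any user allowed iam:GetAccountSummary, so a cron job or a CI step can keep re-asserting that nobody has quietly re-created a root access key or turned root MFA off.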

Stay tuned for the next chapters on how to avoid that. 😉

Posted in Cloud Computing

AWS – Disabling Termination Protection for unwanted instances and terminating them.

If you are new to cloud computing, especially AWS, you will probably see an annoying message when trying to terminate instances you no longer need. It looks like the one below: "These instances have Termination Protection and will not be terminated".


Be sure the instance really can be terminated (terminate means delete: the instance is gone for good, together with any EBS volume flagged delete-on-termination and everything in its instance store).

In order to terminate such an instance go to EC2 -> Instances, select the server and click on "Actions" -> Instance Settings -> Change Termination Protection as shown below.


You should see a prompt similar to the image below, just click on “Yes, Disable”.


Now you can terminate the instance by selecting “Actions” -> Instance State -> Terminate.


Confirm by clicking on "Yes, Terminate". (Again, be sure you can really remove this server.)


That's it. The server will still show up in the list with the status "Terminated" for a while (AWS documents roughly an hour) before it disappears, and it can no longer be started.
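For completeness, here is the same thing from the AWS CLI, added as an example and not taken from the original post. It first prints the instance ID, state and Name tag so you see what you are about to destroy, clears termination protection only if it is actually set, and asks before terminating. The instance ID is a placeholder and the describe-instance-attribute sample is constructed; nothing runs against AWS unless EC2_APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the original post: the same two steps with the
# AWS CLI, wrapped so the script shows the Name tag first, only flips
# termination protection when it is actually on, and asks for confirmation
# before the irreversible part. INSTANCE_ID is a placeholder and SAMPLE_ATTR a
# constructed describe-instance-attribute response for offline use; the aws
# commands only run when EC2_APPLY=1.

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"        # placeholder
SAMPLE_ATTR='{ "InstanceId": "i-0123456789abcdef0",
               "DisableApiTermination": { "Value": true } }'

# Return 0 if `aws ec2 describe-instance-attribute --attribute
# disableApiTermination` output says protection is on.
termination_protected() {  # $1 = JSON text
    printf '%s' "$1" | tr -d ' \n\r\t' \
        | grep -q '"DisableApiTermination":{"Value":true}'
}

if [ "${EC2_APPLY:-0}" = 1 ]; then
    set -e
    echo "about to terminate:"
    aws ec2 describe-instances --instance-ids "$INSTANCE_ID" --output text \
        --query 'Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]'
    attr=$(aws ec2 describe-instance-attribute --instance-id "$INSTANCE_ID" \
               --attribute disableApiTermination)
    if termination_protected "$attr"; then
        echo "disabling termination protection on $INSTANCE_ID"
        aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" \
            --no-disable-api-termination
    fi
    printf 'Terminate %s for good? [y/N] ' "$INSTANCE_ID"; read -r answer
    [ "$answer" = y ] || { echo "aborted"; exit 1; }
    aws ec2 terminate-instances --instance-ids "$INSTANCE_ID"
else
    if termination_protected "$SAMPLE_ATTR"; then
        echo "sample instance is protected; the flag would be cleared first"
    fi
fi
```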

Hope this helps…


Posted in Cloud Computing

Virtualbox: How to setup NAT with DHCP

Hi folks, in this article I will show how easy it is to set up a NAT network in VirtualBox. I use this often to isolate my virtual servers from my physical network while still giving them internet access. Another great thing about this setup is that VirtualBox provides a native DHCP server for the NAT network, which allows a broader range of tests. Note that "NAT Network" is a different adapter mode from the per-VM "NAT": VMs on the same NAT network can talk to each other, and the host and the physical LAN can only reach them through port forwarding rules you add explicitly.

Let's get started! Open VirtualBox and go to File -> Preferences; in the window that opens select Network and click on the add icon as illustrated in the image below:


The new network is added to the list; double-click it and edit the network name, the CIDR and enable DHCP. Here is an example of a NAT network that hands out IPs from 172.16.2.2 to 172.16.2.254, with 172.16.2.1 as the default gateway:


Now you can go to any of your VMs, set the NIC's "Attached to" to NAT Network and select the entry nat_net1.

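The same network from the command line, as an added example that is not part of the original post: VBoxManage creates nat_net1 with the post's CIDR and DHCP enabled and optionally attaches a VM to it, and a small helper prints the gateway and usable host range for any CIDR you pass, which is handy before you pick a range that collides with your physical LAN. The .1 gateway and .2 to .254 host range follow what the post configures for its /24; that the same layout applies to other prefixes is an assumption. VBoxManage only runs with VBOX_APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the original post: the same NAT network
# created with VBoxManage instead of the GUI, with a helper that works out
# the gateway and host range for a CIDR so the DHCP range can be checked
# before VMs are attached. The network name and CIDR are the post's; the
# assumption that .1 is the gateway and the usable hosts run from .2 to the
# address below broadcast is the layout the post describes for its /24.
# VBoxManage is only invoked when VBOX_APPLY=1 (first argument = VM name).

NET_NAME="${NET_NAME:-nat_net1}"
NET_CIDR="${NET_CIDR:-172.16.2.0/24}"
ALL_ONES=4294967295

ip2int() {  # dotted quad -> unsigned 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "gateway first-host last-host" for a CIDR.
nat_range() {  # $1 = a.b.c.d/prefix
    ip=${1%/*}; prefix=${1#*/}
    mask=$(( (ALL_ONES << (32 - prefix)) & ALL_ONES ))
    net=$(( $(ip2int "$ip") & mask ))
    bcast=$(( net | (~mask & ALL_ONES) ))
    echo "$(int2ip $((net + 1))) $(int2ip $((net + 2))) $(int2ip $((bcast - 1)))"
}

if [ "${VBOX_APPLY:-0}" = 1 ]; then
    set -e
    VBoxManage natnetwork add --netname "$NET_NAME" --network "$NET_CIDR" --enable --dhcp on
    if [ -n "$1" ]; then
        # Attach the VM's first adapter to the new NAT network.
        VBoxManage modifyvm "$1" --nic1 natnetwork --nat-network1 "$NET_NAME"
    fi
else
    set -- $(nat_range "$NET_CIDR")
    echo "$NET_CIDR: gateway $1, DHCP hosts $2 - $3"
fi
```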

That’s it, simple and easy. Hope this helps.

Posted in Virtualization

Makefile:183: *** Error: unable to find the sources of your current Linux kernel

Hello folks, I recently ran into this error while installing VirtualBox on Red Hat 6; the fix should work for Oracle Linux/CentOS as well. The reason you are receiving this message is probably a missing package such as kernel-devel, kernel-headers or gcc, or a kernel-devel package whose version does not match the kernel you are actually running.

To solve it, open a terminal, log on as root and run the following (replace the kernel directory in the KERN_DIR line with the one matching your running kernel, i.e. /usr/src/kernels/ followed by the output of uname -r):

# /etc/init.d/vboxdrv stop
# yum -y install kernel-devel
# yum -y install kernel-headers.x86_64
# yum -y install gcc.x86_64
# export KERN_DIR=/usr/src/kernels/2.6.32-573.26.1.el6.x86_64/
# /etc/init.d/vboxdrv setup
# /etc/init.d/vboxdrv start

If you still get errors, you can troubleshoot them by reviewing the log that is written every time you run the setup command.
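Here is the same fix scripted, added as an example rather than taken from the original post. Instead of typing the kernel directory by hand it derives it from uname -r, installs kernel-devel for that exact release, and refuses to run the setup if the directory is not there, which catches the common case where yum pulled in a newer kernel-devel than the kernel currently booted. Package installation and the vboxdrv steps only run with VBOX_SETUP_APPLY=1; otherwise it checks a throwaway directory tree built from the post's kernel version.

```sh
#!/bin/sh
# Added example, not code from the original post: the same fix as a script
# that derives KERN_DIR from the running kernel instead of a hand-typed path
# and fails early when the installed kernel-devel does not match the kernel
# that is booted (the usual reason vboxdrv setup still cannot find the
# sources right after yum installed kernel-devel). Paths are RHEL/CentOS/OL 6
# style; sample_layout() builds a throwaway directory tree for an offline
# check. Packages are installed and vboxdrv rebuilt only when VBOX_SETUP_APPLY=1.

KERNEL_SRC_BASE="${KERNEL_SRC_BASE:-/usr/src/kernels}"

# Print the kernel-devel directory for a kernel release, or list what is
# installed instead on stderr and return 1.
kern_dir_for() {  # $1 = kernel release (uname -r), $2 = base directory
    dir="$2/$1"
    if [ -f "$dir/Makefile" ]; then
        printf '%s\n' "$dir"
        return 0
    fi
    echo "no kernel sources for $1 under $2; installed:" >&2
    ls "$2" >&2 2>/dev/null || true
    return 1
}

# Constructed stand-in for /usr/src/kernels containing only the post's
# kernel version; prints the temporary base directory.
sample_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/2.6.32-573.26.1.el6.x86_64"
    : > "$base/2.6.32-573.26.1.el6.x86_64/Makefile"
    printf '%s\n' "$base"
}

if [ "${VBOX_SETUP_APPLY:-0}" = 1 ]; then
    set -e
    release=$(uname -r)
    # Ask for the devel package of the *running* release, not just the newest.
    yum -y install "kernel-devel-$release" "kernel-headers-$release" gcc make
    KERN_DIR=$(kern_dir_for "$release" "$KERNEL_SRC_BASE")
    export KERN_DIR
    /etc/init.d/vboxdrv stop || true
    /etc/init.d/vboxdrv setup
    /etc/init.d/vboxdrv start
else
    base=$(sample_layout)
    kern_dir_for 2.6.32-573.26.1.el6.x86_64 "$base"
    rm -rf "$base"
fi
```

If yum cannot find kernel-devel for your running release because the repository has moved on, install the newest kernel and kernel-devel together and reboot into it; KERN_DIR then matches again.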

Posted in Virtualization

Migrate Windows 7 KVM virtual machine to Virtualbox

Hi folks, here I am again posting tips about virtualization instead of database management. I'm doing this specifically to document things I had to deal with that I'm pretty sure I won't be doing again any time soon. This is one of those: moving a Windows 7 VM from KVM to VirtualBox. So let's get to it, shall we?

The first thing you might want to do is change the type of the hard drive used in KVM to IDE, so that Windows does not blue-screen with STOP 0x0000007B when it first boots on the VirtualBox controller. If you run into that, check this out:
https://support.microsoft.com/en-us/kb/922976

The second step is to convert the disk image from qcow2 to RAW with qemu-img. Mind the disk space: the RAW file occupies the full virtual size of the disk (80 GB here). qemu-img can also write VDI directly with -O vdi, which skips the intermediate file.

# qemu-img convert -O raw Windows_7-KVM.qcow2 Windows_7VBOX.raw

Once the RAW disk is created, now it is necessary to convert it to VDI using VBoxManage.

# VBoxManage convertfromraw -format VDI Windows_7VBOX.raw /home/user/Windows_7VBOX.vdi
Converting from raw image file="Windows_7VBOX.raw" to file="/home/user/Windows_7VBOX.vdi"...
Creating dynamic image with size 85899345920 bytes (81920MB)...

Since I have been doing everything as root, I will now change the owner for the disk to my non-privileged user.

# chown user:group /home/user/Windows_7VBOX.vdi

Finally we can create a VM on Virtualbox using the converted disk. Here is a brief overview:

Open up virtualbox and click on create virtual machine. Enter a name for the machine and click “Next”.

Select the amount of memory for the machine and click “Next”. In my example 3GB of RAM.

Now the most important part for this article, select the existing disk and locate your converted VDI.

Start the VM and check if it is working fine. Hope this helps 🙂

Posted in Virtualization

RAC 11gR2: Change SCAN VIP subnet

First of all, check whether your DNS servers resolve the SCAN name to the new IPs. This is usually done by a network administrator.

[oracle@rac2 ~]$ nslookup rac-scan
Server:        144.180.76.91
Address:    144.180.76.91#53

Name:    rac-scan.localdomain
Address: 144.180.76.121
Name:    rac-scan.localdomain
Address: 144.180.76.123
Name:    rac-scan.localdomain
Address: 144.180.76.122

Now, from the grid home, check the current SCAN configuration.

[oracle@rac2 ~]$ srvctl config scan
SCAN name: rac-scan, Network: 1/144.180.76.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /192.168.1.121/192.168.1.121
SCAN VIP name: scan2, IP: /192.168.1.123/192.168.1.123
SCAN VIP name: scan3, IP: /192.168.1.122/192.168.1.122

As you can see, the VIPs are still in the old subnet. Stop the SCAN listener and the SCAN first (srvctl stop scan_listener, then srvctl stop scan), then, as root, modify the SCAN so it re-reads the name from DNS. After the modify, run srvctl modify scan_listener -u so the SCAN listeners pick up the new VIPs.

[root@rac2 ~]# /u01/app/11.2.0/grid/bin/srvctl modify scan -n rac-scan

Now bring the SCAN back online:

[oracle@rac2 ~]$ srvctl start scan
[oracle@rac2 ~]$ srvctl start scan_listener

Confirm the IPs changed:

[oracle@rac2 ~]$ srvctl config scan
SCAN name: rac-scan, Network: 1/144.180.76.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /rac-scan.localdomain/144.180.76.122
SCAN VIP name: scan2, IP: /rac-scan.localdomain/144.180.76.121
SCAN VIP name: scan3, IP: /rac-scan.localdomain/144.180.76.123

That’s it. For further information you can refer to Doc ID 952903.1.
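The whole procedure as one script, added here as an example and not part of the original post: before touching anything it parses nslookup output and insists on exactly three answers inside the new subnet, then runs the stop/modify/start sequence including the two steps that are easy to forget (stopping the SCAN and its listener first, and srvctl modify scan_listener -u afterwards so the listeners follow the new VIPs). The SCAN name, subnet and grid home are the post's; the nslookup sample is the post's output embedded for an offline check; sudo for the root step is an assumption. srvctl only runs with RAC_APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the original post: a pre-flight check that the
# SCAN name resolves to exactly three addresses inside the new subnet before
# anything is modified, followed by the full stop/modify/start sequence
# (stop SCAN listener and SCAN, modify SCAN as root, update the SCAN
# listeners, start again). Names, subnet and grid home are the post's;
# SAMPLE_NSLOOKUP is the post's nslookup output, embedded so the check runs
# offline. srvctl is only invoked when RAC_APPLY=1; sudo for the root step
# is an assumption.

SCAN_NAME="${SCAN_NAME:-rac-scan}"
NEW_SUBNET="${NEW_SUBNET:-144.180.76.0/255.255.255.0}"   # as printed by srvctl config scan
GRID_HOME="${GRID_HOME:-/u01/app/11.2.0/grid}"

SAMPLE_NSLOOKUP='Server:        144.180.76.91
Address:    144.180.76.91#53

Name:    rac-scan.localdomain
Address: 144.180.76.121
Name:    rac-scan.localdomain
Address: 144.180.76.123
Name:    rac-scan.localdomain
Address: 144.180.76.122'

# Answer-section addresses from nslookup output; the "x.x.x.x#53" line that
# names the DNS server itself is skipped.
answer_addrs() {  # $1 = nslookup output
    printf '%s\n' "$1" | awk '/^Address:/ && $2 !~ /#/ { print $2 }'
}

# Return 0 if there are exactly three answer addresses (one per SCAN VIP) and
# every one lies inside network/netmask (contiguous masks only, which is what
# srvctl reports); otherwise report the problem on stderr and return 1.
scan_addrs_ok() {  # $1 = nslookup output, $2 = network/netmask
    answer_addrs "$1" | awk -v net="${2%/*}" -v mask="${2#*/}" '
        function masked(ip, m,   P, Q, i, s, blk) {
            split(ip, P, "."); split(m, Q, "."); s = ""
            for (i = 1; i <= 4; i++) { blk = 256 - Q[i]; s = s "." int(P[i] / blk) * blk }
            return s
        }
        { n++
          if (masked($1, mask) != masked(net, mask)) {
              print $1 " is outside " net "/" mask > "/dev/stderr"; bad = 1 } }
        END { if (n != 3) { print "expected 3 SCAN addresses, got " (n + 0) > "/dev/stderr"; bad = 1 }
              exit bad ? 1 : 0 }'
}

if [ "${RAC_APPLY:-0}" = 1 ]; then
    set -e
    scan_addrs_ok "$(nslookup "$SCAN_NAME")" "$NEW_SUBNET"
    srvctl stop scan_listener
    srvctl stop scan
    sudo "$GRID_HOME/bin/srvctl" modify scan -n "$SCAN_NAME"   # root; re-reads the name from DNS
    srvctl modify scan_listener -u                            # point the listeners at the new VIPs
    srvctl start scan
    srvctl start scan_listener
    srvctl config scan
else
    scan_addrs_ok "$SAMPLE_NSLOOKUP" "$NEW_SUBNET" && echo "DNS answers are all inside $NEW_SUBNET"
fi
```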

Posted in ORACLE Database