Jul 14 2013

A month and a half into a start-up accelerator

It’s been more than 2 years since my last post. A lot has happened since then. Most importantly, our family has welcomed a new member, Peter, who was born on 25 March 2013. I may talk more about my family in the future. I am finishing my PhD now and I plan to defend the thesis by the end of 2013. However, I decided to start blogging about entrepreneurship. During the last year, I have discovered a new passion – everything related to business, start-ups, and good business ideas.

In February, we incorporated our bioinformatics start-up, Genialis. Our business idea, to offer a cloud-based gene recommendation product to life scientists, started to emerge in December last year. In the beginning of April, we applied to TechPeaks, “The People Accelerator”, a six-month non-equity accelerator program located in Trento, Italy. Its main idea is that it’s much more people-oriented than project-oriented. We started off in the end of May and last week, after the 3rd pitching round, we joined the club of 7 other teams who got funded a 25,000 EUR grant.

Before we came to Trento, I thought we’d benefit from TechPeaks by:

  1. Getting help from various skilled and experienced mentors
  2. Completing our team with skilled programmers and business guys
  3. Getting help from the TechPeaks team to link us to potential customers in the area
  4. Getting the 25,000 EUR non-equity grant

After a month and a half, I can evaluate my expectations a bit and put down some lessons learned which might be of use to others considering joining an accelerator.

1. Mentors: they are a great opportunity because they are ready to listen to you “by default”. Being a participant in an accelerator itself provides you with a certain level of credibility, which you can increase or lose. Of course not all mentors will give you useful advice for your specific business, but they will give you useful feedback in most cases, and, more importantly, they are usually more than willing to link you with the parts of their social network that are somehow related to your business. This expectation has been met so far.

2. Team: getting new members into an existing team is very hard in itself. It is even harder when you only have two weeks to do it (if the team loses a member after it gets funded, it loses the funding*). It is something completely different from building a team from scratch. We had a rather unpleasant experience in this aspect, as our freshly-enlarged team fell apart right after the first pitching round. I believe it was mostly our fault as we were not careful enough to be as transparent as possible. We failed in putting ourselves in our new teammates’ shoes and explaining to them all the important details of our business idea history, differentiator, relationships etc. I think there’s a reason why most of the teams that already existed before coming to TechPeaks stayed the same. This expectation has certainly not been (and probably won’t be) met.

3. Network: we are already leveraging our “TechPeaker” status to get introduced to relevant people in the area: potential customers, domain experts, potential partners etc. It looks like this expectation will be met.

4. Grant: even though we still don’t know what will be the conditions for spending the grant, we are happy we got it. Obviously, this expectation was met.

But wait, there’s more.

5. TechPeakers: I could not imagine before what a powerful and friendly crowd of people the TechPeakers would be. I really enjoy coming to the office every day, meeting other teams and individuals and discussing various matters. I am astonished to see how these guys are eager to help. I really feel they all took Evan Nisselson’s advice seriously when he said something like this in one of his first talks at TechPeaks: “If you don’t help at least one of your colleagues every day, you’re failing them and yourself”. I believe it is such networks of people which add the most value to accelerators like TechPeaks. Thanks guys!

6. Be humble: It’s really hard to be humble and open to critiques when you think you have already spent too much time on fixing something and when you don’t see a clear way how to improve it further. You start to believe people providing the critique are malevolent or not smart, which is a dangerous thing. Our team was disappointed after not getting funded in the first round. That’s OK. But we were angry and shocked when we didn’t get funded in the second round. We have been considering all sorts of scenarios, even leaving the accelerator right away. In the end we realized it was us who didn’t really try hard enough to understand and implement the feedback we got from the jury. It was a painful but very important process for us.

That’s it for now. I’ll try to write the next post before 2015, I promise.

*Update 2013-07-25: One of the funded teams lost a member after it got funded and they kept the money. So apparently there can be exceptions.


Mar 17 2011

MikroTik SSTP with Windows SBS 2008 NPS (RADIUS)

Not many people know that Windows Vista and Windows 7 now support another VPN type called SSTP, which is a kind of SSL VPN. This is very useful because a secure L2TP can be somewhat difficult to configure since IPsec has to be configured as well. PPTP is neither secure nor does it pass NATs very well since it leverages the GRE protocol. SSTP, on the other hand, uses the HTTPS protocol, so it is easy to configure (well, you still need at least a server certificate) and it passes NATs very well, like all other “nice” TCP protocols.

Recent versions of RouterOS (5.X) also support SSTP, so coupling it with Windows RADIUS server, this becomes an easy VPN solution for SMBs. In this post I will show how this can be done.

MikroTik part

First, you create an IP pool for SSTP IP address assignments:

/ip pool add name=sstp-pool ranges=192.168.1.100-192.168.1.150

Then, you add an SSTP profile:

/ppp profile add dns-server=8.8.8.8 local-address=192.168.0.1 \
name=sstp remote-address=sstp-pool use-encryption=yes use-ipv6=yes

Now it’s time to configure certificates for the SSTP server. You can use StartSSL to get free browser-approved SSL certificates. You will need 4 files:

  • ca.pem (StartSSL Root CA) – you get this one at StartSSL
  • sub.class1.server.ca.pem (Class 1 Server SubCA) – you get this one at StartSSL
  • your.mikrotik.pem (public certificate)
  • your.mikrotik.key (private key)

You have to import these files by copying them to your MikroTik device (either via WinBox drag & drop into “Files” window or via FTP) and then doing something like:

/certificate import file-name=ca.pem
/certificate import file-name=sub.class1.server.ca.pem
/certificate import file-name=your.mikrotik.pem
/certificate import file-name=your.mikrotik.key

Except for your.mikrotik.key, you just hit ENTER when you are asked about the “passphrase”. For your.mikrotik.key, you must enter your private key password, if the key is encrypted. If it is not, you can just hit ENTER as well.

Now you can do some configuration on the certificates you just imported:

/certificate set cert1 name="StartSSL CA"
/certificate set cert2 name="StartSSL Class 1 Server SubCA"
/certificate set cert3 ca=no
/certificate set cert3 name="your.mikrotik"

Now you can configure the SSTP server interface:

/interface sstp-server server set authentication=mschap1,mschap2 \
certificate=your.mikrotik default-profile=sstp enabled=yes

If you are unable to use port 443 for SSTP, you can use “port=” option in the command above to define the listening port. Don’t forget to open this port on the firewall (on the INPUT chain) if you are blocking ports by default.

Enable RADIUS authentication for PPP:

/ppp aaa set use-radius=yes

And configure the RADIUS client:

/radius add address=192.168.0.2 called-id="" disabled=no \
domain=YOURDOMAIN secret=yoursecret service=ppp

Don’t forget to change the IP address to the IP address of your RADIUS server. The same goes for YOURDOMAIN and yoursecret.

Windows part

Last time I was configuring MikroTik to authenticate users I was using Windows 2003 Server and its IAS. However, in Windows 2008 this is now called Network Policy Server and it didn’t work for me until I changed some default configuration options. So this is how I did it.

First, make sure the Network Policy Server (NPS) role is added. If not, add it, it’s very straightforward. Then, open the NPS management console and click the root node in the left pane (it’s called “NPS (Local)” on my server). Then, just use the wizard to configure the RADIUS server for VPN:

  1. Select “RADIUS server for Dial-Up or VPN Connections” as the configuration scenario and click “Configure VPN or Dial-Up”.
  2. Choose “Virtual Private Network (VPN) Connections” as “Types of connections”. (You can also change the policy name, but that’s completely optional.)
  3. Now you have to add a RADIUS client. Click Add and then choose a friendly name for your MikroTik here and write in its (local) IP address. Also, put in the secret you configured before on MikroTik (yoursecret, remember?).
  4. When choosing the Authentication Methods, I chose also MS-CHAP (v1), but perhaps leaving only MS-CHAPv2 selected will also work (I haven’t tried), since MikroTik should support it as well.
  5. Now add the user group, which will contain those users who can authenticate for this VPN connection.
  6. You can easily leave out the IP filters.
  7. You can probably disable 40 and 56-bit encryption, but I didn’t try that.
  8. You don’t need to configure the realm name, just skip it.
  9. That’s it!

Now to the tricky part:

  1. In the left pane, go to Policies, Connection Request Policies. Double click the “Virtual Private Network (VPN) Connections” policy (or whatever you named your policy above). Now set the “Type of network access server” to “Unspecified”. Also, you have to go to the Conditions tab. Edit the entry (it should be a NAS Port Type condition entry) and change it from “Virtual (VPN)” to “Async (Modem)” (deselect “Virtual” and select only “Async”).
  2. Do the same for the Network policy with the same name (Policies, Network Policies). I also set the order of the network policy to be the second (right after General Connection Authorization Policy), but I am not sure if this is needed.

WARNING: I have figured out that configuring these options is somewhat nondeterministic. This means that it just didn’t work sometimes and I had to configure the “Type of network access server” back to “Remote Access Server (VPN-Dial up)” and after that back to “Unspecified”. And this time it worked. It appears to me as a bug, but maybe it’s just me being unfamiliar with the Microsoft way of thinking. :)


Feb 23 2011

TAYGA: Simple, no-fuss NAT64 for Linux

Yesterday, I tried TAYGA, which is a stateless NAT64 (SIIT actually) userland implementation for Linux. It works pretty well, since it can leverage any “classical” NAT44 implementation to do the stateful part, which is probably what a NAT64 deployer will want to have.

So I installed TAYGA on a virtualized Debian 6.0 box where I also installed Ecdysis’ DNS64 implementation, which is actually a patched BIND.

I just followed the instructions on the TAYGA web page and everything went smoothly except for the IPv6 prefix setup. TAYGA says it can use IPv6 prefixes of any length, which is allowed by RFC 6052. So first I tried to use my Hurricane Electric assigned /64 prefix (part of my /48 allocation), and it failed to work, at least with DNS64 from Ecdysis. I haven’t tried TOTD (yet), which is mentioned in the instructions, so this might be causing the troubles. However, after I changed the prefix length to /96 both in BIND and in the TAYGA configuration, I was finally able to connect to the IPv4 world from the IPv6-only machines.

I think that this kind of stateless NAT64 is quite useful and very easy to deploy (especially for smaller environments). The only “quirk” is in that you have to use a special pool of IPv4 addresses, which TAYGA uses for its temporary (you can make them static as well) 1-to-1 IPv6-to-IPv4 mappings. However, since these IPv4 addresses are only “visible” to the NAT64 gateway (if you are running NAT44 on the same box), I can’t see why this would be a significant problem at all.
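The DNS64 server and the NAT64 translator must agree on both the prefix and its length, because RFC 6052 places the IPv4 bits at a different position for each permitted length. The sketch below is an added example, not TAYGA or BIND code; it implements the RFC 6052 embedding and extraction, and the function names and the 2001:db8:: documentation prefixes are chosen here for illustration.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052, section 2.2.
ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)


def parse_prefix(prefix):
    """Parse a translation prefix and reject lengths RFC 6052 does not allow."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_LENGTHS:
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    return net


def embed_ipv4(prefix, ipv4):
    """Return the IPv4-embedded IPv6 address, as a DNS64 server synthesizes it."""
    net = parse_prefix(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)
    if net.prefixlen == 96:
        return ipaddress.IPv6Address(base | v4)
    # Bits 64..71 (the "u" octet) must stay zero, so the IPv4 address is split:
    # the first part fills the space up to bit 63, the rest starts at bit 72.
    high_bits = 64 - net.prefixlen
    low_bits = 32 - high_bits
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    return ipaddress.IPv6Address(base | (high << 64) | (low << (56 - low_bits)))


def extract_ipv4(prefix, addr):
    """Return the IPv4 address a translator using `prefix` reads from `addr`."""
    net = parse_prefix(prefix)
    addr = ipaddress.IPv6Address(addr)
    if addr not in net:
        raise ValueError("address is outside the translation prefix")
    value = int(addr)
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    high_bits = 64 - net.prefixlen
    low_bits = 32 - high_bits
    high = (value >> 64) & ((1 << high_bits) - 1)
    low = (value >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


if __name__ == "__main__":
    # Same leading 64 bits, two different lengths: the results differ.
    for prefix in ("2001:db8:122:344::/64", "2001:db8:122:344::/96"):
        print(prefix, "->", embed_ipv4(prefix, "192.0.2.33"))
    # An address synthesized with /64 is not inside the /96 translator
    # prefix, so a translator configured for /96 does not treat it as NAT64.
    synthesized = embed_ipv4("2001:db8:122:344::/64", "192.0.2.33")
    try:
        extract_ipv4("2001:db8:122:344::/96", synthesized)
    except ValueError as err:
        print("length mismatch:", err)
```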


Feb 14 2011

phpBB: Export all posts for a user into a file

A few days ago, one of the users of the phpBB-based forum I administer asked if he could have all his posts (a few hundred of them) exported as text and delivered via e-mail. After a quick Google search, I couldn’t find any such script, so I created my own. I wrote it in Python and the only requirement is that you have the MySQLdb Python module installed (python-mysqldb in Debian).

Here it goes (I am a Python beginner, so beware):

#!/usr/bin/python

import MySQLdb
import time
import re
import getopt
import sys

def usage():
    print 'Usage: PhpbbExportPosts.py <DBHOST> <DBUSER> <DBPASS> <DBNAME> <POSTER> [options]'
    print
    print 'Obligatory arguments:'
    print
    print '  DBHOST: MySQL database hostname'
    print '  DBUSER: MySQL database user\'s username'
    print '  DBPASS: MySQL database user\'s password'
    print '  DBNAME: MySQL database name of phpBB'
    print '  POSTER: Username of the author of the posts to be exported'
    print
    print 'Options:'
    print
    print '  --prefix=PREFIX\tTable name prefix (default: phpbb_)'
    print '  --file=FILE\t\tOutput file name (default: none (stdout))'
    print '  --help\t\tPrint this help'

def main():
    # Finish at once if there are too few arguments
    if (len(sys.argv) < 6):
        usage()
        sys.exit(2)

    # (Try to) parse the options
    try:
        # The short options -p and -f take a value, hence the colons
        opts, args = getopt.getopt(sys.argv[6:], 'p:f:h', ['prefix=', 'file=', 'help'])
    except getopt.GetoptError, err:
        print str(err)
        usage()
        sys.exit(2)

    # Set options defaults
    file = None
    prefix = 'phpbb_'

    # Set the variables regarding to the options
    for o, a in opts:
        if o in ('-h', '--help'):
            usage()
            sys.exit()
        elif o in ('-p', '--prefix'):
            prefix = a
        elif o in ('-f', '--file'):
            file = a
        else:
            assert False, "Unhandled option"

    # Establish connection to MySQL
    conn=MySQLdb.connect(host=sys.argv[1],user=sys.argv[2], \
                                     passwd=sys.argv[3],db=sys.argv[4])

    # Set character set to UTF-8, which should be correct for phpBB
    conn.set_character_set('utf8')

    # Get a database cursor and set UTF-8 everywhere where possible
    cursor = conn.cursor()
    cursor.execute("SET NAMES utf8;")
    cursor.execute("SET CHARACTER SET utf8;")
    cursor.execute("SET character_set_connection=utf8;")

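    # The table prefix cannot be passed as a query parameter, so only accept
    # characters that are valid in a plain table name
    if not re.match(r'^[A-Za-z0-9_]+$', prefix):
        sys.exit('Invalid table prefix: ' + prefix)

    # Run the MySQL query to get all the posts of the selected poster; the
    # username is passed as a bound parameter instead of being pasted into
    # the SQL text
    query = ("SELECT a.post_time, a.post_subject, a.post_text " +
             "FROM " + prefix + "posts a, " + prefix + "users b " +
             "WHERE a.poster_id=b.user_id AND b.username=%s")
    cursor.execute(query, (sys.argv[5],))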

    # Open file for writing or use standard output
    if file is not None:
        output=open(file, 'w')
    else:
        output=sys.stdout

    # Print the formatted posts into a file one by one
    while (1):
        # Get the next post
        row = cursor.fetchone()

        # Exit when there are no more posts
        if row == None:
            break

        # Inter-post delimiter line
        output.write('================================================================================\n')

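        # Also remove all HTML tags with a regular expression (one tag per
        # match, so the text between two tags is kept)
        output.write('Post date: %s\nPost subject: %s\nPost content:\n\n%s\n\n' % (time.ctime(row[0]), row[1], re.sub('<[^>]*>', '', row[2])))

    # Print the total once, after the last post has been written
    print "Number of posts exported: %d" % cursor.rowcount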

if __name__ == "__main__":
    main()

Alternatively, you can download it from here.
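The following added example (not part of the original script) runs the same export query against an in-memory SQLite stand-in for the phpBB tables, so the effect of binding the username as a parameter and of the tag-stripping pattern can be checked offline. The table contents are constructed, the function names are chosen here, and sqlite3 uses `?` as its placeholder where MySQLdb uses `%s`.

```python
import re
import sqlite3

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
TAG_RE = re.compile(r"<[^>]*>")       # matches one tag at a time
GREEDY_TAG_RE = re.compile(r"<.*>")   # matches from the first "<" to the last ">"


def make_sample_db():
    """Build constructed phpbb_users / phpbb_posts tables in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER,
                                  post_time INTEGER, post_subject TEXT,
                                  post_text TEXT);
    """)
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien")])
    conn.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 1297641600, "Hello", "<b>First</b> post"),
        (2, 2, 1297645200, "Re: Hello", "<b>bold</b> and <i>italic</i>"),
        (3, 1, 1297648800, "Bye", "plain text"),
    ])
    return conn


def check_prefix(prefix):
    """Table names cannot be bound as parameters, so whitelist the prefix."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("invalid table prefix: %r" % prefix)
    return prefix


def posts_concatenated(conn, poster, prefix="phpbb_"):
    """Username pasted into the SQL text: a quote in the name changes the query."""
    sql = ("SELECT a.post_time, a.post_subject, a.post_text "
           "FROM " + prefix + "posts a, " + prefix + "users b "
           "WHERE a.poster_id=b.user_id AND b.username='" + poster + "'")
    return conn.execute(sql).fetchall()


def posts_bound(conn, poster, prefix="phpbb_"):
    """Username passed as a bound parameter: it is always treated as data."""
    sql = ("SELECT a.post_time, a.post_subject, a.post_text "
           "FROM {0}posts a JOIN {0}users b ON a.poster_id = b.user_id "
           "WHERE b.username = ? ORDER BY a.post_time").format(check_prefix(prefix))
    return conn.execute(sql, (poster,)).fetchall()


def strip_tags(text):
    """Remove HTML tags but keep the text between them."""
    return TAG_RE.sub("", text)


if __name__ == "__main__":
    conn = make_sample_db()
    for when, subject, text in posts_bound(conn, "o'brien"):
        print(when, subject, repr(strip_tags(text)))
    try:
        posts_concatenated(conn, "o'brien")
    except sqlite3.OperationalError as err:
        print("concatenated query failed:", err)
    print("greedy pattern leaves:", repr(GREEDY_TAG_RE.sub("", "<b>bold</b> and <i>italic</i>")))
```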


Feb 13 2011

Two thirds of traffic is IPv6 traffic? I doubt it.

Yesterday I came back home from Paris, where I attended the V6 World Congress 2011. Since I am interested in IPv4-IPv6 transitioning mechanisms, I was looking forward to hearing Jordi Palet Martinez’s talk on the tutorial day about them. During the talk, Jordi mentioned some interesting statistics – the percentage of IPv6 traffic on the Internet and the shares that Teredo and 6to4 have in this percentage. I cannot recall the exact numbers, but it is interesting to me because I was planning to do exactly the same for my PhD research. I had this idea of trying to persuade various ISPs or Internet exchange points to let me plug my statistic-gathering equipment into their switches and gather information about which transitioning mechanisms are most used today and what are their respective shares of packets flowing through.

I talked to Jordi and he suggested to Google a bit about 6meter – this is the software they used to measure traffic at various ISPs. One of them can be found here. Because the ISPs don’t like to give out their actual statistics, he has provided overall statistics only. However, I find the numbers very odd. Two thirds of the packets are IPv6 packets? Almost a half of the bytes are IPv6 bytes? I was talking to a few other people at the conference and they said that this is impossible or at least that this is a very non-representative sample which cannot be used to prove that the findings hold true for the whole Internet. The actual IPv6 packet/byte percentages should be a lot smaller than Jordi’s.

Anyway, I am very interested in this topic, so I am still trying to find any other similar published research. If you know of any, please let me know.


Feb 12 2011

IPv6 address database: ipv6list.com

A few weeks ago I saw a presentation from van Hauser titled Recent advances in IPv6 insecurities. He merges three different sources of IPv6 addresses to obtain a database of IPv6 addresses:

  • search engines and databases (directories),
  • DNS (bruteforcing),
  • common addresses.

He shows that this method is quite successful for those who are interested in getting as many IPv6 addresses as possible. So I was thinking – why not put up a public database of such addresses and provide a way for anybody to contribute them.

The main purpose of such a database is to make the IPv6 Internet a bit more “enumeratable” for those who would like to do any kind of research on the nature and behaviour of the IPv6 Internet. Also, it may convince those who would like to not be listed (I guess for security through obscurity reasons) to actually renumber from <prefix>::1 to something else.

Of course, any ideas about other possible techniques for harvesting IPv6 addresses, are welcome.
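For checking your own address plan against the “common addresses” category mentioned above, the added sketch below (not from the presentation or from this site) sorts the interface identifier of each address into a few guessable patterns such as `<prefix>::1`. The category names, the word list and the sample inventory are assumptions made for this example, and the rules are heuristics.

```python
import ipaddress

# Hex "words" sometimes used in hand-assigned addresses (illustrative list).
WORDS = {0xDEAD, 0xBEEF, 0xCAFE, 0xFACE, 0xBABE, 0xF00D, 0xFEED, 0xC0DE}


def classify_iid(addr):
    """Classify the low 64 bits (interface identifier) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    groups = [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    if iid == 0:
        return "zero"                      # <prefix>::
    if iid <= 0xFFFF:
        return "low-byte"                  # <prefix>::1, <prefix>::53, ...
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"                     # derived from the MAC address
    if all(g in WORDS for g in groups if g):
        return "wordy"                     # <prefix>::dead:beef
    hexes = [format(g, "x") for g in groups]
    if groups[0] and all(h.isdigit() and int(h) <= 255 for h in hexes):
        return "ipv4-decimal"              # <prefix>::192:0:2:33
    if iid <= 0xFFFFFFFF:
        return "ipv4-hex"                  # <prefix>::c000:221
    return "opaque"                        # no recognisable pattern


def audit(addresses):
    """Group an address inventory by interface-identifier category."""
    report = {}
    for addr in addresses:
        report.setdefault(classify_iid(addr), []).append(addr)
    return report


def predictable(addresses):
    """Return the addresses whose interface identifier follows a pattern."""
    return [a for a in addresses if classify_iid(a) != "opaque"]


# Constructed inventory inside the 2001:db8::/32 documentation prefix.
INVENTORY = [
    "2001:db8::1",
    "2001:db8:0:1:211:22ff:fe33:4455",
    "2001:db8::192:0:2:33",
    "2001:db8::c000:221",
    "2001:db8::dead:beef",
    "2001:db8::8c3a:5f1e:9b27:d4a6",
]

if __name__ == "__main__":
    for category, members in sorted(audit(INVENTORY).items()):
        print("%-13s %s" % (category, ", ".join(members)))
    print("candidates for renumbering:", len(predictable(INVENTORY)))
```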


Feb 11 2011

netfilter’s way of tracking ICMPv6 connections

These days I am configuring a Debian-based firewall, whose iptables policy is being managed by Firewall Builder tool. Check it out, it’s a really cool, object-based firewall policy management tool.

However, I was quite stumped when I realized that if I make an “allow all” mixed (IPv4/IPv6) policy, the ICMPv6 packets are not let through the bridge (I am doing filtering on a bridge interface). This is not really intuitive, so I thought it must be some kind of bug. I still recall that some time ago, netfilter had serious problems tracking IPv6 connections (it would improperly match valid connections, which made it impossible to drop the packets which matched INVALID state).

My rationale was: I should pass all IPv6 packets, which match NEW, RELATED or ESTABLISHED state in both directions and I should be fine. This is also what Firewall Builder generates. However, I found out that ICMPv6 packets other than PING (echo/reply) don’t match netfilter states at all! So that was why Firewall Builder’s policy wouldn’t let my ICMPv6 packets (e.g. neighbor discovery) through.

The solution is straightforward: make an additional “allow any” rule only for ICMPv6 packets and make it stateless. Firewall Builder nicely supports that, you can double click the Options column and check the “Stateless” check box.


Oct 13 2010

SharePoint Services 3.0 dead after applying KB983444

I am not a Windows administrator, really. But I do take care of one Windows 2008 SBS machine and we have Exchange 2007 and SharePoint Services 3.0 installed. Recently, I installed a security update for Windows SharePoint Services 3.0 (KB983444). After rebooting, all my SharePoint sites were down (404 error). It took me quite a few hours to put them back online. I tried many things, among them:

  • running SharePoint Products and Technologies Configuration Wizard, which failed at step 9/10,
  • running “psconfig -cmd upgrade -inplace b2b -wait -force“, which failed with various errors.

Finally, I did this to solve the problem: I connected to Central Administration and then went to the “Operations” tab. Then, I chose “Services on Server” and clicked “Windows SharePoint Services Search”. There, I entered my administrator account as the “Service Account”. I saved the changes and then reran the SharePoint Products and Technologies Configuration Wizard, which worked this time (although it took a very long time to do everything it had to do).


Feb 1 2009

RCPFA 1.0.5 available

The 1.0.5 version is out. It makes RCPFA compatible with RoundCube 0.2-stable. Thanks to Andrey Sharandakov!


Nov 30 2008

gmirror and gvinum on the same drives

In 2006, when I was installing a FreeBSD server for our client, one of the requests was also a RAID-5 array of some kind. I checked out and discovered GEOM vinum (or gvinum), which provided what I needed at that time. It is a file server, but throughput is not a critical issue, so I tried it (at that time, graid5 was not yet available, AFAIK). I am writing this because this weekend I had to rebuild the array (and copy the data) with new, larger drives, which took me many hours, because there is not much documentation on how to make different GEOM RAID subsystems share the same three drives.

This is what I wanted to achieve: have three drives, which would contain two gmirror (RAID-1) arrays (one for root partition, the other for swap) and three gvinum (RAID-5) volumes – for /var, /tmp and /usr. For the latter, it is best to use volume management capabilities of gvinum, which allows you to join only three physical devices (or slices or partitions) with it, so that the logical volumes are created “inside” the vinum manager.

The main problem was, that I forgot how to do this “properly”. It was 2 years since I did this (of course, I didn’t write it down how I did it, although it took me a few hours) last time and since the machine is far away, I don’t have physical access. This would have helped, because I could just put the old drives back and see how they were configured, but the remote system administrator already exchanged the drives and I didn’t want to bother him.

In FreeBSD terms, a partition is a logical unit, which resides on a slice (which is actually a partition from other operating systems’ point of view). Let’s have four drives on the system: /dev/ad0, /dev/ad1, /dev/ad2 and /dev/ad3. We’ll assume that on /dev/ad0 there is the system we are booting and running FreeBSD at the moment and we want to create the arrays on the other three drives, which will eventually run by themselves (we’ll pull the /dev/ad0 out when we finish). When you create a slice on /dev/ad1, for example, you’ll be able to access it via /dev/ad1s1. When you create a partition on this slice, you’ll see it as /dev/ad1s1a, where the last letter “a” can also be “b”, “d”, “e”, and so on, you know the alphabet. This naming system is somewhat peculiar, and I don’t like it but I can live with it. The letter “a” usually hosts the root partition, and the letter “b” provides swap space. As you can see, there is no letter “c”. This is because it specifies the whole slice and therefore it should not be used for anything else.

Usually, when you’re setting up the gmirror RAID-1 on FreeBSD, you put it on the physical drive directly, i.e. you make the /dev/ad0 visible as /dev/mirror/gm0 (after you put the metadata on the drive, by running ‘gmirror create’), which also means that all existing slices and partitions will be visible at the new location. If you had /dev/ad0s1a, you’ll now have /dev/mirror/gm0s1a. Which is very nice and makes gmirror very easy to set up after the system was installed. In the end, you just add other mirrors (/dev/ad1, …) in the array and that’s it.

However, if you want to use gvinum on the same drives (to make RAID-5 arrays, for example), you can’t do that. You’ll need to gmirror something else: the slices or the partitions, but not the whole drives. Now FreeBSD allows you to have no slices at all – to create the FreeBSD partitions (the letters) directly on the drive (so you’ll have /dev/ad1a). So when I started to think about how I would partition the drives and which units I would merge with gvinum and gmirror, I became a bit confused. So I tried a few ideas I had and none of them really worked because I didn’t know what commands such as “bsdlabel -w”, “boot0cfg”, “gmirror label”, “gvinum create” and creating slices via “sysinstall” actually do. Where do they write their data? At what offsets and what are the sizes of these metadata? I found it quite annoying that there isn’t much documentation about this (at least not well organized), so I had to do some homework. Here is what I discovered:

gvinum — When you run “gvinum create”, it will rewrite the bytes from 0x1000 to 0x21200, that is from block 8 (first 8 blocks are left untouched) to block 265 with its own configuration data, so you have to be careful not to mess with these blocks.

gmirror — Running “gmirror label” puts gmirror’s metadata on the last block of the device. The size in blocks of the mirror is then the number of blocks of the device – 1.

bsdlabel — When labelling a slice (or the drive directly), bsdlabel writes label information to the second block (from address 0x200 on, in my tests it never passed the 0x2c0 limit, which still fits into the second block).

boot0cfg — Since it rewrites the MBR with BootMgr, this means it rewrites the first block (block 0) of the drive.

fdisk — Fdisk writes the slice information into first 16 blocks of the slice. This means, that you shouldn’t label them with bsdlabel (don’t assign them to any of the partitions), or you can have problems.

To sum up, the only configuration which worked for me on FreeBSD 6.1 (yes, quite an old one) was the following. First I created slices on all of the drives (one on each drive) and wrote the BootMgr onto them (you can do this easily by running sysinstall and then going to Custom and then Partition). You select the first drive (of the three) and then, when in the fdisk editor, press a and then w to write the slice. When asked about MBR, just say BootMgr and that’s it. This will ensure that there is a boot manager on the drive (which means you can boot from it). You have to repeat this procedure for the other (two) drives as well.

Then, you have to edit the label of all three slices, running “bsdlabel -e /dev/ad1s1” (for the slice on the first drive). You have to provide the following partition set:

a:  1048576       16    4.2BSD        0     0     0
b:  4194304  1048592      swap
c: 976768002       0    unused        0     0         # "raw" part, don't edit
d: 971525106 5242896     vinum

In this configuration you can see that the size of “a” (root) partition is 1048576 512-byte blocks which means 512 MB. The offset of 16 blocks for the “a” partition is very important, since the slice needs the first 16 blocks for itself. The size of the “b” (swap) partition is 4 times the size of “a” (2 GB) and the “d” takes all the space left on the slice.

So the idea is to make two gmirror arrays, the first one will consist of the three “a” partitions (remember, we have three hard drives) and will be used as the root partition. The second one will consist of the three “b” partitions and will be used as swap space. All the “d” partitions will be used for the construction of the gvinum array.
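The label above leaves no room for arithmetic mistakes, so the added sketch below (not part of the original procedure) parses it and checks the constraints described in this post: nothing assigned inside the first 16 blocks of the slice, no overlapping partitions, and nothing beyond the “c” size. It also derives the sizes quoted in the text; the function names are chosen here, and 512-byte blocks are assumed as stated above.

```python
BLOCK_SIZE = 512        # bytes per block, as used in the label above
RESERVED_BLOCKS = 16    # slice start that must not belong to any partition

# The partition set from the post, copied verbatim.
LABEL = """\
a:  1048576       16    4.2BSD        0     0     0
b:  4194304  1048592      swap
c: 976768002       0    unused        0     0         # "raw" part, don't edit
d: 971525106 5242896     vinum
"""


def parse_label(text):
    """Return {letter: {"size", "offset", "fstype"}} from bsdlabel-style rows."""
    parts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        parts[fields[0].rstrip(":")] = {
            "size": int(fields[1]),
            "offset": int(fields[2]),
            "fstype": fields[3],
        }
    return parts


def check_label(parts):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    whole = parts.get("c")
    if whole is None or whole["offset"] != 0:
        problems.append("partition c must exist and start at block 0")
    used = sorted((p["offset"], p["offset"] + p["size"], name)
                  for name, p in parts.items() if name != "c")
    for start, _end, name in used:
        if start < RESERVED_BLOCKS:
            problems.append("partition %s starts at block %d, inside the first "
                            "%d blocks of the slice" % (name, start, RESERVED_BLOCKS))
    for (_s1, end1, n1), (start2, _e2, n2) in zip(used, used[1:]):
        if start2 < end1:
            problems.append("partitions %s and %s overlap" % (n1, n2))
    if whole is not None and used and used[-1][1] > whole["size"]:
        problems.append("partition %s ends beyond the slice" % used[-1][2])
    return problems


def size_mib(blocks):
    """Size of a partition in MiB."""
    return blocks * BLOCK_SIZE // (1024 * 1024)


def mirror_blocks(blocks):
    """Usable blocks of a gmirror provider: the last block holds its metadata."""
    return blocks - 1


def raid5_mib(subdisk_mib, drives):
    """RAID-5 capacity: one subdisk's worth of space goes to parity."""
    return subdisk_mib * (drives - 1)


if __name__ == "__main__":
    parts = parse_label(LABEL)
    print("problems:", check_label(parts) or "none")
    for name in ("a", "b", "d"):
        print("%s: %d MiB at block %d" % (name, size_mib(parts[name]["size"]),
                                          parts[name]["offset"]))
    print("root mirror usable blocks:", mirror_blocks(parts["a"]["size"]))
    print("var with 1024m subdisks on 3 drives:", raid5_mib(1024, 3), "MiB")
```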

First, you need to load the geom_mirror module, which enables the kernel to handle the gmirror arrays. You do this by running “kldload geom_mirror”. But this change needs to be made permanent (so the module will load at boot), so you need to add these two lines to /boot/loader.conf:

geom_mirror_load="YES"
geom_vinum_load="YES"

This will also enable loading gvinum at boot, which we will need later (when the system will boot from the new arrays). Now it’s time to create the arrays. You’ll run something like:

# gmirror label -v -b round-robin root /dev/ad1s1a
# gmirror label -v -b round-robin swap /dev/ad1s1b
# gmirror insert root /dev/ad2s1a
# gmirror insert root /dev/ad3s1a
# gmirror insert swap /dev/ad2s1b
# gmirror insert swap /dev/ad3s1b

This was for the gmirror arrays. Now make a file named gvinum.conf and put this in it:

drive disk1 device /dev/ad1s1d
drive disk2 device /dev/ad2s1d
drive disk3 device /dev/ad3s1d
 volume var
  plex org raid5 491k
   sd length 1024m drive disk1
   sd length 1024m drive disk2
   sd length 1024m drive disk3
 volume tmp
  plex org raid5 491k
   sd length 512m drive disk1
   sd length 512m drive disk2
   sd length 512m drive disk3
 volume usr
  plex org raid5 491k
   sd length 0 drive disk1
   sd length 0 drive disk2
   sd length 0 drive disk3

And then you run:

# gvinum create gvinum.conf

This will create three gvinum RAID-5 arrays – for /var, /usr and /tmp. They will be accessible via /dev/gvinum/var, /dev/gvinum/usr and /dev/gvinum/tmp respectively. You should know that the size of the RAID-5 array is the sum of the sizes of all drives minus the size of one drive. This makes our /var 2 GB, /tmp 1 GB and /usr the rest. If you execute “gvinum list” now, you’ll see that all the arrays are marked as up. However, this will not be the case after you reboot. I don’t know exactly why, perhaps this is a bug. Also I am not sure if it is present in the newest FreeBSD releases. So it is very important that you reboot the system now. After it comes back online, you have to run:

# gvinum start var
# gvinum start usr
# gvinum start tmp

Then you have to wait for the arrays to become synchronized. It may take a while. You can always check status with “gvinum list”. When the arrays are synchronized, you need to create the filesystems on all of them:

# newfs /dev/mirror/root
# newfs -U /dev/gvinum/var
# newfs -U /dev/gvinum/usr
# newfs -U /dev/gvinum/tmp

After that, you should mount these new arrays in /mnt and copy the system you are running now onto them:

# mount /dev/mirror/root /mnt
# cd /mnt
# mkdir var tmp usr
# chmod 1777 tmp
# mount /dev/gvinum/var /mnt/var
# mount /dev/gvinum/usr /mnt/usr
# mount /dev/gvinum/tmp /mnt/tmp
# cd / && find . -xdev | cpio -pm /mnt
# cd /var && find . -xdev | cpio -pm /mnt/var
# cd /usr && find . -xdev | cpio -pm /mnt/usr
# cd /tmp && find . -xdev | cpio -pm /mnt/tmp

Finally, you have to modify your fstab file on the root gmirror array. Edit /mnt/etc/fstab as follows:

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/mirror/swap        none            swap    sw              0       0
/dev/mirror/root        /               ufs     rw              1       1
/dev/gvinum/tmp         /tmp            ufs     rw              2       2
/dev/gvinum/usr         /usr            ufs     rw              2       2
/dev/gvinum/var         /var            ufs     rw              2       2
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0

Now you can try to boot the system from one of the three drives which hold the RAID arrays and you should be lucky. If you aren’t, you are welcome to post comments here and we’ll try to sort it out together.
