Wednesday, June 10, 2015

First Tintri T880 in Finland?

Well, I'm not 100% sure if it's the first, but for sure there are not many Tintri boxes in Finland.

And what is Tintri? It's application-aware storage that is extremely simple to set up.

I'm not writing a post on how to set it up or what it does, since it's so simple and there are already many good posts about it. But I'm planning to write up some real-life experiences once we get real production load on our new storage.

But here are some sneak peeks:

[Four photos posted by scattereditnotes (@scattereditnotes)]

As you can see, we also have an older T650 that was used in our POC.

Error joining ESX 5.5 host to Active Directory

After joining an ESX 5.5 host to Active Directory, I was not able to log in to the host with my AD account.

Also, the lsassd (Likewise Identity and Authentication Service) service was not running:
~ # /etc/init.d/lwiod status
running
~ # /etc/init.d/lsassd status
stopped
~ # /etc/init.d/netlogond status
running

And when you try to start it manually:
~ # /etc/init.d/lsassd start
Starting Likewise Identity and Authentication Service...failed

The reason for this is that a directory is missing on the host! (And yes, it's a bug in ESX.)

So, log in to the host with the root account and create the directory /var/lock/subsys:
~ # cd /var/lock
/var/lock # mkdir subsys


But the Likewise Identity and Authentication Service still does not start. You need to restart lwiod (Likewise IO Manager Service) and netlogond (Likewise Site Affinity Service), and after that start lsassd.

/var/lock # /etc/init.d/lsassd start
Starting Likewise Identity and Authentication Service...failed
/var/lock # /etc/init.d/lwiod restart
Stopping Likewise IO Manager Service...ok
Starting Likewise IO Manager Service...ok
/var/lock # /etc/init.d/netlogond restart
Stopping Likewise Site Affinity Service...ok
Starting Likewise Site Affinity Service...ok
/var/lock # /etc/init.d/lsassd start
Starting Likewise Identity and Authentication Service...ok


And now I was able to log in to that host with my AD account!

These links helped me resolve this issue:
VMware KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075398
VirtualMe blog: http://blog.jgriffiths.org/?p=677

Monday, April 20, 2015

Netscaler part 4: Redirect HTTP to HTTPS

I'm writing a series of blog posts about Netscaler configuration, concentrating on the Content Switching feature. The main goal is to show how to use one VIP address with multiple back-end servers.

In this fourth part, we redirect all HTTP requests to our Content Switching VIP to HTTPS.

So, log in to your Netscaler and go to:
Traffic Management ->  Content Switching -> Virtual Servers
Click 'Add' button, to add new Content Switching Virtual Server (CSVS)



I'll name it: 'ContentSwitch-VIP HTTP-to-HTTPS'
Protocol: HTTP
And use same IP address as we used in part 1
Click 'OK'



Click 'OK'



Click 'Policies' on right side.



Click '+' icon on 'Policies'



Under 'Choose Policy', select 'Responder'
Click 'Continue'



Under 'Policy Binding', click on '+' Icon



Click '+' icon right to 'NOOP'



Name: 'responder_action_http-to-https'
Type: Redirect
Expression: "https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL
Check 'Bypass Safety Check'

Click 'Create'



Name: 'responder_policy_http-to-https'
Expression: 'true'
Click 'Create'



Click 'Bind'


And click 'Done'


And there it is:


Now, when a client connects to the VIP address listening on port 80, it is automatically redirected to HTTPS on port 443.

To do this with CLI:

add cs vserver "ContentSwitch-VIP HTTP-to-HTTPS" HTTP 192.168.86.3 80 -cltTimeout 180 -Listenpolicy None
add responder action responder_action_http-to-https redirect "\"https://\"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL" -bypassSafetyCheck YES
add responder policy responder_policy_http-to-https true responder_action_http-to-https
bind cs vserver "ContentSwitch-VIP HTTP-to-HTTPS" -policyName responder_policy_http-to-https -priority 100 -gotoPriorityExpression END -type REQUEST
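
A quick way to confirm that the redirect does what the responder expression says, as an added example that is not part of the original post: the hypothetical check_redirect function reads response headers and passes only if the reply is a 3xx whose Location is https:// plus the requested host and URL. The sample responses are constructed, not captured from an appliance.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_redirect HOST PATH: reads raw HTTP response headers on stdin and
# returns 0 only for a 3xx response whose Location is https://HOST+PATH,
# which is what the responder expression builds from the request.
check_redirect() {
    WANT="https://$1$2" awk '
        { sub(/\r$/, "") }                      # headers end in CRLF
        NR == 1 { status = $2; next }           # status line: HTTP/1.1 <code> ...
        tolower($1) == "location:" { loc = $2 }
        END {
            want = ENVIRON["WANT"]
            if (status !~ /^30[12378]$/) { print "FAIL: status " status; exit 1 }
            if (loc != want) { print "FAIL: Location " loc " != " want; exit 1 }
            print "OK: " status " -> " loc
        }'
}

# Constructed sample responses (not captured from a real appliance).
sample_redirect() {
    printf 'HTTP/1.1 302 Object Moved\r\nLocation: https://ubuntu.local.dom/index.html\r\nContent-Length: 0\r\n\r\n'
}
sample_no_redirect() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_still_http() {
    printf 'HTTP/1.1 302 Object Moved\r\nLocation: http://ubuntu.local.dom/index.html\r\n\r\n'
}

sample_redirect    | check_redirect ubuntu.local.dom /index.html
sample_no_redirect | check_redirect ubuntu.local.dom /index.html || true
sample_still_http  | check_redirect ubuntu.local.dom /index.html || true
```

Against the live VIP, pipe in the output of `curl -sI -H 'Host: ubuntu.local.dom' http://192.168.86.3/index.html` instead of a sample.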

This was the fourth part of the Netscaler blog series.
There might be more to come in the future on the same topic.


Netscaler part 3: Publish WEB-site with Content Switching Virtual Server

I'm writing a series of blog posts about Netscaler configuration, concentrating on the Content Switching feature. The main goal is to show how to use one VIP address with multiple back-end servers.

In this third part, we publish a web page using the Content Switching Virtual Server created in part 1 and the Load Balancing Virtual Server created in part 2.

So, log in to your Netscaler and go to:
Traffic Management -> Content Switching -> Virtual Servers
Select Virtual Server and click edit




Click 'No Content Switching Policy Bound'



Click on 'Click to select' under 'Select Policy'



Click 'Add' to create new policy.



Give name for policy and set this as an expression:
HTTP.REQ.HEADER("host").SET_TEXT_MODE(IGNORECASE).EQ("ubuntu.local.dom")



Click on 'Click To Select' under 'Target Load Balancing Virtual Server'



Select LBVS created in part 2 and click 'OK'



Click 'Bind'



Click 'Done'



And now, since my DNS resolves 'ubuntu.local.dom' to the IP address 192.168.86.3, I can test if this works:



And it does!

That page is shown to me through Netscaler. As you can see, the connection is HTTPS even though nginx on my Ubuntu test server is not configured to use HTTPS, so Netscaler does SSL offloading at this point: TLS terminates on the Netscaler, and the connection from Netscaler to the back end is plain HTTP.

With these first three posts, you should be able to publish web sites with the Netscaler Content Switching feature. To add more sites behind the same IP address, just follow the steps in parts 2 and 3 to add more servers behind that one IP address.

And here is how to do this with the CLI:

add cs policy redirect_ubuntu-nginx -rule "HTTP.REQ.HEADER(\"host\").SET_TEXT_MODE(IGNORECASE).EQ(\"ubuntu.local.dom\")"
bind cs vserver ContentSwitch-VIP -policyName redirect_ubuntu-nginx -targetLBVserver LBVS_ubuntu -priority 100

In the next part, I'll show how to redirect HTTP traffic to HTTPS with Content Switching.

Netscaler part 2: Creating settings for backend server

I'm writing a series of blog posts about Netscaler configuration, concentrating on the Content Switching feature. The main goal is to show how to use one VIP address with multiple back-end servers.

In this second part, we create a Load Balancing Server, a Load Balancing Service and a Load Balancing Virtual Server.

Let's start with the Load Balancing Server. It describes our back-end server itself, not any services that it might be offering.

So, log in to your Netscaler and go to:
Traffic Management -> Load Balancing -> Servers
Click 'Add' button, to add new Server


All you need is a name for your server and its IP address. In this example these are:
Server Name: ubuntu_backend
IPAddress: 192.168.174.130

And click 'Create'

A good practice is to use the back-end server's real hostname as the server name here.

And now we have the Server settings in place.

Next, we set up a Service.
Go to:
Traffic Management -> Load Balancing -> Services
Click 'Add' button, to add new Service


Settings in this example:
Service Name: ubuntu_backend_http
Then we select 'Existing Server' and select our newly created Server to be used in this service: ubuntu_backend
And as my demo server listens only on the HTTP port, we use Protocol: HTTP and Port: 80

And click 'OK'


We don't need to modify anything, so just click 'Done'


And here we can see our new service, and because my back-end server is up and running, its state is 'Up'.

And the last thing to do is to create a Load Balancing Virtual Server.

So, go to:
Traffic Management ->  Load Balancing -> Virtual Servers
Click 'Add' button, to add new Load Balancing Virtual Server (LBVS)




In the basic settings, the most important thing is to set 'IP Address Type: Non Addressable', because we want to use this with Content Switching.
Name: LBVS_ubuntu
Protocol: HTTP
IP Address Type: Non Addressable

Click 'OK'


Click on 'No Load Balancing Virtual Service Binding'


Click on 'Click to select'



Select our newly created Service and click 'OK'



Click 'Bind'



Click 'OK'



And click 'Done'


And our new Load Balancing Virtual Server is done.

It will show its State as 'Down', but click on refresh


And it should be up


To do these with the CLI:
Create Server

add server ubuntu_backend 192.168.174.130

Create Service

add service ubuntu_backend_http ubuntu_backend HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

Create LBVS and bind service to it

add lb vserver LBVS_ubuntu HTTP 0.0.0.0 0 -persistenceType NONE -Listenpolicy None -cltTimeout 180
bind lb vserver LBVS_ubuntu ubuntu_backend_http


In the next part, I will combine what has been done in the first two parts to publish a web site.

Netscaler part 1: Creating Content Switching VIP

I'm writing a series of blog posts about Netscaler configuration, concentrating on the Content Switching feature. The main goal is to show how to use one VIP address with multiple back-end servers.

In this first part, we create a Content Switching Virtual Server.

To do so, log in to your Netscaler and go to:
Traffic Management ->  Content Switching -> Virtual Servers
Click 'Add' button, to add new Content Switching Virtual Server (CSVS)



In my demo environment, I'm using the following settings:
Name: ContentSwitch-VIP
Protocol: SSL (reason for this -> I'm going to show how to do an http -> https redirect later on)
IP Address type: IP Address
IP Address: 192.168.86.3 (this is a subnet in my VMware workstation)
Port: 443 (default SSL (HTTPS) port)

So fill your settings and click OK



After giving initial settings for CSVS, click OK (we will fill in Policies later on)



Click the 'Certificates' button in the right-side pane (I'm not going through how to set up certificates on Netscaler, but you should have one ready at this point. A good guide can be found here: http://support.citrix.com/article/CTX121617)




Next, click on 'No Server Certificate'



Click on 'Click to select'



You should see your certificate in this list; in my example, I'm using 'test_certificate'. So, select your certificate and click OK



Click 'Bind'



And now, basic settings for your CSVS are ready, so you can click on 'Done'



After creating the CSVS, its status is shown as 'Down'. Click on the refresh button and the status will update.


And now it should look like this:



You can now try with your browser. If the CSVS is answering, you should get a page like this:

The same thing can be done in the CLI with these two commands:
add cs vserver ContentSwitch-VIP SSL 192.168.86.3 443 -cltTimeout 180 -Listenpolicy None
bind ssl vserver ContentSwitch-VIP -certkeyName test_certificate


In the next part, I'll show how to set up back-end server settings in Netscaler, so we can use them with our CSVS.