Actifio worked around the VMware CBT bug in 2012

There has been a lot of discussion lately about a VMware Change Block Tracking (CBT) bug that causes backup software to miss out on modified parts of VMDK files.  This results in corrupted backups.

The Register has had two articles about it:

Oct 27:  ESXi is telling fibs to backup software • The Register

Nov 3: VMware: Yep, ESXi bug plays ‘finders keepers’ with data backups • The Register

The articles point to this VMware Knowledgebase link, and mentions that there is no fix available from VMware.  Ouch!

Well of course since Actifio uses VMware Change Block Tracking (CBT) to capture images of VMs, my first thought was sh…    ahh actually this is child friendly blog…   but you get the idea.   Were petabytes of client data at risk of being bad?

Fortunately the answer is a resounding no.  Actifio does not depend on this particular API because we saw the potential for a flaw like this a long time ago.  In fact we changed the way we use the VMware APIs in 2012 to ensure this API could not affect us

Actually we were that concerned about data integrity when using external APIs that we developed a feature we call Fingerprinting to ensure the integrity of our images. With every image that Actifio creates, Actifio uses a sampling technique to confirm that the image created in Actifio’s storage pools is the same as the source we were fetching data from.  This applies to both VMs and to images created by our Connector software.

So with this Actifio customers can be assured that all available virtual images are free of any corrupt data due to CBT, backup calls, or any other capture procedures.

Monitoring IBM Storwize and IBM SVC products with Splunk

I have been playing around with Splunk recently, so I can understand what it is and why my customers may choose to it.   For those that don’t know, Splunk (the product) captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.  In essence Splunk is a really cool and smart way to look at and analyse your data.

Because Splunk is able to ingest data from almost any source we can quite easily start pulling data out of an IBM Storwize or SVC product and then investigate with Splunk.  I couldn’t find anything in Google on this subject, so here is a post that will help you along.

A common way to get data into Splunk is to use syslog.   Since Storwize can send events to syslog, all we need to do on the Storwize side is configure where the Splunk server is.

In this example I have chosen syslog level 7 (which is detailed output) and to send all events.

Then on Splunk side, ensure Splunk is listening for syslog events.   Storwize always uses UDP port 514:

However this really only captures events.   There are lots of other pieces of information we may want to pull out of our Storwize products and graph in Splunk.   So lets teach Splunk how to get them using CLI over SSH.

Firstly we need to supply Splunk a user ID so it can login to our Storwize and grab data.   I created a new user on my Storwize V3700 called Splunk, placed it in the Monitor group (so anyone with the Splunk userid and password can look but not touch) and then supplied a public SSH key since I don’t want to store a password in any text file and using SSH keys makes things nice and easy.  In this case I am using the id_rsa.pub file for the root user of my Splunk server, since in my case Splunk is running all scripts as root.

Now from my root command prompt on the Splunk server  (called av-linux) I test that access works to my V3700 (on IP address 172.24.1.121) using the lsmdiskgrp command.   It’s all looking good.

[root@av-linux ~]# ssh splunk@172.24.1.121 "lsmdiskgrp -delim ,"
id,name,status,mdisk_count,vdisk_count,capacity,extent_size,free_capacity,virtual_capacity,used_capacity,real_capacity,overallocation,warning,easy_tier,easy_tier_status,compression_active,compression_virtual_capacity,compression_compressed_capacity,compression_uncompressed_capacity 
0,InternalPool1,online,1,5,32.55TB,2048,27.06TB,5.49TB,5.49TB,5.49TB,16,80,auto,balanced,no,0.00MB,0.00MB,0.00MB

So I am now set up to write scripts that Splunk can fire on a regular basis to pull data from my Storwize device using SSH CLI commands.

Now here are two important things to realize about using SSH commands to pull data from Storwize and ingest them into Splunk:

1. For historical data like logs, it is very easy to pull the same data twice.  For instance if I grab the contents of the lseventlog command using an SSH script then I will get every event in the log, which is fine.   But if I grab it again the next day, most of the same events will be ingested.   If I am looking to validate how often a particular event occurs I will count the same event many times as I ingested it many times.   Ideally the Storwize CLI commands would let me filter on dates, but that functionality is not available
2. Real time display commands don’t insert a date into the output, but Splunk will log the date and time that each piece of data was collected on.

Lets take the output of lsmdiskgrp as shown above.   If we run this once per day we could track the space consumption of each pool over time.   Sounds good right?   So on my Splunk server I create a script like this.  Notice I get the output in bytes, this is important as the default output could be in MB or GB or TB.

ssh splunk@172.24.1.121 “lsmdiskgrp -delim , -bytes”

I put the script into the /opt/splunk/bin/scripts folder and call it v37001pools.

I make it executable and give it a test run:

[root@av-linux scripts]# pwd
/opt/splunk/bin/scripts
[root@av-linux scripts]# chmod 755 v37001pools
[root@av-linux scripts]# ./v37001pools
id,name,status,mdisk_count,vdisk_count,capacity,extent_size,free_capacity,virtual_capacity,used_capacity,real_capacity,overallocation,warning,easy_tier,easy_tier_status,compression_active,compression_virtual_capacity,compression_compressed_capacity,compression_uncompressed_capacity 
0,InternalPool1,online,1,5,35787814993920,2048,29753385943040,6034429050880,6034429050880,6034429050880,16,80,auto,balanced,no,0,0,0

So now I tell Splunk I have a new input using a script:

Input the location of the script, the interval and the fact that this is CSV (because we are using -delim with a comma.  Note my interval is crazy:   every 60 seconds is way too often, even every 3600 seconds is probably too often.  I used it to get lots of samples quickly.

I now confirm I have new data I can search:

And the data itself is time stamped with all fields identified and has all the data like pool names.

Now I can start graphing this data.   With Splunk what I find is that if someone publishes the XML this makes life way easier.    So I created an empty Dashboard called Storwize Pools and then immediately select Edit Source

Now replace the default source (delete any text already in the source) with this where you change the heading and script name with your own (in red) and the pool name of one of your pools (in blue).  If you have more than one pool, add an additional chart for every pool (copy all the chart section and just make a new chart).

---

In the attached word document you will find the required XML.   For some reason WordPress kept fighting me and changing my quotes so I have attached the XML as a doc.

SplunkDashboard

---

And we get a lovely Dashboard that looks like this.  Because the script runs every 60 seconds, I am getting 60 second stats.

We could run it every day or use a cron job to run it at the same time of every day (which makes more sense).   Maybe once per day at 1am by setting the interval to a cron value like this:   0 01 * * *

So hopefully that will help you get started with monitoring your SVC or Storwize product with Splunk.

If you would like some more examples, just leave a comment!

The quest for perfect knowledge doesn’t start with a screen capture

One of the fun parts of my job is problem solving….  I wont lie… I love it.

Step one in problem solving is always the same:  define the problem.
Step two:  get the data needed to solve the problem.
Step three:  solve it!

Simple, right?

Wrong.

One of the reasons IT gets it wrong again and again is simple:  the assumption of perfect knowledge.   We assume that with one sentence or even worse, one screen capture, we have described the problem with enough depth that it can now be solved.   That the team now perfectly understand the problem and that the solution they supply will be…. wait for it….  you guessed it….  perfect!

Don’t get me wrong, I love screen captures (using my favourite tool, Snagit).   In fact screen captures are one of my number one tools for writing documentation.  When I worked on IBM Redbooks (one of IBMs greatest free gifts to the IT community) I often found some chapters were more picture than text… and that was ok.   People need to see what it is you are talking about.

But when it comes to describing a problem, in the vein of a picture is worth a thousand words, a screen capture can be the devil itself.   The issue with screen captures is simple:   they contain information that cannot be easily searched or indexed (apart from with your eyeball).   They may show the problem or just barely validate that the problem exists, but they rarely help in SOLVING the problem.

Last week I got my favourite kind of screen capture, the one taken of a screen with a phone (with the reflection of the photographer clearly visible in the shot).   Apart from giving me the ability to rate that person’s fashion sense, these kinds of shots are among the worst.   Amusingly when I asked why I didn’t also get logs, I was told the customers security standards would not allows logs to be sent.   Yeah right… this is the same customer who doesn’t mind you standing in the middle of their computer room taking photos of their displays with your phone?

So the next time you plan on sending a screen capture, stop for a minute and consider…  is this enough for a perfect solution?   Are there no logs I can send along with this picture?  Has the vendor supplied a tool I can use to offload data?   Or even better automatically send it?    Am I doing anything more than just describing the problem itself?

Shellshock and IBM SVC and Storwize products

While blogging last week about how various vendors have responded to the Shellshock exploit, I noted that several vendors, notably Oracle and Cisco were open about products that they did not yet have a fix for.     IBM meanwhile appears to be only announcing vulnerability after they have the fix.   In other words, vulnerable customers are left without formal notification that they are exposed, or made aware of any workarounds, until a fix is actually available.   I am left slightly annoyed by this policy.

The formal notification for the Storwize family and IBM SVC family came out here on October 11, 2014.  At time of writing these are the fix levels:

Remediation/Fixes
IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:

7.1.0.11
7.2.0.9
7.3.0.7

More importantly it contains this critical piece of information:

Vulnerability Details

The following vulnerabilities are only exploitable by users who already have authenticated access to the system.

In other words, the best way to manage exposure is to limit the number of users who have CLI access and to use network restrictions (such as ACLs and Firewalls) to restrict network access to your devices.

So kudos to IBM for creating fixed versions, I just wish that acknowledgement and remediation advice could have been published earlier.

 

Vale Randall Davis

I received some very sad news last week that Randall Davis has passed away.

Randall was a very experienced and capable IT professional based in Melbourne Australia. He worked for IBM for many years;  co-authored several IBM Redbooks and fathered two wonderful boys with his wife Fiona.

Randalls funeral will be held in the Federation Chapel, Lilydale Memorial Park, 126-128 Victoria Rd, Lilydale on Wednesday Oct. 8, 2014, commencing at 11.15 am.

If you knew Randall and wish to pay your respects, then please attend.

Shell shocked by binary explanations

On September 24, 2014 some new exploits to gain unauthorized access to Unix based systems that have a bash shell were revealed.   Known collectively as shellshock it has caused tremendous consternation and activity in the IT industry.

What has proven interesting is the way each major vendor has chosen to respond to this issue. An enormous number of products, whether software, hardware or appliance, are affected.  You could almost safely assume that if a product can be accessed with a Unix like shell, then it is quite likely going to need patching, once the relevant vendor has released a fix.

But how can you know?

The best way is clearly if the vendor in question has released a statement and this is where things get interesting.    Some vendors have taken the attitude that when they have a fix, they will admit they have the vulnerability.

Ideally each vendor should post a list of:

• Products that are not vulnerable
• Products that are vulnerable but a fix is available
• Products that are vulnerable and no fix is available (yet)
• Products that may be vulnerable but testing is still in progress

This IBM website here happily lists unaffected products, but gives no guidance as to affected products.  You can see a screen capture below of the start of the unaffected product list.

The DS8000 has a page here detailing available fixes, but its stable mate the Storwize V7000  (and V3700 and V5000 and the SVC) are also almost certainly affected, but not a peep on the internet from IBM about them.    I presume because a fix is being written but is not yet available

Oracle have a great page here which has four sections with titles like:

• 1.0 Oracle products that are likely vulnerable to CVE-2014-7169 and have fixes currently available
• 2.0 Oracle products that are likely vulnerable to CVE-2014-7169 but for which no fixes are yet available
• 3.0 Products That Do Not Include Bash
• 4.0 Products under investigation for use of Bash

Cisco have a great page here with a very similar set of information with sections like:

• Affected Products
• Vulnerable Products
• Products Confirmed Not Vulnerable

EMC have a page here but as usual, EMC make it hard for us common people by putting it behind an authentication wall.

Actifio Copy Data Forum – September 17 in Sydney

Its been a few weeks between posts, with the simple reason that I have been quite busy at Actifio!   One thing that is keeping me busy is an event we are running up in Sydney next week and it would be great to see you there.

You will hear from leading organizations like Westpac NZ, NSW Ambulance Service, and other Actifio customers, and learn how they have transformed their data management with Actifio Copy Data Virtualisation solutions.

At Copy Data Forum 2014, you will learn more about the proven business impact of Actifio, including:

Improved Resiliency – through instant data access for data protection and disaster recovery.

Enhanced Agility- putting data where you need it and when you need it.

Transition to the Cloud – ensuring your data follows your applications wherever they live, including public, private, and hybrid cloud-based systems.

Dramatic Savings – up to 90% reduction in storage costs, and up to 70% reduction in network bandwidth.

Sound interesting?     Register Now