Steve’s incredible gift to the world…

boingboing.net's excellent tribute

No, it’s not the iPad, the iPhone, or even the iPod. It’s definitely the Mac. Steve Jobs’ real gift to the world was bringing the Mac to the market in 1984. The Macintosh was a major step in making personal computers pleasant and easy enough to use to gain mass market appeal. If the Mac hadn’t been released then, the industry, our industry, would not be where it is today. You likely would not be reading this, you would not be on Facebook or Twitter, you wouldn’t know many of the people you know, especially those met online.

The Mac was never the market leader, but its existence opened people’s eyes. Computers HAD to be easy to use like the Macintosh; cryptic commands typed into dark screens weren’t going to cut it. This changed the game: the competition released competing products and the personal computer industry as we know it was born.

That was what Steve did. He didn’t invent anything brilliant. He took fantastic people and technologies and integrated them into products that created market sectors that didn’t exist. He took huge gambles that industry experts almost always said would not pay off. Sometimes they didn’t. But others really did change the world. I know it’s trendy to hate Jobs, Apple, heck, anything popular with hipsters. Just don’t forget the value of what Jobs accomplished with his much too short life. Certainly the world would look very different today if the modern computer as we know it was still sitting in the halls of Xerox and the labs of universities for another 5 or 10 years as everyone continued to type cryptic commands into their terminals…

Rest in peace Steve, you changed my life, and for that I will be eternally grateful.


WTF bug in OS X 10.7

I know I’m WAY behind on blogging. I really hope I’ll find some time ASAP. I wanna talk really quickly about Mac OS X 10.7.

First the good. The UI changes are great. I have always been a fan of tiny widgets and maximizing screen real-estate. In 10.6 and prior, I went to great lengths to shrink every font and widget. In 10.7 there’s no need. Scroll bars are tiny and automatically fade out, you can full screen most apps, fonts and widgets are just smaller. Fantastic. New UI animations and transitions are everywhere and delay things a bit; hopefully there will be a TinkerTool or similar to disable them. They’re short and tolerable but as an example, I am typing a character or two into the ether when switching spaces during the animation. I’m not really into the LaunchPad paradigm, but the MasterControl look works for me. Mail.app’s new UI is fantastic, iCal’s is a bit over the top. Mail.app’s performance (specifically around large operations and anything RSS related) is a complete train wreck. I expect a patch soon. Reverse scrolling took less than a day to adjust to (I am an iPad/iPhone user though). Autocorrect is a nice addition. The new Finder is great, Safari updates seem good, heck even the Terminal.app updates are nice! Grab an updated version of TerminalCopyOnSelect and away you go.

10.7 is a huge update, in the way 10.5 was to 10.4, and at $29. If Mail.app’s performance is fixed I’ll likely be very happy.

Here’s a very WTF bug though. I ran into it last night and figured it was just me, or I’d boned something up. I have a bunch of shell scripts that do SSH port forwards for accessing network appliances and infrastructure behind lock and key. Half of them stopped working on me, failing to resolve their respective hosts. How strange. Amusingly Brandon was complaining of basically the same problem this morning so we decided to take a look.

Somehow OS X’s resolver library is no longer checking any hostname with a dot in it against the /etc/resolv.conf search directive in 10.7. Seriously. Let’s say I have a server called admin.omghi2u.com. My /etc/resolv.conf (and OS X network control panel) contain omghi2u.com in the search field. Surely, we can resolve (ping, ssh, web browse, whatever) to ‘admin’ since it can match that as admin.omghi2u.com. Cool. Now normally, in UNIX (heck even Windows land!) if I had admin.tor.omghi2u.com and admin.chi.omghi2u.com, simply hitting ‘admin.tor’ or ‘admin.chi’ would match the omghi2u.com hostnames. Not the case in 10.7. Something is clearly broken in the resolver in libSystem. Oddly, despite being linked to the same library, the host command still functions properly… Maybe the search logic is handled by the command itself…

While it’s a simple bug fix, it’s an annoying oversight on Apple’s part. Breaking basic UNIX networking functionality is kinda shameful.

UPDATE (JULY 26th): Head over to Brandon’s site for a fix!

Emailing events out from an F5 Big-IP | epic one line bash script

Ugh it’s almost been a month since I last blogged, and I’ve had a lot to blog. It’s been super busy with a lot of big projects coming to an end at work, and I’ve spent my free time blasting through rolls of film and enjoying the awesome weather… Going to take tomorrow off and just write up any of the blog posts I can remember…..

I’m not a huge bash guy, in fact nine times out of ten I’ll choose perl. I like the way perl handles strings, escaping and its general syntax better. Sometimes however, it’s just better to use bash, say for a cron, especially if you can pull it off in one line (instead of maintaining a script on disk). This is definitely advantageous when you are adding a cron to an appliance; it’s nice to maintain everything that isn’t provided by the managed distribution in a single location (i.e. root’s crontab).

I’m a big fan of F5, the Big-IP product line is fantastic as is their support. There’s definitely a lot of ways to get alerting, the best of which would be SNMP, or even have the included alertd directly email your pagers. Personally, I don’t have an SNMP driven alerting system, 99% of our devices/systems are actively monitored by dedicated monitoring systems. Modifying alertd has the problem that you have to port your changes forward during any OS updates, and we are currently split between OS 9.x and OS 10.

I decided to write a quick little non-intrusive script (no changes to OS configuration, nothing to maintain changes to), and keep it as a single cronable line, to comb the LTM logs (though this could easily be used for GTM logs as well) and email out notifications. The log looks like:


Jun 8 17:31:09 local/tmm notice tmm[1823]: 01070028:3: No members available for pool db-cluster.omghi2u.dev
Jun 8 19:12:17 local/ltm1 notice mcpd[3377]: 01070640:5: Node 192.168.110.82 monitor status down.
Jun 8 19:13:51 local/ltm1 notice mcpd[3377]: 01070728:5: Node 192.168.110.82 monitor status up.
Jun 8 19:13:51 local/tmm notice tmm[1823]: 01070028:3: No members available for pool web-cluster.sup2u.qa
Jun 8 19:15:08 local/ltm1 notice mcpd[3377]: 01070727:5: Pool member web2.sup2u.qa:80 monitor status up.

The log formatting in OS9 is a bit less verbose than OS10, but basically it always starts with a timestamp formatted %b %e %H:%M:%S, then the log entry (OS9 lacks the log level and context). We want to check every 5 minutes (could be bumped to every minute) for any new entries in the last 5 minutes, and email them out if they aren’t stuff we don’t care about.

Some cool stuff of note: if you want to do a for loop on new lines instead of any whitespace, you need to change the IFS variable around. Just make sure you unset it when you are done or you will screw your terminal (or cron run!) up. The code originally looked like:


export IFS=$(echo -en "\n\b"); guts=$(for i in `cat /var/log/ltm | awk '{print $1 " " $2 " " $3}'` ; do unixtime=$(date --date=$i +"%s"); if (( unixtime > `date --date="5 minutes ago" +%s` )); then grep `date --date="@$unixtime" +"%b %e %H:%M:%S"` /var/log/ltm; fi; done | sort | uniq | grep -v -f /root/ltm_excludes.txt); if [ -n "$guts" ]; then echo "$guts" | mail -s "$HOSTNAME logs" "[email protected]"; fi; unset IFS;

And worked like a charm on OS10, but OS9 is based on Redhat 3, and has an ancient version of the date command that didn’t support the @timestamp format. Lovely. There’s lots of people using the pure date command to get around this, but timezones become a problem and are messy. It’s way better to use awk’s wrapper to strftime() and thus our fully backward compatible cron is:


*/5 * * * * export IFS=$(echo -en "\n\b"); guts=$(for i in `cat /var/log/ltm | awk '{print $1 " " $2 " " $3}'` ; do unixtime=$(date --date=$i +"\%s"); if (( unixtime > `date --date="5 minutes ago" +\%s` )); then grep `date --date=\`echo | awk "{ print strftime(\"\%c\", $unixtime) }"\` +"\%b \%e \%H:\%M:\%S"` /var/log/ltm; fi; done | sort | uniq | grep -v -f /root/ltm_excludes.txt); if [ -n "$guts" ]; then echo "$guts" | mail -s "$HOSTNAME logs" "[email protected]"; fi; unset IFS;

Only thing I wasn’t totally happy with was that I had to do a dumb echo | into awk. I couldn’t figure out (from the man page and a quick googling) how to get awk to do its thing without stdin or a file. Oh well. That was a lot of fun to write. You could change it to a whitelist by making a /root/includes.txt kind of file and losing the -v on grep. In fact you could have two crons. General alerts go to your ops inbox, alerts you are worried about (like pools having no members left :D) go to your emergency inbox (pagers). Or many crons. Or actually just hack up the alertd.conf… Or alert on SNMP! Either way, happy scripting!

UPDATE: (June 21st, 2011) On a day filled with a particularly large number of port scans resulting in lots of grep-filtered RST response messages, we decided to move the grep -v up to the beginning instead of at the end; this increases performance immensely. No more spikes on the CPU0 graphs! Here’s the updated script, smarter logic this time ’round:

*/5 * * * * export IFS=$(echo -en "\n\b"); guts=$(for i in `grep -v -f /root/ltm_excludes.txt /var/log/ltm | awk '{print $1 " " $2 " " $3}'` ; do unixtime=$(date --date=$i +"\%s"); if (( unixtime > `date --date="5 minutes ago" +\%s` )); then grep `date --date=\`echo | awk "{ print strftime(\"\%c\", $unixtime) }"\` +"\%b \%e \%H:\%M:\%S"` /var/log/ltm; fi; done | sort | uniq ); if [ -n "$guts" ]; then echo "$guts" | mail -s "$HOSTNAME logs" "[email protected]"; fi; unset IFS;
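
An added example, not the post's own cron line: the same exclude-then-window filter done in a single pass, so no date process is forked per log line and a Dec 31 to Jan 1 rollover still orders correctly. The function names, the cutoff/now arguments and the exclude pattern in the demo are assumptions; the demo's log lines are taken from the sample above.

```shell
#!/usr/bin/env bash
# recent_ltm_events LOG EXCLUDES CUTOFF NOW
#   Prints LOG lines newer than CUTOFF that match no pattern in EXCLUDES.
#   CUTOFF and NOW use the log's own "%b %e %H:%M:%S" timestamp format.
recent_ltm_events() {
  grep -v -f "$2" "$1" | awk -v cutoff="$3" -v now="$4" '
    # Ordering key only (not real epoch seconds): month/day/time packed into one number.
    function key(mon, day, hms,    t) {
      split(hms, t, ":")
      return (((M[mon] * 32 + day) * 24 + t[1]) * 60 + t[2]) * 60 + t[3]
    }
    # Syslog stamps carry no year: a stamp later than "now" must be from last year.
    function norm(k) { return (k > nowk) ? k - YEAR : k }
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
      for (i = 1; i <= n; i++) M[name[i]] = i
      YEAR = 13 * 32 * 86400
      split(now, a, " ");    nowk = key(a[1], a[2], a[3])
      split(cutoff, c, " "); cutk = norm(key(c[1], c[2], c[3]))
    }
    ($1 in M) && norm(key($1, $2, $3)) > cutk
  '
}

# Demo: log lines from the post's sample; the exclude pattern is constructed.
demo_ltm() {
  local d; d=$(mktemp -d)
  cat > "$d/ltm" <<'EOF'
Jun  8 17:31:09 local/tmm notice tmm[1823]: 01070028:3: No members available for pool db-cluster.omghi2u.dev
Jun  8 19:12:17 local/ltm1 notice mcpd[3377]: 01070640:5: Node 192.168.110.82 monitor status down.
Jun  8 19:13:51 local/ltm1 notice mcpd[3377]: 01070728:5: Node 192.168.110.82 monitor status up.
Jun  8 19:13:51 local/tmm notice tmm[1823]: 01070028:3: No members available for pool web-cluster.sup2u.qa
EOF
  echo 'monitor status up' > "$d/excludes"
  recent_ltm_events "$d/ltm" "$d/excludes" "Jun  8 19:10:00" "Jun  8 19:15:00"
  rm -rf "$d"
}
```

From cron, the last two arguments would come from `date --date="5 minutes ago"` and `date` with the same format string, with each `%` escaped as `\%` as in the crontab lines above.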


Labelling switch ports, the easy way!

Problem: You have many (many many) servers and you want to know which server is on which switch port. Short of a manual (and very time consuming) cable trace and box audit, how do you make sure stuff is plugged in where you think it is?

Solution: Ask the switch who lives where, make perl do the heavy lifting!

Our HP ProCurves provide what they call ‘port address tables’ which basically tell you which MACs are seen on which ports. A bit of digging and that info was just an SNMP call away. The MACs are stored in decimal format, in the OID, and the integer value it points to is the port number. Ports after physical ports (on ProCurves) are VLANs and Trunks. (The mappings and locations of ports is probably completely vendor specific though!)

Once we have that MAC address, we can pretty it up, map it to an actual hostname, and then label the ports with that. No more will you have to check another table, database, text file, etc and say, hey where is XYZ plugged into… The 30 minute dirty perl code:

#!/usr/bin/perl
# switchLabel.pl - 5/10/2011 (dirty 30 minute hack version)
# label ports on an HP Procurve switch with their boxes MAC address (easy to lookup)
# and even their hostnames! [email protected]

# configs
$debugMode = 1;

# code dont touch
if ( $#ARGV < 1 ) {
       print "usage: switchLabel.pl [switch IP/hostname] [community]\n";
       die("Please specify a switch IP and a valid r/w community string!\n");
} 

sub debug
{
        use vars qw($debugMode);
        if ($debugMode == 1) {
                print $_[0];
        }
}

my $switchIP = $ARGV[0];
my $snmpCommunity = $ARGV[1];

my $numPorts = 48; # after this is trunks and vlans, which we're going to ignore
                                  # label them manually kthx
                                  # change me for big chassis switches
                                  # could become another (optional) config variable

my @snmpWalk = `snmpwalk -On -c $snmpCommunity -v2c $switchIP 1.3.6.1.2.1.17.4.3.1.2`;
my %switchPorts = ();

foreach (@snmpWalk) {
	$_ =~ s/^\.1\.3\.6\.1\.2\.1\.17\.4\.3\.1\.2\.//; # lazy ass formatting: strip the OID prefix
	$_ =~ s/ = INTEGER: / /;
	chomp;
	($decMac, $port) = split(/ /, $_);
	if ($port <= $numPorts && $port > 0) {
		my @macOctets = split(/\./, $decMac);
		my $hexMac = "";
		foreach (@macOctets) {
			$_ = sprintf("%0.2X", $_);
		}
		$hexMac = join(':', @macOctets);
		debug("[found] $hexMac @ $switchIP: port $port\n");

		# put code in here to map MACs back to boxnames
		# or leave a MAC for now...
		my $machineName = $hexMac;

		if (!$switchPorts{$port}) {
			$switchPorts{$port} = $machineName;
		} else {
			$switchPorts{$port} .= ", " . $machineName;
		}
	}
}

for ($i = 1; $i <= $numPorts; $i++) {
	if ($switchPorts{$i}) {
		my $portName = $switchPorts{$i};
		if (length($portName) > 64) {
			$portName = substr($portName, 0, 61) . "...";
		}
		debug("[assign] $i => $portName\n\t");
		# label the port via its interface alias (index .18 under 1.3.6.1.2.1.31.1.1.1)
		debug(`snmpset -c $snmpCommunity -v2c $switchIP .1.3.6.1.2.1.31.1.1.1.18.$i s "$portName"`);
	}
}

I’ve removed our implementation specific MAC address to hostname mapping bit. Basically you can tackle that a few different ways, do an ARP lookup on a box that sees and knows all, query an SQL table where you do inventory, whatever you want. Just drop it in, and if (!machineName), put the hexMac in instead (i.e. you have an unknown box!) You could (and I probably will) extend this code to alert you if boxes move around (i.e. without you knowing), for audit-ability purposes.
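
An added example, not part of the original script: one way to do the "alert if boxes move around" audit mentioned above, by turning the same snmpwalk output into MAC/port pairs and diffing them against a saved baseline. The function names, the baseline file format and the sample walk output (locally administered MACs) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# fdb_to_macs [MAXPORT]: read `snmpwalk -On ... 1.3.6.1.2.1.17.4.3.1.2` output on
# stdin, print sorted "MAC port" lines for physical ports 1..MAXPORT only.
fdb_to_macs() {
  awk -v max="${1:-48}" -v pre=".1.3.6.1.2.1.17.4.3.1.2." '
    index($0, pre) == 1 && $2 == "=" && $3 == "INTEGER:" {
      port = $4 + 0
      if (port < 1 || port > max) next            # skip trunks and VLANs
      n = split(substr($1, length(pre) + 1), o, ".")
      if (n != 6) next                            # not a 6-octet MAC index
      printf "%02X:%02X:%02X:%02X:%02X:%02X %d\n", o[1], o[2], o[3], o[4], o[5], o[6], port
    }' | sort
}

# fdb_moves BASELINE CURRENT: both files hold "MAC port" lines from fdb_to_macs.
# Reports MACs that changed port or were never seen in the baseline.
fdb_moves() {
  awk 'FILENAME == ARGV[1] { base[$1] = $2; next }
       !($1 in base)       { print "NEW", $1, "port", $2; next }
       base[$1] != $2      { print "MOVED", $1, "port", base[$1], "->", $2 }' "$1" "$2"
}

# Demo on constructed data: one box unchanged, one moved, one unknown, one on a trunk.
demo_fdb() {
  local d; d=$(mktemp -d)
  printf '%s\n' '02:00:00:00:00:0A 12' '02:00:00:00:00:0B 5' > "$d/baseline"
  fdb_to_macs 48 > "$d/current" <<'EOF'
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.10 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.11 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.12 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.13 = INTEGER: 49
EOF
  fdb_moves "$d/baseline" "$d/current"
  rm -rf "$d"
}
```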

This awesome reverse mapping of MAC addresses looks to be the same as Cisco’s dynamic CAM entries table, and they are on the same OID. (In fact I wager Cisco came up with that specification.) That means the above code should work on a Catalyst with no modification but I haven’t tried it :) I am (and always will be) a Cisco big iron fanboy, but these ProCurves are totally awesome for anything other than edge and carrier distribution. All the SNMP goodies you’d ever need can be found on a sub-$250 HP 2510, and that’s with a lifetime warranty and support…. (insane)

Grab the code and play around and always remember, snmpwalk is a network admin’s best friend!


O’Reilly MySQL CE 2011: Josh Berkus, “Scale Fail”

I sent this out to our engineering department today, it’s mean, it’s exaggerated, it’s sarcastic, it’s hilarious. Enjoy:
