multipathd queue_if_no_path And no_path_retry Explained

If you configure your multipath device to use “no_path_retry N” explicitly you may still see queue_if_no_path in multipath -ll output as a listed feature:

$ multipath -ll
mpathc (3600601608de04200c24aed5886c9b28e) dm-3 DGC ,VRAID 
size=2.0T features='2 queue_if_no_path retain_attached_hw_handler' hwhandler='1 alua' wp=rw

Does it mean the no_path_retry setting was not applied at all? According to the multipath.conf man page, queue_if_no_path and no_path_retry are identical:

queue_if_no_path
Queue IO if no path is active; identical to the no_path_retry keyword.

But which policy is in use: queue or fail?

Unfortunately, the documentation does not make this clear, but if no_path_retry is set to anything but fail, you will see queue_if_no_path in the multipath -ll output.

If no_path_retry was set to fail, the output would look like this:

$ multipath -ll 
mpathc (3600601608de04200c24aed5886c9b28e) dm-3 DGC ,VRAID 
size=2.0T features='1 retain_attached_hw_handler' hwhandler='1 alua' wp=rw

This means that yes, “no_path_retry N” is actually used as the path failure handling policy, but queue_if_no_path is displayed anyway.
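The rule above can be checked mechanically. This script is an added example, not code from the original post: it reads multipath -ll output and reports, per map, queue (no_path_retry is anything but fail) or fail. The mpatha map, its WWID and the group/path lines in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample input. The mpathc header and size lines are the output
# quoted in the post; mpatha, its WWID and the path lines are made up.
sample_output() {
cat <<'EOF'
mpathc (3600601608de04200c24aed5886c9b28e) dm-3 DGC ,VRAID
size=2.0T features='2 queue_if_no_path retain_attached_hw_handler' hwhandler='1 alua' wp=rw
`-+- policy='round-robin 0' prio=50 status=active
  `- 1:0:0:1 sdb 8:16 active ready running
mpatha (36000000000000000000000000000000a) dm-2 DGC ,VRAID
size=2.0T features='1 retain_attached_hw_handler' hwhandler='1 alua' wp=rw
EOF
}

# Read `multipath -ll` output on stdin, print "<map> queue|fail" per map.
mpath_policies() {
    awk -v q="'" '
        # Map header: "<name> (<wwid>) dm-N <vendor>,<product>"
        /^[A-Za-z0-9_.-]+ .*dm-[0-9]+ / { name = $1; next }
        {
            key = "features=" q
            start = index($0, key)
            if (start == 0) next
            rest = substr($0, start + length(key))
            feat = substr(rest, 1, index(rest, q) - 1)
            n = split(feat, f, " ")
            policy = "fail"
            # f[1] is the feature word count, the feature names follow it
            for (i = 2; i <= n; i++)
                if (f[i] == "queue_if_no_path") policy = "queue"
            print name, policy
        }
    '
}

# Return 1 if any map on stdin still queues, so a config check can gate on it.
mpath_assert_fail_policy() {
    queued=$(mpath_policies | awk '$2 == "queue" { print $1 }')
    [ -z "$queued" ] || { echo "still queueing: $queued" >&2; return 1; }
}

sample_output | mpath_policies
```

On a live host, pipe the real command into it: multipath -ll | mpath_policies.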

Also, no_path_retry is recommended over queue_if_no_path. Straight from the multipath.conf man page:

The usage of queue_if_no_path option can lead to D state processes being hung and not killable in situations where all the paths to the LUN go offline. It is advisable to use the no_path_retry option instead.

If you want to set the no_path_retry option explicitly, in an attempt to make sure that failed I/O requests are not queuing up and waiting patiently for a path to come back online, you need to add this to your /etc/multipath.conf:

devices {
        device {
                vendor                  "DGC"
                product                 "VRAID"
                no_path_retry           fail
        }
}

Obviously, you need to match your vendor and product.

Another way to do the same is to use the dmsetup command, which changes only the running device-mapper table and writes nothing to multipath.conf. Assuming you have three different multipath devices, mpatha, mpathb and mpathc:

$ dmsetup message mpatha 0 "fail_if_no_path" 
$ dmsetup message mpathb 0 "fail_if_no_path" 
$ dmsetup message mpathc 0 "fail_if_no_path"

If you have a compatible device, it will most likely be configured automatically by multipathd. If that’s the case, your multipath.conf will not look very different from this real-life example:

$ grep -v ^# /etc/multipath.conf
defaults {
        user_friendly_names yes
        find_multipaths yes
}
devices {
        device {
                vendor                  "DGC" 
                product                 "VRAID" 
                no_path_retry           fail
        }
}

blacklist {
}

To apply your changes just run these commands:

$ multipath -d
$ multipath -v2
$ multipathd reconfigure

To verify the changes, dump the runtime configuration and look for no_path_retry:

$ multipathd show config

The sticky bit note

chmod’s man page apparently doesn’t explain it, but “t” and “T” both signify the sticky bit; the difference is whether the execute flag is set for other or not:

drwxrwxr-T     1774
drwxrwxr-t     1775

How secure is Google Chrome Sign In?

I’ve been avoiding the Sign In feature for quite some time now, up until today, because security with major service providers, that are also legitimate businesses and often are not open-source, seems always to be tricky. I realized I couldn’t hold back any longer, though, because the temptation to use synced data — and Chrome/Chromium syncs basically everything and lets you recreate your browser environment on just any computer/mobile device with an Internet connection and default browser configuration — was becoming very intense.

So, I’ve run an extensive search on Google, but there were very few detailed results that would give you the dirt. Mostly generalized statements about how secure or insecure it is. Luckily, though, some people wrote up excellent articles that answered my questions and made me feel confident that I can safely upload my personal data to the cloud.

Because the bottom line is that the Chrome/Chromium Sign In feature provides a very reasonable security model.

In short, the solution is to encrypt everything and use encryption passphrase, not Google Account as a passphrase (this gets sent to Google periodically and kinda defeats the purpose, because theoretically unscrupulous/overly enthusiastic employees literally have the key to your encrypted stash of private data and could read it if they really wanted to. Not cool.)

To learn more details, I highly recommend following these URLs and reading these wonderful articles:

  1. Comparing the Security and Privacy of Browser Syncing by Gregory Szorc with Firefox who happens to work on FirefoxSync (this is exactly what I hoped to read, a fresh publication too!)
  2. How to Optimize Google Chrome for Maximum Privacy by Chris Hoffman of How-To Geek.
  3. Google Chrome Leaking Credit Card Data? by Adam Caudill, a demonstration of why you need to encrypt everything, not just passwords.

Perl: remove element from a list/array

You can easily push an element to a list/array, but when it comes to deleting an element, unless you know exactly its index number (which is rarely a case, as far as I’m concerned), things get unreasonably complicated.

I googled around and talked to people on IRC; here’s what seem to be the best approaches:

  1. use splice in a loop with a counter
  2. use List::UtilsBy qw ( extract_by );

splice(); proved to be a really hard case. The following code will only remove the 1st occurrence in an array and ignore the rest, due to the fact that splice causes elements in a list to update their index numbers, so they get essentially offset and the counter is never adjusted for this fact (because I’m too lazy to figure out how). This code will do the job if your list contains unique elements only, though.

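#!/usr/bin/perl

use strict;
use warnings;

my @arr = (1, 2, 3, 4, "abc", "zxy", "qwerty", "abcdef");

my $index = 0;

# Flawed on purpose: splice shifts the remaining elements while foreach
# is still walking the array, so $index drifts out of step with $_.
foreach (@arr) {
    if ($_ =~ m/abc.*/i) {
        splice(@arr, $index, 1);
    } else {
        $index++;
    }
}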

If you print @arr to stdout you’ll see that abcdef is still there.

By and large, it’s a bad idea to modify an array in a for loop. If you know of a pretty, intuitive way to write code that removes elements from an array, do let me know, please.

extract_by looks like a real deal, but I abandoned it before I started really using it because I’ve realized that my code didn’t actually need to delete any elements from a list at all lol

Suddenly /dev/null became a regular file

I was doing a routine task – preparing a new CentOS server – today and ran into quite an obscure problem.

I was at the point where I needed to configure VPN link but OpenVPN wouldn’t let me daemonize itself. It complained in the logs basically saying that the problem was this:

openvpn[4738]: daemon() failed: No such device (errno=19)

That’s weird. After an hour of troubleshooting this issue on the server I took it to #openvpn@irc.freenode.net where dazo, the channel operator, pointed out that some people had previously had a similar-looking problem, and that if /dev/null was involved it might be a similar or exactly that kind of problem.

I checked /dev/null with the stat utility and it was indeed just a regular file. WHOA. This is a production server that doesn’t see software updates, tested and works for the most part like a clock. Utterly inexplicable at this point to me but I don’t have time to research this right now. I just wanted to make a post about it to remember to look into this later, because this is quite interesting and doesn’t happen very often. In fact, I’ve been working with Linux for at least 5 years now, and I’ve never seen anything of the sort. Neither have my colleagues, who are more experienced than I am.
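The check described in this post, written as a reusable function. This is an added example, not part of the original post; it assumes Linux, where the null device is a character device with major 1 and minor 3, and GNU stat for the device-number lookup.

```shell
#!/bin/sh
# Report what a path that should be the null device really is.
# Prints a one-word verdict and returns 0 only for a genuine null device.
check_null_device() {
    path=${1:-/dev/null}
    if [ -L "$path" ]; then
        echo "symlink"; return 1
    elif [ ! -e "$path" ]; then
        echo "missing"; return 1
    elif [ -f "$path" ]; then
        echo "regular-file"; return 1      # the state described in the post
    elif [ ! -c "$path" ]; then
        echo "not-a-char-device"; return 1
    fi
    # GNU stat prints the major and minor numbers in hex with %t and %T.
    devno=$(stat -c '%t:%T' "$path" 2>&1) || devno="unknown"
    if [ "$devno" != "1:3" ]; then
        echo "wrong-device:$devno"; return 1
    fi
    echo "ok"
}

# Restoring the node (as root) once the cause is understood:
#   rm -f /dev/null && mknod -m 666 /dev/null c 1 3
check_null_device /dev/null || true
```

Before recreating the node, look at the contents and mtime of the regular file; whatever was redirected into it usually points at the process that replaced the device.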


Keep Linux Console From Dimming The Screen

There are many ways to do it depending on your context, i.e. whether you’re working with a headless setup that doesn’t need to run an X server – plain old console – or with an X-based setup.

In my particular case I had a CentOS box that ran without an X server and experienced some obscure, intermittent lockups. So, I needed to hook up the display, hoping to see some output like a kernel call trace or maybe some error messages the next time the box locked up. The problem was that the system would dim the screen and when the box locked up I couldn’t see anything that might have been printed on stdout.

After quite a prolonged session of trial and error, what I learned was that simply issuing setterm -blank 0 in a terminal over an ssh session (didn’t try to directly enter this command, let me know if this works for you) wasn’t working. So, what I ended up doing was adding

% echo "/usr/bin/setterm -blank 0" >> /etc/rc.local

to the end of /etc/rc.local and rebooting the box.

That did it for me (finally! lol)

OSSEC Active Response E-Mail Notifications

Here’s a very nice page that describes how to set up OSSEC active response e-mail notifications.

There’s one problem, though. In the current OSSEC version 2.6, that configuration will leave you with an AR rule that, once triggered, stays in a loop forever. For example, if a common web attack is detected and you’ve configured OSSEC to respond with a firewall drop AR, upon the timeout the offending IP address will be deleted from the firewall configuration and re-added immediately after that. Thus, this cycle will continue endlessly.
