SheevaPlug - 1 year later

A little over a year ago I purchased a SheevaPlug Development Kit to replace my aging server with something a bit more eco-friendly. Looking back, that didn't turn out to be as easy as I thought.

The main services that I was running off the plug (DNS, DHCP, NTP, Proxy) have been working just fine. Of course the problems were the little things. Irssi failed to run and for some reason the SD card that I was using would become inaccessible every ~45 days so I had to rethink my storage strategy.
As experimenting with the SD card took a lot of time as I needed to wait for over a month between every attempt, my old server still hasn't been removed. As it turns out, that wasn't such a bad thing.

Then came the day I wanted to upgrade the plug to the new Ubuntu release to see if that would resolve the software issues. That turns out to be impossible as Ubuntu changed the supported ARM versions so the only thing that can run on the plug is Jaunty (9.04) which will stop receiving updates very soon. So I'll have to take the plug offline and re-install using Debian.

This week however, the plug took itself offline, as the power supply had blown up:

(image taken from the forums as I didn't have a camera nearby, but mine looks exactly the same)

As it turns out, this is a very common problem. The SheevaPlug forums are filled with pictures like this. The plug will either not power on at all, or the power LED will just flash once every second. So many people have encountered this problem that they have now begun selling replacement power supplies. As mine was purchased from the US, which doesn't have the EU 2yr warranty, I'll have to get a replacement PSU or construct one myself.

So now all services have been restarted on the old server (good old Dual P2, from back in the days when hardware was still reliable) and once I have the plug hooked up to a new power supply, I'll reinstall it using Debian and hopefully be able to move everything over to it. To be on the safe side, I might equip it with some speedholes to cool it down.

Choosing an operating system for my desktop computer

My 7 year old desktop computer has finally died. After having replaced 2 disks, 3 power supplies, a VGA card, the USB ports, several fans and a monitor, it's about time for this machine to retire. With its innards spilled onto the floor and hooked up to multiple power supplies, it's being kept alive long enough for me to copy all the important data over to my NAS.

I already looked around a bit and will probably reuse the case, power supply and some disks for the new machine. With a new gigabyte motherboard, core i7 CPU, plenty of RAM and an SSD for the operating system, it will probably be insanely fast compared to this one. But that brings me to the final choice, which operating system to use?

I have experience with most operating systems. My desktop has always been linux (first debian and later ubuntu), but I also own a macbook pro and use Windows at work. None of them are perfect, so choosing between them is pretty hard. Note that I can't really run OSX on the new hardware I plan to order, but I'll include it in the comparison as I could buy an iMac instead.

The most important functions for this machine are:

  • Running virtual machines (development environments & tests).
  • Surfing the interwebs.
  • Communication tools (IM/twitter/email/..).
  • Access shared data stored on the NAS via CIFS.
  • Connecting and disconnecting monitors while it's running so that I can use one of them to watch TV.

So here is how I see the advantages and disadvantages of the different operating systems at this time:

Linux

PRO
  • My trusted desktop environment for years. I know what it's good at and what its limitations are very well.
  • Easy shell scripting for bulk operations.
  • Lots of free applications, although not all of them are good.
  • Software updates for all applications, not just the OS.
  • Very easy software installation.

CON
  • Has gotten pretty bloated over time. Definitely no longer the lean and mean OS it once used to be.
  • Inconsistent when it comes to accessing CIFS shares. Only certain applications can access files opened in the gnome explorer, for CLI tools you need to manually mount it again.
  • Very poor performance when accessing the CIFS share.
  • Support for multiple monitors and accelerated graphics in general is horrible.
  • The nightmare that is Audio.
  • Frequent upgrades required and every time something breaks.

Windows

PRO
  • Good at dealing with CIFS file shares.
  • Easy use of multiple monitors.
  • Lots of applications and nowadays quite a lot of freeware as well. Most of the applications I use are cross-platform.

CON
  • Not as easy to use scripting.
  • It's Microsoft and I'll have to listen to rant after rant about me selling my soul to the devil.
  • Main target for malware so I'll have to run an antivirus program which will affect performance.

Apple OSX

PRO
  • Pretty hardware and it has an Apple badge. Admit it, that's one of the main reasons they are bought.
  • Easy to use multiple monitors.
  • It can do scripting just like linux.
  • Lots of applications and several of them are quite user friendly. Even though I'm not a novice, I still appreciate a clean and simple user interface.

CON
  • It's Apple, which as a company is far worse than Microsoft.
  • It has quite some troubles accessing CIFS shares. Especially if authentication or hidden shares are involved.
  • Bloody expensive and nearly impossible to upgrade the hardware afterwards.
  • Video and audio codec hell.
  • It will not allow you to choose anything other than Quicktime to open videos which are located on a read-only CIFS share.
  • Requires quite a lot of tweaks to work the way I want.

Conclusion

At the moment I'm leaning towards using Windows 7 as my primary operating system with a Linux virtual machine to run my collection of scripts. I'll still give Linux a try when the new hardware arrives, but I don't really expect anything amazing from it. Getting it to work has always been a struggle, especially when it comes to multiple monitors. I don't expect this to work properly, especially attaching and disconnecting the monitors while it's running.
OSX has already been ruled out because of its price and lack of hardware flexibility. I'll simply keep running all the cool OSX stuff and image editing on my macbook as I already do nowadays. If I could run OSX on my own hardware, that would probably have won.

I have mixed feelings moving away from Linux on the desktop. It's still running on my servers of course, but now that a lot more has shifted to the web and the few other applications that I use have become cross-platform, many of the reasons that I was using it on the desktop have vanished. Quite the irony as most of these applications are open source.
On the other hand, as I look at all the Linux server admins, 90% of them are using macbooks. So I don't seem to be the first to admit that Linux has lost the battle for the desktop.

Creating a global firewall policy on Juniper SRX

Juniper firewalls, both NetScreen and SRX, use a concept of security zones. Each interface is assigned to a zone and firewall policies are created between zones to permit traffic. This is very useful as you can safely use the "Any" object in firewall rules without unexpected results. However, sometimes it's useful to create policies regardless of the source and destination zones. The most common reason is to create a default deny rule with logging enabled.

On NetScreen firewalls, there was a global rulebase which was evaluated if there was no matching rule in the regular rulebase. On SRX series however, there is no global rulebase. So in order to create default deny rules with logging enabled, you have to create rules for each possible combination of source and destination zone. This can be a lot of work as the number of policies required increases exponentially.

Tired of creating so many rules, I figured there had to be an easier way. This device is running JUNOS, there must be some feature or script that can help simplify this, and there is. It's a feature called configuration groups, which makes it easy to repeat a piece of configuration multiple times. The following example creates a firewall rule that drops and logs all traffic. This rule is then appended to each rule set:

set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match application any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then deny
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then log session-init
 
set security policies apply-groups global-policy

This can easily be extended to create address objects in multiple zones at once, or modified to apply only to select rule sets.

The apply-group is not entirely the same as the global policy on NetScreen: it will only create a default log+drop rule in each existing rule set. So if there are two zones for which no policy exists yet, no drop rule will be installed for that pair either.
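
To find the zone pairs affected by that caveat, the check below reads a configuration in "set" format and lists every from-zone/to-zone combination that has no rule set of its own, and therefore does not inherit default-logdrop. This is an added example, not part of the original post; the sample configuration, zone names, interface names and function names are constructed for illustration.

```python
import re
from itertools import product

# Zones defined on the device, and zone pairs that already have a rule set.
# Lines under "set groups ..." are deliberately not matched: a wildcard group
# only adds the rule where a from-zone/to-zone rule set already exists.
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
PAIR_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then deny
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then log session-init
set security policies apply-groups global-policy
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security policies from-zone trust to-zone untrust policy allow-web match application any
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone untrust to-zone dmz policy allow-https then permit
"""

def parse(config):
    """Return (zones, zone pairs that already have at least one policy)."""
    zones, pairs = set(), set()
    for line in config.splitlines():
        line = line.strip()
        zone = ZONE_RE.match(line)
        if zone:
            zones.add(zone.group(1))
            continue
        pair = PAIR_RE.match(line)
        if pair:
            pairs.add((pair.group(1), pair.group(2)))
    return zones, pairs

def uncovered_pairs(config, include_intra_zone=True):
    """List zone pairs with no rule set, i.e. no inherited log+drop rule."""
    zones, pairs = parse(config)
    wanted = [(src, dst) for src, dst in product(sorted(zones), repeat=2)
              if include_intra_zone or src != dst]
    return [p for p in wanted if p not in pairs]

if __name__ == "__main__":
    for src, dst in uncovered_pairs(SAMPLE_CONFIG):
        print(f"no rule set: from-zone {src} to-zone {dst} (default-logdrop not inherited)")
```

Running it against the output of "show configuration | display set" after each zone change shows which pairs still need a rule set before the logging drop rule covers them.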

Resources for following news about the ashcloud / airport closures

I'm supposed to travel to Budapest tomorrow and my brother's flight was scheduled to depart this morning so we had to monitor the news. As the traditional media take ages to update, here are a couple of online resources to check:

Eurocontrol CFMU : The news headlines section updates at least hourly, listing all closed airspace. Note that times are in UTC.

Met Office ash cloud forecast : Updated every 4 hours.

Eurocontrol on twitter : eurocontrol is doing a good job posting updates and links to interesting resources on twitter.

Brussels airport : current status of Brussels Airport.

Images from METEOSAT-9 : satellite image with dust concentrations

Webcams : want to see the volcano that's causing all this trouble? It's not really going to help you though..

And of course, check the airline website. SN Brussels has canceled all flights until Monday noon but getting some information from Hungarian airlines has proven to be more difficult.

Unfortunately, many people traveling to San Francisco for drupalcon are also stranded. They even created a map to see where everyone is: Drupalistas stuck in Europe. Some people are already planning minicons in the UK and Belgium for those who can't make it to SF. This drupalcon won't soon be forgotten :)

Subscribe to Bart Jansens RSS Subscribe to Bart Jansens - All comments