OpenStack + Docker + OpenContrail

Docker is a tool that simplifies the process of building container images. One of the issues with OpenStack is that building glance images is an off-line process. It is often difficult to track the contents of the images, how they where created and what software they contain. Docker also does not depend on virtualization; it creates linux container images that can be run directly by the host OS. This provides a much more efficient use of memory as well as better performance. It is a very attractive solution for DC operators that run a private infrastructure that serves in-house developed applications.

In order to run Docker as an openstack “hypervisor” start with devstack on ubuntu 12.04LTS. devstack includes a docker installer that will add a debian repository with the latest version of the docker packages.

After cloning the devstack repository one can issue the command:

tools/docker/install_docker.sh

For OpenContrail there isn’t yet a similar install tool. I built the OpenContrail packages from source and installed them manually, modifying the configuration files in order to have config, control and compute-node components all running locally.

Next, I edited the devstack localrc file to have the following settings:

VIRT_DRIVER=docker

disable_service n-net
enable_service neutron
 Continue reading

Blessay: The Internet is a “Cloud” for Networking

Can the Internet be the “Cloud Network” ? If so, when could the transition happen (if it hasn’t started already) ?

Supposition/Hypothesis As a technology, the Internet has strikingly similar properties to sharing Compute and Storage as ‘Cloud’. A large pool of resource that can be used or shared between many parties. The total pool of resource is dynamically allocated. Internet bandwidth is shared between all users and access is determined by bandwidth purchased at the network edge

The post Blessay: The Internet is a “Cloud” for Networking appeared first on EtherealMind.

SSH Fingerprint issue on Mac OS X

If you use an Apple Mac to SSH to a device and the terminal sends an error message saying the SSH fingerprint does not match (following text), the easiest way to get new SSH fingerprints is by doing a ‘ssh-keygen -R IP_Address’.

Last login: Tue Apr 22 10:21:10 on ttys000

doka:~ doka$ ssh -l root 10.100.0.1

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that a host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

81:79:83:12:f3:85:9c:13:f8:d2:01:ac:43:1c2:28:2c.

Please contact your system administrator.

Add correct host key in /Users/doka/.ssh/known_hosts to get rid of this message.

Offending RSA key in /Users/doka/.ssh/known_hosts:88

RSA host key for 10.100.0.1 has changed and you have requested strict checking.

Host key verification failed.

doka:~ doka$ ssh-keygen -R 10.100.0.1

# Host 10.100.0.1 found: line 88 type RSA

/Users/doka/.ssh/known_hosts updated.

Original contents retained as /Users/doka/.ssh/known_hosts.old

doka:~ doka$ ssh -l root 10.100.0.1

The authenticity Continue reading

Passing Command Line Arguments to Python

The Common Way (I think) There’s a very well know way of grabbing command-line arguments and passing them to a Python program. This is done by importing the sys module and using the argv...

[[ Summary content only, you can read everything now, just visit the site for full story ]]

EGP

Today I came across an old Cisco router with original IOS image. Big surprise (at least for me) when I did check what routing protocols are supported on this router: I was out of the game, or better not even yet had discover the networking games, when the EGP was still out there and available […]

Trojan.Eclipse — A Bad Moon Rising?

ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.

Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.

The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. We’ll see in the Campaign section below that this threat is also known as: shadowbot, gbot3, eclipsebot, Rhubot, and Trojan-Spy.Win32.Zbot.qgxi.

Based on the C2 domain names, GeoIP of the C2 IP addresses, and a social media profile of the owner of one of the C2 domains, I suspect this malware to be Russian in origin. In addition, Eclipse is written in Delphi and empirically Russian malware coders have a certain fondness for this language.

Command and Control

The analyzed binary has a hardcoded C2 domain string. This string is protected from modification by running it through a simple hashing algorithm and comparing it against a hardcoded hash at certain points of the code. The Continue reading

Is Netflix’s Arresting Development with Comcast a House of Cards, or Is it The New Black?

Is Netflix's Arresting Development with Comcast a House of Cards, or Is it The New Black?

by Brian Boyko, Technology Contributor - April 22, 2014

Photo credit: Netflix

Comcast has decided to start charging Netflix extra to connect Netflix's customers on Comcast's network. More or less. It gets complicated, depending on whether Netflix is being charged for data transfer, or interconnectivity.

The headline in the New York Times reads: “Comcast and Netflix Reach Deal On Service.” But Netflix CEO Reed Hastings posted on the official Netflix blog that there was a need for “a strong net neutrality,” calling the Comcast deal an “Internet toll.” That does not sound to me like Hastings came out of the deal happy.

Now, to be clear, what the deal is actually doing, on a technical level, is allowing Netflix to deliver its content directly to Comcast's servers, rather than going through a middleman such as Cogent. It's a type of “paid peering,” instead of “paid prioritization.”

Hastings, however, believes the two are the same thing – charging the content provider to provide the data at the rate that the ISP charges its customers. After all, the only reason Continue reading

Packet Design to sponsor ENOG 7 in Moscow

Packet Design is a silver sponsor of ENOG 7, 26-27 May in Moscow, Russia.

Click here to register for this free event.

On Policy in the Data Center: The policy problem

(This post was written by Tim Hinrichs and Scott Lowe with contributions from Martin Casado, Mike Dvorkin, Peter Balland, Pierre Ettori, and Dennis Moreau.)

Fully automated IT provisioning and management is considered by many to be the ultimate nirvana— people log into a self-service portal, ask for resources (compute, networking, storage, and others), and within minutes those resources are up and running. No longer are the people who use resources waiting on the people who are responsible for allocating and maintaining them. And, according to the accepted definitions of cloud computing (for example, the NIST definition in SP800-145), self-service provisioning is a key tenet of cloud computing.

However, fully automated IT management is a double-edged sword. While having people on the critical path for IT management was time-consuming, it provided an opportunity to ensure that those resources were managed sensibly and in a way that was consistent with how the business said they ought to be managed. In other words, having people on the critical path enabled IT resources to be managed according to business policy. We cannot simply remove those people without also adding a way of ensuring that IT resources obey business policy—without introducing a way Continue reading

How do ACLs handle fragments ?

This post represents the solution and explanation for made a test connection -> client learned the PMTUD = 1476 (1500-24/GRE) then I configured lower MTU 1440 on the GRE tunnels also I disabled PMTUD with command sysctl -w net.inet.tcp.path_mtu_discovery=”0″ so the server cannot learn the new PMTUD value You will say that it was not nice of me to hack it this way, but I’ll say: it worth demonstrate this... [read more]

How do ACLs handle fragments ?

This post represents the solution and explanation for quiz-22. It presents how fragmented traffic is handled differently by a simple access list. It is a long read about fragmentation, Path MTU Discovery, MSS and other stuff...

Poster: Network Safety Starts With You

Being a Network Engineer is a hazardous and even dangerous profession yet the Health and Safety division doesn't seem to care about the network damage and prevention.

It's time for us to stand up and start our own ITIL-compliant safety campaign. I've prepared the following handy sign for you to print and place on your cubicle wall to remind you to be safe out there.

The post Poster: Network Safety Starts With You appeared first on EtherealMind.

Using EEM to Remotely Change a WAN IP – Part 1

I often work remotely on customers’ infrastructures with their remote hands on-site. When a small office or branch changes ISPs or IP blocks, I occasionally find myself in a position where I have to change the only public IP address of a device like a branch office router or firewall, with no out-of-band management. The trouble with this is fairly obvious (on a Cisco device): by changing the IP address via which I am accessing the device over SSH, I will lose my own management session to it. Once the management session is lost, I can’t update the default route, and now the device is broken and I get to walk the on-site hands (who are often not very Cisco-literate) through changing a default route.

There are, of course, several ways to avoid this situation all together:

Have out-of-band access using a 3G/4G/LTE-connected terminal server (I wrote about one of these before)
Use a remote app like GetConsole so the remote hands can get me console access out of band using their smart phone
Use something with a proper commit/rollback mechanism like a Juniper device
Dial-up modem to the AUX port!

Clearly, from the list above, there are means to Continue reading

Get Ansible to Work on Mac OS X Mavericks

running ansible on mavericks If you’re trying to run an ansible-playbook or just testing around using a Mac running OS X Mavericks. There’s a good possibility that you’ll hit a...

[[ Summary content only, you can read everything now, just visit the site for full story ]]

BGP VPNv4 Troubleshooting Commands

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
When working with MPLs Layer 3 VPN a lot of people get stuck with the verification, simply because they don’t know the bgp vpnv4 troubleshooting commands. This post will step through some of the verification you can use to verify the routes end to end through a simple MPLS Layer 3 vpn topology. The topology […]

Other pages of interest:

Post taken from CCIE Blog

Original post BGP VPNv4 Troubleshooting Commands

Don’t forget to restart all your OpenSSL binaries

The wonder of UNIX is that you can delete running binaries and loaded shared libraries. The drawback is that you get no warning that you're still actually running old versions. E.g. old heartbleed-vulnerable OpenSSL.

Server binaries are often not forgotten by upgrade scripts, but client binaries almost certainly are. Did you restart your irssi? PostgreSQL client? OpenVPN client?

Find processes running with deleted OpenSSL libraries:

$ sudo lsof | grep DEL.*libssl
apache   17179      root  DEL       REG        8,1               24756 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

Or if you're extra paranoid, and want to make sure everything is using the right OpenSSL version:

!/bin/sh
set -e
LIB="/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0"
if [ ! "$1" = "" ]; then
   LIB="$1"
fi
INODE="$(ls -i "$LIB" | awk '{print $1}')"
lsof | grep libssl.so | grep -v "$INODE"

A few points:

Run this as root in case lsof otherwise wouldn't be able to get at the data (e.g. if you run grsec)
This assumes all libssl is on one filesystem, since it only checks inode number
The easiest solution is of course to restart the whole machine, but there's really no reason to if you don't want to

HTIRW: DNS Lookups

Note: Some of this will be really basic for a lot of folks, but bear with me — in looking at the entire system as a system, there are going to be parts of each piece you’ll already know, and other parts you don’t know. Let’s begin where most users will recognize they’re interacting with […]

Author information

Russ White

Principle Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about, or don't really care about. You want numbers and letters? Okay: CCIE 2635, CCDE 2007:001, CCAr, BSIT, MSIT (Network Design & Architecture, Capella University), MACM (Biblical Literature, Shepherds Theological Seminary). Russ is a Principal Engineer in the IPOS Team at Ericsson, where he works on lots of different stuff, serves on the Routing Area Directorate at the IETF, and is a cochair of the Internet Society Advisory Council. Russ will be speaking in November at the Ericsson Technology Day. he recently published The Art of Network Architecture, is currently working on a new book in the area Continue reading

26 – Is VxLAN a DCI solution for LAN extension ?

One of the questions that many network managers are asking is “Can I use VxLAN stretched across different locations to interconnect two or more physical DCs and form a single logical DC fabric?”

The answer is that the current standard implementation of VxLAN has grown up for an intra-DC fabric infrastructure and would necessitate additional tools as well as a control plane learning process to fully address the DCI requirements. Consequently, as of today it is not considered as a DCI solution.

To understand this statement, we first need to review the main requirements to deploy a solid and efficient DC interconnect solution and dissect the workflow of VxLAN to see how it behaves against these needs. All of the following requirements for a valid DCI LAN extension have already been discussed throughout previous posts, so the following serves as a brief reminder.

DCI LAN Extension requirements

Strongly recommended:

Failure domain must be contained within a single physical DC

Leverage protocol control plane learning to suppress the unknown unicast flooding.
Flooding of ARP requests must be reduced and controlled using rate limiting across the extended LAN.
Generally speaking, rate limiters for the control plane and data plane must be Continue reading

Awesome Putty tips and tricks for work and the CCIE Lab!

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
If you use Putty on a daily basis or have only encountered it in the CCIE lab exam then you will know what a great tool it is. Simple and effective (with no tabs!) Most people though may not use putty on a daily basis preferring something like SecureCRT so will not be familiar with […]

Other pages of interest:

Post taken from CCIE Blog

Original post Awesome Putty tips and tricks for work and the CCIE Lab!

NPM build error

NPM has a bunch of useful stuff on it, however you could in life while using NPM get this:

stack Error: "pre" versions of node cannot be installed, use the --node dir flag instead

This error basically says “Give me the node

« Previous 1 … 3,755 3,756 3,757 3,758 3,759 … 3,854 Next »