Friday, May 29, 2009

LVM + XFS + VirtualBox - Resizing a guest partition

I've been doing a lot of work with virtualization lately and I am working on what I hope will become the great solution I've always wanted. The current configuration on the Host machine is a RAID0 array, with LVM logical volumes on top of that for each of my virtual machines. Each LV used for a Virtual Machine is formatted in XFS; from what I have read, it offers better performance with large files.

My Logical Volumes created for my VMs are created with a conservatively sized disk. This allows plenty of free space on the LVM VG for future VMs, snapshots, scratch volumes, and expansion of existing LVs. That's right, it is possible to increase the size of all the disk components in this mess (Logical Volume, XFS Partition, Virtual Machine VDI, VM filesystem). For the most part this is a pretty painless process. The only real nasty part that involves downtime is resizing the VDI, which isn't really resizing at all. Rather, we will create a new larger VDI and copy the old disk over.

Here is the process:

1. Resize the logical volume on the host machine (if necessary).
lvextend -L+3G /dev/mapper/vg--vm-lv--ftp (extends the ftp LV by 3 GB)

2. Resize the filesystem on the host machine (if you resized the lv).
xfs_growfs /var/vm/ftp

3. Create a scratch lv on the host machine. This will be used to hold the resized clone, so make it large enough.
lvcreate -L 22G -n scratch vg-vm

4. Create a filesystem on scratch volume.
mkfs.xfs /dev/mapper/vg--vm-scratch

5. Create a mount point and mount the filesystem. Give vboxuser ownership.
mkdir /tmp/scratch
mount /dev/mapper/vg--vm-scratch /tmp/scratch
chown vboxuser /tmp/scratch

6. Change to vboxuser and create a new VDI of the desired size.
su vboxuser
VBoxManage createhd --filename /tmp/scratch/scratch.vdi --size 20480

7. Register the scratch disk in VirtualBox and verify it.
VBoxManage openmedium disk /tmp/scratch/scratch.vdi
VBoxManage list hdds

8. Register the gparted ISO.
VBoxManage openmedium dvd /root/gparted-live-0.4.5-2.iso

9. Shut down the VM.
10. Add new VDI to VM and mount the gparted disk.
VBoxManage modifyvm "ftp" --hdb /tmp/scratch/scratch.vdi --dvd /root/gparted-live-0.4.5-2.iso

11. Start the VM; gparted should boot. Follow the default prompts to get to the desktop.
VBoxHeadless -startvm "ftp"

12. Open a prompt. Verify that the source (old) disk is hda and the destination disk (new) is hdb. Then use dd to copy hda to hdb. When finished, reread the partition table on the new disk.
sfdisk -l
dd if=/dev/hda of=/dev/hdb
hdparm -z /dev/hdb

13. Open gparted and use it to grow the disk partition you need to be bigger. Apply the changes, then shut down the VM.
14. Remove the dvd and both drives. Then re-add the new VDI as hda. Start up the VM to verify that it boots cleanly.
VBoxManage modifyvm "ftp" --dvd none --hdb none --hda none
VBoxManage modifyvm "ftp" --hda /tmp/scratch/scratch.vdi
VBoxHeadless -startvm "ftp"

15. Set hda to none on the VM. Close the two hard drive images.
VBoxManage modifyvm "ftp" --hda none
VBoxManage closemedium disk /tmp/
VBoxManage closemedium disk /var/vm/ftp/ftp.vdi

16. Move the scratch disk to the resized lv.
mv /tmp/scratch/scratch.vdi /var/vm/ftp/ftp.vdi

17. Re-open the new disk and add it back into the VM.
VBoxManage openmedium disk /var/vm/ftp/ftp.vdi
VBoxManage modifyvm "ftp" --hda /var/vm/ftp/ftp.vdi

18. Start the VM.
VBoxHeadless -startvm "ftp"

19. Unmount the scratch partition on the host machine and remove the lv to tidy up.
umount /tmp/scratch/
lvremove /dev/mapper/vg--vm-scratch
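The host-side part of the procedure above (steps 1 to 5) wrapped with the pre-flight checks a practitioner would want before touching the VG, as an added example that is not from the original post; it assumes the post's names (VG vg-vm, LV lv-ftp mounted at /var/vm/ftp, scratch LV scratch) and the 20480 MiB VDI from step 6.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's names:
# VG "vg-vm", LV "lv-ftp" mounted at /var/vm/ftp, scratch LV "scratch",
# and a new 20480 MiB VDI as in step 6. Nothing is changed unless
# RUN_RESIZE=1, so the helper functions can be exercised safely.
set -eu

# Scratch LV size (MiB) for a VDI of the given size: 10% headroom for
# XFS metadata and VDI overhead, rounded up to a whole GiB. For the
# post's 20480 MiB disk this yields 22528 MiB, i.e. the 22G in step 3.
scratch_lv_size_mb() {
    need=$(( $1 + $1 / 10 ))
    echo $(( (need + 1023) / 1024 * 1024 ))
}

# Turn the output of `vgs --noheadings --units m -o vg_free VG`
# (e.g. "  25600.00m", MiB) into an integer MiB count.
parse_vg_free_mb() {
    printf '%s\n' "$1" | sed 's/[[:space:]]//g; s/[mM]$//; s/\..*//'
}

# Step 12 sanity check: dd from hda to hdb silently truncates if the
# destination is smaller. Compare sizes in bytes before copying; in the
# guest obtain them with `blockdev --getsize64` on /dev/hda and /dev/hdb.
clone_fits() {
    [ "$2" -ge "$1" ]
}

if [ "${RUN_RESIZE:-0}" = 1 ]; then
    vdi_mb=20480
    need=$(scratch_lv_size_mb "$vdi_mb")
    free=$(parse_vg_free_mb "$(vgs --noheadings --units m -o vg_free vg-vm)")
    # Steps 1 and 3 together need the 3 GiB extension plus the scratch LV.
    total=$(( need + 3072 ))
    if [ "$free" -lt "$total" ]; then
        echo "vg-vm has ${free} MiB free, need ${total} MiB" >&2
        exit 1
    fi
    lvextend -L+3G /dev/mapper/vg--vm-lv--ftp          # step 1
    xfs_growfs /var/vm/ftp                             # step 2
    lvcreate -L "${need}m" -n scratch vg-vm            # step 3
    mkfs.xfs /dev/mapper/vg--vm-scratch                # step 4
    mkdir -p /tmp/scratch                              # step 5
    mount /dev/mapper/vg--vm-scratch /tmp/scratch
    chown vboxuser /tmp/scratch
fi
```

Run it once without RUN_RESIZE to confirm the helpers behave, then with RUN_RESIZE=1 as root to perform the host-side steps.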

Friday, May 15, 2009

Using AES on the Cisco 837

While trying to set up an IPSec SA on a Cisco 837 router I ran across an annoying problem. The solution is not obvious (to me) and Google wasn't very helpful, so I figure it is worth mentioning. When trying to configure a transform set using esp-aes I got the following message:

Cisco837(config)#crypto ipsec transform-set my-ts esp-aes 256
Transform ecessa-ts disabled because esp-aes is not supported by encryption hardware

Re-checking the 837 datasheet confirmed that it does support AES in software. Setting 128 or 192 for the cipher length also had the same result. I also tried setting up AES as an ISAKMP encryption parameter and also got an error:

Cisco837(config-isakmp)#enc aes 256
May 15 15:38:03.704: %CRYPTO-4-ENC_METHOD_NOT_SUPPORTED: Invalid encryption method for IKE policy 10

Google was oddly unhelpful, until I searched the comp.dcom.sys.cisco usenet group and found this thread. Apparently, to use AES in software on the 837, you need to disable the hardware 3des engine using the following global configuration command:

no crypto engine accelerator

After that, specifying AES works fine.

Sunday, May 10, 2009

The WS-C3524-XL isn't a good choice for CCNA practice anymore.

I am in the process of studying for the CCNA and I have a Cisco 3524 in my arsenal that I got for cheap before I really had an idea of what gear to buy. It is nice to have the switch around to complete my three switch lab configurations, but as I get deeper into my studying I am finding that there are some significant differences between the 3524-XL and newer Cisco switches that can make using this switch a bit of a headache. The problem is that this switch is EoL and Cisco stopped supporting this switch in IOS 12.0. Presumably these shortcomings apply to the 3548-XL and 2900-XL devices as well. For the sake of comparison, my other switches are 2950s and 3550s, which are much more capable/recent. Here is a list of shortcomings that I have identified thus far; I will update the list as I find more.

  1. VLAN database - The newer IOS versions place VLAN and VTP configuration inside of configuration mode; namely the vlan and vtp global commands. At first glance, these commands appear to be missing from the 3524 interface, but really they are just placed elsewhere. These commands are located in the vlan database privileged-mode interface. Access this mode and you can configure VLANs and VTP to your heart's content. The command syntax is mostly the same too.
  2. switchport nonegotiate - This command does not exist on the 3524 IOS.
  3. switchport mode dynamic - This command does not exist on the 3524 IOS. Your choices are trunk or access. You also cannot connect a 3524 trunk port to another switch (2950 in my case) configured for a dynamic mode. The other switch will freak.
  4. switchport voice - The 3524 does support this command, but it does not appear to work properly. I connected [linux] notebooks to voice ports on a connected 3524 and 2950 and configured 802.1q tagging interfaces. The tagged IP addresses could not communicate, but the untagged (access) IP addresses could. Repeating this with a 2950 and 3550 connected works just fine for tagged and untagged frames. I was able to approximate the behavior by setting the 3524 port to trunk mode, but this would probably not be acceptable in a production environment.
  5. show interface trunk - This very useful troubleshooting command does not exist on the 3524 IOS.

There are probably more I have forgotten. Bottom line, the 3524 and similar switches are okay for an extra switch if you can get them dirt cheap (<$50), but don't buy them with the expectation that you will be able to study everything on the ICND2/CCNA exam.