quarta-feira, 3 de junho de 2015

Recover data from a single RAID1 drive

If you found this blog post you probably know why you need it.

One good reason to run RAID1 is that all data is contained on both drives of the array. RAID1 is a cheap uptime-friendly setup which is not space efficient and should not be used on current hard drives (> 1TB). That's why current systems run RAID6 ... on expensive and reliable hardware with automatic backups and disaster recovery plans in place. What follows regarding RAID1 is, in general, impossible with any other RAID level.

With that in mind...

1. Insert drive on USB dock and connect it to a computer running Linux; in this example the device appears as /dev/sdb 

2. List available partitions
root@laptop:~# parted -l /dev/sdb
Model: WDC WD50 00AAKS-00YGA0 (scsi)
Disk /dev/sdb: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number Start End Size File system Name Flags
4 1049kB 10.7GB 10.7GB raid
5 10.7GB 21.5GB 10.7GB raid
1 21.5GB 23.6GB 2147MB raid
3 23.6GB 24.2GB 537MB raid
2 24.2GB 500GB 476GB raid
3. Setup RAID1 device using a single drive

If you know which partition was in use in the RAID array (ex: partition 2) just run
mdadm --assemble --verbose /dev/md0 /dev/sdb2
Otherwise, you can let mdadm guess. If you don't have other RAID members in the system it will probably work:
root@laptop:~# mdadm --assemble --verbose /dev/md0
mdadm: looking for devices for

mdadm: no RAID superblock on /dev/sdb5
mdadm: /dev/sdb4 has wrong uuid.
mdadm: /dev/sdb3 has wrong uuid.
mdadm: /dev/sdb1 has wrong uuid.
mdadm: no RAID superblock on /dev/sdb
mdadm: no RAID superblock on /dev/sda5
mdadm: no RAID superblock on /dev/sda2
mdadm: no RAID superblock on /dev/sda1
mdadm: no RAID superblock on /dev/sda
mdadm: /dev/sdb2 is identified as a member of /dev/md0, slot 0.
mdadm: added /dev/sdb2 to /dev/md0 as 0
mdadm: /dev/md0 has been started with 1 drive.
4. Check status
root@laptop:~# cat /proc/mdstat Personalities : [raid1] [linear]
md0 : active linear sdb2[0]
464779264 blocks super 1.2 0k rounding

unused devices:

5. Mount device
mount /dev/md0 /mnt/recover
If the mount fails and you see this in the logs
Jun 3 14:32:53 ghlaptop kernel: [16068.061347] EXT4-fs (md0): bad block size 65536
apt-get fuseext2
fuseext2 -o ro -o sync_read /dev/md0 /mnt/recover
6. Backup your data
mkdir /root/raid1data
cp -R /mnt/recover /root/raid1data


segunda-feira, 20 de abril de 2015

Docker test drive - the sane way


Would you like to try Docker effortlessly on a standard Centos or Ubuntu machine? The summary below will take you there. These instructions work both on physical and virtual machines and will get you Docker containers working in a couple of minutes.


Centos 6.x
Requirements: EPEL repo, kernel >= 2.6.32-431
yum install docker-io
service docker start
chkconfig docker on
Ubuntu 14.04
wget -qO- https://get.docker.com/ | sh
Test run
 docker run hello-world

Ubuntu 14.04 minimal guest

 Download image, create a container that stays running, run a shell on it:
docker pull ubuntu
docker create --name=$MYHOSTNAME --hostname=$MYHOSTNAME ubuntu sleep infinity
docker start  $MYHOSTNAME
docker exec -it $MYHOSTNAME bash
 Create a non-root user and enable ssh on the container
apt-get update
apt-get install -y openssh-server
useradd -m -s /bin/bash myuser
passwd myuser
sed -ri 's/^session\s+required\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/sshd
service ssh start
Stop the the container in order to test the startup procedure
docker stop $MYHOSTNAME
 Test the container startup procedure and try to access it using ssh
docker start  $MYHOSTNAME
docker exec  $MYHOSTNAME service ssh start
GUESTIP=`docker exec $MYHOSTNAME ip -4 -o  addr  list eth0 label eth0 | awk '{print $4}' | awk -F/ '{print $1}'`
ssh myuser@$GUESTIP
Done! We have a simple procedure to create as many Ubuntu 14.04 general purpose guests as needed using Docker technology.

Final notes

This article aims to be the Docker test drive I haven't found elsewhere. It provides a basic OpenSSH server installation and deals with the exit-after-start nonsense discussed here - the "sleep infinity" command is there to ensure the container stays running until it is explicitly stopped. For other purposes the default behaviour might be better but this is what makes sense in a Docker test drive, especially for people with a virtualization background.

sábado, 18 de abril de 2015

Linux load average - the definitive summary

What is the Linux load average?

This is not exactly an orphan question but, as many other questions we tried to address in this blog, it is surrounded by misconceptions and incorrect information. Every time one starts discussing load averages, either in person or online, confusion steps in... and refuses to leave. We will try to provide an explanation that is "as simple as possible, but not simpler", as Einstein said once, and also short enough to be worth reading.

Definition 1

We will call the instantaneous load of a system the number of tasks (processes and threads) that are willing to run at a given time t.

Tasks willing to run are either in state R or D. That is, they are either actually running or blocked on some resource (CPU, IO, ...) waiting for an opportunity to run. The instantaneous number of such tasks can be determined using the following command

ps -eL h -o state | egrep "R|D" | wc -l

(see footnote [1] for more info on this)

Definition 2

We will call the load average of a system a specific averaging function of the instantaneous load value and all the previous ones.

For historical reasons the Linux kernel adopted the recursive functions

a(t,A) = a(t-1)exp(-5/60A) + l(t)(1-exp(-5/60A))

where parameter A takes the values of 1,5 and 15 and l(t) is the instantaneous load. To the above set of 3 functions, corresponding to the 3 values of A, we call 1m, 5m and 15m load averages. If we set A=0 we find a(t,0)=l(t) recovering, therefore, definition 1. That means, l(t) would be the 0m load average.

The load average values are calculated by the kernel every 5 seconds using a(t,A).


First of all we should stress that the load average from definition 2 is just a generalization of definition 1.

While their values are similar in nature, the larger the value of A, the lower the contribution of the instantaneous load compared to the contribution of the historic load average value. The main purpose of using an "averaging" function is the smoothening of fast oscilations that could render human inspection of load values nearly impossible. The timespan of that smoothening effect is influenced by parameter A.

The load average can be calculated from a bash or python script, using definitions 1 and 2, just as the linux kernel does (see /proc/loadavg and https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/sched/proc.c). Here is the example output of one such calculation, using ps and a(t,1) to estimate the 1m load average:

Kernel vs Script 1m load calculation
Second of all we need to argue that there is no such thing as a too high load average, in absolute terms. In fact, number of tasks that are willing to run on a given system depends on:
  • the architecture of the software that is running (is it mostly monolithic? or prone to spawn many processes? how dependent are such processes between each other?)
  • the CPU throughput requested by the software that is running
  • the I/O throughput requested by the software that is running
  • the CPU performance of that system
  • the I/O performance of that system
  • the number of available cores
Therefore, we can only say "the load average is too high on that system" if we know the "the normal value for that system". The "normal value" is an empirically discovered value under which that system usually runs and is known to perform acceptably. The normal value could well be 2 for a server with a low number of cores that runs an interactive web application, or could be 50 for a server that runs (non-interactive) numeric simulations jobs during the night.

  • for the same requested I/O effort and the same hardware, a software implementation that spreads the computation across many processes or threads will generate a higher load average; even though the actual throughput is the same, 10 processes trying to write 10MB each, on an I/O starved system, generate a higher load average than one process trying to write 100MB on the same system
  • given a certain software that sets all the existing CPU cores to 100% while running on a specific machine, its execution on a system with smaller a number of cores, or slower cores, will generate a higher load average; whether that higher load is a problem or not depends on the use case (if it means your numeric simulation or your file server backup takes 10 more minutes during the night but will still be ready in the morning then no harm is done)
To finish the article we should describe the important relationship between load average values and the CPU usage values that can be seen with utilities like top or iostat (%usr, %sys, %wait, %idle). As we have seen, load average values don't have an absolute numerical meaning unlike CPU usage values, which are are expressed in % of CPU time:
Time spent running non-kernel code. (user time, including nice time)

Time spent running kernel code. (system time)

Time spent waiting for IO. Note: %iowait is not an indication of the amount of IO going on, it is only an indication of the extra %usr time that the system would show if IO transfers weren't delaying code execution.

Time spent idle.
For systems running below their limits, CPU usage values are much more useful than load average values, since their numeric interpretation is universal. But once limits are hit, i.e, CPU %idle time becomes nearly zero, load average values allow us to see how much off the limits the system is running... once we establish a baseline, which is the normal load average for that system (software+hardware combination).

We summarize the load average / CPU usage relationship with a short list of true statements:
  • if all system cores are running at %sys+%usr=100 the instantaneous load is equal to or higher than the number of cores
  • the instantaneous load being higher than the number of cores doesn't mean all cores are running at %sys+%usr=100, since many processes may be I/O waiting (state D)
  • the instantaneous load being higher than the number of cores implies that the system can't be mostly idle; at least some of the cores will be seen for a relevant amount of the time in sys,usr or wait states
  • a system can be slow / unresponsive even with an instantaneous load below the number of cores because a small number of I/O intensive processes may become a bottleneck
  • in a pure CPU intensive scenario (negligible I/O, no processes in state D) where %idle > 0, the instantaneous load is equal to ((100 - %idle)/100) * NCORES; for example, on a 4 core system at steady %sys+%usr=90 we would have an instant load of ((100-10)/100)*4 = 3.6
Statement 5) can be easily tested by running

stress -c X
while looking at the output of top on a different terminal, waiting for the 1m load average to stabilize. It is trivial to see that the above formula holds until X=NCORES, which will cause %idle=0.

We haven't discussed Hyperthreading, or the equivalent AMD feature, to avoid complicating the discussion but where above we say NCORES, it could be the number of virtual CPUs, including CPU threads. Of course, each additional % usage on the second thread of an already busy core doesn't yield a proportional throughut.


[1] - The same result should be obtainable by parsing /proc/loadavg (4th field) or /proc/stat (procs_running, procs_blocked) but we have seen from experience that multiple processes in state D are shown by ps but not counted on /proc/loadavg and that neither /proc/loadavg (4th field) nor /proc/stat include threads in the task counters, even though they are taken into account in the load average numbers exposed by the kernel.


The load average bible in 3 volumes:


domingo, 8 de fevereiro de 2015

Multi Wan OpenVPN - the setup

keywords: multi wan openvpn, double wan openvpn, double openvpn,

We have recently realized that the "Multi Wan OpenVPN" question was either an orphaned question or one with a too low signal/noise ratio. We intend to clear things up with this short post.

  • some VPNs need multiple entry points with different public IPs for redundancy 
  • if more than one public IP belongs to the same VPN gateway we have a problem if we use OpenVPN because it sends all reply packets through the default route of the system instead of respecting the routing rules, preventing the connection from being established except on the IP of the interface the default route is assigned to - here is the bug report
  • there is a PFSense document on top of Google's results suggesting that the OpenVPN process should bind to localhost and one should setup port forwardings to from both WAN links - as far as we know this doesn't work at least with Linux + iptables
  • the problem can be worked around easily by replicating the server configuration file and letting the init script start several instances of OpenVPN each one bound to a single WAN interface
  • there is an even easier workaround which is changing the protocol from UDP to TCP (but certainly UDP is the default protocol for a reason - changing to TCP should be a last resort measure, some discussion here)
Below you will find an example of an OpenVPN bridge configuration on a multihomed Centos based gateway with two public IPs. The parameters in bold are the ones directly related to the Multi Wan configuration.

 Server configuration for the first WAN interface - /etc/openvpn/server.conf
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so passwd
proto udp
dev tap0
local wan1.mycompany.com

ifconfig-pool-persist /var/tmp/ipp.txt
push "redirect-gateway bypass-dhcp bypass-dns"
push "dhcp-option DNS"
keepalive 10 120
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
port 1194
user nobody
verb 0

 Server configuration for the second WAN interface - /etc/openvpn/server2.conf
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so passwd
proto udp
dev tap1
local wan2.mycompany.com

ifconfig-pool-persist /var/tmp/ipp.txt
push "redirect-gateway bypass-dhcp bypass-dns"
push "dhcp-option DNS"
keepalive 10 120
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
port 1194
user nobody
verb 0

Bridge setup script

# Set up Ethernet bridge on Linux
# Requires: bridge-utils

# Define Bridge Interface

# Define list of TAP interfaces to be bridged, one per WAN interface
tap="tap0 tap1"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t

for t in $tap; do
    ifconfig $t promisc up

ifconfig $eth promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
 To start up the OpenVPN instances we only need to run
/etc/init.d/openvpn start
One can check that the init script launched two independent instances as follows
 [root@gateway ~]# netstat  --udp -nlp |grep openvpn
udp        0      0 WANIP1:1194 *                               1806/openvpn       
udp        0      0 WANIP2:1194*                               1795/openvpn       
[root@gateway ~]#

For everything to work we need, of course, the linux multihoming configuration to be correclty implemented first. We wrote about that some years ago.

On the client side fault tolerance can be implemented simply by using multiple "remote" statements on the configuration file as in the following example
remote wan1.mycompany.com
remote wan2.mycompany.com
Alternatively, fault tolerance can be controlled by pointing the DNS entry, eg vpn.mycompany.com, to the WAN interface to be used. If that interface fails, a DNS update will enable a reconnection to a different one, given a small enough DNS record TTL.