Tag Archives: Linux

Creating a Net-DevOps environment.

February 6, 2019Containers, ProgrammingAnsible, Container, Devops, Docker, Linux, NetDevOps, neteng, Programming, PythonNicolas Michel |

TL;DR : Code is here. Help yourself 🙂

Introduction to the Net-DevOps Container:

Recently, Ethan Banks posted a very interesting blog post where he struggled a little bit to set up a Python environment. If I understood correctly, he wanted to increase his skills set in particular with NetDevOps. He fairly pointed that it could be a bit complicated to handle all the dependencies you might need. Based on the fact that you also want to start fresh between projects you want to spend the least amount of time resolving these kinds of issues and maximize your time on something that is valuable: Learn how to Automate or just Automate your network environment.

Credit xkcd #1987 and inspired by Ethan’s site to illustrate my point.

A lot of people are in a similar case and are not sure how to start their journey to Devops / Full stack engineer. Ivan Pepelnjak first lessons of the great Network Automation Course is inviting us to create a lab environment so that you can practice in a safe environment (aka “don’t mess with your prod”)… You can use eve-ng / GNS3/ VIRL / Vagrant to emulate the devices but I also wanted to have an environment where I could run the code …. and don’t have to rely on my corporate laptop OS.

I was in a similar case a few weeks ago and I decided to setup an environment that would fill the following requirements:

Must be able to run scripts
Changes in that environment must be quick and easy to install. We don’t have much time to troubleshoot the dependencies.
Must be able to edit code on my favorite code editor rather than vim (sorry guys … my beard is not long enough 🙂 )
Must be able to run the environment on any machine (PC / MAC / Server) so that I can experience the same behavior everywhere.

All these requirements led me to the wonderful world of Docker !

By definition, Docker is a tool engineered and release with one goal in mind: “Create and Deploy application using containers”. It was natural to add Docker as a tool of the NetDevOps portfolio. It felt natural to create a “NetDevOps container that will allow me to work with efficiency in mind. I wasn’t very familiar with it until last year so it was a good opportunity to learn it.

In order to have a container, you need to choose a base image and I decided to go with Ubuntu 18.04 because I was familiar with it and enjoyed it throughout the years. Ubuntu is now very popular across the world and the community is one of the best (if not the best)

Then, I managed to install all the regular and well-known linux tools that I am using as a network engineer: fping/hping, curl, htop, iperf, netcat, nmap, openssh-client, snmp-walker (yeah !), tcpdump, tshark, telnet (!), wget, vim and zsh. I am pretty sure you used them at least once as well …

From a Net DevOps standpoint, I have installed most of the things I needed as well: Python2, Python3, Powershell (NSX), PIP, Ansible 2.7.4. Libraries are not left behind, they are critical and mandatory for your scripts to run. We are network engineers and not full time developers (or real developers I should say) so there is a chance we will use the same libraries over and over again (e.g netmiko, napalm, nornir, xmltodict, PyYAML …). Hank from Cisco DevNet has released an awesome video that demonstrates all the useful libraries a network engineer should use. I have implemented these libraries into a requirements.txt file that will be copied and installed when the docker image is build using pip. There are still some work that needs to be done in order to configure ansible up to this point but I got mainly what I need …

Demonstration:

First, I need to build the image ( I use the term “bake” when I speak about container so it helps neophytes to understand it better) so that I can consume it.

nic@vPackets-MBPro.local:/Users/nic/Code/DOCKER - Tools git:(master) $ docker build -t vpackets/tools .                                     
...
...
...
Successfully built 130aba981a36
Successfully tagged vpackets/tools:latest

nic@vPackets-MBPro.local:/Users/nic/Code/DOCKER - Tools git:(master) $ docker build -t vpackets/tools .

...

Successfully built 130aba981a36

Successfully tagged vpackets/tools:latest

Now that you baked (built) the container using the recipe (Dockerfile), you are ready to consume the container.

docker run -dit --name vpackets-tools -h vpackets-container -v /Users/nic/Code/:/home/nic/code vpackets/tools:latest

1	docker run -dit --name vpackets-tools -h vpackets-container -v /Users/nic/Code/:/home/nic/code vpackets/tools:latest

We are now in the container and ready to automate !!! We have access to our networking tools as well as our NetDevOps tools

It is obvious that if you want to use that particular container, you should probably change a few things to accommodate your needs. For example this container will create a user ‘nic’ with a home directory of the same name … You might want to change that. Also, I did a mapping of my laptop drive to a folder in the container so that I could use my laptop editor to work on my code but execute it in the container.

I am still far away from being an expert in NetDevOps so if you have suggestions or comment so that I could improve this, please let me know !

Also I have uploaded a series of video of that work here. Refer to videos 3 and 4 in order to see this in action.

Recover a RAID5 Array on Linux with healthy disks

May 25, 2018HomeAtom C2000, Atom C2538, Linux, Raid, Raid5, Storage, SynologyNicolas Michel |

Intel Atom failures

I know the title sounds a bit weird and you may ask why would you need to recover a RAID5 array when all your disks are healthy, right?

To understand what is going on, my DS1515+ has an Intel Atom C2538. (source: Synology CPU / NAS Type). It recently caused a lot of issues in the IT industry. (remember the Cisco clock issue? 🙂 )

The Errata AVR54 of the C2000 Specifications update clearly states the following: “system may experience inability to boot or may cease operation”. My NAS was starting to have regular reboots and it completely crashed before I could back up the last delta of data.

In the first instance, Synology denied any abnormal failure rate on this specific hardware while admitting a flaw (!). Synology then extended the warranty of all the NAS platforms affected by this hardware flaw.

Recovering the data using the GUI. (fail)

I immediately opened a case with Synology who sent me another DS1515+ pretty quickly. I still had to pay for express shipping).

After I inserted my disks into the newly received NAS, I noticed that the new NAS was beeping and was trying to recover my RAID5 array without any luck. The DSM told me that the Raid 5 array was down but all disks healthy.

I waited until the parity check was performed to verify if the Synology was silently trying to recover the volume. Unfortunately after 10 hours, nothing appeared in my volume list.

I decided to dig and found plenty of useful information provided by Linux experts in the Synology community (shootout to him/her).

Here is what I have done:

Recovering the volume using the CLI. (Semi-success)

First I wanted to check my raid information:

admin@Syno-Home:/volume1$  cat /proc/mdstat
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4]
md2 : active raid5 sda3[0] sde3[4] sdd3[3] sdc3[2] sdb3[1]
      11701777664 blocks super 1.2 level 5, 64k chunk, algorithm 2 [5/5] [UUUUU]

md1 : active raid1 sda2[0] sdb2[1] sdc2[2] sdd2[3] sde2[4]
      2097088 blocks [5/5] [UUUUU]

md0 : active raid1 sda1[0] sdb1[1] sdc1[2] sdd1[3] sde1[4]
      2490176 blocks [5/5] [UUUUU]

admin@Syno-Home:/volume1$ cat /proc/mdstat

Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4]

md2 : active raid5 sda3[0] sde3[4] sdd3[3] sdc3[2] sdb3[1]

11701777664 blocks super 1.2 level 5, 64k chunk, algorithm 2 [5/5] [UUUUU]

md1 : active raid1 sda2[0] sdb2[1] sdc2[2] sdd2[3] sde2[4]

2097088 blocks [5/5] [UUUUU]

md0 : active raid1 sda1[0] sdb1[1] sdc1[2] sdd1[3] sde1[4]

2490176 blocks [5/5] [UUUUU]

I knew md0 and md1 (system + swap) were fine but md2 (actual data) was not behaving properly even though my disks were “fine”. The Raid 5 state is clean and the number of disks is accurate with what I have (/dev/sd[abcde]3). Let’s find with more detail the state of the RAID 5 array:

admin@Syno-Home:/volume1$ sudo mdadm --detail /dev/md2
/dev/md2:
        Version : 1.2
  Creation Time : Wed Aug 19 16:28:10 2015
     Raid Level : raid5
     Array Size : 11701777664 (11159.69 GiB 11982.62 GB)
  Used Dev Size : 2925444416 (2789.92 GiB 2995.66 GB)
   Raid Devices : 5
  Total Devices : 5
    Persistence : Superblock is persistent

    Update Time : Thu May 24 21:49:28 2018
          State : clean
 Active Devices : 5
Working Devices : 5
 Failed Devices : 0
  Spare Devices : 0

         Layout : left-symmetric
     Chunk Size : 64K

           Name : Syno-Home:2  (local to host Syno-Home)
           UUID : e55ddd73:47653974:e2639cbd:36b06604
         Events : 4660

    Number   Major   Minor   RaidDevice State
       0       8        3        0      active sync   /dev/sda3
       1       8       19        1      active sync   /dev/sdb3
       2       8       35        2      active sync   /dev/sdc3
       3       8       51        3      active sync   /dev/sdd3
       4       8       67        4      active sync   /dev/sde3

admin@Syno-Home:/volume1$ sudo mdadm --detail /dev/md2

/dev/md2:

Version : 1.2

Creation Time : Wed Aug 19 16:28:10 2015

Raid Level : raid5

Array Size : 11701777664 (11159.69 GiB 11982.62 GB)

Used Dev Size : 2925444416 (2789.92 GiB 2995.66 GB)

Raid Devices : 5

Total Devices : 5

Persistence : Superblock is persistent

Update Time : Thu May 24 21:49:28 2018

State : clean

Active Devices : 5

Working Devices : 5

Failed Devices : 0

Spare Devices : 0

Layout : left-symmetric

Chunk Size : 64K

Name : Syno-Home:2 (local to host Syno-Home)

UUID : e55ddd73:47653974:e2639cbd:36b06604

Events : 4660

Number Major Minor RaidDevice State

0 8 3 0 active sync /dev/sda3

1 8 19 1 active sync /dev/sdb3

2 8 35 2 active sync /dev/sdc3

3 8 51 3 active sync /dev/sdd3

4 8 67 4 active sync /dev/sde3

The partitions were good when I ran an fdisk -l so I tried to stop and reassemble the RAID 5 array.

ash-4.3# mdadm --stop /dev/md2
mdadm: stopped /dev/md2

ash-4.3# mdadm --assemble --force --run /dev/md2 /dev/sda3 /dev/sdb3 /dev/sdc3 /dev/sdd3 /dev/sde3 -v
mdadm: looking for devices for /dev/md2
mdadm: /dev/sda3 is identified as a member of /dev/md2, slot 0.
mdadm: /dev/sdb3 is identified as a member of /dev/md2, slot 1.
mdadm: /dev/sdc3 is identified as a member of /dev/md2, slot 2.
mdadm: /dev/sdd3 is identified as a member of /dev/md2, slot 3.
mdadm: /dev/sde3 is identified as a member of /dev/md2, slot 4.
mdadm: added /dev/sdb3 to /dev/md2 as 1
mdadm: added /dev/sdc3 to /dev/md2 as 2
mdadm: added /dev/sdd3 to /dev/md2 as 3
mdadm: added /dev/sde3 to /dev/md2 as 4
mdadm: added /dev/sda3 to /dev/md2 as 0
mdadm: /dev/md2 has been started with 5 drives.

ash-4.3# mdadm --stop /dev/md2

mdadm: stopped /dev/md2

ash-4.3# mdadm --assemble --force --run /dev/md2 /dev/sda3 /dev/sdb3 /dev/sdc3 /dev/sdd3 /dev/sde3 -v

mdadm: looking for devices for /dev/md2

mdadm: /dev/sda3 is identified as a member of /dev/md2, slot 0.

mdadm: /dev/sdb3 is identified as a member of /dev/md2, slot 1.

mdadm: /dev/sdc3 is identified as a member of /dev/md2, slot 2.

mdadm: /dev/sdd3 is identified as a member of /dev/md2, slot 3.

mdadm: /dev/sde3 is identified as a member of /dev/md2, slot 4.

mdadm: added /dev/sdb3 to /dev/md2 as 1

mdadm: added /dev/sdc3 to /dev/md2 as 2

mdadm: added /dev/sdd3 to /dev/md2 as 3

mdadm: added /dev/sde3 to /dev/md2 as 4

mdadm: added /dev/sda3 to /dev/md2 as 0

mdadm: /dev/md2 has been started with 5 drives.

When I tried to mount my partition as mentionned in the above link from the Synology forums, I had the following issue:

ash-4.3# mount -o ro /dev/md2 /recovery
mount: wrong fs type, bad option, bad superblock on /dev/md2,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
ash-4.3#

ash-4.3# dmesg | tail
[ 4343.120646] md/raid:md2: raid level 5 active with 5 out of 5 devices, algorithm 2
[ 4343.129021] RAID conf printout:
[ 4343.129024]  --- level:5 rd:5 wd:5
[ 4343.129027]  disk 0, o:1, dev:sda3
[ 4343.129030]  disk 1, o:1, dev:sdb3
[ 4343.129032]  disk 2, o:1, dev:sdc3
[ 4343.129034]  disk 3, o:1, dev:sdd3
[ 4343.129037]  disk 4, o:1, dev:sde3
[ 4343.129083] md2: detected capacity change from 0 to 11982620327936
[ 4343.136496]  md2: unknown partition table

ash-4.3# mount -o ro /dev/md2 /recovery

mount: wrong fs type, bad option, bad superblock on /dev/md2,

missing codepage or helper program, or other error

In some cases useful info is found in syslog - try

dmesg | tail or so.

ash-4.3#

ash-4.3# dmesg | tail

[ 4343.120646] md/raid:md2: raid level 5 active with 5 out of 5 devices, algorithm 2

[ 4343.129021] RAID conf printout:

[ 4343.129024] --- level:5 rd:5 wd:5

[ 4343.129027] disk 0, o:1, dev:sda3

[ 4343.129030] disk 1, o:1, dev:sdb3

[ 4343.129032] disk 2, o:1, dev:sdc3

[ 4343.129034] disk 3, o:1, dev:sdd3

[ 4343.129037] disk 4, o:1, dev:sde3

[ 4343.129083] md2: detected capacity change from 0 to 11982620327936

[ 4343.136496] md2: unknown partition table

So I stopped the raid array and reassembled again and try to check with dmesg what was the status of my array:

ash-4.3# dmesg | tail
[ 4343.129032]  disk 2, o:1, dev:sdc3
[ 4343.129034]  disk 3, o:1, dev:sdd3
[ 4343.129037]  disk 4, o:1, dev:sde3
[ 4343.129083] md2: detected capacity change from 0 to 11982620327936
[ 4343.136496]  md2: unknown partition table
[ 4409.403524] EXT4-fs (md2): INFO: recovery required on readonly filesystem
[ 4409.411127] EXT4-fs (md2): write access will be enabled during recovery
[ 4409.419424] EXT4-fs (md2): barriers disabled
[ 4409.774205] JBD2: journal transaction 23508701 on md2-8 is corrupt.
[ 4409.781228] EXT4-fs (md2): error loading journal
ash-4.3#

ash-4.3# dmesg | tail

[ 4343.129032] disk 2, o:1, dev:sdc3

[ 4343.129034] disk 3, o:1, dev:sdd3

[ 4343.129037] disk 4, o:1, dev:sde3

[ 4343.129083] md2: detected capacity change from 0 to 11982620327936

[ 4343.136496] md2: unknown partition table

[ 4409.403524] EXT4-fs (md2): INFO: recovery required on readonly filesystem

[ 4409.411127] EXT4-fs (md2): write access will be enabled during recovery

[ 4409.419424] EXT4-fs (md2): barriers disabled

[ 4409.774205] JBD2: journal transaction 23508701 on md2-8 is corrupt.

[ 4409.781228] EXT4-fs (md2): error loading journal

ash-4.3#

AH ! The journal has an issue when loading so let’s try to mount it and load the journal. (Do not plan to do that for a long-term use of your NAS, my immediate concern was data recovery).

ash-4.3# mount -o ro,noload /dev/md2 /recovery
ash-4.3#

1 2	ash-4.3# mount -o ro,noload /dev/md2 /recovery ash-4.3#

I guess the mount has been performed and let’s check if I could see something in the /recovery folder:

ash-4.3# ls
@appstore     @autoupdate  @database  yyyyyyy  lost+found  NetBackup  yyyy     @smbd.core	      synoquota.db     @tmp
aquota.group  Backup	   yyyy       @eaDir   Media	   Nicolas    @S2S     @synoaudiod.core       @syslog-ng.core  video
aquota.user   @cloudsync   @download  @iSCSI   music	   photo      yyyyyyy  @SYNO.FileStatio.core  Temp

ash-4.3# ls

@appstore @autoupdate @database yyyyyyy lost+found NetBackup yyyy @smbd.core synoquota.db @tmp

aquota.group Backup yyyy @eaDir Media Nicolas @S2S @synoaudiod.core @syslog-ng.core video

aquota.user @cloudsync @download @iSCSI music photo yyyyyyy @SYNO.FileStatio.core Temp

I could see my folders (some names are changes for obvious privacy reasons) but I was wondering how to retrieve my data now …. the GUI couldn’t see a volume and I couldn’t install any package on the volume in the GUI (because it didn’t see any)…… So I couldn’t FTP at all.

So I had another empty box with Linux running on it and I decided to do some Rsync backup from the old NAS (failed volume) to another NAS.

ash-4.3# rsync -gloptruv /volume1/yyyy/ admin@IP:/volume1/Backup
The authenticity of host 'IP (IP)' can't be established.
ECDSA key fingerprint is SHA256:SHA256ASH:)
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'IP' (ECDSA) to the list of known hosts.
admin@IP's password:
Could not chdir to home directory /var/services/homes/admin: No such file or directory
sending incremental file list
.file.
.file.
.file.
.file.
.file.
.file.
.file.
.file.
.file.
.file.
.file.

ash-4.3# rsync -gloptruv /volume1/yyyy/ admin@IP:/volume1/Backup

The authenticity of host 'IP (IP)' can't be established.

ECDSA key fingerprint is SHA256:SHA256ASH:)

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'IP' (ECDSA) to the list of known hosts.

admin@IP's password:

Could not chdir to home directory /var/services/homes/admin: No such file or directory

sending incremental file list

.file.

I am so happy I retrieved the delta of data and learned from my mistakes. I need to automate the backup more frequently and on one more that 1 device. Now I just have to wait until I could copy a few TB of datas.

I am far from being a linux guru but I know my way around bash. Network Engineers, you need to understand how linux is working. I had a very interesting conversation with Pete Lumbis a year ago at the Software-Defined Enterprise Conference & Expo about how to learn linux … Pete and I had the same observation:

Most of the course I tried about Linux were not reaching the expectation I had, I was quickly bored even though I had to keep watching/reading to understand everything. On this case I did prefer to dig the technology by reading articles and get my hands very dirty.

Nic

From Network Engineer v1.0 to v2.0

May 19, 2017CareerCareer, Certifcation, Engineer, job, Linux, PythonNicolas Michel |

I recently relocated to the US from France/Switzerland and I have been so busy the past 2 years working on that process. Yes, It is that long!

I have been asked about career advice twice this week and I wanted to share my thoughts about it.

Networking in 2008

I think we all agree on the fact that the networking field has been very static for the past 15 years. One of the ways to provide a better network experience to the users/applications was to add more bandwidth (or invest in WAN optimization). OSPF/BGP/EIRGRP/MPLS and spanning tree haven’t changed much since 2002 right?

All the networking manufacturers paradigm was all about releasing new hardware that could provide more bandwidth and availability. As an engineer, you had to know networking protocols but we also had to understand specifics of networking hardware. It was very useful to understand how the 6500 Crossbar was switching packets internally. Another example was the StackWise technology: who remembers that the 3750 v2 could not locally switch without sending packets on the ring?.

Every device had a specific function in the network for example (which is still true at some point). Engineers were doing was vendors told them to do and they had to standardize their deployment (Access – Distribution – Core). It was a safe bet to design to design a network using the 3 tiers architecture mentioned previously.

Some networking engineers are self-educated up to a certain point and one of the ways to learn networking back in the days was to read a Cisco Press book, buy some hardware (2950 – 3600) on eBay and do some labs on your own or using a third party training company. For these engineers, the way to get a job was to climb the traditional certification pyramid (CCENT – CCNA – CCNP – CCIE). While this is still kinda relevant, the CCIE does not automatically open doors for any jobs anymore. Matt Oswalt published a quote that makes total sense “vendor certs are basically a way of putting the vendor in control of your career. On the other hand, fundamental knowledge puts YOU in control”.

I have a dual CCIE and studied very hard to get where I am today but the journey is far from being over (hopefully). I need to be a little less focused on proprietary certification and get some open source knowledge as well. (Damn CCDE you are tempting but I need to resist !)

Linux/Python skills were definitely not mandatory in any of the job descriptions back in the days. But as you can guess it becomes more and more a requirement nowaday.

I’ve been invited to a very interesting dinner with CIOs of Fortune 100 companies recently. They are all aware of the ongoing networking transition. They admitted it was not an easy plan to embrace this evolution but they are already preparing their teams for that.

Speaking of technologies, which technologies are we talking about? Do we need to know everything in IT? the answer is obviously “No” but it is valuable to at least understand how all the systems are interconnecting to each other.

Here is what a job description looked like back in the days (2008):

The need for evolution

I am doing this blog post is because our field is changing and our skills need to evolve with the networking trends. Engineers are the core of the networking industry. We all have a critical function in every organization that is willing to undertake their “business digital” transformation. We need to prepare how to evolve with the upcoming technologies.
I am willing to create a blog post series on how to tackle your own networking evolution. Please do not get me wrong, we still need to understand bits and bytes of all the networking protocols in order to provide connectivity. This statement will never go away (hopefully) and there is no working overlay if the underlay as been designed carefully. What needs to evolve is the way we are able to provision services for our customers/users/applications. When was the last time you heard that the networking team was taking too long to provide connectivity between A and B?

Networking in 2014+

Short story long, network engineers have to stay relevant throughout the years.

Today it would be a bit different, it is definitely expected to know everything that is above right (except maybe Cisco Works and CatOS 🙂 )

Himawan Nugroho made a great Cisco Live presentation that I attended in Milan: BRKSDN-4005 – CCIE Skill transformation to SDN kungfu. The most interesting slide for me is the following one:

He confirmed what I was explaining above. You still have to be an expert at traditional routing/switching but also have a broader knowledge of the following technologies: Linux and Operating Systems, Scripting, Overlays (proprietary and standards) and network virtualization.

Some new protocols and ways to provide network connectivity have recently emerged. Some of them are already dead (Trill anyone ?) and other are being used worldwide in different flavors (VXLAN anyone ?).

We see plenty of blog post related to the eternal question: Should we learn how to script/code:

My take on this is that you should be able to automate your network and most of your tasks. You should not consider going too deep (for now). We are not required to become a full-time developer.

Some of the following items you will find on this list are not necessarily new but it is something that the network engineers can’t avoid to be aware of anymore. This is by no means an exhaustive list but it gives you an indication of what the current trends are in our industry. Feel free to drop a comment if you think something valuable should be added.

Acquiring all of these skills do not happen overnight so I will publish quite a few blog posts about how I am preparing my own evolution. Let me know in the comments below what you liked, disliked or if you have any question.

Nic