Main

SysAdmin Archives

November 17, 2008

"Fixing" Cable Modem Lockups

For quite a while now, we'd been having issues with the modem for our Time Warner Business Class service locking up, and needing to be power cycled to get back online. I've tried to track down what causes it, but haven't been able to reproduce the exact same conditions. It's not related to the overall traffic load, since the modem seemed as likely to freeze in the middle of the night on a weekend as it would during normal business hours on a weekday.

By polling the SNMP counters from our switch once a minute, I can see an increase in broadcast packets around the same time the modem would freeze, but that's about as deep as I've gotten.
After going through another round of multiple calls to the help line, and eventually getting a tech sent out again to replace the modem ( the 4th in 2 years ), I figured there had to be a better way than having to run across town to pull the plug.

I did some searching and reading up, then went to ebay and picked up a couple X10 control modules. For the actual switches, I got 2 AM 466 Appliance Modules, with the second unit on hand if I wanted to control the power on something else. Then to talk to them from the servers, an X10 CM11A computer interface module. The CM11A plugs into a serial port, and is driven by a Heyu.

While Heyu provides lots of nice automation features if I wanted to control lights and such, all I really needed was just a way to command the modules on and off. I used the script from this X10 DSL page as the base for my own, which attempts to do a simple DNS lookup from the local RoadRunner DNS servers. If it fails to get a response from both DNS servers, it will cycle the power on the modem.

So far things have been up and running for almost a month, and the script has reset the cable modem about half a dozen times, and saved me a lot of annoyance and pain. I need to clean the script up and make it a smarter, along with write up a manifest file to get it running under SMF in Solaris. When that's done I'll put it up, I'm sure it'll be useful to others.

February 11, 2009

Wrangling Solaris Zone Consoles

After running with several zones in production for a while, I wanted a better way to log things like console messages, since some things will still occasionally spit them out. For a little bit I tried using screen with a bunch of open windows running zlogin to each zone. But settled on using conserver since it's very well suited for handling access to multiple consoles.

You can download both my sample config file and SMF manifest here.

At first I looked into the method that zlogin itself uses when connecting to the zone console, which talks over a unix domain socket to zoneadmd after a short handshake. But that has a couple issues, one of which is that it's not a supported interface, and could change at some point in the future. Also if the zoneadmd is not yet running, zlogin handles starting it, which establishes the console socket:

default zlogin {
    type exec;
    host localhost;
    exec /usr/sbin/zlogin -CE &;
    execsubst &=cs;
}
console web { include zlogin-bigbox; }

Instead I stuck with using zlogin itself, using -E to disable being able to escape out of the zlogin command. Now conserver launches zlogin and keeps control of the zone's console as long as it is running. It does have a few extra processes around, since there's a shell forked for each zone, which then runs zlogin.

The SMF manifest supports authorizations, so a non-root user can manage the service. I've been creating my own authorizations seperate from the solaris.* namespace. The trick is adding "toplevel.*,toplevel.grant" to root's auths in /etc/user_attr:

# tail -4 /etc/security/auth_attr
seppuku.:::All Seppuku Authorizations::
seppuku.grant:::Grant All Seppuku Authorizations::
seppuku.smf.manage.conserver:::Manage Console Server Service::
seppuku.smf.modify.conserver:::Modify Console Server Properties::
# usermod -A seppuku.smf.manage.conserver ivan

One possible addition would be to run the service as a seperate user with a new RBAC profile that allows that user to run zlogin only. The default Solaris "Zone Management" profile also allows the use of zonecfg and zoneadm.

About SysAdmin

This page contains an archive of all entries posted to Here's A Nickel, Kid in the SysAdmin category. They are listed from oldest to newest.

Programming is the previous category.

Many more can be found on the main index page or by looking through the archives.