Wednesday, February 17, 2010

Traffic (QoS) control built into your EON ZFS storage

Your EON ZFS storage provides access to a lot of services, such as HTTP, HTTPS, SFTP, Firefly/daapd, AFP(AppleShare) and more. All of these services are available as a network resource. Wouldn't it be nice to be able to control or manage how different systems use these network resources, such as bandwidth?

Project Crossbow provides the controls to manage and virtualize network resources. Its traffic controls (QoS) classify packets into flows by transport protocol (TCP, UDP, SCTP, ICMP), local port (so a service such as HTTP on port 80 or iSCSI on port 3260 becomes its own flow), IP address and DiffServ field, and then apply a bandwidth limit and a priority to each flow.

For example, you could simply cap the amount of bandwidth the HTTP, HTTPS or SSH service can use. You could also create VNICs bound to your physical interface and give each virtual or physical NIC a different level of service and bandwidth. This allows for a very flexible storage setup where you can really manage the traffic and the quality of service it delivers.

Let's do a simple 10Mbps bandwidth limit for HTTP via interface bge0 for a flow we will label httpflow. First, we create a flow that matches the HTTP service (TCP traffic to local port 80 on bge0):
flowadm add-flow -l bge0 -a transport=tcp,local_port=80 httpflow
Let's view it:
flowadm show-flow
Finally, let's set the bandwidth limit (until a maxbw is set the flow only classifies traffic, it does not restrict it):
flowadm set-flowprop -p maxbw=10m httpflow
To verify the properties:
flowadm show-flowprop
To watch the flow's packet and byte counters while traffic passes through it:
flowadm show-flow -s -i 1 httpflow
Historical usage is a separate step: show-usage reads an extended accounting log, so network accounting must first be switched on and pointed at a log file, for example with acctadm -e extended -f /var/log/net.log net. The same log is then read back with
flowadm show-usage -f /var/log/net.log
Rather than rehash the numerous possibilities, here are two links that detail this feature fairly well. The first is written by Ben Rockwood and the other can be found here. Traffic control ... out!
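The steps above, wrapped into a small script as an added example (this is not a script from the EON project or from the post). It validates the port and bandwidth arguments before they reach flowadm, removes any stale flow of the same name so it can be re-run, and sets maxbw and priority at creation time instead of in a second step. FLOWADM, DRY_RUN, the function names and the flow names in the demo are this script's own; DRY_RUN=1 only echoes the commands, which is the only way to exercise it on a machine without Crossbow.

```shell
#!/bin/sh
# Added example: create or replace a Crossbow flow that caps one TCP service
# on one NIC. Assumes OpenSolaris-era flowadm(1M) syntax (add-flow, remove-flow,
# show-flowprop). FLOWADM and DRY_RUN are knobs of this script, not of flowadm.

FLOWADM=${FLOWADM:-flowadm}

# run CMD...: execute, or just echo the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_port PORT: digits only, 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_bw BW: an integer followed by exactly one unit letter K, M or G
# (either case), the shape maxbw expects, e.g. 10M or 500k.
valid_bw() {
    case "$1" in
        ''|*[!0-9KMGkmg]*) return 1 ;;   # empty or contains a stray character
        *[KMGkmg]) ;;                    # ends in a unit letter
        *) return 1 ;;                   # no unit letter at all
    esac
    n=${1%?}                             # strip the unit; the rest must be digits
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# limit_service NAME LINK PORT BW [PRIORITY]
# Creates (replacing any flow with the same name) a flow matching TCP traffic
# to local PORT on LINK and caps it at BW with the given priority.
limit_service() {
    name=$1 link=$2 port=$3 bw=$4 prio=${5:-medium}
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    valid_bw "$bw"     || { echo "bad bandwidth: $bw (use e.g. 10M)" >&2; return 2; }
    case "$prio" in
        low|medium|high) ;;
        *) echo "bad priority: $prio (low, medium or high)" >&2; return 2 ;;
    esac

    # Flow names are unique; drop a stale one so the script is re-runnable.
    run "$FLOWADM" remove-flow "$name" 2>/dev/null || true
    run "$FLOWADM" add-flow -l "$link" -a "transport=tcp,local_port=$port" \
        -p "maxbw=$bw,priority=$prio" "$name"
}

# show_limit NAME: read the effective maxbw back, as the post does with show-flowprop.
show_limit() {
    run "$FLOWADM" show-flowprop -p maxbw "$1"
}

# Demo: cap the three services the post mentions. "sh script.sh demo"
if [ "${1:-}" = "demo" ]; then
    limit_service httpflow  bge0 80  10M
    limit_service httpsflow bge0 443 10M
    limit_service sshflow   bge0 22  2M low
    show_limit httpflow
fi
```

Run it with DRY_RUN=1 first and read the echoed commands; then run it for real as root on the storage host. Because remove-flow is issued before add-flow, the cap disappears for an instant on every re-run, which is harmless for a bandwidth limit but worth knowing if you later script priorities for latency-sensitive traffic.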

Monday, February 1, 2010

Creating a EON ZFS storage self signed certificate

Your EON ZFS storage is available with 3 web server options, apache2 (default), lighttpd, and nginx. They are provided with a self-signed certificate that I created to simplify configuration and ease getting them started. Because that certificate and its private key ship with every EON image, anyone who has the image has the key, so it offers no real protection against impersonation. The proper thing to do is replace it with your own certificate or create a self-signed replacement.

Prerequisite(s): This requires the binary kit, or an alternate system with a working openssl, to create your own self-signed certificate.
The "\" means the command is one continuous line. Feel free to experiment and substitute your own arguments for:
days = set to 365 x 10 = 3650 or ~10 yrs
CN = $HOSTNAME = replace with the hostname clients will use to reach the storage (browsers compare it against the name in the URL)
O = Gibraltar Engineering
OU = EON Secure Certificate
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.pem \
-subj "/C=US/ST=NY/CN=$HOSTNAME/O=Gibraltar Engineering/OU=EON Secure Certificate"
The key is 2048 bits; 1024-bit RSA keys are no longer considered strong enough. -nodes writes the private key unencrypted so the web server can start without a passphrase, which is why the file permissions set below matter.
This will produce two files, cert.key (the private key) and cert.pem (the certificate). The files should be owned by the account the server starts as (root, when it binds port 443 before dropping privileges); mode 400 keeps every other account from reading the private key. For Apache2 they are installed and the proper permissions set as follows:
cp cert.pem /etc/apache2/2.2/server.crt
cp cert.key /etc/apache2/2.2/server.key
chmod 400 /etc/apache2/2.2/server.crt
chmod 400 /etc/apache2/2.2/server.key
For lighttpd the certificate and key are concatenated into a single PEM file (ssl.pemfile). That combined file contains the private key, so it must be protected like one:
cp cert.pem /your_pool/lighttpd/etc
cat cert.key >> /your_pool/lighttpd/etc/cert.pem
chmod 400 /your_pool/lighttpd/etc/cert.pem
For nginx:
cp cert.pem /your_pool/nginx/conf
cp cert.key /your_pool/nginx/conf
chmod 400 /your_pool/nginx/conf/cert.pem
chmod 400 /your_pool/nginx/conf/cert.key
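The whole procedure as a script, added here as an example; it is not a script shipped with EON or written by the post's author. Beyond generating the certificate it adds the two checks a practitioner wants before restarting a web server: that the key and certificate actually belong together (copying a key and a certificate from different runs into the server directory is the classic way to end up with a server that will not start), and that the CN matches the hostname clients will use. It uses a 2048-bit key. Assumptions: openssl(1) is on PATH, the destination directories are passed in by the caller (the post's real ones are /etc/apache2/2.2, /your_pool/lighttpd/etc and /your_pool/nginx/conf), and the function names and the example hostname are this script's own.

```shell
#!/bin/sh
# Added example, not an EON script. Generates a self-signed certificate, proves
# the key and certificate belong together, checks the CN, and stages the files
# in the layout each of the three EON web servers expects.
# Assumes openssl(1) on PATH; destination directories come from the caller.

# gen_cert DIR HOSTNAME [DAYS]: writes DIR/cert.key and DIR/cert.pem.
gen_cert() {
    dir=$1 host=$2 days=${3:-3650}
    mkdir -p "$dir"
    # rsa:2048: 1024-bit RSA keys are no longer considered adequate.
    # -nodes leaves the private key unencrypted so the server can start
    # unattended; the chmod 400 in install_cert is what protects it.
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/cert.key" -out "$dir/cert.pem" \
        -subj "/C=US/ST=NY/CN=$host/O=Gibraltar Engineering/OU=EON Secure Certificate" \
        2>/dev/null
}

# pair_matches KEY CERT: succeeds only if CERT carries the public half of KEY.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CERT: prints the CN, which clients compare against the hostname in
# the URL; a mismatch gives a name warning even once the cert is trusted.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# key_is_private FILE: succeeds when neither group nor others can read FILE.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -g=r -o -perm -o=r \) -print 2>/dev/null)" ]
}

# install_cert SERVER SRCDIR DESTDIR: refuse a mismatched pair, copy into the
# layout each server expects, then restrict the private material to its owner.
install_cert() {
    srv=$1 src=$2 dst=$3
    pair_matches "$src/cert.key" "$src/cert.pem" || { echo "key and certificate do not match" >&2; return 2; }
    mkdir -p "$dst"
    case "$srv" in
        apache2)   # SSLCertificateFile / SSLCertificateKeyFile
            rm -f "$dst/server.crt" "$dst/server.key"   # old copies are mode 400
            cp "$src/cert.pem" "$dst/server.crt"
            cp "$src/cert.key" "$dst/server.key"
            chmod 400 "$dst/server.crt" "$dst/server.key" ;;
        lighttpd)  # ssl.pemfile takes certificate and key in one file,
                   # so that file is exactly as sensitive as the bare key
            rm -f "$dst/cert.pem"
            cat "$src/cert.pem" "$src/cert.key" > "$dst/cert.pem"
            chmod 400 "$dst/cert.pem" ;;
        nginx)     # ssl_certificate / ssl_certificate_key
            rm -f "$dst/cert.pem" "$dst/cert.key"
            cp "$src/cert.pem" "$src/cert.key" "$dst/"
            chmod 400 "$dst/cert.pem" "$dst/cert.key" ;;
        *)  echo "unknown server: $srv" >&2; return 2 ;;
    esac
}

# Usage, run as the account that owns the web server's files:
#   gen_cert /tmp/newcert "$(hostname)" && install_cert apache2 /tmp/newcert /etc/apache2/2.2
```

After installing, restart the web server and confirm from a client that the certificate presented is the new one (the CN and validity dates from openssl x509 -noout -subject -dates on cert.pem are the values to compare against). Keep the cert.key copy outside the web root to a minimum: once installed, the only copy should be the mode-400 file the server reads.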