Ceph caching for image pools

Posted on July 14, 2017 by j mozdzen

Running a Ceph storage for small and mid-size private clouds can easily become challenging and spotting supporting information is not always that easy.

A major concern will likely be the over-all speed of the Ceph cluster, as seen by the clients. On the same level, the money required to build and operate the cluster will be important, too. So how do you optimize between these two? Will you need SSDs, will you really need 10G networking?

Here’s my report of what started as a demo environment and moved on to what you may call a production system. Continue reading

Posted in Ceph, howto, Linux, OpenSUSE | Leave a comment

cyradm and custom annotations

Posted on July 5, 2017 by j mozdzen

An old problem reared its ugly head again: Trying to set up mailbox folders in Cyrus imapd for a new Kolab user, the message “Permission denied” was the only result when trying to set the required annotations:

user@somehost:~ > cyradm --user cyrusadmin --auth plain mailhost
Password:
mailhost@company.com> mboxconfig user/username@company.com /vendor/kolab/folder-type mail
Permission denied

But after all, we’re using the Cyrus admin account. So what permission is it looking for?

That does ring a bell. It’s likely that we stumbled across that old problem of cyradm not knowing about custom annotations, rather than about missing permissions. And indeed, looking at “/usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/Cyrus/IMAP/Admin.pm” shows just the static list of annotations. Continue reading

Posted in Horde, Kolab, Linux | Leave a comment

PHP7, LDAP & TLS

Posted on May 19, 2017 by j mozdzen

It’s been quite a while since I’ve updated this blog, but not because we’ve run out of problems – most of the issues were either too complex to document them in a simple article, too confidential to be allowed to be documented here, or both. And I’ve been pretty busy fighting bugs, too, leaving close to no time for getting updates into this blog. So to set a new starting point, here’s a smaller recent issue.

While migrating a PHP application to a newly set up server platform, an issue with non-working connections to a back-end LDAP server turned up. The application just reported some generic problem, while the log revealed a bit more information:

Unable to start TLS and unable to fetch rootDSE entry to see if TLS is supported: Can't contact LDAP server

Fortunately, the LDAP server wasn’t down nor malfunctioning, and fortunately invoking “ldapsearch” to verify the state of the LDAP server (of course invoked on the server running the PHP application) gave an immediate hint at the root cause:

# ldapsearch -Wx -ZZ -h ldap.example.com -b "dc=example,dc=com" "(objectClass=*)" 
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
#

Indeed, the LDAP server was configured to use a certificate that was issued by an internal Certification Authority, the latter using a self-signed certificate. But that’s nothing new and the CA certificate was available on the server where we called “ldapsearch”, so what’s the deal? Continue reading

Posted in howto, openssl, OpenSUSE | Tagged , , | Leave a comment