From: Alexei_Roudnev (Alexei_Roudnev_at_exigengroup.com)
Date: Tue May 01 2007 - 03:51:40 CEST
Message-ID: <005301c78b93$433a0e00$7331a8c0@sjc.exigengroup.com> From: "Alexei_Roudnev" <Alexei_Roudnev@exigengroup.com> Date: Mon, 30 Apr 2007 18:51:40 -0700 Subject: Re: [suse-sles-e] SLES 9 and Compaq Proliant DL-380 and DL-385 hard drive (/dev/cciss) monitoring
----- Original Message -----
From: "Greg Byrd" <gbyrd@yahoo.com>
To: "Alexei_Roudnev" <Alexei_Roudnev@exigengroup.com>; "Gordon Ross"
<G.Ross@ccw.gov.uk>; <suse-sles-e@suse.com>
Sent: Monday, April 30, 2007 6:04 PM
Subject: Re: [suse-sles-e] SLES 9 and Compaq Proliant DL-380 and DL-385 hard
drive (/dev/cciss) monitoring
> Two reasons not to use snmp: 1. our security team will not approve the use
of snmp, and 2. IMHO, snmp is difficult to secure. I've looked
1) snmp is 100% secure as any other protocol, IF you don't allow access to
it from unknown sources and restrict IP{ to it by both SRC and DST IP _AND_
never allow write SNMP mode _AND_ don't allow network snifferring on your
networks. Of course it is not secure for using over the public Internet (but
who runs monitoring thu the public Internet?)
What are you going to secure in snmp? Read-only traffic from 1 well known
host to another well known host? Just restrict SNMP by any firewall to their
SRC and DST IP addresses, and be 100% sure that you never allow (on the
server) any WRITE snmp (so that snmp can only got information from the
server, and then that snmp can only go between IP1 and IP2 and both IP are
on the same network).
Of course SNMP never can be secure (except SNMPv3 with MD5 / HMAC
authentication) if it runs outside of internal network where it can be
interceipted; but don't forget that 99% of service providers runs SNMP (even
SNMPv1 with community securty only) without any securoity concerns - just
restricting SNMP traffic to the 100% well known hosts and to READ-ONLY mode.
We run SNMP in Russia (where everyone is a hacker) for more than 15 years,
just SNMPv1, without any security problems (but of course with carefully
constructed filters so that no any customer could issue even frauded SNMP
packet to any of our network devices).
Of course it works only if you 100% control access to your network. In
addition, we never used SNMP alerts (I am not saying that they are totally
wrong but an idea of sending alerts in binary format using whicked MIB
numbers looks trerrible and cause numerous problems - I saw alerts like
_event 10.2.34.5.66 - comes from the server_ - and no one knew what is this
event about...).
Through if you have a serious concerns, look into SNMPv3 and md5 on IP
level.
>
> We use Oracle, but haven't looked at their enterprise manager. We're
running Oracle on our mainframe guests,
> as well as RAC 10G on AMD servers, but Intel elsewhere.
If you run RAC already, then look into the GRID (Oracle Enterprise Manager)
server which can monitor Oracle databse AND Linux boxes. To my great
surprise, agent works pretty well and recognized DELL servers with all their
stuff, so may be it can do the same with Compaq servers too? (But if it is
in production, you must purchase additional package license, about $3K/CPU,
to use it, through it works out of the box - kind of dirty Oracle's games
with the licensing). Anyway it is a good thing, good to try - in the worst
case, if you spend few hours, find this hidden checkboxes which Oracle is
writing about when saying _you should disable features_ while never show
this checkboxes except deep. deep inside the menu's so that most people
never have a chance to change them - it still adds a lot of control and
database management.
>
> I really don't want to get into using an application that's kernel
specific. Since we use Novell's stock kernel, compiling HP's source rpm for
> quad-port GB nic is kernel dependent (upgrading kernels breaks the kernel
bonding). Having to compile rpms for three hardware
> architectures is a real pain for each kernel upgrade.
That's why I try (with 100% success for now) never compile any modules and
use 100% modules coming with the system (changing hardware and not software
when necessary). Saves a lot of time on the system updates and upgrades. But
yes, you can't use EMC for example with such policy (I have other reasons to
avoid it - until now they used their own uncompatible disks, their own
uncompatible PowerPath software and so on), or some other vendors (who are
not compatible with default Linux without additional vendor-specific
drivers, which are very dangerious because you risk to lost an option to
upgrade a kernel), so it's kind of balance - be limited in hardware or allow
vendor-specific modules manually installed into the system.
>
> That's more info than was asked about, but I really do appreciate the
input. 8-)
>
> Greg
>
> ----- Original Message ----
> From: Alexei_Roudnev <Alexei_Roudnev@exigengroup.com>
> To: Greg Byrd <gbyrd@yahoo.com>; Gordon Ross <G.Ross@ccw.gov.uk>;
suse-sles-e@suse.com
> Sent: Monday, April 30, 2007 4:07:04 PM
> Subject: Re: [suse-sles-e] SLES 9 and Compaq Proliant DL-380 and DL-385
hard drive (/dev/cciss) monitoring
>
> 1) WHy dont install snmpd?
>
> 2) Did you try Oracle enterprise manager ? (Aside of licensing questions,
> which are weird) It is a very solid monitoring SW package and it
recognized
> all DEL specific stuff - may be it can recognize Compaq specific stuff as
> well?
>
>
> ----- Original Message -----
> From: "Greg Byrd" <gbyrd@yahoo.com>
> To: "Gordon Ross" <G.Ross@ccw.gov.uk>; <suse-sles-e@suse.com>
> Sent: Monday, April 30, 2007 2:30 PM
> Subject: Re: [suse-sles-e] SLES 9 and Compaq Proliant DL-380 and DL-385
hard
> drive (/dev/cciss) monitoring
>
>
> > We don't have snmp installed, so I'm looking for something that uses
> syslog.
> >
> > ----- Original Message ----
> > From: Gordon Ross <G.Ross@ccw.gov.uk>
> > To: suse-sles-e@suse.com
> > Sent: Monday, April 30, 2007 3:06:27 PM
> > Subject: Re: [suse-sles-e] SLES 9 and Compaq Proliant DL-380 and DL-385
> hard drive (/dev/cciss) monitoring
> >
> >
> > >>> On 30 April 2007 at 21:58, in message
> > <772243.12625.qm@web39602.mail.mud.yahoo.com>, Greg Byrd
> > <gbyrd@yahoo.com>
> > wrote:
> > > Everyone,
> > >
> > > I'm looking for a way to monitor for hard drive failure on our DL-380
> > and
> > > DL-385 servers (DL-380 models include G3 and G4, whereas DL-385
> > servers being
> > > G1). I've rebuilt the cpq_cciss rpm, but since we don't use snmp
> > (required
> > > by cpqarrayd), I'm having trouble getting this rpm rebuilt without
> > failing
> > > net-snmp checks (installing net-snmp doesn't resolve the issue).
> > >
> > > With this in mind, I'm wondering what others are using for hard drive
> >
> > > monitoring on Proliant DL-38X systems. The utility needs to utilize
> > syslog
> > > for alerting.
> >
> > Have you looked at and ruled out the Proliant Support Packs ? These
> > provide monitoring tools/agents - typically used via SNMP.
> >
> > GTG
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
> > For additional commands, e-mail: suse-sles-e-help@suse.com
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
> > For additional commands, e-mail: suse-sles-e-help@suse.com
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
> For additional commands, e-mail: suse-sles-e-help@suse.com
>
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
For additional commands, e-mail: suse-sles-e-help@suse.com
This archive was generated by hypermail 2.1.7 : Tue May 01 2007 - 05:58:59 CEST