Not Good Enough

We have some spare slots in an IBM EXP810 disk tray attached to our DS4000 series storage system and thought of filling them with 1TB SATA disks. MCG Technology have 1TB Seagate drives (ST31000340AS) for $179 including tax (or 16c per GB). Note that these drives come with a 5 year warranty. So I figured a drive from IBM would probably be around the $500 mark. That would allow for an enterprise spec’ drive, the enclosure and IBM’s usual exorbitant markup.

Boy was I wrong.

Our Australian dollar ex-tax purchase price for a 1000 GB/7.2K SATA EV-DDM drive is $2100.00 each. I couldn’t believe it. That works out to $2.10 per GB - and they’re not proper sized gigabytes either.

By contrast a 750GB SATA drive from IBM comes to $850.00 or $1.13 per GB.

Now I know that the world is in a financial crisis. But that doesn’t excuse IBM ripping its customers off. It appears that the robber barons of Wall Street have moved to 1 New Orchard Road.

It’s just not good enough!

OpenLDAP is open source LDAP software. It’s used on a lot of Unix and Linux distributions. ldapsearch is a utility that comes with OpenLDAP. It allows you to search an LDAP directory from the command line. This is potentially very useful when you need to access LDAP from a shell script. You can even use it to access Active Directory, as Phil Lembo shows here.

Unfortunately, when ldapsearch returns its results it wraps the output after 76 characters - and it doesn’t appear to give an option to turn line wrapping off. Now what bright spark thought that this would be a good idea. That makes it a pain in the arse when you’re trying to grep the output of a directory search.

Someone does seem to have come up with a patch back in 1999, but it doesn’t appear to have made it into production.

It’s just not good enough!

I went to shut my computer down last night and received the following error (it turns out that “No” was the option I wanted - “Yes” didn’t seem to do anything):

It’s just not good enough!

Ah, criticising Microsoft is a bit like picking on the disabled kid.

Anyway, one of the issues we have with Windows is when a user accidentally moves a directory.  How do you accidentally move a directory you ask. By moving your mouse across the screen. Sometimes, for one reason or another, as you drag the mouse the left button gets held down and suddenly you’ve moved a directory. If it’s a small directory the user may not even be aware that they’ve done it - and sometime later we get asked to restore the “missing” directory.

This has happened often enough that I’ve been asked to modify permissions on directories so that users can’t do it. The problem is I can’t - the permissions on the directories are fine. The users concerned are supposed to be able to do what they do.

Really this isn’t a security issue, it’s a usability issue. If Microsoft had provided an option in Windows so that the user would be asked to confirm a move then we would all be happy. Unfortunately, they haven’t.

You might be thinking “so what - it’s the user’s fault, they should have been more careful”. However, it’s easy to do. Browse to your favourite search engine and enter Windows Explorer move confirm and you’ll see that plenty of other people have the same problem.

So, Microsoft, why haven’t you fixed this issue? It shouldn’t be hard - you only need to provide a tick box under the Folder Options menu and then, if it’s ticked, ask the user to confirm a drag and drop move. One of your gun Windows programmers could probably knock it up over lunch.

It’s just not good enough!

I’m big on virtualisation. I think it’s the way of the future, especially from a DR perspective. The combination of VMware ESX and SAN replication means that the downtime due to the loss of a data centre can be minimised. Virtualisation potentially makes DR a lot easier. As a matter of fact, I think it’s worth virtualising everything, even if you only run one virtual server per physical server. VMware ESXi is now free so it doesn’t even have to cost anything to do it. In my mind it makes a compelling argument.

The only fly in the ointment is the problem of those products that won’t work without a licence server. Some products require a USB or parallel port dongle. They obviously can’t be virtualised.

However, licence servers that don’t require dongles (e.g. FlexLM based) are prime candidates for virtualisation. We can virtualise these servers and know that if we have to fail over to our backup data centre everything will still work.

Intergraph now require a licence server if we want to use their SmartPlant Materials (formerly called Marian) product. Thta’s fine, it’s their product. Unfortunately, they won’t allow us to virtualise the licence server. To my mind, this means that Intergraph are saying that they don’t care about us or our business.

It’s just not good enough!

We have an IBM Blade Center with two Management Modules, two Nortel Ethernet switches and two Brocade Fibre Channel switches.

The Management modules are used to provide the I/O Modules (the Ethernet and Fibre Channel switches) with basic network configuration (IP address, etc.). The rest of the configuration of the I/O Modules is done directly on the modules themselves (i.e. via telnet or a web browser and Java).

We have had an issue with the Blade Center where after an outage the external ports on the I/O Modules come up disabled. I had to connect to each of the modules and enable to external ports. Now, the first time this happened I assumed that some twit (me) had forgotten to save the configuration of the I/O Modules. So, of course I made extra sure that I saved the configuration.

The next outage we had the same thing happened. The external ports where disabled. However, it was obvious that the configuration had been saved because all the other settings (VLANs, etc.) were correct.

Later I discovered by accident that there’s a setting in the Management Module that overrides the I/O Modules. This setting is tucked away in the Admin/Power/Restart screen when all other configuration is access via the Configuration screen (or by connecting to the modules directly). And it seems that this setting defaults to disabled (although I can’t confirm that):

I/O Modules Advanced Setup

Now, I can perhaps think of a reason for allowing the Management Module to override the I/O Modules (maybe - if you want to disable all external I/O to a particular module, although we can do that by connecting to the modules themselves, the place where we would normally configure them). But why default to disabled? And if we enable the ports on the I/O modules themselves, shouldn’t the above setting also change to enabled?

It’s just not good enough!

Ah IBM. Their Remote Supervisor Adapter II allows for the creation of up to 12 login ids. The problem is, when you create a password it doesn’t tell you if the password is too long. From trial and error, it seems that the maximum password length is 15 characters. I’ve looked at the source code of the page and I can see that the password field is restricted to that many characters (perhaps I should have saved myself a lot of trail and error testing by looking at the source first):

RSA II Password Length - HTML Code

Now 15 characters isn’t that bad (plenty of systems allow only 8 and it seems one UK bank only allows six). The problem is that it lets you think you have created a password with more than 15 characters - but it only stores the first 15 characters. So, if you set your password to a123456789012345 you can’t login using that password (however, you can login using a12345678901234). Imagine the consequences if this is the only log in account, and you don’t realise the 15 character limit.

Surely it couldn’t have been that hard for the programmer creating the page to have done a basic check and popped up an error message if the password is too long. After all a message does appear if the password doesn’t contain both alphabetic and non alphabetic characters:

RSA II Password Error

So, if they can pop up an error when the password isn’t complex then why can’t they pop up an error when the password is too long.

It’s just not good enough!

In virtually every application I use, including Lotus Notes, Control-F brings up the Find dialogue. This seems to be the default behaviour for Windows applications. There is an exception though - Microsoft Outlook. In Outlook 2007, Control-F is the keyboard shortcut to forward a message. So, Microsoft has broken their own UI standard. Why? They didn’t need to, they already have a keyboard shortcut for forwarding - Alt-W.

Unfortunately, it appears that the User Interface Hall of Shame isn’t being maintained any more. Otherwise this would rate a mention.

It’s just not good enough!

You just gone out and spent all your money on a fleet of Packeteer iShapers (or PacketShapers and iShared) and want to use them to optimise your network. So, you plan to run cram as much TCP traffic down your WDC tunnel as possible to make the most of your expensive bandwidth. Of course, some traffic is more important than others, so you also plan to prioritise some of your traffic that’s going through the tunnel. It’s a great plan. Unfortunately, it’s a plan that won’t work.

The Packeteer PacketShapers (or the Inline plane in the iShapers) uses WCCP to redirect traffic destined to go through the WDC or WAFS tunnels. It does this before the traffic passes through its inspection and classification engine. That’s fair enough - you don’t want to be needlessly shaping traffic before it reaches the tunnel or you wouldn’t gain any benefits from the WDC cache.

The problem is that once the data has entered the WDC or WAFS tunnel, the PacketShaper (or the Inline plane) thinks it’s just WDC or WAFS traffic. It can’t classify it any further. So you can’t tell whether its the Payroll Department trying to use Oracle to get everyone paid, BITS updating an SMS repository or someone skiving off in Facebook. That means you can’t prioritise one over the other. The whole reason for buying a PacketShaper has just gone out the window. You would actually have been better off using the PacketShaper with a caching device from one of Packeteers competitors (Cisco, Citrix, Riverbed, etc.).

It’s just not good enough!

You could dedicate a whole site to the problems with this product. However, lets start with just one.

The iShaper is basically a melding of the Packeteer PacketShaper and the Packeteer iShared (a product Packteer acquired through their takeover of Tacit Networks). It consists of two planes - the Inline plane which offers the traditional features of the PacketShaper (QoS and not very good reporting) and the Advanced Services plane which runs Windows and offers WAFS and TCP caching (WDC). On paper this device looks a million dollars. The idea is that you can deploy it to a branch office and have it provide the features of a Windows server (Active Directory, DNS, DHCP, printing) together with WAFS, WDC and your traditional PacketShaper QoS. The PacketShaper part (the Inline plane) does a WCCP redirection to the Advanced Services plane of the traffic that needs to go via the WAFS or WDC tunnels. Note that these devices are pretty expensive - depending on your discounts, a mid range server from a tier one vendor is probably cheaper.

One of the problems with this device is that it doesn’t come with any form of built in remote management of the hardware. If you go out and buy a mid range HP Proliant or IBM xServer you’ll have the option of iLO or RSA to provide remote management of power and a remote console. The remote consoles might be slow because they use a Java client and the tracking of the mice might be poor, but at least you can do it. So, if Windows locks up and RDP doesn’t respond, and the server’s in another country, you can try to fix it.

Not so with the iShaper. They have nothing like iLO or RSA (or DRAC in the case of Dells). If RDP doesn’t work you’re stuffed. If the Advanced Services plane stops responding to the network (and that does happen) you’re stuffed.

Because the Inline plane is basically a separate machine it will still respond. You can still
log on and you can use the reset command. However, you can only reset the Inline plane, not the Advanced Services plane. So, you’re still stuffed.

Packeteer now sells an external IP KVM you can use to access the console. Unfortunately, this device only went on sale some considerable time after the release of the iShaper - and it’s not integrated. Nor does it do anything about the power. If Windows were to have a BSOD you would still be stuffed! This does assume that you can get to the KVM. Sometimes a misbehaving iShaper does strange things to the traffic passing through it - like blocking most of it.

My advice, avoid the iShaper. It’s just not good enough!