Categories
Homelab Storage VMware

NFS 4.1

Switching on NFS4.1 In the Homelab

I, like a number of homelabbers, use Synology for storage. In my case I have two: a 2-bay DS216+ and a 4-bay DS918+ that I have filled with SSDs.

NFS has been the preferred storage protocol for most people with a Synology for two main reasons: the biggest is simplicity, but by all accounts it has also tended to offer better performance than iSCSI.

For me, the performance (especially on the DS918+) is great, with one clear exception: Storage vMotion. It's not often that I move VMs around, but when I do it's a tad painful. This is because I only have gigabit networking and NFS was limited to a single connection. However, it's now possible to fix this...

I have tried to find out when Synology officially supported NFS 4.1 but couldn't find a reliable answer. It has been a CLI option for a while, but it certainly exists in DSM 6.2.1.

The first thing to do is to make sure it’s enabled.

Then, from vSphere, create a new datastore.

Make sure to select NFS 4.1.

Then add the name and configuration; this is where the subtle differences kick in.

Note the plus on the server line, where multiple inputs can be added. In my setup I have two IP addresses (one for each interface on my DS918+).

Although NFS 4.1 supports Kerberos, I don't use it.

Finally, mount to the required hosts.

Of course, if you want to do this with PowerShell, that's also an option.

[codeblocks name='NFSMount']

The other really nice thing is that VAAI is still supported, and if you want to see the difference, here is a network graph from the Synology during a Storage vMotion: clearly better than the single-connection performance. This makes me much happier.

A note of caution for anyone wanting to do this: DON'T have the same NFS datastore presented to VMware over both NFS 3 and NFS 4.1. The locking mechanisms are different, so bad things are likely to happen. I chose to evacuate each datastore, unmount it and re-present it as 4.1 for all of mine.

Categories
Homelab

Lab Storage

Lab Storage Update.


Since starting my new role with Xtravirt my homelab has undergone a number of fairly significant changes. At the moment it's very much focused around the VMware stack, and one of the things I needed was some more storage, and especially some more storage performance. With that in mind, I purchased a new Synology, a DS918+.

It's a very compact unit with a quad-core Intel Celeron, and I have left the RAM at 4 GB for now.

I have added some of the existing SSDs that I had, giving me about 3TB of usable flash. I am presenting this back to my VMware hosts using NFS 4.1. I must have missed the announcement, as this is now built into the Synology GUI (it used to be a command-line-only option). I have verified that VAAI works as expected in this configuration. At present I am using this with a single network connection; however, I will be testing NFS multipathing shortly.

The performance improvement has been noticeable and I have now removed all non-Synology systems from primary storage. This has left me with the DS918+ detailed here and a DS216+ with 2TB of RAID1 WD Reds, which I am using for ISOs and some general file storage.


Categories
Homelab Hosting

Sophos UTM – Let's Encrypt

Let's Encrypt

I have written previously about my use of Sophos UTM within my homelab. Now, I know it's not a perfect device and some diehard network engineers will say it doesn't have a CLI. But for my lab, my requirements and my level of skill it's a damn good device with SO many features. It may not have a CLI, but it does have an API, which has been on my backlog to look into for a long time.

Version 9.6 has just been released, and one of the features that has been added is the integration of Let's Encrypt certificates. Here is a quick intro to get up and running with them.

Create a certificate

To get started, first we need to enable Let's Encrypt. This is done in the advanced section of the Certificate Management console with a simple tickbox.

Once that's been enabled, it's time to request some certificates.

Navigate to Webserver Protection > Certificate Management > Certificates.

Click on +New Certificate…

Hosting.jameskilby.net Certificate Creation

When you select Save, the UTM appliance creates a self-signed certificate that can be used immediately. In the background it requests a certificate from Let's Encrypt and, providing it passes the validation checks, the signed Let's Encrypt certificate is received back.

Let's Encrypt certificate

Then it's simply a case of applying it. In this example I have added it to the Web Application Firewall section protecting the web server.

This can then be validated by visiting the site, and as can be seen it's displaying properly.

I have created Let's Encrypt certificates for all of the services that I run on the UTM; they auto-renew and generally make life a lot easier.

Categories
AWS Homelab Money

AWS IoT Button


Back Story:

My AWS Solutions Architect certification is due to expire in the next 6 months, and given I have not done a huge amount with AWS since getting certified, I thought it was worth kicking the tyres again and running a few bits and pieces within AWS. One of the first things I did was move my blog over to AWS Lightsail.

In addition to the above, I thought I would purchase an AWS IoT button and have a play. The setup for these is now MUCH simpler with the introduction of the iOS and Android setup apps.

Part 1: Button setup to email

To start with I just wanted to do something easy, so I set it up so that a press of the button would send me an email via SES. This was to get to grips with the button and check I had the comms set up correctly, etc. I chose to use one of the prebuilt Python functions for this. It delivers a basic email like the one below.

[codeblocks name='Pythonmail']

Part 2: IFTTT integration

Once I had this working I then decided to hook it into my Philips Hue setup to turn the lights on or off. This was done mainly with the help of this post from Joseph Guerra. It wasn't quite straightforward, as IFTTT have renamed some parts of the site. Joseph did a great post explaining this; however, where he describes Maker, this is now called Webhooks within IFTTT. This is the full code that I'm using (just with my key masked).

[codeblocks name='IFTTTLambda']
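The shape of the button-to-IFTTT Lambda described above, as an added example (not the post's own code or Joseph Guerra's): it takes the `clickType` from the IoT button's event, fires the IFTTT Webhooks trigger for the `buttonpress` event name that the applet listens for, and reads the Webhooks key from an environment variable (the variable name `IFTTT_KEY` and the `value1` payload are my assumptions) so the key appears in neither the source nor the CloudWatch log line.

```python
import json
import os
import urllib.request

# Event name used in the IFTTT Webhooks applet; must match the "this" trigger exactly.
IFTTT_EVENT = "buttonpress"
# Assumed name of the Lambda environment variable holding the Webhooks key.
KEY_ENV_VAR = "IFTTT_KEY"
# clickType values the AWS IoT button puts in its event payload.
VALID_CLICKS = ("SINGLE", "DOUBLE", "LONG")


def is_valid_click(click_type):
    """True only for the three click types the button can actually send."""
    return click_type in VALID_CLICKS


def build_webhook(event_name, key, click_type):
    """Return (url, json_body) for an IFTTT Webhooks trigger.

    The click type is forwarded as value1 so one applet can branch on it
    (e.g. SINGLE toggles the Hue lights, DOUBLE moves money into a pot).
    """
    if not is_valid_click(click_type):
        raise ValueError("unexpected clickType: %r" % (click_type,))
    url = "https://maker.ifttt.com/trigger/%s/with/key/%s" % (event_name, key)
    body = json.dumps({"value1": click_type}).encode()
    return url, body


def redact(url, key):
    """Log-safe form of the webhook URL: the key is a bearer credential."""
    return url.replace(key, "<redacted>")


def lambda_handler(event, context):
    key = os.environ[KEY_ENV_VAR]  # fails loudly if the secret was never configured
    url, body = build_webhook(IFTTT_EVENT, key, event.get("clickType"))
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        status = resp.status
    # Only the redacted URL reaches CloudWatch Logs.
    print("fired %s -> HTTP %d" % (redact(url, key), status))
    return {"event": IFTTT_EVENT, "status": status}
```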

Part 3: Monzo

Once the AWS to IFTTT integration was set up, the next steps were quite easy. Monzo is becoming my go-to bank for most things. They recently announced IFTTT integration, so I wondered if I could hook my IoT button into Monzo. I decided to create an action so that when my button was pressed it would move £1 into a savings pot.

First you need to log in to your IFTTT account and then add the Monzo channel. This is pretty straightforward if you do it from your phone, where IFTTT and Monzo are installed.

I then went back to IFTTT on my laptop to create the new applet using the create link https://ifttt.com/create

Then click on the + icon and drill down to find the Webhooks section.

Then you need to check that the event name on the webhook matches the AWS Lambda event; in my case I am using "buttonpress".

This should complete the "this" section. Now you need to sort the "that".

Click on the plus and select the Monzo service with an action to move money into a pot (within the Monzo app I have already created a savings pot called IFTTT).

At the end of the process you should have something that looks like the below.

If everything is set up OK, a button press will move money over in a few seconds.

Categories
Homelab Nutanix

Nutanix CE 5.6


I have been running Nutanix CE at home for quite a while now, and the new version has just dropped, so I had to try it out. I decided to destroy the current (single node) cluster that I was running and start again. This was for a few reasons, but primarily I wanted to introduce disk redundancy and add some extra drives. I was previously running this on a Dell T20 with 1x SanDisk 240GB SSD and 1x WD Red 3TB drive, so I added another WD Red and SSD. I have also moved over to using an old Intel 80GB SSD as the boot volume (rather than a USB stick).

I decided to stick with the original installer method and copied the new build onto the SSD.

[codeblocks name='ntnxprep']

Then run the installer and choose not to build a cluster. I then needed to revoke the previous SSH keys for the host and the CVM (as I had used the same addresses).

I then SSH'd into the CVM and created the single-node cluster, but with disk redundancy.

[codeblocks name='clustercreate']

On login to Prism Element the cluster shows that I'm now on the later version and that I do indeed have storage redundancy. The big green OK shows this at a glance. The middle image shows a detailed view confirming that all the required components can tolerate a failure, but obviously I can't tolerate a host loss as I only have one (last image) 🙁

The cluster is pretty bare at the moment but I will start adding back the various systems.

Data is all OK
I am fully protected at the storage component level
I can't lose a host 🙁


Categories
Homelab Networking Ubuntu

Pi-Hole – Taking back control of your DNS

Pi-Hole

I have seen a few posts on Twitter recently about people running the Pi-Hole software for network-wide ad blocking. The software was originally built to run on a Raspberry Pi and is therefore very lightweight. I don't have any Pis, so I thought let's test it in a VM.

Build

I spun up an Ubuntu VM from the Image Service on my Nutanix CE server.

This process allocated an IP out of the IPAM in Nutanix. Obviously, if you don't have this available you will need to configure a static address.

Make sure your VM is up to date

[codeblocks name='Ubuntu Update']

Install Git

[codeblocks name='Install Git']

Install Pi-Hole

[codeblocks name='Install Pihole']

Input your sudo password and hit OK! The installer should run and you will be given a few basic options.


The next thing is to choose your favourite DNS provider. I went for Custom and then Cloudflare 1.1.1.1.

I allowed listening on IPv4 and IPv6, left the network settings already applied to the VM, and enabled the web interface.

You get a final confirmation page and then you're done!

All that's left to do is to update your devices/DHCP to start using Pi-Hole as a DNS server and you're done.

If you want to monitor how Pi-Hole is doing, check out the web interface listed on the final screen. In the few hours I have been running it, it's blocked 28.1% of the DNS lookups my systems have attempted.

Categories
Homelab

Lab Storage

I have been meaning to post about some of my lab setup for a while. Although it changes frequently, at present it's as below. I will add some pics when I have tidied up the lab/cables.

My primary lab storage is all contained within an HP Gen8 MicroServer.

Currently Configured:

1x Intel Core i3-4130 running at 2.3GHz

16GB of RAM

4x 1Gb/s NIC

2x 3TB WD Red

2x Intel SSD 320 Series 80GB,  25nm MLC

This is running Xpenology.


I have the 4 NICs split into two LACP bonds: one for the management traffic and one for pure NFS traffic.

The 2x WD Reds are in an SHR configuration, with the SSDs running as an SSD read/write cache.

This gives me 2.6TB usable, which is plenty to lab with and to store photos and media, and with the RW cache the performance is pretty damn good.

I also have a DS216+II Synology with 2x 2TB WD Reds; this is my tier 2 lab storage, for backups, ISOs, etc.


I am running a few apps/containers on the Xpenology install, as it has a lot more RAM/processing power.

At the moment this consists of:

Docker – Gitlab

Docker – PHPipam

Plex


Categories
Homelab

Nutanix CE

I ran a Nutanix CE server at home for a little while when it first came out. However, due to the fairly high requirements, it didn't make sense to me to continue running it at home. This was compounded by the fact that I have many clusters to play with at work. These all run my hypervisor of choice, vSphere, so I thought it was about time to see what was new with AHV and Nutanix CE.

I downloaded the latest copy of CE from the Nutanix site and extracted it to a USB stick with Rufus (this took about 30 mins).

The server that I chose to run this on was the same server I ran initially: a Dell T20 with the Xeon processor, 32GB of RAM, 1x 240GB SSD and 1x 3TB WD Red. The install is pretty straightforward and covered a lot elsewhere.

I am just kicking the tyres with it at the moment and running a few VMs. I have also shared out the storage from my Nutanix CE setup back to my vSphere environment.

I'll post back with some updates on what I get up to with it.

Categories
Homelab Security

Sophos UTM Endpoint protection

I have been using the Sophos UTM Appliance at home for about 3 years.  It has been my internet gateway all this time and also has been useful for the lab I run at home.

It's pretty much the full-featured enterprise edition, but it's limited to 50 IPs on the LAN side. The feature set is huge and needs its own blog post.

I am just going to describe the basic endpoint side here. It's been on my to-do list to blog about this, but I saw a fellow vExpert's elderly father-in-law fall prey to a scam that Sophos would probably have caught...

If you're interested in the product, you can obtain it here.

To enable features in the UTM you typically turn them on globally; then they can be configured.

Once this has been done, you can deploy the endpoint package (encompassing the AV and control agent).

This can either be done with a direct download or with a unique URL (see screenshot). For any homelabbers, a push with Group Policy is required.

After that it's a next-next installer.

I'm not sure what the third-party software it removes is, but it's a nice feature.

And you're done, nice and simple.

Once the agent is deployed it updates itself and runs a full scan. This can be monitored from the client end, but also centrally in the UTM console.

The example above is one of my fileservers.

One of the really cool things is the tamper protection seen above, which means if you or your try to uninstall the agent from the client you will get the message below. You need a password to uninstall!

I am just running with the basic protection for me, which includes all of the following:

As you can see, web protection and blocking of malicious sites is enabled. This is fully customisable and able to apply the same filtering as the firewall implements. It has a large number of categories and a policy checker to see how a site will be handled. The best part of the UTM is that these are applied when the device is not behind the firewall. Think kids or old people, etc.

I have this implemented for a few friends and family but with slightly different policies.