Sunday, May 20, 2012

The Screaming Viking

Abandon all hope, ye who enter here

Year end ordering

Posted by Grand Poobah On May - 10 - 2012

It’s year end for the school, and with that comes the onslaught of ordering.  I like this time of year because I get a chance to play with a few new things.  It also gives me the opportunity to set things up the way I’d like them set up.  Like I’ve said before, there is nothing wrong with the way the previous guy configured things…I just have a different idea of how I want it to work.  I want to move towards a more “enterprisy” environment.  I want to be able to manage all the machines from one central point, and I want to do it as cheaply as possible.

So far we have received approval to build out 2 business computer labs.  I’m going to use iMacs for these labs running both lion and win7.  They are going to be set up to dual boot.  I think this gives us maximum flexibility.  For one of these labs they are looking at teaching multimedia applications and some web design.  We’re looking at dual monitor setups and all that.  I think it will be pretty decent by the time we are done.  The only real concern I have is getting enough data pipe to these machines.  I don’t think the network drops in that room were ever really designed to push as much traffic as these machines will potentially push/pull.  What I’m going to do is build out the room the way I want, then I’ll look at going back and attacking the networking situation later.  The way the building is segmented there is no real main switch closet.  There are a couple of locations that have auxiliary switches.  In the next few years I would like to run fiber…but I’m not sure how much that is going to cost.

Something else I want to do is replace all the ancient macs we have here.  There are 90 or more eMacs, which at this point are long past their usefulness.  I wonder how much we’d save on power alone if these were replaced…  My thoughts are instead of replacing X amount each year, we finance it…replace them all at once and pay it off over a few years.  This is going to be quite a bit of work for me, but I think this would jump start us on to a regular replacement schedule.  Also, in five years maybe we would be looking at some kind of 1 to 1 initiative where we can downsize the desktop machines.  Right now I don’t know how that would work…but we’ll see.

If all this replacement action gets approved, it will keep me fairly busy over the summer.  Physically setting them up and moving things around will take a little bit of time, but the big time sink will be putting images on the machines.  With deep freeze it has to copy the size of the frozen disk with each image…that’s what takes all the time.

We’re also ordering a few iPads.  Not a whole bunch, I will probably have around 20 to mess with and get ready for the school year.  The management of the iPads is something that is a bit tricky.  I’ve decided to quit expecting that people won’t use them for personal stuff.  As long as they are ready for school and they have them for that…I don’t care what they are used for.

Gonna be a busy summer.

smoothwall

Posted by Grand Poobah On October - 4 - 2011

Man, it has been a challenge getting the smoothwall working the way I wanted it to out in the sticks.  One of the initial problems I had was that ancient box I was using.  It was good enough for awhile, but it was starting to go to hell on me.  It was throwing disk errors sometimes, wouldn’t connect sometimes…one of the ports was going bad…it was just not a good situation.  I replaced that with a newer one, and that was working alright…but I wasn’t getting quite what I expected out of the QoS.

QoS for smoothwall worked decently in town…it never really did what I thought it should though.  What it actually does do on the smoothwall box is cut down the % of the overall bandwidth you have for each service.  If I set p2p on “low” it will give it 50% max of my total connection, “slow” looks to be about 25%.  This allows you to prioritize some traffic, but it isn’t exactly what I want.  When the connection is sitting idle, I’d like whatever is using pipe to use all it can…when the connection is used by something with a higher priority it gets the majority of the pipe and the lower stuff gets cut back.  I did increase my headroom to 10%, this seems to have helped some but it still doesn’t do what I want.  I’ve done some reading about this and apparently to get QoS working any better on smoothwall is quite a challenge.  Some guys who know way more than I do about networking have hacked away at it and had some measure of success.  One of these guys has his own customized version of smoothwall…so I thought I’d give that a go.
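The gap between the percentage caps described above and the borrow-when-idle behaviour the post asks for, as an added example (not part of the original post and not smoothwall's code). It is a simplified allocation model: the 10 Mbit link, the class names, the guaranteed floors and the way contention is resolved are constructed assumptions; the 50% "low" cap and the 10% headroom come from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int        # lower number = more important
    cap_pct: int         # hard ceiling, % of usable link ("low" = 50 in the post)
    guaranteed_pct: int  # assumed floor, used only by the borrowing model


def usable_kbit(link_kbit, headroom_pct):
    """Bandwidth left for shaping after headroom is held back."""
    return link_kbit * (100 - headroom_pct) // 100


def fixed_cap(classes, demand, usable):
    """Fixed-percentage model: a class never exceeds its cap, even on an idle link."""
    alloc, remaining = {}, usable
    for c in sorted(classes, key=lambda c: c.priority):
        give = min(demand.get(c.name, 0), usable * c.cap_pct // 100, remaining)
        alloc[c.name] = give
        remaining -= give
    return alloc


def borrow_by_priority(classes, demand, usable):
    """Rate/ceil style model: serve each class its floor first, then hand
    spare bandwidth out in priority order up to the full usable link."""
    ordered = sorted(classes, key=lambda c: c.priority)
    alloc = {
        c.name: min(demand.get(c.name, 0), usable * c.guaranteed_pct // 100)
        for c in ordered
    }
    spare = usable - sum(alloc.values())
    for c in ordered:
        extra = min(demand.get(c.name, 0) - alloc[c.name], spare)
        alloc[c.name] += extra
        spare -= extra
    return alloc


# Constructed sample: 10 Mbit link, 10% headroom, two classes.
CLASSES = [
    TrafficClass("web", priority=0, cap_pct=100, guaranteed_pct=60),
    TrafficClass("p2p", priority=2, cap_pct=50, guaranteed_pct=10),
]
USABLE = usable_kbit(10_000, 10)

IDLE = {"p2p": 9_000}                 # only p2p wants bandwidth
BUSY = {"web": 9_000, "p2p": 9_000}   # both classes saturate the link

if __name__ == "__main__":
    for label, demand in (("idle", IDLE), ("busy", BUSY)):
        print(label, "fixed cap:", fixed_cap(CLASSES, demand, USABLE))
        print(label, "borrowing:", borrow_by_priority(CLASSES, demand, USABLE))
```
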

Just like any admin, before I whacked the box I decided to make a backup *.iso of the machine.  I’d done this several times before on the old box and even restored it a couple of times without issue.  For this build I had the image I’d created right after I set it up completely and now this new one I created about a week later.  I burnt them both to disk and proceeded to load the new modified version of smoothwall.  On the new hardware I’m using things load really fast…I was done going through the process in probably 15min (the old box would take an hour or so).  Fired it up, looked at the QoS tab…nada, exactly the same.  In the screen shots I was seeing something different.  I thought maybe it just worked better so I configured my port rules and gave it a go…nope exact same thing.

There is a module that smoothwall uses to detect the p2p traffic.  That isn’t working out well on mine.  Fine, no biggie, I hard coded the ports I use into the settings file, nope…still doesn’t throttle it properly.  I could live with the QoS the way it’s setup in smoothwall, but it would be really handy if it detected the ports properly.  This is something new after I moved.  The old box I had would connect to cable one via dhcp, when I brought it up to the farm the only change was to have it connect via PPPoE.  This caused a problem with the port forwarding rules as they are not in effect after a reboot.  For some reason I need to disable/enable them after the smoothwall connects.  I posted a question in a message board about this and the useful response was that the Red (external) IP needs to be established before port forwarding rules can take effect.  I assume this isn’t happening and things get borked.  I’m wondering if this is also happening with the QoS…but then why wouldn’t it work after I enable/disable it…like the port forwarding rules do.  It seems like it identifies all the other ports correctly…but not the p2p ports.  Even if I put those ports on a different heading (gaming for example) it doesn’t filter them properly.  I don’t get it.

I also had a problem installing this modded version that was going to make it impossible for me to use anyhow.  While it was loaded it failed to create the swap as well as subsequent partitions.  I dropped into the shell and commented out creating these partitions just to see if it was worth my time to monkey with getting it to actually install properly.  I did get it installed…but as I mentioned above things didn’t work anyhow.  There were also quite a few disk errors because of my hack…no biggie but if I was going to run this reliably obviously that had to be fixed.  The problem appeared to be that it didn’t drop the sda2 partition into /dev…I’m not sure why and didn’t feel like messing with it anymore.  I popped my restore disk in, rebooted…”can’t detect hard drive”…ta hell?  Reboot, same…power down, restart…same.  Pop in the disk for the modded install, finds the disk fine…but still doesn’t install properly.  I have no reason to expect there might be problems with my hd, but maybe there was.  I have moved recently, maybe things got banged around too much.  It was late so I didn’t feel like screwing with it.  The wife relies on the connect for work, so I do have a backup linksys router that will handle the network for us.  Even if I just used the linksys router and not a Linux firewall…I’d still have two of them.  If one goes to hell or something she needs to be back up quickly.  I don’t expect anything would, but I’ve got a couple of them so it’s not like I’m buying extra hardware.  My need for redundancy stops at the extra equipment I already have…

I downloaded a new smoothwall iso at the school and installed it the following weekend…everything installed fine and it’s up and running like I expected it to be.  It has the problems I outlined initially, but once they were identified it was fairly simple (albeit a little bit of a hassle) to work through.  I set up my smoothwall with Red (external) Green (trusted internal) and Orange (DMZ) interfaces.  The idea is to run the internal network off the Green interface and the wife’s work machine off the Orange.  I have some mods installed on the smoothwall for nicety enhancements, adzap, dansguardian, clamav…etc.  Anything on the orange connection should bypass these mods and just have a straight connection to the interwebs.  Also, this segregates her from my network.  Not that I’m worried about her machine, but if something from my network happened to get on her machine or she attached to my network storage without thinking about it I’d rather she didn’t get in trouble.  One thing I did find out though is that it doesn’t seem like she completely bypassed all of adzap.  I’m not sure exactly why this is…although, after thinking about it while I’m typing this it is possible that chrome had the page in question (a recipe site) cached and wasn’t trying to reload the images.  (the wife goes to this recipe site and some of the images wouldn’t load.  Found out a while ago that adzap was whacking them.  I fixed it, but after the reload I had to “refix” it)  When we went to si.com or the inforum, the ads loaded….so I should have looked into this a little better, but it was late and I wanted it to just work for now.  I would have had to add that PASS rule for adzap as she might look at the site from an internal machine anyhow.

Why all this hassle?  Well, like I’ve said before…a linux firewall is about all that will handle all the connections I create…and because tinkering with things is what has given me the knowledge to get the jobs as I’ve gone through life.  Just today I called up smoothwall corporate to ask for pricing on their content filter app and hardware for the school.  I wouldn’t have known about these guys if I hadn’t used their open source software at home.  While I might have been able to find -something- that would have worked, the base knowledge I built on my own with content filtering can’t be a bad thing.

Printers

Posted by Grand Poobah On September - 15 - 2011

Printers are the bane of my existence.  When I started off here, everyone was printing directly to the printers via bonjour…I think I’ve chronicled here before about the problems that caused.  I’ve resolved that issue by setting up  a print server and routing users through that.  A centralized print server is a path I’d have gone down sooner or later even if things worked decently the way they were setup…the problems I was seeing accelerated that process.  I had one printer that would randomly drop off the network.  I wasn’t able to ping it until it was manually restarted.  For this machine it wasn’t as simple as pulling out a modular print server.  The NIC was built into a larger logic board.  The vendor came up and replaced that.  It was work I could have done, but the replacement piece was actually here quicker with him driving it up.  Also, those printers are on a program where we pay per print…so they handle all the parts and labor.

After those issues were resolved, I had two printers that would jam constantly.  I was pretty sure one was because of the feed rollers for tray 2…but the other one I was not sure about at all.  I emailed the xerox guys in minot about each of them.  He was able to overnight the feed rollers.  For the other he advised me to clean things up but it was probably the fuser that was causing the jam.

The new rollers came when they were supposed to, they installed very easily and things seem to be rolling correctly again.  The secretary printed out some information page on the other one and it showed jams constantly at the fuser.  I replaced that and things seem to be working there as well…  Now I’ve got a color balance issue with one of the printers, and I’ve got no idea where to even start with that.  I went through their color calibration setup…and that didn’t bring things even close to where they are supposed to be.  I’ll think of something I’m sure.

Having to order every part I need for these things is certainly a drawback of living in this part of the world.  The guy did not have the parts on hand in minot either, so anyplace short of GF, Bismarck or Fargo and I’d have to order things just the same.  I wouldn’t even bet on Bismarck having these parts in stock.  I could keep one of each on hand for each model of printer…but then if one dies and I toss it I’ve wasted money.  The best thing to do, I think, is to consolidate down to one model printer for everyone.  That’s going to take a few years but I should be able to do that….or get it down to a couple models at least.

We did get a new copy machine in that I hooked up to the network, that was a far more expensive machine as far as hardware cost was concerned, but our price per page is significantly cheaper than the rest.  I’ve strongly encouraged all users to print to that machine when possible.  It’s also handy when they would print something and make copies.

I need to start changing the culture of the school…which is going to be quite hard.  I need to help people understand that not everything needs to be printed.  Things can be kept on their laptops…in their email…etc.  Maybe students can hand some assignments in electronically.  That is the way of the future…but it’s going to take some time to get there.  I don’t think the obstacle right now is technology…it’s changing the mentality of the instructors.  We’ll see how it goes, I’ve got 25 years to work on it.

blurbs

Posted by Grand Poobah On September - 2 - 2011

Had a fairly productive week.  I was able to figure out how to get a 10.5 server to act as a system update server for 10.6, 10.5 and 10.4.  It didn’t take a whole lot of tinkering…but there were a couple of random comments on the web that said it “couldn’t be done”.  I’m not really sure why people would think that…it was fairly simple once someone explained how.  I don’t know enough about the inner workings of a mac to have figured it out on my own…but after reading a walkthrough it took around 30 min to set it up.  Most of that time was spent waiting on the web server to restart…man that thing is slow.  I took a look at the server’s specs and it runs dual 2.3 ppc procs, but it’s only got 2gig of RAM.  Depending on how much I ask of this little sucker it could end up fairly over taxed.

I setup the service yesterday and let it run for a bit to pull down all the updates…so far for the 3 major versions of the os it’s weighed in at 27gig.  That’s a bit, but when you think about how many applications are included in apple’s patching process that’s not too bad.  Once the SUS is setup you have a couple of options to switch the machines over to using it.  The first…and one I really like is changing your internal DNS so the update urls resolve to your server.  The second option is to manually force the update address into each machine.  It’s a one time push, so it’s not something I’d have to change over and over again.  I dig on the first option because of the instructor laptops.  They will be taking them back and forth so I would like to not end up in a situation where they can only update on the school network.  Outside of those machines, it’s not much of a problem to change the update address on the desktops.  I bang out a unix command and send it to each machine via ARD.  So far I’ve only set this up on a couple of machines.  I did the high school lab all on 10.6, then a single machine each of 10.5 and 10.4 to verify functionality.

I saw a web site that was pimping some open source software that would allow you to build a SUS on non mac hardware/software.  While I am intrigued by this idea, I don’t think it’s something I would go with.  I like the idea of saving money, but I don’t want to end up in a situation where apple changes something and this software is unable to work for a little while.  I’ve looked at the prices for a mac mini and they are around 600 with Lion, but 1k with Lion server….but that’s a lot more machine than I need.  If I go with a 579 model, then pay the 50 for lion server….  On one hand it would be nice…but it’s quite a bit of money just for an update server.  I might think about trying to ebay a mini…we’ll see.  The updates are not all that critical, so they could easily be stored on an external usb or firewire drive.  Some stuff to think about anyway, and it’s not going to be a problem for quite a while yet.

I figured out how to push the printer update to all users from ARD.  It took a little digging around, but I found a nice little command line string to pull it off.  So far it’s worked well.  I’m hoping this ends the printer issues we’ve been seeing…I’m real tired of running around and hitting the power button.

I found out that deep freeze is really handy for testing changes.  I could monkey with the update server settings on a desktop and not have to worry about screwing anything up permanently.  So far I’ve only had one staff member not happy with the change.  For this person it’s a matter of getting used to not having control over the machines like they used to.  It’s not going to be possible for me to effectively maintain these boxes if students are accessing the machine with admin privileges…etc…  I think it will work out fine in the end…it’s just a matter of getting a handle on it all.

I also found out that when I setup parental controls on the student machines that Mac OS decided to be helpful and set the web parental controls for me.  I didn’t notice this until some students were not able to go to websites they should be able to.  I haven’t been able to find something I can run from command line to adjust this setting, so it’s a lot of touchy feely on each machine.  It’s not a huge deal…just not ideal.

The week started off rough…I was getting hammered on with several problems.  After I got a handle on stuff and started knocking them down things have lightened up quite a bit at the end of the week.  Finishing up the printer configuration is going to eliminate quite a few “service” calls I’m guessing.
