A Better Way To Test Computers

If you really want a better way to test a system, especially for single threaded performance, try testing it with an upwards of 90 MB text file which contains approximately 1.45 million lines of text in it by running a compare operation against two copies of the text file, and the difference between the two files is about +/- 7200 lines, but +/- 20 MB. (Yeah, don't know how THAT happened, but that's the result.) (It is an index of a directory that I have that contains about 1.45 million files and folders)

The current compare operation that has been running in Notepad++ 8.1.2 with the compare plugin has been running for over an hour now on an Intel Core i7-6700K (4-core, 4.0 GHz base clock speed, 4.2 GHz max boost speed, HyperThreading enabled) and I have no idea how much longer said compare operation is going to take.

You want to test single threaded performance?

Test it with something like this.

This will give you a REAL sense as to what different processors can do.

*edit*
The comparison ended up taking 51 hours 45 minutes and 28 seconds on said computer.

Mellanox Lies (and Why It's Important To Speak Up)

In the 2020 version of Mellanox's (now Nvidia Networking, but I'm old school, so I still call it Mellanox) IB Adapter Product Brochure, it states that their Infiniband network adapters support NFS(o)RDMA.

Page 4 from the Mellanox IB Adapter Product Brochure

But when I actually purchased said Mellanox ConnectX-4 dual 100 Gbps VPI port cards (MCX456A-ECAT), and I tried to use Mellanox's OFED drivers for Linux (MLNX_OFED_LINUX-4.6-1.0.1.1-rhel7.6-x86_64.iso), said NFSoRDMA wasn't working, so I posted on the Mellanox community forums to try and get some help (because sometimes, it can very well be that either I didn't read nor execute the installation instructions correctly or that I am not understanding something or that there was another step that I needed to do that wasn't documented in the installation instructions).

After fiddling around with it for a little while, I ended up reverting back to the "inbox" driver, i.e. the driver that ships with the OS (originally in my case, CentOS 7.6, and then I eventually moved up to CentOS 7.7.1908), because for some strange reason, NFSoRDMA was working with the "inbox" driver, but not the Mellanox OFED driver.

Turns out, the NFSoRDMA feature was disabled in that version of the Linux driver (and may have been actually disabled in some versions prior to that as well).

Oh really?

So with that admission, I was able to get Mellanox to go on record stating that their then-own-driver actually did NOT do what their advertising material states that their products can do, which constituted false advertising (which would be illegal).

Since then, I'm not sure at what point or version, but their latest driver now has NFSoRDMA re-enabled.

Source: https://docs.mellanox.com/display/MLNXOFEDv541030/General+Support

 

I am writing about this now because this was quite the adventure in trying to get NFSoRDMA up and running on my micro cluster.

 

As a result of Mellanox (Nvidia Networking) having previously taken away a feature/functionality before, I no longer trust that they won't do it again.

 

Therefore; as a result, I currently still will only use the "inbox" drivers that ships with the OS because at least I know that it'll work.

 

The ONLY time where this may not work or won't be true is if I were to start using Infiniband with the Windows platform (either on the server side and/or on the client side). Then I might have to use the Mellanox drivers for that, but for Linux, I can vouch for certain that the "inbox" driver that ships with 'Infiniband Support' for CentOS 7.6.1810 and 7.7.1908 works like a charm!

The Part Of Computing That Nobody Ever Talks About

Whenever people talk about computers, whether it's CPUs, GPUs, RAM speeds, HDDs, SSDs, or networking, they will always put each of those components through its paces with some kind of test or benchmark and/or a suite of benchmarks.

At the component level, that's usually useful and good enough so that people can be informed about how one part compares to another part so that you can make informed, decisions about your current and/or future purchases and that's fine and dandy and all.

Today, I'm going to be talking about something that people in the computing and IT industry/world (especially for general public consumption) that is pretty much NEVER talked about as far as I can tell/see.

 

In the computing world, people will talk about how much data a CPU or a GPU is able to process, whether it's virtual machines, hyperscalers, databases, HPC/CAE applications, machine learning, etc.

 

In the storage subsystem world of HDDs and SSDs (or PMEM), they'll talk about a drive's performance in terms of sustained transfers rates (STRs) or the number of input/output operations per second (IOps) that a drive can deliver.

In the networking world, they'll either talk in millions of messages sent/received per second, the latency, or the raw bandwidth.

But notice that NONE of these ever talks about, for example, what it really means when you put it all together.

Take HPC/CAE for example. One simulation can generate terabytes (TBs) of data, if not more. A LOT more. As far as I can tell, NOBODY in the entire IT/computing industry talks about what do you do with all of that data and/or how to manage it that volume of data.

Moving the data around, organising it, making sure that it's consistent, especially when you have say upwards of 10 million files (I'm currently just shy of 7.5 million files (7,499,865 files to be exact as of the last scan, as of this writing).) - how nobody every talks about nor benchmarks what it's like to manage that much data.

For example, let's say that I want to update the user and the group that owns all of the files on a given system. That process, on my systems where one is hosting 2.8 million files and the other system is hosting close to 4 million files, can take anywhere between 40 minutes to an hour (each). And sometimes/usually, I will run those tasks overnight so that there are no other changes happening on the file system/server and even then it still takes between 40 minutes to an hour (each) just to do that. So upto 2 hours, JUST to update the user and the group that owns the files. Nothing else.

Why aren't people talking about the data processing speed of having to do just this kind of a basic, simple task?

Whenever people benchmark CPUs or drives, nobody bothers to talk about something like this.

Now you might argue that this isn't done very often, but that isn't the point.

The point is that there has been tremendous improvements that we've made to CPUs and GPUs and HDDs/SSDs and networking, but as a collective system, because nobody tests this, therefore; there aren't any improvements that people are making to actually make these operations run/go any faster.

And more broadly speaking, people will spend a LOT of time talking about, for example, how fast a CPU or GPU is, or how fast a drive is, or how fast networking is.

Nobody talks about how fast it is when you put it all together and you have to manage a (relatively large) volume of data.

Apparently, GlusterFS No Longer Supports RDMA And You Can't Use It Across Ramdrives Anymore

Back in the day, I used to use CentOS 7.6.1810 with GlusterFS 3.7 and I was able to create ramdrives in said CentOS and then tie a bunch of ramdrives together with GlusterFS.

Apparently, that's not the case anymore and it hasn't been since Version 5.0 as RDMA was deprecated.

Bummer.

Here's why this was important (and useful):

SSDs, regardless of whether it's consumer-grade or enterprise-grade, the NAND flash memory cells/chips/modules that's used in them all have a finite number of program/erase cycles.

Therefore; as a result, ALL SSDs are consumer wear components (like brake pads on a car) where they are designed to be replaced after a few years due to said wear. (This is a point that unfortunately, I don't think that the SSD as an industry, as a whole, spends enough time focusing on because a LOT of people were and are using SSDs as a boot drive, and as a boot drive, because it has a finite number of program/erase cycles, this means that it is only a matter of time before the system will fail, but I'm going to write/rant about that some other time/day.)

But for now, the key takeaway is that SSDs have a finite number of erase/program cycles and that can cause SSDs to fail.

So, in the HPC space, where I am running simulations, I can produce a LOT of data over the course of a run, sometimes, into the PB/run territory.

Therefore; if I have a large amount of data that needs to be read and written, but I don't need to keep all of the transient data that the solver produces the course of a simulation, then I want it to be as fast as possible, but also NOT have it be a money pit where I am constantly pouring money into replacing SSDs (again, regardless of whether it's consumer grade SATA SSDs or enterprise grade U.2 NVMe SSDs).

So, this was where the idea came from - what if I were to create a bunch of ramdrives, and then tie them together somehow?

Originally GlusterFS was able to to do this with gluster version 3.7.

I would be able to create a tmpfs partition/mount point, make that a GlusterFS brick, and then create a GlusterFS volume with those bricks and then export the GlusterFS volume onto the Infiniband network as a NFSoRDMA file system.

And it worked ok for the most part.

I think that I was getting somewhere around like maybe 30 Gbps write speeds on it (for the distributed stripped volume).

Lately, I wanted to try and deploy that again, but for creating plots for the chia cryptocurrency.

Apparently, that wasn't possible/capable anymore.

And that just makes me sad because it had so much potential.

You can create the tmpfs.

Gluster will make you think that you can create the Gluster bricks and volume.

Gluster lies (which you only find out when you attempt to mount the gluster volume that it never really created the bricks (on tmpfs) to begin with).

And then Gluster-hell-breaks-loose because it thinks that the bricks are a part of a gluster volume already which locks the bricks and volume together, and nowhere in the Gluster documentation does it tell you how to dissociate a brick from a volume or vice versa.

And that's too bad that because GlusterFS had so much potential.

Re-deploying My Old Server Supermicro X7DBE

So, I was originally moving from "real" servers to NAS units, in order to try and cut down on my power consumption a little bit and also to make managing dumb storage a lot easier, so I originally purchased a Buffalo LinkStation 441e 4-bay diskless NAS unit, with the original intention of plugging in four 6 TB HGST SATA 6 Gbps 7200 rpm HDDs in it, and when that didn't work, said NAS unit was relegated to only using four 3 TB drives instead.

Fast forward three years, and I guess that I just got tired of the fact that the Buffalo LinkStation 441e couldn't read/write the data at anything more than 20 MB/s with my Windows clients. So I decided that I am going to re-deploy my server as an actual server for dumb file storage and data serving tasks.

Hardware specs:

Supermicro SC826 12-bay, 2U, SATA rackmount chassis

Supermicro X7DBE dual Socket 771 motherboard

2x Intel Xeon E5310 (4-cores, 1.6 GHz stock, no HyperThreading available)

8x 2 GB DDR2-533 ECC Registered RAM

2x LSI MegaRAID SAS 12 Gbps 9240-8i (SAS3008)

SIMLP (it came with it, but I think that the IPMI card is dead)

4x HGST 3TB SATA 6 Gbps 7200 rpm HDDs

OSes that I tried:

1) TrueNAS Core 12.0 U1.1

2) Solaris 10 1/13 (U11)

3) CentOS 7.7.1908

4) TrueNAS Core 12.0 U1.1

I first tested the server using four HGST 1 TB SATA 3 Gbps 7200 HDDs in order to test the resiliency of ZFS in TrueNAS Core 12 (FreeBSD) by randomly yanking and plugging the drives back in into random locations to see what ZFS would do about it.

Of course, with a raidz pool, it was only fault tolerant to one drive (out of the four), which meant that, as expected, pulling out two drives killed the pool (took the pool permanently offline such that even if I plugged the drives back in, it would still report the pool as having failed).

I copied a little bit of data onto the pool to see what it would do.

And then I figured "well, since I was going to use ZFS, why not use the OS that started the whole ZFS thing in the first place?" - Solaris.

After anywhere from a day-and-a-half to three days, I finally got Solaris onto the system.

But then I wasn't able to get Samba up and running. (It still surprises me that the native samba package that ships with Solaris 10 - they NEVER got that working out-of-the-box, even with all of the updates to the Solaris 10 release cadence.) I found a samba package from OpenCSW, but that was only SMB 1.0, which is disabled in Windows 7 by default due to security vulnerabilities.

So, I wasn't able to get that up and running and quickly abandoned it.

Next, I tried to use CentOS.

I use CentOS for my micro cluster and also the micro cluster headnode, so I have some experience with it, but again, because of how my backplane was wired up where three of the 3 TB drives was connected to one of the HW RAID HBAs and the fourth drive was connected to the second one, it meant that I would have needed to use mdadm to make it work, which I was a little bit weary of, on the off chance that said md array would fail.

At least with ZFS, there appears to be more resources available for help, should I need it, as that seems to be all the rage in the Linux storage subspace right now, despite the fact that for years, I have been telling people that it's not my favourite filesystem to work with due to the fact that there are ZERO external data recovery tools for data that resides on hard drives that belonged to a ZFS pool. (A point which is still true today. i.e. if your ZFS pool dies, you can't do a bit read on the drive in order to salvage whatever information you can off the platters themselves and try and reconstruct the data/your files whereas with (at least a single NTFS drive, you CAN do a bit read on the drive and try and pick up/pick off whatever data you can with that).)

So, CentOS didn't really work like I thought it would've/could've.

So that sent me back to TrueNAS Core 12.0 because at least, it has a nice, web-based GUI (I'm so done and tired of looking up commands to copy-and-paste into a command prompt or terminal or over ssh to get the system setup).

I did consider UNraid, but the problem with UNraid is that it will fill up one drive and then the next and then the next, which means that the write speed of a single drive can quickly become a bottleneck for your entire server.

It's too bad that Qnap doesn't publish/sell their QTS software so that you can install it on any hardware because I really like Qnap's software. And it's also too bad that the only way that you can get the Qnap software is if you buy their hardware as well, which can be quite expensive for the hardware that you are getting and with that, it doesn't even necessarily support some of the other nice-to-haves that I would want, perhaps in the future, from my future storage server(s) (like being able to install a Mellanox/Nvidia (I'm old school, I still call it Mellanox because that's what it is) ConnectX-4 100 Gbps Infiniband network card.

 

So TrueNAS Core 12.0 became the selected candidate, and I proceed to get everything all set up and up and running.

 

As it stands, CIFS/SMB and NFS is running, although I AM running into a permissions issue between the two differing protocols right now (Windows clients connect over CIFS/SMB and my Qnap Linux based NAS units connect to it over NFS because for some reason, it fails to log in with CIFS/SMB to the TrueNAS Core 12.0 system). I posted the question in the forums, and it seems that nobody has identified a cause nor a fix for this yet.

Luckily, most of the time, it's the Windows clients that uses this newly re-deployed server rather than my Qnap NAS units.

But this partially documents and chronicles my journey with TrueNAS Core 12.0 and also my old Supermicro server.

It took almost like 4 days to get the server back up and running. But it's humming quite nicely now.

The only downside is that I think it's consuming somewhere around like 205 W of power or something like that vs. the Buffalo LinkStation 441e only had a 90 W AC adapter.

And the weight of having to move/lug the server around before I finally put it into the rack. (It's just sitting on top of stuff. I don't know if I actually have rails for it.)

My Review Of The Buffalo Linkstation 441e 4-day Diskless NAS

TL;DR - it fails to meet performance expectations.

I bought the Buffalo LinkStation 441e 4-bay diskless NAS unit in May of 2018 and there were a number of problems that I immediately ran into when I was trying to use it. For one, I was originally going to try and put in four 6 TB HGST SATA 6 Gbps 7200 rpm HDDs into it, and right away, that didn't work. It wouldn't recognise the drives nor properly identify the storage capacity of each of the drives.

It was only then that I found out that it looked like that it couldn't support drives bigger than maybe 3 TB (the only other drives that I had available to me were 3 TB drives, so I popped four of those in instead, and that seemed to work).

This limitation was not advertised on Microcenter's product page at the time when I bought it. Had I known that a priori, I probably wouldn't have got it. But seeing that I bought it already, I just tried to see if I could make the best of it.

Setting it up was pretty easy and straight-forward.

The administrator's password, if you decide to assign a new one, can only take alphanumeric characters (apparently, or so it seemed). If you tried to use special characters, it didn't seem to work. I think that I had to reset the unit back to the factory default a few times on account of it when I was first trying to get the unit set up and configured the way I like it.

Upon doing so, the other problem that I ran into was that copying files to and from the Buffalo LinkStation 441e, despite the fact that it had a gigabit ethernet (GbE) networking, with four HGST 3 TB drives in a RAID5 configuration, I was NEVER able to get more than 20 MB/s read or write to this NAS.

It didn't matter what I tried to do - the unit just wasn't capable of it. It was also irrelevant whether the NAS was full or nearly empty - it couldn't read nor write at speeds > 20 MB/s (using a Windows client). The Buffalo LinkStation 441e does not support NFS, so I couldn't really test it with a Linux client.

The one thing that I will comment on that I liked about it was that Buffalo has a NAS Navigator so that it will find your NAS units that has a dynamically assigned IPv4 address to it, which is useful and helpful for the initial setup/configuration.

Beyond that, its inability to be able to read/write at anything > 20 MB/s really limited what I could actually use it for.

Pity.

(When you're reading/writing at upto 20 MB/s, even a USB 2.0 high speed device could outperform this NAS unit with four hard drives in it. And I know that drives weren't the limiting factor because I had them in a "real" server before I moved them into the LinkStation 441e NAS and they were able to read/write at > 100 MB/s (limited only by the gigabit ethernet).)

Oracle Solaris Is A Self-Terminating Ecosystem

So, recently, I was trying to re-deploy one of my servers to take over dummy fileserving duties from a NAS unit that really just wasn't up to the task (more on that later).

Here is what I was looking to be able to at least try and do (here is a list of my performance/technical requirements, in no particular order):

1) Actually be able to hit and/or sustain gigabit ethernet (1 GbE) line speeds (e.g. ~ 100 MB/s sustained transfer rates).

2) Be able to create a share folder that both Windows and Linux clients can use, simultaneous. (So, using a combination of CIFS/SMB for the Windows side and NFS (mostly) for the *nix side.)

3) Due to the way that my old server was setup and how the SATA backplane was wired up, it meant that three of the drives in the top row of a 12-bay, 2U server was attached to hardware RAID controller #1 whilst the fourth drive (also in the top row of said 12-bay, 2U server) was attached to hardware RAID controller #2. What this meant was that I couldn't create a single logical drive/RAID array consisting of all four drives because said all four drives weren't attached to a single controller. And I didn't want to rewire the backplane.

Therefore; as a result of this, I needed a software-based solution that would be able to create a RAID5 array across the two controllers, and my preference was for ZFS.

So here are the OS candidates:

1) FreeBSD (TrueNAS Core 12.0 U1.1)

2) Solaris 10 1/13 (U11)

3) Linux (CentOS 7.7.1908)

I've previously used Solaris 10 before for a similar kind of dumb file serving duties and being that, for example, ZFS on Linux on root JUST became a "thing" as of like Ubuntu 20.04, whilst ZFS on root for Solaris has been a thing since Solaris 10 10/08 (U6) (Source: https://en.wikipedia.org/wiki/Oracle_Solaris#Version_history), I figured that I would give ZFS another go.

(Previously, I had sworn off of ZFS because I had some major problems with it - problems that even after purchasing a premium support subscription directly from Sun Microsystems themselves, the creators of ZFS, they weren't able to help me fix/resolve my problem/issue with ZFS. So I avoided ZFS like the plague.)

As it turned out, trying to get Solaris 10 1/13 onto my old server become quite the challenge.

First off, the server only sports a Supermicro X7DBE motherboard, which only comes with two USB 2.0 ports in the back and none in the front. (I think the chassis that I am using is a Supermicro SC826, but I'm not 100% sure). The motherboard itself has ports for PS/2 mouse and keyboard, but as such, I don't really have nor use PS/2 mouse nor keyboards anymore (I've finally "modernised" and moved up to USB mice and keyboards) which meant that I was short for USB ports.

So, how do I plug in a mouse, keyboard, AND install Solaris?

Well, at first, I tried installing with an USB slim, external DVD drive, but for some reason, the graphical installer had a problem loading/reading off from the DVD+RW disk that I use pretty much for all of my OS installs that needs to do so from an actual DVD.

And then I tried to use a USB flash drive, but that had problems as well.

So, I remember years ago, deploying a PXE install server so that I can get Solaris onto the system.

So that's what I set off to do.

And oh boy, what a journey (in a bad way) that was.

First off, to be able to deploy Solaris over PXE, pretty much all of the official Oracle documentation asssumes that you have another system already running Oracle Solaris.

(I did try to deploy it using a Linux system (Ubuntu), but that didn't really work out the way it should've, based on people who's written about it on other blogs previously.)

So, deploying it using another Oracle Solaris system it is.

I fire up Oracle VirtualBox, and get to installing Solaris 10 1/13 on said VM and I didn't really have much of a problem with that.

(Maybe perhaps in a little bit of irony, I was running the Solaris VM off an Intel NUC. I'm actually finding myself using my Intel NUC for a BUNCH of VMs now whereas before, it was only relegated to the task of being a license server for some of my applications, i.e. it wasn't really doing much.)

I get the VM all set up, running Java Desktop 3 (yes, that was a thing), per usual. Nothing special to write about there.

Oracle Solaris 10 1/13 Java Desktop System 3. Yes, it's a thing.

After that, I then proceed to follow the instructions, as published by Oracle, for Oracle Solaris 10 1/13 Installation Guide: Network-Based Installations.

The instructions for creating an install server with DVD media (for x86 systems (as opposed for SPARC systems)) you follow the instructions here and there is nothing special to write about that.

Now, it says, in the instructions, that if you are going to be using a DHCP (which I was going to be because apparently, my system is so old that the PXE boot for the server can ONLY happen with DHCP, i.e. you cannot assign a static IP address to the onboard NICs themselves), so it said that you didn't need to create a boot server, but I did it anyways.

Now this is the part where it gets messed up.

According to the Oracle documentation, the next step in the process is "Adding Systems to Be Installed From the Network with a DVD Image - How to Add Systems to Be Installed From the Network With add_install_client (DVD)".

Step 3 states:

"3. Add the client to the install server's /etc/ethers file.

a. On the client, find the ethers address. The /etc/ethers map is taken from the local file.

# ifconfig -a grep ether

ether 8:0:20:b3:39:1d"

 

Here is the problem with this:

 

If you have a system that you are trying to deploy Oracle Solaris onto, you're NOT going to be able to run "ifconfig -a grep ether" on the client!

 

This is a really stupid step/line in the instructions.

Think about it. You're trying to "jumpstart" the system. The client isn't up and running yet because this is what (and why) you are setting up the PXE server for a network installation, and therefore; NOTHING is running on the target/client.

So, instead, I had to pull the MAC address by powering on the server, setting the BIOS so that it will boot from PXE, and then waiting/letting the PXE request to time out so that it will show me the MAC address for both interfaces (because I think that it might have actually tried to ennumerate thes second NIC first, which meant that I had to wait until that failed before the primary NIC's MAC address will show up).

And then took a picture with my phone so that I would then be able to go back to my desk so that I can keep going with the instructions.

That was a really, really stupid step in the instructions on the part of Oracle.

(But this isn't why I think that the entire Oracle Solaris ecosystem is a self-terminating one though.)

Okay, so besides that, you keep going with the instructions after you get the MAC address off the NIC from the server.

Note here: If you are running these steps back to back, make sure you get out of the directory of where the DVD is mounted to (e.g. just type cd to get back to your root, home directory) so that you can then unmount the DVD before adding your client.

I made this mistake a bunch of times.

And THEN go to the directory where you copied the contents of the DVD to.

Proceed with the next step.

At the very bottom of that page is a one liner that says that if you are going to be using DHCP, then you need to set up the DHCP server.

Now, I thought that this was going to be like Linux installations where you just set up some dummy DHCP server, tell it what's the IP address range that you want said DHCP server to dish out/serve up, and it's already going to have a TFTP server running, and away you go.

[buzzer]

 

I couldn't be more wrong.

Here's what it takes to ACTUALLY set up the DHCP for a DHCP based, PXE/network installation of Solaris 10 1/13, in Solaris 10 1/13:

(Refer to the Oracle Solaris documentation, "Preconfiguring System Configuration Information with the DHCP Service (Tasks)")

Chapter 14. Configuring the DHCP Service (Tasks), in Oracle Solaris Administration: IP Services.

You have to go through the steps of running

 

# /usr/sadm/admin/bin/dhcpmgr

 

And then you get this:

 

 

Once you're done with that, then you got to create the macro for the client, BY MAC ADDRESS, itself.

 

Oracle Solaris 10 1/13 DHCP Manager Macros BY CLIENT MAC ADDRESS

And THIS is where I think that Oracle Solaris is a self-terminating ecosystem.

In order for you to be able to install the system, especially over PXE, according to their own instructions, you apparently have to set up and permit each system, BY CLIENT MAC ADDRESS, to be able to boot from and pull the Oracle Solaris 10 install image.

(The rest of the installation ran fine, by the way. It wasn't the fastest install, but at least it worked. And it IS technicaly faster than USB 2.0, or at least faster than what an USB slim, external DVD drive can do at 4x speeds.)

In other words, you can just deploy Solaris 10 on ANY system that you want. It's almost like you have to "register" it with the DHCP manager before this will work.

That's incredibly dumb/stupid.

 

Now, it is entirely possible that you don't have to "register" the client's MAC address to get this to work, and that would be nice, but according to the Oracle Solaris official documentation, that's NOT the example that they've shown here.

 

I have NO idea why they chose to make this more complicated way (but it DOES work) as the example that they use to show/tell/teach people how to deploy an installation over your local area network, but that's precisely what they've done.

Also apparently, and I don't know exactly when this happened, but apparently, as of this writing (27 July 2021), Oracle deleted the Oracle Solaris page off from Facebook.

Sounds to me like the days for Oracle Solaris may be numbered, even if that number may still be years, possibly a decade-or-more away.

(Also, by the way, the reason why I went BACK to Solaris 10 instead of using the latest Solaris 11 is because I currently have Solaris 11 deployed on another Intel NUC of mine, that exists to perform some basic web serving tasks and for some strange, stupid reason, after a while, one of the NICs that has been assigned to it (it too, also runs in a VM), which has a static IP assigned to it, stops working. And when I try to switch it from static IP to DHCP, it fails to pick up an IPv4 address from the router's DHCP server. So I ended up just adding a second NIC to the VM and left that as being a DHCP managed interface and haven't had any issues with that NIC since, but I can't give it a static IPv4 address, of course.)

Looks like what we are seeing is the beginning of the end for Oracle Solaris.

And that's a shame/pity. I used to really like Solaris.

Here Is The Security Problem With HiveOS' Diskless PXE Boot System

Here is the problem with the HiveOS diskless PXE boot system: 

If you have a HiveOS installation (this security flaw exists regardless of whether you are running the HiveOS' diskless PXE system/setup or whether you are using a disk of some sort for the HiveOS image), that is connected to the public internet (which is preferred so that your cryptocurrency shares that you are mining/farming will have the lowest latency back to the presumably, pool servers as much as possible), and that you have the SSH port open (port 22), then hackers and attackers can remotely take over your system, as laid out in Simon Bell's blog post Sneaky Malware Reconfigures Hive OS Wallet for Profit.

 

After you install HiveOS' diskless PXE system, if you look at what's inside /etc/shadow, you will notice that the salt and the key for user is the same, even if you update the image. (The more interesting question is whether the salt is the same across different users or not, but I am unable to personally test and verify this.)

This is important is because this is how the HiveOS diskless PXE is able to keep it so that the default password for the default user ("user") as "1".

(It uses the SHA-512 based password algorithm.)

The fact that the salt and the key is consistent through different HiveOS diskless PXE images, even if you update the image is one of the reasons why it is fundamentally and principally insecure.

(Ironically, if you do end up getting hit with this by hackers/attackers, one of the first things that you can do if you have a PXE installation is to power cycle your system/rig whereby you can take advantage of this fact that the HiveOS image that is served up by your PXE server will just reset and restore the default setup/configuration of your entire rig and since it will pull the flight sheet from your HiveOS account, you won't have a problem there.

In other words, there are pros and cons to using the HiveOS' diskless PXE setup/system because if you first notice that your crypto in your wallet or pool address isn't increasing as your system is mining and it is supposed to be, then you will be able to very quickly resolve and rectify this problem by just power cycling your rig given the fact that the HiveOS diskless PXE image lives in the local RAM of your rig, which means that turning your rig off -- any of the changes that the hacker/attacker has made will be gone/lost as far as the hacker/attacker is concerned since the image only lived in RAM and not on a non-volatile storage device like a HDD or SSD.

By the same token, the fact that the default password is the same for the default user ("user") also is a security flaw unto itself for HiveOS' diskless PXE system because this is what allows the hacker/attackers shell script to be able to run in the first place.

The HiveOS team, in their Telegram post, writes:

But as my testing and research has shown, you can't actually abide by their recommendation of using more secure passwords because any changes that you make to your machine/system/rig's HiveOS password will ONLY be temporarily changed until the next reboot or power cycle.

To test and prove this, you can either actually perform a reboot, or you can just extract any of the hiveramfs.tar.xz images (or any of the backup images in <<path_to_your_pxeserver_root>>/backup_fs) and then cat ./etc/shadow | grep user and you will see that in your current image and any of your backup images, the result is the same.

The other really big security flaw with this setup is also the fact that the HiveOS team DOES give you a command (hive-passwd) so that you can change the password locally on your system.

The problem with this command is that you have to pass in the new password as an input argument to that command, which means that the password will be typed in, in plain text.

This also means that by default, this system, which is based on the Ubuntu 18.04.5 LTS distribution, also uses bash as the default shell. As a virtue of the bash shell, if you type in the command: history, you will be able to read, in plain text, the password that the user has changed their system to.

HiveOS' diskless PXE setup does NOT clear your bash shell history with each login or with each log off.

And then, on top of all this, if a hacker/attacker is even mildly or remotely sophisticated, and your mining rig is directly connected to the public internet with port 22 open, it won't take them much to be able to find out whether you are running a diskless PXE setup or not. They can literally just read the config files, in plain text, to be able to determine and ascertain that. If you are running a PXE server, then you run the risk where they can start hacking into the rest of your network via your PXE server, or if they are only interested in hacking your mining rig and stealing your crypto, then all they would need to do is to run the hive-upgrade.sh script, and after your system is done updating, they would just need to unpack the PXE image into a temporary location that you aren't aware of on your PXE server, change the salt and the key for their new password and encode that into /etc/shadow, and then re-pack the hiveramfs.tar.xz file back up, and then pass the hacked version of hiveramfs.tar.xz as the "good" image (which as far as I can tell, HiveOS doesn't check), send the reboot signal to your rig so that it will pull the new, hacked image, and now you're hosed to the point where even a power cycle won't help you fix/restore your PXE image.

(And this also assumes that they haven't locked you out of the hive-upgrade.sh so that you can just run the update again, and undo those changes, which I can only imagine that a hacker/attacker that's slightly more sophisticated may probably be able to do that with what I can only assume, would amount to minimal effort (to lock you out of the hive-upgrade.sh command).

In fact, if they were smart, they would delete the hive-upgrade.sh command after they're done modifying your image, and also delete the pxe-setup.sh command as well so that you can't re-setup/re-download the image from the HiveOS server/repository which will undo said hacker/attacker's changes.)

And now your entire PXE setup is screwed until you rebuild the PXE server again, so that you can re-deploy the diskless PXE image again.

These are a bunch of inherent security flaws with the HiveOS' diskless PXE system.

I tried to warn the HiveOS team on the HiveOS forums, but thanks you @HaloGenius there, he decided to take it upon himself to just label this as fear, uncertainty, and doubt (FUD) when the statements that I have presented here are VERY easy to prove (because I've been able to prove them and I'm an idiot as far as computers and sysadmin is concerned). It doesn't take much.

In fact, I am such an idiot that I used the hive-passwd command to change the password to a more secure password and then I forgot what it was that I changed said password to, so I power-cycled my rig so that it would pull the HiveOS image from my PXE server again just to "reset" the password. (Because if you use the hive-passwd command and you mess it up, you don't really have a good way of recovering from that (or at least it's not an easy way to recover from that).) Whoopsies! (When I said that I'm an idiot when it comes to this stuff, I'm not kidding.)

So....what does this all mean? And what can you do?

The best thing that the HiveOS team can do at this point is to take a good, long, hard look at the security issues that I have presented here, building on top of the work that Simon Bell had presented almost three weeks ago (8 July 2021).

What I would LIKE the HiveOS team to do would be that when you run the pxe-setup.sh command for the first time, it will ask you what you want the default rig password to be (you WILL need to make sure that you don't screw this one up because if you toast it, then you will have to rerun the pxe-setup.sh command again to correct it). 

That way, it will download the original image with the default password for the default user, and then right away, you will get to change it and it will replace the line that's in /etc/shadow with the new password, at minimum, and preferably, with a new salt and password.

Right now, it will ask you what your farm hash is, what's the IP address of your PXE server, etc. The HiveOS team should be able to add another, new question, "what do you want the default password to be?" and then you can type it in (preferably echo off), and IF and/or anywhere where HiveOS might need to store that in plain text anywhere, that it will only do so temporarily and then it will clean up after itself so that it won't leave any reminents behind.

When I read Simon Bell's blog and I started thinking about what this means for a diskless PXE setup, I never realised how many failure modes there are that existed with the diskless PXE setup until I started really taking a look into this.

That's would be the minimum of what I would recommend the HiveOS team to take a look at, and implement those changes or something along those lines.

In the meantime, here is what you can do to protect yourself:

1) Secure your local area network. There are no shortage of videos on YouTube that you can look up and watch (or google it and read) where there are people who are dedicated to this topic, so follow their best practices.

2) Use a VPN. It won't really help secure what's inherently insecure, but at least it adds one more layer of protection. It will take your rig off the public internet, and therefore; will increase your latency times for shares, but I suppose that's better than getting hacked, right?

3) Close off port 22 on your router if you don't absolutely need SSH to remote into your network. I know that this isn't always possible, but if and where it is possible, you should probably close that off. (If you DO need port 22 to remain open, there are ways to do so in a more secure fashion as well. You can google and/or YouTube that as well.)

4) Change the password to a more secure password. Yes, I know that you have to pass in your new password in the hive-passwd command, but if you do it right after your system boots up (each time, preferably), then it will help safe guard your system. This is especially true if you've upgraded the HiveOS image on your PXE server.

Keep in mind that any password changes on your rigs are local and therefore; only temporary.

(I haven't checked to see if rig.conf stores the rig password in plain text, but I wouldn't put it past the HiveOS team to send the rig password, via rig.conf, in plain text as well. But I can't say for certain being that I don't use rig.conf files.)

5) After you have changed your rig's password, make sure you clear the bash history on your rig by running history -c. This is important because, again, since you have to pass in your new password, in plain text, as an input argument for the hive-passwd command, this will mean that the bash history will retain a record of it. Running history -c will clear said bash history.

I wished that the HiveOS diskless PXE system would do this automatically whenever you have ran the hive-passwd command by default, but right now, as it stands, it doesn't.

Stay safe.

Happy mining!

 

 

Credits and acknowledgements:

Credit goes to @HaloGenius from the HiveOS forums for deleting my thread and comments about these security issues/flaws with the HiveOS diskless PXE system/setup where instead of, or rather than addressing these security concerns, you took it upon yourself to delete the thread and comments under the guise of this being fear, uncertainty, and doubt (FUD).

As a direct result of your actions there, you inspired me to revive my blog that I haven't touched in years, and turn this blog into me blogging about engineering and IT stuff such as this so I want to acknowledge you, thank you, and give you credit for inspiring me to write this so that people will know what kind of security issues/flaws exists with the HiveOS diskless PXE system, which is sold as a "feature" on the HiveOS features page.

Apparently, security flaws with HiveOS diskless PXE system/setup is a "feature" of HiveOS.

More Reasons Why HiveOS' Diskless PXE Boot Is Such A Massive, Critical Problem

Here are more reasons why the HiveOS diskless PXE boot is such a massive, critical problem:

Per the HiveOS team's own Telegram post:

They tell you:

"How to avoid this kind of attack:

- use secure passwords"

The problem with this, of course, is that if you are using HiveOS that was installed on a hard drive, SSD, or a USB flash drive (which, by the way, if you got hacked/hijacked like this, you couldn't simply just reboot to wipe out the stuff that the hacker/attacker has done), then sure, you can change the password to your heart's content when you first boot up and everything will be a little bit more secure from that point forward.

But if you are using HiveOS' diskless PXE, the hacker/attacker hacks/hijacks your system, you reboot it to reset everything, which sounds great in theory, until you realise that it also restores your system to the default password "1".

So much for having a more secure password.

In other words, if you ACTUALLY want to abide by the HiveOS team's recommendations of using a secure password, a reboot and/or a power cycle on your rig/worker/system will wipe out said secure password and restore it back to the default unsecure password. Once that happens, then a hacker/attacker can hack/hijack/attack your system again. Rinse. Repeat.

 

This flaw exists REGARDLESS of whether you have port 22 open on your modem/router.

Even if you secured your network, the fact this massive, critical flaw that still exists with the HiveOS diskless PXE system means that your network and your rig/worker/system(s) are still at risk.

In other words, you want to actually abide by the HiveOS team's recommendation. But literally a reboot and/or a power cycle on your rig later, and your diskless PXE rig/worker/system would be just as unsecure as it was before you tried to use a secure password, pursuant to said HiveOS team's recommendations on how to avoid this type of an attack.

And in talking to at least the HiveOS forum moderator(s) and administrator(s), they are CLEARLY in denial about this massive, critical security flaw.

Again, the two things that I can think of that would make this vastly more secure would be:

1) If you actually WANT to abide by the HiveOS team's recommendations of using a more secure password, said HiveOS team would have to modify the pxe-setup.sh so that it will ask you want you want the default rig password to be (so that it won't just automatically deploy "1" as the default password to all of your rigs), and then it will deploy all of your diskless PXE rigs with the default password that you specified (that isn't stored in some config file somewhere, in plaintext).

2) An even better option, in addition to pxe-setup.sh asking you what you want the default password to be, would be if it asked you if you wanted to disable password authentication for ssh completely in the first place.

That way, you would have to worry a lot less about:

"How to avoid this kind of attack:

- use secure passwords"

 

BOTH times that I've written about this in the HiveOS forums and BOTH times, the post and the comments were deleted in regards to this. IF the HiveOS Team ISN'T able to or aren't willing to put the time in to actually make their diskless PXE more secure GIVEN these GLARING, massive, and critical security flaws with it, then they shouldn't advertise said diskless PXE as a feature on their HiveOS features page. That way, said HiveOS team won't have to worry about this gaping security flaw anymore.

HiveOS Has A Massive, Critical Security Flaw With Their Diskless PXE Boot System

TL;DR:

Don't use HiveOS diskless PXE because there's a massive, critical security flaw with it.

 

The issue: 

 

For some inexplicable reason, the moderators and the forum administrators over at the HiveOS forum has decided to take it upon themselves to delete the topic (https://forum.hiveos.farm/t/massive-significant-substantial-pxe-security-risk/43187/1) that I had posted where I talk about the fact that the HiveOS diskless PXE boot system currently has a massive security flaw in it right now. (*edit/update 2021-07-14 18:08 UTC*: I've also written extensively about it in the HiveOS diskless PXE forum thread as well whereby the moderators and administrators of the HiveOS forums are also fully and completely in denial about this MASSIVE security flaw in the HiveOS diskless PXE deployment environment.)

As reported by RedPandaMining in his video, he talks about the current security flaw with HiveOS where if your system/worker/rig is open/exposed to the public internet and the port for ssh (port 22) is open as well, that hackers can then hack into your mining system, change the configuration, change the password and hijack your system to mine for said hacker. 

 

So, my thought was that if you run a diskless PXE setup/configuration/deployment, that shouldn't be a problem right? 

 

Well, yes, and no. 

 

(Note: For the purposes of this blog post, I am going to be focusing in on the security of the HiveOS diskless PXE deployment rather than the actual network security side of things. This isn't to say that one area is more important than any other. As such, you can google how to secure your home network as there are plenty of resources that talks about this. From my research, there is little, if anything, written about the security of HiveOS diskless PXE setup/deployment/system so this is the area that I am going to focus on specifically, in this blog post. In fact, there is so little that's written about this topic and that may have something to do with the fact that the HiveOS forum moderators and administrators will delete any thread or posts talking about this topic, which is why I am writing it on my own personal blog instead since it is quite obvious, this is an area that they don't want to talk about.)

 

See, the thing with a diskless PXE setup is that whilst yes, you will be able to "fix" the hack simply just by either issuing a reboot command to your mining rig/worker/system via HiveOS' online management interface, or, if you can't get to it because the hackers have hijacked your rig, you will have to be able to physically power cycle the system, then it will just go back to booting like it normally would off of your PXE server, and that would undo all of those changes that the hacker was able to implement.

But that's not the end of it.

The way the hacked worked, according to Simon Bell, it installs basically a loader script that will connect to the hacker/hijacker/attacker's web server address that will then reconfigure your system (mostly to lock you out and prevent itself from being removed) and then it will download the rest of the payload and supporting files that will then change your actual configuration files specific to mining/the miner itself.

So, with that, again, the thought process could be that if you have a diskless PXE system/deployment, all you would need to do is power cycle your rig/worker and that will restore everything back to its default and that would be the end of the hack/hijack.

But that's not the case.

The truth of the matter is that some of the recommendations that Simon Bell makes are to change your password, both through the HiveOS online management interface, and if that fails/doesn't work (as it happened to be in my case when I tried it), you can always ssh into your rig/worker/system and run the command:

hive-passwd

to change the password locally on the system and that way you can set a stronger, more secure password.

Another mitigating action that you can take is also to disable password authentication for ssh altogether and authenticate only using keys instead which would make it more secure.

And you can google the steps on how to do that or follow the link from Simon Bell's post in regards to the specific instructions on how to do that.

But here is the problem with both of those actions: the moment you power cycle and/or reboot your rig, and it goes through the diskless PXE boot process all over again, it will (re-)download the diskless PXE image (hiveramfs.tar.xz) from your PXE server and then start to unpack it and ALL of those changes that you've just made to secure your rig is now, once again, NOT secure again, as the defaults are restored.

I know because I accidentally tested this.

I tried to change the password for my rig/worker/system via the HiveOS online management interface and that didn't seem to work so that ssh into my rig/worker/system, and ran:

hive-passwd

and changed my password to something more secure. I log out, and when I tried to log back in, it had failed. Maybe my password was too secure to transmit over ssh? Who knows.

Either way, I couldn't log back into my own system again.

 

So, what do I do to "fix" this?

 

I power cycle the system and as I mentioned above, it resumed the normal PXE booting process, downloaded the hiveramfs.tar.xz file from my PXE server and proceeded to boot up the rig/worker/system like normal.

But when went to log back into the system, instead of it being the password that I had changed it to, it reverted back to the default password.

That's a HUGE problem.

The default password is built into the hiveramfs.tar.xz image that it creates when you run the pxe-setup.sh initially PXE configuration script as well as the hive-upgrade.sh script.

This means that by default, the diskless PXE boot image is NOT secure because if you change the password and/or if you disable password authentication for ssh, all you would have to do to undo those changes is just to simply reboot the rig/worker/system.

And if your rig/worker/system is still wide open to the public internet and port 22 for ssh is still open on your modem/router, then the attacker/hijacker can attack your rig/worker/system repeatedly even if you were using a diskless PXE setup/server/deployment.

What's worse - if the attacker was more sophisticated, they can actually hack and hijack your rig/worker/system to a point where it will try and see if you are using/running a diskless PXE system/server, find out the IP address of the PXE server, and then try and implement the changes in the hiveramfs.tar.xz file directly so that even if you tried to reboot your diskless PXE rig/worker/system to try and "restore to default", it would be downloading a hacked/hijacked boot image where the hack/hijack would then be built into the hiveramfs.tar.xz image and then this would mean that your HiveOS diskless PXE server is toast (along with your rig).

So....where do we go from here?

 

Well, for starters, the HiveOS development team should change/modify the pxe-setup.sh script  such that it asks you what you want the default rig/worker password to be rather than just cascading or setting up the default password for everything, and making/leaving it all to be the same (and that it doesn't change unless you either change it via the HiveOS online management interface and/or by ssh'ing into your system individually and changing them one at a time).

Secondly, I think that the HiveOS development team should also ask you whether you want to disable password authentication for ssh by default when run pxe-setup.sh script in order to make it more secure and therefore; you DEFINITELY won't have this default user/default password problem that hackers/attackers can take advantage of.

Again, at the per rig level, if you are running HiveOS on a disk of some sort, then these actions can go a long way to help mitigating this type of an attack. However, if you're running a diskless PXE setup, then these mitigations will be erased/cleared out/reset the moment you reboot the system because the inherent hiveramfs.tar.xz file will NOT have these changes implemented and for that to happen, the pxe-setup.sh deployment script will need to be modified by the HiveOS team so that these mitigations will be implemented by default, so that even if you reboot the system, it won't wipe out these security mitigations and worse, put your system back into a state where it can be attacked again.