New Plugin: Host Status plugin (1.5.6 FOG version)

Hi,
With the 1.5.6 release version is available one new plugin: Host Status.

This plugin say you the state of the computer in the host edit page:

This plugin detects the OS that is running in the computer:

• Windows
• Linux
• FOS (Fog Operative System): a FOG task is running in the PC
• Unknown: the FOG server can not comunicate with the PC: the PC is shutdown or the firewall is closed (you must open the 445 TCP port in the computer)

The state is detected on fly and only in the host edit page.

NOTE: when you search one host or hosts, in the result list appears the state of the computers too, but this state is read from the database and this entry in the database is updated by FOGHostPing daemon. The daemon need time to iterate with all computers and update his state. If you have a lot of PC in your FOG server, the daemon takes one second per PC to update his state, there may be discrepancies between the two states (host status plugin and FOGHostPing daemon)

Hello,

Some news about this problem. We made some changes in our server and his configuration and, actually, the server is not so drowned as before. The conclusion is: the default configuration of apache, php-fpm and mysql is not optimal for large scenarios. If you have a great number of client, you need to tune the server.

I will tell our previous situation and the actual situation to share our experience.

Initial Scenario:

• FOG version 1.5.2
• Virtual server with 8 vCores and 16 GB RAM
• OS: RHEL 7
• Active clients: 7000
• One fog server and only the default node.

In July we migrated from our old FOG version (0.32) under RHEL 5 to the new one (1.5.2) under RHEL 7. Without any additional configuration.

In August we observed that the server consumed a lot of CPU and RAM and we began to have performance troubles (and the course had not started). Panic Mode ON!!

The first thing that you think is … more resources are neccesary (more wood is the war). ERROR. The System Operation Center (SOC) guys say NO. We can not give you more resources.

First thing: Update
we updated the server OS and some packages. For example: php and mariaDB. We had php 5.6 version and we updated to php 7, the performance of php increased a lot of.

We updated the FOG version from 1.5.2 to 1.5.4

Second thing: Optimize the virtual machine resources

Our virtual server is hosted in a VMWARE server with two socket and each one with 6 cores (is an old server). Problem: our virtual server was 8 vcores, 6 vCores in one socket and the other 2 in the other one. The server had time access problems.
We removed two vCores from the server, in this way all vCores were in the same socket and the time acccess was more quicky. PROBLEM: less resource, more server load. In September the clients began to wake up and the php and mysql queries increased, then more resources were neccesary. To minimize it we increased the checkout time of the client to 900 seconds, with this we decreased the php and mysql queries, but the comsumption was still high (mysqld proccess 300%). The problem was the access time to the cores of the server, we had 6 vCores in a socket with 6 cores and also with more virtual server in the same socket. The more time the vCores were waiting to access to the sockets cores. The vCores were always at 100% of CPU usage.

To solve this we enabled the NUMA in the server:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-numa-numa_and_libvirt

With this we distributed the vCores between the two socket: vCPUs 0,1,2 + 8GB RAM in NUMA 0 y 3,4,5, + 8GB in NUMA 1. This is configurated in the VMWARE server. In addition, we install the numad package in our virtual server, this daemon distributed the proccess betwween the two NUMAs. The access to the RAM and CPU was faster.

For example:

# ./numa-maps-summary.pl < /proc/1787/numa_maps
N0        :          100 (  0.00 GB)
N1        :       648226 (  2.47 GB)
active    :       435228 (  1.66 GB)
anon      :       645582 (  2.46 GB)
dirty     :       647118 (  2.47 GB)
kernelpagesize_kB:         1012 (  0.00 GB)
mapmax    :          332 (  0.00 GB)
mapped    :         1248 (  0.00 GB)

we can see with this python script that the mysql is using the resources of the NUMA1 Node.
Now we have, again, 8 vCores distribuited between the two NUMA nodes.
Now, the vCores are at 80%-90%

Third thing: tunning php, php.fpm and mysql

We don’t have a lot idea about php, php-fpm and mysql, then we had to read a lot of articles in the web about them.

Tunning MySQL: to do it we have used the mysqltunner script, http://mysqltuner.com . This script gives you an idea about the performance of the database and how tunne it to increase the performance.

SET GLOBAL query_cache_size = 4000000; (4MB)
SET GLOBAL tmp_table_size = 20000000; (20MB)
SET GLOBAL query_cache_limit = 2000000; (2MB)
SET GLOBAL max_heap_table_size = 20000000; (20MB)
SET GLOBAL thread_cache_size = 4;
SET GLOBAL table_open_cache = 450; 

In the MariaDB web page recommends edcrease the swappiness value (https://mariadb.com/kb/en/library/configuring-swappiness/)

#sysctl -w vm.swappiness=10

Tunning php-fpm and php: There is some articles about it in this forum.
PHP-FPM:

pm = ondemand

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 50

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 5

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 50

; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
pm.process_idle_timeout = 10s;

Normaly the people have pm=dynamic but we use pm=ondemand because we saw that the performance is better.

Is possible that these parameters will be changed, but now the server runs well, but is October and the download activity has decreased a lot of.

To see the activity of php you can enable the apache server status in the php.ini and there is a tool “goaccess” too to see the php calls and the number in the terminal:

#yum install goaccess
#tail -f /var/log/httpd/access_log | goaccess -

Hi!!!

I am developing a new plugin, after AccessControl plugin, now Site plugin
With AccessControl Plugin we can control the access to the items of the webUI using roles. Now, with the Site Plugin we can control the access to the hosts by user using his physical location.

Site is not Location

With Location plugin we can manage the storage nodes from the hosts will download the images, snapins, … With Site plugin we can have more granularity, we can define as Sites as we need (IT room, labs, …) and associate the host to these sites. We can associate one user to one or more sites, in this way, the user only will see the hosts which are in his sites and not the others.

Hi Tom,

Finally works fine under ubuntu 14.04

sudo rm /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get autoremove
sudo apt-get update
sudo apt-get install mono-complete
Install the client

With these instructions the client woks fine. Thanks!!

Hi @kAs1m ,
I know what is happen here. The problem is the array of element of the top menu.

I will try to explain how works the plugin: the elements of the top menu are saved in one array, the AccessControl plugin erases the elements of the menu but, frecuently, the AccessControl can not erase the element because the order in the array have been changed. This occurs, normaly, when you try to apply some rules at time.

In conclusion, the plugin doesn´t work as fine as we want. As solution try to add rules one by one and see the result, for example I have a configuration as yours usong these rules:

• MAIN_MENU-about about main
• MAIN_MENU-plugin plugin main
• MAIN_MENU-service service main
• MAIN_MENU-site site main
• MAIN_MENU-storage storage main
• MAIN_MENU-user user main

In the future 1.6 version the pages will be loaded in other way that takes in account this problem.

I didn’t see this post. My two cents.

es-ES [Spanish (Spain)]

### SHUTDOWN PROMPT ###
{company} necesita realizar el mantenimiento en este equipo.
{company} needs to perform maintenance on this computer.

Por favor, guarde su trabajo y cierre todos los programas.
Please save any work and close all programs.

Cancelar
Cancel

Ocultar
Hide

Posponer
Postpone

Reiniciar Ahora
Restart Now

Apagar Ahora
Shutdown Now

Posponer durante 
Postpone for

X hora(s) Y minuto(s) Z segundo(s)
X hour(s) Y minute(s) Z second(s)

### NOTIFICATIONS ###

Apagado Cancelado
Shutdown Aborted

El apagado ha sido cancelado
Shutdown has been aborted

Apagado Retrasado
Shutdown Delayed

El apagado ha sido retrasado {time}
Shutdown has been delayed for {time}

El apagado se producirá en {time}
Shutdown will occur in {time}

Está a punto de ser desconectado
You are about to be logged off

Será desconectado si permanece inactivo
You will be logged off if you remain inactive

Instalando {snapin name}
Installing {snapin name}

Por favor, no apague hasta que no haya finalizado
Please do not shutdown until this is completed

{snapin name} ha sido instalado
{snapin name} installed

La instalación ha finalizado y está listo para ser usado
Installation has finished and is now ready for use

Short version:

### SHUTDOWN PROMPT ###
{company} necesita realizar el mantenimiento en este equipo.
Por favor, guarde su trabajo y cierre todos los programas.
Cancelar
Ocultar
Posponer
Reiniciar Ahora
Apagar Ahora
Posponer durante 
X hora(s) Y minuto(s) Z segundo(s)

### NOTIFICATIONS ###
Apagado Cancelado
El apagado ha sido cancelado
Apagado Retrasado
El apagado ha sido retrasado {time}
El apagado se producirá en {time}
Está a punto de ser desconectado
Será desconectado si permanece inactivo
Instalando {snapin name}
Por favor, no apague hasta que no haya finalizado
{snapin name} ha sido instalado
La instalación ha finalizado y está listo para ser usado```

Hi @Sebastian-Roth and @EduardoTSeoane ,

I tested the changes in my dev environment and the suggestions work fine. I think we can push the changes in the repository.

I don´t use the location plugin but Ithink that the problem is the same. Maybe, @Tom-Elliott can say us want think about them XD and the reason it does not wok correctly

Hi FOGers!!
I need to develop a control access plugin and, although I have more or less the things clear in my head, I would like share my minds with you. I accept suggestions, corrections, …

Feature:

• Control the access to the icons, menus and submenus in the the webUI by rol.
• Limit the searches and access to the resources (snapin, hosts, groups, tasks and images) of one or more locations.

Necessities:

• Create a new rol: restricted user

This plugin has two levels of control:

• Visual: Limit the access to the menus and submenus by rol user. The admin rol can access to all menus and submenus of the webUI and the restricted user only can access to the some menus and submenus (for example: Home, Hosts, Groups, Images, snapin, printer, tasks and logoff)
• Searches: Limit the range of the search to the resources of one or more locations. The restricted user only can see the hosts, groups, images that are link or associated to his/her location/locations.

This last level have a dependency with Location plugin.

Dependencies:

• Location plugin

Well, hereinafter I accept suggestions, ideas …

Christmas List:

• Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.
• Create different roles
• Create different access rules

It’s a little barter XD
He added a field in the database and I developed the access control plugin. Personally I think I’m losing

Hi FOGers!!

I attach some captures of this new plugin

When we list all users, appears the role that they have linked.

We can link a role to one user from user edit page.

In the accesscontrol page we can list, edit and add new roles

And create, list and edit rules

Editing a rule …

Hi @ragnurenson ,
Actually I don’t use the site plugin, then I don’t know that it fails. I will try to see what happens with it, and fix the bug

I test the changes that @george1421 says and works fine.
The first boot goes direct to W10 but in the next one appears grub menu .

Hi,
I use the LDAP plugin to valid the access of the users in the FOG server. We use the Active Directory as validation server but I have problems with some user because they are in a nested group of the admin group that I define in the plugin.

FOG version: 1.5.2
OS: RHEL 7

More info in https://forums.fogproject.org/topic/11970/ldap-plugin-and-nesting-groups-of-ad/2

@wayne-workman said in Access Control Plugin:

@fernando-gietz said in Access Control Plugin:

To create LDAP plugin rule, in the same way only change Rule Value= ldap

Is there somewhere where all these are listed?

The rule value is easy to know. We use the url to restrict the access, for example:

URL: http://fog_server_name/fog/management/index.php?node=ldap

The node value of the URL is the Rule Value of the rule.

Good news!!!
I finished the beta version of Access Control Plugin.

When you install the plugin, the installation will create two default roles: Administrator and Technician.

The installation process will create a big number of default rules (38).

Actually the rules have two types: MAIN_MENU and SUB_MENULINK. The first ones are the top tool bar icons, and the second ones are the lateral menus. In the second case, sub_menulink, if you don’t define the node value, the rule will apply to all pages (nodes). If you define the node, the rule will apply only to this node.

From this page you can link a multiple rules to one role.
And, finally, the installation process will associate the Administrator role to fog user.

From the principal Access Control plugin page you can see the role list, add new role, list all rule and add new rule. In the role menu you can edit it, delete it, see the membership and see the rule that are associated to this role.

Membership page:

Rule association:

In these last images we can see that the “user5” has the Technician role and this role have 7 rule associated (5 main menu and 2 sub_menulink)

In this screenshot you can see the rules that are being applied for “user5”:

And in this one you can see that the sub_menulink rules (in the image page doesn’t appear the multicast and the list option) in action:

@george1421 I have recaptured the image.

• Install W10
• Install Ubuntu 16
• Boot under W10 and run the bcdedit command
• Capture the image

That is very strange!!

Let’s go to begin again. We will to reset all

1. Unistall the plugin
2. Verify that the tables roleRuleAssoc, roleUserAssoc, roles and rules are being erased from the database by the uninstall process.
3. Reinstall the plugin
4. To test if the plugin works fine, we will not create a new role, we use the roles that the install process create. For example, administrator role.
5. After install the plugin, go to users page -> List all Users. Does appear a new column named “Role”?
6. Go to AccessControl Page -> List all Roles. Select Administrator role.
7. Go to Rules tab -> Check the checkbox to see the rules that can be assign.
8. Select MAIN_MENU-about, MAIN_MENU-printer adn MAIN_MENU-storage.
9. Go to Members tab -> Check the checkbox to see the users that can be added.
10. Select fog user (for example, you can select profs users if you want). Does appear the fog user in the list of members?
11. Go to User Page -> list all users. Does appear in the role column the name of the role in fog row?
12. Any error log in the apache log?

Solved!

How I said in before posts, the problem was the different states of the network card. After working hardly with the network guys and talking with @Sebastian-Roth, we solved the problem using the undionly.kpxe file that is in the folder 10seconddelay.

This file adds a little delay in the DHCP request after power on the network card.

It is easy
AccessControl Plugin -> add new rule

Rule Type: MAIN_MENU
Parent: main
Node: (empty)
Rule Value: pushbullet

After do this, you need associate this rule to the role.

@sebastian-roth I have deployed the dual image to a different machine and … surprise! You are right, the machine boot directly under W10, in the next appears the grub and the posibility to boot under Ubuntu.

I have found a link about NVRAM, I suppose that will be a lot of them but was the first entry in google :

Understanding UEFI variables: http://en.community.dell.com/techcenter/os-applications/f/4457/t/19589262

1- What all information is stored in UEFI VARIABLES?

All configuration setup, vendor information, language information, input/output console, error console, and boot order setting all these information are stored in these variables

 

2- How to get NVRAM variables

You can use UEFI bootable USB to boot the server. You need to have supported files which can give you UEFI shell once server boot from USB. Once you got the UEFI shell you can run UEFI command "dmpstore" to see the variable available in NVRAM. For more options or help just type “? dmpstore”.  If you have Linux installed before in same server in UEFI mode. You can access the EFI partition. Give this command in UEFI shell "FS0:" Now your “/boot/efi “partition is mounted. You can see the content of this volume using ls/dir command. "dmpstore -all > myvariables"  will collect all NVRAM variable to EFI partition. When you reboot your Linux box you will see this file in your /boot/efi location.

 

3- Analysis of variables

You will see lot of entries in the dump file. Variable name, access, data and many more. We will use this example:

Variable NV+RT+BS 'Efi:ConOut' DataSize = 36

This tells that Variable name is Console output which data size is 0X36 in HEX

. This variable is available at runtime (RT) and boot time (BS).

Runtime variable which are available after OS booted and boot time which are available before

OS boot.

4- Mapping of UEFI variables from BIOS to Linux OS.

You can see all these variables are mapped from Linux OS.UEFI variables are mapped through sys entry. Just see to this location /sys/firmware/efi/efivars . It will have all variables which was available in dump file.

All these variables depend on efivarfs kernel modules. If this module is not available you cannot access the variables. It is mounted as  efivarfs file system on /sys/firmware/efi/efivars.

 

 

Parmeshwr_Prasad

Linux Engineer

Dell Inc (Bangalore)```