5 Days in Dubai

A review of our recent trip to Dubai (‘our’ being myself, my wife and our daughter Emily – 5yo). Now, I’ll be honest, Dubai was not high on my hit list of places to visit – mainly due to a roaring sun and many preconceptions (mostly proven wrong). However, my brother-in-law has been living and working there for the past year so the trip became inevitable. If you want to skip the review, I can sum it up as follows: I’d go back in a heartbeat.


The flight out with Emirates was perfectly timed: departing Dublin T2 on Monday evening at 20:20 for a 7 hours 30 minutes flight and landing, with a +4 hour time difference, at 07:50 local time. I was never going to sleep much on this but Emily slept almost the entire way and Cherrie nabbed 40 winks.

Tuesday

Arrival into Dubai International Airport (DXB) T3 was easy. There was a Costa coffee outlet in baggage claim and immigration was painless (no visa required for Irish passport holders on a holiday). We knew taxis were cheap but, having time to kill while hoping for an early check-in, we decided to take the metro. We knew our hotel, the Conrad, was situated near World Trade Centre stop but, as it turned out, it’s right at the stop.

Emily looking down on Dubai
View from the 46th floor.

This convenience sold us on the metro for the week. We picked up two Nol cards (translates as fare cards – equivalent to Leap cards) and loaded them up with 40 dirhams each (~€8.80). We took 2 – 3 return metro trips a day from Tuesday to Saturday and didn’t need to top them up again. Great value and very convenient. But also one of the best ways to get a real sense of the people of Dubai.

Some quick facts: Dubai is both the name of the emirate and the city. It has a population of ~2m which has doubled in 10 years. Only 15% are Emirati nationals, the rest are expatriates and about 85% of those are Asian.

We arrived into the hotel at 9AM and, thankfully, they had a room available on the 46th floor – the top floor! We unpacked, washed the stench of travel off, refreshed and headed back out. The plan was to meet Cherrie’s brother Conor later that afternoon and plan the week. We decided Dubai Mall was an easy target being only four metro stops away.

Waterfall in Dubai Mall.

Dubai Mall will be on everyone’s to-do list – it’s situated next to the tallest building in the world – the Burj Khalifa. At this point it’s important to mention that Emily was extraordinary every day in the kilometres of walking she had to do without complaining. We pretty much metro’d and walked wherever we could. Arriving at the Dubai Mall metro stop, you have to walk 1.7 km along a huge enclosed and air conditioned gangway to reach the mall. The entrance is a geek’s delight – about 10 electronic / gadget / computer stores.

The aquarium in Dubai mall.

It’s impossible to over exaggerate the size and scale of Dubai Mall. It is the world’s largest mall based on total area with 1,200 shops. Forget Dundrum Town Centre with its 100 and odd shops! I won’t claim we got our bearings but we had a wander around, grabbed lunch in a food court where all of the world’s cuisines were available and took in some sights such as the indoor waterfall, the built in aquarium and grabbed some essentials in the Waitrose supermarket.

Then it was back to the hotel to meet Conor (who was working nights this week) and plan an itinerary for the week. Followed by a swim in the hotel pool – a favourite of Emily’s and the perfect cool tonic to the heat.

By the evening we were crashing fast. Understandably. Conor guided us to an Irish bar with good food across the road from the hotel. Probably the last place in Dubai I’d have chosen pre-arrival but, after a long day of walking after a sleepless overnight flight, something close, convenient and familiar fit the bill in the moment. McGettigan’s served up some good burgers, Guinness but a poor fish’n’chips.

Wednesday

Crossing the creek on an abbra.

We decided to hit the Dubai City Souks around Deira (Al Ras metro stop) – we didn’t get around to the fish market unfortunately but we were enveloped in the aromas of the Spice Souk and the Perfume Souk, marvelled at the Gold Souk and dodged offers of fake handbags and watches in the Covered Souk (that was kept for later!). We then took an abbra (a small wooden dhow) – a water taxi – across the creek to Bur Dubai Souk.

Looking back at Deira.

Despite being told that you don’t walk anywhere in Dubai before leaving, this was part of the original Dubai with plenty of streets to meander around. There’s also lots of small food stalls and – if you don’t have hygiene phobias – you’ll easily pick up a chicken shawarma for about 50cent.

Back to the hotel then to meet Conor via the Al Ghubaiba metro stop.

Cruising around a lake in Safa Park.

We decided to take a walk around Safa Park with Conor – grab an ice cream and spin around a lake on a boat. It’s a 64 hectare urban park with three lakes, over 200 species of birds, and 16,924 different trees and bushes. It’s also one of the few places you’ll find grass rather than sand.

We finished up Tuesday by heading back to Dubai Mall to get our dinner and to check out the famous fountains. Set on the 30-acre Burj Khalifa Lake, the fountain shoots water jets as high as 150 metres, equivalent to that of a 50-storey building. The fountain is 275 metres long and has five circles of varying sizes and two central arcs. It has been designed by California-based WET, the creators of the Fountains of Bellagio in Las Vegas.

We found a nice Italian but no alcohol on sale here. You can get a drink, just mainly in hotels and other licensed places.

Thursday

After two days on the northern end of the city, we decided to head south to Jumeirah via the Dubai Marina metro stop (which interestingly, for me, brought us past Dubai Internet City). There’s a lovely marina here but the more interesting walk is to head towards Jumeirah Open Beach and Walk – a couple of kilometres of a pedestrianised zone of boutique shops, cafes and beach. The heat at this time of year is not unbearable but a Starbucks Frappuccino has never tasted so good! Back to the hotel for lunch and a quick dip to cool off.

The afternoon heralded a complete change of scenery as our guide, Umar, collected us in his Land Rover jeep for a desert safari (with two others). This took us out of Dubai – which quickly changed from metropolis to desert – for about 6 hours. Our first stop was quad biking which was exhilarating – dune bashing at speed over and into sand dunes. Emily even got a spin on the quad around the flatter areas.

Little did we realise that after a bit of dune bashing on a quad, we were about to do it for real. These images look pretty tame compared to our experience. Umar was taking no prisoners and Emily – who enjoyed the first five minutes – turned quickly grey while breaking out in a cold sweat for the next ten minutes. I’d be lying if I said I didn’t sweat a bit myself as I glanced parts of cars left behind whizzing past the window!


After some photo ops in the desert, we were brought to a desert campsite for a traditional dinner, belly dancing, camel rides, henna tattoos and more.

Friday (Holy Day – our Sunday)

We kicked the morning off with a water taxi from Al Ghubaiba on one end of the city to Dubai Mall Marina on the other. We taxi’d to Al Ghubaiba when we realised the Metro doesn’t kick off until 1PM. Taxis, by the way, are also very cheap. The boat ride took about 1 hour 30 minutes and gave a fantastic view of all of Dubai from the sea as well as the (incomplete) The World, the Burj Al Arab and Jumeirah Palm.

A quick bit of shopping in our destination – the much more manageable Dubai Mall Marina – with a spot of brunch and then the metro back to the hotel. The afternoon was spent with Conor in a suburb known for its vast quantities of high quality but fake handbags and watches. The girls wrapped up their Christmas shopping here.

Conor and his girlfriend Laura took Emily home for the night leaving myself and Cherrie to head out ‘properly’. Conor directed us to Madinat Jumeirah – a hotel resort – which reminded me a lot of the Venetian in Las Vegas. We had a lovely meal here (take your pick of many restaurants) and, importantly, a bottle of wine!

We taxi’d from there to the Burj Khalifa where our destination was At.Mosphere on the 122nd floor. A bar with some lovely looking tapas – alas my food quota had been reached. We may have thought we were high on the 46th floor of the hotel, but 122 floors up is something entirely different. And that was only just over half way up the building. There’s no entry fee but a minimum spend of 300 dirhams per person applies (~€65). This is easy to reach with about 3 – 4 drinks each. Reservations aren’t required but I’d strongly recommend it. This place is at its best if you can ring ahead to get a window seat looking down on the city.

Saturday

Conor, Laura and Emily collected us Saturday morning to head to Wild Wadi Waterpark. Conor’s residency card got us a good 40% discount on the expensive headline rates but it’s well worth the cost – even if you’re just a party of adults. We spent a good few hours here, from enjoying the slow streams to being scared witless on the Jumeirah Sceirah.

One question was also answered here – what do women who normally wear a Hijab do in a place like Wild Wadi? Well, they wear a burqini. A swimsuit equivalent of the Hijab. Dubai is very much a melting pot of cultures and we had no issues anywhere we went in terms of culture or clothing. Cherrie, Laura and many other non-Islamic girls in their bikinis co-mingled without issue / stares / comment with Islamic women in their burqinis. There just was no issue here. I, however, will confess to being somewhat jealous of the burqini from a purely sun protection point of view!

The evening was spent with a return trip to Dubai mall for a last supper with Conor and Laura and a final spot of shopping.


Then early to bed for a 4AM rise to get to the airport for the trip home.

Notes / Comments / Takeaways

  • We all loved Dubai and would happily go back. We wouldn’t want to live our lives there but would happily spend a few years working there (under a different life path!).
  • Forget whatever you’ve been told about dress code / covering up. We saw all fashion types from skimpy to Niqab co-exist in all places we visited. Don’t assume that that extends outside Dubai though.
  • Also forget the rumours of the UAE’s big firewall blocking access to (or download of) social media apps. One of their biggest mobile companies were running an offer of unlimited social data for x dirham a month where two of the four sample apps were Facebook and Twitter. Both of which seem to be in widespread usage there.
  • If you dash for the metro and, after catching your breath, look around and notice a lot of women looking at you with a smirk on their faces with no other men in sight, you’re most likely in the women and children only carriage. You won’t be arrested for this! And don’t worry, you’ll find women and children in all carriages, this is just for those who prefer to travel without men under whatever traditions / beliefs they have.
  • We booked the flights and hotel as a package via Expedia. We stayed in the Conrad Dubai but, with the way we travelled, any hotel near a metro would have been fine.

IXP Manager – Planning for v4

A lot has changed in the 3 to 5 years since the decision was made to use certain libraries / technologies / methods on IXP Manager.

In previous major version changes we made some serious architecture changes in one sweep. For example v2 -> v3 saw the complete migration from Doctrine ORM v1 to v2 (which was a change from the Active Record pattern to the Data Mapper pattern).

Today, IXP Manager is a very large project and to do such a sweeping migration in one go would stifle development, break something that isn’t actually broken and take a lot of time.

But, sticking with older technologies and libraries has negative effects also. It creates developer apathy (which I can personally vouch for). It also provides a major stumbling block for bringing on new developers and contributors (who wants to learn Zend Framework 1 now which has been EOL’d for some time?).

So, our plan for v4 is to bring in new technologies without throwing away or rewriting everything we have.

IXP Manager is an MVC application that currently uses Doctrine2 as the Model, Smarty as the View and ZF1 as the Controller. Doctrine2 is still current and won’t be changing.

Smarty will remain as the view engine for current / unmigrated functionality. But Smarty is… oh my God… soooooo bad. v4 will default to Twig which is more modern and far better structured from a programming point of view. Coupled with the new framework, it will also allow for a nicer means of skinning. For the interested, Twig has some very nice features including layouts, macros and also some nice security features.

ZF1 has served us well but it’s been EOL’d and is now quite outdated. The new hotness in PHP is Laravel, which I’ve been using to great effect for a while now. Laravel showcases some of the new and best functionality of PHP and uses very modern techniques (such as IoC).

But more importantly, Laravel will let us do things in a much different and much more flexible manner for the IXPs using IXP Manager. Some of these include:

  •  Job queues: built-in and simple (to use) support for job queues via Beanstalkd and others. Queuing jobs will provide functionality that we at INEX have been looking for (and it’s also an FAQ from other IXPs) -> reconfiguring services on demand (or, at least quicker than a twice daily cronjob).

Put this together with:

  • Events: Laravel allows us to trigger events and subscribe to them.

A key example of queue and event functionality would be that a change to a VLAN interface (such as checking the route server client box) would trigger a vlan interface changed event. One subscriber to this event would be the route server configuration manager. Based on the VLAN change, this event handler can then queue events. The route servers themselves would monitor these queues and rebuild / reconfigure the route servers appropriately on demand.

Similar handlers for route collectors, DNS ARPA changes, etc. can offer much more real time control of all the services at an IXP.

IoC decouples logic from the controller. What this means is that IXPs who want to do things differently than INEX (let’s say use Cacti instead of MRTG as an example), can swap out MRTG with Cacti with one line of code (that’s assuming we write contracts – interfaces – for such handlers and a Cacti version is coded of course!). But that’s the kind of power and flexibility we’re looking to bring in.

Other features Laravel provides include:

  • Much improved unit testing on controller actions. Right now, we spin up Apache and MySQL to test controller actions. This is no longer required with Laravel making tests easier to write, more robust and more focused with built in support for mock objects.
  • A much nicer and more structured way of creating command line interfaces rather than the quite clunky way we have of doing it currently.
  • A much more natural way to develop REST API endpoints with json:api compatible responses.

And that leads us to the front end. Right now, the front end and the back end are tightly coupled. During the development lifetime of v4, we want to move more towards an API is Everything back end with a decoupled front end.

This separation will again aid unit testing providing a more reliable and robust IXP Manager. It will allow other IXPs to create their own front end on member facing portals or, even, move to IXP Manager as their back end system but retaining investment of current member portals by adding new features from IXP Manager through API endpoints. It will also allow existing systems in IXPs to integrate with IXP Manager to provision services and ports for example.

One of the bigger tests of this plan will be the (long awaited and badly needed) revamp of the member facing area. We’re currently planning the UI / UX of this to deliver key information to members in the best way possible. This will include Bootstrap v3 which is fluid from the ground up so mobile browsers to wide screen browsers should be supported naturally.

During the early stages of v4, we’ll create the API endpoints necessary to support the member portal functions and then create a front end on that using Ember.js.

Other changes in v4 will include:

  • A switch from package management via Git sub-modules to composer and Packagist as is current standard practice.
  • Introduction of Bower for front end asset management.
  • And we’ll need a task runner for pulling everything together – for that we’ll use Grunt (although that’ll mostly be a development / release prep tool rather than an end user requirement).

So, that’s what we’re looking at! It won’t happen overnight but we’ll continue our policy of release early, release often and we’ll update the documentation and provide complete upgrade instructions at the appropriate times. Some of the above is also subject to change depending on practical experience / issues as we move towards it.

Comments, ideas, etc. are all welcome.

EU Data Retention Directive Declared Invalid

The Court of Justice of the European Union today declared the Data Retention Directive invalid in a joint case brought by Digital Rights Ireland and an Austrian group. This is a great win by privacy advocates against a law that was overreaching, uncontained and unsafe. The court’s own press release is a short three page read but some of the key elements include (all emphasis theirs):

  • the data “may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented”;
  • the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data
  • “the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime”
  • “the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that … may be considered to be sufficiently serious to justify such an interference” and “the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them”
  • “the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data.”
  • and, shockingly (if none of the above was shocking enough), “the directive does not require that the data be retained within the EU”.

This is indeed a good day for digital rights, privacy rights and common sense. We all owe a debt of gratitude to the volunteers at Digital Rights Ireland.

Peering Week Articles on trefor.net

I spent the first few days of St Patrick’s week last month in Leeds at the first of the two annual Euro-IX conferences on behalf of INEX. Trefor Davies, of trefor.net, organised a series of articles called Peering Week on his blog to coincide with it:

During Peering Week we have had 18 excellent contributions from some of the people who run the internet in Europe. This might sound dramatic especially considering that the internet is made up of sixty or seventy thousand Autonomous Networks. The contributors this week run Internet Exchanges where a great many of these networks connect to each other.

My contribution was about our IXP management system called IXP Manager – co-written by myself and Nick Hilliard for INEX. This tool is now being used to manage two IXPs in the UK, at least five more across Europe, a couple that we know about in the US and it is now the de facto choice for IXPs in Africa and Asia – where we are working with ISOC.

You can read the full article on Tref’s blog here: INEX’s IXP Manager – tools to help manage an Internet Exchange.

I’m glad to say that the good folks at Euro-IX helped ensure I wasn’t too homesick on St. Patrick’s Day – as the day’s proceedings wrapped up, we were greeted by:

[Image: guinness_array_header]

Save Seanad Éireann

There’s very little good about the Seanad in its current form; it’s been broken for a long long time. So, why save it? Here’s why:

  • It can be fixed. A lot of trees have given their life for report after report on how to reform the Seanad. We just haven’t had a Government willing to get their hands dirty and fix it. Prof. and Senator John Crown had also published a laudable Seanad Reform Bill.
  • Once it’s gone, it’s gone. No, this isn’t a Home Store and More ad. Do you realise the changes required to the constitution to effect abolition of the Seanad? Twenty three articles will be changed – some of them substantially. It’s easy to just abolish the Seanad but can you imagine ever reintroducing it? With this many changes? It would never happen.
  • This is a political stunt. Yes, it is. Enda Kenny announced his plan to abolish the Seanad in a pre-election publicity stunt. Somehow forgetting that only months previous to this, he had put forth a strong argument for retention and reform. I truly believe that if he and many of his cohort of Ministers were in opposition, they’d be railing against abolition.
  • It’s bad for democracy. I had an interesting talk with a friend who works for a NGO recently and she, if I may paraphrase her, explained that democracy itself is not the real goal but rather good democracy is. The Seanad does, or at least should, offer a different voice to the legislative process than the Dáil does. It has a different membership pulled from different panels with, generally speaking, more diverse experience than the typical group of TDs. It provides checks and balances on the legislative process. Granted, the selection of many of these panels is undemocratic – but then that’s what reform is for.
  • All power will be concentrated on a government controlled Dáil. Ireland has no clear distinction between the executive branch of Government and the legislative branch. This, I believe, is a deficit in our democracy as the decisions of the executive (the TDs that are members of the cabinet / Ministers) are often made with one eye on the next election. The Taoiseach and his Ministers make up the cabinet and they also control the Dáil through the Government majority. Thus, they have and wield complete control of these two branches – and, as we saw in this term – have also clashed with the judicial branch on a number of occasions including a referendum to cut their salaries. This is way too much power and plainly undemocratic. You may not worry about this during a Fine Gael / Labour coalition but what if, through whatever circumstances, it was Sinn Fein wielding that power? Or a vast coalition of the loony left? Or the conservative right? A reformed Seanad can and should provide a counter balance to this. Preferably with the possibility of an opposition controlled Seanad.
  • We deserve a better debate. If the Seanad is to be abolished, we at least deserve a better debate on the real issues rather than the cynical and, frankly, pathetic campaign that Fine Gael is currently running (Save Money – Reduce Politicians). We also deserve to see Enda Kenny stand over his position in a live debate rather than running away from it.
  • We deserve to hear minority and opposition voices. Even in its current form, the Seanad has always allowed minority, opposition and differing voices on a range of social, political and other issues. This is a good thing – think of the likes of Senators David Norris, Eoin Harris, John Crown, Rónán Mullen, Joe O’Toole and Feargal Quinn. I mightn’t (and certainly don’t in Mullen’s case) agree with them on various issues but the point is that the Seanad is a platform for these issues. Which is a sign of a healthy democracy. Look also at how the Government has used its position of power to silence the so called rebel TDs through the removal of speaking times.

For these, and many other reasons, I will be voting NO in the referendum to abolish Seanad Éireann. I hope you do likewise.

The contents of this posting may be used freely in whole, part or edited without attribution. Get the message out!

Popular Science Shuts Down Online Comments

Because they’ve realised that the internet is full of trolls, idiots and spambots. And, seriously, who could blame them. It seems that science fact is something that can be debated with references to debunked or pseudo-scientific research (or even the Bible) in areas such as evolution and climate change.

Quite worryingly, they talk about recent research in which a fractious minority wields enough power to skew a reader’s perception of a story through the comments that follow it – and, with this, came to the decision to switch off the nut jobs:

If you carry out those results to their logical end–commenters shape public opinion; public opinion shapes public policy; public policy shapes how and whether and what research gets funded–you start to see why we feel compelled to hit the “off” switch.

Monitoring LDAP – Example with Munin

Following up from my articles on Creating an LDAP Addressbook / Directory, then Securing LDAP with TLS / SSL and Multi-Master LDAP Replication; I’ll now look at monitoring LDAP with Munin as an immediate example and Nagios to follow.

First we need to enable monitoring on LDAP – execute:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_monitor.la
EOF

after ensuring {2} is the appropriate next sequence for olcModuleLoad. You can check this by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

Now create a user with access to the monitoring information:

cat <<EOF | ldapadd -x -H ldapi:/// -D cn=admin,dc=nodomain -w h.TDVyELBjm0g
dn: cn=monitor,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: monitor
description: LDAP monitor
userPassword: cA.5rMfzHw9vw
EOF

Lastly, configure the monitor database:

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: {2}Monitor
olcAccess: {0}to dn.subtree="cn=Monitor" 
  by dn.base="cn=monitor,dc=nodomain" read by * none
EOF

The monitoring module should now be active and you can test with:

ldapsearch -x -D cn=monitor,dc=nodomain -w cA.5rMfzHw9vw -H ldapi:/// -b cn=Monitor

Configuring Munin

“Munin is a networked resource monitoring tool that can help analyze resource trends and “what just happened to kill our performance?” problems. It is designed to be very plug and play. A default installation provides a lot of graphs with almost no work.”

On Ubuntu, you can install Munin and the required packages for LDAP monitoring with:

apt-get install munin-node libnet-ldap-perl

Then edit /etc/munin/plugin-conf.d/munin-node and add a section such as:

[slapd_*]
env.server 127.0.0.1
env.binddn cn=monitor,dc=nodomain
env.bindpw cA.5rMfzHw9vw

During the install, Munin may have detected OpenLDAP and added appropriate symlinks. If it didn’t, you can possibly do it from the output of:

munin-node-configure --suggest --shell

For me (Ubuntu 12.10), slapd showed up with an error Wrong amount of autoconf which I haven’t debugged. Instead I just created the symlinks manually:

ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_statistics_bytes
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_statistics_pdu
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_statistics_referrals
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_operations_diff
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_statistics_entries
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_connections
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_waiters
ln -s /usr/share/munin/plugins/slapd_ /etc/munin/plugins/slapd_operations

And restart Munin:

service munin-node restart
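
A check for the Munin side of this setup, as an added example that is not part of the original article: it confirms that the file holding env.bindpw is not world-readable and that env.binddn is the restricted monitor account rather than an administrative DN. The function names, finding labels and the placeholder password are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Munin plugin
# config that stores LDAP bind credentials, as set up above.

# Lower-case a DN and drop spaces so "CN=Admin, dc=nodomain" compares equal.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' '
}

# Print the value of KEY from the [slapd_*] sections of FILE (first match).
slapd_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_slapd = ($0 ~ /^[ \t]*\[slapd_/); next }
        in_slapd && $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_munin_ldap_conf FILE [PRIVILEGED_DN ...]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_munin_ldap_conf() {
    conf=$1
    shift
    if [ ! -f "$conf" ]; then
        echo "ERROR not a regular file: $conf"
        return 2
    fi
    rc=0
    binddn=$(slapd_setting "$conf" env.binddn)
    bindpw=$(slapd_setting "$conf" env.bindpw)

    # A stored password must not be readable by every local account.
    if [ -n "$bindpw" ] && [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WORLD_READABLE_SECRET $conf"
        rc=1
    fi

    # The plugin only needs read access to cn=Monitor; binding as an
    # administrative DN would hand Munin far more than that.
    for dn in "$@"; do
        if [ -n "$binddn" ] && [ "$(norm_dn "$binddn")" = "$(norm_dn "$dn")" ]; then
            echo "PRIVILEGED_BINDDN $binddn"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files (placeholder password, temporary directory).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/good" <<'EOF'
[slapd_*]
env.server 127.0.0.1
env.binddn cn=monitor,dc=nodomain
env.bindpw EXAMPLE-PLACEHOLDER
EOF
    chmod 600 "$tmp/good"
    cat > "$tmp/bad" <<'EOF'
[slapd_*]
env.server 127.0.0.1
env.binddn cn=admin,dc=nodomain
env.bindpw EXAMPLE-PLACEHOLDER
EOF
    chmod 644 "$tmp/bad"
    for f in "$tmp/good" "$tmp/bad"; do
        echo "== $f"
        audit_munin_ldap_conf "$f" "cn=admin,dc=nodomain" || true
    done
    rm -rf "$tmp"
}
demo
```

Run it against /etc/munin/plugin-conf.d/munin-node with the directory's admin DN as the second argument; no output means both checks passed.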

Multi-Master LDAP Replication

Following up from my articles on Creating an LDAP Addressbook / Directory and then Securing LDAP with TLS / SSL, I’ll now focus on multi-master replication. Actually, this example will focus on master-master but it can easily be extended out to multi-master.

If you’ve been reading the other articles, then some caveats and differences apply here:

  • if you plan to set up replication, I recommend you do it from the beginning which is what this article looks at;
  • in the Addressbook article, we created a new dedicated database for the addressbook. Herein however, I replicate the default database. I’ll explain how to replicate any given database below too.

For your environment, ensure you have DNS names registered or that you are using named hosts defined in the /etc/hosts file. For our case, let’s assume we have a hosts file entry as follows:

10.20.30.40    ldap1
10.20.30.41    ldap2

and, for each of the two hosts, we have respectively included the following in the SLAPD_SERVICES variable in /etc/default/slapd of each host (change for ldap2):

SLAPD_SERVICES="ldap://ldap1/ ...."

I’m going to write each of the following LDIFs as commands you can copy and paste.

We’re going to start by setting server IDs, loading the syncprov module and creating a user for syncing the config database. On ldap1:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1
EOF

Repeat above on ldap2 but change the server ID to 2. Then, on both:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la
EOF

On the above, ensure {1} is the next available module sequence by running the following first:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

Now, again on both servers:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: h.TDVyELBjm0g
EOF

We now need to update the server IDs and those of our peers. So, on both servers, run:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1/
olcServerID: 2 ldap://ldap2/
EOF

To get the replication running for the config database, we run the following on both servers:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1/ binddn="cn=config" 
  bindmethod=simple credentials=h.TDVyELBjm0g 
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2/ binddn="cn=config" 
  bindmethod=simple credentials=h.TDVyELBjm0g 
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF

You now have 2-way master-master replication of the configuration database. Make sure you check the logs for any issues. You can easily test it by changing a config option on the first server, verifying on the second, reverting on the second and verifying again on the first.
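One way to make the check above repeatable is to compare the contextCSN values that each server reports for the replicated database. This is an added example, not part of the original article; the function names and the sample ldapsearch output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare the contextCSN
# values of two providers to confirm that replication has converged.
# Collect the input on each server with the article's own local access:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -s base -b cn=config contextCSN

# sid_lag LDIF_A LDIF_B: print one line per server ID (SID) whose newest
# change differs between the two outputs. CSN layout: time#count#SID#mod.
sid_lag() {
    { printf '%s\n' "$1" | sed 's/^/A /'; printf '%s\n' "$2" | sed 's/^/B /'; } |
    awk '$2 == "contextCSN:" {
             split($3, f, "#"); sid = f[3]; seen[sid] = 1
             if ($1 == "A") a[sid] = $3; else b[sid] = $3
         }
         END {
             for (sid in seen) {
                 # CSNs for one SID sort lexically; a missing one is "".
                 if (a[sid] "" > b[sid] "") print "sid=" sid, "behind=B"
                 else if (a[sid] "" < b[sid] "") print "sid=" sid, "behind=A"
             }
         }' | sort
}

# in_sync LDIF_A LDIF_B: true only if both outputs carry at least one
# contextCSN (an ACL-denied search returns none) and no SID lags.
in_sync() {
    case "$1" in *contextCSN:*) ;; *) return 1 ;; esac
    case "$2" in *contextCSN:*) ;; *) return 1 ;; esac
    [ -z "$(sid_lag "$1" "$2")" ]
}

# Constructed sample outputs: ldap2 has not yet received ldap1's last change.
LDAP1='dn: cn=config
contextCSN: 20120606101712.654321Z#000000#001#000000
contextCSN: 20120606101530.123456Z#000000#002#000000'
LDAP2_STALE='dn: cn=config
contextCSN: 20120606100000.000000Z#000000#001#000000
contextCSN: 20120606101530.123456Z#000000#002#000000'

if in_sync "$LDAP1" "$LDAP2_STALE"; then echo "converged"
else echo "not converged:"; sid_lag "$LDAP1" "$LDAP2_STALE"; fi
```

For a data database, pass its suffix (dc=nodomain in this article) as the search base instead of cn=config.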

We can now replicate any other database by using similar changes to the above. Let’s say we want to replicate the database olcDatabase={1}hdb,cn=config, then execute the following on one server – remember, your configuration is now replicated!

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=admin,dc=nodomain" time.soft=unlimited 
  time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=004 provider=ldap://ldap1/ binddn="cn=admin,dc=nodomain" 
  bindmethod=simple credentials=O4PbIOzA9gvEQ searchbase="dc=nodomain" 
  type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=ldap://ldap2/ binddn="cn=admin,dc=nodomain" 
  bindmethod=simple credentials=O4PbIOzA9gvEQ searchbase="dc=nodomain" 
  type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
-
add: olcDbIndex
olcDbIndex: entryUUID  eq
-
add: olcDbIndex
olcDbIndex: entryCSN  eq
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF

NB: ensure you change the admin user and password above as appropriate for your database. Specifically, they should be the olcRootDN and olcRootPW as listed in the olcDatabase={1}hdb,cn=config object. Finally, execute the following on one server:

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
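The olcSyncRepl values in this article use bindmethod=simple against ldap:// providers, so the replication credentials cross the network unencrypted unless StartTLS is enforced. The following check is an added example, not part of the original article: it reads LDIF and flags such values. The function names, the EXAMPLE credential and the second sample value (with starttls=critical and tls_reqcert=demand) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag olcSyncRepl values
# that would send simple-bind credentials over an unencrypted connection.

# unfold: join LDIF continuation lines (a line that starts with a space
# continues the previous line; exactly one leading space is dropped).
unfold() {
    awk 'NR > 1 && !/^ / { print buf; buf = "" }
         { sub(/^ /, ""); buf = buf $0 }
         END { if (NR) print buf }'
}

# audit_syncrepl: read LDIF on stdin, print one verdict per olcSyncRepl.
# starttls=yes does not count: the session continues without TLS if the
# StartTLS request fails, so only starttls=critical or ldaps:// is accepted.
audit_syncrepl() {
    unfold | awk '
        /^olcSyncRepl: / {
            sub(/^[{][0-9]+[}]/, "", $2)   # drop the {n} ordering prefix
            rid = prov = "?"; simple = tls = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^rid=/) rid = substr($i, 5)
                else if ($i ~ /^provider=/) prov = substr($i, 10)
                else if ($i == "bindmethod=simple") simple = 1
                else if ($i == "starttls=critical") tls = 1
            }
            if (prov ~ /^ldaps:/) tls = 1
            if (simple && !tls) print "rid=" rid, prov, "CLEARTEXT"
            else print "rid=" rid, prov, "ok"
        }'
}

# Constructed sample: the first value follows the article's layout, the
# second is a hardened variant (both use a placeholder credential).
SAMPLE='dn: olcDatabase={0}config,cn=config
olcSyncRepl: {0}rid=001 provider=ldap://ldap1/ binddn="cn=config"
  bindmethod=simple credentials=EXAMPLE
  searchbase="cn=config" type=refreshAndPersist
olcSyncRepl: {1}rid=002 provider=ldap://ldap2/ binddn="cn=config"
  bindmethod=simple credentials=EXAMPLE starttls=critical
  tls_reqcert=demand searchbase="cn=config" type=refreshAndPersist'

printf '%s\n' "$SAMPLE" | audit_syncrepl
```

To audit a live server, pipe the output of ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcSyncRepl into audit_syncrepl.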


World IPv6 Day with Irish Statistics

In case it passed you by, today was World IPv6 Day. In a nutshell: “Major Internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are coming together to permanently enable IPv6 for their products and services by 6 June 2012.” This includes top content providers such as Facebook (see under their hood), Google (read what they had to say), Yahoo! and Microsoft. In fact, you may not even have noticed but Google were advertising it front and centre on their search page:

Google Announcing World IPv6 Day on Their Search Page

Over at INEX, we were unable to pull out IPv6 traffic statistics on the exchange until recently and my colleague just got the first pass of that project complete this week in time for World IPv6 Day. Here’s how it looked over the hours leading up to and into World IPv6 Day:

Now, the peak of almost 40Mbps is, most assuredly, small compared to the overall peak of 24Gbps, but there is a very pronounced jump in IPv6 traffic which is certainly a good sign and a move in the right direction. The overall peering statistics at INEX are public and we’ll be breaking out IPv4 and IPv6 into separate graphs shortly also.

Why does IPv6 amount to < 0.2% of the traffic at the exchange? Well there are two main factors:

  • Until today, there has been very little mass or popular content available over IPv6. So, even if you were IPv6 enabled, there was very little for you to access.
  • None of the large ISPs in Ireland are providing IPv6 connectivity to end users outside of certain closed test programs.

This is the classic chicken and egg problem: with no content available the ISPs were not motivated to provide IPv6 connectivity; and, conversely, with no IPv6 enabled eyeballs the content providers were not motivated to make their services available over IPv6.

While today was not necessarily a content provider only day, I’m unaware of any Irish ISPs that got involved. But, now that we have significant content available over IPv6, hopefully the ISPs will begin to ramp up their own programs. And – to be fair – it’s not all bad news with the ISPs in Ireland. Most have their core and edge networks IPv6 enabled, it’s the access layer that’s the issue (and it’s a really really big issue and a very difficult issue).

AMS-IX (the Amsterdam Internet Exchange) is in the top three IXPs in the world by traffic volume and they also make their IPv6 statistics public. As a second demonstration of traffic levels on World IPv6 Day, here is the week to date showing a huge differential for today:

If you’re not sure what all this is about, well then here are a few words from the creator of the Internet himself:

And if you’re keen to start experimenting with IPv6, first email and ask your ISP. They’ll say no, but do it anyway! Then head over to SixXS (and be sure to choose either HEAnet or Digiweb as your PoP as both are INEX members and as such you’ll have the lowest possible latency).