ZFS automatic snapshots (the time-slider service) clean up snapshots automatically when disk space is ‘low’. A pool that is 95% full is considered an emergency and all automatic snapshots are purged, which probably isn’t desired when that still leaves several TB free!
The following will appear in /var/adm/messages:
Sep 21 05:24:49 host time-sliderd: [ID 702911 daemon.crit] tank exceeded 90% capacity. Weekly, hourly and daily automatic snapshots were destroyed
Sep 21 05:24:49 host time-sliderd: [ID 702911 daemon.notice] 43 automatic snapshots were destroyed
and later:
Sep 22 06:18:40 host time-sliderd: [ID 702911 daemon.emerg] tank is over 95% capacity. All automatic snapshots were destroyed
Sep 22 06:18:40 host time-sliderd: [ID 702911 daemon.notice] 758 automatic snapshots were destroyed
The cleanup escalates through three levels:
Warning level exceeded: Destroy hourly and daily snapshots, oldest first, until threshold no longer exceeded.
Critical level exceeded: Also destroy weekly snapshots, oldest first, until threshold no longer exceeded.
Emergency level exceeded: Also destroy monthly snapshots, then frequent (15min) snapshots, until threshold no longer exceeded.
We can view the current thresholds as follows:
root@host:~# svcprop time-slider | grep level
zpool/critical-level integer 90
zpool/emergency-level integer 95
zpool/warning-level integer 80
And change the thresholds as follows:
svccfg -s time-slider setprop zpool/emergency-level=99
svccfg -s time-slider setprop zpool/critical-level=98
svccfg -s time-slider setprop zpool/warning-level=97
svcadm refresh time-slider
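As an added example (not part of the original post), the script below classifies each pool against the three thresholds and lists which snapshot classes are at risk, so you can see the effect of raising the levels before relying on it. It assumes input in the format of `svcprop time-slider | grep level` and `zpool list -H -o name,capacity`, and that "exceeded" means strictly greater than the threshold; the pool list is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.
# THRESHOLDS: text in the format of `svcprop time-slider | grep level`.
# POOLS: text in the format of `zpool list -H -o name,capacity`.
# Assumption: "exceeded" means strictly greater than the threshold.

# ts_report THRESHOLDS POOLS -> "pool capacity level classes-at-risk" per pool
ts_report() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { pools = 1; next }
        !pools {
            if ($1 ~ /^zpool\/(warning|critical|emergency)-level$/) {
                n = $1; sub(/^zpool\//, "", n); sub(/-level$/, "", n)
                lvl[n] = $3 + 0
            }
            next
        }
        NF < 2 { next }
        !(("warning" in lvl) && ("critical" in lvl) && ("emergency" in lvl)) {
            print "missing zpool/*-level property" > "/dev/stderr"; exit 2
        }
        {
            cap = $2; sub(/%$/, "", cap); cap += 0
            state = "ok"; risk = "none"
            if (cap > lvl["warning"])   { state = "warning";   risk = "hourly,daily" }
            if (cap > lvl["critical"])  { state = "critical";  risk = "hourly,daily,weekly" }
            if (cap > lvl["emergency"]) { state = "emergency"; risk = "hourly,daily,weekly,monthly,frequent" }
            print $1, cap "%", state, risk
        }'
}

# Constructed sample input: default thresholds from the post, then the raised ones.
DEFAULT_LEVELS='zpool/critical-level integer 90
zpool/emergency-level integer 95
zpool/warning-level integer 80'
RAISED_LEVELS='zpool/critical-level integer 98
zpool/emergency-level integer 99
zpool/warning-level integer 97'
SAMPLE_POOLS=$(printf 'rpool\t41%%\ntank\t96%%\nbackup\t85%%')

echo "== default thresholds =="; ts_report "$DEFAULT_LEVELS" "$SAMPLE_POOLS"
echo "== raised thresholds ==";  ts_report "$RAISED_LEVELS" "$SAMPLE_POOLS"
```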
References:
http://arc.opensolaris.org/caselog/LSARC/2008/571/proposal.txt
http://www.stormsail.com/2009/07/06/opensolaris-and-time-slider/
This is an example of a clean Easy VPN (EzVPN) Server configuration with Network Extension Mode (NEM) and Split Tunneling, for Cisco ASA software version 8.4. The Cisco website has some more sample configurations, but they tend to be entire device configurations rather than just the changes that need applying to a clean or existing device configuration. They also haven’t been updated since the NAT configuration changed in ASA 8.3, which makes “no NAT” configurations incompatible with earlier versions.
This has been tested on a pair of Cisco ASA devices running software 8.4(2), on the ASA5505 with base licence (part number ASA5505-BUN-K9, available for about £185+VAT new from reputable places).
Sections in bold are ones you will almost certainly need / want to change for your specific configuration.
Sections in italics show that the name has been chosen by myself, and could be changed in your configuration, as long as you’re consistent and change every occurrence of that name.
EASY VPN SERVER SIDE
====================
!=== A clean start ===
configure factory-default 192.168.80.1 255.255.255.0
!=== Generic Basic config ===
hostname easyserver
interface Vlan2
 ip address 192.0.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!-- Optional - allow pings outbound
policy-map global_policy
 class inspection_default
  inspect icmp
!=== IPsec configuration ===
crypto ipsec ikev1 transform-set MapOutsideDynamicXform esp-aes-256 esp-sha-hmac
crypto dynamic-map MapOutsideDynamic 5 set ikev1 transform-set MapOutsideDynamicXform
crypto map MapOutside 60 ipsec-isakmp dynamic MapOutsideDynamic
crypto map MapOutside interface outside
crypto ikev1 enable outside
!=== Group / tunnel policy and logins ===
group-policy easyvpnclientpolicy internal
group-policy easyvpnclientpolicy attributes
 nem enable
username eznemuser1 password eznemuser1pass
tunnel-group eznemgroup type remote-access
tunnel-group eznemgroup general-attributes
 default-group-policy easyvpnclientpolicy
tunnel-group eznemgroup ipsec-attributes
 ikev1 pre-shared-key eznemgrouppass
!=== No NAT within our own extended network ===
!-- This is necessary otherwise the default PAT rule will cause
!-- RPF failures and easyclient network won't be able to access
!-- the easyserver network, and easyserver network access to
!-- easyclient will be subject to PAT.
object network clientnet
 subnet 10.67.66.0 255.255.255.0
object network servernet
 subnet 192.168.80.0 255.255.255.0
nat (inside,outside) source static servernet servernet destination static clientnet clientnet no-proxy-arp route-lookup
!=== For tunnel all clients to obtain Internet access ===
!-- If you want to tunnel everything, use this section, not the
!-- one below. This might be useful if the easyclient is on
!-- an ISP which tampers with traffic to the internet, but the
!-- easyserver is on more desirable connectivity.
object network clientnet
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
!=== For split tunneling ===
!-- You don't need the section above if you use this one. It
!-- causes only traffic to the networks listed below to go
!-- over the VPN, other traffic to the Internet uses the local
!-- ISP of the easyclient.
group-policy easyvpnclientpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelNetworks
access-list SplitTunnelNetworks standard permit 10.0.0.0 255.0.0.0
access-list SplitTunnelNetworks standard permit 172.16.0.0 255.240.0.0
access-list SplitTunnelNetworks standard permit 192.168.0.0 255.255.0.0
In contrast, the client side is much easier:
EASY VPN CLIENT SIDE
====================
!=== A clean start ===
configure factory-default 10.67.66.1 255.255.255.0
!=== Generic Basic config ===
hostname easyclient
interface Vlan2
 ip address 198.51.100.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!=== Easy VPN Client ===
vpnclient server 192.0.2.2
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup eznemgroup password eznemgrouppass
vpnclient username eznemuser1 password eznemuser1pass
vpnclient enable
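Because the group name, pre-shared key, username and NEM setting must match on both sides when you rename things, here is an added example (not part of the original post) that cross-checks the client's vpnclient lines against the server config before deployment. It assumes config text with clear-text secrets as shown in the post (a saved running-config stores them encoded), and the embedded excerpts are taken from the configurations above.

```shell
# Added example (not from the original post): cross-check the client's
# vpnclient settings against the server config text shown in the post.
ezvpn_check() {   # ezvpn_check SERVER_CFG CLIENT_CFG -> 0 if consistent
    printf '%s\n@@CLIENT@@\n%s\n' "$1" "$2" | awk '
        function bad(msg) { print "MISMATCH: " msg; rc = 1 }
        $0 == "@@CLIENT@@" { client = 1; next }
        NF == 0 || $1 ~ /^!/ { next }
        !client {
            if ($1 == "ip" && $2 == "address")           addr[$3] = 1
            if ($1 == "username" && $3 == "password")    user[$2] = $4
            if ($1 == "tunnel-group") { tg = $2; if ($3 == "type") tgtype[tg] = $4 }
            if ($1 == "ikev1" && $2 == "pre-shared-key") psk[tg] = $3
            if ($1 == "default-group-policy")            tgpol[tg] = $2
            if ($1 == "group-policy")                    gp = $2
            if ($1 == "nem" && $2 == "enable")           nem[gp] = 1
            next
        }
        $1 != "vpnclient" { next }
        $2 == "server"    { srv = $3 }
        $2 == "mode"      { mode = $3 }
        $2 == "vpngroup"  { grp = $3; grppass = $5 }
        $2 == "username"  { usr = $3; usrpass = $5 }
        END {
            if (!(srv in addr)) bad("server " srv " is not an address on the server")
            if (tgtype[grp] != "remote-access") bad("no remote-access tunnel-group " grp)
            else if (psk[grp] != grppass) bad("vpngroup password differs from pre-shared-key")
            if (!(usr in user)) bad("username " usr " is not defined on the server")
            else if (user[usr] != usrpass) bad("password for " usr " differs")
            if (mode == "network-extension-mode" && !nem[tgpol[grp]])
                bad("NEM requested but the group-policy of " grp " lacks nem enable")
            exit rc + 0
        }'
}
SERVER_CFG='interface Vlan2
 ip address 192.0.2.2 255.255.255.0
group-policy easyvpnclientpolicy attributes
 nem enable
username eznemuser1 password eznemuser1pass
tunnel-group eznemgroup type remote-access
tunnel-group eznemgroup general-attributes
 default-group-policy easyvpnclientpolicy
tunnel-group eznemgroup ipsec-attributes
 ikev1 pre-shared-key eznemgrouppass'
CLIENT_CFG='vpnclient server 192.0.2.2
vpnclient mode network-extension-mode
vpnclient vpngroup eznemgroup password eznemgrouppass
vpnclient username eznemuser1 password eznemuser1pass'
ezvpn_check "$SERVER_CFG" "$CLIENT_CFG" && echo "client and server agree"
```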
We’ve reduced the cost of additional RAID1 iSCSI backed storage space for virtual private servers from £30/year per 20GB, to £10/year per 10GB.
Jump Networks is delighted to be peering at LINX, with a GE connection to the LINX Brocade LAN.