読者です 読者をやめる 読者になる 読者になる

labunix's blog

labunixのラボUnix

vSRXの電源OFFを行うタイミングについて確認してみる。

■vSRXの電源OFFを行うタイミングについて確認してみる。
 ホストOSはDebian jessie。vmplayerとvSRXのシングル構成については以下。

$ lsb_release -d
Description:	Debian GNU/Linux 8.1 (jessie)
$ vmplayer -v
VMware Player 12.0.0 build-2985596

 vmplayerでvSRXを試す。
 http://labunix.hateblo.jp/entry/20150412/1428767862

 (Linux版)VMware Player 7.1.2からVMware Workstation 12 Playerにアップデートする。
 http://labunix.hateblo.jp/entry/20150829/14408580211台の仮想マシンだけなら以下の起動、起動確認、電源OFFが行える。

$ vmrun -T player list | \
    awk '!/junos-vsrx-12.vmx/{print "vmrun -T player start junos-vsrx-12.vmx nogui"}' | sh

$ vmrun -T player list | awk -F/ '/vmx/{print $NF}'
junos-vsrx-12.vmx

$ ssh admin@192.168.152.15
Password:
root@% cli
root> request system halt at now
Halt the system at now? [yes,no] (no) yes 

$ vmrun -T player list | awk '/junos-vsrx-12.vmx/{print "vmrun -T player stop "$0}' | sh

■問題はいつなら電源を切ってもよいか。ということ。
 syslog、snmp、pingで確認してみる。

■ホストOS側でsyslogを受け取るように設定。

$ grep -A 1 "udp\|192.168.152.15" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
--
:fromhost-ip, isequal, "192.168.152.15" -/var/log/vSRX.log
&~

■vSRX側でsyslog転送する。

root@% cli
root> configure
root# set system syslog host 192.168.152.1 any warning
root# commit
root# exit
root> show configuration system syslog         
user * {
    any emergency;
}
host 192.168.152.1 {
    any warning;
}
file messages {
    any any;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}

■時刻を合わせる。
 syslog、snmpの場合、時刻がホストOSと一致している必要がある。

root> configure
root# set system time-zone Asia/Tokyo 
root# set system ntp server 192.168.152.1 
root# show | compare   
[edit system]
+  time-zone Asia/Tokyo;
+  ntp {
+      server 192.168.152.1;
+      source-address 192.168.152.15;
+  }

root# commit
root# exit
root> show configuration system time-zone 
time-zone Asia/Tokyo;
root> set date ntp 192.168.152.1 
30 Aug 03:58:17 ntpdate[5806]: step time server 192.168.152.1 offset 0.000039 sec
root> set date ntp 
30 Aug 04:09:06 ntpdate[6833]: step time server 192.168.152.1 offset -0.000075 sec
offset=0.000, frequency=0.000, jitter=0.002, stability=0.000
root> show ntp status          
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Tue Mar  3 22:07:26 UTC 2015 (1)",
processor="i386", system="JUNOS12.1X47-D20.7", leap=00, stratum=4,
precision=-19, rootdelay=8.036, rootdispersion=1.545, peer=62828,
refid=192.168.152.1,
reftime=d98c822b.5119c085  Sun, Aug 30 2015  4:10:35.316, poll=6,
clock=d98c823a.2d3876ff  Sun, Aug 30 2015  4:10:50.176, state=3,
offset=0.000, frequency=0.000, jitter=1.570, stability=0.000
root> show ntp associations 
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.152.1   172.16.16.88     3 -   47   64    1    0.254   -1.741   1.787

■SNMPとトラップの設定

root# set snmp community public authorization read-only clients 192.168.152.0/24
root# set snmp interface ge-0/0/0
root# commit

root# show interfaces ge-0/0/0       
unit 0 {
    family inet {
        address 192.168.152.15/24;
    }
}

root# show snmp                   
interface ge-0/0/0.0;
community public {
    authorization read-only;
    clients {
        192.168.152.0/24;
    }
}

root# set snmp trap-group public targets 192.168.152.1
root# set snmp trap-group public categories startup chassis link

■再起動コマンド投入後のログ。
 syslogで「e1000」NICが起動した後、SNMP Trapが3つ出て入ればOKの様子。

root> request system reboot 
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!

$ sudo tail -f /var/log/vSRX.log
Aug 30 04:25:52 192.168.152.15  mgd[1170]: UI_REBOOT_EVENT: System rebooted by 'root'
...
Aug 30 04:27:33 192.168.152.15   e1000: chip 1 has already been started 
Aug 30 04:27:33 192.168.152.15   e1000: chip 0 has already been started 

$ sudo tcpdump -i vmnet8 -n -v udp port 161 or 162 | \
    awk '/.1.3.6/{print $(NF-2)}'
.1.3.6.1.2.1.31.1.1.1.1.507="ge-0/0/0"
.1.3.6.1.2.1.31.1.1.1.1.507="ge-0/0/0"
.1.3.6.1.2.1.31.1.1.1.1.508="ge-0/0/0.0"

■電源OFFコマンド投入後の電源を切るタイミングは以下のログが出てから約10秒後。

root> request system halt
Halt the system ? [yes,no] (no) yes

Shutdown NOW!

$ sudo tail -f /var/log/vSRX.log
Aug 30 04:34:07 192.168.152.15  mgd[1175]: UI_REBOOT_EVENT: System halted by 'root'
Aug 30 04:34:13 192.168.152.15   usp_trace_ipc_disconnect:Trace client disconnected. Attempting to reconnect 
Aug 30 04:34:13 192.168.152.15   usp_trace_ipc_reconnect:USP trace client cannot reconnect to server

■ところで、最初に認識されたNIC(ge-0/0/0)はuntrustにアサインされている。
 デフォルトでは無効なので、「ping」を有効にする。

root> show security zones untrust           

Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Screen: untrust-screen  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
root> conf
root#set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ping

■結局のところ、pingに応答しなくなったときが一番確実にゲストOSの電源OFFが出来るタイミング。

$ ping 192.168.152.15
64 bytes from 192.168.152.15: icmp_seq=19 ttl=64 time=2.59 ms
64 bytes from 192.168.152.15: icmp_seq=20 ttl=64 time=1.42 ms
64 bytes from 192.168.152.15: icmp_seq=21 ttl=64 time=5.18 ms
64 bytes from 192.168.152.15: icmp_seq=22 ttl=64 time=2.81 ms
64 bytes from 192.168.152.15: icmp_seq=23 ttl=64 time=1.36 ms
64 bytes from 192.168.152.15: icmp_seq=24 ttl=64 time=4.68 ms
64 bytes from 192.168.152.15: icmp_seq=25 ttl=64 time=3.43 ms


From 192.168.152.1 icmp_seq=50 Destination Host Unreachable
From 192.168.152.1 icmp_seq=51 Destination Host Unreachable
From 192.168.152.1 icmp_seq=52 Destination Host Unreachable
From 192.168.152.1 icmp_seq=53 Destination Host Unreachable
From 192.168.152.1 icmp_seq=54 Destination Host Unreachable
From 192.168.152.1 icmp_seq=55 Destination Host Unreachable