■ Checking when it is safe to power off a vSRX.
The host OS is Debian jessie. For the single-VM vmplayer/vSRX setup, see the posts linked below.
$ lsb_release -d
Description: Debian GNU/Linux 8.1 (jessie)
$ vmplayer -v
VMware Player 12.0.0 build-2985596
Trying vSRX on vmplayer.
http://labunix.hateblo.jp/entry/20150412/1428767862
(Linux) Updating from VMware Player 7.1.2 to VMware Workstation 12 Player.
http://labunix.hateblo.jp/entry/20150829/1440858021
■ With only one virtual machine, the following commands start it, confirm it is running, and power it off.
$ vmrun -T player list | \
awk '!/junos-vsrx-12.vmx/{print "vmrun -T player start junos-vsrx-12.vmx nogui"}' | sh
$ vmrun -T player list | awk -F/ '/vmx/{print $NF}'
junos-vsrx-12.vmx
$ ssh admin@192.168.152.15
Password:
root@% cli
root> request system halt at now
Halt the system at now? [yes,no] (no) yes
$ vmrun -T player list | awk '/junos-vsrx-12.vmx/{print "vmrun -T player stop "$0}' | sh
■ The real question is: when is it safe to cut the power?
Let's check using syslog, SNMP, and ping.
■ Configure the host OS to receive syslog.
$ grep -A 1 "udp\|192.168.152.15" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
--
:fromhost-ip, isequal, "192.168.152.15" -/var/log/vSRX.log
&~
■ Forward syslog from the vSRX side.
root@% cli
root> configure
root# set system syslog host 192.168.152.1 any warning
root# commit
root# exit
root> show configuration system syslog
user * {
    any emergency;
}
host 192.168.152.1 {
    any warning;
}
file messages {
    any any;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
■ Synchronize the clock.
For syslog and SNMP, the guest's time must match the host OS.
root> configure
root# set system time-zone Asia/Tokyo
root# set system ntp server 192.168.152.1
root# show | compare
[edit system]
+   time-zone Asia/Tokyo;
+   ntp {
+       server 192.168.152.1;
+       source-address 192.168.152.15;
+   }
root# commit
root# exit
root> show configuration system time-zone
time-zone Asia/Tokyo;
root> set date ntp 192.168.152.1
30 Aug 03:58:17 ntpdate[5806]: step time server 192.168.152.1 offset 0.000039 sec
root> set date ntp
30 Aug 04:09:06 ntpdate[6833]: step time server 192.168.152.1 offset -0.000075 sec
offset=0.000, frequency=0.000, jitter=0.002, stability=0.000
root> show ntp status
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Tue Mar 3 22:07:26 UTC 2015 (1)",
processor="i386", system="JUNOS12.1X47-D20.7", leap=00, stratum=4,
precision=-19, rootdelay=8.036, rootdispersion=1.545, peer=62828,
refid=192.168.152.1,
reftime=d98c822b.5119c085 Sun, Aug 30 2015 4:10:35.316, poll=6,
clock=d98c823a.2d3876ff Sun, Aug 30 2015 4:10:50.176, state=3,
offset=0.000, frequency=0.000, jitter=1.570, stability=0.000
root> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.152.1 172.16.16.88 3 - 47 64 1 0.254 -1.741 1.787
■ SNMP and trap configuration
root# set snmp community public authorization read-only clients 192.168.152.0/24
root# set snmp interface ge-0/0/0
root# commit
root# show interfaces ge-0/0/0
unit 0 {
    family inet {
        address 192.168.152.15/24;
    }
}
root# show snmp
interface ge-0/0/0.0;
community public {
    authorization read-only;
    clients {
        192.168.152.0/24;
    }
}
root# set snmp trap-group public targets 192.168.152.1
root# set snmp trap-group public categories startup chassis link
■ Log after issuing the reboot command.
It appears that once syslog shows the "e1000" NICs have started and three SNMP traps have been sent, the reboot is complete.
root> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
$ sudo tail -f /var/log/vSRX.log
Aug 30 04:25:52 192.168.152.15 mgd[1170]: UI_REBOOT_EVENT: System rebooted by 'root'
...
Aug 30 04:27:33 192.168.152.15 e1000: chip 1 has already been started
Aug 30 04:27:33 192.168.152.15 e1000: chip 0 has already been started
$ sudo tcpdump -i vmnet8 -n -v udp port 161 or 162 | \
awk '/.1.3.6/{print $(NF-2)}'
.1.3.6.1.2.1.31.1.1.1.1.507="ge-0/0/0"
.1.3.6.1.2.1.31.1.1.1.1.507="ge-0/0/0"
.1.3.6.1.2.1.31.1.1.1.1.508="ge-0/0/0.0"
■ After issuing the halt command, the power can be cut about 10 seconds after the following log lines appear.
root> request system halt
Halt the system ? [yes,no] (no) yes
Shutdown NOW!
$ sudo tail -f /var/log/vSRX.log
Aug 30 04:34:07 192.168.152.15 mgd[1175]: UI_REBOOT_EVENT: System halted by 'root'
Aug 30 04:34:13 192.168.152.15 usp_trace_ipc_disconnect:Trace client disconnected. Attempting to reconnect
Aug 30 04:34:13 192.168.152.15 usp_trace_ipc_reconnect:USP trace client cannot reconnect to server
■ Incidentally, the first NIC recognized (ge-0/0/0) is assigned to the untrust zone.
Ping is disabled there by default, so enable it.
root> show security zones untrust
Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
root> conf
root# set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ping
■ In the end, the most reliable moment to power off the guest OS is when it stops responding to ping.
$ ping 192.168.152.15
64 bytes from 192.168.152.15: icmp_seq=19 ttl=64 time=2.59 ms
64 bytes from 192.168.152.15: icmp_seq=20 ttl=64 time=1.42 ms
64 bytes from 192.168.152.15: icmp_seq=21 ttl=64 time=5.18 ms
64 bytes from 192.168.152.15: icmp_seq=22 ttl=64 time=2.81 ms
64 bytes from 192.168.152.15: icmp_seq=23 ttl=64 time=1.36 ms
64 bytes from 192.168.152.15: icmp_seq=24 ttl=64 time=4.68 ms
64 bytes from 192.168.152.15: icmp_seq=25 ttl=64 time=3.43 ms
From 192.168.152.1 icmp_seq=50 Destination Host Unreachable
From 192.168.152.1 icmp_seq=51 Destination Host Unreachable
From 192.168.152.1 icmp_seq=52 Destination Host Unreachable
From 192.168.152.1 icmp_seq=53 Destination Host Unreachable
From 192.168.152.1 icmp_seq=54 Destination Host Unreachable
From 192.168.152.1 icmp_seq=55 Destination Host Unreachable
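As an added example (not from the original post), here is a host-side script that automates the check above: it waits for the "System halted by" line in /var/log/vSRX.log, then for the guest to stop answering ping, and only then runs vmrun stop. It assumes the post's log path, guest IP and VMX name; the 120-second timeout and 2-second poll interval are my own choices.

```shell
#!/bin/bash
# Added example: stop the vSRX VM only after the guest has finished halting.
# Assumed from the post: log file, guest IP and VMX name. Timeouts are assumptions.
LOG=${LOG:-/var/log/vSRX.log}
GUEST=${GUEST:-192.168.152.15}
VMX=${VMX:-junos-vsrx-12.vmx}

# event_of LINE: classify one syslog line from the vSRX into the events the
# post watches for: halt, reboot, nic-up (e1000 started) or none.
event_of() {
    case "$1" in
        *"UI_REBOOT_EVENT: System halted by"*)        echo halt ;;
        *"UI_REBOOT_EVENT: System rebooted by"*)      echo reboot ;;
        *"e1000: chip "*" has already been started"*) echo nic-up ;;
        *)                                            echo none ;;
    esac
}

# halt_logged FILE: succeed if any line in FILE is the halt event.
halt_logged() {
    while IFS= read -r line; do
        [ "$(event_of "$line")" = halt ] && return 0
    done < "$1"
    return 1
}

# guest_down HOST: succeed once HOST no longer answers three 1-second pings.
guest_down() {
    ! ping -c 3 -W 1 "$1" >/dev/null 2>&1
}

# wait_for_halt [TIMEOUT]: poll the log for the halt event, then wait for ping
# to fail. Returns 0 when it is safe to cut power, 1 on timeout.
wait_for_halt() {
    deadline=$(( $(date +%s) + ${1:-120} ))
    until halt_logged "$LOG"; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 2
    done
    until guest_down "$GUEST"; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 2
    done
}

# Run as: ./vsrx-halt.sh run   (after "request system halt" on the vSRX)
if [ "${1:-}" = "run" ]; then
    wait_for_halt 120 && vmrun -T player stop "$VMX"
fi
```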