Watching HD content (Part I)

Introduction

One of my fields of interest is video making. I’ve been eyeing the HD stuff with a bit of curiosity, and pretty much convinced myself to step up to HD production. When I learned that Microsoft released an add-on to Xbox 360, consisting of an HD-DVD drive in an external USB-accessible enclosure, after some penny pinching, I took the plunge and bought it.

HD-DVD (and Blu-Ray) drives are part of the security layer designed by Advanced Access Control System (AACS), a new generation in viewer rights restriction, that succeeded Content Scrambling System (CSS), implemented on DVDs. AACS is non-exclusively licensed by AACS Licensing Authority, and restricts what a buyer (in essence a long term renter of a right to watch) of a HD video disk can do.

Specifically, AACS mandates that a viewer should not be allowed to watch HD output from software player if there is an unencrypted path between the player and the video output device. In essence, if your video card doesn’t support High Definition Content Protection (HDCP), and if your monitor is not connected to your video card over DVI or HDCP, but over analog or component outputs, your viewing experience will be “degraded”.

“Degradation” in plain terms means that if you have HDCP path to your monitor/TV, you will view content in its 1080p (1920×1080 resolution, deinterlaced) glory. If you have DVI outputs, well, you get 1080i (1920×1080, interlaced, but it’s OK, because output is 60Hz, and most decent HD TVs and monitors will do proper deinterlacing, in essence outputting 1080p). If you have component or analog out, you might be lucky, and video studio will let you watch the same video in a “pleb” 960×540 resolution. It is still better than 640×480 (or 720×480 - remember that TV pixels are not square, but are at 4:3 ratio, so depending on what your scaler does, resolution might differ) resolution of a Standard Definition (SD) video signal, but you paid for 1080p, right? This is up to the studio, however, and very few are liberal enough to allow you even that. So most often you get to view the trailers and extra filler on disk in 540×900, but are not authorized to watch the main feature at all. These rights are both bitmasks on the video streams, and additional rights data in the encrypted XML data files on the disks.

I can think of a couple HD-DVD disks that were released totally unencrypted with no AACS bits. Problem is that there are talks about enforcing ROM Mark by the players. ROM Mark is a special sector that pressed disks have, and burned do not. Idea is that if the disk has ROM mark, it was pressed, and thus must have AACS. If the disk doesn’t have ROM mark, it was burned, and thus it must have unencrypted, uncopyrighted content (again, extra bits in the video stream that player checks for) obtained from, say, consumer video recorder. “Nature’s Colors” and “Running Scared” (EU release) are reportedly unencrypted. Depending on how stupid the implementation of the check is, these titles might stop working.

Ultimately, AACS consortium had a problem. How do you keep “pirates” from “stealing” your HD video, when your “customers” and “pirates” are one and the same? I mean, in the end, someone has to watch the stuff, right? Otherwise, why would anyone buy the videos? Hmmm. A problem indeed.

I have to give HD-DVD manufacturers a credit, however. Remember region protection? The annoying thing, that made you rip and burn the DVDs you bought in Machu Picchu, that told you about the history of the ruins, just so you could watch it? The thing that forced folks from UK wait 6 months to a year before “Lord of the Rings” DVDs would come out in UK? Well, in HD-DVDs it’s gone (Although there are rumors of it coming back in a year or so, but in current iteration nothing supports it). So I bought a bunch of Studio Canal HD-DVD titles from Amazon.fr, that are not offered in North America. They play fine. In Blu-Ray world, things are more complicated. There are three regions that break down thusly: USA + Japan, Europe and those thieving Chinese and Russians. So Blu-Ray players actually don’t let one watch US version of “SpiderMan III” in Europe (And as far as I know, neither HD-DVD nor Blu-Ray made it to Russia or China yet, so there are only Region A and Region B, as far as Blu-Ray is concerned).

To keep those thieving “consumers” from “stealing” HD content, and god forbid end up with unprotected version of it, AACS created a rather complicated scheme.

The Scheme

This is my understanding of AACS, which is very high level, and probably very wrong. No warranties for the next few paragraphs.

Warning! Acronym overload coming right up.

At the lowest level, every element on the disk is encrypted with a Title Key (TK). Element can be the movie itself, trailers, various data files on the video disk, etc. Title Keys are unique to a particular movie, at least to a particular pressing of a disk (So EU version of “Bourne Supremacy” would have different TKs than US version of “Bourne Supremacy”, and than Japanese version of “Bourne Supremacy”.) Title Keys are stored on the disk itself, encrypted with a Volume Unique Key (VUK).

Muslix64’s hack, that made all the news in early January, consisted of a way to decrypt the video elements by taking the user supplied VUK, and using it to extract the TKs, and do decryption.

Now, VUK is generated by the software player. In order to generate the VUK, player has to use the Volume Identificator (VID), stored on the disk, and the Media Key, that is again unique per title, and hash the two together.

Sounds simple, right? But in order to obtain the Volume ID, some magic is involved. Volume ID is 16 bytes, and first 8 bytes can actually be extracted by reading the Burst Cutting Area (BCA) from the disk. No special tricks, really. The remaining 8 bytes can be obtained by reading the copyright data section on disk. Here things get harder.

Media Key is generated by using the Media Key Block (MKB) that is also stored on the disk, with a Device Key unique to the decrypting device (in case of a stand-alone player) or decrypting software (in case of a Home Theater PC).

But before the drive will let you read the data, it will want you to authenticate yourself to it using a key signed by AACS LA.

So here is part of section 4.3 of the AACS spec 0.91 on how the drive and the software talk to each other:


By the drive authentication, the drive and the PC host verify each counterpart is an AACS compliant device that has valid certificate signed by the AACS LA and can sign and verify digital signatures specified in this document. In addition, the drive and the PC host verify each counterpart is not revoked by checking the Host Revocation List (HRL) and the Drive Revocation List (DRL), respectively. To do this, the drive shall store the most recent HRL it has encountered and the PC host shall store the most recent DRL it has encountered. When the drive authentication is successful, the drive and the PC host have a shared Bus Key (BK), and can proceed to the further steps. Figure 4-6 shows the protocol flow for drive authentication and key sharing used in AACS.

AACS Common Specification, version 0.91. Pages 44 onwards document the intricacies of a drive talking to the system, where neither trusts each other, and both trust things signed by AACS LA key.

So each device or software player has a different Device Key, but they all generate the same Media Key when combined with the Media Key Block.

So we generate a Media Key Block, then we convince the drive that we are for real, get the Volume ID, generate the Media Key, combine the two together, generate the VUK, use VUK to obtain the TKs, and then we decode each element as required, and get to see the Jack Black and Naomi Watts in all high resolution glory.

I swear, only a mathematician can be excited by something this complicated. And we haven’t even looked at subset difference, key revocation, and other complicated things, designed to keep movie studios in control.

Content revocation? *blink*.

Yes, if you bought a copy of “Serenity” on HD-DVD (or Blu-Ray), and 4 years from now it is deemed that girls wearing dresses in martial arts scenes (Summer Glau is hawt!) are against the law, AACS LA would be able to update the list of keys on the drive and Device Keys, to prevent you from being able to decrypt, and thus watch, content on “Serenity” HD-DVD. Since drive updates its list of revocations each time you insert new media into it, they will need to release a bunch of HD-DVDs with updated lists, and wait till you get one, and put it in a drive. Since Device Keys are supposed to cycle every 18 months or so, in about 18 months you will not be able to play back the new disks, since your software player won’t have the Device Keys for them (at this point old disks will still play fine). You will download a “free” software update for your PowerDVD, and it will remove the keys to play back “Serenity”. Easy, right?

Now you understand why I called you a “renter” in the beginning of this post.

At this point it’s almost 4 am, and I got to head to work in less than 5 hours. In next session I will talk about Xbox 360 HD-DVD add-on, and maybe get to cover some neat things you can do by sending CDBs to various devices. Or maybe something completely different.


Cisco Hardware emulator

dynamips is an emulator of various Cisco platforms, that is licensed under GNU GPL, and runs under Windows, Linux, Solaris, MacOS, etc.

Dynamips started off as a MIPS emulator for Cisco 7200, and gradually ended up capable of emulating Cisco 7200 family, Cisco 3600 family, 2600 family (with some exceptions), and Cisco 3725 and 3745. Since it is a hardware emulator, it is bug for bug compatible with the real iron, and IOS on it would have the same bugs as on the physical hardware. Since it supports hypervisor mode, it is possible to run more than one router emulation on a single system, all connected through virtual network. Latest release candidates support packet capture on the virtual interfaces between the routers.

Performance of the emulator is not that great (1 or 2K packets per second, compared to 100s of kpps that actual hardware supports), but it is useful in testing configurations, preparing for Cisco certifications, debugging IOS, etc. I found it while reading up on IOS security, but there are people in both Cisco TAC and preparing/passing CCIE exams, that indicated in 7200emu forums that they use dynamips.

Current PC with a Gig or two of RAM can support a dozen or so router instances.

Based on the information from the developer, we should not expect switch emulation support in the foreseeable future, since switches use custom ASICs, so while the main CPUs (MIPS or PPC) that the switches use, are supported, it is very tricky to emulate the power on self-tests of the ASICs (sending packets over loopback, etc), that switches attempt before declaring themselves functional. However 7200 is a bitchin’ platform for pretty much anything, capable of running latest and greatest IOS.

Blog of the author, where newest release candidates of the software are announced. Best place to check to see what bugs got fixed, and what line cards got supported in the latest release.

Forums/Discussion Board for c7200emu, that is moderated by the software’s author.

c7200emu - dynamips project page, detailing more or less up to date list of supported platforms.

Dynagen, a dynamips configuration front-end, that allows one to easily configure and manage dynamips instances. Currently considered a must have companion to dynamips.

dynamips TODO list, that allows you to see what the developer is thinking about improving.

P.S. If you lack elf.h, try libelf. In order to build it, you might need GNU sed


Proof that any self-adjoint matrix is diagonalizable.

(Sorry. If you don’t know what this is, please ignore it. It’s not important. Really.)

Setup: If A is self-adjoint, and W is an A-invariant subspace ⇒ W⊥ is A-invariant.

Want: ∀ x∈W⊥, Ax ∈ W⊥, i.e.〈Ax,w〉 = 0 ∀ w ∈ W ⇐ Orthonormal

Given:〈Ax,w〉 =〈x,Aw〉 ⇐ Self-Adjoint

Aw∈W ⇐ W is A-invariant

then〈x∈W⊥, Aw∈W〉= 0

Since any self-adjoint matrix is ortho-diagonalizable, if A is self-adjoint, then ∃ an orthonormal basis B∈ℂⁿ made out of eigenvectors such that [A]B

Want: k=n (that is, an orthonormal basis made out of eigenvectors).

Proof by contradiction: Suppose k is less than n

Given:

W=span(v1, v2, .. vk), A-invariant (this is trivial, but see Appendix A)

then W⊥ is A-invariant, then A is restricted to subspace W⊥

A_{W⊥}: W⊥ → W⊥

Then ∃ v∈W⊥, an eigenvector of A_{W⊥}.

But since A_{W⊥}v = Av, v is an eigenvector of A perpendicular to W.

We assumed that S is maximal, but we ended up with a contradiction, since the set {v1, v2, .. ,vk, v/ ||v||} is an orthogonal set of eigenvectors.

So k must be equal to n. As a result, A is orthodiagonalizable.

Conclusion

HTML is really not suited for doing math.

Appendix A

If λ1≠λ2,〈v1,v2〉must be 0

Here is how: Av1 = λ1v1, Av2 = λ2v2

Given that: λ1〈v1,v2〉 = 〈λ1v1,v2〉= 〈Av1,v2〉= 〈v1,Av2〉= 〈v1,λ2v2〉=λ2〈v1,v2〉⇒ λ1〈v1,v2〉= λ2〈v1,v2〉

Since λ1≠λ2, 〈v1,v2〉=0.

QED


Kino (Part II)

In Part I I’ve translated some Kino songs for Alan.

I’ve realized that I never translated “Группа крови ” (Gruppa Krovi “Blood Type”), even though I promised.

We aim to please here, so here is the translation:

Теплое место, но улицы ждут
Отпечатков наших ног.
Звездная пыль - на сапогах.
Мягкое кресло, клетчатый плед,
Не нажатый вовремя курок.
Солнечный день - в ослепительных снах.

Pleasant (lit: Warm) place, but streets wait
For footprints of our feet.
Stardust is on our high boots.
Soft chair, tartan plaid,
Firing pin not depressed on time.
Sunny day in blinding dreams.

Группа крови - на рукаве,
Мой порядковый номер - на рукаве,
Пожелай мне удачи в бою, пожелай мне:
Не остаться в этой траве,
Не остаться в этой траве.
Пожелай мне удачи, пожелай мне удачи!

Blood type on the sleeve
My sequential number is on the sleeve.
Wish me luck in fight, wish me
Not to remain on this grass
Not to remain on this grass
Wish me luck, wish me luck!

И есть чем платить, но я не хочу
Победы любой ценой.
Я никому не хочу ставить ногу на грудь.
Я хотел бы остаться с тобой,
Просто остаться с тобой,
Но высокая в небе звезда зовет меня в путь.

And I have something to pay with, but I don’t want
A victory at any cost.
I don’t want to put my foot on anyone’s chest
I want to remain with you,
Just remain with you
But sunrise (lit: High star in the sky) is calling me on my way.

Группа крови - на рукаве,
Мой порядковый номер - на рукаве,
Пожелай мне удачи в бою, пожелай мне:
Не остаться в этой траве,
Не остаться в этой траве.
Пожелай мне удачи, пожелай мне удачи!

Translator’s note: Tsoj wrote songs in a rather terse way, with sentences that are not really complete. He is trying to conjure up imagery, and imagery that he is trying to conjure is not necessarily easy to translate into a different language.

Of course Victor Tsoj is dead (in spite of the “Tsoj lives!” graffiti that pops up every once in a while). However Ленинград (Leningrad) did a kind of tribute to Kino’s Gruppa Krovi:

В магнитофоне играет группа “Кино”,
Ты говоришь мне: “Выключи это гавно”.
Тебя ломает от всякого старья,
Заткнись, это любимая песня моя.

Tape deck is playing group “Kino”
You are telling me “Turn off this shit”
You are getting headache from random old stuff.
Shut up, this is my favorite song.

О, группа крови на рукаве.
О, группа крови на рукаве.

Oh, blood type on the sleeve.
Oh, blood type on the sleeve.

Ты можешь помолчать хотя бы пять минут,
Или пожелай мне удачи в бою.
Группа крови - моя любимая песня,
И когда мне плохо, её я пою:

Can you be quiet for just 5 minutes,
Or wish me luck in the (upcoming) fight.
“Gruppa Krovi” is my favorite song,
And when I feel down, I sing it.

О, группа крови на рукаве.
О, группа крови на рукаве.

В магнитофоне играет группа “Кино”,
Ты говоришь мне: “Выключи это гавно”.
Тебя ломает от всякого старья,
Заткнись, это любимая песня моя.

О, группа крови на рукаве.
О, группа крови на рукаве.

О, группа крови на рукаве.
О, группа крови на рукаве.

О, группа крови на рукаве.
О, группа крови на рукаве.

repeat first verse and reprise as needed.

MP3 is available while it’s available.

Translator’s (mine!) notes:
ломает is a conjugated form of ломать - to break. However it is also used as slang for ломка (literally: breakage), which is the general unwellness feeling one gets when one is craving drugs (or coming down from a trip).

On a separate note about drugs…. Don’t do them, m’kay? I don’t really want to project my morals onto anyone else on the interweb, however not too long ago I’ve read a book by Eugenij Roizman (Евгений Ройзман), called “City without Drugs” (Город без наркотиков). Oh, my…. He talks how in the late 1990s city of Ekaterinburg in Russia got flooded with drugs of all kinds, and how he got involved in fighting drug distribution, rehabilitating addicts, and generally fighting the lack of care by law enforcement (that was commonly bought off by the drug dealers and distributors).

Most effective method that actually worked was to handcuff the addict to the heating radiator for a month, feeding him, and once the initial craving got broken, getting him into hard physical labor - construction, etc.

Parents that had “connections” and had a clue, were arranging, paying even, police to arrest their teenage kids, and jail them for a year. Jail their children! That’s because even though situation in Russian jails is not great, and cases of tuberculosis and hepatitis are common, people with a clue realized that chancing that in jail is infinitely better than guaranteed death from OD, AIDS or hep C in 2 - 3 years. “Normal” rehab didn’t work, and people were back to being on the street and addicts in weeks after leaving care. So people without connections were bringing their children to Mr Roizman, into the care of a NGO fund that he created. Many of the addicts whom Mr Roizman helped went on to lead normal lives - finished universities, married, have kids, and now are thankful to him.


Identifying unknown PCI devices

If I ever want to identify unknown device installed in a system….

First I’ll attempt to obtain a PCI device ID:

Under Linux, I’ll use lspci.
Under Windows, I’ll use Unknown Devices (And ignore any other piece of software that claims to be called “Unknown Device Identifier”, and that was stolen from Mike Moniz)
Under MacOS X, I’ll use system_profiler
Under Solaris, I’ll use /usr/X11/bin/scanpci -v

Then I’ll reference the PCI device ID with the Canonical list of PCI device IDs from Craig’s site.

At that point I can grep the pcidevs.txt, and learn exciting things.
For example, suppose I wonder what an unknown device in a PowerMac G5 is.

From system profiler I know this:

pci8086,1012:

  Type:	Ethernet Controller
  Bus:	PCI
  Slot:	SLOT-3
  Vendor ID:	0x8086
  Device ID:	0x1010
  Subsystem Vendor ID:	0x8086
  Subsystem ID:	0x1012
  Revision ID:	0x0001

So I do a bit of grepping:

stany@gilva:~/Desktop[01:54 PM]$ grep V.*8086 pcidevs.txt
V       8086    Intel Corporation
stany@gilva:~/Desktop[01:54 PM]$ grep ^S.*1012 pcidevs.txt
S       1012    SiS650 GUI 2D/3D Accelerator
S       1012    DFE-580TX 4-Port Server Adapter
S       1012    PRO/1000 MT Dual Port Server Adapter
S       1012    PRO/1000 MF Dual Port Server Adapter
S       1012    PRO/100 S Server Adapter (D)
S       1012    PRO/100 S Server Adapter (D)
S       1012    Realtek AC'97 Audio
S       1012    Intel USB 2.0 Enhanced Host Controller
S       1012    PRO/Wireless 3945ABG Network Connection
stany@gilva:~/Desktop[01:54 PM]$ grep ^D.*1010 pcidevs.txt
D       0020    LSI53C1010-33 PCI to Dual Channel Ultra160 SCSI Multifunction Controller
D       0021    LSI53C1000/1000R/1010R/1010-66 PCI to Ultra160 SCSI Controller
D       1010    SST-128P Adapter
D       1010    Duet 1S(16550)+1P
D       1010    C101/PCI Super Sync Board
D       1010    82546EB Dual Port Gigabit Ethernet Controller (Copper)
D       0003    SG1010 6 Port Serial Switch & PCI to PCI Bridge
stany@gilva:~/Desktop[01:54 PM]$

(V stands for Vendor, S for subsystem and D for device ID)

So logic would imply that this is an Intel Corporation PRO/1000 MT Dual Port Server Adapter, specifically 82546EB Dual Port Gigabit Ethernet Controller (Copper).

An exercise for the reader is to identify the following device:
pci bus 0x0006 cardnum 0x04 function 0x00: vendor 0x1106 device 0x3044

VIA Technologies Inc VT6306 VIA Fire II IEEE-1394 OHCI Link Layer Controller
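
The three greps above match an ID anywhere in the list, which is why unrelated SiS, Realtek and LSI entries show up next to the Intel ones. As an added example (not part of the original post), the script below scopes the lookup to one vendor and takes its input from a scanpci device line. It assumes pcidevs.txt lists each vendor's D lines after its V line and each device's S lines after its D line; the function names are made up here and the sample list is constructed from names quoted on this page.

```sh
#!/bin/sh
# Added example: vendor-scoped lookup in a pcidevs.txt-style list instead of
# three independent greps.
# Assumed layout: "V <id> <name>" starts a vendor, the "D <id> <name>" lines
# after it belong to that vendor, and the "S <id> <name>" lines after a D
# line belong to that device. IDs are hex without the 0x prefix.

# write_sample FILE - constructed excerpt. Names for 8086, 1106 and 10de are
# the ones quoted on this page; vendor "fff0" is a made-up collision case
# that reuses device ID 1010 and subsystem ID 1012.
write_sample() {
    cat > "$1" <<'EOF'
V       fff0    Example Vendor (constructed)
D       1010    Example serial adapter (constructed)
S       1012    Example subsystem (constructed)
V       8086    Intel Corporation
D       1010    82546EB Dual Port Gigabit Ethernet Controller (Copper)
S       1012    PRO/1000 MT Dual Port Server Adapter
V       1106    VIA Technologies Inc
D       3044    VT6306 VIA Fire II IEEE-1394 OHCI Link Layer Controller
V       10de    nVidia Corporation
D       0038    MCP04 Ethernet Controller
EOF
}

# pci_lookup FILE VENDOR DEVICE [SUBSYSTEM]
# Prints "vendor / device [/ subsystem]". Returns 1 for an unknown vendor and
# 2 for a known vendor with an unknown device.
pci_lookup() {
    awk -v vid="$2" -v did="$3" -v sid="${4:-}" '
        function name(   s) {      # record text after the type and ID fields
            s = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", s)
            return s
        }
        BEGIN { vid = tolower(vid); did = tolower(did); sid = tolower(sid) }
        # A V line opens a new vendor block and closes any device block.
        $1 == "V" { in_v = (tolower($2) == vid); in_d = 0
                    if (in_v) vendor = name()
                    next }
        # D lines only count while we are inside the requested vendor.
        $1 == "D" && in_v { in_d = (tolower($2) == did)
                    if (in_d) device = name()
                    next }
        # S lines only count while we are inside the requested device.
        $1 == "S" && in_d && subsys == "" && tolower($2) == sid { subsys = name() }
        END {
            if (vendor == "") { print "unknown vendor " vid; exit 1 }
            if (device == "") { print vendor " / unknown device " did; exit 2 }
            out = vendor " / " device
            if (subsys != "") out = out " / " subsys
            print out
        }' "$1"
}

# scanpci_ids - reads `scanpci -v` output on stdin and prints one
# "vendor device" pair per device line, with the 0x prefix stripped.
scanpci_ids() {
    sed -n 's/^pci bus .*vendor 0x\([0-9a-fA-F]\{4\}\) device 0x\([0-9a-fA-F]\{4\}\).*/\1 \2/p'
}

# identify FILE - resolves every scanpci device line arriving on stdin.
identify() {
    scanpci_ids | while read -r v d; do
        pci_lookup "$1" "$v" "$d" || true   # keep going past unknown IDs
    done
}

# Demo on the constructed sample: the PowerMac card, then the exercise line.
db=$(mktemp) && write_sample "$db"
pci_lookup "$db" 8086 1010 1012
echo 'pci bus 0x0006 cardnum 0x04 function 0x00: vendor 0x1106 device 0x3044' | identify "$db"
rm -f "$db"
```

Against the real list, pass the path to pcidevs.txt as the first argument and pipe `/usr/X11/bin/scanpci -v` into `identify`.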


MSI P4N SLI motherboard has a built-in nVidia nForce 04 NIC. OpenSolaris doesn’t have a driver for it, however a driver can be downloaded from Masayuki Murayama’s Free NIC drivers for Solaris page (Drivers there are SPARC/x86 capable, one might need a functional 64 bit compiler to recompile them for their platform).

His driver will work out of the box, as long as the PCI device ID matches the ones in adddrv.sh script. To verify that, one might need to run /usr/X11/bin/scanpci -v and verify that the PCI id matches. In my case, PCI ID was pci10d3,38, which was not in the adddrv.sh script, however is in fact an nForce4 ethernet controller.
After I’ve added the ID in the script, driver worked right away.

root@dara:/[07:49 PM]# cd ; /usr/X11/bin/scanpci -v
[...]
pci bus 0x0000 cardnum 0x0e function 0x00: vendor 0x10de device 0x0038
 nVidia Corporation MCP04 Ethernet Controller
 CardVendor 0x3462 card 0x7160 (Card unknown)
  STATUS    0x00a0  COMMAND 0x0007
  CLASS     0x06 0x80 0x00  REVISION 0xa2
  BIST      0x00  HEADER 0x00  LATENCY 0x00  CACHE 0x00
  BASE0     0xfe9fc000  addr 0xfe9fc000  MEM
  BASE1     0x0000c481  addr 0x0000c480  I/O
  MAX_LAT   0x14  MIN_GNT 0x01  INT_PIN 0x01  INT_LINE 0x05
  BYTE_0    0x62  BYTE_1  0x34  BYTE_2  0x60  BYTE_3  0x71

[...]
root@dara:/[07:50 PM]# modinfo | grep nfo
 Id Loadaddr   Size Info Rev Module Name
 44 feabbbc4   1e50  15   1  mntfs (mount information file system)
141 febc78d4   4768  88   1  devinfo (DEVINFO Driver 1.73)
219 f946c000   fc40 207   1  nfo (nVIDIA nForce nic driver v1.1.2)
root@dara:/[07:50 PM]# dmesg | grep -v UltraDMA

Sat Nov 25 19:50:28 EST 2006
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 306776 kern.info] nfo0: doesn't have pci power management capability
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 130221 kern.info] nfo0: nForce mac type 11 (MCP04) (vid: 0x10de, did: 0x0038, revid: 0xa2)
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 451511 kern.info] nfo0: MII PHY (0x01410cc2) found at 1
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 426109 kern.info] nfo0: PHY control:0, status:7949<100_BASEX_FD,100_BASEX,10_BASE_FD,10_BASE,XSTATUS,MFPRMBLSUPR,CANAUTONEG,EXTENDED>, advert:de1, lpar:0
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 119377 kern.info] nfo0: xstatus:3000<1000BASET_FD,1000BASET>
Nov 25 19:38:58 dara.NotBSD.org nfo: [ID 716252 kern.info] nfo0: resetting PHY
Nov 25 19:38:58 dara.NotBSD.org gld: [ID 944156 kern.info] nfo0: nVIDIA nForce nic driver v1.1.2: type “ether” mac address 00:13:d3:5f:53:2f
Nov 25 19:38:58 dara.NotBSD.org npe: [ID 236367 kern.notice] PCI Express-device: pci1462,7160@e, nfo0
Nov 25 19:38:58 dara.NotBSD.org genunix: [ID 936769 kern.notice] nfo0 is /pci@0,0/pci1462,7160@e
Nov 25 19:38:58 dara.NotBSD.org unix: [ID 954099 kern.info] NOTICE: IRQ21 is being shared by drivers with different interrupt levels.
Nov 25 19:38:58 dara.NotBSD.org This may result in reduced system performance.
Nov 25 19:38:58 dara.NotBSD.org last message repeated 1 time
Nov 25 19:38:58 dara.NotBSD.org last message repeated 1 time
Nov 25 19:38:59 dara.NotBSD.org nfo: [ID 831844 kern.info] nfo0: auto-negotiation started
Nov 25 19:39:04 dara.NotBSD.org nfo: [ID 503627 kern.warning] WARNING: nfo0: auto-negotiation failed: timeout
root@dara:/[07:50 PM]#


ZFS (Part 1)

Over the last year I was getting more and more curious/excited about OpenSolaris. Specifically I got interested in ZFS - Sun’s new filesystem/volume manager.

So I finally got my act together and gave it a whirl.

Test system: Pentium 4, 3.0Ghz in an MSI P4N SLI motherboard. Three ATA Seagate ST3300831A hard drives, one Maxtor 6L300R0 ATA drive (all are nominally 300 gigs - see previous post on slight capacity differences). One Western Digital WDC WD800JD-60LU SATA 80 gig hard drive. Solaris Express Community Release (SXCR) 51.

Originally I started this project running SXCR 41, but back then I only had 3 300 gig drives, and that was interfering with my plans for RAID 5 greatness. In the end the wait was worth it, as ZFS got revved since.

A bit about MSI motherboard. I like it. For a PC system I like it a lot. It has two PCI slots, two full length PCI E slots (16x), and one PCIE 1x slot. Technically it supports SLI with two ATI Cross-Fire or Nvidia SLI capable cards, however in that case both full length slots will run at 8x. Single slot will run at 16x. Two dual channel IDE connectors, four SATA connectors, built in high end audio with SPDIF, built in GigE NIC based on Marvell chipset/PHY, serial, parallel, built in IEEE1394 (iLink/Firewire) with 3 ports (one on the back of the board, two more can be brought out). Plenty of USB 2.0 connectors (4 brought out on the back of the board, 6 more can be brought out from connector banks on the motherboard). Overall, pretty shiny.

My setup consists of four IDE hard drives on the IDE bus, and an 80 gig WD on SATA bus for the OS. Motherboard BIOS allowed me to specify that I want to boot from the SATA drive first, so I took advantage of the offer.

Installation of SXCR was from IDE DVD (a pair of hard drives was unplugged for the time).
SXCR recognized pretty much everything in the system, except built in Marvell Gig E nic. Shit happens, I tossed in a PCI 3Com 3c509C NIC that I had kicking around, and restarted. There was a bit of a hold up with SATA drive - Solaris didn’t recognize it, and wanted the geometry, number of heads and number of clusters so that it could create an appropriate volume label. Luckily WD made identical drive but in IDE configuration, for which it actually provided the heads/clusters/sectors information, so I plugged those numbers in, and format and fdisk cheered up.

Other than that, normal Solaris install. I did console/text install just because I am a lot more familiar with them, however Radeon Sapphire X550 PCIE video card was recognized, and system happily boots into OpenWindows/CDE if you want it to.

So I proceeded to create a ZFS pool.
First thing I wanted to check is how portable ZFS is. Specifically, Sun claims that it’s endianness neutral (i.e. I can connect the same drives to the little endian PC, or big endian SPARC system, and as long as both run OS that recognizes ZFS, things will work). I wondered how it deals with device numbers. Traditionally Solaris is very picky about the device IDs, and changing things like controllers or SCSI IDs on a system can be tricky.

Here I wanted to know if I can just create, say, a “travelling zfs pool”, where I’ll have an external enclosure with a few SATA drives, an internal PCI SATA controller card, and if things go wrong in a particular system, I could always unplug the drives, and move them to a different system, and things will work. So I wanted to find out if ZFS can deal with changes in device IDs.

In order for ZFS to work reliably, it has to use a whole drive. It, in turn, writes an EFI disk label on the drive, with a unique identifier. Note that certain PC motherboards choke on EFI disk labels, and refuse to boot. Luckily most of the time this is fixable using a BIOS update.

root@dara:/[03:00 AM]# uname -a
SunOS dara.NotBSD.org 5.11 snv_51 i86pc i386 i86pc
root@dara:/[03:00 AM]# zpool create raid1 raidz c0d0 c0d1 c1d0 c1d1
root@dara:/[03:01 AM]# zpool status
  pool: raid1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        raid1       ONLINE       0     0     0
          raidz1    ONLINE       0     0     0
            c0d0    ONLINE       0     0     0
            c0d1    ONLINE       0     0     0
            c1d0    ONLINE       0     0     0
            c1d1    ONLINE       0     0     0

errors: No known data errors
root@dara:/[03:02 AM]# zpool list
NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
raid1                  1.09T    238K   1.09T     0%  ONLINE     -
root@dara:/[03:02 AM]# df -h /raid1
Filesystem             size   used  avail capacity  Mounted on
raid1                  822G    37K   822G     1%    /raid1
root@dara:/[03:02 AM]# 

Here I created a raidz1 pool (the ZFS equivalent of RAID5 with one parity disk, giving me (N-1)*[capacity of the drives]). raidz can survive the death of one hard drive. A ZFS pool can also be created with the raidz2 command, giving an equivalent of RAID5 with two parity disks; such a configuration can survive the death of 2 disks.

Note the difference in volume that zpool list and df produce. zpool list shows capacity not counting parity. df shows the more traditional available disk space. Using df will likely cause less confusion in normal operation.

So far so good.

Then I proceeded to create a large file on the ZFS pool:

root@dara:/raid1[03:04 AM]# time mkfile 10g reely_beeg_file

real    2m8.943s
user    0m0.062s
sys     0m5.460s
root@dara:/raid1[03:06 AM]# ls -la /raid1/reely_beeg_file
-rw------T   1 root     root     10737418240 Nov 10 03:06 /raid1/reely_beeg_file
root@dara:/raid1[03:06 AM]#

While this was running, I was running zpool iostat -v raid1 10 in a different window.

               capacity     operations    bandwidth
pool         used  avail   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
raid1        211M  1.09T      0    187      0  18.7M
  raidz1     211M  1.09T      0    187      0  18.7M
    c1d0        -      -      0    110      0  6.26M
    c1d1        -      -      0    110      0  6.27M
    c0d0        -      -      0    110      0  6.25M
    c0d1        -      -      0     94      0  6.23M
----------  -----  -----  -----  -----  -----  -----

               capacity     operations    bandwidth
pool         used  avail   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
raid1       1014M  1.09T      0    601      0  59.5M
  raidz1    1014M  1.09T      0    601      0  59.5M
    c1d0        -      -      0    364      0  20.0M
    c1d1        -      -      0    363      0  20.0M
    c0d0        -      -      0    355      0  19.9M
    c0d1        -      -      0    301      0  19.9M
----------  -----  -----  -----  -----  -----  -----

[...]
               capacity     operations    bandwidth
pool         used  avail   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
raid1       8.78G  1.08T      0    778    363  91.1M
  raidz1    8.78G  1.08T      0    778    363  91.1M
    c1d0        -      -      0    412      0  30.4M
    c1d1        -      -      0    411  5.68K  30.4M
    c0d0        -      -      0    411  5.68K  30.4M
    c0d1        -      -      0    383  5.68K  30.4M
----------  -----  -----  -----  -----  -----  -----

10 gigabytes written over 128 seconds. About 80 megabytes a second on continuous writes. I think I can live with that.

Next I wanted to run some md5 digests of some files on the /raid1, then export the pool, shut system down, switch around IDE cables, boot system back up, reimport the pool, and re-run the md5 digests. This would simulate moving a disk pool to a different system, screwing up disk ordering in process.

root@dara:/[12:20 PM]# digest -a md5 /raid1/*
(/raid1/reely_beeg_file) = 2dd26c4d4799ebd29fa31e48d49e8e53
(/raid1/sunstudio11-ii-20060829-sol-x86.tar.gz) = e7585f12317f95caecf8cfcf93d71b3e
root@dara:/[12:23 PM]# zpool status
  pool: raid1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        raid1       ONLINE       0     0     0
          raidz1    ONLINE       0     0     0
            c0d0    ONLINE       0     0     0
            c0d1    ONLINE       0     0     0
            c1d0    ONLINE       0     0     0
            c1d1    ONLINE       0     0     0

errors: No known data errors
root@dara:/[12:23 PM]# zpool export raid1
root@dara:/[12:23 PM]# zpool status
no pools available
root@dara:/[12:23 PM]#

The system was shut down, the IDE cables were switched around, and the system was rebooted.

root@dara:/[02:09 PM]# zpool status
no pools available
root@dara:/[02:09 PM]# zpool import raid1
root@dara:/[02:11 PM]# zpool status
  pool: raid1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        raid1       ONLINE       0     0     0
          raidz1    ONLINE       0     0     0
            c1d0    ONLINE       0     0     0
            c1d1    ONLINE       0     0     0
            c0d0    ONLINE       0     0     0
            c0d1    ONLINE       0     0     0

errors: No known data errors
root@dara:/[02:11 PM]#

Notice that the order of the drives changed. It was c0d0 c0d1 c1d0 c1d1, and now it’s c1d0 c1d1 c0d0 c0d1.

root@dara:/[02:22 PM]# digest -a md5 /raid1/*
(/raid1/reely_beeg_file) = 2dd26c4d4799ebd29fa31e48d49e8e53
(/raid1/sunstudio11-ii-20060829-sol-x86.tar.gz) = e7585f12317f95caecf8cfcf93d71b3e
root@dara:/[02:25 PM]#

Same digests.
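
The before/after digest check above, scripted so that a changed or missing file is reported rather than compared by eye. This is an added example, not part of the original post: it uses SHA-256 in place of md5, and the function names, the manifest format and the sha256sum fallback are assumptions. It needs a POSIX shell (ksh or bash on Solaris, not the legacy /bin/sh).

```shell
#!/bin/sh
# Record digests before `zpool export`, verify them after `zpool import`.
# Hypothetical helper names; manifest lines are "<hex digest>  <file name>".

# Print the SHA-256 of one file as bare hex.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    else
        digest -a sha256 "$1"               # Solaris digest(1), single file
    fi
}

# manifest_create DIR MANIFEST: hash every regular file directly in DIR.
manifest_create() {
    ( cd "$1" || exit 1
      for f in *; do
          [ -f "$f" ] || continue           # skip directories, empty glob
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$2"
}

# manifest_verify DIR MANIFEST: print MISSING/CHANGED lines,
# return 0 only when every recorded file is present and unchanged.
manifest_verify() {
    bad=0
    while read -r want name; do
        if [ ! -f "$1/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1))
        elif [ "$(hash_file "$1/$name")" != "$want" ]; then
            echo "CHANGED  $name"; bad=$((bad + 1))
        fi
    done < "$2"
    [ "$bad" -eq 0 ]
}

# Usage around the pool move (manifest path is a placeholder):
#   manifest_create /raid1 /var/tmp/raid1.manifest
#   zpool export raid1      # ...shut down, recable, boot...
#   zpool import raid1
#   manifest_verify /raid1 /var/tmp/raid1.manifest && echo "all digests match"
```

Keep the manifest somewhere other than the pool being moved, so that damage to the pool cannot also damage the reference digests.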

Oh, and a very neat feature… You want to know what was happening with your disk pools?

root@dara:/[02:12 PM]# zpool history raid1
History for 'raid1':
2006-11-10.03:01:56 zpool create raid1 raidz c0d0 c0d1 c1d0 c1d1
2006-11-10.12:19:47 zpool export raid1
2006-11-10.12:20:07 zpool import raid1
2006-11-10.12:39:49 zpool export raid1
2006-11-10.12:46:14 zpool import raid1
2006-11-10.14:09:54 zpool export raid1
2006-11-10.14:11:00 zpool import raid1

Yes, ZFS logs the last bunch of commands onto the zpool devices. So even if you move the pool to a different system, the command history will still be with you.

Lastly, some versioning history for ZFS:

root@dara:/[02:19 PM]# zpool upgrade raid1
This system is currently running ZFS version 3.

Pool 'raid1' is already formatted using the current version.
root@dara:/[02:19 PM]# zpool upgrade -v
This system is currently running ZFS version 3.

The following versions are suppored:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS version
 2   Ditto blocks (replicated metadata)
 3   Hot spares and double parity RAID-Z

For more information on a particular version, including supported releases, see:

http://www.opensolaris.org/os/community/zfs/version/N

Where 'N' is the version number.
root@dara:/[02:19 PM]#

Power consumption and hard drives

Some numbers about power consumption of hard drives…

Maxtor DiamondMax 10 6L300R0, 7200 RPM, 300 gig (279.48GB formatted) ATA hard drive has the following power consumption: +5V 740 mA, +12V 1500 mA.

Seagate Barracuda ST3300831A, 7200 RPM, 300 gig (279.45GB formatted) ATA hard drive has the following power consumption: +5V 460 mA, +12V 560 mA.

Seagate tech spec sheet claims that their ‘cudas also take 2.8 amps of +12V to spin up. Maxtor doesn’t have a useful spec sheet for their product.

Observations: Seagate has a 5 year warranty on their drives. Lower power consumption means lower power dissipation, and thus a cooler system. Lower power consumption means that you can get away with a smaller power supply (or more drives in a system), and thus reduce your power consumption costs (that are more of an issue in a 24/7 environment) and air conditioning/cooling costs.

Conclusions: One should spec hard drives not only from the point of view of costs (WD is cheap but in my experience dies like a butterfly under a cold spell), but from the point of view of warranty and power consumption. Sadly vendors do not provide power consumption information in their spec sheets, so the only way to find it out is by going to a computer store, asking to look at an OEM drive, and reading off the numbers.

Merging Keychains?

Does anyone know how to merge multiple Keychains in Mac OS X?

I know I can copy items from one keychain to another, but that involves authenticating twice.

I tried going in and adding those other keychains to be part of my list, but they don’t stay. Frustrating.

Why am I doing this? I replaced my computer, and was not able to transfer my account at setup time, so I ended up with some old keychains that got copied over.

Suggestions, comments, rants?

All are welcome!

Dave

Pelican Case Guarantee: unconditional? Not!

A photographer friend of mine, in the midst of the “controlled chaos” of his daughter’s 3rd birthday party, somehow got onto the topic of Pelican cases. He has been using them, and abusing them, for many years, and will do so for many more. But he warned us that even though they are guaranteed against almost anything, they are not covered against damage from toddlers! Being curious, I decided to check, and lo and behold, kids under five are put into the same category as bear attacks and shark bites, which their guarantee also does not cover.

Pelican™ Products Unconditional Lifetime Guarantee of Excellence

Let’s put it into perspective though! Go and read a few of the Survival Stories and then wonder just how destructive a toddler can be.
