How secure is the ftp built in to isi_gather_info?

[Daniel Cornel]

I am looking for any input on the steps and processes that an isi_gather_info goes through, specifically, for the upload to isilon.  Occasionally our uploads are refused and fail and we are trying to verify ports opened etc.  Also, a question was raised as to the security of the ftp process.  Does anyone have experience digging on this topic?

[Saker Klippsten]

We do not allow Internet. When gather is complete it spits out the path and file name, I copy to my laptop, disconnect from our production network, join our separate wifi network and upload manually via FileZilla.

Have always had issues in the past with uploading files to Isilon one of our clusters is 30 nodes and the logs are in the GB's always failed... So I manually upload to be sure. 

-s

On Mar 5, 2014, at 5:31 AM, Daniel Cornel <aqua...@hotmail.com> wrote:

I am looking for any input on the steps and processes that an isi_gather_info goes through, specifically, for the upload to isilon.  Occasionally our uploads are refused and fail and we are trying to verify ports opened etc.  Also, a question was raised as to the security of the ftp process.  Does anyone have experience digging on this topic?

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Chris Pepper]

We have had a lot of trouble getting through our FTP filters. They seem to break every year or so, until IS fixes the FTP filter. To gather I use an (incremental) alias:

> igi='time isi_gather_info --incremental'

Chris

[David Hasson]

We actually have a workaround for sftp, as EMC maintains a sftp server that works with the same credentials (e.g. anonymous/email).  It's at the same address.

Try using sftp manually and see how that goes, and if you want to get tricky with scripts feel free to email me.

-David

[Daniel Cornel]

Usage: isi_gather_info [OPTION]...

Options:
  -h                  Print this message and exit.
  -v                  Print version info and exit.
  -u USER             Login as USER instead of default root.
  -p PASSWORD         Use PASSWORD.
  -i                  Include only the listed utility.  See also the
                      -l option for a list of utilities to include.
                      The special value "all" may be used to include
                      every known utility.
  --incremental       Gather only logs changed since last log upload
  -l                  List utilities and groups which can be included
                      (see -i and --group)
  -f FILENAME         Gather FILENAME from each node.
  -n NODES            Gather information only from the given nodes.
                      Must be a list or range of LNNs (what you see
                      in "isi stat" output). For example: '1,4-10,12,14'.
                      If no nodes are explicitly listed, the whole array
                      is used.  Note that nodes are automatically
                      excluded if they are down.
  --local-only        Do not gather any information from other nodes.
  --skip-node-check   Skip check for node availability.
  -s gather_script    Run gather_script on every node.
  -S gather_expr      Run gather_expr on every node.
  -1 gather_expr      Run gather_expr on the local node.
  -a analysis_script  Run analysis_script on results.
  -A analysis_expr      Run analysis_expr on every node.
  -t TARFILE          Save all results to TARFILE instead of default tar file.
  -x exclude_tool     Excludes the specified tool from being gathered from each                                                                                    node.
  -I                  Save results to IFS (default)
  -L                  Save all results to local storage: /var/crash/support/
  -T TEMPDIR          Save all results to TEMPDIR instead of default dir.
                      (overrides -L and -I)
  --tardir <dir>      Place the final package directly into <dir>.
  --symlinkdir <dir>  Create a symlink to the final package in <dir>.
  --varlog_recent     Gather all logs in /var/log, but not the compressed and
                      rotated old logs (Default is for all logs).
  --varlog_all        Gather all logs in /var/log, including compressed and
                      rotated old logs (Default).
  --nologs            Do not gather normal required minimal logs.
  --group <name>      Add a specific group of utilities to the tarball.

Configuration:
  --noconfig         Use built-in defaults and bypass the configuration file.
  --save-only        Save the CLI specified configuration to file and exit.
  --save             Save the CLI specified configuration to file and run.

Upload Options:
  --upload            Upload logs to isilon automatically. (Default)
  --noupload          Do not upload logs to isilon automatically.
  --re-upload FILE    Re-uploads the specified FILE.
  --verify-upload     Creates a tar file and uploads to test connectivity.

  HTTP Upload Options:
    --http                 Attempt HTTP upload. (Default)
    --nohttp               Do not attempt HTTP upload.
    --http-host HOST       Specifies alternate HTTP site for upload.
    --http-path DIR        Specifies alternate HTTP upload directory.
    --http-proxy HOST      Specifies Proxy server to use.
    --http-proxy-port PORT Specifies Proxy port to use.

  FTP Upload Options:
    --ftp                 Attempt FTP upload. (Default)
    --noftp               Do not attempt FTP upload.
    --ftp-user USER       Specify alternate user for FTP.  (Default: anonymous)
    --ftp-pass PASS       Specify alternate password for FTP.
    --ftp-host HOST       Specifies alternate FTP site for upload.
    --ftp-path DIR        Specifies alternate FTP upload directory.
    --ftp-port PORT       Specifies alternate FTP port for upload.
    --ftp-proxy HOST      Specifies Proxy server to use.
    --ftp-proxy-port PORT Specifies Proxy port to use.
    --ftp-mode MODE       Mode of FTP file transfer (default: attempt both)
                          valid: both, active, passive

  ESRS Upload Options:
    --esrs                Attempt ESRS upload.

  SMTP Upload Options:
    --email             Attempt SMTP upload. (If set, SMTP is tried first.)
    --noemail           Do not attempt SMTP upload. (Default)
    --email-addresses   Specify email addresses. (separated by comma)
    --email-subject     Specify alternative email subject.
    --email-body        Specify alternative email text shown on head of body.
    --skip-size-check   Do no check size of gathered file.

  Multiple instances of -i, -f, -s, -S, -1 are allowed.
  gather_expr, analysis_expr can be quoted.
  Default temporary directory is /ifs/data/Isilon_Support/
  (change with -L or -T)

[Daniel Cornel]

What options are you using? After all this time, we are still having ftp issues and are attempting scripting.  Oddly, doing a isi_gather_info --verify-upload succeeds! but the real file almost immediately fails.  Can you share what ended up being successful for you?

On Wednesday, March 5, 2014 10:13:30 PM UTC-6, David Hasson wrote:

We actually have a workaround for sftp, as EMC maintains a sftp server that works with the same credentials (e.g. anonymous/email).  It's at the same address.

Try using sftp manually and see how that goes, and if you want to get tricky with scripts feel free to email me.

-David

On Wednesday, March 5, 2014, Chris Pepper <pep...@reppep.com> wrote:

        We have had a lot of trouble getting through our FTP filters. They seem to break every year or so, until IS fixes the FTP filter. To gather I use an (incremental) alias:

> igi='time isi_gather_info --incremental'

Chris

On Mar 5, 2014, at 11:04 AM, Saker Klippsten <sak...@gmail.com> wrote:

> We do not allow Internet. When gather is complete it spits out the path and file name, I copy to my laptop, disconnect from our production network, join our separate wifi network and upload manually via FileZilla.
>
> Have always had issues in the past with uploading files to Isilon one of our clusters is 30 nodes and the logs are in the GB's always failed... So I manually upload to be sure.
> -s
>
> On Mar 5, 2014, at 5:31 AM, Daniel Cornel <aqua...@hotmail.com> wrote:
>
>> I am looking for any input on the steps and processes that an isi_gather_info goes through, specifically, for the upload to isilon.  Occasionally our uploads are refused and fail and we are trying to verify ports opened etc.  Also, a question was raised as to the security of the ftp process.  Does anyone have experience digging on this topic?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.

>> To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-group+unsubscribe@googlegroups.com.

>> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-group+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-group+unsubscribe@googlegroups.com.