Replace a Malware Appliance Hard Disk

Article ID: 168925

Products

Malware Analysis Software - MA

Issue/Introduction

This article describes steps to be taken to replace a hard disk in a Malware Analysis appliance. You may want to replace a disk due to either of the following:

This process applies to both S400 and S500 appliances.
All existing profiles will remain after completing this procedure.

Resolution

Prerequisites

  • Command Line Shell in serial console or SSH access

  • Replacement disk(s)

Before You Begin - Maintenance Activity
If the disk is not faulty, you must first mark it as faulty before it can be removed from the RAID array. For /dev/sdc, run the following command:

[email protected]:~$ sudo mdadm --manage /dev/md127 --fail /dev/sdc1
mdadm: set /dev/sdc1 faulty in /dev/md127


Procedure
Follow these steps to replace a Malware Analysis appliance hard disk.

  1. Run raidcheck to remove the disk (or faulty disk) from RAID, and to identify the disk's bay number in the appliance. For an S500, you will see output like this:
[email protected]:~$ sudo python /opt/mag2/usr/share/mag2/pyscripts/raidcheck.pyc
 Bay  Device     State
   1  /dev/sdc1  faulty spare
   2  /dev/sdd1  active sync
   3  /dev/sde1  active sync
   4  /dev/sdf1  active sync
   5  /dev/sdg1  active sync
   6  /dev/sdh1  active sync
 
 /dev/sdc1 is marked as faulty and needs to be removed from the RAID array.
 Continue to remove faulty disk? [y/N] y
 mdadm: hot removed /dev/sdc1 from /dev/md127
 
Instructions:
  - Shut down the system and replace the faulty disk in bay 1.

Done.
 [email protected]:~$ 
  2. Shut down the appliance.
     • On the web console, go to System Settings > Restart Shutdown.
     • On the console menu, go to 5. Shutdown / reboot
     Note: If you are running a software version earlier than 4.2.8, unplug the power cables; otherwise, the appliance will automatically restart after a few seconds.
  3. Replace the hard disk, then power on the appliance.
  4. Once the Malware Analysis appliance is up, run raidcheck to add the new disk to RAID and perform RAID resync. Here is an example:
 [email protected]:~$ sudo python /opt/mag2/usr/share/mag2/pyscripts/raidcheck.pyc
 [sudo] password for g2: 
 Bay  Device     State
   1  /dev/sdc1  removed?
   2  /dev/sdd1  active sync
   3  /dev/sde1  active sync
   4  /dev/sdf1  active sync
   5  /dev/sdg1  active sync
   6  /dev/sdh1  active sync
 
 Replacement disk /dev/sdc found.
 Continue to partition the new disk? [y/N] y
 Checking that no-one is using this disk right now ...
 OK
 
 sfdisk: ERROR: sector 0 does not have an msdos signature
  /dev/sdc: unrecognized partition table type
 No partitions found
 Warning: partition 1 does not end at a cylinder boundary
 Warning: no primary partition is marked bootable (active)
 This does not matter for LILO, but the DOS MBR will not boot this disk.
 If you created or changed a DOS partition, /dev/foo7, say, then use dd(1)
 to zero the first 512 bytes:  dd if=/dev/zero of=/dev/foo7 bs=512 count=1
 (See fdisk(8).)
 mdadm: added /dev/sdc1
 Waiting until all RAID tasks are done: /dev/sdc1: spare rebuilding

Note: The RAID resync will take seven to eight hours to complete on an S500. It will take less time on an S400.
When the resync has completed, you will see a Done message.

S500 Example
[email protected]:~$ sudo python /opt/mag2/usr/share/mag2/pyscripts/raidcheck.pyc
 Bay  Device     State
   1  /dev/sdc1  active sync
   2  /dev/sdd1  active sync
   3  /dev/sde1  active sync
   4  /dev/sdf1  active sync
   5  /dev/sdg1  active sync
   6  /dev/sdh1  active sync
 
 Done.

S400 Example
 [email protected]:~$ sudo python /opt/mag2/usr/share/mag2/pyscripts/raidcheck.pyc
 Bay  Device     State
   1  /dev/sda1  active sync
   2  /dev/sdc1  active sync
 
 Done.
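
The following is an added example, not part of the original article or the vendor's raidcheck script: a small Python parser for the Bay/Device/State table shown above that names which step of the procedure applies and refuses to proceed if a second member is already degraded. The function names, the one-disk-at-a-time rule and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample in the Bay/Device/State format shown in step 1.
SAMPLE = """\
 Bay  Device     State
   1  /dev/sdc1  faulty spare
   2  /dev/sdd1  active sync
   3  /dev/sde1  active sync
"""

# A table row: bay number, member partition, free-text state.
ROW = re.compile(r"^\s*(\d+)\s+(/dev/\S+)\s+(.+?)\s*$")


def parse_raidcheck(text):
    """Return [(bay, device, state)] from raidcheck's table; skip other lines."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ROW.match, text.splitlines()) if m]


def next_step(rows, target=None):
    """Name the article step that applies. `target` is the member partition
    (as listed in the table) of a healthy disk you plan to swap, if any."""
    bad = [r for r in rows if r[2] != "active sync"]
    # Assumption of this example: handle one disk at a time.
    if len(bad) > 1:
        return "stop: more than one member is not 'active sync'"
    if not bad:
        if target is None:
            return "done: all members active sync"
        return "fail %s first (Before You Begin), then run raidcheck" % target
    bay, dev, state = bad[0]
    if target and target != dev:
        return "stop: %s is already '%s'; do not fail %s" % (dev, state, target)
    if state.startswith("faulty"):
        return "run raidcheck to hot-remove %s, then replace bay %d" % (dev, bay)
    if state.startswith("removed"):
        return "run raidcheck to partition and add the disk in bay %d" % bay
    if "rebuilding" in state:  # assumed to appear in the table during resync
        return "wait: %s is resyncing" % dev
    return "stop: unrecognised state '%s' for %s" % (state, dev)


if __name__ == "__main__":
    print(next_step(parse_raidcheck(SAMPLE)))
```

Paste the table from a raidcheck run into `parse_raidcheck` before a planned swap; a "stop" result means the array is not in the state this procedure expects.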