20141213

move kvm guest notes

Move (not live-migrate) a KVM VM from host B to host C.

This assumes that the guest VM is bridged and that both KVM hosts are on the same Ethernet segment.

Shut down the guest VM.

Copy guest VM image from host B to host C.
b# scp /vm/vm2.qcow2 root@c:/vm


Dump XML definition and copy it to the destination host.
b# virsh dumpxml vm2 > vm2.xml
b# scp vm2.xml root@c:/etc/libvirt/qemu


On host C (the destination host) define the guest from its XML definition.
c# virsh define /etc/libvirt/qemu/vm2.xml
Domain vm2 defined from /etc/libvirt/qemu/vm2.xml


Start the guest VM on the destination host.
c# virsh start vm2
Domain vm2 started


Disable autostart for the VM guest in B (the original host).
b# virsh autostart vm2 --disable
Domain vm2 unmarked as autostarted


Enable autostart for the moved VM guest in C (the destination host).
c# virsh autostart vm2
Domain vm2 marked as autostarted
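Before the scp step it pays to list every disk image the domain XML actually references, since a guest may have more than one and the dumpxml output is the authoritative list. The shell snippet below is an added example, not part of the original notes; the domain XML is a constructed sample of the relevant part of virsh dumpxml output.

```shell
#!/bin/sh
# Added example: list the disk image paths referenced by a libvirt domain XML,
# so every image (not just the one you remember) gets copied to the new host.
# Constructed sample of the relevant part of `virsh dumpxml vm2` output.
SAMPLE_XML='<domain type="kvm">
  <name>vm2</name>
  <devices>
    <disk type="file" device="disk">
      <source file="/vm/vm2.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <disk type="file" device="disk">
      <source file="/vm/vm2-data.qcow2"/>
      <target dev="vdb" bus="virtio"/>
    </disk>
    <disk type="file" device="cdrom">
      <source file="/iso/debian.iso"/>
      <readonly/>
    </disk>
  </devices>
</domain>'

# Print one <source file="..."/> path per line from the XML given on stdin.
disk_sources() {
    sed -n 's/.*<source file="\([^"]*\)".*/\1/p'
}

# Return 0 if every path read from stdin exists locally, 1 otherwise
# (pre-copy sanity check on host B before the scp).
check_images_exist() {
    rc=0
    while IFS= read -r path; do
        [ -f "$path" ] || { echo "missing: $path" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone demo: list the images that would need copying for the
# constructed domain, then check whether they exist on this machine.
printf '%s\n' "$SAMPLE_XML" | disk_sources
printf '%s\n' "$SAMPLE_XML" | disk_sources | check_images_exist \
    || echo "not all images are present on this host" >&2
```

Feed it the real dumpxml file (virsh dumpxml vm2 | disk_sources) and scp each listed path; a cdrom ISO shows up too and can be dropped from the XML instead of copied.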
20141212

install debian-packaged awstats
Notes on installing and using debian-packaged AWStats to analyze Apache logs.



Install the Debian-packaged awstats (currently v7.0).
# apt-get install awstats




I would use the following setup on apache2 installations whose sites or virtual hosts all belong to the same person or organization; I would NOT use it in a shared hosting environment.



Get the apache configuration file.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf -O /etc/apache2/conf.d/awstats.conf


Restart Apache.
# /etc/init.d/apache2 restart




Enable the ipduh_intel awstats plugin and disable PTR lookups. IP addresses convey much more information than PTR names, and PTR names can be (and commonly are) manipulated.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf.local -O /etc/awstats/awstats.conf.local



Install the ipduh_intel awstats plugin.
# wget https://raw.githubusercontent.com/ipduh/awstats_plugins/master/ipduh_intel.pm -O /usr/share/awstats/plugins/ipduh_intel.pm




Create the Apache password file and add the user 'user' with password 'userpass'.
# htpasswd -cb /etc/awstats/A2Passwords user userpass
Add the user 'user2' with password 'user2pass' to the Apache password file.
# htpasswd -b /etc/awstats/A2Passwords user2 user2pass
Note that with -b the password is given on the command line and ends up in the shell history; omit -b to be prompted for it instead.




Create an awstats configuration file for each (virtual) host in /etc/awstats. The files are named awstats.host.conf, e.g. for a host named example.com the file would be awstats.example.com.conf and could look like the following.
Include "/etc/awstats/awstats.conf"
SiteDomain="example.com"
HostAliases="www.example.com"
DirData="/logs/sites/example.com/awstats"
LogFile="/logs/sites/example.com/access_all"





Analyze the access logs of one host for the first time.
# cat /logs/sites/example.com/access/* >> /logs/sites/example.com/access_all
# /usr/lib/cgi-bin/awstats.pl --configdir=/etc/awstats/ -config=example.com




View the awstats analysis with a web browser at http://example.com/awstats/awstats.pl?config=example.com



Get rid of the Debian package's cron job.
# rm /etc/cron.d/awstats




20141207

BGP as IGP with next-hop-self RR vs Fully Connected Mesh
A comparison of BGP as iGP with next-hop-self in a fully connected mesh vs BGP as iGP with next-hop-self with two Route Reflectors.

This is an effort to figure out which of the two setups is better in terms of configuration and maintenance cost. It is inspired by a quest on the AWMN mailing list to find the best setup for AWMN nodes with many routers.

(AWMN is a wireless BGP internet where each wireless node has an Autonomous System Number and 1 to 15 routers with wireless interfaces. Routing within each node is done with static routes, some IGP (usually OSPF), or iBGP with next-hop-self.)



I assume that:

The maintenance cost is equal to the number of iBGP sessions (the number of connections in the mesh).

The total configuration cost is equal to the number of (neighbor) configuration stanzas for all iBGP connections.

The cost of adding a router is equal to the number of (neighbor) iBGP configuration stanzas that must be added across all the nodes in the mesh.

Get a little program that prints tables of maintenance and configuration costs for both setups.
$ wget https://raw.githubusercontent.com/ipduh/fmvsrr/master/fmvsrr.pl && chmod 755 fmvsrr.pl


Print costs for 2 to 27 routers.
$ ./fmvsrr.pl 27
N    = Number of routers
Πfm  = Maintenance Cost in a Fully Connected Mesh
Πrr  = Maintenance Cost in a Two Route Reflectors Setup
Kfm  = Total Configuration Cost in a Fully Connected Mesh
Krr  = Total Configuration Cost in a Two Route Reflectors Setup
Nfm  = Cost of adding one router in a Fully Connected Mesh
Nrr  = Cost of adding one router in a Two Route Reflectors Setup

N=2  Πfm=2  Πrr=2+  Kfm=2  Krr=2+  Nfm=2  Nrr=2+
N=3  Πfm=3  Πrr=3+  Kfm=6  Krr=3+  Nfm=6  Nrr=3
N=4  Πfm=6  Πrr=6  Kfm=12  Krr=9  Nfm=6  Nrr=3
N=5  Πfm=10  Πrr=7  Kfm=20  Krr=11  Nfm=8  Nrr=3
N=6  Πfm=15  Πrr=8  Kfm=30  Krr=13  Nfm=10  Nrr=3
N=7  Πfm=21  Πrr=9  Kfm=42  Krr=15  Nfm=12  Nrr=3
N=8  Πfm=28  Πrr=10  Kfm=56  Krr=17  Nfm=14  Nrr=3
N=9  Πfm=36  Πrr=11  Kfm=72  Krr=19  Nfm=16  Nrr=3
N=10  Πfm=45  Πrr=12  Kfm=90  Krr=21  Nfm=18  Nrr=3
N=11  Πfm=55  Πrr=13  Kfm=110  Krr=23  Nfm=20  Nrr=3
N=12  Πfm=66  Πrr=14  Kfm=132  Krr=25  Nfm=22  Nrr=3
N=13  Πfm=78  Πrr=15  Kfm=156  Krr=27  Nfm=24  Nrr=3
N=14  Πfm=91  Πrr=16  Kfm=182  Krr=29  Nfm=26  Nrr=3
N=15  Πfm=105  Πrr=17  Kfm=210  Krr=31  Nfm=28  Nrr=3
N=16  Πfm=120  Πrr=18  Kfm=240  Krr=33  Nfm=30  Nrr=3
N=17  Πfm=136  Πrr=19  Kfm=272  Krr=35  Nfm=32  Nrr=3
N=18  Πfm=153  Πrr=20  Kfm=306  Krr=37  Nfm=34  Nrr=3
N=19  Πfm=171  Πrr=21  Kfm=342  Krr=39  Nfm=36  Nrr=3
N=20  Πfm=190  Πrr=22  Kfm=380  Krr=41  Nfm=38  Nrr=3
N=21  Πfm=210  Πrr=23  Kfm=420  Krr=43  Nfm=40  Nrr=3
N=22  Πfm=231  Πrr=24  Kfm=462  Krr=45  Nfm=42  Nrr=3
N=23  Πfm=253  Πrr=25  Kfm=506  Krr=47  Nfm=44  Nrr=3
N=24  Πfm=276  Πrr=26  Kfm=552  Krr=49  Nfm=46  Nrr=3
N=25  Πfm=300  Πrr=27  Kfm=600  Krr=51  Nfm=48  Nrr=3
N=26  Πfm=325  Πrr=28  Kfm=650  Krr=53  Nfm=50  Nrr=3
N=27  Πfm=351  Πrr=29  Kfm=702  Krr=55  Nfm=52  Nrr=3



When the full mesh topology is used in a node with 10 routers, the configuration and maintenance cost is ~4.5 times larger than with a two-route-reflectors setup, and the 11th router would cost me ~20 configuration stanzas and logging in to 11 routers instead of ~3 stanzas in three routers.
20141205

TSIG authenticated zone transfers in Bind

Notes on setting up secret key authenticated TSIG zone transfers in Bind 9.8.

Create a 128-bit HMAC-SHA256 key of type HOST to use as the shared secret.
# dnssec-keygen -a hmac-sha256 -b 128 -n HOST gemlocgem
Kgemlocgem.+163+12752


The previous command creates two files.
# ls Kgemlo*
Kgemlocgem.+163+12752.key  Kgemlocgem.+163+12752.private


The base64 string of the 128-bit secret we need is in both files.
# cat Kgemlocgem.+163+12752.key
gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg==


Create a named.conf.keys file.
# cat named.conf.keys

key gemlocgem. {
  algorithm hmac-sha256;
  secret  "Wh47ever64iPdUhb9nd8hg==";
};
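Copying the secret into named.conf.keys is where most TSIG setups go wrong (a truncated or retyped base64 string). As an added example, not part of the original notes, the shell snippet below extracts the name and secret from the .key file line, verifies that the secret really is 128 bits, and prints the stanza; the key-file line is a constructed sample in the format dnssec-keygen writes.

```shell
#!/bin/sh
# Added example: turn a dnssec-keygen HMAC key file line into a named.conf
# key stanza, checking the secret length on the way.
# Constructed sample line in the format found in Kname.+163+NNNNN.key
# (163 is the algorithm number dnssec-keygen uses for HMAC-SHA256).
SAMPLE_KEY_LINE='gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg=='

# Print the base64 secret: the last field of the KEY record.
key_secret() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Print the key name: the first field, trailing dot kept as BIND wants it.
key_name() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Number of bits in the decoded secret; dnssec-keygen -b 128 must give 128.
secret_bits() {
    bytes=$(printf '%s' "$1" | base64 -d | wc -c)
    echo $((bytes * 8))
}

# Emit the named.conf.keys stanza for a key-file line ($1), or fail when the
# secret is not the expected number of bits ($2): catches truncated pastes.
key_stanza() {
    name=$(key_name "$1")
    secret=$(key_secret "$1")
    bits=$(secret_bits "$secret")
    [ "$bits" -eq "$2" ] || { echo "secret is $bits bits, expected $2" >&2; return 1; }
    printf 'key %s {\n  algorithm hmac-sha256;\n  secret "%s";\n};\n' "$name" "$secret"
}

# Stand-alone demo: key_stanza "$(cat Kgemlocgem.+163+12752.key)" 128 on a real file.
key_stanza "$SAMPLE_KEY_LINE" 128
```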



Make the key files and named.conf.keys unreadable by everyone else on this system.
# chmod 640 Kgemlocgem.+163+12752.*
# chmod 640 named.conf.keys


Send named.conf.keys to the slave.
# toprod named.conf.keys


Include named.conf.keys and add a server stanza with the key to the named.conf of the server at 192.0.2.111.
# cat named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.222 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};



One of the name servers (e.g. the slave) is at 192.0.2.222 and the other at 192.0.2.111.

The named.conf file on the other server.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.111 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};


Adjust the allow-transfer and allow-update directives in the options of both servers so that they require the TSIG key, e.g.
  allow-transfer { key gemlocgem. ; };
  allow-update { key gemlocgem. ; };
You may also use other allow-transfer directives that specify IP addresses.

The systems used.
# named -v
BIND 9.8.4-rpz2+rl005.12-P1
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.7
20141204

Change hostname in debian

A better way to change the hostname in debian systems.

# hostname -f
geminus


Sanity-check the list of /etc/* files in which the hostname appears.
# cd /etc
# grep -ril `hostname -f` /etc |tee hostname.files.list
/etc/mailname
/etc/hostname
/etc/exim4/update-exim4.conf.conf
/etc/hosts
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub
The above list seems fine, but imagine what would happen if the hostname were eth or work.

Save each file that contains the hostname to file.0 and replace geminus (old hostname) with gem (new hostname).
# perl -i.0 -p -e 's/geminus/gem/g;' `cat ./hostname.files.list`


Restart the affected services (ssh and exim in this case) or, better, reboot the system if you can afford it.
# reboot
20141202

LXC container start at boot

Start a Linux Container at boot time

See the containers' status.
# lxc-list
RUNNING

FROZEN

STOPPED
  squeezie



Link the container's config file to /etc/lxc/auto so it starts at boot time.
# ln -s /var/lib/lxc/squeezie/config /etc/lxc/auto/squeezie
squeezie is the name of the container.

Test it, if you can afford to reboot the host.
# reboot


...

# lxc-list 
RUNNING
  squeezie (auto)

FROZEN

STOPPED
20141201

change container root password from the host

Change a container's root password (you forgot) from the host.

I think that the easiest way is to run passwd chrooted to the container's root.

e.g. for the squeezie container created by the squeeze template
# chroot /var/lib/lxc/squeezie/rootfs/ passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
20141120

squeeze container on a wheezy host

Notes on putting a Debian squeeze Linux Container on a Debian Wheezy host.

The requirement: the Squeeze system in the container runs a TCP/IP application that should be reachable only through the host.



Create a bridge between a dummy network interface and the network interface used by the container.

Load dummy module (with numdummies=1) at startup.
# echo dummy >> /etc/modules


Install the Linux ethernet bridge utilities.
# apt-get install bridge-utils


Add stanzas to /etc/network/interfaces that create an in-host bridge containing the dummy interface.
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0



Load one dummy interface and restart networking.
# modprobe dummy
# /etc/init.d/networking restart




Install lxc and prerequisites.
# apt-get install lxc
which also installs debootstrap, libcap2-bin and libpam-cap.

Mount control groups hierarchy now and at boot.
# mount /sys/fs/cgroup/
# echo "cgroup /sys/fs/cgroup  cgroup  defaults  0  0" >> /etc/fstab


Check your kernel for lxc support.
# lxc-checkconfig


Get the squeeze template.
# wget https://raw.githubusercontent.com/ipduh/lxc-squeeze/master/lxc-squeeze -O /usr/share/lxc/templates/lxc-squeeze


Make the template executable.
# chmod 755 /usr/share/lxc/templates/lxc-squeeze


Create the Squeeze Container.
# lxc-create -n squeezie -t squeeze


Start the container in the background.
# lxc-start -n squeezie -d


Console into the squeezie container.
# lxc-console -n squeezie

Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Debian GNU/Linux 6.0 squeezie tty1

squeezie login: root
Password: 
Linux squeezie 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

root@squeezie:~#
The password set by the template is squeezie.
Alternatively, you may ssh to squeezie from the host.

Change the root password.
root@squeezie:~# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully



Give Temporary Internet Connectivity to the Squeeze Container.
root@squeezie:~# route add default gw 172.16.17.18
and on the host
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 172.16.17.0/25
To disable the Internet connectivity, reset your firewall, e.g.
# /etc/bif


Forward the application's TCP ports e.g. for port 80 and port 443.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.17.16:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.17.16:443
20141118

linux dummy interface



Linux Pseudo Device i.e. Dummy Interface Notes.



Create interface dummy0.
# modprobe dummy


To create 3 pseudo interfaces (when more dummies are needed):
# rmmod dummy
# modprobe dummy numdummies=3

Set the pseudo interfaces' MAC addresses.
# ifconfig dummy0 hw ether fc:de:ad:be:ef:10
# ifconfig dummy1 hw ether fc:de:ad:be:ef:11
# ifconfig dummy2 hw ether 00:00:0c:f0:00:0d
(: 00:00:0c:f0:00:0d :)

Set the pseudo interfaces' IP addresses.
# ifconfig dummy0 172.16.17.18/25
# ifconfig dummy1 172.16.17.19/25
# ifconfig dummy2 192.0.2.8/26


Show dummy0 configuration.
# ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr fc:de:ad:be:ef:10  
          inet addr:172.16.17.18  Bcast:172.16.17.127  Mask:255.255.255.128
          inet6 addr: fe80::fede:adff:febe:ef10/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:210 (210.0 B)


Create a bridge.
# brctl addbr etherisland


Set forwarding delay to 0 seconds.
# brctl setfd etherisland 0


Add the dummy0 and dummy1 dummies to the bridge.
# brctl addif etherisland dummy0 dummy1


List bridge(s).
# brctl show
bridge name bridge id          STP enabled interfaces
etherisland 8000.fcdeadbeef10  no          dummy0
                                           dummy1


Make an in-host ethernet island (a bridge that contains a pseudo interface) persistent across reboots.

Load dummy module (with numdummies=1) at system startup.
# echo dummy >> /etc/modules


The /etc/network/interfaces stanzas.
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0
  bridge_hello 1
