move kvm guest notes

Move (not live migration) a KVM VM from a host B to a host C.

Assuming that the guest VM is bridged and that both KVM hosts are in the same ethernet segment.

Shutdown guest VM.

Copy guest VM image from host B to host C.
b# scp /vm/vm2.qcow2 root@c:/vm

Dump XML definition and copy it to the destination host.
b# virsh dumpxml vm2 > vm2.xml
b# scp vm2.xml root@c:/etc/libvirt/qemu

On host C (the destination host) define the quest xml definition.
c# virsh define /etc/libvirt/qemu/vm2.xml
Domain vm2 defined from /etc/libvirt/qemu/vm2.xml

Start VM guest on the destination system.
c# virsh start vm2
Domain vm2 started

Disable autostart for the VM guest in B (the original host).
b# virsh autostart vm2 --disable
Domain vm2 unmarked as autostarted

Enable autostart for the moved VM guest in C (the destination host).
c# virsh autostart vm2
Domain vm2 marked as autostarted

Move KVM guest to another Host


install debian-packaged awstats

Notes on installing and using debian-packaged AWStats to analyze Apache logs.

Install debian packaged awstats ( now v7.0 )
# apt-get install awstats

I would use the following setup in apache2 installations with site(s) or virtual host(s) that belong to the same person-organization and I would NOT use it in a shared hosting environment.

Get the apache configuration file.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf -O /etc/apache2/conf.d/awstats.conf

Restart Apache.
# /etc/init.d/apache2 restart

Enable ipduh_intel awstats plugin and disable PTR lookups.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf.local -O /etc/awstats/awstats.conf.local
IP numbers relay much more information than PTR names and PTR names can be (and commonly are) abused-manipulated.

Install the ipduh_intel awstats plugin.
# wget https://raw.githubusercontent.com/ipduh/awstats_plugins/master/ipduh_intel.pm -O /usr/share/awstats/plugins/ipduh_intel.pm

Create the apache password file and add the user 'user' with password 'userpass'
# htpasswd -cb /etc/awstats/A2Passwords user userpass
Add the user 'user2' with password 'user2pass' to the apache passwords file
# htpasswd -b /etc/awstats/A2Passwords user2 user2pass

Create an awstats configuration file for each (virtual) host in /etc/awstats. The configuration files should have the form awstats.host.conf e.g. for a host named example.com the configuration file would be awstats.example.com.conf and it could look like the following.
Include "/etc/awstats/awstats.conf"

Analyze for first time the access logs of one host.
# cat /logs/sites/example.com/access/* >> /logs/sites/example.com/access_all
# /usr/lib/cgi-bin/awstats.pl --configdir=/etc/awstats/ -config=example.com

View the awstats analysis with a web browser at http://example.com/awstats/awstats.pl?config=example.com

Get rid of debian package cronjob
# rm /etc/cron.d/awstats


BGP as IGP with next-hop-self RR vs Fully Connected Mesh

A comparison of BGP as iGP with next-hop-self in a fully connected mesh vs BGP as iGP with next-hop-self with two Route Reflectors.

This is an effort to figure out the best of the two setups in terms of configuration and maintenance cost and it is inspired by a quest in the AWMN mailing list to find the best setup for AWMN nodes with many routers .

( AWMN is a wireless BGP internet where each wireless node has an Autonomous System Number and 1 to 15 routers with wireless interfaces. The routing within each node is done with static Routes or some iGP --usually OSPF-- or iBGP with next-hop-self. )

I assume that:

The maintenance cost is equal to the number of iBGP sessions --the number of connections in the mesh.

The total configuration cost is equal to the number of (neighbor) configuration stanzas for all iBGP connections.

The cost of adding a router is equal to the number of (neighbor) iBGP configuration stanzas needed in all the nodes in the mesh.

Get a little program that prints tables of maintenance and configuration costs for both setups.
$ wget https://raw.githubusercontent.com/ipduh/fmvsrr/master/fmvsrr.pl && chmod 755 fmvsrr.pl

Print costs for 2 to 27 routers.
$ ./fmvsrr.pl 27
N    = Number of routers
Πfm  = Maintenance Cost in a Fully Connected Mesh
Πrr  = Maintenance Cost in a Two Route Reflectors Setup
Kfm  = Total Configuration Cost in a Fully Connected Mesh
Krr  = Total Configuration Cost in a Two Route Reflectors Setup
Nfm  = Cost of adding one router in a Fully Connected Mesh
Nrr  = Cost of adding one router in a Two Route Reflectors Setup

N=2 Πfm=2  Πrr=2+  Kfm=2  Krr=2+  Nfm=2  Nrr=2+
N=3 Πfm=3  Πrr=3+  Kfm=6  Krr=3+  Nfm=6  Nrr=3
Ν=4  Πfm=6  Πrr=6  Kfm=12  Krr=9  Nfm=6  Nrr=3
Ν=5  Πfm=10  Πrr=7  Kfm=20  Krr=11  Nfm=8  Nrr=3
Ν=6  Πfm=15  Πrr=8  Kfm=30  Krr=13  Nfm=10  Nrr=3
Ν=7  Πfm=21  Πrr=9  Kfm=42  Krr=15  Nfm=12  Nrr=3
Ν=8  Πfm=28  Πrr=10  Kfm=56  Krr=17  Nfm=14  Nrr=3
Ν=9  Πfm=36  Πrr=11  Kfm=72  Krr=19  Nfm=16  Nrr=3
Ν=10  Πfm=45  Πrr=12  Kfm=90  Krr=21  Nfm=18  Nrr=3
Ν=11  Πfm=55  Πrr=13  Kfm=110  Krr=23  Nfm=20  Nrr=3
Ν=12  Πfm=66  Πrr=14  Kfm=132  Krr=25  Nfm=22  Nrr=3
Ν=13  Πfm=78  Πrr=15  Kfm=156  Krr=27  Nfm=24  Nrr=3
Ν=14  Πfm=91  Πrr=16  Kfm=182  Krr=29  Nfm=26  Nrr=3
Ν=15  Πfm=105  Πrr=17  Kfm=210  Krr=31  Nfm=28  Nrr=3
Ν=16  Πfm=120  Πrr=18  Kfm=240  Krr=33  Nfm=30  Nrr=3
Ν=17  Πfm=136  Πrr=19  Kfm=272  Krr=35  Nfm=32  Nrr=3
Ν=18  Πfm=153  Πrr=20  Kfm=306  Krr=37  Nfm=34  Nrr=3
Ν=19  Πfm=171  Πrr=21  Kfm=342  Krr=39  Nfm=36  Nrr=3
Ν=20  Πfm=190  Πrr=22  Kfm=380  Krr=41  Nfm=38  Nrr=3
Ν=21  Πfm=210  Πrr=23  Kfm=420  Krr=43  Nfm=40  Nrr=3
Ν=22  Πfm=231  Πrr=24  Kfm=462  Krr=45  Nfm=42  Nrr=3
Ν=23  Πfm=253  Πrr=25  Kfm=506  Krr=47  Nfm=44  Nrr=3
Ν=24  Πfm=276  Πrr=26  Kfm=552  Krr=49  Nfm=46  Nrr=3
Ν=25  Πfm=300  Πrr=27  Kfm=600  Krr=51  Nfm=48  Nrr=3
Ν=26  Πfm=325  Πrr=28  Kfm=650  Krr=53  Nfm=50  Nrr=3
Ν=27  Πfm=351  Πrr=29  Kfm=702  Krr=55  Nfm=52  Nrr=3

When the full mesh topology is used in a node with 10 routers the configuration and maintenance cost is ~4.5 times larger from a two-route-reflectors setup and the 11th router would cost me ~20 configuration stanzas and logging in 11 routers instead of ~3 stanzas in three routers ...

Full Mesh vs Route Reflectors


TSIG authenticated zone transfers in Bind

Notes on setting up secret key authenticated TSIG zone transfers in Bind 9.8.

Create an 128b HMAC-SHA256 of type HOST key to use as the shared secret.
# dnssec-keygen -a hmac-sha256 -b 128 -n HOST gemlocgem

The previous command creates two files.
# ls Kgemlo*
Kgemlocgem.+163+12752.key  Kgemlocgem.+163+12752.private

The 128b base-64 string we need for the shared secret is in both files.
# cat Kgemlocgem.+163+12752.key
gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg==

Create a named.conf.keys file.
# cat named.conf.keys

key gemlocgem. {
  algorithm hmac-sha256;
  secret  "Wh47ever64iPdUhb9nd8hg==";

Make secret and named.conf.keys files non-readable by all in this system.
# chmod 640 Kgemlocgem.+163+12752.*
# chmod 640 named.conf.keys

Send named.conf.keys to the slave.
# toprod named.conf.keys

Include named.conf.keys and add server-key stanza in the named.conf of the server at
# cat named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server {
  transfer-format many-answers;
  keys { gemlocgem.; };

One of the name servers ( e.g. the slave) is at and the other name server at

The named.conf file in the other server.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server {
  transfer-format many-answers;
  keys { gemlocgem.; };

Adjust allow-updates and allow-transfer directives to use TSIG in the options of both servers e.g.
  allow-transfer { key gemlocgem. ; };
  allow-update { key gemlocgem. ; };
You may use and other allow-transfer directives that specify IP addresses.

The systems used.
# named -v
BIND 9.8.4-rpz2+rl005.12-P1
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l


TSIG authenticated zone transfers between Bind Servers


Change hostname in debian

A better way to change the hostname in debian systems.

# hostname -f

Sanity-check the list of /etc/* files in which the hostname appears.
# cd /etc
# grep -ril `hostname -f` /etc |tee hostname.files.list
The above list seems fine but imagine what it would happen if the hostname was eth or work.

Save each file that contains the hostname to file.0 and replace geminus (old hostname) with gem (new hostname).
# perl -i.0 -p -e 's/geminus/gem/g;' `cat ./hostname.files.list`

Restart services (ssh and exim in this case) or better reboot the system if you can afford it.
# reboot

Change the hostname in debian systems


LXC container start at boot

Start a Linux Container at boot time

See the containers ' status.
# lxc-list



Link the container's config file to /etc/lxc/auto so it starts at boot time.
# ln -s /var/lib/lxc/squeezie/config /etc/lxc/auto/squeezie
squeezie is the name of the container.

Test if you can afford to reboot the host.
# reboot


# lxc-list 
  squeezie (auto)



start a LinuX Container at boot


change container root password from the host

Change a container's root password (you forgot) from the host.

I think that the easiest way is to run passwd chrooted to the container's root.

e.g. for the squeezie host created by the squeeze template
# chroot /var/lib/lxc/squeezie/rootfs/ passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Change a container's root password from the host


squeeze container on a wheezy host

Notes on putting a Debian squeeze Linux Container on a Debian Wheezy host.

The requirement; the Squeeze system in the container runs a TCP/IP application that should be accessible only by the host.

Create a bridge between a dummy network interface and the network interface used by the container.

Load dummy module (with numdummies=1) at startup.
# echo dummy >> /etc/modules

Install the Linux ethernet bridge utilities.
# apt-get install bridge-utils

Add stanzas that create an inhost bridge that contains a dummy to /etc/network/interfaces
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0

Load one dummy interface and restart networking.
# modprobe dummy
# /etc/init.d/networking restart

Install lxc and prerequisites.
# apt-get install lxc
which also installs debootstrap libcap2-bin and libpam-cap.

Mount control groups hierarchy now and at boot.
# mount /sys/fs/cgroup/
# echo "cgroup /sys/fs/cgroup  cgroup  defaults  0  0" >> /etc/fstab

Check your kernel for lxc support.
# lxc-checkconfig

Get the squeeze template.
# wget https://raw.githubusercontent.com/ipduh/lxc-squeeze/master/lxc-squeeze -O /usr/share/lxc/templates/lxc-squeeze

Allow execution to all.
# chmod 755 /usr/share/lxc/templates/lxc-squeeze

Create the Squeeze Container.
# lxc-create -n squeezie -t squeeze

Start the container in the background.
# lxc-start -n squeezie -d

Console into the squeezie container.
# lxc-console -n squeezie

Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Debian GNU/Linux 6.0 squeezie tty1

squeezie login: root
Linux squeezie 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

The password set by the template is squeezie.
Alternatively, you may ssh to squeezie from the host.

Change the root password
root@squeezie:~# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Give Temporary Internet Connectivity to the Squeeze Container.
root@squeezie:~# route add default gw
and in the host
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s
To disable the Internet Connectivity reset your Firewall e.g.
# /etc/bif

Forward the application's TCP ports e.g. for port 80 and port 443.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to

Squeeze LXC on Wheezy


linux dummy interface

Linux Pseudo Device i.e. Dummy Interface Notes.

Create interface dummy0.
# modprobe dummy

I need (more dummies)
# rmmod dummy
# modprobe dummy numdummies=3
to Create 3 pseudo interfaces.

Set the Pseudo Interface(s ') MAC address(es).
# ifconfig dummy0 hw ether fc:de:ad:be:ef:10
# ifconfig dummy1 hw ether fc:de:ad:be:ef:11
# ifconfig dummy2 hw ether 00:00:0c:f0:00:0d
(: 00:00:0c:f0:00:0d :)

Set the Pseudo Interface(s ') IP address(es).
# ifconfig dummy0
# ifconfig dummy1
# ifconfig dummy2

Show dummy0 configuration.
# ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr fc:de:ad:be:ef:10  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::fede:adff:febe:ef10/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:210 (210.0 B)

Create a bridge.
# brctl addbr etherisland

Set forwarding delay to 0 seconds.
# brctl setfd etherisland 0

Bridge dummy0 and dummy1 dummies.
# brctl addif etherisland dummy0 dummy1

List bridge(s).
# brctl show
bridge name bridge id          STP enabled interfaces
etherisland 8000.fcdeadbeef10  no          dummy0

Make an ethernet inhost island --a bridge that contains a pseudo interface-- stick.

Load dummy module (with numdummies=1) at system startup.
# echo dummy >> /etc/modules

The /etc/network/interfaces stanzas.
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0
  bridge_hello 1

Linux pseudo interface i.e. dummy