Xen Virtual Machine

I have been using UML for quite a while now. Unlike most people, my main reason for using it is security. You can run a UML instance inside a chrooted environment as an unprivileged user, which is a bonus because it's still a grey area whether people can break out of a UML instance over the wire and remain connected (correct me if I am wrong). Breaking out into a chroot (/) as a user with no privileges would definitely add another barrier to entry (I am not saying it can't be broken, just that the guy cracking it is on a different level from the normal script kiddie, at least until it becomes common knowledge how to do it).
Of course using UML has a price: it's slow. The main problem with UML is IO. It's really crap with high-IO applications like databases. I tried it with PostgreSQL and it was awful. Too much context switching.
I had heard of Xen on the grapevine and decided to have a look at it to see if it would be any faster, and I was pleasantly surprised to find that it is as easy to install as a new kernel. It was at this point that I really kicked myself: Xen as it stands today (version 2.0.7) does not support SMP, so I would be losing a processor by using it. Unfortunately this is not acceptable on the machine I am on, so I decided to postpone my foray into Xen and stick with UML for the time being on this box, or at least until Xen domain 0 can support an SMP machine.
I am, however, tempted to invest in a single-proc machine and run Xen on it. I am confident that Xen does what it says on the tin and that the performance gains over UML are substantial, but I would rather run a vanilla machine on a dual proc than lose one of them.

Moving from Lilo to Grub

Is a pain in the ass, or at least it was for me. I have been a die-hard lilo fan for a fair while, but I wanted to try Xen, which meant I needed to use Grub. The biggest problem I had was not realizing that if your grub.conf file is missing then you need to boot manually from the grub command line. The command line is actually quite simple once you know the steps to boot your machine (if you get a VFS error you probably don't have your file system built into your kernel; try again).
Not knowing how the hell root (hd0,0) and root=/dev/sda2 in

title blah
root (hd0,0)
kernel /vmlinuz-nnnnnn root=/dev/sda2

related to each other, I created 4 entries in /boot/grub/grub.conf and tried each in turn until I realized that root (hd0,0) is the partition my /boot files are on, and root=/dev/sda2 is the actual root file system. Would it not have been simpler doing

title blah
boot (hd0,0)
kernel /vmlinuz-nnnnnn root=/dev/sda2

Software Raid

I created identical partition tables on my two SATA disks, or rather I made /dev/sdb identical to /dev/sda, because my current root file system resides on /dev/sda2 and /boot/ is on /dev/sda1:
/dev/sda1 == 200MB /boot/
/dev/sda2 == 2GB /
/dev/sda3
/dev/sdb1
/dev/sdb2
/dev/sdb3
I then ran the following command.

mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3

To make sure everything is running properly:

cat /proc/mdstat
Personalities : [linear] [raid0] [raid1] [raid5] [multipath]
md0 : active raid1 sdb3[1] sda3[0]
      196996992 blocks [2/2] [UU]
      [==>..................]  resync = 10.3% (20347136/196996992) finish=46.4min speed=63318K/sec
unused devices: <none>

The next step, once the resync is finished, is to use LVM to set myself up some areas to work in.
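As an added example, not code from the original post, here is a small parser for the /proc/mdstat format shown above that turns it into a health verdict per array, so the "is everything running properly" check can be scripted (for a cron job, say) rather than eyeballed. The sample text is constructed from the output above plus a second, deliberately degraded array.

```python
import re

# Constructed sample: the md0 output from above plus an md1 mirror missing one half.
SAMPLE_MDSTAT = """\
Personalities : [linear] [raid0] [raid1] [raid5] [multipath]
md0 : active raid1 sdb3[1] sda3[0]
      196996992 blocks [2/2] [UU]
      [==>..................]  resync = 10.3% (20347136/196996992) finish=46.4min speed=63318K/sec
md1 : active raid1 sda2[0]
      2096064 blocks [2/1] [U_]
unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\S+) (\S+) (.*)$")      # "md0 : active raid1 sdb3[1] sda3[0]"
MEMBERS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")     # "[2/2] [UU]"
PROGRESS_RE = re.compile(r"(resync|recovery|reshape|check) = ([\d.]+)%")

def parse_mdstat(text):
    """Return {array name: info dict} for every md device listed in the text."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            current = arrays[name] = {"state": state, "level": level, "devices": rest.split(),
                                      "wanted": None, "active": None, "missing": 0, "progress": None}
            continue
        if current is None:
            continue
        m = MEMBERS_RE.search(line)
        if m:  # the blocks line: wanted members, active members, per-slot U/_ map
            current["wanted"], current["active"] = int(m.group(1)), int(m.group(2))
            current["missing"] = m.group(3).count("_")
        m = PROGRESS_RE.search(line)
        if m:  # a resync/recovery line is only present while one is running
            current["progress"] = (m.group(1), float(m.group(2)))
    return arrays

def health(arrays):
    """Map each array to 'degraded', 'resyncing' or 'ok'; degraded wins over resyncing."""
    result = {}
    for name, info in arrays.items():
        if info["missing"] or info["state"] != "active":
            result[name] = "degraded"
        elif info["progress"]:
            result[name] = "resyncing"
        else:
            result[name] = "ok"
    return result
```

On a live box, feed it the real file with health(parse_mdstat(open("/proc/mdstat").read())) and alert on anything that is not "ok".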

isd200_get_inquiry_data

If you are compiling a Linux kernel and it fails complaining about
isd200_get_inquiry_data
ide_fix_driveid
make sure that
CONFIG_USB_STORAGE_ISD200=n
when
CONFIG_USB_STORAGE=y

pxe Linux Install

I recently purchased a dual Opteron HP ProLiant and decided today to install Debian on it. The first problem is that there is no CD/DVD drive in it. I know I could have just ripped one out of another PC, but I decided to do things a bit differently.
Basically I wanted to install Debian on the machine, and the simplest way to do this if we are not allowed to use a CD is to use PXE and some ingenuity.
These are a rough set of steps I followed.

apt-get install tftp-hpa tftpd-hpa

You will also need a DHCP server and a resolver:

apt-get install dnsmasq dhcpd

mkdir /tftpboot

Grab the Debian net install bits:

cp netboot.tar.gz /tftpboot/
cd /tftpboot/
tar -zxvf netboot.tar.gz
chown -R nobody:nogroup /tftpboot/*

Edit /etc/xinetd.conf and add the following:

service tftp
{
    disable = no
    socket_type = dgram
    protocol = udp
    wait = yes
    user = root
    server = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
}

/etc/init.d/xinetd restart

Add the following to /etc/dhcp3/dhcpd.conf:

host box2 {
    hardware ethernet 00:00:1a:19:4e:7c;
    filename "pxelinux.0";
    fixed-address 192.168.1.10;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.20 192.168.1.30;
}

Add the following to /etc/dnsmasq.conf:

interface=eth1
dhcp-host=00:00:1A:19:4E:7C,box2

For those using an iptables firewall:

iptables -A OUTPUT -p udp -o eth1 -j ACCEPT
iptables -A INPUT -p udp -i eth1 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --sport 53 -j ACCEPT

Note that the first two rules already accept all UDP in and out on eth1, so the port-specific DHCP and DNS rules after them never get a chance to match; for a tighter policy, drop the two blanket rules and keep only the port-specific ones.

Set the client machine to use network boot and restart it, and hey presto, a Debian installer. I chose linux26 at this point because I am using SATA disks with an Adaptec 1210SA controller.

ssh Notes

I had an odd problem using ssh that stumped me for a bit. Using ssh -vvv user@host and cutting out all the fluff, we see that normally (when using a public key) we get something like the following:
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug3: no such identity: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa
debug1: Offering public key: /home/user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok:
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
...
I noticed that I had changed the perms on the user's home directory from
drwxr-xr-x 33 user user 2048 Aug 14 18:57 user
to
drwxrwxr-x 33 user user 2048 Aug 14 18:57 user
This meant that I lost access using public keys. The verbose output with this error is as follows:
...
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug3: no such identity: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa
debug1: Offering public key: /home/user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
...
Removing group writable permissions from the users home directory solved the problem.
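An added example, not from the original post, that reproduces the ownership and permission test sshd applies under StrictModes (the default) before it will trust ~/.ssh/authorized_keys: it builds a throwaway home directory with the drwxrwxr-x mode from above, then with the corrected mode, and reports what sshd would object to. It assumes a Unix host and only checks the home directory, ~/.ssh and authorized_keys, whereas sshd also walks the parent directories.

```python
import os
import stat
import tempfile

def strict_modes_findings(home, uid=None):
    """List the problems sshd's StrictModes check would reject for this home.

    Looks at the home directory, ~/.ssh and ~/.ssh/authorized_keys: each must
    not be writable by group or others and, when uid is given, must be owned
    by uid (or root). An empty list means key-based login would be allowed.
    """
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.filemode(st.st_mode)
        if uid is not None and st.st_uid not in (uid, 0):
            findings.append(f"{path}: owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{path}: group-writable ({mode})")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable ({mode})")
    return findings

def demo():
    """Build a throwaway home; return (findings while broken, findings after the fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "user")
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as f:
            f.write("ssh-dss AAAA...placeholder... user@host\n")  # constructed, not a real key
        os.chmod(ssh_dir, 0o700)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
        os.chmod(home, 0o775)   # drwxrwxr-x: the state that silently broke key login
        broken = strict_modes_findings(home, os.getuid())
        os.chmod(home, 0o755)   # drwxr-xr-x: the fix from the post
        fixed = strict_modes_findings(home, os.getuid())
    return broken, fixed

if __name__ == "__main__":
    broken, fixed = demo()
    print("before fix:", broken or "no findings")
    print("after fix: ", fixed or "no findings")
```

Run strict_modes_findings("/home/user", uid) against a real account to see the same reason sshd would log (with LogLevel VERBOSE) when it ignores the key.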