|
|
Below is a sample script to configure the ssh STONITH agent for the Heartbeat system. STONITH will reboot nodes when things go wrong to restore the integrity of the cluster.
The STONITH test program supports the -n option to list parameters and the -l option to list nodes. The following is an example of using it with the ssh agent:
# stonith -t ssh -n
hostlist
# stonith -t ssh hostlist="node-0 node-1" -l
node-0
node-1
The hostlist tuple is the only configuration option for ssh. It is assumed that you have passwordless ssh logins allowed between root on all the nodes in the cluster so the host name list is all that’s needed.
The important thing to note about the constraint is that you are constraining the parent of the clones (which in this example has an ID of “DoFencing“) not a clone instance.
ssh is the simplest and in many ways least useful method of STONITH, but it’s good for an example as everyone knows it. Once you get ssh going it’ll be trivial to get the other methods working.
See below for the script to insert the XML in the CIB.
Continue reading Heartbeat version 2.0 CIB STONITH example configuration
Having read paypalsucks.com I am concerned about the safety of my money if I was to chose to do business with them. However there are many ways of making money by using them.
Does Paypal still suck? If so are there any other better options? The merchantinc.com recommended by paypalsucks.com seems to only cater for business customers.
After reading advice from ProBlogger I have become convinced that I should create separate blogs for some of the content that is currently on my blog. The first such blog that I will create will be about computer security. Naturally it will cover SE Linux to some degree, but the exact focus is something I have not yet determined.
Here are the options I’m considering:
- The exact topic to be covered, computer security is a broad area, choosing which sub-topics to focus on and which users to present it to is a difficult task.
- The length of the articles, this will to some degree depend on the posting frequency. If I am going to post 4+ times per week then most of the posts would be small. But for one or two posts per week I could make them 1000+ word posts.
- The mix of news, educational material, and background information. I think that all of these areas are important, and to some extent the mix will depend on what news happens and what technologies I am involved in developing, testing, and using. But I will have a plan as to what to present and on days when there is little news and I have not worked on anything exciting I will find new material to write about based on the plan.
-
The use of code snippets in a blog? It’s easy to split the post and have the feed not include the source code, would that be of interest or would you rather have the complete post in the feed for offline reading?
Also if you have any other suggestions for blogs that you would read if I was to write them then plese send them in via a blog comment or email.
Faye and I have created Cafepress stores selling shirts and other things with SE Linux logos, here are the two designs:
There are shirts, coffee mugs, mouse-mats, and other things. The designs feature a graphical representation of MLS security and a variety of text about SE Linux. There are also some baby shirts etc.
If you have any ideas for other SE Linux shirts then please let me know by private mail. I’ll give a free shirt to anyone who has an idea that I implement.
I have now got a Debian Xen domU running the strict SE Linux policy that can boot in enforcing mode. I expect that tomorrow I will have it working with full functionality and that I will be able to run another SE Linux Play Machine in the near future.
After getting the strict policy working I want to build a Debian kernel with CONFIG_AUDITSYSCALL and an audit package so that I can audit system calls that an application makes and also so that the auditd can collect the SE Linux log messages. Other people have talked about packaging audit for Debian, hopefully one of them will do it first and save me the effort, but it shouldn’t be too difficult to do if they don’t.
Then I need to investigate some options for training people about SE Linux. As I don’t currently have the bandwidth for serving large files I’m thinking of basing some SE Linux training on Xen images from the jailtime.org repository. My rough plan at the moment is to have people download Xen images, run through them while consulting a web page, and ask questions on an IRC channel. I’m not sure what the demand will be for this but some web pages teaching people about SE Linux will be a useful resource even if the IRC based training doesn’t work out.
Another thing I want to do is to get PolyInstantiated Directories working in Debian. The pam_namespace.so module needed for this is written for a more recent version of PAM, so I might just work on merging the Debian patches with the latest upstream PAM instead of back-porting the module to the ancient Debian PAM.
A few weeks ago Dell advertised new laptops for $849AU, this was a significant development but I didn’t get around to blogging about it. Now I have just discovered that they have a special deal for $799AU for a laptop including delivery! This is an amazing deal and gives you an AMD Sempron 3500 CPU (not a really fast CPU and only 32bit, but it’s faster than the 1.7GHz Pentium-M that is currently satisfying all my requirements for portable computing), 512M of RAM, an 80G hard drive and a 1280×800 display.
It’s far from a high-end laptop (having a lower screen resolution and less RAM than my 3yo Thinkpad) but it will suffice for most things you might want to do on the move apart from running Xen.
The exciting thing about this is that as it’s so cheap that most people will probably choose it in preference to a desktop system – the cheapest desktop system that Dell currently offers as a package is $898. The cheap desktop has a dual-core Athlon64, 1G of RAM, and a 160G hard drive. But for most tasks other than games such things aren’t really required.
Also a local PC company Suntrom has advertised a new Lenovo Thinkpad with a Celeron-M 1.5GHz, 256M of RAM, 1024×768 display, and a 40G hard drive for $799. The Thinkpad has considerably less compute power than the Dell laptop, but it is a bit cheaper. If Lenovo has maintained the Thinkpad quality (while IBM owned the brand Thinkpad was the Rolls-Royce of laptops) then it would probably be the better choice.
On many occasions I have heard people say that they want a laptop computer to save space. When a desktop machine cost $1200 and a laptop cost $3500 that idea was ridiculous. But now that a laptop appears to be the cheapest system in the Dell range on sale in Australia that would be quite a reasonable criteria for purchases. Of course the extra sales of laptops will help fund further laptop technology developments (such as flash storage) that will be of use to those of us who are serious about computing and use laptops they way that they were intended.
I have been “name dropped“. ;)
It seems that I even beat Keith Owens (*) who works in the same office, but maybe Dave hasn’t met him yet…
(*) I can name drop too!
Apparently they are planning a reality TV show that might be named “Kids Nation” where 40 children are allowed to develop their own society for 40 days. The claims are that there is “no parental supervision”, but of course with many TV cameras watching I’m sure that even the most stupid children can work out that there are reasons to behave relatively well. Also I’m sure that they will remove children from the show if it becomes necessary to avoid injury.
It will be interesting to see how well this develops. Maybe it could evolve into a new form of schooling, just leave children alone in a school with lots of security cameras watching them and let them study or not as they wish. It would be cheaper than running a regular high-school, and as there is little scope for providing a worse education than many (most?) high-schools currently provide it should be worth a try.
For a long time I have thought that the premise behind The Lord of the Flies was bogus. I believe that a major contributing factor towards much of the violence that is present in schools is the pointlessness of the entire system. There are very few students who are so stupid that they can’t realise that the education system is failing them. Whenever you put a large number of people in a confined space with nothing useful to do the results will be bad. If a group of students from a violent school were placed on an island without any supplies then I’m sure that they would soon realise that they need to cooperate to stay alive.
Update:
It seems that the Sudbury Valley school implements some ideas similar to mine. They also have a page of links to some other schools that do similar things.
From reading my web stats yesterday it seems that one Planet has polled by blog feed 1693 times over the first 14.25 days of this month. This is about 5 polls per hour. Another Planet has polled my blog 994 times for an average of about 3 hits per hour.
How frequently does it make sense to poll blogs? Speaking for myself I think that waiting an extra 10 minutes to see my latest blog post isn’t going to hurt anyone, and encouraging Planet readers to reload the page so frequently probably isn’t doing them a favour either.
For my own personal Planet installation (which mainly aggregates other Linux Planets for my own personal use) I have it poll the feeds every four hours. For a Planet installation designed for general readership it would make sense to have it poll more frequently. Maybe once every hour or once every half-hour.
When I initially set up my own planet installation I aggregated the entire feed list of Planet Debian and Planet Linux Australia and it generally took between 10 and 30 minutes to poll all the feeds with 20 minutes being common (Planet does not support parallel downloads). So for a moderate sized Planet with frequent polling you might have one poll end after the next cron job for a poll has begun.
It’s a pity that Planet doesn’t support pings. Will the next version do so? I would rather have my blog ping the Planets that I know of that aggregate my content and save thousands of needless polls while also giving a faster update.
Finally if you need a fast response for a dialogue then probably blogs and Planets are not the communication mechanism to use, a mailing list would probably be more appropriate.
Currently I am considering the priority scheme to use for some highly available services running on Linux with Heartbeat.
The Heartbeat system has a number of factors that can be used to determine the weight for running a particular service on a given node. One is the connectivity to other systems determined by ping (every system that is pingable can add a value to the score), one is the number of failures (every failure deducts a value from the total score), one is the weight for staying on the same node (IE if the situation changes and the current node is not the ideal node you might not want to immediately move the service to a different node as that gives some seconds of no service), and one is the preference for each node that may run the service.
For a given node to run a particular service then the score has to be greater than all other nodes and also greater than zero. If all nodes have a score that is zero or less then the service will not run.
Now in the case of a service that repeatedly fails (EG a filesystem mount that relies on a hardware RAID which is not connected) then what should we do? One option is to have the score for running on a particular node be for example 100 times the value that is subtracted on failure. In this case after 100 failures on that node (and an appropriate number of failures on other nodes which are permitted to run the service) it will be disabled. Then the service has to be explicitly re-enabled (or a node rebooted) before it will run again.
The other option would be to have the value that is subtracted on failure be less than a billionth of the score for running on a particular node, so that the service will keep trying to start for the next few hundred years. The up-side of this is that there is less fiddling required, the down-side is that some CPU and disk resources will be kept active in repeatedly starting the service.
Now I have to decide which option to take in this regard, any comments would be appreciated.
|
|
