I believe that an ideal installation process for Linux would have the option of performing a Xen install.
The basic functionality of installing the Xen versions of the required packages (the kernel and libc), the Xen hypervisor, and the Xen tools is already done well in Fedora and it’s an option to install them in Debian. But more than that is required.
Xen has two options for networking, bridging and routing. The bridging option can be confusing to set up and changing a system from routed to bridged networking once it’s running is a risky process. I have documented the basic requirements for running bridging in a previous post, but it would be better if there was an option to have Xenbr0 as the primary device from the initial install – and there are non-Xen reasons for doing this so it would be a more generally useful feature.
Another common requirement for a Xen server is to have a DVD image on the local hard drive for creating new DomU’s. If we are going to need a copy of the DVD on the local hard drive for Xen installation and we need data from the DVD for the Dom0 installation then it makes sense to have one of the early installation tasks (immediately after running mkfs) be to copy the contents of the DVD to the hard drive. Hard drives are significantly faster than DVDs – especially for random access. It would also avoid the not uncommon annoyance of getting part way through an install only to encounter a DVD or CD read error…
Here are some reasons for running Xen (or an equivalent technology) when not running more than one DomU:
- Avoid problems booting. Everyone who has spent any significant amount of time running servers has had problems where machines don’t boot. Even with a capable out of band management option such as the HP ILO it can be unreasonably inconvenient to fix such problems. Separating the base hardware management tasks of the OS from the user process management tasks makes recovery much easier. If a DomU stops booting then it’s easy to mount it on the Dom0 and chroot into it to discover the problem.
- Easier upgrades. Often you have users demand that you install software that only works with a newer version of the OS. You can install the new version under a different DomU, test it, and then replace the old DomU when you think it’ll work – this gives a matter of minutes of down-time instead of hours for the upgrade. If the upgrade doesn’t work then you destroy the DomU and create one for the old version. Running two versions of the OS at the same time with NFS shares for the data files is also possible.
- Security. If a DomU gets cracked the Dom0 will not necessarily be compromised; this puts you in a good position to track down what the attackers have done. You can get a dump of the DomU’s memory to enable experts to examine what the attackers were doing. Reinstalling a DomU to replace data potentially corrupted by an attacker is much easier than reinstalling an entire machine.
Even in situations when reason #2 was the motivation for installing Xen I believe that most systems will want to have a Xen DomU running the same version as the Dom0 for the initial install. Therefore integrating the installation process would make things easier. Among other benefits if you have a server with multiple CPUs (the minimum number seems to be two CPUs on all recent machines) and hardware RAID then doing two installations at the same time is likely to give better performance overall. Also I believe that it will often be the case that the Dom0 will exist purely to support DomU’s, therefore if you only install the Dom0 then you have done less than half the installation!
For a manual installation there are some reasons for not doing this all at the same time. Having the sys-admin enter configuration data for some DomU’s at the same time as the Dom0 can get confusing. However for an automated install this would be desirable. I would like to boot from a CD and have the installation process take all configuration from the network (either via NFS or HTTP) and then perform the complete installation of the Dom0 and the DomU’s automatically.
Let me know what you think of these ideas, it’s just at the conceptual stage at the moment.
In a default configuration of Xen there will be a virtual Ethernet device created for each interface which will be associated with a bridge. A previous post documented how to configure a bridge named xenbr0.
The basic configuration of Xen that most people use is to have a single virtual Ethernet port for each Xen instance and have them all connected to the one bridge, and then the Dom0 will have an IP address on the bridge interface that is used for routing packets to the outside world. This works really well if you have a subnet that you are using for all Xen DomU IP addresses, if you are using NAT for communication, or if the DomU needs no communication outside the Dom0 and other DomU’s on the same machine (a common case for testing).
But if you have a collection of servers that you want to consolidate on a single piece of hardware then you end up using a single sub-net that spans some physical machines, some Xen Dom0’s, and some DomU’s. The solution to this is to use bridged networking.
Unfortunately most documentation of bridged networking is really confusing, and none of my Google searches turned up the most relevant fact:
When setting up a bridge on the local Ethernet you must make your physical ethernet device (eth0 or whatever) be strictly a slave to the bridge and then assign the IP address used for the physical network to the bridge.
ifconfig eth0 up
brctl addif xenbr0 eth0
For example if you have 10.0.0.42 being the IP address used by the Dom0 on the local Ethernet via device eth0 and you want to use bridging for DomU’s then you simply make eth0 owned by xenbr0 (the typical name for the Xen bridge) with the above commands in your script to configure the xenbr0 device. Then treat xenbr0 in the same way that you treated eth0 before enabling bridging.
Also there’s nothing stopping you from having one bridge for DomU’s that can talk directly to the physical Ethernet and another for DomU’s that are only to use routed networking, see my previous post about using multiple ethernet devices in Xen for more background information.
This article in The Age about Mohamed Haneef shows the terrorist threat that we face.
The chance that I will be injured by Al Qaeda in any way is quite remote. The chance of being attacked by ASIO is a lot greater.
The main benefit of being in a democracy is having a legal system where the defendant is presumed innocent until proven guilty and where they have the right to legal representation. The war in Iraq has not brought the US or Australian system of government to Iraq, instead it is bringing Saddam Hussein’s system of government to Australia and the US.
Traditionally under the Australian and US legal systems innocent people are not punished, unlike under Saddam Hussein. Now ASIO has the authority to detain innocent civilians indefinitely if they believe that it helps them in some way – and there is no method of policing ASIO to ensure that even such excuses are met.
Traditionally under the Australian and US legal systems everyone who is accused of a crime is entitled to a trial, unlike under Saddam Hussein. Now ASIO and the CIA have been given the authority to punish anyone without a trial. ASIO can also extend the punishment to anyone who might receive evidence of such actions and publish it (I guess that the CIA can do the same).
Saddam lost the battle but his legacy is winning the war.
For the best definition of Terrorism see Noam Chomsky’s paper. The actions taken by the Australian government against the people of Iraq, foreign citizens in Australia, and almost certainly Australian citizens (it’s not credible to believe that ASIO has such powers and doesn’t use them occasionally on Australians) fit the definition of Terrorism.
Elections are coming soon, both in the US and in Australia. Whatever you do, don’t vote for Neo-Cons (Republicans in the US or Liberals in Australia).
PS Before anyone suggests that I should worry about ASIO kidnapping me in retaliation for this, I’m sure that they know of the Streisand Effect. I’ll try and avoid any unplanned down-time for my blog after this post goes out to avoid false-alarms… ;)
Update: I incorrectly wrote “guilty until proven innocent” above, that is the current Australian government policy not the way it should be.
Here’s an interesting piece in the Washington Post about what might happen when the US withdraws from Iraq.
I regret not blogging before the war started. It would have been good if I could have pointed to a blog post predicting the same thing before the invasion took place. I’ve always thought that the two possibilities for Iraq were for the country to be partitioned (which would be likely to weaken Turkey and strengthen Iran and thus be avoided by the US if possible) or run by an absolute despot.
I’m just in the process of converting a multi-user system to a Xen DomU. It was running on a stand-alone Fedora Core 5 i386 system and I want to run it on a Fedora 7 DomU under a CentOS 5 Dom0 on an Opteron system.
The first stage of the conversion was to copy an image of the Fedora Core 5 system and make it a DomU under CentOS. I had some problems getting a Fedora Core 5 Xen kernel to boot so I installed a 64bit CentOS 5 kernel with the Fedora Core 5 user-space and surprisingly everything worked. I had expected to have problems with kernel modules, but everything just worked! I had expected that the 32bit modutils would be unable to load 64bit modules, but things just worked.
The first stage was to have the old server NFS export /home and have it mounted by the Xen DomU, this worked well for about a week. The next step was to move the data on to the new server. My first attempt was to have the Dom0 running the filesystems and NFS exporting them to the DomU but this caused an OpenOffice error “Error saving the document Name: General Error. General input/output error.”.
So having 32bit Fedora Core 5 with a 64bit CentOS 5 kernel NFS mounting from a 32bit Fedora Core 5 system works well, while mounting from a 64bit CentOS 5 system fails. If anything I would have expected better results from having the same version of the kernel on NFS client and server.
The next issue is whether a 64bit Fedora 7 system in a DomU can NFS mount the data from the CentOS 5 kernel with Fedora Core 5 user-space. If not it’ll make testing the Fedora 7 upgrade significantly more painful than it might otherwise be.
If only we had a network filesystem for Unix that supported POSIX semantics.
Don Marti writes about the idea of setting a Troll-bit on forum posts such that every reply would also be flagged.
I’ve been thinking about how to solve such issues for mailing lists. I think that the way to do this is to create a new list for every contentious topic and automatically subscribe everyone who posted to the thread after the messages that were flagged as being too far off-topic. After that time anyone who tries to post to the main list with a matching subject or a header indicating that the message is a reply to an off-topic message would have their message redirected to the new list – and they would be automatically subscribed.
This would keep the off-topic messages away from the main list and also serve as a minor dis-incentive for people to post to threads that start going off-topic as most people won’t want to be subscribed to the new list for off-topic messages.
However such messages would still be archived (in a different section) so if the moderator mis-classified a thread it could still be reviewed by other people.
Also when moderating such threads it would be interesting to experiment with consensus moderation of posts. If N subscribers of the list who post regularly use a web form to indicate that a certain post was too far off-topic and should spawn a new list then that could happen.
I agree with Joey Hess’ rant about forums, so solving a problem for forums is not of interest to me, but hacking on a list server is something that I would do if I had enough spare time.
I have just been reading the LinuxWorld Community blog which seems to be mostly Don Marti’s personal blog (currently there seems to be no-one else blogging on that site).
One thing that disappointed me is that the theme designer made it look good at a width of 1000 pixels and no other size. At a smaller width the adverts on the right are cut off (more of a problem for the site owner than for the readers) and at a larger width you have a thin column of text in the middle of the screen. A quick test revealed that while my own blog looks good in wide windows it doesn’t work too well in 800 pixel width and gets very bad at lower widths – my blog would be essentially unusable at 640×480 resolution as the text column in the middle (the most important column) is the one that reduces in size. The LinuxWorld blog has a minimum size of 1000 pixels for the scaling so it allows horizontal scrolling in 640 pixel width and remains quite readable.
The top entry in a google search for web size stats is Browser News which claims that 12% of web browsers are on 800 pixel wide screens. The next link I found claims that as of January 2007 there are 26% of web users with screens that have higher than 1024×768 resolution and 14% with 800×600.
Apart from the first couple of months of blogging my blog has always looked good in screens greater than 1000 pixels wide, but not having it work at 800×600 is a problem. The first thing I did was alter the style.css file for the Blueline theme for WordPress to use 100% of the display width (not 86%). Wasting 14% of the screen width is not a good thing when using a width-intensive three-column theme. This change made my blog work well in 800 pixel width and be bearable in 640 pixel width.
The other change was to use min-width: 700px; in the style.css sections blogtitle, container, and navigation. This means that at 640 pixel width the text column will take more than 1/3 of the screen and should be quite readable (unless the reader has an unusually large font setting). The down-side to this is that if your window width is less than 700 pixels then you will have some horizontal scrolling, but I think that this is an acceptable trade-off.
I was forced to confront this issue when talking to a prospective client about the potential for blogs to be used in his business, he loaded up my blog on an ancient windows machine and it didn’t look very good at all, this coincidentally happened a few hours after I had been reading the LinuxWorld blog on a big screen.
A politician named Ron Paul is running for the Republican party nomination for president. Tech Crunch has an article about his Web 2.0 based campaign which also includes a link to a google interview with him.
Here are the good things about him:
- He strongly defends the constitution and the rule of law, so he’s not a totally bad guy (unlike many of the current politicians who believe that the US president should be able to do whatever he wishes).
- He wants to refrain from “helping” other countries with their “defense” – such help from the US has caused most of the wars and terrorism around the world since WW2.
- He wants to reduce military spending to 1/3 current levels (he could reduce it to 1/10 current levels and still be able to prevent a combined attack by Russia and China).
- He wants to restore liberty.
- He seems to be in support of repealing most drug laws – but his statements weren’t clear.
Here’s the bad:
- He wants to remove income tax and give the smallest possible government – no consumer protection laws among other things.
- He thinks that hospitals should be run by churches and have no government funded medical system.
- He doesn’t want restrictions on pharmacists who refuse to sell certain drugs (i.e. the contraceptive pill) – but with no restrictions on who can be a pharmacist such things could be bought without prescription even…
Here’s the ugly:
- He claims that guns on planes might have prevented 9-11.
Still, he’s a lot better than any other Republican who seems to be in the running.
I recently had some problems with unaligned access on IA64, messages about unaligned access were being logged via printk and I couldn’t determine the cause – or even how to track it down. To test what an unaligned access means (which wasn’t documented anywhere that a quick Google search could find) I wrote the test program in the second half of this post. Below is the output of the test program which accesses an integer at various offsets. As you can see it’s addresses that are congruent to 5, 6, and 7 mod 8 that cause the errors. As the int is 4 bytes long it seems that the cause of an unaligned access error is an access to a data type that crosses an 8 byte boundary. So a pointer or long long would have to be aligned to an 8 byte boundary, an int has to be at an address that is congruent to 4 or less mod 8, and a character can be anywhere.
Also if the sysctl /proc/sys/kernel/ignore-unaligned-usertrap is set to 1 then these messages will be disabled. But you really don’t want to do that, such errors apparently cause a significant performance loss so you want to file bug reports against programs that do this.
# ./a.out
index: 0
index: 1
a.out(10393): unaligned access to 0x607fffffff34ee25, ip=0x4000000000000961
index: 2
a.out(10393): unaligned access to 0x607fffffff34ee26, ip=0x4000000000000961
index: 3
a.out(10393): unaligned access to 0x607fffffff34ee27, ip=0x4000000000000961
index: 4
index: 5
index: 6
index: 7
index: 8
index: 9
a.out(10393): unaligned access to 0x607fffffff34ee2d, ip=0x4000000000000961
index: 10
a.out(10393): unaligned access to 0x607fffffff34ee2e, ip=0x4000000000000961
index: 11
a.out(10393): unaligned access to 0x607fffffff34ee2f, ip=0x4000000000000961
index: 12
index: 13
Below is the test program I used:
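The test program itself is not included on this page. As an added example (not the author's program), the C code below applies the rule the post infers from its output, that an access is logged when it crosses an 8 byte boundary, to the base address implied by that output, and shows a memcpy-based load that avoids the misaligned access. The function names are hypothetical, and the 8 byte rule is the post's inference rather than an architectural statement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Boundary inferred in the post from the logged addresses (assumption). */
#define BOUNDARY 8u

/* Returns 1 if a `size`-byte access at `addr` spans two 8-byte blocks. */
int crosses_boundary(uint64_t addr, size_t size)
{
    return (addr / BOUNDARY) != ((addr + size - 1) / BOUNDARY);
}

/* Stores in `out` every index in [0, count) whose access at base+index
 * is predicted to be logged; returns how many were stored. */
size_t predict_reports(uint64_t base, size_t size, size_t count, size_t *out)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (crosses_boundary(base + i, size))
            out[n++] = i;
    return n;
}

/* Alignment-safe read: memcpy into a local lets the compiler emit loads
 * that are legal on strict-alignment targets instead of one misaligned
 * 4-byte load through a cast pointer. */
uint32_t load_u32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

int main(void)
{
    /* Index 1 was logged at ...ee25 in the output above, so index 0
     * corresponds to ...ee24. */
    const uint64_t base = 0x607fffffff34ee24ULL;
    size_t hits[14];
    size_t n = predict_reports(base, sizeof(int32_t), 14, hits);

    for (size_t i = 0; i < n; i++)
        printf("index %zu (0x%llx): predicted unaligned access\n",
               hits[i], (unsigned long long)(base + hits[i]));

    /* Constructed sample buffer: read a 4-byte value at an odd offset. */
    unsigned char buf[16];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (unsigned char)i;
    printf("safe load at offset 5: 0x%08x\n", (unsigned)load_u32(buf + 5));
    return 0;
}
```

The predicted indexes match the ones followed by a kernel message in the output above.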
Hewlett-Packard is sponsoring the recycling of old computers in Victoria, Australia in a program named Byteback – note that they accept all brands of computer and charge nothing to accept the e-waste. This is a really good thing, I’ll start saving up my old computer parts to deliver to them!
Is there a directory of computer recycling plants that accept old hardware for no charge? If you know of one in your area then please blog about it and send a track-back to my post.