View processes (PID) using disk I/O

Posted in Informational, Issues, Storage on July 28th, 2009 by termina

Install the sysstat package

apt-get install sysstat

# iostat -m
Linux 2.6.27-14-generic (slowaris)      07/28/2009      _x86_64_

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
4.88    6.65    3.03    1.49    0.00   83.95

Device:            tps    MB_read/s    MB_wrtn/s    MB_read    MB_wrtn

md0             221.24         0.64         0.78    1765002    2159490

We can see that I/O isn’t terribly high here, but there are 221 transfers per second going on.

To check what processes are causing I/O

echo 1 > /proc/sys/vm/block_dump

tail -f /var/log/syslog | grep md0

Jul 28 08:20:12 server kernel: [2752582.434647] kvm(17362): READ block 1017744552 on md0
Jul 28 08:20:12 server kernel: [2752582.502401] kvm(17362): READ block 615283608 on md0
Jul 28 08:20:13 server kernel: [2752582.634622] kvm(17362): READ block 1017744576 on md0
Jul 28 08:20:14 server kernel: [2752583.964709] kvm(17362): READ block 1017744608 on md0
Jul 28 08:20:14 server kernel: [2752584.372889] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
Jul 28 08:20:14 server kernel: [2752584.372908] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0

We see that kvm is causing some disk I/O; now where know where to start investigating!

To turn off these messages

echo 0 > /proc/sys/vm/block_dump

OpenVZ on Ubuntu 8.10

Posted in Services on July 14th, 2009 by termina

Other OpenVZ Ubuntu 8.10 guides that I’ve seen have you use the old lenny repository; since this no longer exists let’s try another way!

I used a 64-bit machine; steps will be the same for 32-bit. If you have 64-bit and just want to download the kernel I used: http://bbis.us/~will/openvz-ubuntu810.tar.gz

Now let’s build the kernel.

cd /usr/src
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.tar.bz2
tar xjf linux-2.6.27.tar.bz2
cd linux-2.6.27

wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/patches/patch-briullov.1-combined.gz
gunzip patch-briullov.1-combined.gz

wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-x86_64.config.ovz
#OR
wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-i686.config.ovz

cp kernel-2.6.27-*.config.ovz .config
patch -p1 < patch*

make oldconfig

make
make modules_install install

cd /boot
mkinitramfs -o /boot/initrd.img-2.6.27 2.6.27

vi /boot/grub/menu.lst

#Replace uuid entries with your disks uuid
title           Ubuntu 8.10 OpenVZ 2.6.27
uuid            2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8
kernel          /boot/vmlinuz-2.6.27 root=UUID=2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8 ro quiet splash
initrd          /boot/initrd.img-2.6.27
quiet

grub-install /dev/sda

apt-get install vzctl vzquota

reboot

If everything went according to plan, you’ll boot into your new kernel. If you get a kernel panic, or things are not working as expected, you may have to

make menuconfig

Once the kernel is working, let’s create a container.

cd /var/lib/vz/private

mkdir 1

debootstrap hardy 1

When you see:

#I: Base system installed successfully.

You can continue.

vi /etc/vz/dists/default
#Change redhat to debian OR copy ubuntu.conf to default

Create the container and set an IP

vzctl set 1 –applyconfig vps.basic –save
vzctl set 1 –ipadd 192.168.100.7 –save
vzctl set 1 –nameserver 192.168.100.1 –save

vzctl start 1

At this time you cannot enter the container. You will receive the error

Unable to open pty: No such file or directory

To fix this:

vzctl exec 1 update-rc.d -f udev remove

Restart and enter the container

vzctl restart 1

vzctl enter 1

If network doesn’t work add to /etc/sysctl.conf on server (not container):

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

Ubuntu 8.10 LDAP Server with TLS

Posted in HowTo, Networking, Services on July 8th, 2009 by termina

This should also work with Ubuntu 9.04

apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools

Much like Debian, we must perform an extra step to make our changes permanent.

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name: your-server
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No

Now we will populate LDAP. You should probably add a temporary LDAP user for testing. After we populate LDAP we’ll remove it.

adduser test
cd /usr/share/migrationtools

Edit migrate_common.ph and replace “padl.com” with your domain and dc=padl,dc=com with dc=YOUR,dc=DOMAIN

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

Remove the top section of /tmp/base.ldif

dn: dc=dev
dc: dev
objectClass: top
objectClass: domain

Restart LDAP and add our information to LDAP


/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

To enable PAM I suggest


cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc

Alternativly, you can try the following Ubuntu specific method:


auth-client-config -t nss -p lac_ldap
pam-auth-update ldap

Please note that I was unable to change user passwords with ‘passwd’ using this method.

Remove the test user

userdel test

Set up TLS Certificate

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl

openssl req -new -nodes -out req.pem -keyout key.pem
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem

Enable TLS on server

ldapmodify -x -D cn=admin,cn=config -W

Paste in the following:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem

Press ENTER a few times to finish modifying and then Control+C when you see:

modifying entry "cn=config"

Edit /etc/default/slapd and add

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart slapd

/etc/init.d/slapd restart

If it fails, try:


chown -R openldap /etc/ldap/ssl
/etc/init.d/slapd restart

Client configuration

vi /etc/ldap.conf

uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem


vi /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap

Now test! Make sure to stop nscd if you’re using it

/etc/init.d/nscd stop

Test LDAP

$ id test
uid=1001(test) gid=1001(test) groups=1001(test)

Remember to keep an eye on /var/log/auth.log if you run into any problems

Enable network virtio (Gigabit) in libvirt/kvm Virtual Machine Ubuntu 8.10

Posted in Issues, Networking on July 7th, 2009 by termina

If you create a domain with virt-manager, it does not always add the appropriate ‘virtio’ entry to the xml file for your VM.

If this is the case, you will notice that network speeds on the VM will not break 10/100 speeds.

To fix this, edit the xml file

vi /etc/libvirt/qemu/vm.xml

Make sure your network block looks like this (keep your MAC address the same)

<interface type='network'>
<mac address='00:16:36:0b:4c:9c'/>
<source network='default'/>
<model type='virtio'/>
</interface>

Shut down the VM and confirm it’s shut down

virsh shutdown vm

# virsh list
Connecting to uri: qemu:///system
Id Name                 State
----------------------------------

If you do not see your vm “running” you can proceed. If it’s still running you need to shut it down another way.

Update the xml definition

virsh define /etc/libvirt/qemu/vm.xml

Start the domain

virsh start vm

Log into the VM and test with a 1GB file

dd if=/dev/zero of=/tmp/test bs=1M count=1000
scp /tmp/test [email protected]:/tmp

You should see transfer speeds above 11-12 megabytes/second.