ifup-local on bridge members on CentOS

I run a bunch of CentOS 6 physical servers as QEMU virtualization devices. These hosts have two NICs, one for management and one for virtual machine bridges.

When you use Linux for virtualization, it’s important to increase the amount of memory for network transmit and receive buffers. You also need to disable GSO and TSO, . . . → Read More: ifup-local on bridge members on CentOS

iptables and ipsets

I’m dragging my work environment from “artisan system administration” to mass-managed servers. Part of this is rationalizing, updating, and centralizing management of packet filter rules on individual hosts. Like many environments, I have a list of “management IP addresses” with unlimited access to every host. Managing this is trivial on a BSD machine, thanks to . . . → Read More: iptables and ipsets

Easy Security Project: standalone ssh-ldap-helper

I’ve been waiting for quite a while for an official way to centrally manage user authentication keys in OpenSSH. If you have a dozen servers, copying authorized_keys files around is a pain. If you have more than that, it’s really really painful. The OpenSSH guys have had good reasons for not wanting to link LDAP . . . → Read More: Easy Security Project: standalone ssh-ldap-helper

SolusVM KVM offline migration with shared storage

I’m building a new virtualization cloud with SolusVM, KVM, and a bit of Xen (to make use of older hardware). Each machine has its own hard disk, but it only holds the local operating system. All virtual machines reside on cheap iSCSI storage, so I can easily migrate VMs from one compute node to another. . . . → Read More: SolusVM KVM offline migration with shared storage

How to Lose your Job with SSH, part 1

A less sensational title for this post would have been “SSH Remote Forwarding,” but that’s not nearly as fun.

I used to be responsible for one of the few entry points into a global network. The company had actual manufacturing secrets — their products included various machines of war. We had internal firewalls to protect . . . → Read More: How to Lose your Job with SSH, part 1

IP Tables and VoIP

Here’s an iptables ruleset for a VoIP server with a Web interface. The goals are to allow management hosts to communicate with them freely, allow VoIP and HTTP(S) from the public, and drop everything else. It’s designed to be used as /etc/iptables.rules, and loaded with

# iptables-restore < /etc/iptables.rules

In Linux, you’re supposed to . . . → Read More: IP Tables and VoIP

NFSv4 and UIDs on OpenSolaris and Ubuntu

NFS clients and servers negotiate to use the highest NFS version they both support. NFSv4 usually performs much better than NFSv3, but requires a little more setup. Here I get NFSv4 working between an OpenSolaris file server and a diskless Ubuntu client. In theory, a plain mount(8) gives us a NFSv4 mount.

# mount server:/data1/opennebula/on22 . . . → Read More: NFSv4 and UIDs on OpenSolaris and Ubuntu

WordPress LDAP auth on Ubuntu

I support too many servers and applications to manage separate user databases for each. LDAP is a must. If an application can’t hook up to LDAP, I don’t want it. WordPress can be configured to use LDAP, and has several different LDAP plugins. I’ve had mixed results with PHP LDAP plugins. I usually find that . . . → Read More: WordPress LDAP auth on Ubuntu

Wherein I learn about initrd

Post summary: will someone PLEASE port a recent KVM to any BSD? There’s beer in it for you.

I’ve been attempting to upgrade my diskless virtualization cluster to Ubuntu 10.10. Diskless boot worked fine in the ESXi test area, but real hardware would not boot. This same hardware booted fine with Ubuntu 10.04 and 9.whatever. . . . → Read More: Wherein I learn about initrd

pxelinux.cfg/* versus RCS

I’m a fan of version control in systems administration. If you don’t have a central VCS for your server configuration files, you can always use RCS. I habitually add #$Id$ at the top of configuration files, so I can easily see who touched this file last and when.

On an unrelated note, I’m upgrading my . . . → Read More: pxelinux.cfg/* versus RCS