Rogierm's Blog

Storage performance difference between KVM and Xen

admin — Mon, 28 Jun 2010 21:04:31 +0000

Several blogs and manuals with examples on kvm or xen setups use NFS as storage backend. Mostly they state that for production use iSCSI is recommended. However there are examples where NFS is part of the architecture, eg. OpenNebula. I tried to find specific statistics on the performance differences between NFS, iSCSI and local storage. During this search I encountered some pointers that NFS and Xen is not a good combination, but never a straight comparison.

I decided to invest some time and setup a small test environment and run some bonnie++ statistics. This is not a scientific designed experiment, but a test to show the differences between the platforms. Two test platforms are setup, 1 with a Xen server (DL360G6) (xen1) and a 12 disk SATA storage server (storage1), and another with a KVM server (DL360G5) (kvm1) and a 2 disk SATA storage server (storage2) . Both servers are connected with a gigabit network. I’ve also run a test with a 100mb/s network between the kvm1 and storage2 server. For reference I’ve also done tests with the images on localdisk.

I realize that LVM and iSCSI storage is most efficient, but storage with image files is very convenient and in case of cloud setups sometimes the only option.

		Seq output						Seq input				Random
		Per Chr		Block		Rewrite		Per Chr		Block		Seeks
	Size	K/sec	%CP	K/sec	%CP	K/sec	%CP	K/sec	%CP	K/sec	%CP	/sec	%CP
Xen-guest-via-nfs-tapaio	1G	3570	5	2436	0	1366	0	26474	41	24831	0	6719.0	1
xen-guest-via-iscsi	1G	25242	40	12071	1	15175	0	32071	42	47742	0	7331.3	1
kvm-guest-nfs-1gb-net	1G	8140	16	17308	3	11864	2	40861	81	71711	3	2126.6	54
kvm-guest-nfs-qcow-100mb	1G	1922	3	9874	1	3994	0	10720	22	10441	0	595.4	33
kvm-guest-nfs-qcow-100mb-2nd	1G	9735	21	2039	0	3197	0	10729	22	10463	0	685.3	38
kvm-guest-nfs-qcow-100mb-3rd	1G	5327	10	7378	1	4421	0	10655	18	10512	0	706.3	39


xenserver-nfsmount	1G	41507	60	60921	7	29687	1	33427	48	64147	0	4674.4	11
kvmserver-nfs-1G	20G	31158	52	32044	17	10749	2	19152	28	18987	1	90.3	1
localdisk-on-nfs-server-cloudtest3	4G	41926	65	43805	7	18928	3	52943	72	56616	3	222.6	0

The conclusion of the tests is that local storage is fastest. NFS storage with Xen is not a good combination. Xen runs best with iSCSI backed storage. KVM with NFS runs significantly better. It is safe to say that if you want to use NFS use it with KVM, not with Xen. In any case iSCSI is always the best option for Xen. I have not yet tested KVM with iSCSI but I expect this to perform better than NFS.

How to eject CD in Mac OSX from command line

admin — Mon, 05 Apr 2010 21:34:09 +0000

Open Terminal
Enter the following command:$ drutil eject

How to access libvirtd from remote server

admin — Mon, 01 Mar 2010 23:42:22 +0000

Libvirt is a toolkit to interact with several virtualization platform from a single interface. Considering you can stop and start virtual machines through this API, security is quite important. Libvirt offers several options to give authenticated access from remote machines. By default most distributions disable remote network access for libvirtd. However, I would like to access libvirtd on some of my KVM servers from a single management host to gather some information. The documentation on how to set this up is not too good, so I decided to write up a short how-to.

Step 1: Enable network access for libvirtd
First enable network access for libvirtd on the KVM server(s). On CentOS/RHEL this is done by uncommenting or adding the following line in /etc/sysconfig/libvirtd:
LIBVIRTD_ARGS="--listen"

Step 2: Install a CA on the management server
Install the Perl certificate tools:
yum install openssl-perl
Create Certificate authority:
cd /etc/pki/tls/misc/ ./CA.pl -newca
Example output:
./CA.pl -newca CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

..........++++++

.............++++++

writing new private key to '../../CA/private/cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:XX

State or Province Name (full name) [Berkshire]:XX

Locality Name (eg, city) [Newbury]:XXXXX

Organization Name (eg, company) [My Company Ltd]:XXXXX

Organizational Unit Name (eg, section) []:XXXX

Common Name (eg, your name or your server's hostname) []:CA XXX XXX

Email Address []:XXX
Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ../../CA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number:

            d8:95:24:xx:xx:xx:13:9b

        Validity

            Not Before: Feb 25 23:14:08 2010 GMT

            Not After : Feb 24 23:14:08 2013 GMT

        Subject:

            countryName               = XX

            stateOrProvinceName       = XX

            organizationName          = XXXX

            organizationalUnitName    = XXXX

            commonName                = CA XXX XXX

            emailAddress              = XXXXX

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                XXX

            X509v3 Authority Key Identifier:

                keyid:XXXX

                DirName:/C=XX/ST=XX/O=XXX/OU=XXXX/CN=CA XXX XXX/emailAddress=XXX

                serial:XXX
            X509v3 Basic Constraints:

                CA:TRUE

Certificate is to be certified until Feb 24 23:14:08 2013 GMT (1095 days)

Write out database with 1 new entries Data Base Updated

Step 3: Create CSR’s
openssl genrsa -des3 -out kvm-server1.tmp openssl rsa -in kvm-server1.tmp -out kvm-server1.key openssl genrsa -des3 -out mgmt-host.tmp openssl rsa -in mgmt-host.tmp -out mgmt-host.key openssl req -new -key kvm-server1.key -out kvm-server1.csr openssl req -new -key mgmt-host.key -out mgmt-host.csr

Step 4: Sign the certificates
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out /root/mgmt-host.crt -infiles /root/mgmt-host.csr openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out /root/kvm-server1.crt -infiles /root/kvm-server1.csr
Example output:
Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: d8:95:24:4b:4e:b1:13:9c Validity Not Before: Feb 25 23:31:40 2010 GMT Not After : Feb 25 23:31:40 2011 GMT Subject: countryName = XX stateOrProvinceName = XX localityName = XX organizationName = XX organizationalUnitName = XX commonName = mgmt-host.xxx.nl emailAddress = xxxxx X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6C:EA:8B:C1:D6:XX:B6:6B:5B:18:02 X509v3 Authority Key Identifier: keyid:C9:36:4A:XXXX:6F:FD:2E:86


Certificate is to be certified until Feb 25 23:31:40 2011 GMT (365 days)

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Step 5: Copy over the certificates to the correct location
On the management host (mgmt-host):
mkdir /etc/pki/libvirt mkdir /etc/pki/libvirt/private mkdir /etc/pki/libvirt-vnc

cp /root/mgmt-host.key /etc/pki/libvirt/private/clientkey.pem cp /root/mgmt-host.key /etc/pki/libvirt-vnc/clientkey.pem cp /root/mgmt-host.crt /etc/pki/libvirt/clientcert.pem cp /root/mgmt-host.crt /etc/pki/libvirt-vnc/clientcert.pem

Transfer the key and certificate files to the KVM server (kvm-server1). Ideally, you create the key and CSR on the host itself, so you only have to transfer the certificate. Then, copy the certificates and CA to the correct location on the KVM (libvirtd) server:

mkdir /etc/pki/libvirt mkdir /etc/pki/libvirt/private mkdir /etc/pki/libvirt-vnc


cp kvm-server1.key /etc/pki/libvirt/private/serverkey.pem

cp kvm-server1.key /etc/pki/libvirt-vnc/server-key.pem

cp kvm-server1.crt /etc/pki//libvirt/servercert.pem cp kvm-server1.crt /etc/pki/libvirt-vnc/server-cert.pem

Make sure the CA generated on the management server is available on the KVM server in the following file:
/etc/pki/CA/cacert.pem

Step 6: Reload libvirtd
/etc/init.d/libvirtd reload

Step 7: Test
With these certificates setup, you should be able to access libvirtd on kvm-server1 from mgmt-host. Use the following command to test:
virsh -c qemu://kvm-server1.xxxx.nl/system Welcome to virsh, the virtualization interactive terminal.


Type:  'help' for help with commands

       'quit' to quit

virsh #
Use the list command to see a list of running guests on the server. This only works if these guests have also been created via libvirtd. Manually started KVM guests will not show up in this list.

ONE Management Console show VNC display

admin — Thu, 25 Feb 2010 01:39:54 +0000

I’ve made some quick changes to ONEMC to show the VNC port in the interface. I’ve updated the template that onemc creates with a GRAPHICS section. This enables vnc on the quest.

As a workaround until ONE can use the VMID in the graphics section, I use a virsh command to get the vncport. To get this working the webserver user should be allowed to execute the virsh command via sudo. Add the following to sudoers:
apache ALL=(ALL) NOPASSWD: /usr/bin/virsh *
Also I encountered some problems with the model section in the KVM template so I commented that out as well.

Below the patch and a screenshot listing the vnc ports in ONEMC

onemc_funcs.patch

Strong ciphers on Foundry ServerIron

admin — Mon, 15 Feb 2010 20:24:16 +0000

When setting up SSL offloading on a Foundry ServerIron 4G-SSL the default installation allows weak (eg. DES, 56bit) ciphers and SSLv2. This is not a recommended setup, especially if you have to comply to certain security certifications, like PCI. The Foundry documentation does not give a lot of information on the ciphers that are supported. Below the commands to disable SSLv2 and allow only strong ciphers on an ssl accelerated host.

To change the ssl profile of a virtual server, always follow the following steps:

Remove the ssl profile from the virtual server
Change the ssl profile settings
Enable the ssl profile on the virtual server

server virtual vservername no port ssl ssl-terminate sslprofilename


exit
ssl profile sslprofilename

disable-ssl-v2

no  cipher-suite all-cipher-suites

cipher-suite rsa-with-3des-ede-cbc-sha

cipher-suite rsa-with-aes-128-sha

cipher-suite rsa-with-aes-256-sha

cipher-suite rsa-with-rc4-128-md5

cipher-suite rsa-with-rc4-128-sha
exit

server virtual vservername port ssl ssl-terminate sslprofilename

Racktables add custom object-type

admin — Sun, 31 Jan 2010 21:17:08 +0000

RackTables is a datacenter asset management system. By default is is configured with several object-types that are used in most datacenters, like network-switch, server, PDU, ups, etc. However, some obvious object types are missing. A firewall or loadbalancer are quite often used in datacenter environments. But RackTables is very flexible and extensible. You can easily add your own custom object type. To do this, follow the following steps.

Go to Configuration, Dictionary
Click RackObjectType
Click the ‘Edit’ tab
Add the Object-type you want and click the ‘+’

By default, you cannot attach an ip address to an object-type. This must be configured manually. To make the object IPv4 enabled, follow the following steps.

Go to Configuration, User-interface
Click the ‘change’ tab
Add the object id to the textbox named ‘List source: IPv4-enabled objects’

The list of IPv4 enabled objects should be something like:
{$typeid_4} or {$typeid_7} or {$typeid_8} or {$typeid_12} or {$typeid_445} or {$typeid_447} or {$typeid_50019} or {$typeid_2} or {$typeid_50063}

Racktables Rancid integration

admin — Sun, 31 Jan 2010 18:12:05 +0000

I use Racktables to keep track of the devices in our network. To backup the configuration of our network devices I use rancid. To prevent having to edit and update multiple configuration files and systems, I thought it would be a good idea to centralize this and use Racktables as a source for configuring other systems. Racktables is a very extensible system that allows you to add attributes to a category yourself. I’ve added a ‘Rancid’ attribute as a dictionary item containing ‘Yes’ and ‘No’. I’ve bound this attribute to the object categories (Networkswitch, firewall and router) I want to backup with Rancid. I’ve scheduled a cronjob that runs the attached script, creating the routers.db file that is used by rancid.

The script runs an sql query to include all devices that have the Rancid attribute set to ‘Yes’.

To use this script in your environment, you have to edit the sql query to use the id of your rancid attribute in the dictionary. In my case the rancid attribute has the id ’10003′ and the ‘Yes’ dictionary id is ’50030′. These values can be found by looking in the racktables database.

Download the racktables-rancid export script.
Download the wrapper script

Cisco ASA and tacacs enable fails

admin — Thu, 14 Jan 2010 21:34:28 +0000

While migrating the authentication of our ASA firewalls to tacacs, we enabled ‘enable’ authentication to tacacs and tried to switch to enable mode on the console. This did not work, and caused the following message in the tacacs log file:
Wed Jan 13 17:07:42 2010 [25444]: enable query for 'username' 13 from 10.x.x.x rejected
To fix this problem the tacacs configuration for the user needs to include the enable password in the profile, as shown below:
user = username { login = des "XXXXXXX" member = admin acl = mgmt_devices service = shell { priv-lvl = 15 } enable = des "XXXXXXX" }
We use the following configuration on the ASA to enable AAA to tacacs.
aaa-server tacacs protocol tacacs+ aaa-server tacacs (outside) host 1.1.1.1 key TACACSKEY aaa-server tacacs (outside) host 2.2.2.2 key TACACSKEY aaa authentication ssh console tacacs LOCAL aaa authentication telnet console tacacs LOCAL aaa authentication serial console tacacs LOCAL aaa authentication enable console tacacs LOCAL aaa authentication http console tacacs LOCAL aaa authorization command tacacs LOCAL

Cisco switch and Tacacs

admin — Thu, 14 Jan 2010 21:12:50 +0000

Tacacs is a great way to centralize user authentication, authorization and accounting. While tacacs originally is a Cisco thing, there is an open source server version available, tac_plus (http://www.gazi.edu.tr/tacacs/index.php?page=download). Installing the tacacs server is quite straight forward. Configuring the switch is not difficult either, as long as you think about possible failures. You don’t want to be locked out of your switches when your tacacs server is not available. I use the following configuration that uses two tacacs servers and asks for the enable password when neither of the tacacs servers is available. To enter ‘enable’ mode, the configured enable password suffices. Use the following Cisco configuration for a save AAA authentication.

NOTE: Always be careful when changing authentication and authorization configuration, as this might lock you out of the device. The savest way is to do this on the console of the machine.

aaa new-model aaa authentication login default group tacacs+ enable aaa authentication enable default enable aaa authorization exec default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ if-authenticated aaa authorization network default group tacacs+ if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ aaa session-id common tacacs-server host 1.1.1.1 single-connection tacacs-server host 2.2.2.2 single-connection tacacs-server key TACACSKEY tacacs-server directed-request
To restrict access to specific devices, you can configure an ACL in the tacacs configuration on the server (tac_plus.conf). See the example below.

user = username { login = des "XXXX" member = admin acl = mgmt_devices service = shell { priv-lvl = 15 } } group = admin { default service = permit service = exec { priv-lvl = 15 } } # acl's

acl = mgmt_devices { permit = 12.12.12.12 permit = 13.13.13.13 }

SIP with Speedtouch ADSL modem

admin — Sat, 02 Jan 2010 21:13:41 +0000

We have a small VOIP network with 10 phone, a dedicated DSL line from Orange/Online and an external Asterisk server in a datacenter. The DSL line is terminated on a Speedtouch modem. With the default settings of the modem we experienced two problems:

Incoming calls did not get through
The sound of outgoing calls disappeared while the call was not dropped

In the Asterisk logs we could see the following message:
[Dec 30 13:40:51] WARNING[1911] chan_sip.c: Maximum retries exceeded on transmis sion 0016c7ea-28120012-73ca27ca-35d5391a@10.0.0.45 for seqno 102 (Critical Respo nse) -- See doc/sip-retransmit.txt. [Dec 30 13:40:51] WARNING[1911] chan_sip.c: Hanging up call 0016c7ea-28120012-73 ca27ca-35d5391a@10.0.0.45 - no reply to our critical packet (see doc/sip-retrans mit.txt).

To fix this, you have to disable the SIP helper on the Speedtouch modem. Connect to the modem with telnet (default ip: 10.0.0.138, default user: Administrator, default password: ) and enter the following commands:
_{Administrator}=>connection {Administrator}[connection]=>appconfig application=SIP SIP_ALG=disabled {Administrator}[connection]=>exit