Archive for the ‘Server Admin’ Category

Convert an existing Windows installation to a Xen guest

January 19th, 2010

I’ve been dual booting Linux and Windows for as long as I’ve run Linux on the desktop. Recently I installed Xen on Ubuntu and subsequently decided to port my old Windows bare-metal install to a Xen domU.

Running Windows as a Xen domU has several advantages, the most obvious being the ability to access Windows while running Linux. Additionally, you can take advantage of features such as domain migration, save/restore and LVM snapshots.

In this article, I’ll walk through how I converted my existing Windows XP Professional bare-metal (normal) install to a Xen guest (domU). In my setup, the Xen dom0 is running on an LVM volume on a separate physical disk from the original Windows installation. I will show you how to move the original Windows installation to an LVM logical volume. You will need a retail or volume Windows license: Xen presents different virtual hardware to the guest, which will force you to reactivate Windows, and an OEM license is not permitted to move to different hardware. While I’d argue the physical hardware is still the same, I’m sure there is some definition that says otherwise ;). Finally, I converted a Windows XP installation, but the same procedure should work with any NTFS-based Windows installation (Vista, 7, Server 2003, Server 2008).

Installing Xen on Ubuntu 9.10

January 16th, 2010

Recently I switched to Ubuntu as the primary operating system on my desktop machine. As part of the switch, I wanted to install Xen to virtualize some additional operating systems. Xen provides very good performance when virtualizing Linux distributions due to paravirtualization. The latest versions can also virtualize certain unmodified guest operating systems on processors that support virtualization.

In a Xen setup, the Xen hypervisor runs directly on the hardware (bare-metal). The first guest operating system (dom0) runs “on top” of Xen and has full access to the underlying hardware. Additional guests (domU) also run on top of the Xen hypervisor, but with limited access to the underlying hardware.

Converting an existing Ubuntu install to a Xen dom0 install requires installing the Xen hypervisor. In previous versions of Ubuntu this could easily be done using apt. Unfortunately no packages exist for Ubuntu 9.10 (Karmic Koala). In this post I’ll describe the steps I took to install Xen from source on Karmic. If you’d rather install via binary packages you’ll need to find a third-party repository.

IPv6 support for qmail-jms1

August 7th, 2009

This post is part of a series of posts dedicated to IPv6 support for qmail:

IPv6 support in qmail

Supporting IPv6 in qmail largely revolves around DNS lookups. Patches for tcpserver and sslserver allow incoming connections over IPv6. In order to support IPv6 in qmail:

  • DNS lookups should prefer AAAA records, falling back to A records only if AAAA records are not available
  • All code referencing IP addresses should support IPv4 and IPv6 addresses
  • SPF queries should support IPv6 addresses

The fujiwara patch

A qmail IPv6 patch has existed since 2002 that covers the first two issues above. It is written to apply cleanly on the base qmail-1.03 distributed on Daniel Bernstein’s site. It does not include support for SPF queries as SPF is not included in the original version of qmail.

IPv6 support for jgreylist

August 7th, 2009

This post is part of a series of posts dedicated to IPv6 support for qmail:

jgreylist Changes

jgreylist is a program provided by John Simpson to allow greylisting in qmail. John provides two versions, one written in Perl and one written in C. I chose to patch only the C version.

jgreylist works by using the Unix timestamps of empty files to track when individual IP addresses or class C blocks last visited your qmail server. John does a great job of explaining how this works on his jgreylist page. You should understand how his program, especially the C version, works and is configured before continuing.

IPv6 support for sslserver

August 7th, 2009

This post is part of a series of posts dedicated to IPv6 support for qmail:

ucspi-ssl

The ucspi-ssl package provides the sslserver program. sslserver accepts incoming SSL connections and passes them to another program such as qmail-smtpd. sslserver is almost identical to tcpserver except that it deals with encrypted SSL traffic rather than clear text.

I could not find an IPv6 patch for sslserver, however I was able to port the tcpserver patch to sslserver. You can easily apply my ucspi-ssl-0.70-ipv6.patch:

$ wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz
$ wget http://www.bltweb.net/qmail/ucspi-ssl-0.70-ipv6.patch
$ tar -xzf ucspi-ssl-0.70.tar.gz
$ cd host/superscript.com/net/ucspi-ssl-0.70
$ patch -p1 < ../../../../ucspi-ssl-0.70-ipv6.patch
$ package/compile
$ sudo package/install

sslserver

To understand what the sslserver portion of the IPv6 patch does, you should be familiar with the sslserver man page and read about how tcpserver handles IPv6 on Fefe’s ucspi-tcp page. Essentially, if a client connects via IPv4, sslserver exhibits its normal behavior. If a client connects with IPv6, the PROTO environment variable will be set to “SSL6” instead of “SSL”.

IPv6 support for tcpserver and rblsmtpd

August 7th, 2009

This post is part of a series of posts dedicated to IPv6 support for qmail:

ucspi-tcp

The ucspi-tcp package provides the tcpserver and rblsmtpd programs. tcpserver accepts incoming TCP connections and passes them to another program such as qmail-smtpd. rblsmtpd blocks connections from RBL-listed IPs.

Thanks to Fefe, a patch has been around for a while that adds IPv6 support to tcpserver. Fefe’s patch does not touch rblsmtpd, however.

I’ve modified Fefe’s patch to patch rblsmtpd as well. You can easily apply my ucspi-tcp-0.88-ipv6.patch:

$ wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ wget http://www.bltweb.net/qmail/ucspi-tcp-0.88-ipv6.patch
$ tar -xzf ucspi-tcp-0.88.tar.gz
$ cd ucspi-tcp-0.88
$ patch -p1 < ../ucspi-tcp-0.88-ipv6.patch
$ make
$ sudo make install

tcpserver

To understand what the tcpserver portion of the IPv6 patch does, you should read Fefe’s ucspi-tcp page. Essentially, if a client connects via IPv4, tcpserver exhibits its normal behavior. If a client connects with IPv6, the PROTO environment variable will be set to “TCP6”.

Qmail IPv6

August 7th, 2009

Adding IPv6 support to qmail can be a daunting task. A modern qmail system includes several different components, with various patches and configuration options for each. There are a few patches on the internet that claim to add IPv6 support for a specific component, but I had trouble finding patches for every piece of my qmail install.

I’m not trying to defend IPv6. I realize there are many people with strong feelings towards the subject, including qmail’s author. Switching to IPv6 is a monumental task. It may never happen, but something needs to – we can’t keep NATing forever.

Many software projects have already added support for IPv6. My Gentoo box has been on an IPv6 network, via Hurricane Electric’s free tunnel broker service for a while now. Mac OS X has support for IPv6, as do the latest versions of Windows. Even Windows XP can support IPv6 if enabled. Postfix, Exim, and Sendmail all support IPv6.

FastCGI with a PHP opcode cache benchmarks

July 29th, 2009

In my previous post, I described how to implement FastCGI with a PHP opcode cache on an Apache webserver. My primary motivation for moving to FastCGI was to take advantage of the extra security provided by FastCGI with suEXEC over mod_php. In this post, I’ll compare the two environments and provide a few benchmark results.

Benchmark Setup

To compare mod_php to FastCGI with a PHP opcode cache, I used the ab tool on my desktop running PHP 5.3.0, mod_fastcgi 2.4.6 and Apache 2.2.11 on Gentoo Linux. Apache had a limited number of modules enabled (actions alias authz_host dav deflate dir expires filter headers log_config mime rewrite setenvif status vhost_alias). The hardware consisted of an Intel Core2 Quad Q6600 (2 x 4MB L2 cache) with 2GB of RAM.

FastCGI with a PHP APC Opcode Cache

July 7th, 2009

Hosting PHP web applications in a shared environment usually involves a choice between two exclusive options: host a fast application by using a persistent opcode cache, or host an application that your shared neighbors can’t snoop around or destroy. In this post I discuss a way to get the best of both worlds, by combining FastCGI with a single opcode cache per user.

The evolution of mod_php to FastCGI

In the early days of all-you-can-eat shared hosting, administrators served PHP via mod_php. mod_php loads the PHP interpreter into every web server process during server startup, thus avoiding the expense of starting an interpreter each time a script executes. This allowed PHP scripts to execute relatively quickly.

mod_php came with a few drawbacks:

DKIM and DomainKeys for qmail

March 19th, 2009

DomainKeys and its successor DomainKeys Identified Mail (DKIM) are technologies that allow organizations to take responsibility for a message. This is done by cryptographically signing an email as it leaves an organization en route to its destination. The signature can be verified using the DNS system to establish trust. In theory the technologies help cut down on spam by proving a message originated from the domain it claims to come from.

Support for DomainKeys in qmail has existed for a while thanks to a patch by Russell Nelson. Kyle Wheeler created a set of wrapper scripts that can be used to provide support for DKIM and DomainKeys. Mihai Secasiu has some wrapper scripts similar to Kyle’s that provide support for DKIM via the libdkim library instead of Perl’s Mail::DKIM module.
