Mike Fedyk
11:59 pm
Stats gathering library
I mentioned previously using sysstat to create a unified stats gathering library for tools to use, and it looks like someone else has already started a project to fill that gap.
Check out libstatgrab:
The libstatgrab library provides an easy-to-use interface for accessing system statistics and information. Available statistics include CPU, Load, Memory, Swap, Disk I/O, and Network I/O. It was developed to work on Linux, FreeBSD, and Solaris. The package also includes two tools: saidar provides a curses-based interface for viewing live system statistics, and statgrab is a sysctl-like interface to the statistics.
Tags: libstatgrab, linux, monitoring, statistics
11:02 pm
Linux Firewall Distributions
RedWall Firewall:
redWall is a bootable CD-ROM firewall which focuses on Web-based reporting of the firewall's status. It includes Snort, snortsam, dansguardian, and support for fwbuilder, squidguard, reporting (using BASE/sarg/ntop/webfwlog), VPN (Openswan/PoPToP/Openvpn), Spam Filtering (spamassassin, dcc, razor2, clamav, amavis-new, dspam and maia mailguard), and mail-based alerting. Configuration data are stored on a floppy or USB disk.
SmoothWall Firewall:
SmoothWall is a popular Internet Security software package (based on Linux) offering automated modem/advanced ISDN autoprobing, ethernet ADSL/cable, USB ADSL (Alcatel Speed Touch Home only in 1.x; additional support for USR, Fuji, ECI, etc in 2.x), and multiple ethernet card support within 5 minutes of install. Web managed and with full facilities normally only seen in expensive commercial offerings, it also offers SSH, DHCP, and full firewall logging and auditing functionality.
IPCop:
IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the networks it is installed on. By implementing existing technology, outstanding new technology and secure programming practices IPCop is the Linux Distribution for those wanting to keep their computers/networks safe.
Devil-Linux:
Devil-Linux is a special secure Linux distribution which is used for firewalls, routers, gateways, and servers. The goal of Devil-Linux is to have a small, customizable, and secure Linux system. Configuration is saved on a floppy disk or USB stick, and it has several optional packages. Devil-Linux boots from CD, but can be stored on CF cards or USB sticks. My goal is to find one that I like and integrate bwmtools, bandwidthd and ShoreWall into their frontends.
The proprietary vendors need a bit more competition in this space IMO.
Also I think Shorewall would make a fine standard firewall framework for Linux. Either that or some standard API needs to be created for Linux Firewalls.
Tags: firewall, linux
05:27 am
2.6.20-16 in Ubuntu Feisty released
Looking at the changelog for 2.6.20-16, which was just released, I see some "forward ports" done from the Ubuntu Edgy 2.6.17 kernel.
I wonder how much effort is being put into merging these changes upstream. In the best case, forward ports shouldn't be needed since all of the patches would have been merged upstream.
Hopefully the load of carrying the patches will be encouragement enough to get them merged upstream.
Tags: feisty, kernel, linux, ubuntu
09:42 pm
Routing, VMware & Wireless
I spent today hacking with my friend Charles Wyble, in addition to returning and borrowing some books. :)
We set up a Linux router in a VMware guest. His machine now has five ethernet ports (one built-in and four on a multi-port card), but the tulip driver in Ubuntu Dapper Server has a weird probing quirk: the ports that are physically ordered 1, 2, 3, 4 were detected as eth4, eth1, eth2, eth3. No problem. Just reorder the network interface names in /etc/iftab and we're set.
Next we configured the VMware networking so that each vmnet is associated with the correspondingly numbered ethX interface, so eth1 -> vmnet1, etc. Then we added a "host only" interface, but it took over vmnet1, and that was fun to debug. "Why am I not seeing my public IP address on this interface?!"
After getting packets flowing, we installed Shorewall and set up a DMZ. A cursory look at this setup shows that there is a price to pay in resource usage: what takes 2-7% CPU on the host system (a torrent of FC5 at 600 Kbyte/s) takes about 25% CPU within the VM guest on an AMD Athlon XP 2200+. The security and flexibility of this setup are unquestionable, but it is good to know the cost.
Charles also had a problem with Windows in a VMware guest on his Ubuntu Feisty 64-bit laptop not being able to get out to the network. It turned out not to be a Windows problem but an ndiswrapper problem with his bcm43xx chipset wireless card. Plugging in a wired ethernet connection worked around the problem, and getting a Ralink mini-PCI card will be a more permanent solution.
I guess it was a windows problem, since a windows NDIS driver caused the problem. Heh.
Tags: linux, ralink, shorewall, vmware
04:35 pm
Optimizing Linux Performance by Phillip G. Ezolt
Today I finished reading Optimizing Linux Performance by Phillip G. Ezolt.
Even though I already knew a lot about the subject, it did fill in a few gaps in my knowledge of oprofile, kcachegrind, valgrind, vmstat, iostat, script, objdump, gdb and sar. It also clued me into a few tools I didn't know about like ltrace, gprof, memprof, ipcs and etherape.
One tool it didn't mention is dstat. The package description says it all:
<dstat>Dstat is a versatile replacement for vmstat, iostat and ifstat. Dstat overcomes some of the limitations of these programs and adds some extra features.
Dstat allows you to view all of your network resources instantly; you can, for example, compare disk usage in combination with interrupts from your IDE controller, or compare the network bandwidth numbers directly with the disk throughput (in the same interval).
Dstat also cleverly gives you the most detailed information in columns and clearly indicates in what magnitude and unit the output is displayed.
Dstat is also unique in letting you aggregate block device throughput for a certain diskset or network bandwidth for a group of interfaces, i.e. you can see the throughput for all the block devices that make up a single filesystem or storage system.
Dstat's output, in its current form, is not suited for post-processing by other tools; it's mostly meant for humans to interpret real-time data as easily as possible.
One thing about dstat is that it uses six times more memory than vmstat (but the output is prettier):
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mfedyk 23001 0.6 0.5 5452 3824 pts/5 S+ 21:27 0:00 python /usr/bin/dstat 1
mfedyk 23027 0.0 0.0 1780 588 pts/6 S+ 21:28 0:00 vmstat 1</dstat>
I liked the examples used for discovering performance problems, but not most of the solutions proposed. I understand the point of the book isn't detailing the way to optimize your system libraries (glibc, gtk, etc.), but building menu caches in nautilus (the latency performance example) might have gone over better with me if there was at least a mention of improving the library being called. Sometimes the best course of action is to improve the library you're calling in the Open Source Way(tm) instead of just working around problems you find in your application code. The book also shows areas where Linux and its performance tools could be improved. It got me thinking about how to change the entire Linux performance monitoring ecosystem, by first griping about how things are currently and then pontificating on how things would be with a few changes.
Right now, every performance monitoring system (cacti, munin, etc.) has its own performance gathering code. sysstat's sar (System Activity Reporter) is already written in C. It needs to store more statistics and have language bindings to Perl, Python, Ruby, PHP, etc. for polling its database, and a generic stats reporting API for stats gathering agents like snmpd. This would allow one project to be the focal point for system monitoring statistics gathering and remove the duplication of work.
With this work done, performance monitoring *might* be close to what windows currently offers. I don't say that lightly. This is a serious area where Linux needs to catch up.
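As an added example (not code from this journal, from sysstat or from libstatgrab), here is the smallest version of the shared gathering library the paragraphs above and the libstatgrab entry ask for: it parses the raw counters the kernel exposes in /proc/stat and /proc/diskstats and turns two samples into the rates vmstat, iostat and dstat print, the kind of record a cacti or munin agent would poll. The /proc text in the block is constructed, not captured from a real machine; the field layout is the Linux 2.6 one. It also handles the four-counter partition lines old 2.6 kernels print, which a naive column parser would misread, and skips devices whose counters went backwards instead of reporting garbage.

```python
# Added example: a minimal shared stats-gathering module built on /proc.
# Not code from the post, sysstat or libstatgrab; the sample /proc text
# below is constructed for the demonstration.

# Field order of the aggregate "cpu" line in /proc/stat on Linux 2.6
# (jiffies, i.e. 1/USER_HZ second units). Very old kernels omit "steal".
CPU_FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")

# Constructed samples one second apart from a single-CPU box (USER_HZ=100,
# so the deltas add up to 100 jiffies).
STAT_T0 = """cpu  1000 50 300 8000 100 10 20 0
cpu0 1000 50 300 8000 100 10 20 0
intr 12345 0 0
ctxt 67890
"""
STAT_T1 = """cpu  1025 50 310 8050 115 10 20 0
cpu0 1025 50 310 8050 115 10 20 0
intr 12445 0 0
ctxt 68100
"""

# Constructed /proc/diskstats samples two seconds apart. The sda line has the
# full 11 counters; "sda1" is the 4-counter partition form old 2.6 kernels
# print; dm-0 (an LVM logical volume) is idle.
DISK_T0 = """   8       0 sda 1000 200 51200 3000 500 100 20480 2000 0 4000 5000
   8       1 sda1 900 50000 400 20000
 253       0 dm-0 10 0 80 5 0 0 0 0 0 5 5
"""
DISK_T1 = """   8       0 sda 1100 210 63488 3100 520 105 24576 2050 0 4100 5200
   8       1 sda1 990 61000 410 24000
 253       0 dm-0 10 0 80 5 0 0 0 0 0 5 5
"""
DISK_INTERVAL_S = 2.0


def parse_proc_stat(text):
    """Return the aggregate 'cpu' line of /proc/stat as {field: jiffies}."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            values = [int(v) for v in parts[1:1 + len(CPU_FIELDS)]]
            values += [0] * (len(CPU_FIELDS) - len(values))  # pad a missing steal
            return dict(zip(CPU_FIELDS, values))
    raise ValueError("no aggregate cpu line in /proc/stat")


def parse_diskstats(text):
    """Return {device: (sectors_read, sectors_written)} from /proc/diskstats.

    A full line is: major minor name reads reads_merged sectors_read ms_reading
    writes writes_merged sectors_written ms_writing in_flight ms_io weighted_ms.
    Lines with fewer counters (partitions on old kernels) are skipped rather
    than misread, since their columns mean different things.
    """
    disks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        disks[f[2]] = (int(f[5]), int(f[9]))
    return disks


def cpu_percent(before, after):
    """Share of the interval spent in each CPU state, from two /proc/stat samples."""
    delta = {k: after[k] - before[k] for k in CPU_FIELDS}
    total = sum(delta.values())
    if total <= 0:  # identical samples, or a counter wrap on a 32-bit kernel
        return {k: 0.0 for k in CPU_FIELDS}
    return {k: round(100.0 * v / total, 1) for k, v in delta.items()}


def disk_kib_per_sec(before, after, interval_s):
    """Per-device (read KiB/s, write KiB/s) between two diskstats samples.

    Sector counters are 512 bytes each regardless of the drive's sector size.
    Devices present in only one sample (hot-plugged) or whose counters went
    backwards (wrapped) are left out rather than reported as nonsense.
    """
    rates = {}
    for dev, (r1, w1) in after.items():
        if dev not in before:
            continue
        r0, w0 = before[dev]
        dr, dw = r1 - r0, w1 - w0
        if dr < 0 or dw < 0:
            continue
        rates[dev] = (round(dr * 512 / 1024 / interval_s, 1),
                      round(dw * 512 / 1024 / interval_s, 1))
    return rates


def sample_report():
    """Run both parsers over the constructed samples and return one record."""
    return {
        "cpu": cpu_percent(parse_proc_stat(STAT_T0), parse_proc_stat(STAT_T1)),
        "disk": disk_kib_per_sec(parse_diskstats(DISK_T0), parse_diskstats(DISK_T1),
                                 DISK_INTERVAL_S),
    }


if __name__ == "__main__":
    report = sample_report()
    print("cpu%:", " ".join(f"{k}={v}" for k, v in report["cpu"].items()))
    for dev, (rd, wr) in sorted(report["disk"].items()):
        print(f"{dev}: read {rd} KiB/s, write {wr} KiB/s")
```

On a live box the two samples come from reading the /proc files before and after a sleep; everything above the parsers is the part that differs between tools today, and everything below them is what a shared library would own.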
gnome-system-monitor (g-s-m): The lines are so thick it looks like they were drawn with a crayon. Vital stats like nice, system, hard and soft irq CPU usage are not shown. So much vertical space is wasted on the child-sized buttons for changing the colors of the lines. At least it doesn't flicker when updating its stats anymore. This tool has improved steadily over time but still needs a lot of work. Compare this with Windows' Task Manager. While not the best, it does present more information in less screen space than g-s-m.
Also, since the book was written when Fedora Core 2 was current, a few things have improved since then. For instance, major and minor faults are accounted for properly now. Let's get that per-process block and socket/pipe statistics gathering into the kernel.
Tags: linux, optimizing, performance, phillip g. ezolt
06:22 pm
Xen or VMware or OpenVZ?
Of course OpenVZ is not mutually exclusive with either Xen or VMware. They can be used together, but that is not the purpose of this post...
I found an interesting link to a forum post on the centos mailing list talking about OpenVZ today.
It says that once the memory limits are reached in an OpenVZ Virtual Environment (VE) it kills the process that hit the limit.
<speculation>I suspect (since I haven't researched and found the details yet) that after reaching the memory limit in a VE, OpenVZ simply refuses allocating memory when processes request more memory. That can be bad because a lot of apps don't handle this very well and die. You would see this also if you simply limited the memory allowed to a process group or user.</speculation>
What happens differently when a virtualized kernel (as in Xen or VMware) hits its physical memory limit is that it starts using swap, and if swap is full or unavailable[1] it discards as many memory pages as possible: disk cache, mmap()ed executables, etc. This can allow more memory to be allocated, though with a serious drop in performance.
But the kernel tries hard to satisfy the allocation before refusing.
If my speculation above is correct and OpenVZ hasn't modified the Linux virtual memory manager so that it simulates "memory pressure" in each VE independently, then OpenVZ (and presumably the generic Linux resource limits code) will simply reach the limit and refuse further allocations without trying hard to find space for them, and will have serious problems with applications that don't handle memory allocation failures properly (that would be most programs).
This needs to be looked into further...
1. Some people have gotten into the habit of configuring systems without swap. This mostly started because of the terrible VMM in the early 2.4.x kernel series. If you're running a kernel from kernel.org after 2.4.16 or any distro kernel, you should configure swap space on your system(s).
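The post notes that the same thing would be seen by simply limiting the memory allowed to a process, and that is easy to observe with the generic Linux resource limits. The block below is an added example, not from the post or from OpenVZ: it starts a child process that caps its own address space with setrlimit(RLIMIT_AS) (the 512 MiB cap and 1 GiB request are constructed values) and then asks for more than the cap. The kernel refuses the allocation outright, with no swapping and no page-cache reclaim, and the two variants show the difference between a program that checks for the failure and one that does not. It needs a Linux host, since RLIMIT_AS is not enforced on every platform.

```python
# Added example, not from the post or OpenVZ: what a hard memory limit does to
# a process that asks for more than the limit allows, using the generic Linux
# resource limits (RLIMIT_AS). Linux-only.
import subprocess
import sys

LIMIT_BYTES = 512 * 1024 * 1024      # constructed: address-space cap for the child
REQUEST_BYTES = 1024 * 1024 * 1024   # constructed: deliberately above the cap


def child_source(handle_failure):
    """Python source for the child. It caps its own address space and then
    allocates REQUEST_BYTES; the malloc()/mmap() behind bytearray() is refused
    by the kernel and Python reports that as MemoryError."""
    lines = [
        "import resource, sys",
        f"LIMIT = {LIMIT_BYTES}",
        f"REQUEST = {REQUEST_BYTES}",
        "resource.setrlimit(resource.RLIMIT_AS, (LIMIT, LIMIT))",
    ]
    if handle_failure:
        # A program that checks its allocations can degrade gracefully.
        lines += [
            "try:",
            "    buf = bytearray(REQUEST)",
            "except MemoryError:",
            "    print('allocation refused; continuing without the buffer')",
            "    sys.exit(0)",
        ]
    else:
        # The common case the post worries about: no check at all, so the
        # refused allocation takes the whole process down.
        lines += ["buf = bytearray(REQUEST)"]
    lines += ["print('allocation succeeded')", "sys.exit(0)"]
    return "\n".join(lines) + "\n"


def run_under_limit(handle_failure):
    """Run the child and return (exit_code, stdout, last_stderr_line)."""
    proc = subprocess.run(
        [sys.executable, "-c", child_source(handle_failure)],
        capture_output=True, text=True, timeout=60,
    )
    err_lines = proc.stderr.strip().splitlines()
    return proc.returncode, proc.stdout.strip(), (err_lines[-1] if err_lines else "")


if __name__ == "__main__":
    for handled in (True, False):
        rc, out, err = run_under_limit(handled)
        label = "checks allocations" if handled else "ignores failures"
        print(f"{label}: exit={rc} stdout={out!r} stderr={err!r}")
```

The limit is set inside the child only, so the parent is unaffected; the unchecked variant exits non-zero with a MemoryError traceback, which is the "process dies" outcome the mailing list post describes, while the checked variant carries on.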
Tags: centos5, linux, openvz, virtualization, vmware, xen
06:06 pm
Linux Disk accounting with LVM Snapshots
I was reading a lot of data from one LVM logical volume today and wanted to watch the disk statistics with iostat. To my surprise, I was seeing the same activity on two logical volumes (LVs) and on the physical disk containing the two.
A little investigation showed that one LV was a snapshot of the other, and I was reading from one of the snapshots.
While I understand that the two LVs share some common logical extents (LEs), I believe it is a bug that the disk statistics show activity on both logical volumes.
Should I report this in the centos bugzilla or on upstream's bts?
Thanks,
Mike Fedyk
http://lists.centos.org/pipermail/centos/2007-May/081227.html
Tags: centos5, linux, lvm
11:21 am
JBOD SATA enclosures: Multi-Lane SAS/SATA
Port multiplier support in libata is just hitting lowercase 'experimental' status and is still a ways off from hitting mainline at kernel.org. The only other option is a hardware RAID controller like the MegaRAID SATA 300-8X, but that is not an option in my case because the servers I am working with only have 5 volt PCI-X slots and all of the 8-port SATA cards I have found are 3.3 volt only.
Another option for economical external JBOD SATA is the multi-lane SAS variety. One of the nice things about multi-lane SAS/SATA (and eSATA with Port Multipliers) enclosures is that they are easily partitionable. The multi-lane will allow you to connect up to four (up to 5 with eSATA) drives directly to as many as three servers within cabling distance per 12-drive enclosure.
With this setup I will be able to plug a 4-port SATA controller into any quad-CPU rackmount server bought off eBay, without the expense of SCSI drives and without a dependency on any single controller model, by using software RAID. Another option is connecting all drives to one Linux server, exporting them over iSCSI and/or NFS, and booting off the network.
There are a couple more offerings now when compared to even two months ago. Let's review the contenders:
PC-Pitstop SC-SATA12RM, $849
At first glance you can easily see that it is composed of three 4in3-bay internal enclosures like the ISTAR BPU-340SATA. At first I was surprised they didn't use the 5in3 ISTAR BPU-350SATA to fit 15 drives into the same space, but then I remembered. I have used an internal enclosure like the 4in3. If you want to keep your drives in a rattling, vibrating box, then use one of those internal aluminum 4in3 enclosures.
PC-Pitstop SC-SATA12RMD, $1,199
As one of the new products available, this enclosure comes with a dual power supply, improved cooling and a front cover with lock. Yet it also noticeably uses four of the 3in2 internal enclosures similar to the ISTAR BPU-230SATA. Maybe that says something about the 4in3. I hope I'm wrong about these enclosures from PC-Pitstop as far as vibration is concerned.
Norco DS-1240 (available from iPCDirect), $599
There are several reviews available. Reviews by Amug, ExtremeTech, and newegg for the eSATA model and Firewire model are available. All of them are favorable to the quality of the enclosure, with several mentioning the steel construction and approx. 30 lb weight without drives. One went so far as to call it a "tank", and there were no complaints about the trays or loading mechanism. Any criticisms were confined to the ease of accidental disconnection and speed of the firewire or USB interface, noise of the fans, quality of the included Silicon Image controller, or incompatibility of the port multiplier with the eSATA model. None of those criticisms are relevant to this model, because it will be on a rack next to equally loud rackmount servers and this model uses multi-lane SAS connectors with thumb-screws.
I was able to find one review for PC-Pitstop's 8 drive tower model. It uses two multi-lane connectors but is not rackmount. It also seems to avoid problems by not using internal X-in-Y drive enclosures. I haven't found any negative reviews of multi-lane SAS JBOD enclosures.
Tags: enclosure, external, jbod, libata, linux, multi-lane, port_multiplier, sas, sata