Grant McWilliams


Creating an iSCSI target on Xen Cloud Platform 1.1

Prerequisites

  • XCP/XenServer
  • Access to the Internet

Update: June 2nd, 2014 - I changed most of the tgtadm long format options to short format due to my not being able to remember the long format. For some reason --lld didn't seem like a valid option. I did however keep --lun and --backing-store.

Premise: I have two pools. The first has one host in it that acts as a router, firewall and host for a couple of special VMs (DNS, DHCP, NFS, Web) serving the hosts in a second pool. I've added iSCSI SAN to its list of jobs using a software iSCSI target in the 8 steps below.

 

1. Install tgt from CentOS repos

yum --enablerepo=base install scsi-target-utils

2. Start the tgt service

service tgtd start

chkconfig tgtd on

3. Preparing for LVM

I'm using a separate hard drive, /dev/sdb, and creating one partition which will be used as my LVM Physical Volume. We'll then add it to a Volume Group and carve it up into Logical Volumes. This way I can just add another hard drive to the Volume Group when we want more capacity and the rest of the tutorial stays the same. The bold letters are what I input; I accepted the defaults everywhere else.
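As an added example of where step 3 leads (my script, not the author's), here the partition from step 3 becomes an LVM logical volume and tgt exports it, using the short tgtadm options the June 2014 update mentions while keeping --lun and --backing-store long. The volume group, logical volume, IQN and the 192.168.1.0/24 initiator subnet are assumptions; substitute your own. The part worth keeping even if you change everything else is the bind to a specific initiator subnet: `-I ALL` lets any host that can reach port 3260 attach the LUN, and the tgtadm calls live only in tgtd's memory, so the same target is also written to /etc/tgt/targets.conf for tgt-admin to restore after a reboot.

```shell
#!/bin/bash
# Added example: carve an LVM volume out of /dev/sdb1 and export it with tgt,
# reachable only from the second pool's subnet. Run as root on the tgtd host.
set -eu

SAN_DISK=/dev/sdb1                              # partition created in step 3 (assumed)
VG=vg_san                                       # hypothetical volume group name
LV=lv_xcp01                                     # hypothetical logical volume name
LV_SIZE=100G
TARGET_IQN="iqn.2014-06.com.example:san.xcp01"  # hypothetical IQN
INITIATOR_NET=192.168.1.0/24                    # hypothetical: the second pool's subnet
TID=1
LUN=1

# IQN form is iqn.yyyy-mm.<reversed-domain>[:<unique-name>] (RFC 3720).
iqn_is_valid() {
  case "$1" in
    iqn.[0-9][0-9][0-9][0-9]-[0-9][0-9].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the persistent targets.conf stanza: $1 = IQN, $2 = backing store,
# $3 = initiator address/subnet. tgt-admin -e replays it at service start.
targets_conf_stanza() {
  printf '<target %s>\n    backing-store %s\n    initiator-address %s\n</target>\n' \
    "$1" "$2" "$3"
}

build_target() {
  iqn_is_valid "$TARGET_IQN" || { echo "bad IQN: $TARGET_IQN" >&2; return 1; }
  pvcreate "$SAN_DISK"
  vgcreate "$VG" "$SAN_DISK"
  lvcreate -L "$LV_SIZE" -n "$LV" "$VG"

  # Short forms: -L/--lld, -o/--op, -m/--mode, -t/--tid, -T/--targetname,
  # -I/--initiator-address. --lun and --backing-store stay long as in the post.
  tgtadm -L iscsi -o new -m target -t "$TID" -T "$TARGET_IQN"
  tgtadm -L iscsi -o new -m logicalunit -t "$TID" --lun "$LUN" --backing-store "/dev/$VG/$LV"
  # Bind to the pool's subnet instead of "-I ALL", which accepts any initiator.
  tgtadm -L iscsi -o bind -m target -t "$TID" -I "$INITIATOR_NET"

  targets_conf_stanza "$TARGET_IQN" "/dev/$VG/$LV" "$INITIATOR_NET" >> /etc/tgt/targets.conf
  tgtadm -L iscsi -o show -m target
}

# Only run the root-only part when explicitly asked: ISCSI_BUILD=1 ./iscsi-target.sh
if [ "${ISCSI_BUILD:-0}" = 1 ]; then build_target; fi
```

Check the result from an XCP host in the second pool with `iscsiadm -m discovery -t sendtargets -p <san-ip>`; a host outside the bound subnet should see nothing.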


There's been a flurry of activity around The Man, The Myth, The Legend in the Xen Howtos section and for good reason: CentOS6 was released. It all started as a simple update to my installation tutorials but ultimately I spent half a week on it. There were some issues with how I was doing things because CentOS5 used the old Xen kernel while CentOS6 ships a newer kernel and manages guests through libvirt. As of RHEL6/CentOS6, Xen host (dom0) support is no longer in the kernel. Xen guest (domU) support is, however, and is handled by libvirt. Last week the last bits of Xen dom0 support were merged into Linux kernel 3.0. This means that going forward all Linux distributions will have Xen dom0 ability unless the distributors remove it.

I've written and tested two xen tutorials this week.

During the process of writing these tutorials I shrunk the size of the Disk Image. I did this because I like nice small VM disk images (and sparse too) so I can duplicate them and move them around easily. It's fairly easy to resize a disk image so I updated all four tutorials on how to resize Dom0 Disk Images and Logical Volumes as well as DomU Logical Volumes and partitions. I attempted to make it clearer too what the scenario was so people would know what the tutorial was trying to accomplish.

As always have lots of fun and let me know if something doesn't work via the comments.


Note: I lost my original xen config files so I've created new ones here. I no longer have a xen system so I can't test them. Please let me know if the tutorial still works or not -Grant

Introduction

A lot of this tutorial was stolen from my CentOS 5 Installation which in turn was stolen from the CentOS wiki. I've shortened and updated it for installing a CentOS 6 DomU. I just copy and paste all the indented lines into a root terminal and voila! a CentOS VM.

1. Creating a Virtual Disk Image

The first step is to create a disk image that will act as the VM hard drive. The following command will create a roughly 4 GB sparse disk image named /srv/xen/centos6.img. A sparse file is created in such a way that the disk image doesn't actually take up the whole 4 GB until you fill it up. If you'd like a larger (about 11 GB) disk image substitute seek=10240 into the following line. I make my VMs nice and small so I can move them around easier. Making a disk image larger or adding a second drive later is easier than making it smaller or taking a drive away.

 

dd if=/dev/zero of=/srv/xen/centos6.img oflag=direct bs=1M seek=3800 count=1

2. Preparing the Xen configuration file for installation

Xen uses one configuration file per VM. We will start out with a config to do the install and replace it later with a config for normal operation. Now we download the install kernel, ramdisk and xen config file. These are plain-HTTP downloads of a kernel and initrd you are about to boot and a config file Xen will read as root, so compare the kernel and initrd against the checksums your mirror publishes before using them, and read through the downloaded config before the first boot.

wget http://mirror.centos.org/centos/6/os/x86_64/isolinux/vmlinuz -O /boot/vmlinuz-xen6-install
wget http://mirror.centos.org/centos/6/os/x86_64/isolinux/initrd.img -O /boot/initrd-xen6-install
wget http://www.grantmcwilliams.com/files/xen-centos6-x86_64-install -O /etc/xen/centos6

  

 

3. Starting the installation

A kickstart file holds instructions for automatic installation and is referenced in my xen config above. My example kickstart file is very minimal but is enough to get a working CentOS 6 VM.

 


Note: I lost my original xen config files so I've created new ones here. I no longer have a xen system so I can't test them. Please let me know if the tutorial still works or not - Grant

Introduction

A lot of this tutorial was stolen from my CentOS 5 Installation which in turn was stolen from the CentOS wiki. I've shortened and updated it for installing a CentOS 6 DomU. I just copy and paste all the indented lines into a root terminal and voila! a CentOS VM.

1. Creating a Virtual Disk Image

The first step is to create a disk image that will act as the VM hard drive. The following command will create a roughly 4 GB sparse disk image named /srv/xen/centos6.img. A sparse file is created in such a way that the disk image doesn't actually take up the whole 4 GB until you fill it up. If you'd like a larger (about 11 GB) disk image substitute seek=10240 into the following line. I make my VMs nice and small so I can move them around easier. Making a disk image larger or adding a second drive later is easier than making it smaller or taking a drive away.

 

dd if=/dev/zero of=/srv/xen/centos6.img oflag=direct bs=1M seek=3800 count=1

2. Preparing the Xen configuration file for installation

Xen uses one configuration file per VM. We will start out with a config to do the install and replace it later with a config for normal operation. Now we download the install kernel, ramdisk and xen config file. These are plain-HTTP downloads of a kernel and initrd you are about to boot and a config file Xen will read as root, so compare the kernel and initrd against the checksums your mirror publishes before using them, and read through the downloaded config before the first boot.

wget http://mirror.centos.org/centos/6/os/i386/isolinux/vmlinuz -O /boot/vmlinuz-xen6-install
wget http://mirror.centos.org/centos/6/os/i386/isolinux/initrd.img -O /boot/initrd-xen6-install
wget http://www.grantmcwilliams.com/files/xen-centos6-i386-install -O /etc/xen/centos6

 

 

 

3. Starting the installation

A kickstart file holds instructions for automatic installation and is referenced in my xen config above. My example kickstart file is very minimal but is enough to get a working CentOS 6 VM.

 


In case you've been living under a rock for the past few weeks you'll know that Google released its Google+ service. Normally I wouldn't take Google too seriously when dealing with social networking because they've been completely unsuccessful in the past (Orkut, Wave, Buzz) and in the latter case the results were disastrous. However, Google+ is a force to be reckoned with. I've been using Google+ along with Facebook for the last week or two to get an idea of how good/bad it is. Here are a few thoughts first.

  • Looks kind of like Facebook mixed with a 1984 Apple Mac
  • The people who are on it currently are mostly techies so there's very little of this -
  • It's very easy to find and add friends
  • It's got its tentacles in everything (something FB has just started by allowing you to like things on third party sites)
  • You can search your posts
  • I don't see any Notes functionality
  • There are no game apps (but there are hints of that coming in code)
  • You can add posts from iGoogle or Gmail
  • You can drag and drop media on your post box
  • You can import entire on-disk photo albums in one shot
  • The handling of photos is on a completely different level
  • There are group video chats
  • There are outside feeds for your wall
  • You have complete control over who sees what

I think if you know Google products you'll see a lot of integrated code here: Google Reader, Picasa, Google Chat, Gmail, Google Search etc.

What's missing in Google+:

  • games and apps
  • notes
  • wall posts
  • direct messages (uses email)

Apps

Facebook largely unseated MySpace because of its numerous apps and games. We'll see how fast Google adds this ability.

Notes

The notes will be really easy if they integrate blogger but for me they'd still need to have the same level of access control.

Wall

Wall posts would be easy but I'm not sure they'll do it because it would be difficult to integrate into their access control system. Currently when you post you get to see which circles (or all) can view the post. If someone else posts on your wall how do you decide this? They'd have to give up some of the access control functionality if they allowed wall posts unless all wall posts were moderated by the wall owner. For instance, if someone wants to post on my wall, I'd look at the post and decide which circles get to view it before any could. That would be possible.

Messages

Direct messages should probably be handled in chat/mail. It's all starting to blur anyway. In Facebook a message has persistence whereas chat messages disappear as soon as you close the window. Facebook has already started to merge these two things into one, although very clumsily. I think I'd rather Google use chat to handle user messages than email since it saves it in your email anyway and has direct delivery if both parties are online.

Design

Design-wise I think FB is a bit tighter and more space efficient. I also think that having contrast between sidebars, comments etc. is a nice thing which Facebook does. Google+ was designed by the same guy who did the Macintosh interface from the 80s and although reviewers have raved about it I think the designer isn't aware that at some point computers started coming with colored monitors standard. Maybe he designed it on an 80s Mac. Here's hoping that Google tightens it up a bit in the future.

Google+ tip for the day - make it look like Facebook!
 
You may or may not want to do this depending on whether you like the 1984 Mac look of Google+ or not.
 
Go to http://userstyles.org/styles/50051/google-facebook and follow the link for installing Stylish which they have for most web browsers. I've installed it in both Firefox and Chrome.
 
Once Stylish is installed in your web browser refresh the page and you'll see a link to install the Facebook style. Click that and browse Google+ again.

If you were the single largest commercial entity in the world don't you think you could afford to hire someone that could work on your website without taking it offline?

Or even freeze the content on the website, copy it, do the updates, then flip IP addresses so now the new one will show up? Maybe Walmart pays their IT people like they pay their other employees.

Oh, and I'd be curious how fast the response from help@walmart.com would be. LOL

Sometimes you are in the trenches and you can't see anything but dirt. On occasion you're allowed to stand on a step ladder to get an idea of where you are. I just got that opportunity yesterday. In the mid 90s I started using Windows as my primary OS, then soon after ran Windows and Linux simultaneously. By 2002 I'd deleted all of my Windows clients and servers and haven't owned a version of Windows since. However, this is not my entire history in the computing world. Throughout the mid 80s and early 90s I used Amigas (yes, I'm one of those). If you're unaware of what the Amiga is you might want to look it up on Wikipedia as they have a decent article on the history and collapse of the Amiga. In short it was created by a small group of geniuses who didn't possess enough capital to go anywhere with it. It was then sold to an incredibly ignorant company, Commodore. Commodore went from being the 10th largest PC company in the world to bankrupt in about 2 years in the early 90s. Then Amiga was sold to a European PC company called Escom who also went bankrupt a couple of years later. Then it was sold again to Gateway 2000 who did next to nothing with it for a few years and in 2000 it was sold again to some investors who created Amiga Inc. No new computers have been released in 15 years and yet people keep paying for this thing and you may be confused as to why. That's understandable so I'll try to explain.

And now for something completely different

How to install the Amiga Replacement Operating System (AROS) in VirtualBox. We'll be using the Icaros distribution of AROS and installing it in VirtualBox so we can play with it.

Step 1: Getting the ISO

Download the Icaros Live DVD from www.icarosdesktop.com

  1. HTTP download - http://www.icarosdesktop.com/icarosfiles/IcarosLive_1_5_1-1.7z.exe
  2. Rename it without the .exe extension, i.e. IcarosLive_1_5_1-1.7z (the .exe is a self-extracting 7z archive; renaming it lets a normal 7-Zip/p7zip tool open the archive instead of running the Windows extractor stub)
  3. Extract it by double clicking it. You should have a .iso file now.

Back in the old Amiga days we knew the value of specialized processors for specialized jobs. The Amiga could do things that computers with 10x the power couldn't do. However, when it got to something its specialized processors weren't designed for it was slow again. The first time Intel added a special processor into the CPU was in the i486 days and that processor was the floating point co-processor. Before the integration floating point math was handled by a special chip on the motherboard or by software routines. The hardware floating point math was somewhere around 20 times faster than in software. Every once in a while Intel and AMD added additional instructions that would speed up some function. Most of these instructions were multimedia related (SSE, 3DNow!) and none of them affected my life any. Fast forward to 2005 or so and we see VIA, the underdog in the x86 race, add PadLock instructions to its C3 CPUs (the ones paired with the CN400 chipset) to speed up encryption algorithms. So for one particular function (AES encryption/decryption) this CPU/chipset combo was blazing fast but for everything else it was still dog slow. Interesting idea but poorly executed perhaps. I did build a mini-ITX router using the VIA chipset. With VIA PadLock providing hardware encryption/decryption it's been great for SSH, OpenSSL and AES disk encryption via cryptsetup. It however doesn't make a very fast desktop computer.

 

Intel has grabbed this idea of hardware AES support and added it to their new CPUs, CPUs that in their own right are fast enough to be useful, so I picked up a 2.5 GHz Core i5 system. My main desktop computer is an AMD Phenom II 6-core system at 2.8 GHz which I'll be using as a baseline. It's fairly fast but has no hardware crypto support. I'm going to demonstrate some typical benchmarks to show the general speed of each CPU, then focus on the hardware crypto support using OpenSSL, OpenSSH and cryptsetup.

 

Before you get all excited because you have a recent Intel CPU and you think it has AES-NI in it you might want to check Intel's beta comparison chart (which seems impossible to find by googling) at http://ark.intel.com/MySearch.aspx?AESTech=true. You can also use this comparison to check other options in the CPU like VT-x and VT-d. I keep this chart bookmarked and check it before any purchase of Intel CPUs, otherwise I'd end up with a bunch of stuff I don't want. Do NOT assume anything when dealing with Intel. For instance the Core i5-460 does NOT have AES-NI but the Core i5-560 does, which sort of makes sense since the i5-560 is a bigger, more powerful CPU, right (as shown by the bigger model number)? Not necessarily true, as seen by a weirder example: the Core i5-650 (AES-NI) and the Core i5-750 (no AES-NI). Why would a more expensive, more powerful CPU with a higher number not include AES-NI? I don't know, ask Intel.

 

To show the differences between hardware and software encryption I've prepared three computers without hardware crypto support and two that have it. The company that started it all was VIA with the PadLock instructions in its C3 CPUs, so I've included an EPIA SP Mini-ITX motherboard sporting a VIA C3 at 1.3 GHz with the CN400 chipset and 1 GB of DDR RAM. As a reference I've included a basic MSI Wind netbook with an Intel Atom 230 at 1.6 GHz. I don't expect much of anything out of this dog slow CPU but I think what we'll see is how much encryption impacts it: even though we may choose not to do full disk encryption we may connect to a VPN or log into HTTPS websites and feel the pain. The other CPU with hardware encryption instructions is the new Intel Sandy Bridge Core i5-2520 at 2.5 GHz. This has the aforementioned AES-NI instructions which should speed things up nicely. The Core i5 is a dual core CPU so for contrast I've included an AMD Athlon II X3, a triple core CPU running at 2.9 GHz. With another 400 MHz and an additional core this should give the Core i5 some competition. Lastly I've included an AMD Phenom II X6, a hexacore beast running at 2.8 GHz which through brute force should be able to turn in some pretty good numbers.

 

  • VIA Mini-ITX: VIA C3 @ 1333 MHz, CN400 chipset, 1 GB DDR-400 RAM
  • Intel Netbook: Intel Atom 230 @ 1600 MHz, 1 GB DDR2 RAM
  • AMD: AMD Athlon II 435 @ 2900 MHz, 2 GB RAM
  • Intel AES-NI: Intel Core i5-2520 @ 2500 MHz, 8 GB RAM
  • AMD Hexacore: AMD Phenom II X6 @ 2900 MHz, 4 GB RAM

 

Baseline Benchmarking with Passmark

The first test is a general benchmark to demonstrate the overall performance of the systems. The Passmark statistics can be found at http://www.cpubenchmark.net.

The interesting thing to note about this chart is the incredible speed Intel is getting out of each one of its i5 cores. The Core i5 has 2/3 the performance of the Phenom X6 with 1/3 the cores and at a lower clock speed. This is very impressive. The Athlon II doesn't fare so well against the Core i5 and I think it's safe to say both the Atom and the C3 are dog slow. You don't realize how bad the Atom is until you compare it to a run-of-the-mill desktop CPU and realize it has about 1/10 the power. It has to be noted that the Atom and C3 only have one core, but still, one core in the Core i5 is about 6x faster than one core in the Atom. Just for kicks I looked up the speed of an ancient AMD Athlon 2600+ from 8 years ago, which we wouldn't even think about building a computer out of now, and it trounces the Atom! The Atom uses less electricity and costs pennies to make, which is why it exists.

 

OpenSSL

Our first encryption-specific test uses openssl's speed benchmark. I've tested both the aes-128-ecb and aes-128-cbc ciphers and only posted the results for 8192-byte blocks.

Whoa! Our next-to-worthless VIA C3 puts a big lump on the Hexacore! In fact the VIA C3 beats the Hexacore in both tests by as much as 50%! The numbers for the VIA C3 are VERY impressive. For a CPU with 1/30th of the power of the Phenom II X6 it's pretty fast at doing this one thing. The Intel Core i5 pulls ahead by a good margin using its hardware AES-NI instructions, which is expected, with a 2x - 10x speed improvement over the Hexacore.
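As an added check (my code, not from the post) for the two things above, which accelerator the CPU actually advertises and whether OpenSSL is being measured through it: the flag names come from /proc/cpuinfo (aes for AES-NI, ace/ace_en for VIA PadLock's AES unit), and the benchmark is run both ways because `openssl speed aes-128-cbc` without `-evp` times OpenSSL's portable C implementation and never touches AES-NI or PadLock; only the `-evp` form (plus `-engine padlock` on the VIA, with the 1.0-era OpenSSL these systems would have run) reaches the accelerated code. The parser handles both row layouts `openssl speed` prints ("aes-128 cbc" for the generic path, "aes-128-cbc" for the EVP path) and takes the 8192-byte column the post reports.

```shell
#!/bin/bash
# Added example: report the CPU's AES accelerator and compare openssl speed
# through the generic and the EVP (accelerated) code paths.
set -eu

# Map /proc/cpuinfo flags to the accelerator OpenSSL could use. The flag
# string is passed in so the function is testable without /proc.
#   aes            Intel/AMD AES-NI
#   ace / ace_en   VIA PadLock ACE (AES) present / enabled
aes_accel_from_flags() {
  case " $1 " in
    *" aes "*)    echo aesni ;;
    *" ace_en "*) echo padlock ;;
    *" ace "*)    echo padlock-disabled ;;   # unit present but not enabled
    *)            echo none ;;
  esac
}

cpu_aes_accel() {
  aes_accel_from_flags "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
}

# Print the 8192-byte column (in kB/s, "k" stripped) for one cipher from
# `openssl speed` output. The row name is rebuilt from every leading field
# that is not a "1234.5k" number, so "aes-128 cbc" and "aes-128-cbc" both
# match "aes-128-cbc". Columns are 16, 64, 256, 1024, 8192 [,16384] bytes,
# so 8192 is always the fifth data field.
kbps_8192() {
  awk -v name="$1" '
    { k = ""
      for (i = 1; i <= NF && $i !~ /^[0-9.]+k$/; i++) k = k (k == "" ? "" : "-") $i
      if (k == name && i + 4 <= NF) { v = $(i + 4); sub(/k$/, "", v); print v; exit } }'
}

# Ratio b/a with one decimal, for "how much faster" statements.
speedup() { awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", b / a }'; }

# Generic path vs EVP path. A large gap between the two on a machine that
# reports aesni or padlock means the application must use EVP to benefit.
bench_aes128() {
  cipher=aes-128-cbc
  plain=$(openssl speed "$cipher" 2>/dev/null | kbps_8192 "$cipher")
  evp=$(openssl speed -evp "$cipher" 2>/dev/null | kbps_8192 "$cipher")
  printf 'accel=%s generic=%sk evp=%sk evp/generic=%sx\n' \
    "$(cpu_aes_accel)" "$plain" "$evp" "$(speedup "$plain" "$evp")"
}

# On the VIA box the engine has to be loaded explicitly (1.0-era OpenSSL):
#   openssl engine -c padlock
#   openssl speed -engine padlock -evp aes-128-cbc

# Only run the benchmark when asked: AES_BENCH=1 ./aes-check.sh
if [ "${AES_BENCH:-0}" = 1 ]; then bench_aes128; fi
```

The same `-evp` distinction applies to the post's later OpenSSH and cryptsetup numbers only indirectly: sshd and the kernel's dm-crypt pick their own AES implementation, so a fast `openssl speed -evp` result does not by itself mean either of them is using the hardware.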

 

Truecrypt

  

TrueCrypt 7.0a has support for AES-NI but not for PadLock, which shows up in the VIA C3's horrible results. Ten MB/second encryption speed isn't worth anything. I also included results for Twofish, which no CPU here accelerates in hardware, to show the advantage of having hardware crypto support. The Atom is dog slow as we'd expect but almost usable. You could encrypt a USB thumb drive and not notice the impact too much outside of your CPU going to 100% when you write to it.

The Hexacore is about 3x faster than the X3, which is interesting as it only has twice the number of cores. I can't really explain that one. However, the Core i5 pulls ahead by quite a large margin, but only because of AES-NI. AES speed is about 2.5x that of the Hexacore, which is VERY impressive for a 2-core CPU pulling off 1.9 GB/sec average encryption/decryption speed. However, using Twofish as the cipher shows the Hexacore's muscle: it is roughly twice as fast as the Core i5.

 

Real World Benchmarks

Benchmarks are fun to look at but what we really need is a real world test, although the bars here are not to scale I'm afraid so you'll need to use the numbers. For a real world test I could just encrypt a volume and write to it but the results across this wide range of hardware would be irrelevant because the disk systems and drives themselves are vastly different in speed. So to create a fairer playing field and focus on the encryption abilities I've created a 400 MB ramdisk, then created a file inside and using losetup attached it to a loopback device. Once I have the loopback device I can format or encrypt the device as I please. To limit human error I've created a script named testluks.sh that I used to automate this process on each machine. This script is available in the Bash Downloads section.

 

The command line I used to do the actual encryption is as follows

cryptsetup -q -c aes-cbc-essiv:sha256 -h ripemd160 luksFormat /dev/loop0 ./secure.key

The secure.key file you'll need to create yourself if you want to duplicate this benchmark. You can make a 256-byte keyfile by reading data out of /dev/urandom, which is what the command below does (reading /dev/random a byte at a time can block for a long time on a headless box while the kernel waits for entropy). I won't get into how secure this data is here as I'm mainly interested in testing speed. If you want to use cryptsetup or TrueCrypt in production you may want to research keyfiles more thoroughly, and at minimum keep the keyfile readable only by root, since anyone who can read it can open the volume. It should be noted that TrueCrypt has a decent keyfile generator.

sudo dd if=/dev/urandom of=./secure.key bs=1 count=256

 

Once I had an encrypted device in ram I used dd to write a large file into it using the following command string

dd if=/dev/zero of=/media/cryptdisk/bigfile.bin bs=10240 count=25000
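The post's testluks.sh lives in its downloads section rather than on this page, so here is an added reconstruction of the same procedure (my script, not the author's): a tmpfs ramdisk, a loop-backed image inside it, a write test on that image plain and again after LUKS-formatting it with the cipher line above. The mount points, image size and mapper name are assumptions. Two choices are deliberate: the keyfile comes from /dev/urandom and is created under umask 077, and dd runs with conv=fsync so the figure it reports is measured after the data has gone through dm-crypt rather than how fast the page cache can absorb 256 MB, which is what a plain dd into a mounted filesystem mostly measures.

```shell
#!/bin/bash
# Added example: ramdisk + loop + LUKS write benchmark in the spirit of the
# post's testluks.sh. Paths, sizes and the mapper name are assumptions.
# Run as root; it mounts, formats and unmounts the scratch devices it creates.
set -eu

SIZE_MB=${SIZE_MB:-400}
RAMDIR=/mnt/ramdisk            # assumed tmpfs mount point
IMG=$RAMDIR/loop.img           # image file inside the ramdisk
MNT=/media/cryptdisk           # mount point used in the post
KEYFILE=./secure.key
MAPPER=benchcrypt              # assumed dm-crypt mapping name

# Parse dd's summary line ("N bytes (...) copied, S s, X MB/s") into integer
# MB/s computed from bytes/seconds, so it does not depend on dd's own unit.
dd_mb_per_sec() {
  awk '/bytes/ && /copied,/ {
         for (i = 1; i <= NF; i++) if ($i == "copied,") secs = $(i + 1)
         if (secs > 0) printf "%d\n", $1 / secs / 1000000
       }'
}

# The write the post used, plus conv=fsync so dd waits for the data to reach
# the device; the number then covers dm-crypt rather than the page cache.
write_test() {
  LC_ALL=C dd if=/dev/zero of="$1/bigfile.bin" bs=10240 count=25000 conv=fsync 2>&1 \
    | dd_mb_per_sec
  rm -f "$1/bigfile.bin"
}

make_keyfile() {
  [ -f "$KEYFILE" ] || ( umask 077; dd if=/dev/urandom of="$KEYFILE" bs=256 count=1 2>/dev/null )
}

setup_loop() {
  mkdir -p "$RAMDIR" "$MNT"
  mount -t tmpfs -o size="${SIZE_MB}M" tmpfs "$RAMDIR"
  # Sparse image a little smaller than the tmpfs, same trick as the post's dd seek.
  dd if=/dev/zero of="$IMG" bs=1M count=0 seek=$((SIZE_MB - 10)) 2>/dev/null
  LOOP=$(losetup -f)
  losetup "$LOOP" "$IMG"
}

teardown() {
  umount "$MNT" 2>/dev/null || true
  cryptsetup luksClose "$MAPPER" 2>/dev/null || true
  [ -n "${LOOP:-}" ] && losetup -d "$LOOP" 2>/dev/null || true
  umount "$RAMDIR" 2>/dev/null || true
}

bench() {
  make_keyfile
  setup_loop
  trap teardown EXIT

  # Unencrypted: ext2 straight on the loop device.
  mkfs.ext2 -q "$LOOP"
  mount "$LOOP" "$MNT"
  plain=$(write_test "$MNT")
  umount "$MNT"

  # Encrypted: the post's cipher/hash choice, opened with the keyfile.
  cryptsetup -q -c aes-cbc-essiv:sha256 -h ripemd160 luksFormat "$LOOP" "$KEYFILE"
  cryptsetup luksOpen --key-file "$KEYFILE" "$LOOP" "$MAPPER"
  mkfs.ext2 -q "/dev/mapper/$MAPPER"
  mount "/dev/mapper/$MAPPER" "$MNT"
  enc=$(write_test "$MNT")

  printf 'plain=%s MB/s luks=%s MB/s\n' "$plain" "$enc"
}

# Only run when asked: LUKS_BENCH=1 ./luksbench.sh
if [ "${LUKS_BENCH:-0}" = 1 ]; then bench; fi
```

Run it several times and average, as the post did; with conv=fsync the run-to-run spread on the encrypted case should be much narrower than what dd reports without it.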

I found in my research mentions of PadLock needing its data aligned in order for the hardware encryption to do its job. I didn't have time to research this but if anyone has an insight I'd like to hear it.

There are a couple of things to note here. The encryption/decryption numbers I got from the software decryptors were rock solid in that they varied very little. The numbers I got from the Core i5 varied by 100 MB/sec and even put encrypted ramdisk speed higher than unencrypted ramdisk speed part of the time. I'm not sure why this variance exists, so to get as reliable numbers as possible I ran it a bunch of times and took the average for both encrypted and unencrypted ramdisks. Maybe the variance has to do with immature drivers or possibly even bottlenecks in the CPU that don't always appear. At this point it's just speculation.

 

The other question these numbers bring up is what happened to PadLock? We can write to our ramdisk at 111 MB/sec but when encrypted we can only write at 31 MB/sec even with hardware encryption? To get some answers I ran some more tests just on the VIA C3 where I stressed the write speeds of the ramdisk, the mounted loop file in ram and the encrypted loop file in ram. This shows something very interesting: the C3 doesn't seem to have enough CPU power to handle the overhead of several layers of filesystems and loopbacks. This is a guess of course, but you can see that we can write to the ramdisk at 111 MB/sec but to a mounted ext2-formatted file in the ramdisk at just 44 MB/sec. We lost 67 MB/sec just in that process so something is a little off. We only lost another 13 MB/sec in the encryption process. I also tested writing to a hard drive partition, a loop device inside a hard drive partition and an encrypted loop device in a hard drive partition. According to hdparm the drive itself can read at about 30 MB/sec so I wasn't expecting too much here. The result was that I can write to the hard drive at 19 MB/sec, to an unencrypted loopback file on the hard drive at 19 MB/sec and to an encrypted loopback file on the hard drive at 11 MB/sec. It's clear that PadLock works best over a network.

I think the summary here is that VIA did a great job on PadLock and saddled it with a pathetic CPU.

 

Summary

AES-NI rocks, but equal results can be had by throwing a lot of horsepower at it. Soon I'll be working on an Intel Hexacore with AES-NI and will be excited to see what kind of numbers I can get out of it. I also think that AMD has no other choice but to jump on the AES bandwagon because Intel is killing them. The AES decrypt speed on Intel's Hexacore has been clocked at over 3 GB/sec. I'll be benchmarking one later in the summer.

I'd be interested in playing with VIA's new 1.4 GHz quad core Isaiah chips with PadLock in them. As a general purpose CPU it's posting faster numbers than AMD's new Brazos CPU and I'd bet the AES performance on it is head and shoulders above any of the other CPUs. Maybe my mini-ITX router board will get replaced in the near future...