Jason Antman's Blog » Projects

Virtualization Options

Jason Antman — Sat, 20 Mar 2010 01:55:53 +0000

As I mentioned in Downtime past few days, coping with storms, as a result of some things I noticed with a recent power outage, I’ve decided to take the leap to virtualization. Given the cost of current hardware that supports HVM (Intel VT-x or AMD-V ), I immediately decided that I might as well give up on any thoughts of doing full virtualization or getting new-ish hardware. So I settled on the next step up from what have now – a set of HP Proliant DL360 G3 servers. I got them with a 90 day warranty from a reputable dealer, dual 2.8GHz Xeon (512K cache), 2Gb RAM, dual 36.4Gb U320 15k RPM SCSI disks and dual power supplies for $99 each. My next step is to decide what virtualization software to use.

My main goals for the project are:

Lower power consumption through consolidation of servers.
Possibility to add capacity or resources by remotely powering up an idle server and migrating VMs to it.
Limited fault tolerance – ability to manually restore a VM that was running on failed hardware, onto an idle server.

I originally thought Xen, just out of reflex. However, given that all of my servers have the same base – the same distribution and, ideally, the same kernel and patch level – it seemed like a lot of overhead to duplicate that for multiple VMs. So I started looking into OS-level virtualization. There are relatively few options, and I’ll admit that aside from Solaris Containers (which I learned about while working at Sun) I don’t know much about it. But OpenVZ seems to be the front runner in that area. My initial impression was that it made a lot of sense – keep one common kernel, but allow containers/virtual environments (CTs/VEs) to have, essentially, their own userland. Unfortunately, it doesn’t seem to be as hyped as Xen, and I haven’t heard very much about it in the enterprise context. And it requires running a kernel from the OpenVZ project, which means I can’t just script updates through yum as easily as normal.

On the up size, OpenVZ would allow me to eliminate the duplication of the kernel, and seems to have much less overhead than Xen (and logically so). On the down side, I lose the ability to virtualize other OSes, kernel versions, or make pre-packaged VMs. I’ve decided that if I wanted to do that, I could dedicate a single machine.

I’ve spent the last day or so doing a lot of research, and have come up with the following questions and concerns about OpenVZ which I hope to be able to answer (I’ll post the answers in a follow-up).

How do I handle distribution and kernel upgrades? The logical solution would be to migrate the CT to another host while I upgrade CT0 (the hardware OS/host/dom0 in Xen speak). But if the guest and host kernels must match, how does this work?
Can I do package upgrades within the guest/CT easily? WIll this play well with Puppet?
How will I handle backups? Is it logical to run bacula within each CT, or just on CT0? If just on CT0, how do I easily verify that a particular CT was backed up?
WIll everything play well with Puppet? (see below)
Am I willing to throw away my KickStart-based installs? And, similarly, am I willing to give up the possibility of migrating from a container to a Xen host or a physical host (easily)?
OpenVZ live migration relies on rsync. This means that there’s a significant delay (compared to shared storage) and also that I can’t migrate off of a host that’s down. Is there a way around this?
Similarly, live migration requires root SSH key exchange (passwordless) between the hosts. This seems about equivalent to using hosts.equiv. Do I really want root on one box to mean root on another box (and all of the containers on that box)?
Can I still firewall CT0? How will this work?

It seems to me that OpenVZ may be significantly less enterprise-class than Xen. Sure, this is just my home setup, but I hold it to the same standards I use for my work systems. In fact, I usually test new technologies at home before I suggest them at work. A lot of the writing on the OpenVZ wiki seems to be riddled with spelling errors. They claim “zero downtime” live migration, but if they have to rsync 2Gb of MySQL tables, that sounds like a lot more than “zero”. And, most shockingly, the Hardware testing wiki page talks about making sure your hosts aren’t overclocked or undercooled, and running cpuburn to test your system under high load. Sorry, but the engineers at HP, Sun, IBM, etc. handle that for me and most people I know. So, I’m a bit worried about the seriousness of the OpenVZ project.

Most worrisome is a post I found in the OpenVZ forum, “Stopping puppet on hn stops it in all VE”. It seems that, since CT0 is aware of all of the guest container processes, they show up in ps lists. Most, if not all RedHat init scripts use killproc to stop and restart services. This means that a service syslog stop on the CT0 (host) will stop all syslog processes, including all of them in the CTs. This seems like a major issue. Sure, I could replace killproc on CT0 with a script that parses the process list, isolates the PIDs for those running on CT0, and kills them. But what else needs to be fixed? Nagios check scripts would need to be adjusted. Is there anything else that would come back and bite me?

The bottom line is that (I guess this is logical) it seems that containers in OpenVZ will seem - and act - a lot less like a logical host than they would under Xen.



New web server, WP optimization
Jason Antman — Mon, 01 Mar 2010 04:19:12 +0000
Tonight, more or less on a whim, I moved my blog from my older (dual 1GHz Pentium III Coppermine, 1GB RAM, 10k RPM SCSI disks, Compaq Proliant DL360 G1, OpenSuSE 10.2 32-bit) web server to my newer one (dual 1.4GHz Pentium III, 2GB RAM, 10k RPM SCSI disks, HP Proliant DL360 G2, CentOS 5.3 32-bit). I did some profiling with ab (ApacheBench), and just moving from one server to the other got some serious performance gains (I was profiling with runs of 1000 requests total, 10 concurrent requests). I also added the W3 Total Cache Wordpress plugin, which got the numbers to look even better!
As a side note, this was all done pretty quickly (moving the database and tarball for the vhost, installing the plugin, changing DNS), so please give me a heads-up if you experience any problems.
The numbers are rather impressive:
  Total Time(s) RPS Avg. Connection Time (ms)
Old Server 1192.252 838.75 11,893
New Server 569.121 1757.09 5,667
Default W3tc Config 23.754 42,098.44 237
Tuned W3tc 12.281 81,428.76 122
All tests were performed on my workstation, a Dell Precision 470, two dual-core Xeons at 2.8 GHz, 2GB RAM, 16GB swap, OpenSuSE 11.1 64-bit. This was on the same LAN and subnet as the servers, with the workstation connected via a 1Gbps copper Ethernet link and the web-serving interfaces of the servers connected via 100Mbps (There’s a trunk in between, from the gigabit aggregation switch to the 100Mbps distribution switch). 


Parsing Nagios status.dat in PHP
Jason Antman — Mon, 22 Feb 2010 03:42:33 +0000
If you’re just looking for the script or PHP module, you can get them via Subversion at: http://svn.jasonantman.com/nagios-xml/.
A while ago (back in late 2008), I wrote a PHP script that parses the Nagios status.dat file into an associative array. My original use was to output XML which was then read by another script on another server and used for a small custom GUI. It’s a very simple PHP script that just takes the path of the status.dat file (which, obviously, must be readable by the user running the script).
At that time, I was using Nagios v2. Since then, I’ve moved to Nagios v3, and have updated the script to include the ability to parse v3 status.dat files, as well as a function to detect the version of a status file. I also refactored the code so that the parsing functions are all contained in a single file (statusXML.php.inc) which is safe to include in other scripts. The actual statusXML.php file now just includes examples of how to call all of the functions and output XML (though it is equally useful to output the serialized array, or use it directly).
Since I posted my script online, two people have been kind enough to send back their modifications:
Artur Krzywański modified the original (r4) version of statusXML.php to allow selection of the keys to be returned.
Whitham D. Reeve II of General Communication, Inc., who needed higher performance for a very large status file, rewrote my script in C as a PHP module.
Both of these generous contributions have been included in my Subversion repository as of the current revision, 5. Unfortunately, due to my delay in putting my Nagios3 code into svn, both of these contributions are Nagios v2 only.
As time permits, I plan on merging Artur’s changes into the current version of statusXML.php.inc. Unfortunately, C isn’t one of my strong points, but I plan on also updating Whitham’s PHP module code to work with Nagios3 as soon as possible.
Stay tuned for updates, and thanks to both gentlemen for contributing their work. I’m always interested in hearing how people are using my code, and how they are making it better.
Also: While I added this project to Nagios Exchange, and plan on adding it to Monitoring Exchange, I don’t always keep those sites up to date (I can’t access Nagios Exchange right now, and who knows if I’ll have time to update it tomorrow). I strongly recommend directly checking out from Subversion at http://svn.jasonantman.com/nagios-xml/ or taking a look at the code through ViewVC at http://viewvc.jasonantman.com/cgi-bin/viewvc.cgi/nagios-xml/. 


Project Announcement – PHPsa
Jason Antman — Tue, 29 Sep 2009 20:36:27 +0000
So, here’s the “official” scoop on the new project that I’m planning/starting to work on. I’m calling it PHPsa for now, and it’s going to (hopefully) be an integrated dashboard/portal for SysAdmins. While there are a number of tools that fit into this general category (perhaps with  being the closest, though it’s security-minded), I feel that there’s a real gap in terms of tool integration. My daily workflow, which includes multiple trips to and correlation among Nagios, Cacti, DNS, DHCP, Puppet, logs, and other tools really leaves something to be desired. So, I’m setting out to create a modular SysAdmin dashboard that unifies many of the common SysAdmin-related tools into a modular dashboard.
The first overall design goals that I’ve set are:
A modular, plugin-based architecture that allows admins to select which features/tools they want, and allows easy development of new modules.
Design with legacy tools in mind – easy ways to tie in to tools that weren’t written with PHPsa in mind, both in terms of linking to information and gathering/unifying information.
RBAC, including per-module rules and the possibility for a limited read-only view (client/user mode).
Use of data sources, specifically databases, from existing tools with as little modification as possible.
Support for database abstraction, though I’ll be using MySQL.
Eventually, implement RSS feeds of pertinent information.
Balance Ajax/DHTML with the desire for important things to have canonical, static, bookmark-able URLs.
So, here are some of the things that I’m planning on integrating, with obvious bias towards getting my own projects done before I integrate pre-existing tools:
MultiBindAdmin, my DNS and DHCP administration tool (specifically geared towards split-view DNS with the inside view behind NAT).
RackMan, my tool for mapping devices’ physical locations in racks (and tacking patching).
My simple config tool for Puppet.
Nagios.
Cacti.
Nathan Hubbard’s MachDB.
Bacula (monitoring/status only).
Syslog via rsyslog (or any other syslog-to-SQL solution).
Possibly a front-end to Google Analytics.
Some of my custom scripts for graphing SpamAssassin, DNS queries, etc.
Some sort of Apache log analysis, like Webalizer.
Mail log analysis, possibly AWstats.
So, the first big issues that I’m going to tackle:
General layout. Specifically, how to handle a more-or-less consistent layout while integrating tools that weren’t designed for PHPsa. I’ll probably end up using iFrames (or even a frameset) for tools that don’t integrate well.
How to correlate data/objects between different tools (i.e. how to display information from Nagios, Cacti, MultiBindAdmin and MachDB for a given host?).
Do I want to use a templating engine like Smarty or hand-code all of the HTML?
How will I handle plugins?
How much code do I want to re-write and how much can I use as-is from other tools? And, on a related note, how much existing data can I access easily from other tools, vs having to use grabber scripts that dump data in MySQL?
Update 2010-02-03: I think this may become a semi-official project for me at $work, which means that I’ll be able to dedicate quite a bit more time to it. Unfortunately, it also means that I will, most likely, have to give up Nathan Hubbard’s MachDB in favor of OCS Inventory NG, a more mature project that already includes inventory support for Linux, Windows and Mac. 


DNS Move
Jason Antman — Thu, 17 Sep 2009 18:07:23 +0000
Yesterday I finally began moving DNS for my sites from GoDaddy to my own in-house system of master/slave BIND9. While both DNS servers are currently at the same location and on the same WAN connection (heck, they’re beind the same router, too), so is all of the rest of my infrastructure. Migrating jasonantman.com was definitely the most critical task, this has allowed me to easily use my new project, MultiBIND Admin to manage DNS. In addition to just being simpler than using GoDaddy’s tool, it allows me to manage DNS for both the external view and the NATed internal view in one tool. I did have a brief mail outage thanks to some incorrect MX records being served by the slave, and a few other issues with the caching DNS servers at work not expiring the old records, but all seems to be well now. It was a relatively smooth transition, though I haven’t yet moved over some of my older less used domains.
The next part of my project, when I move the ambulance corps hosted services in-house, will be trying to find a decently-priced DNS hosting company that will just act as a slave, to keep DNS up if my WAN connection goes down. 


September 2009 Project Updates
Jason Antman — Thu, 17 Sep 2009 18:00:38 +0000
I know I haven’t been posting a lot, but here’s an update on some of my projects:
PHP EMS Tools – I’ve done quite a bit of work for the ambulance corps, and intend on rolling this into the main distribution. I’ve also added an Asterisk/AGI module to handle crew call-ins. It’s going to be a long road, as I have to manually diff the ambulance corps version to the trunk version and merge the changes (leaving out anything specific to our organization), but I plan on doing it. The next version will also include historical tracking of roster information (member information, status, positions, committees, etc.) and LDAP integration for authentication.
PHPsa – My new project, tentatively called PHPsa, is an integrated dashboard for sysadmins. The idea is to develop a plugin-based portal for SA tools. Currently, I will be including some of my own projects – MultiBindAdmin (a tool to administer BIND and DHCPd, specifically geared towards split-view DNS with the inside behind NAT) and RackMan (a tool to track and visualize the location of devices within racks, including ability to temporarily move devices around) – as well as my updates to Nathan Hubbard’s MachDB.
 I’ve also done quite a bit of customization of the current version of Nathan Hubbard’s MachDB. My local version is in subversion. It adds detailed network interface information, information on expansion slots, and some extra details for the system and storage. I plan on developing a patch and contacting Nathan once I get a chance. It also includes a Python collector script that I developed. 


New Projects
Jason Antman — Thu, 16 Jul 2009 19:05:40 +0000
In terms of ongoing projects, I should be updating RackMan sometime soon, and also adding the demo site.
I’ve begun to move DNS for all of my domains in-house, mostly because since everything is behind NAT, it’s a real pain to manage DNS entries in two places (one of them being GoDaddy’s web interface). Because of the NAT issue, I’m also writing my own BIND configuration tool, currently named MultiBIND Admin. In addition to managing multiple zones in a sane way, it stores all configuration in MySQL. Among other things, it can store different IP addresses for A records for the inside and outside views. Zone files can either be pulled by a script on the name server (push capability is being worked on) or downloaded (for uploading to a DNS hosting provider like GoDaddy).
For my final project for my XML web design class, I’m going to be making some “mashup” with RackMan, Google Maps, Google Visualizer, Nagios, and a few other tools…
Stay tuned… 


Blinkenlights (blinkenlichten)
Jason Antman — Tue, 23 Jun 2009 15:54:31 +0000
I’ll be posting more on this in the next few days, but I did a few more upgrades at home, including a Proliant DL380G2  to replace my aged ML370 (G1) storage box (array is failing badly) and a Proliant DL360 G2 as a second web server (and possibly moving Nagios over to that box).
I’m running into some problems with the old management card for the Tripp Lite UPS, and I have a few other issues to sort out, but here’s a photo that I took this weekend after the upgrades (yes, it’s a bit blurry – that happens handheld at 1/10 sec).
 ACHTUNG!  ALLES LOOKENSPEEPERS!
 Alles touristen und non-technischen looken peepers! Das computermachine ist nicht fuer gefingerpoken und mittengrabben.
 Ist easy schnappen der springenwerk, blowenfusen und poppencorken mit spitzensparken. Ist nicht fuer gewerken bei das dumpkopfen. Das rubbernecken sichtseeren keepen das cotten-pickenen hans in das pockets muss; relaxen und watchen das blinkenlichten.
(For those of you who aren’t familiar with it, blinkenlights). 


Building a Rebuild-able Site
Jason Antman — Wed, 06 May 2009 13:42:43 +0000
At $WORK, my group runs about two dozen servers that provide services for over 60,000 users. They’re a mix of Windows and Linux, with some old Solaris stuff thrown in there. The one thing they have in common is they’re all hand-built, hand-configured, and old. They’ve been around for a while. At the moment, we don’t even have an adequate backup system.
So, being the closest thing to a SysAdmin we have (my official title is still Student Systems Programmer), it’s my job to build a new installation, configuration and backup infrastructure. We’ve already standardized on CentOS as a University-wide distro, and have a local full mirror, so I don’t need to choose a distro. I do, however, have to plan the installation and backup architecture. The main requirements are:
Lowest overall time for bare-metal recovery to a working system.
Ease of use, as people other than myself will need to administer it (so they should be able to do so from a cheat sheet in the wiki).
Repeatability – it should be easy and intuitive to make an almost-exact-copy of a machine.
I started a thread a few days ago on the SAGE mailing list, which you can find here.
At the moment, it looks like the general idea that I’m going with is to use Kickstart to install the systems, using a basic and minimal Kickstart file. Basic package selection (minimalist) with just what’s needed to configure the system with a hostname and network settings for the management VLAN. I’ll then have Kickstart install and configure a configuration management package – I’m leaning towards Puppet over Cfengine and am starting testing. The config management software will handle all of the customization for the system (everything different from the base generic Kickstart install) so it’s all kept under the control of config management from step 1.
The final part is a backup system, mainly for whatever eventually – whether out of human error or simple laziness – ends up out of the config management system’s control. Our previous SA had settled on Zmanda, the paid version of Amanda, which comes with specific plugins for MySQL and MSSQL. I’m also looking at Bacula, mainly because of its’ advanced features, scheduling (especially the new scheduling in Bacula 3) and scalability.
The beauty that I see in having Kickstart do something minimal and then letting Puppet handle the rest is that (especially since we’ve standardized on SunFire X4100’s with identical configurations) I can kickstart and rack up a few spare machines, and to get them up and running all I need to do is power them up (iLOM) and tell Puppet what to make them.
I’m currently starting testing of both Puppet itself and getting Kickstart to start the puppet install and daemon (instructions from David Lutterkort’s blog (Red Hat software engineer)). We’ll see how everything goes… 


Many Many Changes; Downtime
Jason Antman — Sun, 08 Mar 2009 00:05:09 +0000
Well, I don’t have time to go into a lot of detail, but I thought I’d give a recap of what’s going on. I went down to Mount Holly, NJ yestserday morning – about a 2-/12 hour drive each way, and picked up a 41U rack for the basement. Pretty damn heavy, took me two hours to disassemble it, wrangle it down the stairs, and get it back together. It’s an old round-hole rack, which didn’t seem to matter much until I found that the tabs of the Dell Rapid Rails are just a bit too big to fit in it, so neither my rack KMM nor the rails for my mail server will fit. A bigger problem, though, is that the guy told me it was the standard HP 29″ deep, and I found it to be 28-1/4″ deep when I started racking things up. So, though I just spent $200 on rails for old Proliants, they’re all about 1/2″ too long to fit.
Yesterday, I also had Cablevision show up to install the new Optimum Business with 5 static IPs.
So, last night around 9:00, I started the arduous task of (for the first time ever) powering down ALL of my machines, moving them to the new rack, and re-cabling. That took about 2-1/2 hours, after which my intent was to bring up the new Optimum connection, configure the Vyatta router, and roll over mail and web. From what I’d read of the Vyatta docs it seemed a relatively straightforward task, and being the stubborn jackass that I am, I decied, “hey, it’s my personal site, it’s low traffic, and I want it up before I go to sleep. I’ll roll over DNS before I bring everything up.”
That was a very bad idea. Vyatta isn’t nearly as simple as it seems – especially for someone who isn’t really a network (or at least router/firewall) guy. When they say Enterprise, they mean robust. They also mean that week-long bootcamps aren’t for naught. It took me about half an hour to figure out that even if no “firewall” ruleset is associated with an interface, it still has an implicit drop all. And if you only want to firewall what’s coming in from the outside world, and let everything out, you need to add explicit allow all rules to the in and out sides of the LAN inteface and the out side of the WAN interface.
To top all this off, I had some serious still-unexplained DHCP problems on the LAN, a serious issue since I just set all my hosts to DHCP (which I’ll probably undo soon). So, Yesterday was network work from 7:30 AM to 3 AM today (including driving to pickup the rack). By the time 3 AM rolled around, I was quite unhappy that I decided to roll over DNS in order to force myself to get things working, as I ended up going back to FiOS for client access only. Today started around 10 AM, and here I am – 6:30 PM, and I just got things working partially right. I have mail working – arguably the most important – for jasonantman.com only, though I have yet to setup any aliases.
On the web side, I’m working to setup name-based vhosts for all of the subdomains, but for some reason, blog is showing up for everything. Luckily it works right. So we’ll see….

	Total Time(s)	RPS	Avg. Connection Time (ms)
Old Server	1192.252	838.75	11,893
New Server	569.121	1757.09	5,667
Default W3tc Config	23.754	42,098.44	237
Tuned W3tc	12.281	81,428.76	122