IT6205
MINOR MODIFICATIONS
When minor modifications are made to this syllabus, they will be reflected in the Virtual Learning Environment (VLE), and the latest version can be downloaded from the relevant course page of the VLE. Please send your suggestions and comments through the VLE: http://vle.bit.lk
ONLINE LEARNING MATERIALS AND ACTIVITIES
You can access all learning materials and this syllabus in the VLE (http://vle.bit.lk) if you are a registered student of the BIT degree program. It is very important to participate in the learning activities given in the VLE in order to learn this subject.
FINAL EXAMINATION
The final exam of the course will be held at the end of the semester. Each course in semester 6 is evaluated using a two-hour structured question paper.
OUTLINE OF SYLLABUS
Topic                                                   Hours
1- Introduction to System & Network Administration      03
2- Installing an Operating System                       04
3- Host Management                                      13*
4- Network Management                                   15*
5- Automating System Administration                     05*
6- Virtualization                                       05
Total for the subject                                   45
* Students are expected to complete practical work as part of their learning in these topics.
The recommended operating system for this module is CentOS 6 or better.
REQUIRED MATERIALS
Main Reading
Ref 1: Evi Nemeth, Garth Snyder, Trent R. Hein and Ben Whaley, UNIX and Linux System Administration Handbook (4th Edition), Pearson Education, Inc., 2011.
Ref 2: https://lopsa.org/CodeOfEthics
DETAILED SYLLABUS:
Section 1 : Introduction to System & Network Administration (03hrs)
Instructional Objectives
Find the required information using man/info pages and other documents
Para virtualization
Introduction to Xen
6.1.7. Introduction to KVM
Section 1.0: Introduction to System & Network Administration
Security Management
- Firewalls
- Usernames
- Password control
- Resource Access Control
Performance Management
- Availability
- Response Time
- Accuracy
Printing
eMail
2012, University of Colombo School of Computing
Challenges of System/Network Administration
Systems or Network Administration is more than just installing computers or networks. It is about planning and designing an efficient community of computers that allow users to get their jobs done.
Challenges of Administration
Design Logical, Efficient networks
Comparison of System/Network Management Styles
- Fire-Fighting: managing by responding to situations when they happen (reactive).
- Preventative management: monitor the network and make repairs and changes before problems appear (proactive).
These are two opposite extremes. Most real managers combine both.
Fire-Fighting
- Investigate the fault or problem
- Isolate the problem and identify/define it
- Use tests and tools to diagnose the problem
- Solve the problem and document the solution
- Prioritize multiple problems
Handling crises
- Have the foresight: take time to anticipate and plan for the emergency.
- Prevent crises by carefully carrying out all procedures.
Multics
Unics / UNIX
Former Multics group at Bell
UNIX
UNIX was originally written in assembler and B. Dennis Ritchie improved B and named it C. In 1973, most of UNIX was rewritten in C.
UNIX
http://www.bbc.co.uk/news/technology-15287391
BSD
In the 70s AT&T was under a court order not to sell software. AT&T gave away UNIX to universities, charging only for media. Kernighan took UNIX to his university at Berkeley. Berkeley released the BSD (Berkeley Software Distribution) version of UNIX. BSD too went through many releases until BSD 4.4 was released. This too became accepted in the commercial world, so two competing versions reigned, namely System V and BSD.
GNU's Not Unix
GNU
GNU distributed its software under the GNU General Public License (GPL). The GPL mandated that changes to GPLed programs also be released under the GPL. By 1990, the GNU system was almost complete, but GNU Hurd, the kernel of the GNU system, was not ready.
http://www.gnu.org/
Finally on Unix
Most of the Unix versions were based on BSD or System V. IEEE developed a standard to enable various flavors of Unix to inter-network. This ANSI standard, known as POSIX (Portable OS Interface for Computer Environments), is the collective name of a family of related standards specified by the IEEE to define the application programming interface (API), along with shell and utilities interfaces, for software compatible with variants of the Unix operating system, although the standard can apply to any operating system. The term POSIX was suggested by Richard Stallman in response to an IEEE request for a memorable name.
What is Linux?
Linux is a free Unix-type operating system originally
http://www.linux.org
Linux Lineage
While many UNIX systems are based on System V of AT&T or BSD (Berkeley Systems Distribution) of the University of California, Berkeley, Linux has been developed without using the source code of these two systems. As a result, Linux can function as an independent UNIX-type operating system and can be freely redistributed without infringing the license. The development of Linux has been based on the activities of many volunteers, and its functions and reliability are comparable with any of the commercially marketed UNIX systems.
[Figure: Linux lineage diagram showing UNIX, BSD, System V, FreeBSD, PC UNIX, Minix and Linux]
Hardware
Linux Distributions
Distribution types (by application/installation tools): RedHat, Debian, Slackware, Source-based
Distributions listed: Mandrake, Suse, Storm, Corel, Plamo, Gentoo, Sorcerer
http://distrowatch.com/
Linux Kernel
Linus Torvalds releases Linux kernel version 3 to celebrate
20 years of penguin-powered computing
What is GNU/Linux?
GNU/Linux is an operating system composed of the Linux core kernel and GNU free software.
GNU/Linux is free. You can redistribute and modify GNU/Linux as long as you don't break the GPL.
1.3 Ethics
Ethics
Systems and Network administrators play a critical role in the
security and availability of the systems and networks they are
responsible for. During the course of their duties it is inevitable
that they will come into contact with sensitive, personal or
restricted information.
For these reasons system and network administrators must
display an exemplary work ethic.
sharing knowledge and
https://www.usenix.org/lisa
Ethics LOPSA
The League of Professional System Administrators
(LOPSA) is a nonprofit corporation with members
throughout the world. Their mission is to advance the
practice of system administration; to support, recognize,
educate, and encourage its practitioners; and to serve
the public through education and outreach on system
administration issues.
LOPSA's System Administrators' Code of Ethics can be found at: https://lopsa.org/CodeOfEthics
man page
The Linux equivalent of HELP is man (manual).
A man page (short for manual page) is online software documentation, serving as content for the man system, for an entity typically encountered in Unix/Linux systems. Such entities include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts. A user may invoke a man page by issuing the man command.
Use man <command> to display help for that command.
Use man -k <keyword> to find all commands with that keyword.
Output is presented a page at a time. Use b to scroll backward, f or a space to scroll forward, and q to quit.
Section 2.0: Installing an Operating System
Boot Process
[Figure: Linux boot sequence: BIOS -> GRUB -> Linux Kernel -> init -> /etc/inittab -> /etc/rc.d/rc.sysinit -> runlevel-specific scripts (/etc/rc.d/rc3.d or /etc/rc.d/rc5.d, selected by /etc/inittab) -> Login Shell -> "Welcome to Linux .."]
Section 3.0: Host Management
Root Privileges
su
Create a shell with the effective user ID. If no user is specified, create a shell for a privileged user.
su [option] [user]
Login as a user. The switch will allow you to login as root.
Root Privileges
sudo
If you have privileges, sudo allows you to
execute commands as superuser.
sudo [options] [command]
The main advantage of sudo is that you can create policies for users and limit which programs they may execute.
These policies are located in the /etc/sudoers file.
User Management
Passwd file
- Located in /etc/passwd
- When we create a user and a password, the user information is stored in the passwd file. Each record consists of seven fields separated by colons (':'):
Username : Password : User Identifier (UID) : Group Identifier (GID) : Name of the User : Home Directory : Program or Shell
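As an added example (not part of the course notes), the seven-field layout above can be checked mechanically. The script below reads passwd-format records and reports the entries an administrator should look at: a second UID 0 account, an empty password field, or a record without seven fields. The account names and UIDs in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the course notes: audit records in /etc/passwd format.
# Each record is Username:Password:UID:GID:Name:Home:Shell, as described above.
# The audit reports records an administrator should look at twice:
#   - a UID of 0 on any account other than root (a second superuser)
#   - an empty password field (login with no password at all)
#   - a malformed record (not exactly seven fields)
#
# Constructed sample data (hypothetical accounts, not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
saman:x:500:500:Saman Perera:/home/saman:/bin/bash
backup:x:0:501:Backup Operator:/home/backup:/bin/bash
guest::502:502:Guest Account:/home/guest:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
broken:x:503:503:Missing Fields:/home/broken'

# audit_passwd reads passwd records on stdin and prints one finding per line,
# in the form "<username> <reason>". Empty lines are ignored.
audit_passwd() {
    awk -F: '
        NF == 0 { next }
        NF != 7 { printf "%s malformed record (%d fields)\n", $1, NF; next }
        $3 == "0" && $1 != "root" { printf "%s UID 0 account that is not root\n", $1 }
        $2 == "" { printf "%s empty password field\n", $1 }
    '
}

# audit_passwd_file runs the audit over a real file, e.g. audit_passwd_file /etc/passwd
audit_passwd_file() {
    audit_passwd < "$1"
}

# count_findings prints how many findings the audit produces for the sample data.
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real CentOS system the password field is normally "x", with the hash kept in /etc/shadow; an empty field in /etc/passwd means no password is required at all.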
User Management
Group file
- Located in /etc/group
- The group file is a text file; it defines the groups on the system.
- In the group file there are three data fields.
- Groupname : Password : Group ID : Users
User Management
Home Directory
- The personal workspace of the user. Only the user and the superuser have access to this personal directory. User directories are stored under /home/[user]
- Eg: /home/saman
Setting permission and ownership
- Linux has three types of permissions: Read, Write, Execute.
- We can allocate permissions by using binary numbers.
User Management
Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes: 755
User Management
Adding/deleting users
- Superuser or privileged user can add or
remove users from the system.
- useradd [user] [options]
User Management
Modify user account information
- usermod [options] [user]
Disabling logins
- The system administrator can temporarily block users without deleting their account using the pw lock [user] command.
- To unlock, use pw unlock [user]
- Another way to block a user is
- usermod -L [user]
RPM remove
To remove a package you can use the -e option:
rpm -ev [package]
Disk Partitioning
RAID(Redundant Array of Inexpensive disks)
RAID is normally used to spread data among
several physical hard drives with enough
redundancy that should any drive fail the data
will still be intact. Once created a RAID array
appears to be one device which can be used
pretty much like a regular partition.
Disk Partitioning
There are several kinds of RAID, but the two most common are:
Disk Partitioning
LVM (Logical Volume Manager )
LVM is a way of grouping drives and/or partition
in a way where instead of dealing with hard and
fast physical partitions the data is managed in a
virtual basis where the virtual partitions can be
resized.
Controlling Processes
Process Attributes
PID or process ID, an integer.
PPID or parent process ID, an integer.
Nice number, the degree of friendliness of the process
towards other processes (process priority is calculated
from nice numbers and recent CPU usage).
TTY, the terminal to which the process is connected
RUID, or real user ID. The user issuing the command.
EUID, or effective user ID. The one determining access
permissions to system resources.
Controlling Processes
Process Attributes ctd:
EGID, or effective group owner. Different from
RGID when SGID has been applied to a file.
RGID, or real group owner. The group of the
user who started the process
Controlling Processes
Signals
Signals are a way of sending simple messages to processes. Most of these messages are already defined and can be found in <linux/signal.h>.
Signals can only be processed when the process is in user mode. If a signal has been sent to a process that is in kernel mode, it is dealt with immediately on returning to user mode.
Signals are one of the oldest inter-process communication methods used by Unix systems.
Controlling Processes
Process states in Linux:
Running: Process is either running or ready to run
Interruptible: a Blocked state of a process and
waiting for an event or signal from another process
Uninterruptible: a blocked state. Process waits
for a hardware condition and cannot handle any
signal
Stopped: Process is stopped or halted and can be
restarted by some other process
Zombie: process terminated, but information is
still there in the process table.
Controlling Processes
Commands
top - display top CPU processes
top [-] [d delay] [p pid]
top provides an ongoing look at processor
activity in real time. It displays a listing of the
most CPU-intensive tasks on the system, and
can provide an interactive interface for
manipulating processes. It can sort the tasks by
CPU usage, memory usage and runtime.
Controlling Processes
proc - process information pseudo-filesystem
/proc is a pseudo-filesystem which is used as
an interface to kernel data structures rather than
reading and interpreting /dev/kmem. Most of it is
read-only, but some files allow kernel variables
to be changed.
Controlling Processes
proc - cpuinfo
Controlling Processes
proc - meminfo
Controlling Processes
nice - run a program with modified scheduling
priority
nice [OPTION] [COMMAND [ARG]...]
Run COMMAND with an adjusted scheduling
priority. With no COMMAND, print the current
scheduling priority. ADJUST is 10 by default.
Range goes from -20 (highest priority) to 19
(lowest).
Controlling Processes
watch: executes a program periodically, showing its output fullscreen.
watch [OPTION] <command>
Controlling Processes
time: the time command runs the specified program command with the given arguments. When the command finishes, time outputs timing statistics about this program run.
time [OPTION] <command>
File System
Path Names
In Linux everything has an absolute path, unlike Windows.
Everything starts from root ( / ).
File System
File Names
Filenames can contain any normal text
character including spaces and special
characters.
Filenames can be almost any length.
It is best to stick to a-z, A-Z,_, -, and
numbers.
File System
File Tree
File System
File Types
Regular File : It comes under the Normal File
category.
Directory : These are special types of files that
are lists of other files.
Symbolic Link : A symbolic link is a reference
to another file ( a shortcut to any file ).
47
File System
File Types
Socket : Special type of file that provides
inter-process networking protected by the file
systems access control
Named Pipe : A special type of file that acts
more or less like sockets and form a way for
processes to communicate with each other,
without using network socket semantics.
Device File : Character devices and Block
devices
File System
File commands
chmod: changes the permissions of a file
Permissions
u - User who owns the file.
g - Group that owns the file.
o - Other.
a - All.
r - Read the file.
w - Write or edit the file.
x - Execute or run the file as a program.
File System
chmod
Numeric Permissions: chmod can also be applied using numeric permissions:
400 read by owner
001 execute by anybody
File System
File commands
chown : change file owner and group
chown [OPTION] [OWNER][:[GROUP]] FILE
File System
Umask
The User Mask
Who determines the default permissions when a new file is created?
Default permissions before applying the mask are completely insecure:
File System
Umask
System default can be changed by umask command (a
shell builtin).
umask statement placed in a startup script (typically,
/etc/profile or /etc/bashrc).
Reassigns default file and directory permissions.
File System
Umask
Use umask w/o arguments to show your current
permission setting
Bash builtin shows 4 digit 0066 (inode actually stores
12 binary permission bits)
File System
The User Mask Value Table
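The triplet arithmetic from the User Management slides (rwx => 4 + 2 + 1) and the umask rule above are carried through in the following added example, which is not from the course notes. It converts an ls -l style mode string to its octal form and computes what a new file or directory receives under a given umask, starting from the insecure 666/777 defaults.

```shell
#!/bin/sh
# Added example, not from the course notes: the permission arithmetic from the
# User Management slides (rwx triplets -> octal digits) and the effect of the
# umask on default permissions.

# triplet_to_digit converts one rwx triplet such as "r-x" to its octal digit (5).
# r = 4, w = 2, x = 1; a "-" in a position contributes nothing.
triplet_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# mode_to_octal converts a 9-character mode string such as "rwxr-xr-x"
# (the u, g and o triplets as shown by ls -l) to its octal form "755".
mode_to_octal() {
    u=$(triplet_to_digit "$(printf '%s' "$1" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$1" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# default_mode prints the permissions a new file or directory receives under a
# given umask. New files start from 666 and new directories from 777 (the
# "completely insecure" defaults); every bit set in the umask is cleared.
# Usage: default_mode <umask> file|dir    e.g. default_mode 022 file -> 644
# A 4-digit mask as printed by the bash builtin (0022) is accepted as well.
default_mode() {
    mask=$(( 0$1 ))              # the leading 0 makes the shell read it as octal
    case "$2" in
        dir) base=$(( 0777 )) ;;
        *)   base=$(( 0666 )) ;;
    esac
    printf '%03o\n' $(( base & ~mask ))
}

# Worked values: the 755 from the notes, then the defaults under a 022 and a 066 umask.
mode_to_octal rwxr-xr-x        # 755
default_mode 022 file          # 644
default_mode 022 dir           # 755
default_mode 066 file          # 600 (group and others get nothing)
```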
Section 4.0: Network Administration
You can also add the routing table entry for your own network explicitly as follows.
route add -net 192.168.1.0 netmask 255.255.255.0 eth0
/etc/sysconfig/network-scripts/ifcfg-<interface-name>
For each network interface on a Red Hat Linux system, there is a corresponding interface configuration script. Each of these files provides information specific to a particular network interface.
Serving a Page
- User of client machine types in a URL
- Server name is translated to an IP address via DNS
- Client connects to server using IP address and port number
- Client determines path and file to request
- Client sends HTTP request to server
- Server determines which file to send
- Server sends response code and the document
- Connection is broken
Apache History
NCSA (National Centre for Supercomputing Applications, Uni
[Figure: Apache lineage: NCSA httpd plus patches -> Apache 0.9 -> Apache 1.2 -> Apache 1.3.29; Apache 2.0 ("shambala") built on APR and APR Utils with a new proxy; httpd-2.x.x modules for Java, PHP and Perl]
Installing Apache
rpm -Uvh httpd-2.x_NN.rpm
Source package http://httpd.apache.org/
Apache Configuration
Basic site setup:
/site_home (www)
/conf
/logs
/htdocs
Generally Default site home is /etc/httpd
The configuration file is httpd.conf
config files reside in the conf directory
Apache Configuration
Validating the Configration Files
/usr/local/apache/bin/apachectl configtest
Syntax OK
Apache Configuration
Who runs the httpd daemon?
- Superuser? Security risk, but the only user who can access port 80. The solution is for the master process to be started by root, bind to the socket, then change to another user.
- Nobody? Not portable across UNIXes.
- Create a user and group to run the web server: on Linux, /usr/sbin/useradd and /usr/sbin/groupadd, or edit /etc/passwd and /etc/group. Put the user and group info in httpd.conf:
User apache
Group apache
Apache Configuration
Create new user on Linux:
Apache Configuration
Setting the default document directory
ServerName www.foobar.com
Designates the default host name (later - virtual
host names)
For example, use localhost
Starting the server
/etc/init.d/httpd start
/usr/local/apache/bin/apachectl start
Error Responses
Apache can respond to an error by
Error Responses
Examples
Redirect server errors to an error logging CGI program:
ErrorDocument 500 /cgi-bin/log-error
Log strange incoming requests, like DELETE
ErrorDocument 400 /cgi-bin/log-hacks
Notes
Any error response page starting with http:// will cause the
server to send a redirect to the client
#ErrorDocument 402 http://www.example.com/subscription_info.html
Log Files
- The first line of troubleshooting when setting up a server.
- Apache provides flexible logging: logs are written in a customizable format, can be written directly to a file or to an external program, and conditional logging can be done based on the characteristics of the request.
- Directives provided for this:
TransferLog - to create a log file
LogFormat - to set a custom format
CustomLog - to define a log file and format
- The TransferLog and CustomLog directives can be used multiple times in each server to cause each request to be logged to multiple files.
- Important to remember log file rotation as well.
Log Formats
Define the log locations in httpd.conf:
Log Formats
Content HTTP request
Server Response code
Content length in bytes
The default CLF can be altered to store more information using the
LogFormat directive.
Log Formats
ErrorLog Format
Log Formats
LogFormat "%H %m %t %U" simple
CustomLog logs/access.log simple
This logs the protocol, date, time and URL requested.
Exercise:
Try these with your configured Apache server.
LogFormat "%h" ip
LogFormat "%h %l %u %t \"%r\" %>s %b" detailed
CustomLog logs/access.log detailed
CustomLog logs/ip.log ip
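To make use of the "detailed" log produced by the exercise above, here is an added example (not from the course notes) that reads lines in that Common Log Format and answers the questions the slides raise: which clients are collecting error responses, which requests use unusual methods such as DELETE, and how much data was served. The log lines, hosts and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the course notes: working through an access log written
# with the "detailed" format above, i.e. the Common Log Format
#   %h %l %u %t \"%r\" %>s %b
# Fields after splitting on whitespace: $1 host, $2 ident, $3 user, $4-$5 time,
# $6-$8 the quoted request line (method, URL, protocol), $9 status, $10 bytes.
#
# Constructed sample log lines (made-up hosts, paths and timestamps).
SAMPLE_LOG='192.168.1.10 - - [10/Oct/2012:13:55:36 +0530] "GET /index.html HTTP/1.1" 200 2326
192.168.1.10 - - [10/Oct/2012:13:55:40 +0530] "GET /admin/login HTTP/1.1" 404 209
192.168.1.22 - saman [10/Oct/2012:13:56:01 +0530] "POST /cgi-bin/form HTTP/1.1" 500 -
192.168.1.10 - - [10/Oct/2012:13:56:05 +0530] "DELETE /index.html HTTP/1.1" 405 230
10.20.50.7 - - [10/Oct/2012:13:57:12 +0530] "GET /images/logo.png HTTP/1.1" 200 5120'

# error_counts_by_host prints "<host> <count>" for every host that received a
# 4xx or 5xx response, sorted by host. A client with many errors is worth a look.
error_counts_by_host() {
    awk '$9 >= 400 { err[$1]++ }
         END { for (h in err) printf "%s %d\n", h, err[h] }' | sort
}

# unusual_methods prints "<host> <method> <url>" for requests that are not
# GET, POST or HEAD (the "strange incoming requests, like DELETE" of the notes).
# The method is $6 with its leading double quote removed.
unusual_methods() {
    awk '{ m = substr($6, 2)
           if (m != "GET" && m != "POST" && m != "HEAD") printf "%s %s %s\n", $1, m, $7 }'
}

# bytes_served sums %b over successful (200) responses; "-" means zero bytes.
bytes_served() {
    awk '$9 == 200 && $10 != "-" { b += $10 } END { printf "%d\n", b }'
}

# Run the three reports over the sample; on a server use e.g. error_counts_by_host < logs/access.log
printf '%s\n' "$SAMPLE_LOG" | error_counts_by_host
printf '%s\n' "$SAMPLE_LOG" | unusual_methods
printf '%s\n' "$SAMPLE_LOG" | bytes_served
```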
DefaultType directive
example: DefaultType text/html (or application/octet-stream)
sets the type for any document not otherwise recognized
AddType directive
example: AddType image/jpeg (AddType application/x-tar .tgz)
associates a MIME type with a file extension, or overrides the MIME configuration
can be used to set multiple types
Apache is Modular
Loadable modules
CGI handler
the Apache group distributes 34 modules
LoadModule directive selectively includes
modules in server
Apache is Modular
Loadable Modules vs. Compiled Modules
Apache is Modular
How do I know which directives are in which modules?
<Directory>
What is it?
<Directory /clients/smallco>
Options Indexes FollowSymLinks
</Directory>
<Directory>
Syntax
<Directory /clients/cars>
ErrorDocument 404 cars404.html
</Directory>
Syntax
The directory path is a full path to the directory affected
Wild cards * and ? may be used
* is match any sequence of characters
? is match any single character
may also use [] to enclose character ranges
<Directory>
Syntax
<Location>
What is it?
<LocationMatch>
What is it?
<Files>
Example:
Make any file with a .foo extension be served as text/plain
<Files *.foo>
ForceType text/plain
</Files>
Guess what ForceType does
Syntax
<Files filename>
Can use * and ? wildcards
Can use regular expression with <Files ~ regex> syntax
Can be used both inside and outside a <Directory> section
Virtual Hosts
More than one apparent server on one machine
Virtual Hosts
Virtual Host types
<VirtualHost www.smallco.com>
ServerName www.smallco.com
ServerAdmin webmaster@mail.smallco.com
DocumentRoot /clients/smallco/htdocs
ErrorLog /clients/smallco/logs/errors
TransferLog /clients/smallco/logs/access
</VirtualHost>
<VirtualHost www.bigco.com>
ServerName www.bigco.com
ServerAdmin root@mail.bigco.com
DocumentRoot /clients/bigco/htdocs
ErrorLog /clients/bigco/logs/errors
TransferLog /clients/bigco/logs/access
</VirtualHost>
Virtual Hosts
Two ways of running Apache for virtual hosts
69
Virtual Hosts
Almost any configuration directive can be put inside
<VirtualHost>
Exceptions are mainly directives that control the httpd
daemon, like
User, Group
ServerRoot
BindAddress
MinSpareServers, MaxSpareServers,
MaxRequestsPerChild
Virtual Hosts
Example Scenario #3
Bigco Inc merges with Medium Corp
Web sites are consolidated, so requests to
www.mediumco.com should now go to
www.bigco.com
Medium Corp has designated BigISP as their primary
nameserver
Add www.mediumco.com to /etc/hosts
Use ServerAlias directive
Virtual Hosts
Example Scenario #3
<VirtualHost 192.168.123.1>
ServerName www.gizmos.com
ServerAlias www.widgets.com
ServerAdmin root@mail.gizmos.com
DocumentRoot /clients/gizmos/htdocs
ErrorLog /clients/gizmos/logs/errors
TransferLog /clients/gizmos/logs/access
</VirtualHost>
NameVirtualHost 192.168.1.1
NameVirtualHost 172.20.30.40
<VirtualHost 192.168.1.1 172.20.30.40>
DocumentRoot /www/server1
ServerName server.example.com
ServerAlias server
</VirtualHost>
# IP-based
<VirtualHost 172.20.30.50>
DocumentRoot /www/example4
ServerName www.example4.edu
</VirtualHost>
<VirtualHost 172.20.30.60>
DocumentRoot /www/example5
ServerName www.example5.gov
</VirtualHost>
<VirtualHost 172.20.30.40>
DocumentRoot /www/example3
ServerName www.example3.net
</VirtualHost>
What is DNS?
DNS (Domain Name System)
[Figure: name resolution: an application (e.g. HTTP) hands the hostname neon.tcpip-lab.edu to the resolver; the resolver queries the name server and returns the IP address 128.143.71.21 to the application]
[Figure: iterative resolution of an A record for ucsc.cmb.ac.lk: the resolver sends its query to the local name server; the local name server asks a root (".") name server and is referred to the lk name server; the lk name server (which also delegates ac, gov and com) refers it to the ac.lk name server; the ac.lk name server (which also delegates cmb and mrt) refers it to the cmb.ac.lk name server; the cmb.ac.lk name server returns the answer for ucsc.cmb.ac.lk, which the local name server relays to the resolver]
Root Servers
http://www.root-servers.org
Reverse lookup
name space
Authority is delegated from a parent to a child.
[Figure: DNS name space tree showing the lk domain, the lk zone, the ucsc.lk zone and the msc.ucsc.lk zone; labels include edu, com, www, ftp, msc, mcs, mit, google, isi, sun, tislabs and moon]
What is BIND?
BIND (Berkeley Internet Name Domain system)
Resolver configuration keywords in /etc/resolv.conf: domain <domainname>, nameserver <ipaddr>
Example
% more /etc/resolv.conf
nameserver 203.252.57.2
nameserver 203.252.32.4
domain cmb.ac.lk
/etc/named.conf file
/etc/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "root.hints";
};
zone "cmb.ac.lk" IN {
    type master;
    file "zone/cmb.ac.lk";
};
// for localhost
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "zone/127.0.0";
};
zone "20.168.192.in-addr.arpa" IN {
    type master;
    file "zone/192.168.20";
};
Resource record types (TYPE value and mnemonic as assigned in RFC 1035):
Value  Type   Meaning
1      A      a host address
2      NS     an authoritative name server
3      MD     a mail destination (Obsolete - use MX)
4      MF     a mail forwarder (Obsolete - use MX)
5      CNAME  the canonical name for an alias
6      SOA    marks the start of a zone of authority
7      MB     a mailbox domain name (EXPERIMENTAL)
8      MG     a mail group member (EXPERIMENTAL)
9      MR     a mail rename domain name (EXPERIMENTAL)
10     NULL   a null RR (EXPERIMENTAL)
11     WKS    a well known service description
12     PTR    a domain name pointer
13     HINFO  host information
14     MINFO  mailbox or mail list information
15     MX     mail exchange
16     TXT    text strings
SOA record: version number (serial) and timing parameters
IN SOA NS.UCSC.LK. admin.ucsc.lk. (
        2002021301  ; serial (version number)
        30M         ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; negative ttl
IN SOA ns.cmb.ac.lk. admin.cmb.ac.lk. (
        2003081001  ; Serial (2003-08-10 #01)
        86400       ; Refresh (daily)
        1800        ; Retry (30 minute)
        1209600     ; Expire (2 weeks)
        86400 )     ; Minimum TTL (1 day)
                    ; end of SOA
(The owner name in front of IN may be written out in full or replaced with @.)
IN NS ns.cmb.ac.lk.
IN NS ns2.cmb.ac.lk.
IN NS ns.ac.lk.
[Slide: example A, CNAME, MX and PTR records; the owner-name column was lost in extraction. Values shown: A 192.168.20.100, A 192.168.30.100, A 127.0.0.1, CNAME namal, CNAME www, MX 10 mail.cmb.ac.lk., MX 20 namal.cmb.ac.lk., A 192.168.20.50, A 192.168.20.55, PTR mail.cmb.ac.lk.]
Glue Record
A glue record is the IP address of a name server held at the domain name registry. Glue records are required when you wish to set the name servers of a domain name to a hostname under the domain name itself.
Example:
If you set the name servers of cmb.ac.lk to aduna.cmb.ac.lk and ns.ac.lk, you would need to also provide the glue records (i.e. the IP addresses) for aduna.cmb.ac.lk and ns.ac.lk.
Glue Record
If you did not provide the glue records for these name
servers then your domain name would not work as anyone
requiring DNS information for it would get stuck in a loop.
What is the name server for cmb.ac.lk?
aduna.cmb.ac.lk
What is the IP address of aduna.cmb.ac.lk?
don't know, try looking at name server for cmb.ac.lk
What is the name server for cmb.ac.lk?
aduna.cmb.ac.lk
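The loop above can be caught before a zone is published. The following added example (not from the course notes) scans a zone file for NS targets that lie inside the zone but have no A record, which is exactly the case where the parent must hold glue, and also checks that the SOA serial has the YYYYMMDDnn form used in the slides. It assumes one record per line with the owner name written explicitly; the zone contents, including the deliberately broken name server nova, are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the course notes: a check for the glue problem described
# above, run over a zone file. For every NS record whose target lies inside the
# zone itself, the zone must carry an A record for that name (and the parent must
# hold the same address as glue); an in-zone NS without an address produces the
# loop shown above. Out-of-zone name servers (e.g. ns.ac.lk.) are skipped.
# Assumptions: one record per line, the owner name written explicitly in column 1
# (or @), class IN in column 2, and the SOA on a single line.
#
# Constructed sample zone (hypothetical hosts; nova deliberately lacks an A record).
SAMPLE_ZONE='$TTL 3h
$ORIGIN cmb.ac.lk.
@      IN SOA   aduna.cmb.ac.lk. root.aduna.cmb.ac.lk. ( 2011092702 3h 1h 2w 2d )
@      IN NS    aduna.cmb.ac.lk.
@      IN NS    nova.cmb.ac.lk.
@      IN NS    ns.ac.lk.
@      IN A     10.20.50.112
aduna  IN A     10.20.50.234
www    IN CNAME aduna'

# check_zone reads a zone file on stdin and prints one line per problem found:
# in-zone NS targets without an A record, and an SOA serial that is not the
# 10-digit YYYYMMDDnn form used in the notes.
check_zone() {
    awk '
        $1 == "$ORIGIN" { origin = $2; next }
        $1 ~ /^\$/ { next }                      # other directives such as $TTL
        NF < 4 { next }
        {
            name = $1
            if (name == "@") name = origin
            else if (name !~ /\.$/) name = name "." origin
        }
        $3 == "A"  { a[name] = $4 }
        $3 == "NS" { ns[$4] = 1 }
        $3 == "SOA" {
            serial = ($6 == "(") ? $7 : $6
            if (length(serial) != 10 || serial !~ /^[0-9]+$/)
                printf "SOA serial %s is not in YYYYMMDDnn form\n", serial
        }
        END {
            for (t in ns) {
                suffix = substr(t, length(t) - length(origin))
                if (t == origin || suffix == "." origin)   # in-zone target
                    if (!(t in a))
                        printf "NS %s is inside the zone but has no A record (glue needed)\n", t
            }
        }
    ' | sort
}

# problem_count prints the number of problems found in the sample zone.
problem_count() {
    printf '%s\n' "$SAMPLE_ZONE" | check_zone | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_ZONE" | check_zone
```

For a real zone, run check_zone < master/cmb.ac.lk.db and then confirm with dig that the parent (ac.lk) serves the same addresses as glue.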
More on DNS
RFC 1537 recommends the following values for top-level domain servers in the SOA:
86400 ; Refresh 24 hours (8hrs for non-top level domains)
7200 ;
2592000 ;
More on DNS
In the new version of BIND, the TTL in the SOA is now interpreted as the "negative caching" time (see RFC 2308). The default TTL value is defined by the $TTL directive in the first line of your zone file, e.g.
$TTL 4d
@ IN SOA ..
Negative Caching
Classical DNS caching stores only the results of successful name
resolutions. It is also possible for DNS servers to cache the results
of unsuccessful name resolution attempts; this is called negative
caching.
To extend the example above, suppose you mistakenly thought
the name of the company's web site was www.uccs.lk and
typed that into your browser. Your local DNS server would be
unable to resolve the name, and would mark that name as
unresolvable in its cache; a negative cache entry. Note that
regular caching is sometimes called positive caching to
contrast it to negative caching.
Negative Caching
The value to be used for negative caching in a zone is now
specified by the Minimum field in the Start Of
Authority resource record for each zone. As mentioned
above, this was formerly used to specify the
default TTL for a zone.
More on DNS
Root DNS servers (13 in total): a.root-servers.net, .., m.root-servers.net
The a.root-servers.net root server handles about 12,000 queries/sec
Why 13 Root Servers?
Primary Name Server
- unique
- has the SOA (Start of Authority) of that domain
- add/change/remove of the domain name records
Secondary NS
- possibly many for a domain
- name records backed up from the Primary NS periodically
- add/change/remove are worthless
- fault tolerance when the Primary NS is down
More on DNS
Cache Poisoning: an attacker obtains the ability to put data into our nameserver's cache.
Create a separate user for the DNS server, with shell equal to /bin/false.
More on DNS
Configuration syntax:
/etc/named.boot (v4)
/etc/named.conf (v8, 9)
New Name Daemon Control program: ndc (v8), rndc (v9)
Hostnames can contain letters, numbers, and hyphens, and may not start with a hyphen. Underscore (_) is not a valid character in a hostname.
UDP/TCP port 53
- UDP query/response ( < 512 bytes ). Under normal conditions, DNS UDP traffic makes up more than 99% of the total DNS traffic of a given server!
- TCP: responses > 512 bytes and zone transfers
More on DNS
Average size of a DNS packet is 150 bytes
Diagnostic tool on the web: http://www.dnsreport.com
The BIND name daemon control interface program (ndc)
can provide version information when used with newer
versions of BIND:
# ndc status
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    version "Unknown";
    listen-on { a.b.c.d; };
    allow-transfer { none; };
};
// UCSC Domains and their settings
zone "." in {
    type hint;
    file "named.root";
};
zone "cmb.ac.lk" {
    type master;
    file "master/cmb.ac.lk.db";
    allow-transfer { p.q.r.s; };
    also-notify { p.q.r.s; };
};
DNS Example
zone "cmb.ac.lk" {
type slave;
file "slave/cmb.ac.lk.db";
masters {a.b.c.d;};
notify no;
};
zone "248.192.IN-ADDR.ARPA" {
type master;
file "master/cmb.ac.lk-rev.db";
allow-transfer { p.q.r.s; };
also-notify { p.q.r.s; };
};
DNS Example
$TTL 3h
cmb.ac.lk.  IN  SOA  aduna.cmb.ac.lk. root.aduna.cmb.ac.lk. (
                     2011092702   ; serial
                     3h           ; refresh every 3 hrs
                     1h           ; retry every hour
                     2w           ; expire after 14 days
                     2d )         ; 2 day
$ORIGIN cmb.ac.lk.
@       IN  TXT  "University of Colombo, Sri Lanka"
        IN  NS   aduna.cmb.ac.lk.
        IN  NS   ns.ac.lk.
        IN  A    10.20.50.112
        IN  MX   10  king.cmb.ac.lk.
        IN  MX   50  queen.cmb.ac.lk.
aduna   IN  A    10.20.50.234
DNS Tools
Domain Information Groper (dig) is a network administration command-line tool for querying Domain Name System (DNS) name servers for any desired DNS records.
# dig A www.ucsc.lk
End of Section 4
Section 5.0: Automating System Administration
Shells
- The shell is a UNIX program that interprets the commands you enter from the keyboard.
- UNIX provides several shells, including the Bourne shell, the Korn shell, and the C shell.
- Steve Bourne at AT&T Bell Laboratories developed the Bourne shell as the first UNIX command processor.
- The Korn shell includes many extensions, such as a history feature that lets you use a keyboard shortcut to retrieve commands you previously entered.
- The C shell is designed for C programmers' use.
- Linux uses the freeware Bash shell as its default command interpreter (compatible with the Bourne shell, created & distributed by the GNU project).
- You can choose the one that best suits your way of working ..
Command-line Editing
Shells support certain keystrokes for performing command-line
editing
For example, Bash supports the left and right arrow keys, which
move the cursor on the command line
Not all shells support command-line editing in the same manner
Multiple Command Entry
You may type more than one command on the command line by separating each command with a semicolon (;)
When you press Enter, UNIX executes the commands in the order
you entered them
You can use the clear command to clear your screen; it has no
options or arguments
You can access the command history with the up and down arrow
keys with most shells
Shell Scripts
What are they for?
To automate certain common activities a user performs routinely.
They serve the same purpose as batch files in DOS/Windows.
Example: rename 1000 files from upper case to lowercase.
Or:
% ./myshellscript
(should always work)
#!/bin/bash
# For Bourne-Again Shell
#!/bin/sh
# This is for Bourne Shell
Comments start with '#', with the exception of #! and $#, which are special character sequences.
Everything on a line after # is ignored if # is not part of a quoted string or a special character sequence.
Internal Variables
$# tells you the number of command line arguments supplied.
Example, before shift:
$0 = <directory-of>/shift.sh
$1 = 1
$2 = 2
$3 = foo
$4 = bar
After shift:
$0 = <directory-of>/shift.sh
$1 = 2
$2 = foo
$3 = bar
shift discards $1 and renumbers the remaining arguments; $0 is unaffected.
Environment
These (and very many others) are available to your shell:
$PATH - set of directories to look for commands
$HOME - home directory
$MAIL
$PWD - personal working directory
$PS1 - primary prompt
$PS2 - input prompt
$IFS - what to treat as blanks
Control Flow: if
General Syntax:
if [ <expression> ]; then
    <statements>
elif [ <expression> ]; then
    <statements>
else
    <statements>
fi
Some Logical Operators:
-eq --- Equal
-ne --- Not equal
-lt --- Less Than
-gt --- Greater Than
-o --- OR
-a --- AND
File or directory?
-f --- file
-d --- directory
for
Syntax:
for variable in <list of values/words>[;]
do
    command1
    command2
done
for
for file in *.txt;
do
    echo "File $file:"
    echo "===START==="
    cat "$file"
    echo "===END==="
done
while
Syntax:
while <expression>
do
    command1
    command2
done
until
Syntax:
until <expression>
do
    command1
    command2
done
Exercise
Copy all the *.conf files in the current directory to copies named <file name>.org.
More Examples
#!/bin/bash
# This is my script to make a backup of a .conf file
d=`date +%d%m%y`
cp -pv "$1" "$1.$d.org"
echo "Copying Finished"
vi "$1"

for i in *.txt;
do
    echo "File name: $i"
    echo "=====START======="
    cat "$i"
    echo "=====END======="
done
More Examples
#!/bin/bash
# Report whether the first argument looks like a tarball, judged by its extension
if [ "${1##*.}" = "tar" ]
then
    echo "This appears to be a tarball."
else
    echo "At first glance, this does not appear to be a tarball."
fi
if [ "$2" = "help" ]
then
    echo " ===============HELP ============"
fi
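As an added example (not from the course slides), here is a worked solution to the exercise above together with the upper-to-lowercase rename mentioned under Shell Scripts. It uses the constructs from the slides ($#, shift, if, for, the -d/-f tests) and quotes every filename so names containing spaces are handled; the function names backup_confs and lowercase_names are this example's own.

```bash
#!/bin/bash
# Added example: solution to the exercise (copy every *.conf to <name>.org)
# plus the upper-to-lowercase rename use case. Function names are this
# example's own, not part of the course material.

# backup_confs DIR [SUFFIX]
#   Copies DIR/x.conf to DIR/x.conf<SUFFIX> (default ".org"), preserving mode
#   and timestamps (cp -p). Existing copies are never overwritten.
#   Returns 0 on success, 1 on bad arguments, 2 if any file was skipped.
backup_confs() {
    local dir suffix copied skipped f
    if [ "$#" -lt 1 ]; then              # $# = number of arguments supplied
        echo "usage: backup_confs DIR [SUFFIX]" >&2
        return 1
    fi
    dir=$1
    shift                                # drop DIR; the optional suffix is now $1
    suffix=${1:-.org}
    if [ ! -d "$dir" ]; then             # -d: is it a directory?
        echo "backup_confs: '$dir' is not a directory" >&2
        return 1
    fi
    copied=0
    skipped=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue          # no *.conf at all leaves the literal pattern
        if [ -e "$f$suffix" ]; then
            echo "skip: $f$suffix already exists" >&2
            skipped=$((skipped + 1))
            continue
        fi
        # "--" ends option parsing, so a name starting with "-" is still safe
        if cp -p -- "$f" "$f$suffix"; then
            copied=$((copied + 1))
        else
            skipped=$((skipped + 1))
        fi
    done
    echo "copied $copied, skipped $skipped"
    if [ "$skipped" -gt 0 ]; then
        return 2
    fi
    return 0
}

# lowercase_names DIR
#   Renames every regular file in DIR to its lowercase name, skipping files
#   whose lowercase name already exists (on a case-insensitive file system
#   that check also fires for the file itself).
lowercase_names() {
    local dir=$1 f base lower
    if [ ! -d "$dir" ]; then
        echo "lowercase_names: '$dir' is not a directory" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}                    # strip the directory part
        lower=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
        [ "$base" = "$lower" ] && continue   # already lowercase
        if [ -e "$dir/$lower" ]; then
            echo "skip: $dir/$lower already exists" >&2
            continue
        fi
        mv -- "$f" "$dir/$lower"
    done
}

# Usage when run as a script: ./backup_confs.sh DIR [SUFFIX]
if [ "$#" -gt 0 ]; then
    backup_confs "$@"
fi
```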
Cron
Cron gives the ability to run commands periodically on the system.
Cron jobs can be set up by the administrator or by users.
The Cron Table is stored in /etc/crontab.
Users can edit their cron jobs with: crontab -e
List them with: crontab -l
Cron cont.
Each entry has 6 fields:
Minutes 00-59
Hours 0-23 (midnight is 0)
Day of the month 1-31
Month of the year 1-12
Day of the week 0-6 (Sunday is 0)
Job to be executed
* - all legal values
, - multiple entries are separated by a comma
# - implies a comment
Cron Example
Field Rules:
single number, e.g. 1
range, e.g. 1-4
range with step, e.g. 1-100/5
list, e.g. 1,3,5,7
wildcard, e.g. *
0 17 * * 1,2,3,4,5 /usr/backup
Run /usr/backup at 5pm Monday-Friday every week, in every month of the year.
The cron daemon is started by the rc files; once started it never terminates. It checks the crontab file every minute (for any changes).
Cron allows us to schedule programs for periodic execution. However, cron is not a general facility for scheduling program execution off-hours; use the at command for that.
0 0 * * * cmd
5 4 * * 6 cmd - 4:05am on Saturdays
0 1 */5 * * cmd
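Added example (not from the course slides): a shell matcher for the five time fields of a crontab entry that implements the field rules listed above and can be checked against the entries just shown; the function names cron_field_matches and cron_matches are this example's own. The rule for combining the day-of-month and day-of-week fields follows Vixie cron, which is an assumption beyond what the slides state.

```bash
#!/bin/bash
# Added example: a matcher for the five time fields of a crontab entry.
# Function names are this example's own, not part of the course material.

# cron_field_matches FIELD VALUE MIN MAX
#   Returns 0 if VALUE is covered by FIELD, 1 if not, 2 if FIELD is malformed.
#   FIELD may be a single number, a range (1-4), a range or wildcard with a
#   step (1-100/5, */5), a comma-separated list (1,3,5,7) or the wildcard *.
#   MIN/MAX are the legal bounds of the field; they give "*" its meaning.
cron_field_matches() {
    local field=$1 value=$2 min=$3 max=$4
    local rest=$field item range step lo hi n
    case $value in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$field" ] || return 2
    # Walk the comma list by hand (no word splitting, so "*" is never globbed)
    while [ -n "$rest" ]; do
        item=${rest%%,*}
        case $rest in
            *,*) rest=${rest#*,} ;;
            *)   rest='' ;;
        esac
        step=1
        range=$item
        case $item in
            */*) step=${item#*/}; range=${item%%/*} ;;   # "1-100/5" -> 1-100, 5
        esac
        case $range in
            '*')  lo=$min; hi=$max ;;
            *-*)  lo=${range%%-*}; hi=${range#*-} ;;
            *)    lo=$range; hi=$range ;;
        esac
        for n in "$lo" "$hi" "$step"; do  # every piece must be a plain integer
            case $n in
                ''|*[!0-9]*) echo "cron_field_matches: bad field '$field'" >&2; return 2 ;;
            esac
        done
        if [ "$step" -eq 0 ] || [ "$lo" -gt "$hi" ]; then
            echo "cron_field_matches: bad field '$field'" >&2
            return 2
        fi
        # in range, and on the step grid counted from the low end of the range
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( ($value - $lo) % $step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "ENTRY" MINUTE HOUR DAY MONTH WEEKDAY
#   ENTRY is a crontab line such as "0 17 * * 1,2,3,4,5 /usr/backup"; whatever
#   follows the five time fields (the command) is ignored. Returns 0 if the
#   entry would fire at the given time, 1 if not, 2 on a malformed entry.
cron_matches() {
    local entry=$1 minute=$2 hour=$3 dom=$4 mon=$5 dow=$6
    local f_min f_hour f_dom f_mon f_dow cmd star
    # read splits on whitespace without globbing, so "*" fields stay literal
    read -r f_min f_hour f_dom f_mon f_dow cmd <<EOF
$entry
EOF
    if [ -z "$f_dow" ]; then
        echo "cron_matches: need five time fields" >&2
        return 2
    fi
    cron_field_matches "$f_min"  "$minute" 0 59 || return $?
    cron_field_matches "$f_hour" "$hour"   0 23 || return $?
    cron_field_matches "$f_mon"  "$mon"    1 12 || return $?
    # Vixie cron rule (assumed here): if either day field starts with "*", both
    # day fields must match; if both are restricted, matching either is enough.
    star=0
    case $f_dom in \**) star=1 ;; esac
    case $f_dow in \**) star=1 ;; esac
    if [ "$star" -eq 1 ]; then
        cron_field_matches "$f_dom" "$dom" 1 31 && cron_field_matches "$f_dow" "$dow" 0 6
    else
        cron_field_matches "$f_dom" "$dom" 1 31 || cron_field_matches "$f_dow" "$dow" 0 6
    fi
}

# Usage when run as a script: ./cron_match.sh "ENTRY" MINUTE HOUR DAY MONTH WEEKDAY
if [ "$#" -eq 6 ]; then
    cron_matches "$@" && echo "match" || echo "no match (status $?)"
fi
```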
Virtualization
24 Virtualization
As enterprise data centers continue to rack up servers to slake the insatiable information appetite of the modern business, system administrators struggle with a technical conundrum: how can existing systems be managed more efficiently to save power, space, and cooling costs while continuing to meet the needs of users?
Software vendors have historically discouraged administrators from running their applications with other software, citing potential incompatibilities and in some cases even threatening to discontinue support in cases of noncompliance. The result has been a flood of single-purpose servers. Recent estimates have pegged the utilization of an average server at somewhere between 5% and 15%, and this number continues to drop as server performance rises.
One answer to this predicament is virtualization: allowing multiple, independent operating systems to run concurrently on the same physical hardware. Administrators can treat each virtual machine as a unique server, satisfying picky vendors (in most cases) while simultaneously reducing data center costs. A wide variety of hardware platforms support virtualization, and the development of virtualization-specific CPU instructions and the increasing prevalence of multicore processors have vastly improved performance. Virtual servers are easy to install and require less maintenance (per server) than physical machines.
Although server virtualization is our primary focus in this chapter, the same concepts apply to many other areas of the IT infrastructure, including networks, storage, applications, and even desktops. For example, when storage area networks or network-attached storage are used, pools of disk space can be provisioned as a service, creating additional space on demand. Applying virtualization to the desktop can be useful for system administrators and users alike, allowing for custom-tailored application environments for each user.
The many virtualization options have created a struggle for hapless UNIX and Linux administrators. With dozens of platforms and configurations to choose from, identifying the right long-term approach can be a daunting prospect. In this chapter, we start by defining the terms used for virtualization technologies, continue with a discussion of the benefits of virtualization, proceed with tips for selecting the best solution for your needs, and finally, work through some hands-on implementation activities for some of the most commonly used virtualization software on our example operating systems.
Full virtualization
Full virtualization is currently the most accepted paradigm in production use today. Under this model, the operating system is unaware that it is running on a virtualized platform. A hypervisor, also known as a virtual machine monitor, is installed between the virtual machines (guests) and the hardware.
Such hypervisors are also known as bare-metal hypervisors since they control the physical hardware. The hypervisor provides an emulation layer for all of the host's hardware devices. The guest operating system is not modified. Guests make direct requests to the virtualized hardware, and any privileged instructions that guest kernels attempt to run are intercepted by the hypervisor for appropriate handling.
Bare-metal virtualization is the most secure type of virtualization because guest operating systems are isolated from the underlying hardware. In addition, no kernel modifications are required, and guests are portable among differing underlying architectures. As long as the virtualization software is present, the guest can run on any processor architecture. (Translation of CPU instructions does, however, incur a modest performance penalty.)
VMware ESX is an example of a popular full virtualization technology. The general structure of these systems is depicted in Exhibit A.
Exhibit A: Guest OS 0 through Guest OS N on top of the virtualization layer, over the system Disk, CPU, and Memory.
Paravirtualization
Paravirtualization is the technology used by Xen, the leading open source virtual platform. Like full virtualization, paravirtualization allows multiple operating systems to run in concert on one machine. However, each OS kernel must be modified to support hypercalls, or translations of certain sensitive CPU instructions. User-space applications do not require modification and run natively on Xen machines. A hypervisor is used in paravirtualization just as in full virtualization.
The translation layer of a paravirtualized system has less overhead than that of a fully virtualized system, so paravirtualization does lead to nominal performance gains. However, the need to modify the guest operating system is a dramatic downside and is the primary reason why Xen paravirtualization has scant support outside of Linux and other open source kernels.
Exhibit B shows a paravirtualized environment. It looks similar to the fully virtualized system in Exhibit A, but the guest operating systems interface with the hypervisor through a defined interface, and the first guest is privileged.
Exhibit B: the privileged guest (host) and Guest OS 1 through Guest OS N (all modified) on a paravirtualized hypervisor (e.g., Xen, LDoms), over the System Hardware: Disk, CPU, Memory.
commonly known in this context).1 AIX workload partitions and Solaris containers and zones are examples of OS-level virtualization.
OS-level virtualization is illustrated in Exhibit C.
Exhibit C OS-level virtualization architecture: virtual machines 1 and 2 on a shared Host Kernel, over the system Disk, CPU, and Memory.
Native virtualization
In an attempt to distinguish their hardware offerings, the silicon heavyweights AMD and Intel are competing head to head to best support virtualization through hardware-assisted (native) virtualization. Both companies offer CPUs that include virtualization instructions, eliminating the need for the translation layer used in full and paravirtualization. Today, all major virtualization players can take advantage of these processors' features.
Cloud computing
In addition to traditional virtualization, a relatively recent offering in the industry known informally (and, to some, begrudgingly) as cloud computing is an alternative to locally run server farms. Cloud computing offers computing power as a service, typically attractively priced on an hourly basis. The most obvious benefit is the conversion of server resources into a form of infrastructure analogous to power or plumbing. Administrators and developers never see the actual hardware they are using and need have no knowledge of its structure. The name comes from the traditional use of a cloud outline to denote the Internet in network diagrams.
As a system administration book, this one focuses on cloud computing at the server level, but applications are also being moved to the cloud (commonly known as software-as-a-service, or SAAS). Everything from email to business productivity suites to entire desktop environments can be outsourced and managed independently.
1. This is not entirely true. Solaris containers have a feature called branded zones that allows Linux binaries to run on a Solaris kernel.
Exhibit C legend: OS Virtualization (e.g., Solaris containers, HP Integrity VM, IBM workload partitions).
Cloud services are commonly bundled with a control interface that adjusts capacity on demand and allows one-click provisioning of new systems. Amazon's Elastic Compute Cloud (EC2) is the most mature of the first-generation services of this type. It has been widely adopted by companies that offer next-generation web platforms. Love it or hate it, utility computing is gaining traction with bean counters as a cheaper alternative to data centers and localized server infrastructure. Talking heads in the IT industry believe that cloud technologies in their myriad forms are the future of computing.
Cloud computing relies on some of the same ideas as virtualization, but it should be considered a distinct set of technologies in its own right.
Live migration
A final concept to consider is the possibility of migrating virtual machines from one physical machine to another. Most virtualization software lets you move virtual machines in real time between running systems, in some cases without interruptions in service or loss of connectivity. This feature is called live migration. It's helpful for load balancing, disaster recovery, server maintenance, and general system flexibility.
Comparison of virtualization technologies
Although the various virtualization options are conceptually different, each technique offers similar results in the end. Administrators access virtual systems in the same way as they access any normal node on the network. The primary differences are that hardware problems may affect multiple systems at once (since they share hardware) and that resource contention issues must be debugged at the same level at which virtualization is implemented (e.g., in the hypervisor).
A reduced ecological impact is an easy marketing win for businesses as well. Some estimates suggest that nearly one percent of the world's electricity is consumed by power-hungry data centers.2 Modern multicore CPUs are used more efficiently when several virtual machines are running simultaneously.
Business continuity, that is, the ability of a company to survive physical and logical crises with minimal impact on business operations, is a vexing and expensive problem for system administrators. Complex approaches to disaster recovery are simplified when virtual servers can be migrated from one physical location to another with a single command. The migration technologies supported by most virtualization platforms allow applications to be location independent.
future attempts to move reluctant users to new platforms. Slow and steady wins the race.
It's important to choose the right systems to migrate since some applications are better suited to virtualization than others. Services that already have high utilization might be better left on a physical system, at least at the outset. Other services that are best left alone include these:
Starting with a small number of less critical systems will help establish the organization's confidence and develop the expertise of administrators. New applications are obvious targets since they can be built for virtualization from the ground up. As the environment stabilizes, you can continue to migrate systems at regular intervals. Large organizations might find that 25 to 50 servers per year is a sustainable pace.
Plan for appropriate infrastructure support in the new environment. Storage and network resources should support the migration plans. If several systems on the same physical host will reside on separate physical networks, plan to trunk the network interfaces. Include appropriate attachments for systems that will use space on a SAN. Make smart decisions about locating similar systems on the same physical hardware to simplify the infrastructure. Finally, make sure that every virtual machine has a secondary home to which it can migrate in the event of maintenance or hardware problems on the primary system.
Don't run all your mission-critical services on the same physical hardware, and don't overload systems with too many virtual machines.
Thanks to rapid improvements in server hardware, administrators have lots of good options for virtualization. Multicore, multiprocessor architectures are an obvious choice for virtual machines since they reduce the need for context switches and facilitate the allocation of CPU resources. New blade server products from major manufacturers are designed for virtual environments and offer high I/O and memory capacity. Solid state disk drives have inherent synergy with virtualization because of their fast access times and low power consumption.
Introduction to Xen
Initially developed by Ian Pratt as a research project at the University of Cambridge, the Linux-friendly Xen has grown to become a formidable virtualization platform, challenging even the commercial giants in terms of performance, security, and especially cost. As a paravirtual hypervisor, the Xen virtual machine monitor claims a mere 0.1% to 3.5% overhead, far less than fully virtualized solutions. Because the Xen hypervisor is open source, a number of management tools exist with varying levels of feature support. The Xen source is available from xen.org, but many distributions already include native support.
Xen is a bare-metal hypervisor that runs directly on the physical hardware. A running virtual machine is called a domain. There is always at least one domain, referred to as domain zero (or dom0). Domain zero has full hardware access, manages the other domains, and runs all device drivers. Unprivileged domains are referred to as domU. All domains, including dom0, are controlled by the Xen hypervisor, which is responsible for CPU scheduling and memory management. A suite of daemons, tools, and libraries completes the Xen architecture and enables communication between domU, dom0, and the hypervisor.
Several management tools simplify common Xen administration tasks such as
booting and shutting down, configuring, and creating guests. Xen Tools is a collection of Perl scripts that simplify domU creation. MLN, or Manage Large Networks, is another Perl script that creates complex virtual networks out of clean,
easily understood configuration files. ConVirt is a shockingly advanced GUI tool
for managing guests. It includes drag-and-drop live migration, agentless multiserver support, availability and configuration dashboards, and template-driven
provisioning for new virtual machines. For hardened command-line junkies, the
unapologetic built-in tool xm fits the bill.
Linux distributions vary in their support of Xen. Red Hat originally expended significant resources on including Xen in its distributions before ditching it for the competing KVM software. Xen is well supported in SUSE Linux, particularly in the Enterprise 11 release. Canonical, the company behind Ubuntu Linux, has taken an odd approach with Xen, wavering on support in most releases before finally dropping it in version 8.10 in favor of KVM (although Xen is still mentioned in documentation). Once installed, basic Xen usage differs little among distributions. In general, we recommend Red Hat or SUSE for a large Xen-based virtualization deployment.
Xen essentials
A Linux Xen server requires a number of daemons, scripts, configuration files,
and tools. Table 24.1 lists the most interesting puzzle pieces.
Table 24.1 Xen components
Path
Purpose
/etc/xen
xend-config.sxp
auto
scripts
/var/log/xen
/usr/sbin/xend
/usr/sbin/xm
Each Xen guest domain configuration file in /etc/xen specifies the virtual resources available to a domU, such as disk devices, CPU, memory, and network interfaces. There is one configuration file per domU. The format is extremely flexible and gives administrators granular control over the constraints that will be applied to each guest. If a symbolic link to a domU configuration file is added to the auto subdirectory, that guest OS will be automatically started at boot time.
The xend daemon handles domU creation, migration, and other management tasks. It must always remain running and typically starts at boot time. Its configuration file, /etc/xen/xend-config.sxp, specifies the communication settings for the hypervisor and the resource constraints for dom0. It also configures facilities for live migration.
See the footnote on page 308 for more info about sparse files.
Guest domains' disks are normally stored in virtual block devices (VBDs) in dom0. The VBD can be connected to a dedicated resource such as a physical disk drive or logical volume. Or it can be a loopback file, also known as a file-backed VBD, created with dd. Performance is better with a dedicated disk or volume, but files are more flexible and can be managed with normal Linux commands (such as mv and cp) in domain zero. Backing files are sparse files that grow as needed. Unless the system is experiencing performance bottlenecks, a file-backed VBD is usually the better choice. It's a simple process to transfer a VBD onto a dedicated disk if you change your mind.
Similarly, virtual network interfaces (aka VIFs) can be set up in multiple ways.
The default is to use bridged mode, in which each guest domain is a node on the
same network as the host. Routed and NAT modes configure guest domains to be
on a private network, accessible to each other and domain 0 but hidden from the
rest of the network. Advanced configurations include bonded network interfaces
and VLANs for guests on different networks. If none of these options fit the bill,
Xen network scripts are customizable to meet almost any unique need.
Xen guest installation with virt-install
One tool for simple guest installation is virt-install, bundled as part of Red Hat's virt-manager application.3 virt-install is a command-line OS provisioning tool. It accepts installation media from a variety of sources, such as an NFS mount, a physical CD or DVD, or an HTTP location.
For example, the installation of a guest domain might look like this:
This is a typical Xen guest domain with the name chef, a disk VBD location of
/vm/chef.img, and installation media obtained through HTTP. The instance has
512MiB of RAM and uses no X Windows-based graphics support during installation. virt-install downloads the files needed to start the installation and then
kicks off the installer process.
You'll see the screen clear, and you'll go through a standard text-based Linux installation, including network configuration and package selection. After the installation completes, the guest domain reboots and is ready for use. To disconnect from the guest console and return to dom0, type <Control-]>.
See page 1138 for more details on VNC.
It's worth noting that although this incantation of virt-install provides a text-based installation, graphical support through Virtual Network Computing (VNC) is also available.
The domain's configuration is stored in /etc/xen/chef. Here's what it looks like:
name = "chef"
uuid = "a85e20f4-d11b-d4f7-1429-7339b1d0d051"
maxmem = 512
memory = 512
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "tap:aio:/vm/chef.dsk,xvda,w" ]
vif = [ "mac=00:16:3e:1e:57:79,bridge=xenbr0" ]
3. Install the python-virtinst package for virt-install support on Ubuntu.
You can see that the NIC defaults to bridged mode. In this case, the VBD is a block tap file that provides better performance than does a standard loopback file. The writable disk image file is presented to the guest as /dev/xvda. This particular disk device definition, tap:aio, is recommended by the Xen team for performance reasons.
The xm tool is convenient for day-to-day management of virtual machines, such as starting and stopping VMs, connecting to their consoles, and investigating current state. Below, we show the running guest domains, then connect to the console for chef. IDs are assigned in increasing order as guest domains are created, and they are reset when the host reboots.
redhat$ sudo xm list
Name        ID  Mem(MiB)  VCPUs  State   Time(s)
Domain-0     0      2502      2  r-----    397.2
chef        19       512      1  -b----     12.8
redhat$ sudo xm console 19
migrations. Table 24.2 describes the pertinent options; they are all commented
out in a default Xen installation. After making changes, restart xend by running
/etc/init.d/xend restart.
Table 24.2 Live migration options in the xend configuration file
Option
Description
xend-relocation-server
xend-relocation-port
xend-relocation-address
In the process of migrating a virtual machine between hosts, the domU's memory image traverses the network in an unencrypted format. Administrators should keep security in mind if the guest has sensitive data in memory.
Before attempting a migration, the guest's configuration file must be in place on both the source and destination servers. If the location of the disk image files differs between hosts (e.g., if one server mounts the shared storage in /xen and the other in /vm), this difference should be reflected in the disk = parameter of the domain's configuration file.
The migration itself is simple:
redhat$ sudo xm migrate --live chef server2.example.com
Assuming that our guest domain chef is running, the command migrates it to another Xen host, server2.example.com. Omitting the --live flag pauses the domain prior to migration. We find it entertaining to run a ping against chef's IP address during the migration to watch for dropped packets.
KVM
KVM, the Kernel-based Virtual Machine, is a full virtualization tool that has been included in the mainline Linux kernel since version 2.6.20. It depends on the Intel VT and AMD-V virtualization extensions found on current CPUs.4 It is the default virtualization technology in Ubuntu, and Red Hat has also changed gears from Xen to KVM after acquiring KVM's parent company, Qumranet.
Since KVM virtualization is supported by the CPU hardware, many guest operating systems are supported, including Windows. The software also depends on a modified version of the QEMU processor emulator.
4. Does your CPU have them? Try egrep '(vmx|svm)' /proc/cpuinfo to find out. If the command displays no output, the extensions are not present. On some systems, the extensions must be enabled in
the system BIOS before they become visible.
a. This should never be blank; otherwise, connections will be allowed from all hosts.
Under KVM, the Linux kernel itself serves as the hypervisor; memory management and scheduling are handled through the host's kernel, and guest machines are normal Linux processes. Enormous benefits accompany this unique approach to virtualization. For example, the complexity introduced by multicore processors is handled by the kernel, and no hypervisor changes are required to support them. Linux commands such as top, ps, and kill show and control virtual machines, just as they would for other processes. The integration with Linux is seamless.
Administrators should be cautioned that KVM is a relatively young technology,
and it should be heavily tested before being promoted to production use. The
KVM site itself documents numerous incompatibilities when running guests of
differing operating system flavors. Reports of live migrations breaking between
different versions of KVM are common. Consider yourself forewarned.
KVM installation and usage
Although the technologies behind Xen and KVM are fundamentally different, the tools that install and manage guests' operating systems are similar. As under Xen, you can use virt-install to create new KVM guests. Use the virsh command to manage them.5 These utilities depend on Red Hat's libvirt library.
Before the installation is started, the host must be configured to support networking in the guests.6 In most configurations, one physical interface is used to bridge network connectivity to each of the guests. Under Red Hat, the network device configuration files are in /etc/sysconfig/network-scripts. Two device files are required: one each for the bridge and the physical device.
In the examples below, peth0 is the physical device and eth0 is the bridge:
/etc/sysconfig/network-scripts/peth0
DEVICE=peth0
ONBOOT=yes
BRIDGE=eth0
HWADDR=XX:XX:XX:XX:XX:XX
/etc/sysconfig/network-scripts/eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Bridge