Monday, December 17, 2007

OpenSSH over high speed networks

We run gigabit Ethernet in the network at work. I noticed that my actual throughput on scp transfers was in the 200Mbit/s range, while iperf wirespeed tests indicated over 900Mbit/s. Now, obviously encryption will bring about some cost, but that seemed like too large a hit to me, so I set out to tune things a bit. As a result, I think I can confidently make the following recommendations to those running OpenSSH over high speed networks:

1) Upgrade your SSH server. OpenSSH 4.3 was about 1/3 faster than the various 3.6 and 3.9 releases.
2) Turn off compression. This just slows you down over a high speed network. This should be done on the server side.
3) Use blowfish. In the /etc/ssh/ssh_config (client configuration file), set:
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Blowfish was a bit faster than AES on the systems I tested.

The net effect was a boost to ~350Mbit/s, which is a significant improvement.
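Rather than take the cipher ranking on faith, measure it on your own hardware. The script below is an added example, not part of the original post: it pushes a fixed stream through one ssh session per cipher with compression disabled and reports Mbit/s. It assumes a passwordless login to SSH_HOST (placeholder), MB_TO_SEND megabytes per run, and RUN_BENCH=1 to start; because later OpenSSH releases dropped blowfish, arcfour and cast128, ciphers the local client does not advertise are skipped instead of aborting the run.

```shell
#!/bin/sh
# Added example: per-cipher throughput check for the tuning steps in the post.
# Assumes key- or agent-based login to $SSH_HOST (placeholder target).
SSH_HOST="${SSH_HOST:-user@example.invalid}"
MB_TO_SEND="${MB_TO_SEND:-256}"     # larger is better: timing is whole seconds
# Cipher order from the post's Ciphers line.
CANDIDATES="blowfish-cbc aes128-cbc 3des-cbc cast128-cbc arcfour aes192-cbc aes256-cbc"

# Bytes and elapsed seconds -> integer Mbit/s (0 when no time elapsed).
throughput_mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN { if (s <= 0) print 0; else printf "%d\n", (b * 8) / (s * 1000000) }'
}

# Keep only cipher names the local client supports (ssh -Q cipher, OpenSSH 6.3+);
# an older client without -Q gets the whole list.
supported_ciphers() {
    wanted="$1"
    if ! avail=$(ssh -Q cipher 2>/dev/null); then
        echo "$wanted"
        return
    fi
    for c in $wanted; do
        echo "$avail" | grep -qx "$c" && printf '%s ' "$c"
    done
    echo
}

# Push MB_TO_SEND megabytes of zeros through one session with compression off.
bench_cipher() {
    start=$(date +%s)
    dd if=/dev/zero bs=1048576 count="$MB_TO_SEND" 2>/dev/null |
        ssh -o Compression=no -c "$1" "$SSH_HOST" 'cat > /dev/null' || return 1
    end=$(date +%s)
    throughput_mbps $((MB_TO_SEND * 1048576)) $((end - start))
}

if [ "${RUN_BENCH:-0}" = 1 ]; then
    for c in $(supported_ciphers "$CANDIDATES"); do
        printf '%-14s %s Mbit/s\n' "$c" "$(bench_cipher "$c")"
    done
fi
```

Run it once from the client before and after the upgrade and compression changes so that the cipher comparison and the other two recommendations are measured separately.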

Monday, August 27, 2007

Get a UPS!

I love cheap uninterruptible power supplies (UPS). For the home user, they make a lot of sense. Replacing the batteries in a UPS often costs more than getting a new one on sale, so I just get a cheap one for each of my computers every year. I look for the $20-$40 deals they have at Fry's on a regular basis. My home has fairly dependable power. The outages I normally encounter are short, usually a second or two. That flash of power can be murder on my hard drives over the course of the year, however. For that reason, I go for the cheap, low capacity UPS devices. They work fine for these short bursts. If I needed the sorts of things which could keep me up and running for several minutes, and automatically shut down my machines, I'd go for something more costly, but a $20 UPS per year can save you a $100 hard drive, so I find it an investment well worth making.

Saturday, August 18, 2007

Who This?

One of the most annoying things on earth for me is a result of one of the many marvelous technological innovations the market has brought us. All too often, my home phone will ring. I answer it, "Hello?"

"Uh, who this?"

Who this?! What sort of numbskull would actually call someone else and demand their identity? As we have house guests, this problem is becoming more pronounced. My normal reply is "You called my house. Who are you?" Often, even this does not cause the other party to come to their senses. "I saw this number in my caller ID." What you get in your caller ID is not my problem. That's why it's your caller ID and not mine. At this point, I hang up. I have no time for rude jerks who don't know how to introduce themselves on the phone. Are these people so deathly afraid that they may be calling someone with whom they do not wish to speak? If mafia hitmen, government agents or bill collectors are hounding your every step, here's a free hint: Don't call phone numbers you don't know.

One would think that such rudeness would be the custom of the young, perhaps my own age and younger. But no, these people are often old enough to be my mother or father, yet, apparently they have either never been taught manners, or have grown so old and senile as to have forgotten them. This habit appears to have no age boundary. It seems to me that this is a good time to start educating people by encouraging corrective behavior. When someone calls you and asks for your identity, kindly inform them that you are the homeowner and would like for them to identify themselves. If they give you the caller ID excuse, remind them that the lack of message requesting a callback is a good indicator that none is demanded. Finally, if they still persist, reward their persistence with a click and a dial tone.

I have had plenty of strange numbers show up in my caller ID. When I actually decide to call one, I always say, "Hi, this is Robert Wicks. Did someone from this number call me?" Note the conspicuous absence of "Hoodis?," which is how it is normally pronounced, like some word in a foreign language describing some quaint local custom. I introduce myself and treat them with the respect that others deserve. Is a bit of consideration too much to ask?

Wednesday, April 4, 2007

beryl invisible borders

I use Gentoo Linux at home. It's a pretty neat experience, and much easier than a compiled distribution might initially seem. I'm constantly updating to experimental packages on it, and one of my favorites is Beryl, a beautiful window manager. Recently, I noticed that Beryl's window edges were invisible. I could still grab the invisible window title and drag it around, but not having visible borders was frustrating. I tried changing nvidia drivers and updating Beryl components, but I finally found that I needed to come off the bleeding edge. The Beryl components were versioned 9999. Once I scaled back to the 0.2.1 release (the current one), things returned to normal.

Thursday, March 1, 2007

Converting a VMWare workstation image to Xen

Recently I had to convert a VMWare virtual machine running Redhat Enterprise Linux 4 (vmclient running on vmhost) to its own box. Due to the practical limitations of remote support, I decided that Xen might be a better solution than bare metal, without sacrificing performance. Since the server had been running on VMWare Workstation on a low memory box, the move to new hardware would boost performance no matter what I did. During my conversion experience, I discovered some useful resources scattered about the Internet. One of them was in German, which I don't speak, so I figured I would put things in one place for anyone challenged to do something like this in the future.

VMHost is a RHEL4 server with VMWare workstation running on it. First I found the directory containing the files for the server I want to clone. Looking in the /var/vmware/Virtual Machines directory, I see vmclient/vmclient.vmdk. This is the disk image. Fortunately, there is only a single image. I'm not sure what I would do if there were spanned images, which is one of the options you have with VMWare. I suppose you could append one to another, but I'd have to check into how best to do that.

I used qemu to convert from the vmware vmdk format to a raw disk image. Qemu is readily available at Convert the image by shutting down the VMWare session, then issuing the following:
qemu-img convert -f vmdk vmclient.vmdk -O raw vmclient.raw
Note that all the commands are on one line, so ignore any line breaks. This gives a disk image of vmclient in a format I can operate upon. For example do the following:

fdisk -l -u vmclient.raw
And the output will look something like this:
You must set cylinders.
You can do this from the extra functions menu.

Disk v-pt-dev1.raw: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
vmclient.raw1 * 63 208844 104391 83 Linux
vmclient.raw2 208845 8385929 4088542+ 8e Linux LVM
This tells me that I have a disk image with two primary partitions. Knowing that the first partition is /dev/sda1 or /boot (which I could tell with the df command inside the original virtual machine), I know that the second partition is the LVM partition containing both / and swap.

I moved this raw file over to the Xen host server (xenhost), which I had already installed with a generic XenServer 3.1 install (I like XenSource's distribution, but the concepts here should work with any Xen implementation). I created a new default RHEL 4.4 install using the Xen Client which comes with XenServer 3.1. I had an NFS mount with all the RHEL4 CD content copied into it and pointed the install at that, but you could download a new Xen Template (XGT) for CentOS and use that instead if you wish.

After creating the working RHEL install under Xen, I know I will need the /lib/modules/ directory in my final box, but my migration technique is going to destroy everything but /boot in the process, so I copied the modules directory to /boot temporarily. I then shut down the XenVM and ssh directly into xenhost.

Looking under /dev/mapper, I see the logical volumes (they have some absurdly long names, but end in sda, sdb, etc, depending on how many drives you set up). Since I have set up only one drive, I only have an sda logical volume. I want to save my /boot from this LV (with the modules directory already copied to it). After verifying with fdisk -l -u VG{whatever}.sda that the layout is the same, with the first 208844 blocks being /boot, I issued the following command:
dd if=VG{whatever}.sda bs=512 count=208844 of=xenclientboot.img
This pulled the /boot from the logical volume. I then overwrite the LV with my VMware image:
dd if=vmclient.raw of=VG{whatever}.sda
This will not yet boot, at least on the box I am using, because it does not have a paravirtualized kernel. It may work on more recent CPUs which have hardware virtualization, in which case saving the /boot may be unnecessary (though it may still be desirable for performance). So:
dd if=xenclientboot.img bs=512 count=208844 of=VG{whatever}.sda
This copies the correct /boot over. Boot the new Xen Client system, move the modules directory from /boot to its correct place in /lib/modules, run depmod -a, then run netconfig and configure your network settings. You might also want to copy the xenmond binary from /usr/sbin in any other Xen installation, along with the xenmond start script in /etc/init.d/. This will allow the XenClient to monitor the running Xen Client. Remember to do chkconfig --add xenmond after you copy the file so that it will be added to the correct runlevels. Reboot, then things should work. I'd appreciate any feedback on clarifying things, or if you see any errors or better ways to do this. I'm always looking for better methods.
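The same disk swap as one script, added here as an example rather than taken from the original post. Instead of typing the /boot sector count by hand it reads partition 1's End sector from fdisk -l -u output, and since fdisk's End column is inclusive it copies End + 1 sectors so the last sector of /boot is included; it also refuses to overwrite the LV when the raw image and the LV disagree on the /boot boundary. Assumed names: vmclient.vmdk in the current directory, the target LV path in XEN_LV (placeholder for the VG{whatever}.sda entry under /dev/mapper), and RUN_SWAP=1 to actually run the dd steps.

```shell
#!/bin/sh
# Added example: VMware raw image onto a Xen LV, keeping the Xen /boot.
# XEN_LV is a placeholder; point it at your VG{whatever}.sda device.
XEN_LV="${XEN_LV:-/dev/mapper/VG-PLACEHOLDER.sda}"
RAW=vmclient.raw
BOOT_IMG=xenclientboot.img

# Sectors to copy to preserve partition 1 (/boot), from "fdisk -l -u" output on
# stdin. End is inclusive, so sectors 0..End are End+1 sectors; a bootable
# flag "*" shifts the Start/End columns one to the right.
boot_sectors_to_copy() {
    awk '$1 ~ /[^0-9]1$/ { end = ($2 == "*") ? $4 : $3; print end + 1; exit }'
}

# Step 1: vmdk -> raw, and show the partition table for a visual check.
convert_image() {
    qemu-img convert -f vmdk vmclient.vmdk -O raw "$RAW" || return 1
    fdisk -l -u "$RAW"
}

# Steps 2-4: save /boot from the LV, overwrite the LV with the raw image,
# then put the saved /boot (paravirtualized kernel) back.
swap_disk() {
    n_raw=$(fdisk -l -u "$RAW" 2>/dev/null | boot_sectors_to_copy)
    n_lv=$(fdisk -l -u "$XEN_LV" 2>/dev/null | boot_sectors_to_copy)
    if [ -z "$n_lv" ] || [ "$n_raw" != "$n_lv" ]; then
        echo "/boot layout differs (raw=$n_raw lv=$n_lv); not touching $XEN_LV" >&2
        return 1
    fi
    dd if="$XEN_LV" bs=512 count="$n_lv" of="$BOOT_IMG" || return 1
    dd if="$RAW" of="$XEN_LV" || return 1
    dd if="$BOOT_IMG" bs=512 count="$n_lv" of="$XEN_LV" || return 1
    echo "done: boot the XenVM, move /boot/modules to /lib/modules, run depmod -a"
}

if [ "${RUN_SWAP:-0}" = 1 ]; then
    convert_image && swap_disk
fi
```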