Apr 01 2015

Beware, so you (too) won’t be bitten by this.

If you’re running vanilla KVM with the default qemu-kvm packages in RHEL (CentOS and probably others):


In short, q35 support was a technical preview which has now been dropped from qemu-kvm (it is a qemu-kvm-rhev-only feature from now on), so it’s back to “pc”…

Oct 14 2014

Usually one of the first things we want to do with a new server is to restrict access to the SSH service.

So far it seems that everyone advises “disable firewalld, install the iptables service and use it like you’ve always used”, but how about trying to get along with this new tech?

Restricting access to SSH isn’t as hard as it might seem at first glance. First we check what services are allowed in the public (usually the default) and internal zones:

# firewall-cmd --zone=internal --list-services
dhcpv6-client ipp-client mdns samba-client ssh
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

Then we add our admin IP to the internal zone:

# firewall-cmd --permanent --zone=internal --add-source=<admin-ip>

Remove access to the SSH service from public:

# firewall-cmd --permanent --zone=public --remove-service=ssh

And reload to put the changes into use:

# firewall-cmd --reload

--permanent makes changes that persist across reboot/reload, but they aren’t active immediately; without --permanent the changes are active immediately but are lost on reload/reboot.

Service definitions can be found (in RHEL/CentOS 7) at /etc/firewalld/services/. If you create a new one, use --reload to make it active.
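
A way to check the result of the steps above, as an added example that is not part of the original post: the function names and the 192.0.2.10 address are made up for illustration, and the sample zone listings are constructed from the output shown earlier. It compares the public and internal zones against the intended state, which also shows the difference between the permanent and the runtime configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSH lock-down.

# has_word LIST WORD: succeed if WORD is one whole entry of the
# space-separated LIST (so "ssh" does not match e.g. "ssh-custom").
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_ssh_lockdown PUBLIC_SVCS INTERNAL_SVCS INTERNAL_SOURCES ADMIN_IP
# Prints one line per finding and returns the number of findings.
check_ssh_lockdown() {
    problems=0
    if has_word "$1" ssh; then
        echo "FAIL: ssh is still allowed in the public zone"
        problems=$((problems + 1))
    fi
    if ! has_word "$2" ssh; then
        echo "FAIL: ssh is not allowed in the internal zone"
        problems=$((problems + 1))
    fi
    if ! has_word "$3" "$4"; then
        echo "FAIL: $4 is not a source of the internal zone"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# audit ADMIN_IP [--permanent]: run the check against a live firewalld.
# Without --permanent it reads the runtime configuration, which only
# matches the permanent one after "firewall-cmd --reload".
audit() {
    check_ssh_lockdown \
        "$(firewall-cmd $2 --zone=public --list-services)" \
        "$(firewall-cmd $2 --zone=internal --list-services)" \
        "$(firewall-cmd $2 --zone=internal --list-sources)" \
        "$1"
}

# Constructed sample: state after the permanent changes but before the
# reload, with 192.0.2.10 standing in for <admin-ip>.
check_ssh_lockdown "dhcpv6-client ssh" \
    "dhcpv6-client ipp-client mdns samba-client ssh" "" "192.0.2.10" \
    || echo "runtime config: $? finding(s); run firewall-cmd --reload"
```

On a host, run `audit <admin-ip> --permanent` before the reload and `audit <admin-ip>` after it, from an SSH session you keep open until both report no findings. The source has to be given exactly as it was added (for example with or without a /32 suffix), since the comparison is a plain string match.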

Oct 09 2014

Nowadays LVM has a cache feature, where we can bolt an SSD as a cache device to a logical volume.

Let’s imagine we have the following setup:

  • 4x 2TB SATA disks in RAID10 configuration, /dev/md0
  • 2x 120GB SSD disks in RAID1 configuration, /dev/md1

First we’ll create the logical volume which we’ll be working with:

# pvcreate /dev/md0
# vgcreate storage /dev/md0
# lvcreate -n volume -L 4TB storage /dev/md0

Next we’ll bolt the cache device (which should be RAID1-mirrored in case of disk failure) to the volume. First we’ll extend the volume group to contain the SSD device:

# vgextend storage /dev/md1

Then we’ll create a cache volume and a metadata volume (there’s 1GB free on purpose):

# lvcreate -n metadata -L 1GB storage /dev/md1
# lvcreate -n cache -L 118GB storage /dev/md1

Now we’ll convert these into a cache pool (this will fail unless at least as much space as the metadata volume uses, 1GB, is left free, because that space is used for failure recovery):

# lvconvert --type cache-pool --poolmetadata storage/metadata storage/cache

Then all that’s left is attaching the cache to a logical volume:

# lvconvert --type cache --cachepool storage/cache storage/volume

It should say “storage/volume is now cached” and lvs output should look something like this:

# lvs
LV     VG      Attr       LSize   Pool  Origin          Data% Meta% Move Log Cpy%Sync Convert
cache  storage Cwi---C--- 118.00g
volume storage Cwi-a-C--- 4.0t    cache [storage_corig]

Oh, and if you want the cache to survive a reboot, you’ll need a package which provides the /usr/sbin/cache_check binary. In Debian that’s “thin-provisioning-tools”, and in RHEL/CentOS/derivatives the package is device-mapper-persistent-data.
Tests were performed on Debian testing (Jessie) and CentOS 7.0.1406 Core in 10/2014. Official documentation can be found here.

Jan 20 2013

Debian Squeeze was released 06.02.2011.
Please note that Wheezy is still in testing stage. Debian Wheezy was released 04.05.2013.

Just some quick steps on how to do the upgrade (at your own risk).

Update Squeeze

    aptitude update
    aptitude upgrade
  1. Copy /etc/apt/sources.list to /etc/apt/sources.list.d/debian-wheezy.list and replace squeeze with wheezy. Or copy them inside sources.list. Use whichever mirror is closest to you.
    deb http://ftp.fi.debian.org/debian/ wheezy main contrib non-free
    deb http://ftp.fi.debian.org/debian/ wheezy-updates main contrib non-free
    deb http://security.debian.org/ wheezy/updates main contrib non-free
  2. Update repository
    aptitude update
  3. Upgrade critical parts first – it will complain about libept1 – just let it be removed.
    aptitude install dpkg apt aptitude
  4. (Dist-)upgrade rest
    aptitude upgrade
    aptitude dist-upgrade
  5. Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)
    aptitude purge grub-pc
    aptitude install grub-legacy
  6. Always check that /boot/grub/menu.lst or /boot/grub/grub.cfg exists and defaults to the right kernel
  7. Reboot and hope for the best



Dec 10 2011

Once upon a time, a virtual machine was installed in full virtualization (KVM) mode. The network wasn’t bridged, it was routed.

And then the problem: IPv6 traffic flowed nicely inbound, but outbound was capped to about 128 kbps.

Troubleshooting: after googling around with ipv6, kvm and debian we came across this Debian bug report about GSO IPv6 issues under KVM. It’s supposed to be fixed in the 2.6.32-5-amd64 (2.6.32-39) package… well, upgrading didn’t work for us; probably it’s another (similar kind of) bug, or something needs to be done on the host machine.

Workaround: disabling virtio_net’s gso worked for us:

ifdown eth0; modprobe -r virtio_net; modprobe virtio_net gso=0; ifup eth0

Dec 09 2011

Debian Squeeze was released 06.02.2011 and Lenny’s support has been discontinued since 06.02.2012.


Problem: apt-get update && apt-get dist-upgrade broke everything; the server did not boot anymore.

Troubleshooting: Squeeze has grub2, which our Xen 3.x and pygrub didn’t understand.

Solution: upgrade with the following steps; use apt-get or aptitude, whichever you like.

  1. Update Lenny
    aptitude update
    aptitude upgrade
  2. Replace lenny with squeeze in /etc/apt/sources.list – or add necessary entries to another file under /etc/apt/sources.list.d/
    deb http://ftp.fi.debian.org/debian/ squeeze main contrib non-free
    deb http://ftp.fi.debian.org/debian/ squeeze-updates main contrib non-free
    deb http://security.debian.org/ squeeze/updates main contrib non-free
  3. Update repository
    aptitude update
  4. Upgrade critical parts first
    aptitude install dpkg apt aptitude
  5. (Dist-)upgrade rest
    aptitude upgrade
    aptitude dist-upgrade
  6. Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)
    aptitude purge grub-pc
    aptitude install grub-legacy
  7. Check that /boot/grub/menu.lst exists and defaults to the right kernel
  8. Reboot and hope for the best


Also remember to use the 2.6.39 kernel from backports for live migration to work.
Update 01/2013: the 2.6.32 kernel usually works just fine. Lenny’s EOL date is 6.2.2012.