Archive for the ‘System Engineering’ Category

Using iptables-save

Posted: December 9, 2010 in Devops, System Engineering

I just lost my netfilter persistence file (/etc/sysconfig/iptables) because I used /usr/bin/system-config-securitylevel-tui.
I see two options now:

  1. Edit /etc/sysconfig/iptables by hand and then restart the iptables service, or
  2. Use /sbin/iptables to insert the rules into the running ruleset, then persist them with /sbin/iptables-save

I’m going for option 2, since it lets me create a backup of the config at the same time:

Example rule to allow port tcp/80, followed by the save step:

# Insert the rule at position 10 of the RH-Firewall-1-INPUT chain (the RHEL/CentOS default chain)
/sbin/iptables -I RH-Firewall-1-INPUT 10 \
    -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# Make sure the backup directory exists
test -d /var/backup/iptables || mkdir -p /var/backup/iptables
# Dump the running ruleset to the persistence file and to a timestamped backup copy
/sbin/iptables-save | /usr/bin/tee /etc/sysconfig/iptables \
    /var/backup/iptables/iptables-sysconfig-$(date +%s)

Everybody wants servers now!
Now that servers are virtual, everybody knows you can click a button and give them what they want!
Before you know it, you’ll have tripled your server count!

How can you make sure that things won’t fail in a massive way?
Physically plan your virtual setup!

Think about this: you’ve got sixteen machines to build a pool of hypervisors. Each has two quad-core processors and thirty-two gigabytes of RAM.

You only have one switch per rack, and you plan to use four racks (four hypervisors in each rack). This gives you the possibility to recover from a rack failure (most likely a switch failure) as long as you keep the pool at no more than seventy-five percent loaded on CPU, RAM, network and storage.

BUT!!!

You must also think about maximum VM sizing. If you size a single VM over twenty-five percent of the capacity of one hypervisor, then you risk not being able to migrate all machines from the four hypervisors that are allowed to fail: each surviving hypervisor only has twenty-five percent free, so a larger VM has nowhere to land even though the pool as a whole has the capacity.
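To make the two rules concrete, here is an added example (my own code, not from the original post) that models the pool described above: sixteen hypervisors in four racks of four, a rack failure, and a largest-first placement of the evacuated VMs onto the surviving hosts. The pool layouts and VM sizes are constructed for illustration, and capacity is modelled as a single fraction of one hypervisor; the real check has to be repeated for CPU, RAM, network and storage.

```python
"""Rack-failure capacity check for a hypervisor pool.

Added example, not code from the original post. It asks the two questions
the post raises: does the pool have the aggregate headroom to lose a rack,
and can every VM on the failed rack actually be placed on a surviving host?
Sizes are a fraction of one hypervisor's capacity (1.0 = a whole host).
"""

RACKS = 4
HOSTS_PER_RACK = 4
MAX_POOL_LOAD = 0.75   # the post's rule: stay at or below 75% so one rack (25%) can fail


def build_pool(per_host_vms, overrides=None):
    """Constructed pool: every host carries a copy of per_host_vms, except
    hosts listed in overrides, which get the VM list given there.
    Hosts are keyed (rack, slot)."""
    overrides = overrides or {}
    pool = {}
    for rack in range(RACKS):
        for slot in range(HOSTS_PER_RACK):
            host = (rack, slot)
            pool[host] = list(overrides.get(host, per_host_vms))
    return pool


def pool_load(pool):
    """Average utilisation across all hosts in the pool."""
    return sum(sum(vms) for vms in pool.values()) / len(pool)


def aggregate_headroom_ok(pool, failed_rack):
    """The coarse check: total free capacity on surviving hosts versus the
    total size of the VMs that must leave the failed rack."""
    free = sum(1.0 - sum(vms) for host, vms in pool.items() if host[0] != failed_rack)
    need = sum(sum(vms) for host, vms in pool.items() if host[0] == failed_rack)
    return free >= need


def migrate_rack(pool, failed_rack):
    """The real check: place each evacuated VM, largest first, on the surviving
    host with the most free capacity. If that host cannot hold it, no host can.
    Returns (all_placed, leftover_sizes, free_capacity_after)."""
    free = {host: 1.0 - sum(vms) for host, vms in pool.items() if host[0] != failed_rack}
    evacuees = sorted(
        (vm for host, vms in pool.items() if host[0] == failed_rack for vm in vms),
        reverse=True,
    )
    leftover = []
    for vm in evacuees:
        target = max(free, key=free.get)
        if free[target] + 1e-9 >= vm:
            free[target] -= vm
        else:
            leftover.append(vm)
    return not leftover, leftover, free


def scenario(per_host_vms, overrides=None, failed_rack=0):
    """Run both checks for one constructed pool layout and summarise the result."""
    pool = build_pool(per_host_vms, overrides)
    placed, leftover, _ = migrate_rack(pool, failed_rack)
    return {
        "load": round(pool_load(pool), 3),
        "within_75pct": pool_load(pool) <= MAX_POOL_LOAD + 1e-9,
        "largest_vm": max(vm for vms in pool.values() for vm in vms),
        "aggregate_ok": aggregate_headroom_ok(pool, failed_rack),
        "all_placed": placed,
        "leftover": leftover,
    }


if __name__ == "__main__":
    cases = {
        # 75% loaded, every VM exactly 25% of a host: rack loss is absorbed
        "safe": ([0.25, 0.25, 0.25], None),
        # still 75% loaded, but one host carries a 50% VM: aggregate headroom
        # says fine, the placement says the big VM has nowhere to go
        "oversized VM": ([0.25, 0.25, 0.25], {(0, 0): [0.5, 0.25]}),
        # 80% loaded with 40% VMs: both checks fail
        "overloaded": ([0.4, 0.4], None),
    }
    for name, (vms, overrides) in cases.items():
        print(name, scenario(vms, overrides))
```

The "oversized VM" case is the one the post warns about: the pool is still at seventy-five percent and has enough free capacity in total, yet the half-host VM cannot be migrated because every surviving hypervisor has only a quarter of a host free. Checking aggregate headroom alone would have passed it.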