Using iptables-save

Posted: December 9, 2010 in Devops, System Engineering

I just lost my netfilter persistence file (/etc/sysconfig/iptables) because I used /usr/bin/system-config-securitylevel-tui.
I see two options now:

  1. Edit /etc/sysconfig/iptables and then restart, or
  2. Use /sbin/iptables to insert rules then save with /sbin/iptables-save

I’m going for option 2, as I can create a backup of the config at the same time by doing this:

Example rule to allow port tcp/80:

# insert the rule at position 10 of the RH-Firewall-1-INPUT chain
/sbin/iptables -I RH-Firewall-1-INPUT 10 \
    -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# make sure the backup directory exists, then write the live ruleset to both
# the persistence file and a timestamped backup in one go
test -d /var/backup/iptables || mkdir -p /var/backup/iptables
/sbin/iptables-save | /usr/bin/tee /etc/sysconfig/iptables \
    /var/backup/iptables/iptables-sysconfig-$(date +%s)
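The tee one-liner above writes whatever iptables-save emits, even if the dump is empty or cut short. The script below is an added example (not from the original post) that does the same save-plus-backup but validates the dump first, so a bad run never overwrites the last good persistence file. The /etc/sysconfig/iptables and /var/backup/iptables paths come from the post; the function names and the validity check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): save the live ruleset to the sysconfig
# file and a timestamped backup, but only after checking that the dump is complete,
# so a truncated or empty iptables-save run never replaces the last good file.
# Paths are the ones used in the post; everything else is this example's assumption.

RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}
BACKUP_DIR=${BACKUP_DIR:-/var/backup/iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}

# A usable dump has at least a *filter table and one COMMIT per table.
# Returns 0 when the file named in $1 passes, 1 otherwise.
rules_dump_ok() {
    [ -s "$1" ] || return 1
    grep -q '^\*filter' "$1" || return 1
    tables=$(grep -c '^\*' "$1" || :)
    commits=$(grep -c '^COMMIT' "$1" || :)
    [ "$tables" -eq "$commits" ]
}

# Dump the current rules, validate them, then write RULES_FILE and a backup copy.
# Prints the backup path on success; leaves RULES_FILE untouched on failure.
save_rules_with_backup() {
    tmp=$(mktemp) || return 1
    if ! $IPTABLES_SAVE > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! rules_dump_ok "$tmp"; then
        rm -f "$tmp"
        echo "refusing to save: iptables-save output looks incomplete" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR" || { rm -f "$tmp"; return 1; }
    backup="$BACKUP_DIR/iptables-sysconfig-$(date +%s)"
    cp "$tmp" "$backup" && mv "$tmp" "$RULES_FILE" \
        && chmod 600 "$RULES_FILE" && echo "$backup"
}

# Usage: sh save-rules.sh run   (after inserting rules with /sbin/iptables)
if [ "${1-}" = run ]; then
    save_rules_with_backup
fi
```

The dump goes to a temporary file first and is only moved into place once it passes the check, so an interrupted iptables-save cannot leave a half-written /etc/sysconfig/iptables behind for the next boot.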

I’ve had problems in the past where I’ve had so many NAT configurations just to get into the various machines in my small home network. Using the ssh ProxyCommand, you can use a single exposed machine to forward your ssh sessions on to any machine in your network.


I had a problem installing the tun/tap adapter for OpenVPN on my Windows 7 machines. Windows complains about the driver not being digitally signed. I don’t care about this, so I switched it off by doing this:

Hit your Windows key and type cmd in the ‘Search Programs and Files’ box. Instead of just hitting ENTER, use CTRL+SHIFT+ENTER to run it as Administrator. Type the following into the cmd prompt and reboot.

bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON

Done!

Running an xe command against many VMs one at a time can take a while, and XenServer can deal with a few of these operations at once. I had some issues, but finally have a one-liner that is suitable (using xargs again :-))

# --minimal prints the running VM UUIDs as one comma-separated line; tr strips the
# trailing newline and any other control characters so xargs does not see a bogus
# last item. -r skips the xe call entirely when no VMs are running; -P5 runs five
# xe vm-param-list calls at a time.
xe vm-list is-control-domain=false power-state=running --minimal |
    tr -d '[:cntrl:]' |
    xargs -r -d, -n1 -P5 -I '{}' xe vm-param-list uuid='{}'

You’ll notice that I strip all control characters out with tr. This is to get rid of a strange line break that xargs will process even when run with -r.
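The same sanitise-and-fan-out pattern as a reusable function, added here as an example and not part of the original post. It reads the comma-separated --minimal output on stdin, strips control characters and empty fields, and runs whatever command you pass with up to N workers; xe itself is not assumed to be installed, and the function name and argument order are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generalises the one-liner above into a
# function. The UUID list comes in on stdin; the command to run per UUID is given as
# arguments, with '{}' marking where the UUID goes (xargs -I style).

# run_per_vm WORKERS CMD [ARGS...]
# - drops control characters (the stray line break the post mentions)
# - splits the comma-separated list into one UUID per line
# - drops empty fields so a trailing comma or blank line never becomes an item
# - runs CMD with up to WORKERS invocations in parallel; -r means CMD is never
#   called at all when the list is empty
run_per_vm() {
    workers=$1
    shift
    tr -d '[:cntrl:]' | tr ',' '\n' | grep -v '^$' |
        xargs -r -P"$workers" -I '{}' "$@"
}

# Usage against a real pool (commented out so the example runs without xe):
# xe vm-list is-control-domain=false power-state=running --minimal |
#     run_per_vm 5 xe vm-param-list 'uuid={}'
```

Because the empty-field filter and -r are both there, an idle pool (no running VMs) produces zero invocations rather than one call with an empty uuid= argument.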

Everybody wants servers now!
Now that servers are virtual, everybody knows you can click a button and give them what they want!
Before you know it, you’ll have tripled your server count!

How can you make sure that things won’t fail in a massive way?
Physically plan your virtual setup!

Think about this: you’ve got sixteen machines with which to create a pool of hypervisors. They’ve all got two quad-core processors and thirty-two gigabytes of RAM.

You only have one switch per rack, and you plan to use four racks (four hypervisors in each rack). This gives you the possibility of recovering from a rack failure (most likely a switch failure) as long as you keep the pool at no more than seventy-five percent loaded on CPU, RAM, network and storage.

BUT!!!

You must also think about maximum VM sizing. If you size a single VM at over twenty-five percent of the capacity of one hypervisor, then you risk not being able to migrate all the machines off the four hypervisors that are allowed to fail.

QNAP TS-219P

Posted: July 27, 2010 in Hardware

After long and hard thought over what kind of NAS I would buy to satisfy my requirements, I ended up with the QNAP TS-219P. This was primarily based on the CPU, RAM and features.

After a few days, I’m loving this device. Performance is great!