Tym razem po drugiej stronie mikrofonu:
Zaopiekuj się moimi logami
Witold Duranek
więcej na:
http://jesien.org/2013/pl/agenda
Zapraszam,
Jesień Linuksowa 2013
Reply
Zerofree your filesystem
Lets assume that you have file image:
|
1 |
dd if=/dev/zero of=file.1 bs=4k count=128 |
on top of it you create filesystem ext3/ext4
|
1 |
mkfs.ext4 /root/file.1 |
mount it, create remove some files etc. and you gonna make it more space efficient, that’s why
|
1 |
zerofree /root/file.1 |
on umount filesystem in result you get unallocated space zeroed. Zeros of course are easily to compress or deduplicate and you save some space. In the same way you can treat virtual disk image. More about that on
http://rwmj.wordpress.com/2010/05/18/tip-compress-raw-disk-images-using-qcow2/
Some notes about memory ballooning in VMware
Couple days ago I found out that memory usage grow rapidly on one server. After couple minutes of investigation, it was clear that memory balloon take place. Of course it will happen only if you have vmware tools installed. To find out what was happening, you can look at vmware performance counters to discover how many pages were reclaimed from particular VM. But if you want to try to get these numbers from VM, you can simply
|
1 |
cat /proc/vmmemctl |
This will only happens when you choose vmware tools modules, not provided with linux kernel (option –clobber-kernel-modules in vmware-config-tools.pl). Standard kernel module vmw_balloon doesn’t provides this feature, more about naming convention
http://comments.gmane.org/gmane.linux.kernel/1037049
Memory ballooning also indicates that free memory on host drops below 4 %, it’s first line of ,,defence” in overcommited environment. Moreover it’s not always bad when VM starts to balloon’ing, because when you have overprovisioned VM with plenty of free memory, you can take it back without performance degradation.
Manage your hard disks
Make one step forward after rediscovering newly added hard disk, simply how to resize it. In virtual world simply put the new disk size, but how to reflect this change in guest operating system:
|
1 2 |
# echo 1 > /sys/block/<devname>/device/rescan # partprobe |
Continuing how to make them unavailable first to guest operating system in LVM style:
|
1 2 3 |
# lvchange -an <lv_name> # vgexport <vg_name> # echo 1 > /sys/block/<devname>/device/delete |
In virtual world just remove selected hard disk.
Sign your scripts
Remote command execution from one host to another is nothing new in more complex infrastructure. It is usually going to happen at low user level privilege and it’s also password less ssh communication based on ssh keys. But what happens when ssh keys leaked or this account was compromised, now it gives us ability to escalate privileges on remote hosts. One way to prevent from happening this scenario is to allow execute only specific commands by entering them in authorized_keys file by command statement. Another way is to use PKI and signed all scripts (the same way as in MS Powershell). How it can be done is mentioned in:
https://www.usenix.org/system/files/login/articles/105516-Schaumann.pdf
you can download bash wrapper command from
https://github.com/jschauma/sigsh
and put them into command statement in authorized_keys just like that:
|
1 |
command="/usr/local/bin/sigsh.sh -p /bin/bash -c /usr/local/etc/cert.tmp" |
Now you can post command to execute on remote system by:
|
1 |
ssh -tt witalis@<host> < /home/witalis/test.sh_signed |
it will be interpreted as bash commands.
So now I could review all commands that should be executed on remote site by signing them, each modification won’t be executed.