Zerofree your filesystem

Let's assume that you have a file image:

on top of it you create an ext3/ext4 filesystem

mount it, create and remove some files, etc. Now you want to make it more space efficient, which is why

on the unmounted filesystem, and as a result you get the unallocated space zeroed. Zeros are of course easy to compress or deduplicate, so you save some space. You can treat a virtual disk image the same way. More about that at

http://rwmj.wordpress.com/2010/05/18/tip-compress-raw-disk-images-using-qcow2/



Some notes about memory ballooning in VMware

A couple of days ago I found out that memory usage was growing rapidly on one server. After a couple of minutes of investigation, it was clear that memory ballooning was taking place. Of course, it will happen only if you have VMware Tools installed. To find out what is happening, you can look at the VMware performance counters to discover how many pages were reclaimed from a particular VM. But if you want to try to get these numbers from within the VM, you can simply

This will only happen when you choose the VMware Tools modules, not the ones provided with the Linux kernel (option --clobber-kernel-modules in vmware-config-tools.pl). The standard kernel module vmw_balloon doesn't provide this feature. More about the naming convention:

http://comments.gmane.org/gmane.linux.kernel/1037049

Memory ballooning also indicates that free memory on the host has dropped below 4 %; it's the first line of "defence" in an overcommitted environment. Moreover, it's not always bad when a VM starts ballooning, because when you have an overprovisioned VM with plenty of free memory, you can take it back without performance degradation.



Manage your hard disks

Going one step further after rediscovering a newly added hard disk: how to resize it. In the virtual world you simply enter the new disk size, but how do you reflect this change in the guest operating system:

Continuing: how to first make disks unavailable to the guest operating system, LVM style:

In the virtual world, just remove the selected hard disk.



Sign your scripts

Remote command execution from one host to another is nothing new in more complex infrastructure. It usually happens at a low user privilege level and relies on passwordless SSH communication based on SSH keys. But what happens when the SSH keys leak or this account is compromised? Whoever holds the key now has the ability to escalate privileges on remote hosts. One way to prevent this scenario is to allow execution of only specific commands by entering them in the authorized_keys file with a command statement. Another way is to use PKI and sign all scripts (the same way as in MS PowerShell). How it can be done is described in:

https://www.usenix.org/system/files/login/articles/105516-Schaumann.pdf 

You can download the bash wrapper command from

https://github.com/jschauma/sigsh

and put it into the command statement in authorized_keys, like this:

Now you can send commands to execute on the remote system with:

They will be interpreted as bash commands.

So now I could review all commands that should be executed on the remote site by signing them; any modification won't be executed.
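The verify-then-execute idea described above, as an added example (not sigsh's own code and not from the original post): a script is run only if it carries a PKCS#7 signature from the one trusted certificate. It assumes the `openssl` command-line tool is installed; the signer names `trusted` and `rogue`, the file names and the self-signed certificates are constructed for the demo and stand in for a real PKI.

```shell
#!/bin/sh
# Added example: sign a script, then execute it only if the signature verifies.
# All names and paths below are constructed for the demo.
workdir=$(mktemp -d)

# Create a throwaway self-signed signer "$1" (stand-in for a real PKI identity).
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.crt" 2>/dev/null
}

# Sign script "$2" as signer "$1"; write a PKCS#7 message with the script
# embedded to "$3". -binary keeps line endings byte-identical.
sign_script() {
    openssl smime -sign -binary -nodetach -signer "$workdir/$1.crt" \
        -inkey "$workdir/$1.key" -in "$2" -outform PEM -out "$3" 2>/dev/null
}

# Verify "$1" against the single trusted certificate and run the payload only
# on success. The payload goes to a file first, so nothing reaches the shell
# before verification has finished.
verify_and_run() {
    payload=$(mktemp "$workdir/payload.XXXXXX")
    if openssl smime -verify -inform PEM -CAfile "$workdir/trusted.crt" \
        -in "$1" -out "$payload" 2>/dev/null; then
        sh "$payload"
    else
        echo "signature check failed, not executing" >&2
        return 1
    fi
}

# Demo: only the reviewer's certificate ("trusted") is accepted by the verifier.
make_signer trusted
make_signer rogue
printf 'echo deployed\n' > "$workdir/job.sh"
sign_script trusted "$workdir/job.sh" "$workdir/good.p7"
sign_script rogue "$workdir/job.sh" "$workdir/rogue.p7"
verify_and_run "$workdir/good.p7"            # signed by the trusted key
verify_and_run "$workdir/rogue.p7" || true   # signed, but by an untrusted key
verify_and_run "$workdir/job.sh" || true     # plain script, no signature
```

A leaked SSH key alone is not enough to get a command executed here: the sender also needs the private signing key, which can be kept off the hosts that initiate the connection.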