Category Archives: Virtualization

Lost in… migration…

VPS import in the VMmanagerOVZ 5.64.1 works without errors, as it shows in panel status and in the log files.
BUT! You can face the problems in the feature because there can be wrong file permissions inside the imported VPS.

I’ve found this issue after in the imported VPS the MySQL server can’t start. This happens because of wrong permissions for the whole mysql data directory:

# ls -la /var/lib/mysql/mysql/user*
-rw-rw---- 1 sshd postfix 10466 Feb 25  2014 /var/lib/mysql/mysql/user.frm
-rw-rw---- 1 sshd postfix   292 Feb 25  2014 /var/lib/mysql/mysql/user.MYD
-rw-rw---- 1 sshd postfix  2048 Feb 25  2014 /var/lib/mysql/mysql/user.MYI

this is because of the bug in the VMmanagerOVZ:

Aug 10 02:01:31 [23156:1] libmgr INFO id=4430c2 Run ssh command 'ssh -i /usr/local/mgr5/etc/ssh_id_rsa -o UserKnownHostsFile=/usr/local/mgr5/etc/vemgr_known_hosts root@xxx.xx.xx.xxx 'cd /vz/private/105 && tar czpf - *' | tar xzpf - -C /var/lib/vz/private/113' on root@yyy.yy.yy.yyy 
Aug 10 02:14:03 [23156:1] libmgr INFO id=4430c2 Ssh command finished with status 0

it uses tar command on the host machine without –numeric-owner option – in this case tar saves user/group names from the host machine.

The temporary solution for this issue:

# mv /bin/tar{,.orig}
`/bin/tar' -> `/bin/tar.orig'
# vim /bin/tar
# chmod a+x /bin/tar
# ls -la /bin/tar*
-rwxr-xr-x 1 root root    132 2016-08-13 14:21 /bin/tar
-rwxr-xr-x 1 root root 340584 2010-03-11 03:21 /bin/tar.orig
# cat /bin/tar
#!/bin/bash
if [ "${1}" = "czpf" -a "${2}" = "-" ]; then
  /bin/tar.orig --numeric-owner -czf - ${@:3}
else
  /bin/tar.orig ${@}
fi
#

Install OpenStack nova CLI on MacOS X

1. Check the Python installation. Currently, the nova client does not support Python 3.

$ python -V
Python 2.7.2

2. Install python-novaclient using pip, don’t panic if you already installed python-novaclient using easy_install.

$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip-2.7 script to /usr/local/bin
 
Using /Library/Python/2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
 
$ sudo pip install python-novaclient
Requirement already satisfied (use --upgrade to upgrade): python-novaclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): iso8601>=0.1.4 in /Library/Python/2.7/site-packages/iso8601-0.1.4-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): prettytable>=0.6,<0.8 in /Library/Python/2.7/site-packages/prettytable-0.7.2-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): requests>=0.8 in /Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): simplejson in /Library/Python/2.7/site-packages/simplejson-3.3.0-py2.7-macosx-10.8-intel.egg (from python-novaclient)
Cleaning up...

as you can see pip listed python-novaclient in their packages. but you always can delete and reinstall python-novaclient using pip now, or simple use update option.

difference between the ssh-keygen keypair fingerprint and Amazon EC2 fingerprint

we’re have an RSA ssh keypair, and can check it fingerprint

$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)
$ ssh-keygen -l -f ~/.ssh/id_rsa
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)

now upload this public key into Amazon EC2 cloud:

$ ec2-import-keypair mykeypair --public-key-file ~/.ssh/id_rsa.pub
KEYPAIR	mykeypair	26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

ok, key uploaded, but with different fingerprint? no!
ssh-keygen use SHA1 algorithm, but Amazon EC2 uses MD5 instead ;)
let’s check different way:

$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
(stdin)= 26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

ok, fine, this is our key uploaded ;)

Openstack VNC Security

If we want to secure connections to VNC ports we should add an iptables rules like:

-A INPUT -s MYNETWORK/24 -p tcp -m multiport –dports 5900:5910 -j  ACCEPT
-A INPUT -p tcp -m multiport –dports 5900:5910 -j REJECT

But in this case we should know how much VNC ports will be running on hardware node (5900+N)… Do you know that iptables can use extended packet matching modules? For example the OWNER module. This module attempts to match various characteristics of the packet creator, for locally generated packets. And we try to use it for block all outgoing (n.b. match is only valid in the OUTPUT and POSTROUTING chains) connections from all VNC servers:

-A OUTPUT -d MYNETWORK/24 -m owner –uid-owner qemu -j ACCEPT
-A OUTPUT -m owner –uid-owner qemu -j REJECT

статистика загрузки openvz серверов

очень полезный скрипт покажет загрузку каждой запущенной виртуалки:

#!/bin/sh
for VZ in $(/usr/sbin/vzlist -H -o veid); do
  echo -n "CPU usage for VEID $VZ: " && vzps h -o %cpu -E $VZ |\
   awk '{sum += $1} END {print sum}';
done