Rant: SELinux disabled? I don’t get it!

03/06/2013 – 11:15 pm

Shockingly enough, whenever users ask for help with their Linux setup (RHEL, CentOS, Scientific etc), one of the most common suggestions you hear is: “Set SELinux to permissive or disable it.”

Honestly, if somebody can’t troubleshoot SELinux issues by looking at the audit.log or using tools that do it for them (audit2allow etc), they haven’t got much experience. That’s fine. But should they really be advised to sacrifice security? I don’t think so. Actually SELinux can be very helpful in reminding the user of his mistakes as well… “Should this executable be run here? Do we want to store this in a non-standard place?”


Fedora 18 on Lenovo Thinkpad X1 Carbon

19/05/2013 – 03:47 pm

Linux has made a lot of progress in terms of hardware support over the past few years. However, selecting a laptop with the intention of running Linux on it can be a bit of a challenge. You are well advised to do some research, because you may end up with the odd component which is not supported well. And being a laptop, you usually have no way of replacing such components; you have to live with the existing driver support and hope that it is under active development within the Linux community.

Prior to purchasing the Core i7 version of the Lenovo X1 Carbon (referred to as X1C in this article) I did do my homework, because not only did I want to run Linux on it; no, I actually wanted to remove Windows altogether. Spoiler alert: That’s entirely possible on the X1C.

Virtualisation with FreeBSD and VirtualBox

21/10/2012 – 12:51 pm

There’s not a lot of choice for FreeBSD users who want to run virtual machines on a FreeBSD server. There’s of course Jails, which is perfect if you want to run only FreeBSD guests. And there’s some development taking place in order to run Xen Dom0 on FreeBSD, but I don’t think that’s anywhere near usable yet.
That leaves us “only” with VirtualBox. To be honest, I haven’t taken it seriously so far, because I perceived it as a tool to quickly spin up VMs on a desktop environment only. (With its main benefit being that it runs on a number of operating systems for free. This comes in handy if you need to provide OS images to developers, for example.)

It wasn’t until I gave it a go on a Linux server that I realised how powerful it has become over the last few years. And the good news: There’s a FreeBSD port for it, which is under active development.

New, Clean CentOS 6.2 x86_64 EC2 AMIs for all Regions

20/06/2012 – 07:26 pm

As I’ve previously written, the flexibility in the EC2 cloud is also a bit of a problem at times, because it’s time consuming and rather annoying to find OS images which suit one’s requirements. There are tons of images for some Linux distributions from various sources, very few for others, but commonly they are either bloated with stuff that the majority won’t need, or are made to serve a particular purpose, hence not really suitable for everyone either. And even if you find one, it doesn’t mean that you will find something similar (let alone identical) in a different region!

Well, all I really want is a clean and slim CentOS 6 image. It’s easier to customise yourself than to remove somebody else’s customisations. If a clean AMI is what you are looking for, too, read on.


There’s no such thing as “The” Cloud

25/02/2012 – 05:08 pm

Personally I think “The Cloud” is one of the most abused terms of modern IT language. There are certainly some connotations going along with it, which get business people excited: scalable, flexible, resilient, on-demand pricing, low entry costs. And then the whole Nonsense-as-a-Service terminology (SaaS, IaaS, BaaS and whatnot)! It certainly gets the high-level non-technical business folk’s meetings started! Sadly, they are not likely to ever come to a conclusion which makes sense on a technical level. The image, which many if not most people have in mind is that “The” Cloud is the answer to all IT problems, a no-brainer, and on top of it there’s a (in my opinion false) understanding that you chuck your stuff into “The” Cloud and it will then magically apply all those great features to your application. It couldn’t be further from the truth, unless you are willing to pay a serious amount of money and let someone else manage all that for you. That however removes on-demand, and low entry costs from your equation. Depending on the company you hire to do that, you’ll sometimes sacrifice flexibility, too.

You, as an IT person, certainly have been asked (or asked yourself) this question in the recent past: “Should we move services to ‘The’ Cloud?”

GlusterFS on CentOS 6.x incl. Geo Replication

18/02/2012 – 07:25 pm

For those of you who are interested in clustered storage, I’ve put together a very quick run-through for GlusterFS (3.2.5) on CentOS 6.2. It also includes setting up Geo Replication. It’s very short, but tackles a few of the pitfalls. Just head this way.

In case you haven’t heard: Red Hat acquired Gluster back in October 2011, and that is very good news, because it will push development, broaden the user base, and ultimately make it more interesting for some of the bigger players out there, which will result in even better stability and performance altogether.

Frankly, there were times when GlusterFS was in a mess and the only people who knew how to configure and properly use it were the devs (or the freaks who hung out in IRC all day, which I sometimes did too), because documentation was a nightmare. These things will now change (and have already changed as far as documentation is concerned). That’s brilliant progress.

If you don’t look at GlusterFS now, you’ll probably feel left out soon. :P

Slim and up-to-date CentOS 6.2 AMIs for Amazon EC2

15/02/2012 – 09:22 pm

[Update 20/Jun: On request I’ve added the 64bit version for US-West-2 (Oregon) and US-East-1 (Virginia); all other 64 bit AMIs have been updated]

As CentOS 6.x has finally caught up with RHEL’s update cycle (as far as possible for a clone/copy/fork/you name it), I thought it might be good to have up-to-date images on EC2. But to my surprise I didn’t find many. Maybe it’s because you can get RHEL instances there, but I still prefer not to be dependent on licensing.

Anyhow, most AMIs I’ve found are outdated (6.0) or littered/bloated or heavily customised. I didn’t find a single AMI to my liking in either the Europe or the US regions. Plus, I wanted SELinux in enforcing mode, which the vast majority of AMIs out there don’t offer and which is a bit of a nuisance to rectify later (due to the long relabeling procedure and the required reboot). Hence I created my own, which I made public.


Scientific Linux — an alternative to CentOS?

18/08/2011 – 10:43 am

As CentOS is currently in a bit of a worrying situation, with security updates arriving late and major and point releases being months behind, it’s probably a good idea to have a look around and check what else is out there that claims to be binary compatible with RHEL. With more than 100 active installations of CentOS, I just have to make sure that we’re ready for the worst case. Obviously purchasing RHEL subscriptions for all those installations is not an option; the customers can’t possibly agree to the significantly higher costs that would force on them.

Now, I don’t want to spread rumours or create unnecessary panic. I don’t really doubt that the CentOS team will somehow manage to increase their pace a little bit, and their latest announcement regarding continuous releases (essentially “backported” security updates) goes into the right direction, if they can for once stick to their promised timelines.

Nonetheless, I need stability and consistency. That absolutely entails security updates, quite obviously. From my personal and professional experience, if it has to be Linux, RHEL derivatives are by far the best bet for enterprise environments. So, just in case, what else is in store for paranoid people like me who have committed to using RHEL and its forks/clones? (where FreeBSD sadly isn’t an option)


FreeBSD 8.2 on Xen using Para-Virtualisation, Step-by-Step

08/08/2011 – 07:55 pm

Using FreeBSD on Xen is not exactly uncharted territory any more these days; however, you’ll often find that people use hardware virtualisation (HVM) instead of para-virtualisation (PV). The latter can unleash quite a bit more potential, and of course features like memory ballooning, live migration, attaching network interfaces or storage at runtime, etc. Some of these features may not yet be supported very well, but I’ve got trust in the FreeBSD community! (I only wish my C/C++ wasn’t so rusty and I had focused more on system-level development in the past. But well, writing tutorials to help others use it isn’t too bad either, is it? :P) The problem is that documentation with regards to this subject is scattered all over the place and often outdated.

So anyway, enough waffle here. Those of you who are interested should follow this link: my step-by-step guide on how to set up a FreeBSD PV guest from scratch, including pygrub support. The tutorial will walk you through all the steps required, from setting up an empty stub, via creating an HVM guest, to transforming that into a PV guest (or even a hybrid, if you wish).

GlusterFS, a workhorse that needs to be tamed

31/07/2011 – 08:51 pm

I’m sure by now most of you will have heard of GlusterFS, which allows you to store data on a very large scale, replicated, striped, or both, across multiple physical boxes. On the face of it, and if you believe the marketing, it is THE most reliable and fastest solution. And yes indeed, it has got massive potential, and it has matured a lot over the years since I last wrote about it. However, it still has got a few nasty pitfalls, which you need to be aware of before deploying it into a production environment. You should really test thoroughly how it copes with your workload, and how your applications and infrastructure behave in case of failure.
