Wednesday, November 30, 2011

Xen vs. KVM yet again

An interesting read: a Baremetal vs. Xen vs. KVM benchmark.

In short: Xen with HVM guests + PV drivers (that is, full virtualization mode with paravirtualised drivers, as opposed to paravirtualized mode) and KVM are equally effective. In some tests one was marginally faster, in some tests it was the other.

If you've read my old posts, I was in favor of Xen for the better performance of its PV (paravirtualized) guests and its ability to run on older CPUs. Today all my boxes have hardware support for virtualization and I don't even use PV mode. While it's still slightly faster, it's not worth the additional complexity. If you've ever had a VM that failed to boot because PyGrub couldn't find the right kernel, you know what I mean. HVM + drivers/tools, that's the way to do it on any platform - be it a Xen server or VirtualBox on a desktop.

Even shorter: virtualization platforms are so mature there's no real difference in performance or stability. For large installations, advanced features and management tools are the important factors. For one machine - familiarity and ease of use.

Friday, November 25, 2011

How to run a network monitoring station on a XenServer VM

I spent way too much time on this seemingly simple task, I hope someone will find this guide useful.

Network monitoring applications require promiscuous mode on a network interface. Easy on a physical machine, but it didn't work on XenServer. The interface inside the VM switched to promiscuous mode, but the traffic was filtered before it reached the VM. Only for a brief period could I see all the packets, then only broadcasts got through. Just like on a switch that's still learning - that should have pointed me to the right answer.

Open VSwitch

I googled for a solution and found some (e.g. this one from Citrix), but nothing worked. Until I remembered that XenServer 6 uses Open vSwitch by default and all the answers I found were for earlier versions using the bridging backend. Now it should be easy. vSwitch works like a high-end, configurable switch, so I'll just put the right port into traffic mirroring mode, right? Wrong.

To configure Open vSwitch in XenServer you use the vSwitch Controller virtual appliance. Installation is simple - just download the file, open it with XenCenter and select a VM. Then configure an IP address if you don't use DHCP, point the web browser at it and enter a pool to use. At this point it complained that it can't work with the free XenServer license. Which Citrix failed to mention on their website.

The other solution

It's always good to have a backup plan. Mine was simple: set XenServer to use the old bridging code. I rejected it at first for two reasons:
- it requires a reboot,
- VSwitch has more features (which I didn't need at the moment, but I might one day) and should perform better.

After scheduling a downtime for VMs, I typed one simple command into a CLI:
xe-switch-network-backend bridge
Reboot and it's done. You can check with 'cat /etc/xensource/network.conf' to be sure.

Forcing promiscuous mode - the old way

Now all you have to do is put the right interfaces into promiscuous mode. Interfaces - because you need to do it on both the PIF and the VIF (physical and virtual interface: the one that connects to the real network and the one that connects to the VM). First, find the UUIDs of the interfaces with:
xe vif-list
xe pif-list
If you've got many VMs and NICs, you'll get a long list. You can try filtering, e.g. xe vif-list vm-name-label="My monitoring VM"; see xe help vif-list for details. However, some filters didn't work for me. Once you have the UUIDs, do:
xe pif-param-set uuid= other-config:promiscuous="true"
xe vif-param-set uuid= other-config:promiscuous="true"
Check if it worked:
xe pif-param-list uuid=
xe vif-param-list uuid=
Disconnect VIF from VM and connect it back:
xe vif-unplug uuid=
xe vif-plug uuid=
Note: unplug/plug only works if you have XenServer Tools installed. Otherwise reboot the VM.
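Because the xe filters were unreliable for me, here is an added example (not from the original post) that selects the VIF and PIF UUIDs for one VM by parsing the full xe vif-list / xe pif-list output on the client side and emits the command sequence above. It assumes the blank-line separated 'name ( RO): value' record layout of xe list output; the UUIDs and VM names are constructed sample values.

```python
import re

# Constructed sample records in the shape `xe vif-list` / `xe pif-list` print
# (fields are 'name ( RO): value', one record per blank-line separated block).
# The UUIDs and VM names are made up for this example.
SAMPLE_VIF_LIST = """\
uuid ( RO)             : 11111111-aaaa-4bbb-8ccc-000000000001
   vm-name-label ( RO): My monitoring VM
    network-uuid ( RO): 33333333-aaaa-4bbb-8ccc-000000000003


uuid ( RO)             : 11111111-aaaa-4bbb-8ccc-000000000011
   vm-name-label ( RO): Some other VM
    network-uuid ( RO): 33333333-aaaa-4bbb-8ccc-000000000003
"""

SAMPLE_PIF_LIST = """\
uuid ( RO)             : 44444444-aaaa-4bbb-8ccc-000000000004
          device ( RO): eth0
    network-uuid ( RO): 33333333-aaaa-4bbb-8ccc-000000000003
"""

# One 'name ( RO): value' field; RW and map (MRW/MRO) fields use the same shape.
FIELD = re.compile(r"^\s*([\w-]+)\s*\(\s*M?R[OW]\s*\)\s*:\s*(.*?)\s*$")


def parse_records(text):
    """Split xe list output into a list of {field: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
        elif not line.strip() and current:   # blank line ends a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def promisc_commands(vif_text, pif_text, vm_name):
    """Return the xe commands that put the VM's VIFs, and the PIFs on the
    same networks, into promiscuous mode, then re-plug each VIF."""
    vifs = [r for r in parse_records(vif_text) if r.get("vm-name-label") == vm_name]
    if not vifs:
        raise ValueError(f"no VIF found for VM {vm_name!r}")
    networks = {v["network-uuid"] for v in vifs}
    # In a pool every host has its own PIF per network and all of them are
    # matched here, so run the output on the host that actually runs the VM.
    pifs = [r for r in parse_records(pif_text) if r.get("network-uuid") in networks]
    cmds = [f'xe pif-param-set uuid={p["uuid"]} other-config:promiscuous="true"'
            for p in pifs]
    for v in vifs:
        cmds.append(f'xe vif-param-set uuid={v["uuid"]} other-config:promiscuous="true"')
        cmds.append(f'xe vif-unplug uuid={v["uuid"]}')   # needs XenServer Tools in the VM
        cmds.append(f'xe vif-plug uuid={v["uuid"]}')
    return cmds
```

Feed it the real listings (e.g. saved with xe vif-list > vifs.txt in dom0) and review the printed commands before running them.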

Other possible ways

Some howtos for older XenServers used: brctl setageing xenbr0 0 (or whatever Xen bridging interface you use). I didn't need it, but you can try it if xe ...param-set fails.

I could probably configure vSwitch without the Citrix controller appliance. I might one day.

Friday, July 8, 2011

Important new releases

I don't usually write about releases... Who am I kidding? I only write about releases; it's been months since I wrote a useful howto. I promise one as soon as I find some mythical free time.

Oracle has released an early version of Java 7. It promises some important features, most importantly native support for other languages on the JVM. Speaking of which, O'Reilly has a short summary. Also from Oracle, the new version of VirtualBox is mostly a bugfix release.

Samsung, as a part of the Khronos group, is working to make GPUs useful (yep, I'm not a gamer; for me they're useless power drains most of the time). You've probably heard of OpenCL, a platform for running general-purpose software on GPUs or special-purpose accelerators (with a nice feature of falling back to the CPU if nothing else is available). WebCL is a JavaScript binding for OpenCL that allows GPU computing to be used in client-side web apps. Samsung not only released a WebCL implementation, it also did it under the BSD license, meaning it's free to use for any purpose.

On a more personal note, I got a couple of machines for an experimental XenServer pool, meaning I can test new features without jeopardizing production VMs. Shiny!

Thursday, June 2, 2011

Xen support in mainline Linux kernel

For the past two years, Xen infrastructure has been getting included in the Linux kernel piece by piece. It's finally done. A nice coincidence is that the new version will be called 3.0 instead of 2.6.40 - as if Xen were the feature so important it justified the change (in reality, there was no single large addition, just the sum of small changes since 2.6.0 that made today's kernel something completely different).

Soon an ordinary Linux system will be able to run as Xen dom0 (host) without any changes in the kernel, just like it is with KVM, VirtualBox and some other virtualization solutions. I hope it will stop the decline of Xen: when it's no harder to set up than its competitors and offers better performance, it becomes an interesting choice again.

Thursday, March 31, 2011

Password storage, part 2 - my choice

Note: read Part 1 for general considerations.

After some tries I settled on the Keepass family. The original app works on Windows and has two lines: Keepass Classic (1.x) and Keepass Professional (2.x). Before you jump to the latter (it has a bigger version number and it's called professional, so it must be better, right?), bear in mind that Keepass 2 is written in .NET. What's wrong with that?

- It severely limits the number of systems that can run it. While you can use it on most versions of Windows and (with Mono) on Linux, BSD and MacOS X, the .NET runtime needs to be installed. What if you need to run it on someone else's machine? No problem carrying a few-MB portable Keepass binary with you, but the .NET Framework is large and invasive.
- It's way slower than Keepass Classic.

Supported systems

Keepass 1.x only runs on Windows, but there are ports and clones for almost any system and device: Linux, MacOS X, PDAs/smartphones (iPhone, Blackberry, Android, Windows Mobile) and even dumb phones (using Java Mobile, almost any phone can run it). All of them use the same file format. I mostly use KeepassX on Linux, supplemented by Windows and phone versions.

The Windows version can be integrated with the Portable Apps Suite and Bart's Preinstalled Environment, two great tools that many IT professionals carry around. No problem using my passwords on a friend's computer: I've got Keepass Portable and the database backed up on my USB drive [*].

Organizing passwords

Keepass can organize your passwords in a tree structure (e.g. you can start by dividing into Personal and Work, then Personal into Shops, Forums, Websites...). Useful if you have dozens of them. Even better, you can search your database. When adding a new entry, you have a choice of writing a password or generating a new one with a given length and set of characters. There's even an option to generate pronounceable passwords. I usually go with a long random string of mixed-case letters, numbers and several special characters.

The Keepass database is a single file. This means that in case of corruption you lose it all, so Keepass automatically writes backups. It's protected with strong encryption, so it's safe to send it over the network. Just remember to choose a good master password: containing numbers and special signs, and REALLY long - like 20 characters or more.

Have you noticed that Keepass gives you an option to see the password you're typing instead of asterisks and to correct it in case of a mistake? All apps written by security-savvy people do it. Asterisks give little protection against someone looking over your shoulder (they can see the keyboard anyway!), but they discourage users from using strong passwords.

Integrating with other applications

Keepass can import passwords from several applications, including Firefox, and export to XML (both human and machine readable) or TXT. There are plugins to integrate it with web browsers and other apps. I don't use them though; there's a simpler and more secure option: press Ctrl-Shift-A while visiting a page and Keepass will auto-type your username and password. It matches the application's title bar against the entry's Title and URL fields. To make sure the match is correct, install the Hostname in Titlebar extension in Firefox. For other apps, use Ctrl-C to copy the password to the clipboard (Ctrl-B for the username). Keepass will clear your clipboard after a specified time (20 s by default).


[*] Some would consider it insecure: if you don't control the machine, it might steal the password you use - or ALL passwords once Keepass database is unlocked. In my opinion it's secure enough provided that you:

1) trust your friends not to intentionally steal your password,
2) trust your friends to secure their machines.

While condition 1 is generally always met, condition 2 rules out many machines. When I need to work from an untrusted system, I use Keepass on my phone. It's damn inconvenient to type a Keepass master password on the phone's keyboard (obviously I've chosen a strong one), and even worse to read the password from Keepass on the phone and type it on the computer, considering that most of them look like F25c6D-SGe#r5vK;DVb5, but I do it maybe twice a year.


Wednesday, March 30, 2011

Password storage, part 1 - considerations

A typical user needs passwords for dozens if not hundreds of different systems: computers, mail and IM accounts, forums, shops, newsletters etc. It is clearly impossible to remember more than a handful of good passwords, which leaves two choices:
- write down the passwords, or
- use the same password for different systems.

Both choices can be insecure, but experts agree: reusing passwords is the worst choice.

Some kind of password storage system is then essential. As usual, we have many options, but none of them really stands out. I'd like my password storage to have the following characteristics, ordered from the most important:
#1 Security
#2 Reliability
#3 Ease of use
#4 Universal access
#5 Portability

Security
Obviously, you don't want anybody to see your passwords. It's easy to say you want maximum security, but this requirement interferes with all the other characteristics.

Reliability
In the digital age, if you lose all your passwords, you might as well restart your life. OK, maybe it's not that dramatic, but you'd waste days regaining access to your data and some of it will be irreplaceably lost. You might even consider reliability more important than security; I won't argue. Questions to ask when assessing the system:

- Is the storage easy to backup?
For software, that rules out everything that stores passwords in locations like the Windows registry. A hidden file somewhere deep in your home directory is marginally better. A known location is preferred.

- Is it likely that the storage can be corrupted? What then - do I lose all the information or only a part of it?
That again rules out the registry. Also, be careful with software that stores all your passwords in one encrypted file. A one-byte error can make it inaccessible. On the other hand, one file is trivially easy to back up, so there's no excuse not to have dozens of copies scattered everywhere.

Ease of use
If the system is too complicated, people won't use it. Simple. But many so-called security professionals get it wrong. You can see it in every other office. If you implement an authentication system that requires complicated, often-changed passwords and limits access to data, you'll probably find out that your users share accounts and post the password on the bulletin board.

How does it apply to a password storage system? Ideally, it should be completely transparent: you need to log in somewhere, magic happens, you're in. Browser password managers get close to the ideal, especially when not protected with a master password. Convenient, insecure, unreliable and limited to one app.

On the other end of the spectrum is a password written down on a piece of paper, sealed in an envelope and stored in a safe, protected by walls, locks, alarm systems and armed guards. When you need it, go to the safe, authenticate to the guard, disarm the alarm system, use the key and code to open the deposit box, break the seal, take out the paper. Codes to nuclear warheads were stored that way. Guess what? After the cold war had ended, it turned out some of the codes were set to a string of zeros. Lesson learned: even in a maximum security environment you can't make your system too hard to use or it WILL be circumvented.

Universal access and portability
Ideally, it should be equally easy to use your system with every website and every application. Taking your passwords from one computer to another (e.g. on a USB drive or over the network) is very convenient, but might clash with #1. If you use different operating systems, you want your system to work with all of them. Maybe you need a command line and a GUI version.

What are the choices?

1) Paper and pen
Don't laugh, the low-tech solution actually has some strong points. Paper is quite reliable (unless you have terrible handwriting). It can be backed up with a copy machine. It's portable. It works with every operating system, website and application.

On the other hand, paper storage scores terribly on #1 and #3. It's inconvenient. Typing the password you read from the paper is slow and prone to errors. The stronger the password, the worse it gets. It's also hard to keep the system secure, especially with dozens of passwords: that means either a large sheet of paper or many small cards, both unwieldy and devastating when lost.

However, it's easy to store a few passwords relatively securely that way - security guru Bruce Schneier recommends keeping them in your wallet. You might consider some form of simple encryption or obfuscation. It won't stop a committed attacker - anything simple enough to do in your head is also too simple to be secure - but it might be enough to stop a kid who accidentally found your password card.

2) Text file
Only marginally more advanced than paper and pen, a text file with all logins and passwords also has some merits. It can't break. It's easy to copy. It works with every system, with one obvious exception: the password to the computer you use to read the passwords has to be stored elsewhere (in organic memory, maybe). You can use it with Notepad on Windows and vi on Linux, and copy-paste or retype passwords into every application.

To be secure you should never keep it unencrypted. And you absolutely shouldn't send it unencrypted. This reduces the portability. You can, however, choose encryption software that doesn't require installation and keep it on the USB drive together with your password file. You can find a program compatible with the OpenPGP standard; they work on every operating system. However, it reduces the ease of use, which wasn't particularly great to begin with. Retrieving a password requires decrypting, finding an entry, copy-pasting and securely deleting the unencrypted file. Adding a new password is even worse: decrypt, enter your login, create a password (either with an external tool or just by creating a random string; whatever you do, never reuse an old password), encrypt, securely delete the clear-text copy. Even security-savvy users don't want to bother doing that many times a day. Still, it's a good backup system - write your passwords once, encrypt with a strong password, store it everywhere you can.

3) Stored in an application
Mail client, instant messenger, web browser - all can store the passwords for you. It's handy and everyone but the most paranoid uses that option to some extent. If you keep some considerations in mind, it's quite secure. Your computer should be protected anyway. If it's not, whichever option you choose, you're not safe: even keeping your passwords on paper won't protect you from someone recording the keys pressed on your keyboard. Never use it as your only password storage. Otherwise, one day you'll want to access your account with another application or from a different machine and you'll find there's no way to recover your password.

4) Password storage software
Generally, it's a graphical user interface to option number 2. The password store encrypts your secret data; you use a master password to unlock it. It's easier to add new entries, and most apps have an integrated password generator. However, they usually work on one operating system only, be it Linux, Windows or MacOS. Some require installation; I recommend against them - choose one that works from a USB drive. Also note where it stores the passwords, so you can back up the file regularly. Password stores sometimes integrate with applications that require passwords, others have an auto-type feature; worst case, use the clipboard.

It's quite clear that a password store is the most secure option while being almost as convenient as storing the password in the application. Which software have I chosen? Read part 2.

Tuesday, March 29, 2011

Xen 4.1 released

After almost a year, a new major version of the Xen hypervisor was released. Xen 4.1 adds several performance enhancements and support for very large systems.

There's also a new API: Xen 4.1 includes support for the old xend/xm tools, but they're deprecated. You should migrate to the xl command and the libxl toolstack. There are some significant differences, so the upgrade path is not easy. A terrible idea in my opinion: Xen was always harder to run than its competitors, and adding another obstacle definitely won't help. That is, unless you run a high-level tool, in which case you don't care about the gory details.

Now if only I can get my hands on a physical machine to run some tests...