lost and found ( for me ? )

Fedora 15 : install KVM and run Windows XP as a guest VM


Here’s an explanation of how to install KVM in Fedora 15.
[root@f15 ~]# cat /etc/redhat-release
Fedora release 15 (Lovelock)
[root@f15 ~]# uname -r
2.6.40.4-5.fc15.i686
[root@f15 ~]# qemu-kvm --version
QEMU emulator version 0.14.0 (qemu-kvm-0.14.0), Copyright (c) 2003-2008 Fabrice Bellard

Before installing KVM, check that your CPU supports hardware virtualization (Intel VT-x, shown as the vmx flag, or AMD-V, shown as svm):
[root@f15 ~]# egrep '(svm|vmx)' /proc/cpuinfo | uniq
flags    : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dts tpr_shadow vnmi flexpriority

Intel CPU : vmx
AMD CPU : svm

Install KVM and other recommended packages via yum.
[root@f15 ~]# yum install kvm virt-manager libvirt libvirt-python python-virtinst

Start libvirtd if it is not already running.
[root@f15 ~]# /etc/init.d/libvirtd start
Starting libvirtd (via systemctl):                      [  OK  ]

If you have SELinux enabled, store VM images under the /var/lib/libvirt/images/ directory.
By default, SELinux (sVirt) assigns security labels to VM images and processes dynamically, giving each guest its own pair of MCS categories:
<seclabel type='dynamic' model='selinux'>
  <label>system_u:system_r:svirt_t:s0:c515,c855</label>
  <imagelabel>system_u:object_r:svirt_image_t:s0:c515,c855</imagelabel>
</seclabel>

For VM image files, SELinux assigns system_u, object_r and svirt_image_t, with the same MCS categories as the guest's process:
[root@f15 ~]# ls -lZ /var/lib/libvirt/images/WinXP.img
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c515,c855 /var/lib/libvirt/images/WinXP.img

For kvm processes, SELinux assigns system_u, system_r and svirt_t:
[root@f15 ~]# ps -eZ | grep qemu-kvm
system_u:system_r:svirt_t:s0:c515,c855 6037 ?  00:11:47 qemu-kvm
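The point of the dynamic labels above is that each guest's qemu-kvm process (svirt_t) and its disk image (svirt_image_t) share one MCS category pair that no other guest has, so a guest that breaks out of qemu still cannot open a neighbour's disk. The script below is an added example, not part of the original post or of libvirt: it parses the `ls -lZ` and `ps -eZ` output formats shown above and reports labels that break that pairing. The sample lines, paths and PIDs in it are constructed for the example.

```python
"""Added example, not from the original post: audit sVirt labels.

Parses `ls -lZ` (mode user group context path) and `ps -eZ` (LABEL PID TTY TIME CMD)
output and checks that every image is svirt_image_t, every qemu-kvm process is
svirt_t, and no two running guests share MCS categories. Sample data is constructed.
"""
import subprocess

# Constructed sample output in the format of `ls -lZ /var/lib/libvirt/images/`.
LS_SAMPLE = """\
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c515,c855 /var/lib/libvirt/images/WinXP.img
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c12,c700 /var/lib/libvirt/images/f15guest.img
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /home/admin/stray.img
"""

# Constructed sample output in the format of `ps -eZ`.
PS_SAMPLE = """\
system_u:system_r:svirt_t:s0:c515,c855 6037 ?        00:11:47 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c700 6101 ?        00:02:03 qemu-kvm
system_u:system_r:init_t:s0 1 ?        00:00:01 systemd
"""


def parse_context(ctx):
    """Split 'user:role:type:level[:categories]'; categories become a frozenset."""
    user, role, stype, rng = ctx.split(":", 3)
    level, _, cats = rng.partition(":")
    return {"user": user, "role": role, "type": stype, "level": level,
            "categories": frozenset(cats.split(",")) if cats else frozenset()}


def images_from_ls(text):
    """Yield (path, context) from `ls -lZ` lines; the context is the token with 3+ colons."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        ctx = next((t for t in tokens if t.count(":") >= 3), None)
        if ctx:
            yield tokens[-1], ctx


def processes_from_ps(text, command="qemu-kvm"):
    """Yield (pid, context) for COMMAND from `ps -eZ` lines (LABEL PID TTY TIME CMD)."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 5 and tokens[-1] == command:
            yield int(tokens[1]), tokens[0]


def audit(ls_output, ps_output):
    """Return findings plus the image -> [pid] pairing implied by matching categories."""
    findings, by_cats = [], {}
    for pid, ctx in processes_from_ps(ps_output):
        c = parse_context(ctx)
        if c["type"] != "svirt_t":
            findings.append(f"pid {pid}: qemu-kvm runs as {c['type']}, not confined as svirt_t")
        by_cats.setdefault(c["categories"], []).append(pid)
    for cats, pids in by_cats.items():
        if len(pids) > 1:
            findings.append(f"pids {pids} share MCS categories {sorted(cats)}; "
                            "these guests are not isolated from each other")
    pairing = {}
    for path, ctx in images_from_ls(ls_output):
        c = parse_context(ctx)
        if c["type"] != "svirt_image_t":
            findings.append(f"{path}: labelled {c['type']}, not svirt_image_t "
                            "(keep images under /var/lib/libvirt/images/)")
            continue
        if not c["categories"]:
            # With no categories the file is dominated by every svirt_t process: a shared image.
            findings.append(f"{path}: svirt_image_t without MCS categories, readable by every guest")
        pairing[path] = by_cats.get(c["categories"], [])
    return {"findings": findings, "pairing": pairing}


if __name__ == "__main__":
    # Audit the constructed samples; pass --live to read the real system instead.
    import sys
    if "--live" in sys.argv:
        ls_out = subprocess.run(["ls", "-lZ", "/var/lib/libvirt/images/"],
                                capture_output=True, text=True).stdout
        ps_out = subprocess.run(["ps", "-eZ"], capture_output=True, text=True).stdout
    else:
        ls_out, ps_out = LS_SAMPLE, PS_SAMPLE
    result = audit(ls_out, ps_out)
    for path, pids in result["pairing"].items():
        print(f"{path}: guest pids {pids or 'none running'}")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

An image with no matching running process is normal for a stopped guest, so the pairing is reported rather than flagged; the findings list is what to act on.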

Install Windows XP as a guest VM
Application -> System tool -> start virt-manager



Installing Win XP




That’s it.


virsh # list --all
Id Name              State
----------------------------------
 3 WinXP             running

virsh # qemu-monitor-command --hmp WinXP 'info network'
Devices not on any VLAN:
 hostnet0: fd=21 peer=net0
 net0: model=rtl8139,macaddr=52:54:00:5e:3c:85 peer=hostnet0

virsh # qemu-monitor-command --hmp WinXP 'info block'
drive-ide0-0-0: type=hd removable=0 file=/var/lib/libvirt/images/WinXP.img ro=0 drv=raw encrypted=0
drive-ide0-1-0: type=cdrom removable=1 locked=0 file=/dev/sr0 ro=1 drv=raw encrypted=0


unbound : how to use only TCP protocol for name resolution



root@hat1:~# unbound-control status | head -1
version: 1.4.12

unbound.conf
do-udp: no
do-tcp: yes

Disable "do-udp" and enable "do-tcp".
unbound then resolves names for all domains using TCP queries only:
root@hat1:.../unbound# dig @127.1 www.google.co.jp

; <<>> DiG 9.9.0a2 <<>> @127.1 www.google.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65056
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.co.jp. IN A

;; ANSWER SECTION:
www.google.co.jp. 345600 IN CNAME www.google.com.
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 72.14.203.105
www.l.google.com. 300 IN A 72.14.203.106
www.l.google.com. 300 IN A 72.14.203.99
www.l.google.com. 300 IN A 72.14.203.147
www.l.google.com. 300 IN A 72.14.203.103
www.l.google.com. 300 IN A 72.14.203.104

;; Query time: 909 msec

root@hat1:~# tshark -i br0 port 53
Capturing on br0
 0.000000 z.z.z.z -> x.x.x.x TCP 74 33277 > domain [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=764240 TSecr=0 WS=128
 0.005809 x.x.x.x -> z.z.z.z TCP 74 domain > 33277 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=2710269251 TSecr=764240 WS=128
 0.005886 z.z.z.z -> x.x.x.x TCP 66 33277 > domain [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=764242 TSecr=2710269251

TCP queries could reduce the risk of cache poisoning compared to non-DNSSEC UDP queries.
However, I think this is not a good solution against cache poisoning, considering the network latency, the overhead of the TCP protocol, and the load on caching name servers, authoritative name servers, and network devices such as load balancers, firewalls, etc.
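The capture above shows the three-way handshake that every query now pays for. What changes on the wire besides that is the message framing: over TCP each DNS message is prefixed with its 2-byte big-endian length (RFC 1035, section 4.2.2), and an off-path forger must also hit the connection's TCP sequence numbers rather than just the 16-bit transaction ID and source port of a UDP datagram. The following is an added example, not code from the original post or from unbound: it builds a query, frames it for TCP, and parses a framed reply. The reply bytes are constructed here, not captured from the page's resolver; `query_over_tcp` is the one function that needs a network.

```python
"""Added example, not from the original post: DNS-over-TCP message framing."""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a DNS query (header + question) for NAME; qtype 1 = A, class IN."""
    if txid is None:
        txid = random.getrandbits(16)   # over UDP this 16-bit ID is most of the anti-spoofing entropy
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """Prefix a DNS message with its 2-byte length for transport over TCP."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split received TCP bytes into complete DNS messages; a partial tail is left for later."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def read_name(msg, pos):
    """Decode a possibly compressed name at POS; return (name, position after it)."""
    labels, end, jumped = [], pos, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = pos + 1
            return ".".join(labels) + ".", end
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def parse_a_records(msg):
    """Return txid, rcode and (name, ttl, address) tuples for the A records in MSG."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(msg[pos:pos + 4])))
        pos += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def build_response(query, records):
    """Construct a reply to QUERY with (name, ttl, ipv4) A records (example data only).
    Each record name is a pointer to the QNAME at offset 12, as real servers emit it."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
                    for _name, ttl, addr in records)
    return header + query[12:] + body


def query_over_tcp(server, name, timeout=5.0):
    """Send one framed query to SERVER:53 over TCP and parse the framed reply (needs network)."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(tcp_frame(build_query(name)))
        data = b""
        while not tcp_unframe(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before a full reply")
            data += chunk
    return parse_a_records(tcp_unframe(data)[0])


if __name__ == "__main__":
    q = build_query("www.google.co.jp", txid=0xFE20)
    reply = build_response(q, [("www.google.co.jp.", 300, "72.14.203.105")])
    print(parse_a_records(tcp_unframe(tcp_frame(reply))[0]))
```

`tcp_unframe` keeps an incomplete trailing message out of the result on purpose: a resolver reading from a TCP socket must buffer until the length prefix is satisfied, and truncating a message at a read boundary is a classic parser bug.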

Ubuntu : how to upgrade Ubuntu 11.04 to 11.10


Ubuntu 11.10 was released on Oct 13th.

Here’s an explanation of how to upgrade from 11.04 to 11.10.

before upgrading
root@hat2:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.04"

root@hat2:~# update-manager

The GUI shows up; click Upgrade.


upgrading


That's it !
root@hat2:~# uname -r
3.0.0-12-generic

root@hat2:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.10"

unbound : prefetch


[ when does unbound perform DNS prefetch ? ]



From the source files, the prefetching algorithm is:

unbound performs a prefetch once the cached TTL has counted down past 90% of the original TTL
# find . -name "*" | xargs grep -i prefetch
./util/data/msgreply.c: rep->prefetch_ttl = prettl;
./util/data/msgreply.c: rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
./util/data/msgreply.c: rep->prefetch_ttl += timenow;
./util/data/msgreply.c: rep->ttl, rep->prefetch_ttl, rep->an_numrrsets,
./util/data/msgreply.h:/** calculate the prefetch TTL as 90% of original. Calculation
./util/data/msgreply.h:#define PREFETCH_TTL_CALC(ttl) ((ttl) - (ttl)/10)

For example :

original TTL : 30 seconds
90% of original TTL : 30 - 30/10 = 27
In this example, unbound will perform a prefetch when the remaining TTL drops below 3 seconds.
30(100%) - 27(90%) = 3



Note that unbound will not perform a prefetch if no client queries the name during that window, even though the remaining TTL is below 3 seconds: a prefetch is triggered by an incoming query, not by a timer.



[ when prefetch enabled ]

unbound.conf ( default is no )
      prefetch: yes


name resolution for www.facebook.com.
original TTL is 30 seconds.
root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 30 IN A 69.171.228.12


repeat dig command.

From the TTL and the query time you can tell whether unbound performed a prefetch: the second query (TTL 3) triggers it, and the next query is answered from the refreshed entry (TTL 30, a new address) in 0 msec, without the client waiting for a recursion.
root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55959
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 3 IN A 69.171.228.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 50

root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 30 IN A 69.171.229.14
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 50


debug logs
unbound: [1385:0] info: server stats for thread 0: 19 queries, 18 answers from cache, 1 recursions, 1 prefetch


[ when prefetch disabled ]



unbound.conf ( default is no )
      prefetch: no


unbound does not perform prefetch.
root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 0 IN A 69.171.228.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 13 01:33:40 2011
;; MSG SIZE  rcvd: 50

root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25443
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 0 IN A 69.171.228.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 50

root@hat1:~/unbound-1.4.13# dig @127.1 www.facebook.com.

; <<>> DiG 9.9.0a2 <<>> @127.1 www.facebook.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49418
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:
www.facebook.com. 30 IN A 66.220.149.18

;; Query time: 116 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 50



With prefetch enabled, frequently queried names (FQDNs) are refreshed in the cache before their data expires.
The benefits of this technique are lower latency and a higher cache hit rate.
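To make the timing rule and the two dig sessions above reproducible, here is an added example that is not part of the original post or of unbound. `prefetch_ttl_calc` is a port of the PREFETCH_TTL_CALC macro quoted from util/data/msgreply.h; the cache around it (serve from cache until the TTL reaches 0, prefetch only when a client query arrives after 90% of the TTL has elapsed) is a simplified model written for this example, not unbound's code. The addresses and query times are constructed to mirror the post's observations.

```python
"""Added example, not from the original post: a model of unbound's prefetch timing."""


def prefetch_ttl_calc(ttl):
    """Port of unbound's PREFETCH_TTL_CALC(ttl): (ttl) - (ttl)/10 with C integer division.
    For TTLs below 10 s the division yields 0, so the prefetch point equals the expiry."""
    return ttl - ttl // 10


class ModelCache:
    """One-record resolver cache with unbound-style prefetch; time in whole seconds."""

    def __init__(self, prefetch):
        self.prefetch = prefetch
        self.entries = {}
        self.stats = {"queries": 0, "answers from cache": 0, "recursions": 0, "prefetch": 0}

    def _store(self, name, ttl, addr, now):
        self.entries[name] = {"addr": addr, "expire": now + ttl,
                              "prefetch_at": now + prefetch_ttl_calc(ttl)}

    def lookup(self, name, now, upstream):
        """Answer NAME at time NOW. UPSTREAM(name) -> (ttl, addr) stands in for recursion.
        Returns (addr, remaining_ttl, how), how being 'recursion', 'cache' or 'cache+prefetch'."""
        self.stats["queries"] += 1
        entry = self.entries.get(name)
        if entry is None or now > entry["expire"]:
            # Miss or expired: the client waits for the full recursion (the 116 msec query).
            self.stats["recursions"] += 1
            ttl, addr = upstream(name)
            self._store(name, ttl, addr, now)
            return addr, ttl, "recursion"
        self.stats["answers from cache"] += 1
        remaining = entry["expire"] - now          # reaches 0 at the expiry second, as in the dig output
        if self.prefetch and now >= entry["prefetch_at"]:
            # Serve the cached answer immediately, then refresh the record in the background.
            self.stats["prefetch"] += 1
            ttl, addr = upstream(name)
            self._store(name, ttl, addr, now)
            return entry["addr"], remaining, "cache+prefetch"
        return entry["addr"], remaining, "cache"


def simulate(prefetch, query_times, ttl=30):
    """Replay client queries at QUERY_TIMES (seconds) for a record with TTL seconds.
    Returns the list of (remaining_ttl, how) per query and the final stats."""
    addresses = iter(["69.171.228.12", "69.171.229.14", "66.220.149.18", "69.171.228.12"])

    def upstream(_name):
        return ttl, next(addresses)                  # constructed answers, in the order seen in the post

    cache = ModelCache(prefetch)
    results = [cache.lookup("www.facebook.com.", t, upstream)[1:] for t in query_times]
    return results, cache.stats


if __name__ == "__main__":
    for enabled in (True, False):
        results, stats = simulate(enabled, (0, 27, 30, 31))
        print("prefetch:", "yes" if enabled else "no", results, stats)
    # No client query between 90% and 100% of the TTL means nothing triggers a prefetch.
    print("quiet window:", simulate(True, (0, 31))[0])
```

With prefetch on, the query at t=27 is answered with TTL 3 and also triggers the refresh, so the query at t=30 gets the new record from cache; with prefetch off, the t=30 query still gets TTL 0 from cache and the t=31 query pays for a recursion, which is the 3 / 0 / 30 TTL sequence in the post's second session. The stats counter mirrors the "queries, answers from cache, recursions, prefetch" line from the debug log.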