<VirtualHost 123.123.123.123:80>
  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  <Directory /home/example.org/public_html>
    AllowOverride All
    ...
  </Directory>
  ...
</VirtualHost>

In order to prevent the htaccess lookups on the filesystem without losing the htaccess functionality – at least at the DocumentRoot level- I transformed the configuration to the following:

<VirtualHost 123.123.123.123:80>
  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  <Directory /home/example.org/public_html>
    AllowOverride None
    Include /home/example.org/public_html/.htaccess
    ...
  </Directory>
  ...
</VirtualHost>

Let’s see what we have accomplished with this:

1. httpd does not waste any time looking for and parsing htaccess files resulting in faster request processing,
2. the virtual host administrator can still override the configuration options of the document root manually or through the web interface of the web application.

Seems like a win-win situation performance and functionality wise.

But, as usual, there is no win-win situation without a downside. In this case, the above trick weakens the server’s security. Let’s see how.

Although the configuration of a directory can be set in both httpd.conf and the directory’s htaccess file, not all directives can be used in both contexts. htaccess files support a subset of the directives that can be used in the Directory context within httpd.conf. By including the htaccess file in httpd’s configuration the vhost admin is no longer restricted to that subset of directives.

This means that by implementing the above configuration the virtual host administrator is granted more privileges regarding the configuration of the virtual host. This also means that a potential attacker, that would exploit a vulnerability of the web application, would be granted the same privileges once he got write access to that htaccess file.

So, although this trick may seem like a good idea at first, it is in fact a rather bad idea and should never be used in production, unless you trust the virtual host administrator and the web application. I do not intend to use such a configuration and I do not recommend it. There are by far better ways to speed up Apache.

Your comments and suggestions are welcome.

Related Articles

• .htaccess Cheat Sheet
• SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls
• Use mod_deflate to Compress Web Content delivered by Apache
• Script for Apache Error Report
• Using the mod_dav_svn SVNParentPath directive with multiple authz files

wget ftp://ftp.cc.uoc.gr/mirrors/linux/fedora/linux/development/rawhide/source/SRPMS/supervisor-3.0-0.4.a10.fc16.src.rpm

The simplest way to build an RPM for our CentOS release is to use the --rebuild option of rpmbuild:

rpmbuild --rebuild supervisor-3.0-0.4.a10.fc16.src.rpm

Wait a few seconds for it to finish and then your binary RPM package will be in ~/<your_building_env>/RPMS/....

To satisfy dependencies, you will also need the package python-meld3. So, download and rebuild it:

wget ftp://ftp.cc.uoc.gr/mirrors/linux/fedora/linux/development/rawhide/source/SRPMS/python-meld3-0.6.7-4.fc16.src.rpm
rpmbuild --rebuild python-meld3-0.6.7-4.fc16.src.rpm

Having built RPM packages for supervisor and python-meld3, you can now transfer them to a testing box and install them:

yum localinstall /path/to/supervisor.rpm /path/to/python-meld3
yum install python-elementtree

We also installed elementtree as this is a dependency missing from the supervisor spec file (note to self: file a bug report).

Finally, try to start supervisord:

/etc/init.d/supervisord start

Surprisingly, it complains about the missing elementtree!

Starting supervisord: Traceback (most recent call last):
  File "/usr/bin/supervisord", line 5, in ?
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 2479, in ?
    working_set.require(__requires__)
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 585, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 483, in resolve
    raise DistributionNotFound(req)  # XXX put more info here
pkg_resources.DistributionNotFound: elementtree

Checking the requirements file at: /usr/lib/python2.4/site-packages/supervisor-3.0a10-py2.4.egg-info/requires.txt there are no special version requirements:

meld3 >= 0.6.5
elementtree
[iterparse]
cElementTree >= 1.0.2

After some investigation on the supervisor-users mailing list, I found a message that indicated that setuptools.setup() should be used instead of distutils.core.setup() in the setup.py script.

So, the dependency resolution depends on the way the package has been installed! I didn’t even bother to patch setup.py… Knowing that the dependencies are correctly installed, I commented out the elementtree line and also the meld3 line as this caused the same error.

So, my /usr/lib/python2.4/site-packages/supervisor-3.0a10-py2.4.egg-info/requires.txt file looks like this:

#meld3 >= 0.6.5
#elementtree
[iterparse]
cElementTree >= 1.0.2

Now supervisor starts without errors:

# /etc/init.d/supervisord start
Starting supervisord:                                      [  OK  ]
# cat /var/log/supervisor/supervisord.log
2011-05-12 02:56:08,221 CRIT Supervisor running as root (no user in config file)
2011-05-12 02:56:08,267 INFO RPC interface 'supervisor' initialized
2011-05-12 02:56:08,267 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2011-05-12 02:56:08,271 INFO daemonizing the supervisord process
2011-05-12 02:56:08,272 INFO supervisord started with pid 21337

This is what it takes to run supervisord 3 in CentOS 5 or RHEL 5. If you have any comments and suggestions, please let me know in the comments below.

Related Articles

• High CPU usage while running CentOS as guest on Virtualbox or VMware
• Sticking with CentOS, RPMforge and yum-priorities for now
• YUM-Priorities Configuration for a CentOS Desktop
• Awaiting CentOS 6
• My running dog

#################################################################################
# mod_python and mod_wsgi compatibility note
#################################################################################
# mod_wsgi will deadlock if run in daemon mode while mod_python is enabled
# do not enable both mod_python and mod_wsgi if you are going to use the
# WSGIDaemonProcess directive
# In previous version of mod_wsgi, apache would segfault when both mod_wsgi
# and mod_python were enabled.  This update does not guarantee that will not
# happen.
#################################################################################
# Do not enable mod_python and mod_wsgi in the same apache process.
#################################################################################

Keep this in mind if you plan to mix both modules under the same Apache instance.

Update: As Graham pointed out in this comment, there is no issue if mod_python 3.3.1 is used. That’s great news because I would miss the flexibility of mod_python when it comes to request processing.

Related Articles

• My running dog
• Spamassassin FH_DATE_PAST_20XX test buggy in 2010
• Making a directory writable by the webserver
• SELinux audit reports script
• Beagle Part II

DELETE FROM bb_posts WHERE post_id IN (
    SELECT post_id FROM (
        SELECT DISTINCT(p.post_id)
        FROM bb_posts AS p LEFT JOIN bb_topics AS t ON p.topic_id=t.topic_id
        WHERE t.topic_status=1
    ) AS bb_posts_in_deleted_topics
);

Then remove all deleted posts:

DELETE FROM bb_posts WHERE post_status=1;

Finally, remove all deleted topics:

DELETE FROM bb_topics WHERE topic_status=1;

In the bbPress administration panel, you can now use the “Tools” section to recount posts.

Related Articles

• Reclaiming the forums from bots
• bbPress for WordPress
• bbPress registration functions patch
• Remove-Generator-Meta-Tag WordPress Plugin
• Effectively remove a user from the system

#! /usr/bin/env bash
#
# Error Report for httpd
#
# Requires:
#   - scanerrlog - http://www.librelogiciel.com/software/ScanErrLog/action_Presentation
#   - jaxml - http://www.librelogiciel.com/software/jaxml/action_Presentation
#
 
cat /var/log/httpd/error_log \
    /var/www/vhosts/*/log/error_log \
    | python /usr/local/bin/scanerrlog.py -f text \
    | /bin/mail -s "`hostname` - Apache Error Report" root@localhost
 
exit 0

Some notes:

1. Make sure that this cronjob runs before log rotation takes place.
2. The above shell script concatenates the error_log files from the main web server and all virtualhosts. Edit the paths to reflect your server configuration and virtualhost layout.
3. Edit the path to scanerrlog.py.

Scanerrlog has some quite nice features that let you further customize the report. Make sure you read the help message.

Related Articles

• SELinux audit reports script
• Strange mod_dav_svn error
• Speed up Apache by including htaccess files into httpd.conf
• SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls
• How to integrate seaudit-report in logwatch

function rsse_add_related_posts($PostBody) {
  if (!rsse_verify_feed()) { return $PostBody; }
  if (function_exists('yarpp_related')) {
    $PostBody .= yarpp_related(array('post'),array(),false,false,'rss');
  }
  return $PostBody;
}
 
add_filter('the_content', 'rsse_add_related_posts', 252);

This code used a function of another plugin to attach a ‘related posts‘ section at the end of the full content of each feed entry. As soon as I commented out the above filter and started attaching the related-posts section to the feed content through the YARPP plugin’s administration interface, everything was normal again. No more php-cgi processes timing-out or over-consuming the CPU cycles.

The following graph shows clearly the problematic period:

php-cgi processes consuming the CPU

The httpd error_log included many errors like the following:

[...]
Allowed memory size of 33554432 bytes exhausted (tried to allocate 18893 bytes)
[...]
mod_fcgid: process ... exit(communication error), terminated by calling exit(), return code: 1
[...]
[warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[...]
[warn] mod_fcgid: stderr: PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 4864 bytes)
[...]
Premature end of script headers: index.php
[...]

Note that these errors might appear in several occasions.

In my case, finding that faulty piece of code was a huge relief, I can tell you.

Related Articles

• WordPress 2.0.6 – Feed Issues Resolved
• G-Loaded Feeds
• Redmine deployment delayed
• Issue addressed: Author feeds deliver full content
• Status of content availability via feeds

But first, let’s install some dependencies. I assume that you will try the code on a machine aimed for testing, so I won’t be using the system’s package manager but instead use easy_install to install the needed Python modules. Other commands like pip could be used as well. If you do not want to mess with your system-wide python installation, just use virtualenv and pip, but I won’t go into the details about how to use these tools in the current document.

Install the needed dependencies:

easy_install pycrypto
easy_install pyasn1
easy_install pam
easy_install twisted

Make sure you have gcc installed, because it will be needed to complete the installation of Twisted and PyCrypto.

I have created a project for this code at Bitbucket, called RapidSSH. This will make it easier to share code and ideas about SSH server implementations in Python using Twisted.

Filename: scripts/rapidsshd_unix.py

#!/usr/bin/env python
#
# This file is part of rapidssh - http://bitbucket.org/gnotaras/rapidssh/
#
# rapidssh - A set of Secure Shell (SSH) server implementations in Python
#            using Twisted.conch, part of the Twisted Framework.
#
# Copyright (c) 2010 George Notaras - http://www.g-loaded.eu
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# Initially based on the sshsimpleserver.py kindly published by:
# Twisted Matrix Laboratories - http://twistedmatrix.com
#
 
import sys
import pam
 
from twisted.conch.unix import UnixSSHRealm
from twisted.cred import portal
from twisted.cred.credentials import IUsernamePassword
from twisted.cred.checkers import ICredentialsChecker
from twisted.cred.error import UnauthorizedLogin
from twisted.conch.checkers import SSHPublicKeyDatabase
from twisted.conch.ssh import factory, userauth, connection, keys, session
from twisted.internet import reactor, defer
from zope.interface import implements
from twisted.python import log
 
# Logging
# Currently logging to STDERR
log.startLogging(sys.stderr)
 
# Server-side public and private keys. These are the keys found in
# sshsimpleserver.py. Make sure you generate your own using ssh-keygen!
 
publicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEArzJx8OYOnJmzf4tfBEvLi8DVPrJ3/c9k2I/Az64fxjHf9imyRJbixtQhlH9lfNjUIx+4LmrJH5QNRsFporcHDKOTwTTYLh5KmRpslkYHRivcJSkbh/C+BR3utDS555mV'
 
privateKey = """-----BEGIN RSA PRIVATE KEY-----
MIIByAIBAAJhAK8ycfDmDpyZs3+LXwRLy4vA1T6yd/3PZNiPwM+uH8Yx3/YpskSW
4sbUIZR/ZXzY1CMfuC5qyR+UDUbBaaK3Bwyjk8E02C4eSpkabJZGB0Yr3CUpG4fw
vgUd7rQ0ueeZlQIBIwJgbh+1VZfr7WftK5lu7MHtqE1S1vPWZQYE3+VUn8yJADyb
Z4fsZaCrzW9lkIqXkE3GIY+ojdhZhkO1gbG0118sIgphwSWKRxK0mvh6ERxKqIt1
xJEJO74EykXZV4oNJ8sjAjEA3J9r2ZghVhGN6V8DnQrTk24Td0E8hU8AcP0FVP+8
PQm/g/aXf2QQkQT+omdHVEJrAjEAy0pL0EBH6EVS98evDCBtQw22OZT52qXlAwZ2
gyTriKFVoqjeEjt3SZKKqXHSApP/AjBLpF99zcJJZRq2abgYlf9lv1chkrWqDHUu
DZttmYJeEfiFBBavVYIF1dOlZT0G8jMCMBc7sOSZodFnAiryP+Qg9otSBjJ3bQML
pSTqy7c3a2AScC/YyOwkDaICHnnD3XyjMwIxALRzl0tQEKMXs6hH8ToUdlLROCrP
EhQ0wahUTCk1gKA4uPD6TMTChavbh4K63OvbKg==
-----END RSA PRIVATE KEY-----"""
 
 
class PamPasswordDatabase:
    """Authentication/authorization backend using the 'login' PAM service"""
    credentialInterfaces = IUsernamePassword,
    implements(ICredentialsChecker)
 
    def requestAvatarId(self, credentials):
        if pam.authenticate(credentials.username, credentials.password):
            return defer.succeed(credentials.username)
        return defer.fail(UnauthorizedLogin("invalid password"))
 
 
class UnixSSHdFactory(factory.SSHFactory):
    publicKeys = {
        'ssh-rsa': keys.Key.fromString(data=publicKey)
    }
    privateKeys = {
        'ssh-rsa': keys.Key.fromString(data=privateKey)
    }
    services = {
        'ssh-userauth': userauth.SSHUserAuthServer,
        'ssh-connection': connection.SSHConnection
    }
 
# Components have already been registered in twisted.conch.unix
 
portal = portal.Portal(UnixSSHRealm())
portal.registerChecker(PamPasswordDatabase())   # Supports PAM
portal.registerChecker(SSHPublicKeyDatabase())  # Supports PKI
UnixSSHdFactory.portal = portal
 
if __name__ == '__main__':
    reactor.listenTCP(5022, UnixSSHdFactory())
    reactor.run()

Some notes:

• The server uses the very same public and private keys as found in the sshsimpleserver.py script. Make sure you generate new keys using ssh-keygen if you plan to run this on a public server (although this not recommended).
• Twisted included a module for PAM authentication, twisted.cred.pamauth, but unfortunately I could not locate one of its dependencies to make it work. So, I used the excellent python-pam to create a custom PAM authenticator class.
• I can guess what you might thought when you read about this code:
  

  Python is a cross-platform programming language. Twisted runs on Windows. So, is this a solution for running a SSH server on Win32?

  Well, at the moment it won’t run because internally it uses some Python modules that are available on UNIX platforms only. But, I intend to investigate the possibility of running this on Windows since I already need something like that.

We can now enjoy our Python SSH server. Run as root:

python scripts/rapidsshd_unix.py

From another machine, connect to the server using an ssh client:

ssh -p 5022 rocky@arena

If you have deployed your public key in the ~/.ssh/authorized_keys file on the remote machine (arena), you should be able to authenticate using the public key:

ssh -p 5022 -i /path/to/private.key rocky@arena

You should get output like the following on the server:

[root@arena ~]# python ssh.py
2010-03-26 21:30:05+0000 [-] Log opened.
2010-03-26 21:30:05+0000 [-] __main__.UnixSSHdFactory starting on 5022
2010-03-26 21:30:05+0000 [-] Starting factory <__main__.UnixSSHdFactory instance at 0xb7a0b0cc>
2010-03-26 21:30:13+0000 [__main__.UnixSSHdFactory] disabling diffie-hellman-group-exchange because we cannot find moduli file
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] outgoing: aes256-ctr hmac-sha1 none
2010-03-26 21:30:13+0000 [SSHServerTransport,0,192.168.0.172] incoming: aes256-ctr hmac-sha1 none
2010-03-26 21:30:14+0000 [SSHServerTransport,0,192.168.0.172] NEW KEYS
2010-03-26 21:30:14+0000 [SSHServerTransport,0,192.168.0.172] starting service ssh-userauth
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth none
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky trying auth publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] rocky authenticated with publickey
2010-03-26 21:30:17+0000 [SSHService ssh-userauth on SSHServerTransport,0,192.168.0.172] starting service ssh-connection
2010-03-26 21:30:17+0000 [SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] got channel session request
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] channel open
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] pty request: xterm (24L, 80L, 0L, 0L)
2010-03-26 21:30:17+0000 [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,0,192.168.0.172] getting shell

This first release of the RapidSSH project exists solely for demonstration purposes. Don’t get fooled by the small amount of code. Information about how to put the pieces together is scarce and it required a lot trial&error and source code reading. The above implementation contains none of the customizations I had in mind. These will be done as soon as I find some time to do so. Until then it will be nice to hear about your experiences or implementations you have worked on.

Related Articles

• Use Python to get the web page data in Epiphany
• Epiphany Python Console – Open New Tab
• Python IRC Bot
• Python Crash Course
• Set up the VNC Server in Fedora

The permissive mode exists mainly for testing. In this mode, the auditing mechanism generates notices (AVC Denials) about the action/event that was blocked, but without actually blocking that action/event. It is just a way to check what would have happened if SELinux had been running in enforcing mode. There are two ways to switch SELinux to permissive mode. One is to configure it through its configuration file (/etc/selinux/config on EL) to start in permissive mode on boot and the other is to use the aforementioned utility, setenforce, to switch modes while the system is live.

When performing tests on a live system, I usually take all precautions to minimize the risk of failure and usually, if possible, I am around to monitor the progress of the test. But, this time I had to use the custom SELinux policy for some days to see if it is actually effective or it needs further fine-tuning.

The Mistake: I used setenforce to set SELinux into permissive mode (/usr/sbin/setenforce 0). setenforce is for temporary changes and it is definitely not suitable for testing the policy for a long period of time. This is because if for any reason the system reboots, SELinux will be set back into the mode that is defined into its configuration file. The mode set by setenforce does not survive a reboot. So, if the custom policy happens to be incomplete, it will block the server’s normal operation after the reboot. And such reboots can happen…

This is exactly what I experienced yesterday. The datacenter on which my virtual server is hosted had problems with its main power supply. This caused one hour of downtime. But G-Loaded’s outage was a lot greater, because my custom SELinux policy was incomplete. SELinux was started in enforcing mode, so my faulty policy blocked my www service.

This should be a lesson to anyone who performs tests on live systems. The Right Thing™ was simple: boot the server into permissive mode and do as many tests as desired. I can blame the datacenter for the one-hour downtime, but for the 7-hour unavailability of G-Loaded I am the only one to blame.

Related Articles

• SELinux audit reports script
• Using a switch to prevent system shutdown/reboot/suspend
• Server upgraded to Fedora 6
• Use the Alternatives System to switch to a custom Firefox release
• How to integrate seaudit-report in logwatch

Configuration

The procedure must be performed by root.

First of all, you need to edit the /etc/sysconfig/clock file:

ZONE="Etc/GMT"
UTC=true

Please, read the notes below for more information about the settings above.

Then run the tzdata-update utility. This copies the correct zonefile to /etc/localtime:

/usr/sbin/tzdata-update

Finally, update the system time by either running ntpd or the ntpdate utility. Both are part of the ntp RPM package, so if this is not installed, just use “yum install ntp” to get it installed.

/usr/sbin/ntpdate -b pool.ntp.org

This will make sure your time is correct.

You can set a cronjob to update the system’s time using ntpdate, like this:

#
# Update the system time
#
55 23 * * * root /usr/sbin/ntpdate -4 -b pool.ntp.org 2>&1 >> /var/log/ntpdate.log

Notes

Here are some notes about the configuration of the timezone:

1. You can find the valid timezones by changing to the /usr/share/zoneinfo/ directory. From there, any relative path to a timezone file is a valid timezone. For example, “Etc/GMT“, “Europe/Athens“, “America/New_York” et cetera.
2. GMT and UTC time are practically the same and they both refer to the Greenwich Mean Time, so setting the timezone to “Etc/UTC” or “Etc/GMT” is practically the same.
3. In /etc/sysconfig/clock you can set whether the hardware clock is set to UTC/GMT time or to Local Time. I am not sure in what way the hardware clock gets involved is the time of the Operating System. But, anyway, if you know how the hardware clock is configured, set this accordingly to true or false. Usually, if I set the OS to use GMT time, I also set this to true regardless of the actual hardware clock configuration. More info on this is still needed.
4. In /etc/sysconfig/clock you may see the options ARC=false and SRM=false. These change the way the “epoch” is assumed by the console on Alpha systems and have no effect if you do not use such a platform. Delete them or leave as is, unless you know you need to set one of them to true.
5. In order to set the correct timezone, you could just create a symlink at /etc/localtime pointing to the correct timezone file in /usr/share/zoneinfo/. Then again, this would render the system configuration file /etc/sysconfig/clock (and thus all other applications that use it) useless and ineffective, so this method is generally not recommended.

Final thoughts

Setting your server to use the correct time is very important. Generally, I hate it when I see web sites or other services having incorrect time. This reveals the web server or the web application administrator’s laziness or inability to properly configure the time. I hope this guide will help get rid of this issue.

Related Articles

• Maxmind’s GeoIP.dat.gz location change
• Change console font in Fedora
• Assign Virtual IPs to your NIC
• How to Disable IPv6 in Fedora and CentOS
• How to change the expiration date of a GPG key

While I was performing the operating system installations, everything seemed to work as expected. Each virtual machine obtained a dynamic IP address and the DNS records were updated correctly. Glad that things work, I turned off Dom0 after the tests.

At a later time, when I switched Dom0 on again, I noticed that I could not reach any of the virtual machines. Their fully qualified domain names that had been allocated to them by the DHCP service would not resolve to the proper IP. To make it worse, it seemed that the virtual machines had no active leases at all!

Soon I discovered that xendomains, the service responsible for starting and stopping the unprivileged Xen domains (DomU), whenever Domain Zero was shut down, it just saved the domain U’s state for later restoration instead of initiating the DomU’s shutdown procedure. When Dom0 was brought up again, xendomains restored the saved DomU states instead of forcing the domains to boot up normally.

I assume this is like suspending a laptop, which has obtained its IP automatically from a DHCP service within LAN A, moving it to a LAN B, and then bringing it up again within that LAN. It is almost certain that for an arbitrary amount of time you would experience connectivity problems.

In both cases above, at the time the machine resumes operations, the dhclient script (or any other similar script) is not run in order to renew the machine’s IP address.

Fortunately, this behaviour of the xendomains service is configurable. In order to force all DomUs to shutdown, instead of suspending, during Domain 0′s shutdown, all you have to do is make following changes in /etc/sysconfig/xendomains:

Leave empty the XENDOMAINS_SAVE variable. By default, it uses /var/lib/xen/save as the directory where the states of the DomUs are saved. By leaving it empty, the states of the virtual machines are not saved, but they are shut down as usual.

XENDOMAINS_SAVE=""

The second modification involves setting the XENDOMAINS_RESTORE variable to false. This determines whether saved domains will be restored from the directory set in the XENDOMAINS_SAVE variable during the Dom0 startup:

XENDOMAINS_RESTORE=false

From now on, whenever Dom0 starts up, it will force all U domains to boot up normally. Contrariwise, whenever Dom0 shuts down, it will force all DomU to shut down as well. No domain state saving or restoration happens any more.

This means that the network service on each DomU, hence the dhclient script, will run every time the domain U starts up or shuts down, ensuring proper allocation of dynamic IP addresses and hostnames by the DHCP service. Of course, this adds much overhead to both the boot and power off process of Domain Zero (Dom0), but it seems that there is no other way to overcome this problem. If you know of a better way, please let me know.

Related Articles

• Howto: DHCP Server (dhcpd) Configuration
• Assign Virtual IPs to your NIC
• Set up the VNC Server in Fedora
• Partition images with Partimage and Partimaged
• Almost saying goodbye to innovation