Aug 30, 2011

Avira AntiVir Personal on Linux (II)

Once we have installed DazukoFS on the system - Avira AntiVir Personal on Linux (I) -, we are going ahead with the installation of Avira AntiVir 3.1.3.5.

[root@centos tmp]# wget http://dlpe.antivir.com/package/wks_avira/unix/en/pers/antivir_workstation-pers.tar.gz

[root@centos tmp]# tar xvzf antivir_workstation-pers.tar.gz ; cd antivir-workstation-pers-3.1.3.5-0

The installation process is carried out by means of a bash script. After agreeing the license, the installer asks if we want to create a link for avupdate-guard.

[root@centos antivir-workstation-pers-3.1.3.5-0]# ./install
...
Would you like to create a link in /usr/sbin for avupdate-guard ? [y]
linking /usr/sbin/avupdate-guard to /usr/lib/AntiVir/guard/avupdate-guard ... done

Then the script can establish a cron task (/etc/cron.d/avira_updater) for automatic updates.

Would you like to setup Scanner update as cron task ? [y]
...
What time should updates be done [00:15]?
creating Scanner update cronjob ... done

The previous task checks if there is any update related to the scanner, engine or vdf files. On the contrary, if you accept the next request, the Guard module will be also updated periodically.

Would you like to check for Guard updates once a week ? [n]

setup internet updater complete

Next step takes care of installing DazukoFS. Due to this operation was previously accomplished, it will not be necessary to repeat it.

Preinstalled dazukofs module found on your system.

Would you like to reinstall dazukofs now ? [y] n
Dazukofs module is loaded

Through the following question, you can specify what directories must be protected by AntiVir Guard. I have selected the default option. Later, you may change this choice or add more directories by editing the fstab file.

Watch out with this selection, because regardless of the antivirus used, when you set up an on-access daemon, you have to avoid certain directories such as /sys, /proc, /root or directly /.

Guard will automatically protect all directories which are mounted upon dazukofs filesystem.

Please specify at least one directory to be protected by Guard to add in /etc/fstab : [/home]
The following directories will be protected by Guard:
/home

Then the installer verifies if the quarantine directory exists. This directory is used to isolate a suspect or infected file, so as to be able to repair it later.

Would you like to create /home/quarantine ? [y]
creating /home/quarantine ... done

Afterwards, you are asked if you want to make a link to AntiVir Guard and whether it should be automatically activated at system start.

Would you like to create a link in /usr/sbin for avguard ? [y]
linking /usr/sbin/avguard to /usr/lib/AntiVir/guard/avguard ... done

Please specify if boot scripts should be set up.
Set up boot scripts ? [y]

With the last step, we run AntiVir Guard.

Would you like to start AVIRA Guard now? [y]
Starting AVIRA AntiVir Workstation Personal ...
Starting: avguard.bin

After ending up the installation, it is highly recommended to perform a complete update of the application.

[root@centos ~]# avupdate-guard --product=Guard


Aug 22, 2011

Avira AntiVir Personal on Linux (I)

I have always said over and over that the myth about there are no viruses for Linux is absolutely false. Occurs that there are fewer viruses on Linux because it is an open operating system, so many people may contribute quickly to fix its fails. In addition, it is more robust and less used than Windows, thereby hackers have got less interest to break it.

But figure for a moment when you are surfing the net, for instance with Firefox, and it turns out that your browser contains any critical vulnerability, or for example, the web page which you are visiting utilizes Java or Flash, and the versions that you have installed on your Linux system are vulnerable... your computer would be exposed to any attack or malware infection.

Now it is clear that many times, Linux is not really the guilty, but the responsability comes from third-party software. For that reason, I think that it is necessary to have installed a good antivirus on our Linux systems, regardless of the kind of distribution.

There are several good and free antivirus for Linux, such as avast, ClamAV, AVG, but my favourite option is Avira AntiVir. Its main features are:

  • Easy installation through a script.

  • Command Line Scanner: configurable on-demand searches for all malware types (viruses, horms, backdoors, trojans, etc.).

  • Resident guard: configurable on-access actions (block, delete, repair, move and rename) when malware is detected.

  • Heuristic detection.

  • Automatic update for product, scan engine and virus signature file.

The most important characteristic of Avira with regard to other solutions is the AntiVir Guard module (ClamAV has got it too), which runs as a daemon process and it is permanently monitoring all the accesses to the system (on-access) and saving it against possible viruses.

In addition, the AV-Comparatives organization published in April 2011 the last review about On-demand Detection of Malicious Software, and Avira AntiVir reached excellent results.

Other modules belonging to Avira are AntiVir Command Line Scanner (allows to scan files in search of viruses or suspicious elements, and it can be integrated with scripts) and AntiVir Updater (downloads current updates from the Avira web servers, manually or automatically).

Also say that AntiVir Guard is based on DazukoFS, an open source software that provides a kernel module which lets execute online file access control, by intercepting memory and disk calls and passing the information to an user space application, in this case Avira AntiVir. Other applications are also based on Dazuko, such as ClamAV, Panda Security for Linux, F-Secure, etc.

The AntiVir installation package supplies a DazukoFS version which is automatically configured and installed (in theory). DazukoFS depends on the kernel version; for this purpose it is better to install manually this module.

Therefore let's get going to download the version 3.1.2 of Dazuko (this number of version works fine with a 2.6.32 kernel) and install it on our testing system, CentOS 6.0 (32 bits). To begin with, I will also get some necessary packages.

[root@centos ~]# yum install gcc make kernel-devel file

[root@centos tmp]# wget http://dazuko.dnsalias.org/files/dazukofs-3.1.2.tar.gz

[root@centos tmp]# tar xvzf dazukofs-3.1.2.tar.gz ; cd dazukofs-3.1.2

Now we are ready to compile and install DazukoFS as a module into our Linux system.

[root@centos dazukofs-3.1.2]# make ; make dazukofs_install

[root@centos dazukofs-3.1.2]# modprobe dazukofs

[root@centos dazukofs-3.1.2]# echo "modprobe dazukofs" >> /etc/rc.modules

[root@centos dazukofs-3.1.2]# chmod +x /etc/rc.modules

Lastly, also point out that the license of this antivirus allows you to install it for a personal use, for instance on your own PC or your home server. Note that if you use AntiVir Guard via DazukoFS, you will need to compile this module when you change the kernel. For production environments I always suggest ClamAV.


Aug 15, 2011

Adding a KVM hypervisor to OpenNebula (II)

Once I have finished to configure the KVM computing node, Adding a KVM hypervisor to OpenNebula (I), today I am going to conclude this series of technical articles about OpenNebula by setting a new instance up on kvm01.

First of all, I am going to use for my testing, a ttylinux image, downloaded directly from the OpenNebula website. This sort of Linux distribution is designed to consume fewer resources than a typical operating system such as Debian or CentOS.

oneadmin@frontend01:/tmp$ wget http://dev.opennebula.org/attachments/download/170/ttylinux.tar.gz

oneadmin@frontend01:/tmp$ tar xvzf ttylinux.tar.gz ; cd ~/templates

Next step is to define an image template so as to register it into OpenNebula.

oneadmin@frontend01:~/templates$ cat ttylinux.img
NAME        = "ttylinux"
PATH        = /tmp/ttylinux.img
DESCRIPTION = "Very small Linux distribution based on a 2.6 kernel"

oneadmin@frontend01:~/templates$ oneimage register ttylinux.img

oneadmin@frontend01:~/templates$ oneimage list
ID     USER                 NAME TYPE              REGTIME PUB PER STAT  #VMS
 0 oneadmin   Ubuntu Server 8.04   OS   Jul 02, 2011 10:34  No  No  rdy     0
 1 oneadmin             ttylinux   OS   Aug 07, 2011 18:30  No  No  rdy     0

Now we have a virtual image ready to be used on our KVM nodes, in this case kvm01.

oneadmin@frontend01:~/templates$ ls -lh ../var/images/8625d68b699fd30e64360471eb2c38fed47fcfb6
-rw-rw---- 1 oneadmin cloud 40M 2011-08-07 20:30 var/images/8625d68b699fd30e64360471eb2c38fed47fcfb6

oneadmin@frontend01:~/templates$ file ../var/images/8625d68b699fd30e64360471eb2c38fed47fcfb6
var/images/8625d68b699fd30e64360471eb2c38fed47fcfb6: x86 boot sector, LInux i386 boot LOader; partition 1: ID=0x83, starthead 1, startsector 63, 81585 sectors, code offset 0xeb

Then we have to make up a virtual network which will be utilized by all virtual machines built on our KVM computing node. Note that the key of this network is the bridge created in the previous article.

oneadmin@frontend01:~/templates$ cat kvm.net
NAME            = "KVM Network"
TYPE            = RANGED
PUBLIC          = NO
BRIDGE          = br0
NETWORK_ADDRESS = 192.168.1.160
NETWORK_SIZE    = 16
NETMASK         = 255.255.255.0
GATEWAY         = 192.168.1.1
DNS             = 194.30.0.1

oneadmin@frontend01:~/templates$ onevnet create kvm.net

oneadmin@frontend01:~/templates$ onevnet list
ID USER     NAME              TYPE BRIDGE P #LEASES
 0 oneadmin KVM Network     Ranged    br0 N       0

And lastly, we just have to set an instance template up where we outline the characteristics of our virtual machine and thus, to be able to run it over kvm01.

oneadmin@frontend01:~/templates$ cat ttylinux01.vm
NAME   = ttylinux01
CPU    = 1
MEMORY = 128

DISK   = [ SOURCE = "/srv/cloud/one/var/images/8625d68b699fd30e64360471eb2c38fed47fcfb6",
           TARGET = "hda" ]

NIC    = [ NETWORK = "KVM Network" ]

oneadmin@frontend01:~/templates$ onevm create ttylinux01.vm

oneadmin@frontend01:~/templates$ onevm list
ID     USER     NAME STAT CPU     MEM        HOSTNAME        TIME
 0 oneadmin ttylinux runn   0      0K           kvm01 00 00:01:03


Aug 9, 2011

Adding a KVM hypervisor to OpenNebula (I)

After ending up how to add a VMware ESXi hypervisor to OpenNebula, now it is turn to configure a KVM node into our cloud infraestructure with OpenNebula.

To begin with, we are going to make up a network bridge on kvm01. For this purpose, we must put the NIC into manual mode and associate it to the bridge (br0). Remember that this new interface has also to have an IP address belonging to the own subnetwork.

root@kvm01:~# cat /etc/network/interfaces
...
auto eth0
   iface eth0 inet manual

auto br0
   iface br0 inet static
   address 192.168.1.12
   netmask 255.255.255.0
   network 192.168.1.0
   broadcast 192.168.1.255
   gateway 192.168.1.1
   dns-nameservers 194.30.0.1
   dns-search opennebula.local
   bridge_ports eth0
   bridge_fd 9
   bridge_hello 2
   bridge_maxage 12
   bridge_stp off

root@kvm01:~# /etc/init.d/networking restart

The reason for creating a bridge is clear: to be able to address the virtual machines built in this node. Otherwise, we would never link them.

Then we have to install the corresponding packages to be able to virtualize machines through KVM. The ruby package will be used to manage the node from OpenNebula and nfs-common to mount the shared area exported by storage01. As you can see, the libvirtd daemon must be put into listening mode without authentication.

root@kvm01:~# aptitude install kvm libvirt-bin ruby nfs-common

root@kvm01:~# cat /etc/libvirt/libvirtd.conf
...
listen_tls = 0
listen_tcp = 1
auth_tcp   = "none"

root@kvm01:~# cat /etc/libvirt/qemu.conf
...
dynamic_ownership = 0

root@kvm01:~# cat /etc/init/libvirt-bin.conf
...
env libvirtd_opts="-d -l"

root@kvm01:~# restart libvirt-bin

Besides, it is necessary to uncomment the line which says "dynamic_ownership = 1" (libvirt should dynamically change file ownership to match the configured user/group) and modify it to 0. Otherwise, you would get an error as follows.

neadmin@frontend01:~/templates$ tail -f ../var/oned.log
...
Sat Aug 13 20:32:11 2011 [TM][D]: Message received: TRANSFER SUCCESS 1 -
Sat Aug 13 20:32:12 2011 [VMM][D]: Message received: LOG - 1 Command execution fail: 'if [ -x "/var/tmp/one/vmm/kvm/deploy" ]; then /var/tmp/one/vmm/kvm/deploy /srv/cloud/one/var//1/images/deployment.0; else                              exit 42; fi'
Sat Aug 13 20:32:12 2011 [VMM][D]: Message received: LOG - 1 STDERR follows.
Sat Aug 13 20:32:12 2011 [VMM][D]: Message received: LOG - 1 error: Failed to create domain from /srv/cloud/one/var//1/images/deployment.0
Sat Aug 13 20:32:12 2011 [VMM][D]: Message received: LOG - 1 error: unable to set user and group to '104:112' on '/srv/cloud/one/var//1/images/disk.0': Invalid argument
Sat Aug 13 20:32:12 2011 [VMM][D]: Message received: LOG - 1 ExitCode: 255

Next step is to add a new user called oneadmin (with ID 1001, the same that in the rest of computers). I prefer to set a password up for this user because later, you have to copy the frontend01's public key in this machine.

root@kvm01:~# mkdir -p /srv/cloud/one/var

root@kvm01:~# groupadd --gid 1001 cloud

root@kvm01:~# useradd --uid 1001 -s /bin/bash -d /srv/cloud/one -g cloud -G kvm,libvirtd oneadmin

root@kvm01:~# passwd oneadmin

root@kvm01:~# chown -R oneadmin:cloud /srv/cloud

root@kvm01:~# id oneadmin
uid=1001(oneadmin) gid=1001(cloud) groups=1001(cloud),112(kvm),113(libvirtd)

root@kvm01:~# cat /etc/fstab
...
storage01:/srv/cloud/one/var /srv/cloud/one/var      nfs4    _netdev,auto    0       0

root@kvm01:~# mount -a

In addition, the node must be synchronized with all the machines of the cluster.

root@kvm01:~# crontab -e
...
0 * * * * ntpdate pool.ntp.org

And finally, we have to copy the public key from frontend01, so that this computer can be remotely handled by OpenNebula.

oneadmin@frontend01:~$ ssh-copy-id -i .ssh/id_rsa.pub oneadmin@kvm01

So as to check the installation, we can execute the next order from frontend01.

oneadmin@frontend01:~$ lib/remotes/im/run_probes kvm kvm01
ARCH=x86_64 MODELNAME="Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz"

Now we are ready to use the new KVM node in our cloud computing architecture.

oneadmin@frontend01:~$ onehost create kvm01 im_kvm vmm_kvm tm_nfs

oneadmin@frontend01:~$ onehost list
ID NAME              CLUSTER  RVM   TCPU   FCPU   ACPU    TMEM    FMEM STAT
 0 kvm01             default    0    100    100    100      2G    1.9G   on


Aug 1, 2011

Tuning Zabbix to improve its performance (II)

Let's continue with the last article about tuning Zabbix to improve its performance. First of all, I am going to set the suitable kernel parameters into the sysctl.conf file.

root@zbx01:~# cat /etc/sysctl.conf
...
# Maximum percentage of physical memory usage before going to swap
vm.swappiness = 10

# Number of open files for all processes
fs.file-max = 407020

# Minimum, default and maximum size of the send/receive buffer used by each TCP socket
net.ipv4.tcp_wmem = 8192        87380   16777216
net.ipv4.tcp_rmem = 8192        87380   16777216

# Maximum number of queued connection requests which have still not received an ACK (three-way handshake)
net.ipv4.tcp_max_syn_backlog = 2048

# Number of seconds to wait for a final FIN packet before the socket is forcibly closed
net.ipv4.tcp_fin_timeout = 25

# Number of seconds a connection needs to be idle before TCP begins sending out keep-alive probes
net.ipv4.tcp_keepalive_time = 1200

# Maximum TCP send window
net.core.wmem_max = 16777216

# Maximum TCP receive window
net.core.rmem_max = 16777216

# Maximum size in bytes of a message queue
kernel.msgmnb = 65536

# Maximum size for a message text
kernel.msgmax = 65536

# Maximum size in bytes for a shared memory segment
kernel.shmmax = 68719476736

# System wide maximum of shared memory pages
kernel.shmall = 4294967296

Then I am going to fit the values of MySQL by means of its configuration file. This part is really important if you want to achieve a good performance.

In order to adjust them, I have been following the status of the database throughout several weeks, by using tuning tools such as MySQL Performance Tuning Primer Script or MySQLTuner.

root@zbx01:~# cat /etc/mysql/my.cnf
...
# Size of the buffer used for index blocks
key_buffer = 16M

# Maximum size of one packet or any generated/intermediate string
max_allowed_packet = 16M

# Number of threads the server should cache for reuse
thread_cache_size = 64

# Maximum allowed number of simultaneous client connections
max_connections = 256

# Number of open tables for all threads
table_cache = 1024

# Number of table definitions that can be stored in the definition cache
table_definition_cache = 1024

# Do not cache results that are larger than this number of bytes
query_cache_limit = 16M

# Amount of memory allocated for caching query results
query_cache_size = 1024M

# Minimum size (in bytes) for blocks allocated by the query cache
query_cache_min_res_unit = 512

# 0: do not cache
# 1: cache all cacheable query results except for those that begin with SELECT SQL_NO_CACHE
# 2: cache results only for cacheable queries that begin with SELECT SQL_CACHE
query_cache_type = 1

# Slow queries are logged
log_slow_queries = /var/log/mysql/mysql-slow.log

# If a query takes longer than this value (seconds), the server logs the query
long_query_time = 5

# Queries that are expected to retrieve all rows are logged
log-queries-not-using-indexes

# Size in bytes of the memory buffer that InnoDB uses to cache data and indexes of its tables
innodb_buffer_pool_size = 4096M

With respect to MySQL, stand out that it is also important to defragment the query cache to enhance its utilization, by carrying out a "flush query cache" on the database. In my installation, I have seen that the optimum period is every hour.

root@zbx01:~# crontab -e
...
0 */1 * * * mysql -u root -pxxxxxx -e "flush query cache"

And finally, I have changed certain parameters from the Zabbix configuration file. The most important variable is related to the pre-forked pollers.

If this number is not enough, your Zabbix server will not be able to save all monitored data and you will find lack of many values. This is due to if the server runs out of sufficient processes to attend the requests, they will be ruled out and not registered.

root@zbx01:~# cat /etc/zabbix/zabbix_server.conf
...
# Number of pre-forked instances of pollers
StartPollers=96

# Shared memory size for storing hosts and items data
CacheSize=64M

# Shared memory size for storing history data
HistoryCacheSize=8M

# Shared memory size for storing trends data.
TrendCacheSize=8M

# Shared memory size for storing character, text or log history data
HistoryTextCacheSize=8M

Regarding Housekeeping, I have not modified any default parameter. In this way, the housekeeping procedure runs every hour and deletes all unnecessary values into the database.

If you note that your server does not work properly because it is using up lots of resources (CPU, memory, I/O) in this task, you will have to fit these options.

root@zbx01:~# cat /etc/zabbix/zabbix_server.conf
...
# Housekeeping is removing unnecessary information from history, alert, and alarm tables
# HousekeepingFrequency=1

# No more than MaxHousekeeperDelete rows will be deleted per one task in one housekeeping cycle
# MaxHousekeeperDelete=500

# Enable/disable housekeeping
# DisableHousekeeping=0