Once again I found myself trying to “fix” something that has been bothering me for some time – the Resolution in KVM guests is sometimes poor, as low as 800×600.

As it turns out, one can increase the resolution of the guests much higher by using a custom xorg.conf and the std vga driver.

Save the following in /etc/X11/xorg.conf in the Guest OS.

Direct download – bodhi.zazen’s kvm xorg.conf

As root run:

wget http://bodhizazen.net/adblock/kvm.xorg.conf -O /etc/X11/xorg.conf

xorg.conf

Section "ServerLayout"
Identifier "BodhiZazen’s KVM xorg.conf"
Screen 0 "Screen0" 0 0
InputDevice "Mouse0" "CorePointer"
InputDevice "Keyboard0" "CoreKeyboard"
EndSection

Section "Module"
Load "record"
Load "dri"
Load "extmod"
Load "glx"
Load "dbe"
Load "dri2"
EndSection

Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
EndSection

Section "InputDevice"
Identifier "Mouse0"
Driver "vmmouse"
Option "Protocol" "SysMouse"
Option "Device" "/dev/sysmouse"
Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "Monitor"
Identifier "Monitor0"
VendorName "Monitor Vendor"
ModelName "Monitor Model"
HorizSync 20.0 – 50.0
VertRefresh 40.0 – 80.0
Option "DPMS"
EndSection

Section "Device"
Identifier "Card0"
Driver "vesa"
VendorName "Cirrus Logic"
BoardName "GD 5446"
BusID "PCI:0:2:0"
EndSection

Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
SubSection "Display"
Viewport 0 0
Modes "1600×1200"
EndSubSection
EndSection

Note: The vmware mouse driver is installed on most distros by default. If you need to install it use:

# Fedora
yum install xorg-x11-drv-vmmouse

#Debian / Ubuntu
apt-get install xorg-input-vmmouse

If you need a higher/lower resolution, change “1600×1200″ to your desired resolution.

Finally, when we restart KVM use the “std” video driver. The default video driver is cirrus.

kvm -m 512 -vga std -disk file=/path/to/linux.qcow,cache=writeback,media=disk

You may specify vga from Virtmanager or in your guest xml file (if you are using libvirt).

<model type='vga' vram='9216' heads='1'/>

I was looking at iptables / UFW in openvz templates and was able to work through some of the problems with UFW.

In this blog I will outline how to get ufw working.

The issues with UFW and OpenVZ guests are:

1. Openvz has limited options for iptables, and UFW scripts fail when these options are called.

See this link for a discussion (and some hints).

2. The other problem with ufw is that it attempts to load kernel modules via modprobe and change sysctl settings. Since you can not load kernel modules in an openvz guest ufw fails. Because sysctl does not work, we get error messages.

3. Issues with logging. By default Ubuntu (and many distros) use rsyslog, which does not work well in OpenVZ guests.

4. Fix the ufw init script (otherwise we receive errors).

5. ipv6 is not fully functional in openvz guests.

6. Some things are still broken … The ufw scripts for Applications remain broken, specify by port instead (see below).

“Fix” iptables

UFW throws cryptic error messages:


# ufw enable
ERROR: problem running ufw-init

# /lib/ufw/ufw-init restart
iptables-restore: line 66 failed
iptables-restore: line 30 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'


These cryptic error messages are telling us which lines in which config files are failing.

Edit the ufw config files and comment out iptables modules incompatible with ufw.

Edit /etc/ufw/after.rules

# don’t log noisy broadcast
#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

Edit /etc/ufw/ufw/before.rules

# if LOCAL, RETURN
#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

“Fix” modprobe

Not really a fix, a work around … we can not really “fix” modprobe, so we will return a success code when modprobe is called by ufw.

rm -f /sbin/modprobe
ln -s /bin/true /sbin/modprobe

“Fix” sysctl

Similar to modprobe, sysctl does not work inside openvz templates (you would set these parameters on the host, but they do not apply per container).


# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
-bash: /proc/sys/net/ipv6/conf/all/accept_redirects: Permission denied
# sysctl -w net.ipv6.conf.all.accept_redirects="1"
error: permission denied on key 'net.ipv6.conf.all.accept_redirects'


Same fix as modprobe:

rm -f /sbin/sysctl
ln -s /bin/true /sbin/sysctl

Fix logging

This fix actually works …

apt-get -y purge rsyslog
apt-get install -y syslog-ng

UFW will now log to /var/log/messages and /var/log/kern.log (but not /var/log/ufw.log )

Edit ufw init

Edit /etc/init/ufw.conf and add the following lines at the end of the file:

start on startup
#console output

ipv6

ipv6 is not fully functional in openvz guests and can cause problems with ufw.

If you are having problem with ufw and ipv6 the only solution I am aware of is to disable ipv6.

This is the cryptic error message I receive when I enable ipv6 in ufw.

w# ufw enable
ERROR: Could not load logging rules

To disable ipv6, edit /etc/default/ufw and change IPV6 to “no” (without quotes)

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to ‘disable’ and then ‘enable’ the firewall for
# the changes to take affect.
IPV6=no

Still broken

The ufw application scripts add iptables rules that are incompatible with iptables in an openZV guest and thus remain broken.

You will need to work around this by specifying ports rather then applications.

Thus use :

ufw allow 80/tcp
ufw allow 443/tcp

But not:

#This does NOT work
ufw allow Apache

#This does NOT work either
ufw allow "Apache Full"

This post is for those wanting to upgrade existing Ubuntu 9.10 openvz templates to Ubuntu 10.04 (Lucid Lynx) which is a LTS release (supported server side for 5 years).

Caution: Back up your data before you upgrade. This upgrade works on a minimal server and you may need to edit (upstart) init scripts (mysql in particular) and I make no guarantees this upgrade procedure will work for you (use at your own risk).

Assuming your template is 101 …

sudo vzctrl enter 101

Update 9.10

Start by updating 9.10:

apt-get update
apt-get dist-upgrade

Upgrade to 10.04

Upgrade – Instructions from This link

apt-get install -y update-manager-core

Edit /etc/update-manager/release-upgrades , make sure Prompt=normal

Prompt=normal

It was normal already on my VPS …

Upgrade to 10.04

do-release-upgrade

Follow the on screen directions, accept the new configuration files.

Continue installing without GURB – answer “yes”

At the end of the upgrade, do not restart (yet)

Post -upgrade

We need some post-upgrade configuration:

Start by removing unnecessary packages

apt-get purge eject kbd laptop-detect linux-generic linux-image-2.6.32-21-generic os-prober ubuntu-keyring update-manager-core
apt-get autoremove

Put mountall and upstart on hold

echo "mountall hold"|dpkg --set-selections
echo "upstart hold"|dpkg --set-selections

Remove / Fix the init scripts.

cd /etc/init
rm -f console* dmesg.conf failsafe* mount* network-interface* openvz.conf plymouth*

The only init scripts I have are:

hostname.conf
networking.conf
rc-sysinit.conf
rc-S.conf
rc.conf

Edit /etc/init/rc.conf and comment out the following lines:

#console output
#env INIT_VERBOSE

Make an openvz.conf (run (copy-paste) the “cat” command):

cat <<EOF > /etc/init/openvz.conf
# OpenVZ - Fix init sequence to have OpenVZ working with upstart

description "Fix OpenVZ"

start on startup

task
pre-start script
mount -t devpts devpts /dev/pts
mount -t tmpfs varrun /var/run
mount -t tmpfs varlock /var/lock
mkdir -p /var/run/network
if [ ! -e /etc/mtab ]; then
cat /proc/mounts > /etc/mtab
fi
touch /var/run/utmp
chmod 664 /var/run/utmp
chown root.utmp /var/run/utmp
if [ "$(find /etc/network/ -name upstart -type f)" ]; then
chmod -x /etc/network/*/upstart || true
fi
end script

script
start networking
initctl emit filesystem --no-wait
initctl emit local-filesystems --no-wait
initctl emit virtual-filesystems --no-wait
init 2
end script
EOF

Fix ssh

sed -i -e 's_oom never_#oom never_g' /etc/init/ssh.conf

Fix mysql

Edit /etc/init/mysql.conf , change the start line to

start on start on runlevel [2345]

I advise you replace rsyslog with syslog-ng (rsyslog is default in Ubuntu, but IMO does not work well in Openvz VPS).

apt-get purge rsyslog
apt-get -y install syslog-ng

That’s it, exit and restart your VPS.

If all went well you should have a fully functional Ubuntu 10.04 VPS. If you broke it, you get to keep both pieces.

When posting code , wordpress often changes text into gibbersih making code boxes hard to read and copy-paste of code difficult or impossible.

Examples two – show up as — (one).

To fix this, use html code.

Single quote  ‘  = &#39; yields '

Double quote ” = &#34; yields "

Single dash – = &#45; Yields -

Double dash — = &#45;&#45; yields --

> = &gt; yields >

< = &lt; yields <

The result is “code” that people who follow your blog can copy-paste into their terminals.

Alternately you may use a wordpress plugin. Here is a nice option with links to to other plugins.

I recently upgraded from Ubuntu 8.04.3 to Ubuntu 10.04 and things went well, except a few broken packages.

Apt-get / synaptic was very broken due to the flashplugin-nonfree.

sudo apt-get -f
[clip]
dpkg: error processing flashplugin-nonfree (--remove):
Package is in a very bad inconsistent state – you should
reinstall it before attempting a removal.
Errors were encountered while processing:
flashplugin-nonfree
E: Sub-process /usr/bin/dpkg returned an error code (1)

sudo dpkg --configure -a
dpkg: dependency problems prevent configuration of realplayer:
realplayer depends on libstdc++5 (>= 1:3.3.4-1); however:
Package libstdc++5 is not installed.
dpkg: error processing realplayer (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
realplayer

Not looking very good … and forcing things did not help (same results with --remove --force-remove-reinstreq.


dpkg --remove --force-all flashplugin-nonfree
dpkg: warning: overriding problem because --force enabled:
Package is in a very bad inconsistent state - you should
reinstall it before attempting a removal.
(Reading database ... 239938 files and directories currently installed.)
Removing flashplugin-nonfree ...
update-alternatives: error: no alternatives for iceape-flashplugin.
update-alternatives: error: no alternatives for iceape-flashplugin.
dpkg: error processing flashplugin-nonfree (--remove):
subprocess installed pre-removal script returned error exit status 2
postinst called with argument `abort-remove'
dpkg: error while cleaning up:
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
flashplugin-nonfree

To fix the problem I needed to manually remove the package.

cd /var/lib/dpkg/info
sudo rm flashplugin-nonfree.*

Now remove the offending packages:

sudo dpkg --remove --force-remove-reinstreq flashplugin-nonfree
sudo dpkg --remove --force-remove-reinstreq realplayer

Voilà – apt-get is now fixed =)

This is in follow up to my previous post on Ubuntu OpenVZ templates .

I have made a set of Ubuntu 10.04 openvz templates available for download HERE .

The templates *should* be compatible with the Proxmox Web Interface (thus the seemingly odd names) as well as any other OpenVZ host (Centos / Debian).

There are both 32 and 64 bit templates.

Minimal templates

The “minimal” templates are approximately 85 Mb and are, as the name implies, minimal.

lamp

As the name implies, these templates include Apache and MySQL and PHP5.

Both Apache and MySQL have been optimized for use with openvz and use signifigantly less ram then the defaults.

Here is what the 32 bit LAMP template looks like:

root@ubuntu-minimal:/# free -m
                      total     used    free    shared    buffers    cached
Mem:                   256       69     186       0         0          0
-/+ buffers/cache:     69        186
Swap:                  0         0      0
root@ubuntu-minimal:/# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.6  23432  1644 ?        Ss   06:50   0:00 init
root        21  0.0  0.0    100    16 ?        S    06:50   0:00 [init-logger]
root        86  0.0  0.3  49256  1044 ?        Ss   06:50   0:00 /usr/sbin/sshd
mysql       90  0.1  4.3  83420 11280 ?        Ssl  06:50   0:00 /usr/sbin/mysqld
root       120  0.0  2.7 119440  7280 ?        Ss   06:50   0:00 /usr/sbin/apache2 -k start
www-data   124  0.0  1.7 119440  4636 ?        S    06:50   0:00 /usr/sbin/apache2 -k start
www-data   126  0.0  1.7 119440  4636 ?        S    06:50   0:00 /usr/sbin/apache2 -k start
www-data   127  0.0  1.7 119440  4636 ?        S    06:50   0:00 /usr/sbin/apache2 -k start
www-data   128  0.0  1.7 119440  4636 ?        S    06:50   0:00 /usr/sbin/apache2 -k start
www-data   129  0.0  1.7 119440  4636 ?        S    06:50   0:00 /usr/sbin/apache2 -k start
root       182  0.0  0.1  18552   520 ?        Ss   06:51   0:00 vzctl: pts/0
root       183  0.0  0.7  17860  1904 pts/0    Rs   06:51   0:00 -bash

Note: mysql has no set root password, I would advise you set one ;)

mysql -u root

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('your_new_root_password_here'); FLUSH PRIVILEGES; exit;

service mysql restart

Feedback welcome

If you have suggestions or experience any difficulties with these templates, please let me know and I will try my best to fix/update them.

OpenVZ is used for Virtualization and is both light weight (minimal software on the host, guests have small footprints on the hard drive, and minimal use of RAM) and fast (native speed).

I know there are some fans of Openvz out there who wish to use Ubuntu templates (you know who you are).

Cautionary note: The init scripts in Ubuntu 10.04 are problematic and you may have problems starting servers. For example , mysql will not start on boot unless you edit /etc/init/mysql.conf . Updates (to upstart and or the boot scripts [ mountall ] ) may break any fixes you add.

Because of these issues, I would hold off on using Ubuntu 10.04 on a “Production” server.

In this post I will walk you through how I create Ubuntu Lucid (10.04) Templates. There have been a few glitches along the way, and I would like to especially thank Stéphane Graber for the Openvz init scripts.

This walk through is loosely based on OpenVZ Debian Template and assumes you have OpenVZ set up and that you know the basics of chroot, debootstrap, and openvz commands.

To make a template, use Debootstrap. for this how-to the chroot (location to build the template) is /vz/private/777.

Note: On Debian / Ubuntu hosts I mount /var/lib/vz at /vz by adding this line in /etc/fstab :

/var/lib/vz /vz bind bind 0 0

To create a template, follow the Ubuntu wiki Debootstrap page.

Debootstrap

I assume you were able to create what will be a chroot at /vz/private/777 via deboostrtap.

sudo mkdir -p /vz/private/777
sudo debootstrap --variant=minbase --arch i386 lucid /vz/private/777 http://archive.ubuntu.com/ubuntu/

Change --arch i386 to --arch amd64 for a 64 bit template.

Template Configuration

Fix openvz – we need an init script for openvz to start

sudo nano /vz/private/777/etc/init/openvz.conf

Add these lines:

# OpenVZ - Fix init sequence to have OpenVZ working with upstart

description "Fix OpenVZ"

start on startup

task
pre-start script
mount -t devpts devpts /dev/pts
mount -t tmpfs varrun /var/run
mount -t tmpfs varlock /var/lock
mkdir -p /var/run/network
if [ ! -e /etc/mtab ]; then
cat /proc/mounts > /etc/mtab
fi
touch /var/run/utmp
chmod 664 /var/run/utmp
chown root.utmp /var/run/utmp
if [ "$(find /etc/network/ -name upstart -type f)" ]; then
chmod -x /etc/network/*/upstart || true
fi
end script

script
start networking
initctl emit filesystem --no-wait
initctl emit local-filesystems --no-wait
initctl emit virtual-filesystems --no-wait
init 2
end script

Init script from Stéphane Graber modified by bodhi.zazen to work with Proxmox

Fix /etc/init/rc.conf . This fix was submitted by Jean-Michel Dault and Tomoiaga (see the comments below).

Open etc/init/rc.conf and comment out the line “console output”

#console output
#env INIT_VERBOSE

Now remove init scripts we do not need (these scripts are not relevant to openvz guests).

cd /vz/private/777/etc/init/
sudo rm -f console* control* hwclock* module* mount* network-interface* plymouth* procps* tty* udev* upstart*

Note: The final init scripts I have (on a template with ssh-server, mysql, and apache) are :

cron.conf
hostname.conf
mysql.conf
networking.conf
openvz.conf
rc-sysinit.conf
rcS.conf
rc.conf
ssh.conf

You can likely remove rcS.conf and rc-sysinit.conf if you wish. cron.conf will fill your logs, so if you do not run cron scripts / jobs you can remove this script as well.

Configure the template (openvz configuration)

sudo vzctl set 777 --applyconfig vps.basic --save
sudo sh -c 'echo "OSTEMPLATE=ubuntu-10.04-i386-minimal" >> /etc/vz/conf/777.conf'

# Set an ipaddress on the guest (adjust for your network)
sudo vzctl set 777 --ipadd 192.168.0.77 --nameserver 192.168.0.1 --save

Start the template and perform additional configuration

Start the template

sudo vzctl start 777

The next series of steps will configure your template. DO NOT RUN THESE COMMANDS ON THE HOST !!!

Enter into the template

sudo vzctl enter 777

Install some additional packages (you need quota, vim/nano are optional).

apt-get install --force-yes -y gpgv
apt-get update

apt-get install -y adduser apt-utils console-setup iproute netbase nano openssh-blacklist openssh-blacklist-extra openssh-server quota ping sudo vim

Put upstart and mountall on hold (these packages will not be upgraded with apt-get upgrade).

echo "mountall hold"|dpkg --set-selections
echo "upstart hold"|dpkg --set-selections

Replace rsyslog with syslog-ng.

rsyslog is the default in Ubuntu, but, IMO, rsyslog does not work well in an OpenVZ VPS, so I suggest you replace it with syslog-ng.

apt-get purge rsyslog
apt-get -y install syslog-ng

“Fix” Modprobe -

modprobe does not work inside openvz templates, and any script/binary which call modprobe will fail. As a potential fix you can remove modprobe and link to /bin/true

rm /sbin/modprobe
ln -s /bin/true /sbin/modprobe

Depending on the script this may or may not help. For example it helps with ufw, but does not fix all the problems with ufw :

See this discussion on the openVZ forums .

Lock down the root account. If you lock the root account, and wish to access the guest via ssh, you will need to create additional user accounts and configure sudo (in the template). I do this after bringing up a guest and so it is not part of template configuration.

chmod 700 /root
usermod -p '!' root

Fix ssh

sed -i -e 's_oom never_#oom never_g' /etc/init/ssh.conf

Edit /etc/apt/sources.list, add these repositories (if you so desire).

deb http://us.archive.ubuntu.com/ubuntu/ lucid main universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ lucid-security main universe multiverse

Set a few aliases. This is optional, but I set these in /root/.bashrc .

alias ll="ls -l"
alias la="ls -A"
alias nano="nano -w"
alias cp="cp -i"
alias mv="mv -i"
alias rm="rm -i"

Set locale (adjust your language accordingly).

apt-get update
apt-get -y install language-pack-en
locale-gen en_US.UTF-8
/usr/sbin/update-locale LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8" LC_ALL="en_US.UTF-8" LC_CTYPE="C"

Next edit /etc/environment and define your environmental variables:

LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LC_CTYPE="C"

Package the template

I strongly suggest you use the “S15ssh_gen_host_keys” script to automatically generate a unique set of ssh host keys for each openvz template.

Run these commands in the TEMPLATE , not the host.

# clean your packages
apt-get clean
apt-get autoremove

#Generate a unique set of ssh (host) keys.
rm -f /etc/ssh/ssh_host_*

cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF

chmod a+x /etc/rc2.d/S15ssh_gen_host_keys

# disable some unnecessary boot scripts
update-rc.d -f ondemand remove

# Clear log files
> /etc/resolv.conf \
echo localhost > /etc/hostname \
> /var/log/messages; > /var/log/auth.log; > /var/log/kern.log; > /var/log/bootstrap.log; \
> /var/log/dpkg.log; > /var/log/syslog; > /var/log/daemon.log; > /var/log/apt/term.log; rm -f /var/log/*.0 /var/log/*.1

Exit the template.

exit

On the HOST stop the template and package.

vzctl set 777 --ipdel all --nameserver ' ' --save
vzctl stop 777

Package with tar

cd /vz/private/777
tar --numeric-owner -vzcf /vz/template/cache/ubuntu-10.04-i386-minimal.tar.gz .

Test the template

sudo vzctl create 888 --ostemplate ubuntu-10.04-i386-minimal
sudo vzctl set 888 --ipadd 192.168.0.88 --nameserver 192.168.0.1 --hostname ubuntu-minimal --save
sudo vzctl start 888

If all went well you should have a working Ubuntu template.

I am always looking for comments or feedback on my templates.

I will post Ubuntu 10.04 templates for others to download in the near future.

I cam across an interesting command – faillog

With faillog you can lock a user’s account after x number of failed log in attempts.

HOWEVER – it is not so straight forward – see man pam_tally

In order to enable this option you need to edit a few of the pam configuration files located in /etc/pam.d

What makes this confusing, as with sudo, THE ORDER OF RULES IS CRITICAL.

So, we can not just add a few lines at the bottom of the file, we need to add them in order

In particular, using any editor, open /etc/pam.d/common-auth and add the line AT THE TOP OF THE FILE:

auth required pam_tally.so per_user magic_root onerr=fail

Use the silent option if you do not want pam_tally to give error messages.

auth required pam_tally.so per_user magic_root onerr=fail silent

You may set the number of failed log in attempts and lock out time by either adding additional options to the above line or using faillog

sudo faillog -m 3

To unlock an account use

faillog -u login_name -r

Or set a time with the fail log command, the -l option sets the lock time.

faillog -m 3 -l 3600

Using faillog with ssh

Now to use this with ssh we need to also edit both /etc/pam.d/sshd and /etc/ssh/sshd_config

First, using any editor, open /etc/pam.d/sshd

Look for the line “@include common-auth” , we need to add auth required tam_tally.so per_user onerr=fail

auth required tam_tally.so per_user onerr=fail
@include common-auth

By adding this line before include common-auth we over ride the “magic_root” setting in common-auth.

Once a user is logged in, we need the magic_root option so that failed sudo attempts do not lock us out of root access. But because sshd runs as root, we need to over ride this option in /etc/pam.d/sshd – clear as mud ?

If it does not make sense, read the man pages, open a shell, and log in as root (so you do not loose root access), and test these options, see what happens when as your admin user you try sudo -i and ssh localhost.

Next, using any editor, open /etc/ssh/sshd_config

Change the “ChallengeResponseAuthentication no” to yes (in Ubuntu UsePAM yes was default).

ChallengeResponseAuthentication yes
UsePAM yes

If the pam_tally module locks your account, you will still be able to log in with ssh keys.

So it may be a good idea to make sure you have a working set of ssh keys before you enable this option ;)

I have been playing with psad and fwsnort as a NIDS tool. They are light weight and very capable tools and I highly recommend both of them.

I was going to post a blog about these tools, but it kept growing longer and longer and involved init scripts, selinux policies, and apparmor profiles.

Rather then spamming the Ubuntu planet with all the details, I made a web page.

Nids – psad & fwsnort

Sorry this blog is brief, but the above link will get you started using psad / fwsnort on Debian (squeeze) , Fedora 13 , or Ubuntu 10.04.

Feel free to post any feedback or comments here.

In this post I would like to share two tips I have found that greatly improve the performance of KVM guests. Both tips work with Linux guests, although only the second tip will work with windows or BSD guests.

With these tips you should notice an immediate improvement in performance including boot times, general performance, and responsiveness to inputs (mouse / keyboard).

Kernel option noop

With this tip we will use the kernel (boot) option elevator=noop to optimize your virtual hard drive I/O.

For a technical discussion of this option, see this link . If you want a more detailed discussion see this second link.

Grub 2

Using any editor, open /etc/default/grub

sudo -e /etc/default/grub

Look for the line :

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Add elevator=noop at the end of the line

GRUB_CMDLINE_LINUX_DEFAULT=”quiet splash elevator=noop”

Save your changes and exit your editor.

update grub

sudo update-grub

Reboot – One of the few times you will need to reboot.

Grub 1

With most distros you edit /boot/grub/menu.lst

Using any editor, open Using any editor, open /boot/grub/menu.lst

Look for the kopts line:

# kopt=root=/dev/sda1 ro

Just add this option to the end of the line.

# kopt=root=/dev/sda1 ro elevator=noop

Note: DO NOT remove the # in the front of the line !!!

Then update grub

sudo update-grub

Reboot – One of the few times you will need to reboot.

Fedora is an exception

Fedora is a bit odd about this. Fedora uses /boot/grub/grub.conf , and /boot/grub/menu.lst is a symbolic link to grub.conf .

Specify the noop kernel option at installation

You may specify grub options at installation : Fedora Wiki Installation Options

Adding the noop kernel option post installation

As far as I can see, this is a manual edit. You will need to manually edit the file /etc/grub/grub.conf and add elevator=noop to the end of the kernel line.

Fedora wiki boot options

Save your changes and reboot – One of the few times you will need to reboot.

Cache writeback option

Ibuclaw pointed this option out to me on IRC, and discusses in ibuclaw’s blog.

From man qemu :

By default, writethrough caching is used for all block device.
This means that the host page cache will be used to read and write
data but write notification will be sent to the guest only when the
data has been reported as written by the storage subsystem.

Writeback caching will report data writes as completed as soon as
the data is present in the host page cache. This is safe as long
as you trust your host. If your host crashes or loses power, then
the guest may experience data corruption. When using the -snapshot
option, writeback caching is used by default.

The host page can be avoided entirely with cache=none. This will
attempt to do disk IO directly to the guests memory. QEMU may
still perform an internal copy of the data.

Some block drivers perform badly with cache=writethrough, most
notably, qcow2. If performance is more important than correctness,
cache=writeback should be used with qcow2. By default, if no
explicit caching is specified for a qcow2 disk image,
cache=writeback will be used. For all other disk types,
cache=writethrough is the default.

So either using writethrough or disabling the cache will improve performance.

To use this option, rather then specifying a drive with -hda image.qcow we need to use the -drive option

kvm -m 512 -drive file=image.qcow,cache=writeback,media=disk

This option can be used with .iso as well ( note the media=cdrom )

kvm -m 512 -drive file=fedora.iso,cache=writeback,media=cdrom

Warning: Please note that in the event the host node crashes, data loss can result from this option.

KSM

This tip was added by morgan cox (see comments). KSM == Kernel SamePage Merging and was enabled by default on Fedora 12.

See This KVM page from the Arch Wiki.

For a more detailed description of KSM see IBM – Anatomy of Linux Kernel Shared Memory.