Feb 02 2014

Migrating from KVM to LXC

Category: LinuxTuxevara @ 18:58

After I had to replace the mainboard of my HTPC, on which also two other virtual machines were running on KVM, the kvm_amd module crashed on every boot on the replacement hardware. Though KVM still worked, I don’t like to see any modules crashing on boot. I began asking myself whether I really need full KVM virtualization or if some kind of container based virtualization would do a good or even better job for me.

After reading into the pros and cons of different solutions, I concluded that LinuX Containers (LXC) should probably first choice for me. As the HTPC is running on Ubuntu 12.04, which also has Apparmor profiles that enhance the security of LXC’s weak security concept, I actually decided to continue with LXC.

I don’t want to explain how to install LXC, because this is already covered by many other sites. The only thing that I found which is not covered well enough, is the conversion of machines from KVM (or similar) to LXC. In my case the KVM guests where using RAW disk images, so I am exclusively focusing on converting such below.

Step 1 – Prepare the rootfs folder

First, the new target folder for the root file system of the LXC guest must be created.

mkdir -p /var/lib/lxc//rootfs

Step 2 – Mount the RAW image

Then the RAW disk image must be mounted to access the files. In my case the disk contained only one partition. Modify the mount command may be necessary.

kpartx -a
mount /dev/mapper/loop0p1 /mnt

Step 3 – Copy files to rootfs

Now that the content of the RAW image can be accessed, the files can be copied into the new rootfs folder created in step 1. I have been using the below command for years, to create more or less exact copies:

cd /mnt
find . -xdev | cpio -pmv /var/lib/lxc//rootfs

Step 4 – Modify the configuration

Now comes the trickiest part: The configuration of the new machine must be modified, otherwise it is unlikely that it will boot successfully. Most required changes can be extracted from the template files in /usr/lib/lxc/templates/, which are typically used for the creation of new machines. Below are the modification for Debian machines, which worked perfectly well for Debian Lenny (shame in me) and Squeeze.


cat < $rootfs/etc/inittab
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux

mkdir -p $rootfs/selinux
echo 0 > $rootfs/selinux/enforce

mknod $rootfs/dev/tty1 c 4 1
mknod $rootfs/dev/tty2 c 4 2
mknod $rootfs/dev/tty3 c 4 3
mknod $rootfs/dev/tty4 c 4 4

# reconfigure some services

locale="$LANG $(echo $LANG | cut -d. -f2)"
chroot $rootfs echo "locales locales/default_environment_locale select $LANG" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/default_environment_locale seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/locales_to_be_generated seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs sed -i -e "0,/^[# ]*$locale *$/ s/^[# ]*$locale *$/$locale/" /etc/locale.gen
chroot $rootfs sh -c "LANG=C dpkg-reconfigure locales -f noninteractive"

# remove pointless services in a container
chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh remove # S
chroot $rootfs /usr/sbin/update-rc.d checkroot.sh stop 09 S .

chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountfs start 09 0 6 .

chroot $rootfs /usr/sbin/update-rc.d -f umountroot remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountroot start 10 0 6 .

# The following initscripts don't provide an empty start or stop block.
# To prevent them being enabled on upgrades, we leave a start link on
# runlevel 3.
chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove # S 0 6
chroot $rootfs /usr/sbin/update-rc.d hwclock.sh start 10 3 .

chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove # S
chroot $rootfs /usr/sbin/update-rc.d hwclockfirst start 08 3 .

chroot $rootfs /usr/sbin/update-rc.d -f module-init-tools remove # S
chroot $rootfs /usr/sbin/update-rc.d module-init-tools start 10 3 .

rm $rootfs/etc/udev/rules.d/70-persistent-net.rules

Step 5 – Create LXC config

Finally we have to create a LXC configuration file for the new machine. Lazy as I am, I have copied an existing config file into /var/lib/lxc// and modified the paths and network configuration accordingly.

After that the machine can be started with

lxc-start -n

Keep in mind that you won’t be able to detach from that console again. But to debug boot problems it is essential to not launch the machine in background mode (-d).

Tags: , , ,


Dec 13 2013

Vdr-sxfe audio output issues over and over again

Category: Computer,LinuxTuxevara @ 20:53

And after fixing them for the hundredth time in the last ten years, I finally decided to write down what I seem to always forget. Isn’t this what tech blogs are for?!

So what was happening this time: After some years without any major issues, our media center PC decided to reboot in circles, which turned out to be caused be a defective motherboard. After replacing it with the one from my gaming PC everything worked fine, except that I had to use the onboard graphics card as the passive cooler of the former PC-Express graphics card wouldn’t allow me to use the DVB-S card in the upper PCI slot.

In my vdr-sxfe startup script I’ve set the audio parameter to alsa:plug:'hdmi:CARD=NVidia,DEV=0'. But the only results I get is either no sound at all or vdr-sxfe restarting every few seconds. At some point I managed to set the audio channel in VDR to stereo instead of AC3. Guess what happened? Immediately vdr-sxfe stopped restarting and sound was coming from the left and right speakers.

Conclusion: Something must be terribly wrong with the AC3 passthrough. But what? And who controls which device is used for the AC3 passthrough? I know that I should have asked myself this questions earlier, but trial and error worked perfectly well in the past ;)

After trying to remember which files I modified several times before to optimize vdr-sxfe audio and video output, I came to the point where I felt certain that the whole magic must only happen in ~/.xine/config_xineliboutput. As vdr-sxfe is based on Xine this seems to make sense.

Some tests later it was proven, that the audio parameter of vdr-sxfe never affects the value of audio.device.alsa_passthrough_device in the config file.

So the solution to my AC3 passthrough problem is setting the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia,DEV=0'.

Today the new PCI-Express graphics card arrived and all I had to do is changing the vdr-sxfe audio parameter and the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia_1,DEV=0'.

For the sake of completeness, here are all non-default values from my ~/.xine/config_xineliboutput

audio.output.speaker_arrangement:Pass Through

Tags: , , , , ,


Nov 21 2013

Sophos UTM 9.1 Changlog Fun

Category: Computer,FunTuxevara @ 22:47

While reading through Sophos’ UTM 9.2 Beta overview is stumbled across the following:


Thumbs up, guys! Though I’m more the LOTRO kind of MMORPG player I love your sense of humor.

Looking forward to the release.


Nov 11 2013

FOTD: Windows driven water dispenser

Category: ComputerTuxevara @ 19:36

Let’s call it Fail Of The Day! I am just back from the the gym and here is what happened while checking out at the counter: The boss was typing with a pen on the water dispenser’s touch screen as the normal touch screen interface obviously crashed. Of cause this attracted by immediate interest and I went over to him to figure out what operating system is running on that device. And now comes the part which really hurts: IT’S WINDtOWS, W-I-N-D-O-W-S!!! Get down everybody and search for cover, we are doomed! The human race has really made it this far: We are building water dispensers driven by a too insecure, probably never receiving patches, unstable operating system.

Not that I would feel much more comfortable with any other operating systems on water dispensers, but at least you could strip down Linux so far, that nearly no services are running and use framebuffer output instead of a X-Sserver which would minimize any attack vector nearly to zero.

But hey, if that is the way we let technology take control over our lives…


Nov 11 2013

Open Rhein Ruhr 2013

Category: Allgemein,Computer,LinuxTuxevara @ 14:50

Wieder ist ein spannendes Open Rhein Ruhr Wochenende vorueber. Fuer mich war es diesmal etwas Besonderes, da ich nicht als Helfer sondern als Orga dabei und auf der Veranstaltung fuer das Netzwerk verantwortlich war. Ausser zwei nicht so ganz sauberen DSL-Leitungen gab es jedoch keine groesseren Probleme, weshalb mir genug Zeit blieb mich unter die Besucher zu mischen und interessante Gespraeche an den Staenden zu fuehren.

ORR Social Event

Auch das Social Event war wie in der Vergangenheit eine tolle Sache, nicht zuletzt wegen der Location.

Was mich aber wirklich jedesmal auf solchen Linux und Open Source Events begeistert, ist der Umgang miteinander. Es fuehlt sich eigentlich immer so an, ob als ob es kein oben oder unten gibt, kein gut oder schlecht gibt und jeder ist in irgendeiner Weise Anbieter und Konsument zugleich. Alle packen mit an wo Haende gebraucht werden. Ich hoffe, dass mich mein Eindruck nicht taeuscht und dass all diese Menschen im Alltag genau so einen offenen Umgang miteinander pflegen.

Mein besonderer Dank gilt natuerlich allen Helfern und vor allem den Freifunkern, welche durch Bereitstellen von weiterer Hardware sowohl das ORR eigene WLAN verbessert haben, als auch zusaetzlich noch Ihr eigenes Freifunk Mesh bereitgestellt haben.

Bis zum naechsten Jahr,wenn es wieder heisst: “Ein Pott voll Software”.

Tags: , ,


Oct 31 2013

Setting IMAP INTERNALDATE to header date

Category: Computer,LinuxTuxevara @ 11:02

While setting up a self refilling test mail server, I came across the problem that I need other IMAP INTERNALDATEs (aka arrival date) than the create/modify time of the email file.
As my email generator script creates random dates for the email headers that are between 10 years back and today, it would make perfect sense to also use them as the arrival date of the message.

Five minutes later the following little script was finished, which I think could be pretty useful for anyone who has to update the arrival date in his IMAP server that uses Maildir format or similar. This could for instance become quite handy after an email migration where the IMAP INTERNALDATE could not be retained.


for FILE in `find $1 -type f`
    DATE=`grep "Date" $FILE | cut -d ":" -f 2- | sed -e 's/^ *//g' -e 's/ *$//g'`
    if [ -n "$DATE" ]
        echo "Setting modified time of \"$FILE\" to \"$DATE\"."
        touch -c $FILE --date="$DATE"
        echo "No date found in \"$FILE\"."

Tags: , , ,


Jul 04 2013

NRPE on Centos or RHEL6

Category: LinuxTuxevara @ 16:52

If you are running NRPE on Centos or RHEL 6 and wonder why check commands that are prepended with a sudo command always fail: remove the “requiretty” option from your /etc/sudoers and everything will work fine again. It’s a shame that it takes strace to get the initial error message our of nrpe-server.

Tags: , , , ,


Jun 04 2013

Windows 8 really sucks hard

Category: ComputerTuxevara @ 16:55

I had the chance to spend some time playing around with Windows 8 for couple of hours today. And shall I tell you something: It sucks even harder than I ever thought it would after catching just quick glimpses in the last months. The whole language and keyboard logic looks completely broken to me. I ended up in so many annoying situations that I stopped counting after a while. How about user management? Using the new shiny interface enforces the creation of a hotmail.com, outlook.com or live.com account. Sorry guys, don’t need and want that. Especially not when only setting up a test machine. At least using the old Computer Management tool allowed me to get past that step.

I still think the usability of the new interface is horrible with keyboard and mouse. It’s getting even worse when connecting to such a machine through VMWare or RDP, where the mouse isn’t trapped inside the window. It’s mostly the same reasons for which I blame Ubuntu’s Unity that I dislike about the new Windows 8 UI.

Tags: ,


Mar 17 2013

Bitte nochmal zurueck auf Los

Category: Computer,HardwareTuxevara @ 13:40

Wann hat die IT-Branche eigentlich diese unglaublich dumme Entscheidung getroffen, dass jede Soft- und Hardware immer wieder zu Hause anrufen muss um ggf. irgendetwas nachzuladen? Leute, das ist nicht sicher! Zumindest ist mir kein Fall bekannt, bei dem wirklich mal alle Sicherheitsexperten gesagt haben: Jo, so geht’s richtig.

Huwai Hardware steht ja eh im Ruf ein moegliches Einfalltor fuer chinesische Hacker zu sein. Da ist das worueber Heise berichtet ja schon fast zu offensichtlich schlampig. Mit der Aussage “.., dass sie (Huawai Vertreter) davon ausgingen, dass der Update-Server fachgerecht gesichert sei.” (I LOLED!) wird fuer mich nur noch einmal untermauert, wie gering das Gespuer fuer das moegliche Angriffspotential in solch einem Setup ist.

Ach ja noch was: Standardmaessig web-based Provisioning von VoIP-Telefonen anhand der MAC-Adresse zu machen, so wie es SNOM anscheinend tut, ist auch eine saudumme Idee. Hab vor zwei Wochen viel Spass mit einem neuen SNOM-Telefon gehabt, fuer welches es aus unbekanntem Grund schon eine Konfiguration auf dem Provisioning-System gab.


Mar 16 2013

My new RSS reader

Category: Android,Computer,LinuxTuxevara @ 16:49

Unnecessary to tell, that I am one of the million Google reader users that is very disappointed about Google’s announcement to shut down Google Reader in a few months. Recalling WHY I love Google reader, it turns out that it’s mainly for one reason: synchronization. I’m used to access an always in-sync list of my feeds from my phone, tablet, laptop or home/work desktop computers. I remember that I tried TTRSS back in the days where I was naively thinking I could live without all the Google services that are so addictive.

After checking Google Play for a TTRSS app and getting a positive response – the TTRSS developer offers an app himself – this seems to become really satisfying. Having some free time today between talks at the Chemnitzer Linux Days, I re-installed TTRSS on my webserver to see if that’s still an option. And let me tell you: IT IS!!!

Installation is smooth if you read the config.php file carefully. I missed that the database server was set ‘pgsql’ by default, which cost me a few minutes wondering about an empty page and no error messages in the logs. After creating a new user and importing my RSS subscriptions exported via Google Takeout I installed the Android app as well. I have to say that to me, the TTRSS app looks even better than Google Reader. BTW: The app is a seven day trial and the unlock costs 1.59 EUR. I think think it’s a fair price for such a good app (Have seen lots of crappy ones for more).

In case I change my mind about TTRSS, I’ll let you know.

UPDATE: Installed the app on my Galaxy Tab 10.1N. It’s awesome!

Tags: , ,


Next Page »