xgrr.de – the whole not the half

things, thoughts and stuff out of life, daily business and computer science


Virtualized Networks – Next Generation Networks [Update]

In professional environments, virtualization of servers and workstations enables us to evaluate operating systems and software packages in isolation and without great cost. But this is only the starting point of virtualization. As our current internet topology and software applications ask for integration – the Cloud is a good keyword here – we have to be able not only to virtualize physical PC hardware but also to provide network environments which are abstracted from our current internet.

This would enable network engineers, system administrators and of course scientists to easily develop new network infrastructures, test distributed deployments or invent new protocols on top of the network stack. A commercial virtualization technology for networks would have a huge impact on the way we currently build networks.

With the development of NGN (Next Generation Networks) this idea is being pushed by a select few, but until now it has not surfaced to the broad public.

Update: I did a bit of research on the topic. Nothing deep really, but I still found some interesting material:

I also found a lot of sites talking about network virtualization in connection with classic computer virtualization. This is only a part of what is meant. Network virtualization should be an end-to-end implementation with virtual nodes on the end points themselves, in the form of software or firmware on the NIC, and also on the nodes in between. It does not necessarily have to be linked to virtualized servers, although this would of course make a lot of sense.

Big, bigger, Vodafone datacenter!?

I really love this internship! Three weeks in the job and I had access to the datacenter of Vodafone D2, one of the Big Three in Germany. THE datacenter where almost every call is routed, every SMS is processed. This was just impressive. Unfortunately I’m not allowed to tell, otherwise they have to kill me ;)

noatime: Rocks like hell

For my new VMware environment I wanted to make the hard disks faster because they are the only thing which slows down the whole system. For the running virtual machines I enabled the “noatime” option for the ext3 partitions and put the ext3 journal in writeback mode, which speeds up things even more.

The important one was the noatime option, which turns off storing the access time every time a file is accessed. For a webserver with a gallery or a lot of static files, those updates are of course a huge performance hit.

Spamassassin 3.2.2 on Debian

The week before last I had to set up my mail server from scratch because I moved to a new server. This time I did not install Spamassassin from Debian's apt but simply via the CPAN shell. That way the whole thing compiles itself automatically. Unfortunately you then don't get any start-stop scripts like you are used to from Debian. No matter, I thought. I'll just run Spamassassin under daemontools, which drive my qmail anyway.

It was a good decision. In my opinion, performance and stability have improved. No problems with it so far. I also did a bit of tuning. Some rules for Spamassassin can be compiled via a certain plugin – that of course makes the whole thing even faster.

A (new) Spam technique?!

When I couldn’t sleep last night I had to think about my new mailserver installation and the load of measures I’ve taken to prevent my customers from getting spam and to keep anybody from relaying spam through my server. Then I realized that there might be the chance of a new method by which good spam-filter techniques could be used as a spam drone.

Get the situation: I’m John the bad spammer and want to deliver my mails to a lot of boxes around the world. I connect to a mailserver and deliver all my mails with a faked envelope. The to address has to contain a mailing list or something like that which bounces emails from people who are not listed, and the return address should be the person where the spam has to go. The mailserver (when configured to comply with the RFC) should send the bounce directly to the person who should receive the spam. This only works if the spam filter, like spamassassin, doesn’t act after the SMTP dialog has finished.

I didn’t try it but it could be exploited at some point. Due to the fact that there are many hosts which don’t send bounces anymore (in Germany some of the government servers have bounces off) or have the spam filter integrated in the SMTP dialog, which scans the mail while it is being delivered, it shouldn’t be a big problem. But it could…
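The two mitigations named above (no bounces, or filtering inside the SMTP dialog) can be compared with a small model of the receiving server. This is an added example, not code from the original post; the addresses, the policy names and the `handle` and `backscatter` functions are assumptions made for illustration.

```python
from dataclasses import dataclass

LIST_ADDRESS = "announce@lists.example.net"   # constructed
LIST_MEMBERS = {"member@example.org"}         # constructed

@dataclass
class Envelope:
    mail_from: str   # envelope sender; SMTP itself does not verify it
    rcpt_to: str
    is_spam: bool    # stand-in for a content filter verdict

def handle(env, policy):
    """Return (smtp_reply, bounce_recipients) for one message under a policy."""
    unlisted = env.rcpt_to == LIST_ADDRESS and env.mail_from not in LIST_MEMBERS
    if policy == "scan_in_dialog":
        # The verdict exists before the final reply to DATA: the connecting
        # client gets the 5xx and this server generates no bounce message.
        if env.is_spam or unlisted:
            return "550 5.7.1 rejected", []
        return "250 OK", []
    if policy == "no_bounces":
        # Message is accepted; failures are dropped without notification.
        return "250 OK", []
    if policy == "accept_then_bounce":
        # Message is accepted first; the list later bounces it to the
        # unverified envelope sender.
        return "250 OK", ([env.mail_from] if unlisted else [])
    raise ValueError(f"unknown policy: {policy}")

def backscatter(envelopes, policy):
    """Every address this server would send a bounce to under the policy."""
    hit = []
    for env in envelopes:
        _, bounces = handle(env, policy)
        hit.extend(bounces)
    return hit

# Constructed sample: two forged return paths and one genuine list member.
SAMPLE = [
    Envelope("victim1@example.com", LIST_ADDRESS, True),
    Envelope("victim2@example.com", LIST_ADDRESS, True),
    Envelope("member@example.org", LIST_ADDRESS, False),
]

if __name__ == "__main__":
    for p in ("accept_then_bounce", "scan_in_dialog", "no_bounces"):
        print(p, backscatter(SAMPLE, p))
```

Only the accept-then-bounce policy produces mail to addresses that never connected to the server; with the in-dialog policy the rejection stays with the connecting client.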

Making Apache2 even faster

When I built my new webserver I had to decide whether I was going to use lighttpd or apache2. I wanted to use lighttpd because in fact it is faster than apache2. But then I discovered that it doesn’t support the .htaccess files heavily used by my customers. So I had to throw away my flowery plans and use apache2 again. (Not that I’m really sad about it – the configuration was easy because I’ve been using it since… a long time ago :) )

But I figured there has to be something to make apache2 faster than it is out-of-the-box on a Debian Etch system. I wanted to use mod_fastcgi to link PHP and use mpm-worker for apache2, but due to a lack of time I failed. Later I discovered it was only a matter of permissions which prevented this. Due to mod-php5 I couldn’t use mpm-worker but had to use mpm-prefork, the slower variant.

With this in mind I thought “let’s check the apache2 docs and see if there is something we can do about this”. So I discovered the following directives, which can speed things up a little bit:

BufferedLogs On
EnableSendfile On
HostnameLookups Off

BufferedLogs is an experimental directive which keeps Apache2 from writing each log entry directly to disk; instead it keeps the entries in memory and writes them in batches. This should minimize the write overhead for each access, so the access itself is faster.
With EnableSendfile you tell apache2 to use the kernel's sendfile method for static files, so that apache2 does not have to read the file itself, which reduces the read overhead for static content.
HostnameLookups is off by default on Debian Etch. I don’t know how it is on other distributions. The directive keeps apache2 from doing a lookup for the visitor's IP. When your nameserver is slow or no hostname can be resolved, this could slow your system down incredibly. (In my experience 70% of all the problems with databases or webservers are DNS problems.)