Day: November 21, 2006

Today’s fascinating discovery

I’ve mentioned already that I put a system on a local rack, and in order to cut costs I divided it up into three sections using Xen. Well, I had this annoying little problem that the “domU” (user domains – ie. the shares) weren’t able to use iptables. So I’ve gone back to the drawing board by slapping a couple of drives I have kicking around into my Windows box and trying various experiments.

First, I went back to the “step-by-step” how-tos that I’ve been using so far. They’ve updated it for Xen 3.0.3 (I actually installed Xen 3.0.2 using a how-to written for 3.0.1). So I ran through it – no joy. The domU boots, but mounts the ext3 file system as ext2 and won’t do iptables.

Tried again with their instructions on how to compile a kernel, except the instructions say to compile in iptables support, but don’t tell you how to compile in appropriate device driver support so I ended up with no network in my dom0 (the controller domain).

Then I found another “how-to”, this based on the fact that Xen is in the Debian “sid” (aka “unstable”) branch. Updated the test machine to “sid”, then went through the how-to. Initially, couldn’t get xend to start up, but then it turns out that I’d installed xen-hypervisor-3.0-unstable instead of xen-hypervisor-3.0.3. Got that installed, got the domU up and running, but DAMMIT, still the same problem. When I tried to do an “iptables -L”, it would tell me that “QM_MODULES: Function not supported”. Same if I did a “depmod -a” or “lsmod”.

While I was working this angle, I discovered that the Debian Backports project had backported Xen to “sarge”. Hmmm, I thought, if this works out I’ll have to try the Backport to see if I can do this on the rack with minimal hassle and without having to run “unstable” on a “production” server.

That’s when I discovered something interesting – modutils is old, and if you’re going to be using 2.6+ kernels only, people recommend you install module-init-tools instead. Since I’ve been installing Debian “sarge” (aka “stable”) in the domUs, and “sarge” is designed to support 2.4 and 2.6 kernels, it installs modutils instead. I installed module-init-tools, and suddenly everything worked.

Hey, I thought, maybe I don’t have to go through all this pain. I went to my real xen system, installed module-init-tools on the domU, and everything works! No need to go for the Backport. Maybe I will later, but for now I’ve got what I want, and I can install ssh-blacklist on my domU.

Email I just sent

Note: presidents.office is the President’s Office, yup.email.news is the Yale University Press, customer.care is their Customer Care contact email, and opa is the Office of Public Affairs


To: presidents.office@yale.edu
Cc: yup.email.news@yale.edu, customer.care@triliteral.org, opa@yale.edu
Subject: I'm sorry I'm going to have to do this...


The Yale University Press has taken to sending out "spam" (unsolicited commercial email) to email addresses trawled from web sites - I know because they hit addresses that never would have been used for conducting a business relationship. That behaviour is unconscionable. I have no alternative but to block all email from yale.edu to the domains under my control unless and until you cease this practice.


I'm sorry if that makes it harder for you to contact potential and current students, alumni and benefactors, but you should have thought about that before you decided to put the burden for your advertising budget on me and thousands of systems administrator like me instead of yourselves.