Re: [vserver] Hashify Questions

From: Ted Barnes <madogdevelopment_at_gmail.com>
Date: Wed 19 Feb 2014 - 11:57:19 GMT
Message-ID: <53049C1F.6020201@gmail.com>

Thanks Corey - what a great explanation - I so appreciate the time you
put into it. Very much appreciate the "fast tracking" help!

On 02/19/14 00:51, Corey Wright wrote:
> On Tue, 18 Feb 2014 14:00:04 -0500
> Ted Barnes <madogdevelopment@gmail.com> wrote:
>
>
>> Hi All:
>>
>> I'm starting to explore "hashify", and have a number of questions
>> (sorry, this is long but am hoping to gain a good understanding if
>> possible). If there is a link that answers these, please let me know
>> (the links I've found are short and I'm unsure if they are "current")?
>> I'm running Wheezy host and guests, with Mate on the guests. Thanks!
>>
> i'm running a wheezy host with a mix of past and present debian guests and
> have used hashify for years (going back several debian releases on the host).
>
>
>> 1) Hashify advantages
>>
>> Are the advantages of using hashified guests a) saving disk space and b)
>> performance (e.g., restarting a guest will be faster)?
>>
> hashifying guests saves disk (due to hard links) and memory (again, due to
> hard links).
>
> if you have multiple similar guests (eg wheezy), then there will be redundant
> files between them. wouldn't it be great if you could have each guest point
> to a single copy of the file (ie used disk space = size of file), instead of
> each guest having its own copy (ie used disk space = size of file * number
> of guests). that's what hashifying does for you.
>
> another benefit is that only one copy of files (ie text/code sections of
> executables and shared libraries) need to be loaded into memory, despite the
> same files being used in multiple guests. i have a guest for each web
> application with each of those guests running a supporting web server. if a
> single web server instance (running within a single guest) takes 50 MiB of
> memory, then that web server running in 10 guests will consume 500 MiB without
> hashifying, but only 50 MiB with hashifying. (okay, i admit that's an
> over-simplification as you have to account for each instance's data, stack,
> and heap, not just text/code sections, which won't be shared between
> instances and does consume memory based on number of guests.)
>
> hashifying is what keeps me on linux-vserver and off lxc.
>
> may i recommend you search the web for the following terms to deepen your
> understanding of hashifying by knowing the underlying principles.
> * "posix hard link"
> * "memory page text data copy on write"
>
>
>> 2) Set up steps - are these the "current" right ones to use? Does the
>> error I get matter?
>>
>> Per
>> "http://linux-vserver.org/Frequently_Asked_Questions#What_is_vhashify.3F",
>> I used the following steps.
>>
>> On Host:
>>
>> mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash
>> ln -s /vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/root
>>
>> On Guest:
>>
>> mkdir /etc/vservers/<vservername>/apps/vunify
>> vserver name-of-guest hashify
>>
> yes, those are the steps for both the host and the guest to enable hashifying
> based on my personal notes.
>
>
>> Note: when I run the hashify command, I get "Duplicate hash-dir entry
>> '00' found" which I do not believe prevents the hashify process from
>> completing, but should I worry about this message?
>>
> see q&a #5 of the vhashify mini faq [1] to help you identify and correct the
> problem.
>
> [1] http://linux-vserver.org/util-vserver:Vhashify#Mini_FAQ
>
>
>> 3) Cloning a hashified guest
>> - If I clone a hashified guest, should the cloning process go faster
>> than "regular" cloning, or should it be roughly the same?
>>
>> - Are the cloning commands the same (e.g., vserver vserver5 build -m
>> clone --hostname vserver5.mydomain.com --interface eth0:192.168.1.14/24
>> -- --source /vservers/vserver4)?
>>
>> - Once the cloning of a hashified guest is complete, is that clone
>> hashified? My take is "no" and I need to run the hashify command
>> against the new clone
>>
> i know nothing about cloning. i don't make many vserver guests, so when i do
> make one, i make it from scratch (ie "vserver <name> build -m debootstrap"),
> hashify, and restart.
>
>
>> - Is there a command to show if a guest is hashified or not?
>>
> ls -l /vservers/*/bin/bash
>
> if link count (ie second column between permissions and owner) is greater
> than 1, then they're hashified (unless /bin/bash is directly or indirectly
> excluded by configuration; see below).
>
>
>> - Is there an "undo" short of going in and deleting links? I'm not sure
>> why I'd want this, but was curious.
>>
> hashified files can be unlinked by copying the file, deleting the original,
> and renaming the copy back to the original (or writing the copy to the
> original and deleting the copy). that's a brute force method and there might
> be something smarter.
>
>
>> 4) If hashified guest were compromised...
>>
>> If a hashified guest were compromised with malware, and the attacker got
>> to root on the guest, would a reboot put the guest's system files back
>> in order? Or could the guest's hashified files still be compromised
>> (assuming the attacker had not seized control of the host)?
>>
> no. hashifying has nothing to do with file persistence within a guest.
>
> even though each guest's files are hard linked to other guests' files, the
> malware's damage would be contained to the compromised guest because of the
> copy-on-write semantics of hashified files. when a vserver's hashified file
> is written to, the kernel makes a copy of the file for that vserver and the
> write applies to that vserver's copy and not the hard link all other vservers
> are pointing to. note: this is a unique feature of linux-vserver and does
> not apply to hard links in general.
>
>
>> 5) I intend to put /home in one Logical Volume, and put "/everything
>> else" in another logical volume. I assume at the end of the day I only
>> want to hashify the "/everything else". Is that right? Given that the
>> "vserver guestname hashify" command appears to hashify the entire
>> vserver guest, is there a command alternative I could use?
>>
> "vserver <name> hashify" is configured by:
> * /usr/lib/util-vserver/defaults/vunify-exclude (or wherever your
> installation of util-vserver places that file)
> * /etc/vservers/<vserver>/apps/vunify/exclude
>
> i usually start with "cp
> -av /usr/lib/util-vserver/defaults/vunify-exclude /etc/vservers/<vserver>/apps/vunify/exclude"
> and then modify /etc/vservers/<vserver>/apps/vunify/exclude to suit my need.
>
> see q&a #4 of the vhashify mini faq [2] to help you understand the syntax of
> the exclude file.
>
> [2] http://linux-vserver.org/util-vserver:Vhashify#Mini_FAQ
>
>
>> 6) Updates
>>
>> My understanding is after updating each guest, I would need to
>> re-hashify them all - is that correct?
>>
> yes.
>
> i hashify my guests once a day automatically to alleviate me having to
> remember.
>
>
>> Again, apologize this is long - any help appreciated!
>>
> hth.
>
> corey
> --
> undefined@pobox.com
>
Received on Wed Feb 19 11:57:29 2014
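
The link-count check and the copy-and-rename "undo" from the message above, as an added example that is not part of the original mail or of util-vserver. It runs on constructed files in a temporary directory on an ordinary filesystem, so it shows plain hard-link behaviour (a write through one name is visible through the other), which is the case the linux-vserver copy-on-write handling described above is said to avoid; the function names and the guestA/guestB layout are assumptions.

```shell
#!/bin/sh
# Added example: constructed files stand in for two guests' trees.

# Hard-link count of a file (the second column of `ls -l`); GNU stat assumed.
link_count() {
    stat -c %h "$1"
}

# Regular files under DIR with link count > 1, printed as "shared/total".
shared_summary() {
    total=$(find "$1" -xdev -type f | wc -l)
    shared=$(find "$1" -xdev -type f -links +1 | wc -l)
    echo "$((shared))/$((total))"
}

# Brute-force unlink: copy the file, then rename the copy over the original
# name (rename replaces the directory entry, so the old link is dropped).
unlink_copy() {
    cp -p "$1" "$1.unhash.$$" && mv -f "$1.unhash.$$" "$1"
}

# Constructed demo: guestA/bin/tool and guestB/bin/tool share one inode.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/guestA/bin" "$d/guestB/bin"
    echo original > "$d/guestA/bin/tool"
    ln "$d/guestA/bin/tool" "$d/guestB/bin/tool"
    echo private > "$d/guestA/bin/notes"
    before=$(shared_summary "$d/guestA")

    # Plain hard link, no copy-on-write: guestB sees guestA's write.
    echo changed > "$d/guestA/bin/tool"
    seen_by_b=$(cat "$d/guestB/bin/tool")

    # After unlinking, guestB's write no longer reaches guestA.
    unlink_copy "$d/guestB/bin/tool"
    echo restored > "$d/guestB/bin/tool"
    seen_by_a=$(cat "$d/guestA/bin/tool")
    after=$(link_count "$d/guestA/bin/tool")

    rm -rf "$d"
    echo "$before $seen_by_b $seen_by_a $after"
}

demo
```

Pointing `shared_summary` at a real guest root (for example a directory under /vservers) gives a broader picture than checking /bin/bash alone, since a single file may be covered by the exclude list.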

Generated on Wed 19 Feb 2014 - 11:57:29 GMT by hypermail 2.1.8