Re: [GLLUG] Multiple grub installs in xen guest
Hello, On Fri, Oct 11, 2019 at 06:21:43PM +0100, Tim Woodall via GLLUG wrote: > On Fri, 11 Oct 2019, Tim Woodall via GLLUG wrote: > The debian bootloader does the standard look for pvgrub in /boot/xen, > then /xen, and then fall back to /boot/grub/grub.cfg and then > /grub/grub.cfg using the search command. Yeah I have mine set to look for pvgrub and then grub.cfg and then menu.lst and then grub.conf, in /boot and / of every block device, but it would start at the first block device and stop as soon as it found a match, so I think it would do the same. There is probably a way to find all matches and present a menu, instead of stopping at the first one. All the memdisk is doing is building a grub config that chains to another grub binary or loads another valid grub config. Could maybe ask on the grub mailing list? I think it still would involve building a new grub binary though. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Multiple grub installs in xen guest
On Fri, 11 Oct 2019, Tim Woodall via GLLUG wrote: Does anyone know whether the default debian grub-xen stuff allows you to select the grub root? I have a bootable xen image that uses grub from /dev/xvda2. I also have one that uses grub from /dev/vg-mirror/boot. (the vg is inside the disk I export to the guest, not the vg of dom0) I want to be able to boot the former, but have the latter available to mount. But it is insistent that it will use the vg boot in favour of the raw ext3 one. I've tried extra="(xen/xvda2)" and extra="root=(xen/xvda2)" but neither seem to make a difference and it persists in using lvm/vg--mirror-boot. This weekend I'll have a look at the source for the grub-x86_64-xen.bin bootloader and tweak it if necessary but perhaps someone already knows how to do this? Looks like the extra parameter is completely ignored :-( There appears to be nothing in grub that is passed from xen. The debian bootloader does the standard look for pvgrub in /boot/xen, then /xen, and then fall back to /boot/grub/grub.cfg and then /grub/grub.cfg using the search command. I've built a trivial replacement for grub-x86_64-xen.bin that does the right thing for my particular case. Just a tiny tad annoying that there doesn't seem to be any other way to do this than build a specific file for each guest if there's more than one possible grub to boot. Tim. -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Multiple grub installs in xen guest
On Fri, 11 Oct 2019 at 14:28, Tim Woodall via GLLUG wrote: > > Does anyone know whether the default debian grub-xen stuff allows you to > select the grub root? > > I have a bootable xen image that uses grub from /dev/xvda2. I also have > one that uses grub from /dev/vg-mirror/boot. (the vg is inside the disk > I export to the guest, not the vg of dom0) > > I want to be able to boot the former, but have the latter available to > mount. But it is insistent that it will use the vg boot in favour of the > raw ext3 one. > I have not used xen in a long time so cannot help there. From my experience with grub, sometimes you have to manually configure what the possible boot devices are. But, have you considered Linux's own VM tech, using KVM and QEMU ? It has a nice option of loading the kernel before starting the VM, thus bypassing the need for grub entirely. virt-manager is an OK GUI to get going with it. There are also various web based tools to manage the VMs also. I have been playing with an AMD Vega GPU passthru on it recently, and fixed a QEMU bug on the way. AMD developers are very easy to get hold of when needed. Works very nicely, and stably now. Kind Regards James -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
[GLLUG] Multiple grub installs in xen guest
Does anyone know whether the default debian grub-xen stuff allows you to select the grub root? I have a bootable xen image that uses grub from /dev/xvda2. I also have one that uses grub from /dev/vg-mirror/boot. (the vg is inside the disk I export to the guest, not the vg of dom0) I want to be able to boot the former, but have the latter available to mount. But it is insistent that it will use the vg boot in favour of the raw ext3 one. I've tried extra="(xen/xvda2)" and extra="root=(xen/xvda2)" but neither seem to make a difference and it persists in using lvm/vg--mirror-boot. This weekend I'll have a look at the source for the grub-x86_64-xen.bin bootloader and tweak it if necessary but perhaps someone already knows how to do this? Tim. -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Bitfolk +1 from me. Great customer service also. I help admin a server hosted by bitfolk. James On Fri, 11 Oct 2019, 11:50 Alan Pope via GLLUG, wrote: > Hi Dr Alex, > > On Fri, 11 Oct 2019 at 10:22, Dr. Axel Stammler via GLLUG < > gllug@mailman.lug.org.uk> wrote: > >> Thank you very much for making me aware of all those options. I have >> started looking into several of them, which may obviously take a minute or >> two. OTOH, I feel rather disinclined to work with any but the smallest >> companies as large companies bring their own agenda which is usually quite >> different from mine. >> >> > I don't think I'm maligning them by saying this, but Bitfolk certainly > falls into the "smallest companies" bracket. Also, another +1 from me as a > long-term (~12 years) happy customer. > > >> I have once tried a virtual server, with some extremely pleasant and some >> not so pleasant results. If the GLLUG has a meeting at the beginning of >> next week, it might be best to just have a chat there. >> > > I have had no problems with bitfolk which weren't my own incompetence or a > system wide issue that was resolved and detailed fully by Andy. > > Cheers, > Al. > -- > GLLUG mailing list > GLLUG@mailman.lug.org.uk > https://mailman.lug.org.uk/mailman/listinfo/gllug -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Hi Dr Alex, On Fri, 11 Oct 2019 at 10:22, Dr. Axel Stammler via GLLUG < gllug@mailman.lug.org.uk> wrote: > Thank you very much for making me aware of all those options. I have > started looking into several of them, which may obviously take a minute or > two. OTOH, I feel rather disinclined to work with any but the smallest > companies as large companies bring their own agenda which is usually quite > different from mine. > > I don't think I'm maligning them by saying this, but Bitfolk certainly falls into the "smallest companies" bracket. Also, another +1 from me as a long-term (~12 years) happy customer. > I have once tried a virtual server, with some extremely pleasant and some > not so pleasant results. If the GLLUG has a meeting at the beginning of > next week, it might be best to just have a chat there. > I have had no problems with bitfolk which weren't my own incompetence or a system wide issue that was resolved and detailed fully by Andy. Cheers, Al. -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Thank you very much for making me aware of all those options. I have started looking into several of them, which may obviously take a minute or two. OTOH, I feel rather disinclined to work with any but the smallest companies as large companies bring their own agenda which is usually quite different from mine. I have once tried a virtual server, with some extremely pleasant and some not so pleasant results. If the GLLUG has a meeting at the beginning of next week, it might be best to just have a chat there. Moreover, I have unwisely already set up a tiny box to connect somewhere, so I feel a bit reluctant to give up on it. signature.asc Description: PGP signature -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
On Fri, Oct 11, 2019 at 08:54:29AM +, Andy Smith via GLLUG wrote: > Here is an example of doing it with the virtualisation stack called > KVM (not the remote access kind of KVM you mentioned): > > > https://blog.appsecco.com/breaking-full-disk-encryption-from-a-memory-dump-5a868c4fc81e Apologies, that example was with VirtualBox. I just did a quick search; the previous one I read was for KVM and so I thought that was it. The virt stack doesn't really matter though; in all cases the bare metal host can read guest memory. There are some CPU features coming which can encrypt memory though. I am not aware of these being deployed in any public provider yet. Cheers, Andy -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Hi Marco, On Fri, Oct 11, 2019 at 09:46:13AM +0100, Marco van Beek via GLLUG wrote: > On some VM offerings you get a remote KVM, which would allow you to get > "physical" console access, and then you could encrypt the whole OS and use > the KVM to enter the key on reboot. That should prevent anyone in the data > centre from using the disk image without your key. I don't think you read the entirety of the email you replied to, which is possibly not surprising as it was large. The hosting company can read guest memory to obtain the LUKS key. Here is an example of doing it with the virtualisation stack called KVM (not the remote access kind of KVM you mentioned): https://blog.appsecco.com/breaking-full-disk-encryption-from-a-memory-dump-5a868c4fc81e Disk encryption will not stop an attacker who has a dump of both your memory and your block device. It will however exclude most attackers, and even state attackers can be put off by the extra hassle. For example, as I mentioned, the UK security services have asked me for disk snapshots of customers but even me saying I required a court order made them go away in 100% of cases. For them to proceed to ask me for a memory dump as well, so that they could try to sift through it and find the LUKS keys, would presumably require the customer to be of very great interest to them. A bored and unethical hosting company employee may be more willing to expend effort. Either way, it's clearly possible. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Hi, On some VM offerings you get a remote KVM, which would allow you to get "physical" console access, and then you could encrypt the whole OS and use the KVM to enter the key on reboot. That should prevent anyone in the data centre from using the disk image without your key. Regards, Marco On 11/10/2019 09:19, Andy Smith via GLLUG wrote: You hint at not wanting to go the virtual server route because of concern for the safety of your data. I think that looking at it this way is a bit of a mistake; the correct response to concern over your data is to have good backups of your data. -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Server in London
Hi Axel, I run a hosting company that has already been mentioned in this thread, so there may be bias, but I will try to be objective. The main issues with colocation in your situation are: - It's overkill for your needs. You can't easily rent less than 1 rack unit (https://en.wikipedia.org/wiki/Rack_unit) but the amount of compute that you can fit into 1RU is immensely more than what you need based on your comments here. That makes it a waste of money and power. - It leaves you with some hardware whose life cycle you need to manage. That is, it can break, it will become obsolete after less than 10 years, so you've got to replace it or bits of it, which needs human interaction, which is expensive. - Maybe the physical management of pieces of computer hardware at a distance is a new skill you'll need to learn, which possibly won't be that useful for any other area of your life. You say that you need the hardware to be in London, but almost anywhere in Western Europe is only a few ms away from London, and even East coast USA is only 60–70ms (round trip time). I love London, I live in London, I run a hosting company based in London, but London is not necessarily always the best place to host servers in. It's expensive compared to a lot of other places, and Brexit may leave you in a difficult position with regard to the storage of personal data. So, first of all I would never recommend colo for your uses. You are too small a player for it to make sense. You should only do it if you need absolute control over the specification and ownership of the hardware, and possibly if you have some security objections to the other options. Renting the hardware from the hosting company will be a lot cheaper, gets around several of the issues above, and may be viable for what you want. This is called a "dedicated server". You could rent one in Germany from the likes of Hetzner, and that would be astoundingly cheap, and I expect it would work fine for you from anywhere in Western Europe. Hetzner has a bit of a spam problem so if you intend to send email to third parties then you may wish to rethink that one due to aggressive blocking. It may be tempting to go even cheaper and rent from the likes of OVH (probably have a location in London, certainly multiple in Europe). Unfortunately OVH have a huge spam problem that they don't appear to be bothered about, so this is anti-recommendation for OVH for any purpose, for this reason. If you don't care that they deliberately choose to not tackle their spammer problem, and you yourself don't need to send email, they will probably work out just fine for you. I know that Mythic Beasts is a good quality hosting company based in Cambridge but hosting out of London for a good while now. They'll sell you colo or dedicated servers or virtual servers but it won't be bargain basement. Virtual servers could be just what you need. You get full control of your OS, but you're sharing hardware and the hardware is someone else's problem. Good London-based virtual server providers include Mythic Beasts and Portfast. I'd have previously included Bytemark, but they were recently sold to iomart group. I have no personal experience of any of those, that's just what I've heard from others. Linode is a really big name in virtual servers and they have a datacentre in London. If they do what you want then they are a decent offering, but you will be one customer amongst millions so the customer service can sometimes be lacking. That is from personal experience as despite them being a competitor to me, I do use Linode for some out-of-UK things. Digital Ocean is also a big name in virtual servers and likewise have a London datacentre, I also have to give an anti-recommendation here though, as they too have a huge spammer problem that they have no interest in resolving. You hint at not wanting to go the virtual server route because of concern for the safety of your data. I think that looking at it this way is a bit of a mistake; the correct response to concern over your data is to have good backups of your data. If your data is on a physical machine that you own, it can still be stolen or destroyed. You can make an error, your software can make an error, the hosting company can make an error, it can all go up in flames. The hosting company can go bankrupt and leave you with no easy physical access to your property. That would get resolved eventually, but that would be small comfort in the intervening time. No, even with colo, you need good off-site backups. Treat that as an absolute requirement and then it influences your other choices. As far as security goes, there are some weaknesses with dedicated servers and with virtual servers. With dedicated servers, since it's not your hardware you don't know if it has some malicious gadget attached to it that allows someone to snoop on your data. Of course, technically you don't know if the hardware you buy off the shelf has that
