Re: Shorewall and squid transparent proxy problem

2011-04-04 Thread Николай Федосов

Maybe iptables is better?



> Error 137 (net::ERR_NAME_RESOLUTION_FAILED): Unknown error.
>
> My /etc/shorewall/rules are set up with these ACCEPT and REDIRECT rules:
>
> #ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
> #                              PORT(S)  PORT(S)  DEST
> REDIRECT  loc     3128  tcp    www      -
> ACCEPT    $FW     net   tcp    www



REDIRECT DEST IMHO has to be an IP address, but you put the port number.
Is that correct for Shorewall?

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Shorewall and squid transparent proxy problem

2011-04-04 Thread Diego Xirinachs
Hi all, speaking of gateways and shorewall, I bumped into a problem today
with it. I have a 10.04 LTS server set up at a small office running shorewall
and squid. Clients are configured MANUALLY to use the proxy server, but now
I want to make this proxy transparent and let shorewall redirect the proxy
requests because I need to set up a VPN and the Cisco VPN client doesn't have
an option to manually input a proxy.

So I went ahead and configured my squid to be transparent and shorewall to
redirect the traffic to it. The only thing is, it doesn't work. If I remove
the proxy address from a client to test it, I get the following error (I use
the Chromium browser):

Error 137 (net::ERR_NAME_RESOLUTION_FAILED): Unknown error.

My /etc/shorewall/rules are set up with these ACCEPT and REDIRECT rules:

#ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                              PORT(S)  PORT(S)  DEST
REDIRECT  loc     3128  tcp    www      -

ACCEPT    $FW     net   tcp    www


I have also tried putting the ACCEPT rule first but it didn't work either.
Squid is installed on this same system and listening on port 3128.

In my squid.conf I'm pretty sure the ACLs are configured properly and I also
have this line:

always_direct allow localhost

That tells Squid to always send traffic from the firewall directly to the
internet.

If you need any more info please don't hesitate to ask. I'm really out of
ideas on this one; I think everything is set up correctly and have no idea
why it doesn't work.

thanks in advance
-- 
X1R1
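
The setup described in this post, as an added example (not code from the thread or from the Shorewall project): a small linter that reads a rules file in the column layout quoted above and reports which of three things a transparent Squid on the firewall relies on are not visible in it, namely the REDIRECT, the firewall's own outbound HTTP, and DNS for clients that no longer hand hostnames to an explicit proxy. The zone names, port 3128 and the sample rules come from the post; the function names are hypothetical, and a zone policy that already permits the traffic is outside what this check sees.

```python
# Added example, not from the thread: lint a Shorewall rules file for the
# rules a transparent Squid on the firewall relies on.
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")
HTTP_PORTS = {"www", "http", "80"}
DNS_PORTS = {"domain", "53"}

# Constructed sample: the two rules quoted in the post, columns restored.
SAMPLE = """\
#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
REDIRECT  loc     3128  tcp    www           -
ACCEPT    $FW     net   tcp    www
"""


def parse_rules(text):
    """Return one dict per rule; comments, blank and SECTION lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.lstrip("?").upper().startswith("SECTION"):
            continue
        fields = line.split()
        fields += ["-"] * (len(COLUMNS) - len(fields))  # omitted columns mean "-"
        rules.append(dict(zip(COLUMNS, fields)))
    return rules


def _zone(value):
    return value.split(":", 1)[0]  # "loc:192.168.1.0/24" -> "loc"


def _ports(rule):
    return set(rule["dport"].lower().split(","))


def check_transparent_proxy(rules, lan="loc", proxy_port="3128"):
    """Return a list of findings; an empty list means all three rules were seen."""
    findings = []
    if not any(r["action"] == "REDIRECT" and _zone(r["source"]) == lan
               and r["dest"] == proxy_port and r["proto"] == "tcp"
               and _ports(r) & HTTP_PORTS for r in rules):
        findings.append(f"REDIRECT: no tcp/www redirect from {lan} to port {proxy_port}")
    if not any(r["action"] == "ACCEPT" and r["source"] == "$FW"
               and _zone(r["dest"]) == "net" and r["proto"] == "tcp"
               and _ports(r) & HTTP_PORTS for r in rules):
        findings.append("FETCH: Squid on $FW is not allowed out to net on tcp/www")
    # With an explicit proxy the browser hands hostnames to Squid; once the
    # traffic is intercepted instead, every client resolves names itself.
    if not any(_zone(r["source"]) == lan and (
               r["action"] in ("DNS(ACCEPT)", "DNS/ACCEPT")
               or (r["action"] == "ACCEPT" and r["proto"] in ("udp", "tcp")
                   and _ports(r) & DNS_PORTS)) for r in rules):
        findings.append(f"DNS: no rule lets {lan} resolve names; check the policy file")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_proxy(parse_rules(SAMPLE)):
        print(finding)
```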

Re: Ubuntu Gateway

2011-04-04 Thread Николай Федосов

About hardware...
A standard desktop motherboard with VLAN support is enough
A standard Core 2 or AMD K10 processor with 2 cores is enough
2 standard SATA hard drives (for software RAID 1) are enough
A standard DDR2 memory kit of 1 or 2 GBytes is enough
A standard case is enough (400 W)

I think the cost of a standard non-19-inch server is $500 or less

04.04.2011 10:12, Michael Zoet wrote:


> In a simple office (one server, one internet connection, 10 clients) I
> use arno-iptables. In another network I have 3 firewalls managed with
> FWBuilder (protecting 75 servers reachable on the internet). What
> software you use depends on your demand. You already got some
> suggestions ;-).
> The firewalls do not have a high hardware demand. Normal 19" servers
> with 1 GB RAM or up and a good modern CPU do the job. But you should
> use good hardware! (I mean not the cheap one! Invest some money in
> the right hardware and you run your router for a long time!)




Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Michael Zoet

On Mon, 4.04.2011, 13:34, Soren Hansen wrote:
> 2011/4/4 Clint Byrum :
>> Maybe we should ask though. Adding Xen back in means less resources
>> for KVM, so the KVM users' opinions matter quite a bit.
>
> The very short version: I'm fine with Ubuntu getting Xen support again,
> but I don't think it needs to be in main.
>

I think most people here think the same. Xen does not need to be in main.
Xen is only needed if there is a demand for a feature Xen has and KVM does
not.

And most people will agree with everything else you wrote in your mail. I
have several KVM and Xen servers up and running and I think KVM will be (or
is, if you prefer ;-) ) the virtualisation technology for the future. But
sometimes an admin needs Xen for various reasons and then they get driven
away from Ubuntu for now. Something that is not so good for the wide
deployment of Ubuntu server.


Michael




[Oneiric-Topic] Tomcat 7

2011-04-04 Thread James Page
Hi All

Apache Tomcat 7 was released in January making the newer versions of the
Servlet (3.0) and JSP (2.2) specifications available; Ubuntu currently
supports Tomcat 6 in main.

It would be great to understand how widely this package is being used
and what the appetite to move to Tomcat 7 looks like. Targeting a
tomcat7 package at universe for Oneiric might make sense.

Cheers

James

-- 
James Page
Software Engineer, Ubuntu Server Team



Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Soren Hansen
2011/4/4 Clint Byrum :
> Maybe we should ask though. Adding Xen back in means less resources
> for KVM, so the KVM users' opinions matter quite a bit.

The very short version: I'm fine with Ubuntu getting Xen support again,
but I don't think it needs to be in main.

We chose KVM as our preferred, supported hypervisor a long time ago.
We've been telling people for years that it's what they should be using,
and lots of great effort has been put into the integration work. The
arguments against KVM were mostly about the hardware requirements, but
if we could live with that in 2007, I'd be surprised if we couldn't
today, since the percentage of server hardware that doesn't work with
KVM has severely declined.

Any decision will have supporters and opponents, and I firmly believe
that making a decision is the right thing to do. I believe there's a lot
of value (for everyone involved) in having firm answers to even tough
questions. Ubuntu, for instance, is a free operating system. No-one has
to ask over and over whether it's still free, because we've been very
clear from the beginning that that's how we roll. Similarly, you won't
find any closed-source applications on an Ubuntu CD. If you're wanting
to distribute closed source applications, don't bother asking if you can
put it on one of the Ubuntu CD's. No matter how popular your software
is, or how many people vote for it on a mailing list or on Ubuntu
Brainstorm, it's not going to happen. We're also not going to switch to
the FreeBSD kernel on a whim. Every decision we make defines us, whether
it's an additive or subtractive one. Every decision we fail to make,
weakens us.

When we chose KVM as our preferred hypervisor, it wasn't a decision to
use it in Hardy and revisit that decision every release following it
(that would have made it almost a non-decision). It wasn't a decision to
run this or that benchmark every 6 months, and whichever was in the lead
would be the preferred, supported hypervisor that we'd go out and
praise, and the rest would be deprecated until 6 months later when the
numbers would be slightly different.  We made the decision even though
KVM was still quite young, and none of the other major distros were
shipping it.  We made the decision to ship it, support it, stand behind
it, and help it grow.  Ubuntu's hypervisor was KVM.

I happily stand by that decision.

I believe KVM's design is superior.  KVM immediately benefits from
improvements made to the Linux kernel. If power management improves in
the Linux kernel, your KVM host's power management improves. If the
scheduler improves, KVM benefits. If memory management improves, KVM
benefits.

KVM is part of the Linux kernel, while Xen has its own kernel. I'm not
talking about the dom0, I'm talking about the Xen hypervisor on top of
which the dom0 and domU's run. This difference means that many
improvements in Linux need to be accommodated for or mimicked in Xen
before you get the benefits there[1]. To use KVM, you load a module that
turns your regular Linux kernel into a hypervisor. To run Xen, you boot
a completely different kernel on top of which you run a dom0. For the
most part, you don't see the difference, because distributors have put a
lot of work into making this change seamless, but effectively, you're
not running Linux anymore as your kernel. Anthony Liguori (one of the
KVM and QEmu developers) said it quite well[2]: "The whole situation is
somewhat absurd though. It's like if the distributions shipped a NetBSD
kernel automatically and switched to using it when you wanted to run a
LAMP stack." Linux is a fine hypervisor on its own. It may not be
perfect, but I'd prefer we focus on identifying and fixing those issues

If someone thinks Xen is sufficiently cool, I'd encourage them to put
some effort getting it into shape in Ubuntu. I don't think we should
divert any of the existing attention on kvm/libvirt/friends to Xen. I
don't think we can afford it.


[1]: This page on power management with Xen is a good example:
 http://wiki.xensource.com/xenwiki/xenpm

[2]: http://blog.codemonkey.ws/2008/05/truth-about-kvm-and-xen.html

-- 
Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/


Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Serge van Ginderachter
On 4 April 2011 13:08, Michael Zoet  wrote:

> > Maybe we should ask though. Adding Xen back in means less resources for
> > KVM, so the KVM users' opinions matter quite a bit.
>
> In my opinion asking "is some software better than another software" is
> the wrong approach. KVM has advantages over Xen and Xen has advantages
> over KVM. It depends on a lot of factors which is an appropriate solution
> for a given task. Sometimes KVM wins and sometimes Xen and sometimes
> VMware and so on.
>

Ack. +1

> KVM should not be degraded in favor of Xen. Never!
>

At least not in the current state of things. One of the major advantages of
KVM is its simplicity, and the fact it's in streamline Linux.
As I understood, in Debian as well as in Ubuntu, the problem with Xen was
keeping it supported in more recent kernels, and managing the whole thing.

> What SysAdmins need are options to choose from to fit the best in their
> networks. If Xen is available in the vanilla kernel a Xen kernel should be
> available. But never in favor of a good KVM support.
>

When Xen gets vanilla support for Dom0, it definitely could get some renewed
attention, and things need to be evaluated again.

> It is the same for MTAs: we have among postfix exim, sendmail, qmail and a
> lot of other MTAs in the package repository. One MTA might work better for
> a given situation than the others.




-- 
Met vriendelijke groet,
Serge van Ginderachter

Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Chuck Short
On Mon, 04 Apr 2011 02:40:25 -0700
Clint Byrum  wrote:

> Excerpts from Soren Hansen's message of Mon Apr 04 01:40:39 -0700
> 2011:
> > 2011/4/3 Clint Byrum :
> > > Excerpts from Clint Byrum's message of Fri Apr 01 16:51:04 -0700
> > > 2011:
> > >> Other than people already having familiarity with Xen, what is a
> > >> compelling reason to support it in favor of, or in addition to,
> > >> KVM?
> > > Not one person has stood up and said that KVM blows Xen away, or
> > > is even "better".
> > 
> > Um, no... because you didn't ask.
> > 
> 
> Fair enough.
> 
> Maybe we should ask though. Adding Xen back in means less resources
> for KVM, so the KVM users' opinions matter quite a bit.
> 

I totally disagree with this. Adding Xen back would take little effort
to do so. 

Regards
chuck



Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Serge van Ginderachter
On 4 April 2011 12:31, Soren Hansen  wrote:

> 2011/4/2 Serge van Ginderachter :
> > On 2 April 2011 16:58, Clint Byrum  wrote:
> >> Serge, would you mind elaborating on that? I'm looking for facts.
> >
> > I tested several virtualisation technologies last year.
>
> I'm terribly sorry, but this information is practically useless. There
>

Yes, I very well realise that. I only gave some general conclusions to give
an idea of what we were looking at.
I was only trying to slightly elaborate on the matter as an answer to an
earlier question on the list.

Unfortunately, the reports of those tests are private and not published, and
I'm not allowed to do that (don't ask), so I can't fully disclose them.


> are no version numbers, no information about configuration, about
> backing stores, disk image formats, cache settings, and very little
> about hardware, etc. I can't e.g. tell if your factor 8 drop in
> performance on Ubuntu for small writes is due to the virtual disk
> being backed by a qcow2 on ext4, for instance, and as such, I can't
> use the data (and much less the conclusions) for anything.
>
>

Yes, lots of things could be optimised, that's for sure. But the main aim of
the tests was primarily about comparing Xen and KVM, and as such, similar
setups (LVM backed disks, Virtio/HVM hardware, using the same startup
scripts on all platforms, ... ) and pretty much most default settings were
used. The VM images were all identical, Debian Lenny with ext3.

So, while different settings might not be fully optimized in those tests -
at the time we were pretty new with this stuff - we did make several tests
which could compare different platforms. And our conclusion to that was that
KVM in general was less performant than Xen.

That is the only point I wanted to make. Obviously, YMMV.

Also note that these conclusions don't stop me from still using Ubuntu+KVM
for lots of setups, but more because of ease of use than performance.

-- 
Met vriendelijke groet,
Serge van Ginderachter

Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Michael Zoet

On Mon, 4.04.2011, 11:40, Clint Byrum wrote:
> Excerpts from Soren Hansen's message of Mon Apr 04 01:40:39 -0700 2011:
>> 2011/4/3 Clint Byrum :
>> > Excerpts from Clint Byrum's message of Fri Apr 01 16:51:04 -0700 2011:
>> >> Other than people already having familiarity with Xen, what is a
>> >> compelling reason to support it in favor of, or in addition to, KVM?
>> > Not one person has stood up and said that KVM blows Xen away, or is even
>> > "better".
>>
>> Um, no... because you didn't ask.
>>
>
> Fair enough.
>
> Maybe we should ask though. Adding Xen back in means less resources for
> KVM, so the KVM users' opinions matter quite a bit.
>

In my opinion asking "is some software better than another software" is
the wrong approach. KVM has advantages over Xen and Xen has advantages
over KVM. It depends on a lot of factors which is an appropriate solution
for a given task. Sometimes KVM wins and sometimes Xen and sometimes
VMware and so on.

KVM should not be degraded in favor of Xen. Never!

What SysAdmins need are options to choose from to fit the best in their
networks. If Xen is available in the vanilla kernel a Xen kernel should be
available. But never in favor of a good KVM support.

It is the same for MTAs: we have among postfix exim, sendmail, qmail and a
lot of other MTAs in the package repository. One MTA might work better for
a given situation than the others.


Michael




Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Soren Hansen
2011/4/2 Serge van Ginderachter :
> On 2 April 2011 16:58, Clint Byrum  wrote:
>> Serge, would you mind elaborating on that? I'm looking for facts.
>
> I tested several virtualisation technologies last year.

I'm terribly sorry, but this information is practically useless. There
are no version numbers, no information about configuration, about
backing stores, disk image formats, cache settings, and very little
about hardware, etc. I can't e.g. tell if your factor 8 drop in
performance on Ubuntu for small writes is due to the virtual disk
being backed by a qcow2 on ext4, for instance, and as such, I can't
use the data (and much less the conclusions) for anything.

-- 
Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/


Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Clint Byrum
Excerpts from Soren Hansen's message of Mon Apr 04 01:40:39 -0700 2011:
> 2011/4/3 Clint Byrum :
> > Excerpts from Clint Byrum's message of Fri Apr 01 16:51:04 -0700 2011:
> >> Other than people already having familiarity with Xen, what is a
> >> compelling reason to support it in favor of, or in addition to, KVM?
> > Not one person has stood up and said that KVM blows Xen away, or is even
> > "better".
> 
> Um, no... because you didn't ask.
> 

Fair enough.

Maybe we should ask though. Adding Xen back in means less resources for
KVM, so the KVM users' opinions matter quite a bit.



Re: [Oneiric-Topic] Revisit Xen support

2011-04-04 Thread Soren Hansen
2011/4/3 Clint Byrum :
> Excerpts from Clint Byrum's message of Fri Apr 01 16:51:04 -0700 2011:
>> Other than people already having familiarity with Xen, what is a
>> compelling reason to support it in favor of, or in addition to, KVM?
> Not one person has stood up and said that KVM blows Xen away, or is even
> "better".

Um, no... because you didn't ask.

-- 
Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/


Re: Ubuntu Gateway

2011-04-04 Thread Michael Zoet

On 04.04.2011 08:31, Kaushal Shriyan wrote:



> Hi

> I have a 5 Mbps Internet Connection with 100 Users in office. I have
> already a shorewall running on 9.04. Since 9.04 is EOL I am planning
> to upgrade it to 10.04 LTS. Please suggest me the best practices of
> setting up gateway/firewall.

Since we do not know your network we can give you only generic advice.

It really depends what is also running on the firewall. If it is only
shorewall then an upgrade should run smoothly from 9.04 to 10.04. But
maybe you have to do the update to 9.10 first!

On the shell you can do it with the command

do-release-upgrade

The program takes you through the update process until you arrive on
10.04. I have done this several times since do-release-upgrade was
available.

If you have some complex software (things like LDAP) running on the
router, you should plan your update carefully. And inform your users
that you update! For such updates I take a weekend time, so the office
can work on Mondays ;-). And I always have a rescue plan if something
went wrong. But this heavily depends on the network and the software
used in it.



Michael