Difference between revisions of "Xen customer information"
(→NTP: Jump's NTP servers)
m (→SpamAssassin: Redundancy)
|Line 25:||Line 25:|
There [[Wikipedia:SpamAssassin|SpamAssassin]] spamd on <tt>18.104.22.168</tt> which you can connect to with spamc or other spamd clients. You will not be able to influence the settings of this spamd, but you may find it useful as running your own spamd tends to eat up a lot of RAM.
Revision as of 13:45, 8 December 2006
This article provides some useful information for customers of Strugglers Xen virtual machine hosting.
- 1 Network settings
- 2 Nameservers
- 3 Shared resources
- 4 Other services
- 5 Referral scheme
- 6 Frequently asked questions
- 6.1 General
- 6.1.1 Are my bandwidth limits outbound or inbound or both?
- 6.1.2 Does my local traffic get counted towards my allowance?
- 6.1.3 Why do my Cacti bandwidth graphs seem to be backwards (i.e. inbound traffic shows as outbound and vice versa)?
- 6.1.4 Why is my Cacti graph empty and the figures read "nan"?
- 6.1.5 Do I need to synchronise my clock like I would on a normal server?
- 6.1.6 Is 64MiB of RAM really enough to do anything useful?
- 6.1.7 IPv6! How do I get that working?
- 6.1.8 Can/should I run my own firewall?
- 6.1.9 Why don't I see a change in my VPS's RAM when I reboot like you told me to?
- 6.2 General Linux
- 6.3 Debian-specific
- 6.1 General
If hosted on curacao or islay your settings should be as follows:
- Address: 212.13.198.x
- Gateway: 22.214.171.124
- Netmask: 255.255.255.192
In CIDR notation the network is 126.96.36.199/26.
You can run your own nameserver, but a resolver is supplied. See Shared resources.
There are recursive DNS servers on 188.8.131.52 and 184.108.40.206. If you aren't running your own nameserver then you can use this IP in your /etc/resolv.conf. If you are, then you can use this IP as a forwarder.
There are publically-available NTP servers on ntp0.strugglers.net and ntp1.strugglers.net. They only use nearby public servers themselves, but using these servers will reduce load on public servers, save you bandwidth and ensure some redundancy. My upstream also has NTP servers for customer use, at ntp-sup-tfm1.jump.net.uk and ntp-sup-tfm4.jump.net.uk.
See the Debian-specific section of the FAQ, below.
There are SpamAssassin spamd servers running on both 220.127.116.11 and 18.104.22.168 which you can connect to with spamc or other spamd clients; the hostname spamd.strugglers.net also resolves to both addresses. You will not be able to influence the settings of this spamd, but you may find it useful as running your own spamd tends to eat up a lot of RAM.
If you're a VPS customer then I am happy to provide a free DNS secondary service provided your DNS traffic is "reasonable" (below several hundred thousand requests per month).
Either you can run your own DNS server and my servers will do zone transfers from it, or else you can just maintain bind-format zone files in your VPS which I will rsync every 15 minutes or so.
I currently have 5 DNS servers; London, Southampton, Boston, Philadelphia and San Jose. I have sole use of the ones in London and Boston whereas the other three are part of a DNS collective.
Please see Setting up secondary DNS for more information.
Backup mail MX
If your primary MX is hosted by me then I am happy to offer a backup MX in the US, with antispam and antivirus setup. This will be free of charge provided you do not receive hundreds of thousands of emails per month.
Bear in mind however that you will not be able to affect the antispam or antivirus settings of this mail server.
6 times daily incremental rsync backups to a local server (in same facility but different hardware, no bandwidth charge) are available for free. You will need to dedicate some of your normal disk space to this, or else purchase more disk space.
Please note that no guarantees are made of the integrity or availability of backups made; they are provided on a best-effort basis.
You will need to allow SSH access to your domain from email@example.com, by adding the rsnapshot SSH public key to your root user's .ssh/authorized_keys file. Please note that this file is PGP signed by key ID 0xBF15490B and the only line from the file that you should use is the one that starts with 'ssh-dss'. If you wish you can restrict this key's command to rsync.
Once you have installed this command, please contact Andy with a list of the paths you want backed up, starting from the root of your filesystem, plus any directories within those that you want excluded. e.g. "Please back up /data except for /data/www/logs."
Backups will then take place every four hours. You will not be charged for the bandwidth this uses, although it will show up on your Cacti graphs.
A similar backup service is available with the data being stored outside the hosting facility. This is available for a small charge, and it will use chargeable bandwidth; please contact Andy for a quote.
A Nagios instance is available to monitor most normal services you run and alert you via email if they become unavailable.
Please note that no guarantees are made of the accuracy of this service; if you have anything critical you may wish to monitor it yourself!
Please contact Andy with the details of any service you would like monitored.
There is a referral scheme in operation to encourage you to bring in new customers. Make sure to get them to quote your VPS name when they make their first payment.
Frequently asked questions
Are my bandwidth limits outbound or inbound or both?
Currently since there is an excess of inbound bandwidth, you can have twice as much inbound as outbound. e.g. if your plan allows 50GB data transfer then this corresponds to 50GB out (people downloading from your domain) and 100GB in (people uploading to your domain). Excess data transfer is still charged the same.
Does my local traffic get counted towards my allowance?
No. Only traffic destined for or coming from outside of 22.214.171.124/26 will be counted. This is great incentive for you to make use of the shared resources on offer such as an APT cache and recursive DNS.
Why do my Cacti bandwidth graphs seem to be backwards (i.e. inbound traffic shows as outbound and vice versa)?
The graphs are plotted from the point of view of the host machine where each Xen domain has a network interface going to it. Therefore traffic going to your server is going out from the host, and data coming from your server is coming in to the host.
Just reverse the directions if you want to think about from the point of view of your own server.
Why is my Cacti graph empty and the figures read "nan"?
"nan" stands for "not a number" i.e. "no results". If your domain has only just been provisioned then this is completely normal - 3 readings are necessary to draw the initial graph, and as readings are done every 5 minutes the daily graph will remain empty for at least the first 15 minutes.
The weekly, monthly and yearly graphs are built from the daily one and will stay empty until the daily graph has the required amount of data: 30 minutes, 2 hours and one day respectively.
If your domain has been in use for some time and the graphs are empty then there is possibly a problem; please contact Andy.
Do I need to synchronise my clock like I would on a normal server?
Yes. In theory each domain's clock is supposed to be locked to that of the real host but in practice this seems not to be very reliable. Therefore you should arrange for the following to be executed at each boot:
# echo 1 > /proc/sys/xen/independent_wallclock
and then set up some means of keeping your clock in sync, such as NTP.
I recommend using at least the following NTP servers:
ntp0.strugglers.net ntp1.strugglers.net 0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org
Is 64MiB of RAM really enough to do anything useful?
Sure. It's not a great deal, but it's not like trying to run an entire machine in 64MiB either. A Xen user domain kernel is very stripped-down and you probably don't need to run many daemons.
Here's some top output from one of my own user domains which at the time had 128MiB RAM. It's the one hosting this web site, and it runs Apache 2 with PHP, Exim 4 and BIND 9:
top - 05:28:03 up 12 days, 14:07, 3 users, load average: 0.01, 0.01, 0.00 Tasks: 57 total, 2 running, 52 sleeping, 3 stopped, 0 zombie Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si Mem: 126388k total, 122148k used, 4240k free, 27288k buffers Swap: 262136k total, 4k used, 262132k free, 62016k cached
Note that a large amount of memory is being used for buffer and disk cache anyway.
If you find you're running out then you can purchase more RAM and it will be quickly provisioned.
IPv6! How do I get that working?
It probably will "just work". Bring up a network interface that is configured to listen to router advertisements and it should get an IPv6 address based on the MAC address of the interface. On linux domains that happens automatically when eth0 comes up.
Some hosts to talk to to see if it works:
$ ping6 noc.sixxs.net PING noc.sixxs.net(noc.sixxs.net) 56 data bytes 64 bytes from noc.sixxs.net: icmp_seq=1 ttl=45 time=308 ms 64 bytes from noc.sixxs.net: icmp_seq=2 ttl=45 time=305 ms 64 bytes from noc.sixxs.net: icmp_seq=3 ttl=45 time=306 ms 64 bytes from noc.sixxs.net: icmp_seq=4 ttl=45 time=307 ms 64 bytes from noc.sixxs.net: icmp_seq=5 ttl=46 time=305 ms --- noc.sixxs.net ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4040ms rtt min/avg/max/mdev = 305.660/306.595/308.063/0.894 ms $ traceroute6 mx1.blitzed.org traceroute to mx1.blitzed.org (2001:1b50:1::2) from 2001:ba8:0:1f1:a800:ff:fe0a:dd6a, 30 hops max, 16 byte packets 1 2001:ba8:0:1f1::1 (2001:ba8:0:1f1::1) 0.553 ms 0.402 ms 0.419 ms 2 netservices-uk6x.ipv6.btexact.com (2001:7f8:2:1::11) 1.236 ms * 1.294 ms 3 2001:7f8:3::cb9:0:1 (2001:7f8:3::cb9:0:1) 239.865 ms 240.162 ms 359.628 ms 4 so-6-0-0.lon11.ip6.tiscali.net (2001:668:0:2::521) 277.956 ms 242.203 ms 242.088 ms 5 so-1-0-0.lon22.ip6.tiscali.net (2001:668:0:2::450) 242.058 ms 241.987 ms 241.816 ms 6 so-2-0-0.par22.ip6.tiscali.net (2001:668:0:2::b0) 249.595 ms 256.884 ms 248.958 ms 7 so-2-0-0.par30.ip6.tiscali.net (2001:668:0:2::a0) 249.363 ms 249.146 ms 249.324 ms 8 so-1-0-0.par31.ip6.tiscali.net (2001:668:0:2::4c0) 249.207 ms 249.379 ms 249.467 ms 9 so-1-0-2.fra10.ip6.tiscali.net (2001:668:0:2::3a1) 257.856 ms 326.85 ms 257.824 ms 10 so-1-0-0.fra20.ip6.tiscali.net (2001:668:0:2::3f1) 355.383 ms 411.456 ms 257.812 ms 11 so-0-0-0.bsl10.ip6.tiscali.net (2001:668:0:2::261) 262.815 ms 262.686 ms 262.569 ms 12 genotec-gw.ip6.tiscali.net (2001:668:0:3::5000:2) 24.306 ms 24.058 ms 24. 197 ms 13 gic-rou-01-all-pos4-0.as16215.net (2001:1b50::1565) 23.847 ms 24.346 ms 24.15 ms 14 2001:1b50:1::2 (2001:1b50:1::2) 24.501 ms 24.077 ms 24.12 ms
Can/should I run my own firewall?
You can, and you probably should. Whatever you normally use should work. iptables works fine for Linux, for example.
Why don't I see a change in my VPS's RAM when I reboot like you told me to?
What you will have been told to do is shutdown and then boot from the Xen console. If you only do reboot (either from your VPS or in the Xen console) then the domain will never be destroyed and so will never read the new settings.
When updating libc, the update fails and I get messages regarding /lib/tls
/lib/tls is a directory of libraries (usually owned by the libc package) which are incompatible with Xen.
When your VPS is provisioned these will be moved to /lib/tls.disabled, an empty file created at /lib/tls and then made unreadable and immutable. This is what probably causes your upgrade procedure to fail, but it is necessary because otherwise an update to libc would replace the incompatible TLS libraries.
The easiest way to deal with this is probably to remove everything to do with /lib/tls:
$ sudo chattr -i /lib/tls $ sudo rm -fr /lib/tls /lib/tls.disabled
Now do your update as normal, and then take care to disable the TLS libraries afterwards:
$ sudo mv /lib/tls /lib/tls.disabled $ sudo touch /lib/tls $ sudo chmod 0 /lib/tls $ sudo chattr +i /lib/tls
Fortunately libc updates are rare.
Can I compile my own kernel?
Unfortunately at the moment the user domain's kernel must be stored outside the domain itself, in dom0. A facility for user domains to provide their own kernel may be provided in a later version of Xen but until then, if you feel you need a custom kernel, just let me know.
Bear in mind that Xen itself is currently a patch to the Linux kernel, so the range of kernels I can run is rather limited and adding additional patches can be problematic.
You may be interested in the config file for my user domain kernel.
What should I put in my /etc/apt/sources.list file?
I've set up a local apt-cacher so that packages only need to be downloaded once. Assuming you're using Debian Sarge (stable) then you will want something like:
deb http://apt-cacher.strugglers.net/cache/ftp.uk.debian.org/debian/ sarge main contrib deb-src http://apt-cacher.strugglers.net/cache/ftp.uk.debian.org/debian/ sarge main contrib deb http://apt-cacher.strugglers.net/cache/security.debian.org/ sarge/updates main contrib # Uncomment for debian-volatile (see http://www.debian.org/devel/debian-volatile/) #deb http://apt-cacher.strugglers.net/cache/ftp.uk.debian.org/debian-volatile/ sarge/volatile main contrib # Uncoment if you need to use some sarge backports # (but read http://backports.org/dokuwiki/doku.php?id=instructions first!) #deb http://apt-cacher.strugglers.net/cache/www.backports.org/debian/ sarge-backports main contrib
The apt-cacher works only for http:// URLs and currently should work for all sources on the following sites:
If you use other sites in your sources.list then please let me know and I will consider whether to add them.
Keeping your VPS up to date
Your VPS is effectively its own separate server system and as such it is important that you keep all software running on it patched and up to date. For Debian Sarge-based servers with all software installed from Debian packages this is very simple.
First you need to make sure that you have the sarge/updates line from above in your /etc/apt/sources.list. Now all you need to do is arrange for the following commands to be run as root however often you wish to check for updates (I suggest daily):
# apt-get update # apt-get upgrade
There are a few methods for automating this; you can probably come up with some yourself. If you like though you can use the same script that I use which can be found at https://svn.strugglers.net/repos/local-apt/trunk/. Copy local-apt.pl to /usr/local/sbin/ and make it executable. Copy local-apt.sh to /etc/cron.daily/local-apt. You will now get a nicely-formatted email each day telling you what needs upgrading. You still need to do the apt-get upgrade manually.
You may also find it useful to install apt-listchanges which will mail you regarding the changes introduced by each upgrade.
The above method also works for Etch although you will find you have updates almost every day, and the /updates line would not be relevant in your sources.list.