Tuesday, December 20, 2011

oxygen style for gtk+ applications

GTK+ applications usually don't look good under KDE. Ever since I've been using KDE I have tried to avoid GTK+ applications. That worked out quite well because I always found a Qt application that fulfilled my needs. There are just a few applications where KDE/Qt doesn't have a real competitor to the GTK+ version.
A big problem has always been the web browser. Now we have rekonq, which is really good, but it's still quite buggy. Another program is Gimp; I couldn't find a real competitor on the Qt side (Krita is basically aimed at a different audience).
Another way to live with GTK+ applications is to use a widget style that works for both GTK+ and KDE/Qt, but I never liked the QtCurve widget style at all.
Recently I found another widget style called oxygen-gtk. It is the official port of KDE's Oxygen widget style to GTK+.
It looks really good and makes my desktop much more "pure KDE" :)
On Gentoo you just have to:

emerge -av x11-themes/oxygen-gtk

Afterwards go to System Settings --> Application Appearance --> GTK Config and set the theme to "oxygen-gtk".
The result looks something like this (in the picture you see Gimp):

Wednesday, December 14, 2011

howto mount qcow2 images

Sometimes you need a way to access a virtual machine without starting it. It might not boot anymore while there are still important files on it, or you are simply too lazy to start it, log in and change or look for whatever you need.
With LVM it's easy: there are "real" partitions on the volume, so it's dead simple to mount and access the guest hard disk. It's also simple with raw files, which work with loop devices, i.e. with losetup.
qcow2 files are another story.
For them you need qemu-nbd, which comes with app-emulation/qemu-kvm, and a kernel module called nbd, which you will find under "Device Drivers --> Block devices --> Network block device support". If you haven't compiled it yet (as a module), compile it now.
Next you have to load the module with the following parameter:

modprobe nbd max_part=8

You have to set max_part because the default is 0 and usually you have more than one partition on a guest system. After that you can mount the image with:

qemu-nbd -c /dev/nbd0 guest.img
mount /dev/nbd0p1 /mnt/guest

That's all. With qemu-nbd -d you can finally disconnect the image, though you have to unmount it first.
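The steps above wrapped into a small script, as an added example that is not from the original post. It assumes /dev/nbd0 is free and qemu-nbd is installed; the function names and the DRY_RUN switch are my own. Because the guest filesystem is untrusted, the image is attached and mounted read-only with nodev,nosuid,noexec, which is what you want when pulling files off a broken or suspicious guest.

```shell
#!/bin/sh
# Added example (not from the original post): mount one partition of a qcow2
# image read-only through nbd and tear it down again.
# Assumes /dev/nbd0 is free. Set DRY_RUN=1 to only print the steps.
set -eu

NBD_DEV="${NBD_DEV:-/dev/nbd0}"

# run: echo a command and execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# mount_qcow2 IMAGE MOUNTPOINT [PARTNO]
# The guest filesystem is untrusted, so the image is attached read-only and
# mounted with ro,nodev,nosuid,noexec; the image file is never modified.
mount_qcow2() {
    img="$1"; mnt="$2"; part="${3:-1}"
    run modprobe nbd max_part=8
    run qemu-nbd --read-only -c "$NBD_DEV" "$img"
    run blockdev --rereadpt "$NBD_DEV"      # make sure nbd0p* devices show up
    run mount -o ro,nodev,nosuid,noexec "${NBD_DEV}p${part}" "$mnt"
}

# umount_qcow2 MOUNTPOINT: unmount first, then disconnect the nbd device,
# in that order (disconnecting a mounted device is what qemu-nbd -d refuses).
umount_qcow2() {
    run umount "$1"
    run qemu-nbd -d "$NBD_DEV"
}

# When run as a script: ./mount-qcow2.sh guest.qcow2 /mnt/guest [partno]
if [ "$#" -ge 2 ]; then
    mount_qcow2 "$1" "$2" "${3:-1}"
fi
```

Run umount_qcow2 /mnt/guest (or the two commands by hand) before you start the guest again; two writers on the same image corrupt it.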

Sunday, December 11, 2011

btrfs and virtualization

Btrfs is the new, feature-rich filesystem which should eventually become the standard filesystem in the Linux world. So far it's still in development, but it's already in the Linux kernel. That's why I also gave it a try, especially for virtualization.

The feature I'm most looking forward to is snapshots. Making backups of running guests is always a cool thing :) After months of running guests on btrfs I can say I'm both excited and a bit disappointed by btrfs.

First of all: the default settings in qemu make the guest extremely slow. I'll tell you why. Usually when you start a guest, its drive cache setting is "writethrough". This setting controls how the host cache is used to access block data. You can choose between "none", "writeback", "unsafe" and "writethrough", with the last one being the default.
On btrfs this makes the guest extremely slow. I made some benchmarks on LVM, ext4 and btrfs comparing "writeback", "writethrough" and "none". It's a simple comparison of how long it takes to compile dev-vcs/git with the different settings on the different filesystems:

  Merge time of dev-vcs/git (results in the order listed above: lvm, ext4, btrfs)

                writeback                writethrough             none
  lvm           1 minute and 39 seconds  1 minute and 50 seconds  1 minute and 44 seconds
  ext4          1 minute and 39 seconds  1 minute and 55 seconds  1 minute and 46 seconds
  btrfs         1 minute and 41 seconds  2 minutes and 37 seconds 1 minute and 48 seconds

As you can see, on btrfs "writethrough" almost doubles the compilation time. Luckily, that problem is already known, and at least for me it's a reason not to use btrfs for virtualization.

Another downside is that btrfs still doesn't have an fsck-like tool. I've used btrfs for some months now and one of my Windows 7 guests got corrupted. Gladly it was just a test system. Anyway, I had to delete it and do a new installation.
On the other hand, the snapshot feature is really nice. I wrote a simple backup script for the image files, which worked really well.

Right now I've moved all my guests back to LVM because I think it still has the best performance, even though I need much more space. But at least it's also possible to create live backups there.

Saturday, December 10, 2011

alix - logging

As I already mentioned in a previous post, I use my ALIX as a firewall. Usually a firewall's job is also to log attacks against it.
But logging means writing to a log file, and since the hard disk is a compact flash card I tried to avoid that. syslog-ng is quite powerful, though, and it can log to another host. So I set up my server to receive logs from other hosts. Right now everything is unencrypted, but with net-misc/stunnel, for example, you could even encrypt the live logging. The setup currently looks like this:

On the firewall I have this in syslog-ng.conf:

source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: ")); };
destination d_loghost {tcp("$serverip" port(514));};
log { source(s_local); destination(d_loghost); };

Every other log { } statement is commented out on the firewall, so that syslog-ng doesn't write anything to the compact flash card. On the server I also had to change the config a bit. First, it has to accept connections from outside, which looks like this:

source src {
    unix-stream("/dev/log" max-connections(256));
    # listener for the firewall; matches the tcp(... port(514)) destination above
    tcp(port(514));
};

Secondly, I created some filters especially for the firewall rules:

filter f_iptables_drop { match("^iptables: INPUT DROPPED" value("MESSAGE")); };
filter f_iptables_access { match("^iptables: ACCESS*" value("MESSAGE")); };

The first filter logs all failed connection attempts against closed ports. The second one logs all accepted connections to open ports. To separate them into different files I also have this in my config:

destination d_firewall_drop { file("/var/log/clients/$HOST/$HOST-firewall-drop"); };
destination d_firewall_access { file("/var/log/clients/$HOST/$HOST-firewall-access"); };

The rest gets logged into:

destination d_clients { file("/var/log/clients/$HOST/$FACILITY"); };

To be able to filter the log this way you also have to mark the dropped and accepted packets so that syslog-ng can tell them apart. To do that you have to add the following to your firewall:

iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "iptables: INPUT DROPPED: "
iptables -t nat -A PREROUTING -i ${NET_ETH} -p ${PROTO} -d ${NET_IP} --dport ${PORT} -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "iptables: ACCESS ${PORT} "

That configuration has worked well for some time now. Maybe someone finds the information useful.
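Once the drops land in $HOST-firewall-drop on the log host, the obvious next step is to read them. As an added example that is not part of the original post, here is a small shell helper that summarises such a file: the log lines are constructed samples in the iptables LOG format using documentation addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the
# "iptables: INPUT DROPPED" lines that syslog-ng writes to
# /var/log/clients/$HOST/$HOST-firewall-drop on the log host.
# SAMPLE_LOG is constructed; addresses come from documentation ranges.

SAMPLE_LOG='Dec 10 10:01:02 alix kernel: iptables: INPUT DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=44001 DPT=22
Dec 10 10:01:03 alix kernel: iptables: INPUT DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=44002 DPT=23
Dec 10 10:01:04 alix kernel: iptables: INPUT DROPPED: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=UDP SPT=5353 DPT=5353
Dec 10 10:01:05 alix kernel: iptables: ACCESS 80 IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=80
Dec 10 10:01:06 alix kernel: iptables: INPUT DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=44003 DPT=3389'

# top_droppers: read log lines on stdin, print "count source" for dropped
# packets, most active source first. Only lines carrying the DROPPED prefix
# from the LOG rule are counted; ACCESS lines are ignored.
top_droppers() {
    awk '/iptables: INPUT DROPPED:/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# dports_for_src SRC: the distinct destination ports one source was dropped
# on, ascending, space separated. Many ports from one source in a short
# time is the pattern a port scan leaves in this file.
dports_for_src() {
    awk -v want="SRC=$1" '/iptables: INPUT DROPPED:/ {
             hit = 0; port = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == want) hit = 1
                 if ($i ~ /^DPT=/) port = substr($i, 5)
             }
             if (hit && port != "") d[port] = 1
         }
         END { for (p in d) print p }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE_LOG" | top_droppers
printf '%s\n' "$SAMPLE_LOG" | dports_for_src 203.0.113.5; echo
```

Keep in mind that the LOG rule above is rate limited to 15/minute, so these counts are a lower bound for a noisy source, not the number of packets actually dropped.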