Saturday, July 23, 2005

OceanStore

OceanStore is a global persistent data store designed to scale to billions of users. It provides a consistent, highly-available, and durable storage utility atop an infrastructure comprised of untrusted servers.

Any computer can join the infrastructure, contributing storage or providing local user access in exchange for economic compensation. Users need only subscribe to a single OceanStore service provider, although they may consume storage and bandwidth from many different providers. The providers automatically buy and sell capacity and coverage among themselves, transparently to the users. The utility model thus combines the resources from federated systems to provide a quality of service higher than that achievable by any single company.

OceanStore caches data promiscuously; any server may create a local replica of any data object. These local replicas provide faster access and robustness to network partitions. They also reduce network congestion by localizing access traffic.

We must assume that any server in the infrastructure may crash, leak information, or become compromised. Promiscuous caching therefore requires redundancy and cryptographic techniques to protect the data from the servers upon which it resides.
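The following is an added illustration of the point above, not code from OceanStore: a reader that holds a cached object's key never trusts the replica it reads from. The owner encrypts and authenticates the object before any server sees it, a replica that leaks its copy reveals nothing, a replica that alters its copy fails verification, and the remaining copies serve the read. The function names, the HMAC-based toy cipher (standing in for a real cipher such as AES-CTR) and the three constructed replicas are all assumptions of this example.

```python
"""Toy model of reading one object from untrusted, promiscuously cached replicas.

Added illustration, not OceanStore's code.  Function names, the HMAC-based toy
cipher and the constructed replicas are assumptions of this example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split the owner's secret into separate encryption and MAC keys."""
    enc_key = hmac.new(master, b"toy-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"toy-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher such as AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the owner's machine, before the object is handed to any server."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the copy was truncated or altered in any way."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def fetch_verified(master: bytes, replicas: Dict[str, bytes]) -> Tuple[Optional[bytes], Optional[str], List[str]]:
    """Read from replicas nearest-first; return (data, serving replica, rejected replicas).

    No replica is trusted: a copy is used only if its tag verifies.  Trying the
    next copy after a failure is what makes the caching robust to a compromised server.
    """
    rejected: List[str] = []
    for name, blob in replicas.items():
        data = open_sealed(master, blob)
        if data is not None:
            return data, name, rejected
        rejected.append(name)
    return None, None, rejected


def tamper(blob: bytes, offset: int) -> bytes:
    """Simulate a compromised server flipping one bit of its cached copy."""
    altered = bytearray(blob)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo() -> Tuple[Optional[bytes], Optional[str], List[str]]:
    """Three caches hold the same object; the nearest one has been compromised (constructed)."""
    master = hashlib.sha256(b"owner secret, constructed for this example").digest()
    plaintext = b"report contents the servers must never read"
    blob = seal(master, plaintext)
    replicas = {
        "near-cache": tamper(blob, NONCE_LEN + 3),  # one ciphertext byte changed
        "peer-cache": blob,
        "far-cache": blob,
    }
    data, served_by, rejected = fetch_verified(master, replicas)
    # A leaked copy is harmless: the plaintext appears nowhere in what a server stores.
    assert plaintext not in blob
    return data, served_by, rejected


if __name__ == "__main__":
    print(demo())
```

The design point is that verification happens at the reader, keyed by a secret the servers never hold; the servers are reduced to carrying opaque blobs, and the only thing redundancy has to provide is one unaltered copy.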

OceanStore employs a Byzantine-fault tolerant commit protocol to provide strong consistency across replicas. The OceanStore API also allows applications to weaken their consistency restrictions in exchange for higher performance and availability.

Monday, July 11, 2005

Firewall script on Virtuozzo VPS

http://vpsinfo.nixhost.net/firewall.htm lists some good IPTables firewall scripts for use on a Virtuozzo VPS.

Monday, July 04, 2005

cPanel + Trustix for Hosting

This is a log of additional Trustix+cPanel configuration. Trustix+cPanel ships with a few broken configurations that need to be fixed before production deployment.
  • Logrotate:
    Add an extra /etc/logrotate.d/httpd:

        /usr/local/apache/logs/error_log /usr/local/apache/logs/access_log /usr/local/apache/logs/suexec_log {
            postrotate
                /usr/bin/killall -HUP httpd
            endscript
        }

    Add these few lines to /etc/logrotate.d/syslog and remove the duplicated entries from the old file:

        /var/log/messages /var/log/secure /var/log/maillog /var/log/boot.log {
            sharedscripts
            postrotate
                /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
            endscript
        }

    - comment out the named entries in /etc/syslog.conf and change local2.* to /var/log/message
    - add this to /etc/cron.daily/logrotate:
        export TMPDIR=/var/log/tmp
    - additional steps:
        cd /var/log
        rm -rf named
        mkdir tmp # our /tmp is mounted suexec, hence we need this
        chmod 755 tmp
        chown syslog:syslog tmp message message.* maillog maillog.* secure secure.*
        export TMPDIR=/var/log/tmp
  • swup --install glibc-locales (so the couple of packages that need locale data, such as squirrelmail or the autoresponder in cPanel, work correctly)
  • swup --install uw-imap-devel libimap (needed to make php-imap compile)
  • To update clamav (installed with exiscan): got to configure exim first; look at the current servers for reference.
        cd /root/src
        wget http://umn.dl.sourceforge.net/sourceforge/clamav/clamav-0.82.tar.gz
        tar -xvzf clamav-0.82.tar.gz
        cd clamav-0.82
        ./configure --prefix=/usr --sysconfdir=/etc && make && make install
        cp /etc/clamav.conf /etc/clamd.conf
        service exim restart
  • add RBLs to /etc/exim.conf (Edit: this is now outdated. I'll write about exim+SA+clam later.)

        #!!# ACL that is used after the RCPT command
        check_recipient:
          # Exim 3 had no checking on -bs messages, so for compatibility
          # we accept if the source is local SMTP (i.e. not over TCP/IP).
          # We do this by testing for an empty sending host field.

          accept  hosts = +relay_hosts
                  endpass

          accept  authenticated = *

          drop    dnslists = sbl.spamhaus.org : relays.ordb.org : list.dsbl.org : bl.spamcop.net : xbl.spamhaus.org
                  message  = your mail server $sender_host_address is in a black list at $dnslist_domain ($dnslist_text)
  • Then, to prevent cPanel from overwriting this modified config: chattr +i /etc/exim.conf
  • To further prevent spam, this is really cool: http://forums.cpanel.net/showthread.php?t=31710 contains instructions on how to set up exim to block spam using a list of the domains found in the bodies of spam messages.
  • cPanel's mod_gzip installation is really dangerous. You had better change these lines in httpd.conf:
        # change max file size from unlimited to 500k to prevent an overcommitted /tmp partition
        mod_gzip_maximum_file_size 500000
        # and add these lines to ignore graphic & compressed files
        mod_gzip_item_exclude mime ^image/
        mod_gzip_item_exclude file \.bz2$
        mod_gzip_item_exclude file \.tbz2$
        mod_gzip_item_exclude file \.gz$
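As an added example (not Exim code and not part of this config log), the following models what the `drop dnslists = ...` statement in the RCPT ACL above does for one connecting host: how the DNSBL query name is formed from the sender's IP, and how the statement order (relay hosts first, then authenticated clients, then the lists) decides the verdict. The resolver is injectable so the logic runs offline; `resolve_a` performs a real DNS query. The zone names are the ones from the ACL; the DNS answers, the IPs and the function names are constructed assumptions. Exim's `$dnslist_text` comes from the list's TXT record; this model reports the A record instead, a simplification.

```python
"""Model of the `drop dnslists = ...` statement in an Exim RCPT ACL.

Added example, not Exim code.  Zone names are the ones from the ACL above;
the DNS answers, IPs and function names are constructed assumptions.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# The zones named in the ACL above.
DNSLISTS = ["sbl.spamhaus.org", "relays.ordb.org", "list.dsbl.org",
            "bl.spamcop.net", "xbl.spamhaus.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried for the IPv4 octets in reverse order under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Real lookup: an A record means 'listed'; a lookup failure means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnslists_check(sender_ip: str, zones: List[str], resolver: Resolver) -> Optional[Tuple[str, str]]:
    """First zone that lists the host, as (zone, answer); None if no zone does.

    Like Exim's dnslists condition, the zones are tried in order and the first
    hit wins, so $dnslist_domain is the zone that matched.
    """
    for zone in zones:
        answer = resolver(dnsbl_query_name(sender_ip, zone))
        if answer is not None:
            return zone, answer
    return None


def rcpt_acl(sender_ip: str, authenticated: bool, relay_hosts: List[str],
             resolver: Resolver = resolve_a) -> Tuple[str, str]:
    """Verdict for one connecting host, in the order of the ACL statements above."""
    if sender_ip in relay_hosts:           # accept hosts = +relay_hosts
        return "accept", "relay host"
    if authenticated:                      # accept authenticated = *
        return "accept", "authenticated"
    hit = dnslists_check(sender_ip, DNSLISTS, resolver)
    if hit is not None:                    # drop dnslists = ...
        zone, answer = hit
        return "drop", "your mail server %s is in a black list at %s (%s)" % (sender_ip, zone, answer)
    return "accept", "not listed"


def fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: a constructed table of query name -> A record."""
    return lambda name: table.get(name)


# Constructed answers: 192.0.2.10 is listed by two zones, 192.0.2.11 by none.
CONSTRUCTED_DNS = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
}

if __name__ == "__main__":
    lookup = fake_resolver(CONSTRUCTED_DNS)
    for ip, auth in [("192.0.2.10", False), ("192.0.2.10", True), ("192.0.2.11", False)]:
        print(ip, auth, rcpt_acl(ip, auth, ["203.0.113.5"], lookup))
```

Two things worth checking in a live configuration that the model makes visible: the lists are consulted in order and the first hit is the one reported, and a `drop` on any answer means a zone that has been shut down and later starts answering every query (relays.ordb.org and list.dsbl.org have both since closed) turns this statement into a rejection of all inbound mail, which is one reason the author marks the list as outdated.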

Update 2005/08/03:
  • Install exim+clamav
  • Also config like ours
Update 2006/02/03:
  • Since cPanel does not support Trustix any more, and also Trustix has stopped being a good guy, I decided it's not worth it to pursue another good distro and focus only on RHES, CentOS, and Gentoo.