Monday Aug 05, 2013

Linux Container (LXC) — Part 2: Working With Containers

"Containers" by Phil Parker (CC BY 2.0).

Part 1 of this article series provided an overview of the Linux container technology. This second part intends to give you an impression of how to work with containers by showing a few practical examples. These can be easily followed and reproduced on an up-to-date Oracle Linux 6 system. For the first steps, it is recommended to install Oracle Linux inside a virtual environment like Oracle VM VirtualBox. Oracle provides a pre-installed and pre-configured Oracle Linux 6 VirtualBox image for free download from the Oracle Technology Network (OTN).

The administration of Linux containers is performed on the command line; so far, there is no integration or support for this technology in applications like Oracle VM Manager or Oracle Enterprise Manager. However, Oracle has developed several enhancements which are included in the lxc package that's part of Oracle Linux 6.4; these changes were also contributed to the upstream LXC project and are now part of the official LXC releases. The support of Linux containers is also included in the libvirt project, which provides a graphical user interface for the management of virtual machines or containers using virt-manager (and other utilities). Libvirt is also included in Oracle Linux.

The creation of Oracle Linux containers can be accomplished on the command line in a few steps, using the LXC utilities. At first, a dedicated directory should be created to host the container file systems. The default location is /container. Creating this directory on top of a Btrfs file system provides a few additional interesting possibilities, e.g. the option to "freeze" a container file system at a certain point in time, or the fast creation (cloning) of additional containers based on a template. Cloning containers using Btrfs snapshots takes place in an instant, without requiring any additional disk space except for the differences to the original template. The creation and management of Btrfs file systems is explained in detail in the chapter "The Btrfs File System" of the "Oracle Linux Administrator's Solutions Guide for Release 6".

The following example creates a Btrfs file system on the second hard disk drive and mounts it to the directory /container:

# mkfs.btrfs /dev/sdb

WARNING! - see before using

fs created label (null) on /dev/sdb
nodesize 4096 leafsize 4096 sectorsize 4096 size 4.00GB
Btrfs v0.20-rc1

# mkdir -v /container
mkdir: created directory `/container'
# mount -v /dev/sdb /container
mount: you didn't specify a filesystem type for /dev/sdb
I will try type btrfs
/dev/sdb on /container type btrfs (rw)

Now you can create a container of the latest version of Oracle Linux 6 named "ol6cont1" and using the default options by entering the following command. The option "-t" determines the general type of the Linux distribution to be installed (the so-called "template"), e.g. "oracle", "ubuntu" or "fedora". Depending on the template, you can pass template-specific options after the double dashes ("--"). In the case of the Oracle Linux template, you can choose the distribution's version by providing values like "5.8", "6.3" or "6.latest". Further information about the available configuration options can be found in chapter "About the lxc-oracle Template Script" of the Oracle Linux 6 Administrator's Solutions Guide.

# lxc-create -n ol6cont1 -t oracle -- --release=6.latest
/usr/share/lxc/templates/lxc-oracle is /usr/share/lxc/templates/lxc-oracle
Note: Usually the template option is called with a configuration
file option too, mostly to configure the network.
For more information look at lxc.conf (5)

Host is OracleServer 6.4
Create configuration file /container/ol6cont1/config
Downloading release 6.latest for x86_64
Loaded plugins: refresh-packagekit, security
ol6_latest | 1.4 kB 00:00
ol6_latest/primary | 31 MB 01:23
ol6_latest 21879/21879
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package chkconfig.x86_64 0: will be installed
--> Processing Dependency: for package: chkconfig-
--> Processing Dependency: for package: chkconfig-
--> Processing Dependency: pygpgme for package: yum-3.2.29-40.0.1.el6.noarch
--> Processing Dependency: python-iniparse for package: yum-3.2.29-40.0.1.el6.noarch
--> Processing Dependency: rpm-python for package: yum-3.2.29-40.0.1.el6.noarch
--> Running transaction check
---> Package audit-libs.x86_64 0:2.2-2.el6 will be installed
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be installed
---> Package checkpolicy.x86_64 0:2.0.22-1.el6 will be installed
---> Package coreutils.x86_64 0:8.4-19.0.1.el6_4.2 will be installed
--> Processing Dependency: coreutils-libs = 8.4-19.0.1.el6_4.2 for package: coreutils-8.4-19.0.1.el6_4.2.x86_64
---> Package pinentry.x86_64 0:0.7.6-6.el6 will be installed
--> Running transaction check
---> Package groff.x86_64 0: will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size
chkconfig x86_64 ol6_latest 158 k
dhclient x86_64 12:4.1.1-34.P1.0.1.el6 ol6_latest 316 k
initscripts x86_64 9.03.38-1.0.1.el6_4.1 ol6_latest 937 k
rootfiles noarch 8.1-6.1.el6 ol6_latest 6.3 k
rsyslog x86_64 5.8.10-6.el6 ol6_latest 648 k
vim-minimal x86_64 2:7.2.411-1.8.el6 ol6_latest 363 k
yum noarch 3.2.29-40.0.1.el6 ol6_latest 995 k
Installing for dependencies:
MAKEDEV x86_64 3.24-6.el6 ol6_latest 88 k
audit-libs x86_64 2.2-2.el6 ol6_latest 60 k
basesystem noarch 10.0-4.0.1.el6 ol6_latest 4.3 k
yum-metadata-parser x86_64 1.1.2-16.el6 ol6_latest 26 k
zlib x86_64 1.2.3-29.el6 ol6_latest 72 k

Transaction Summary
Install 135 Package(s)

Total download size: 79 M
Installed size: 294 M
Downloading Packages:
(1/135): MAKEDEV-3.24-6.el6.x86_64.rpm | 88 kB 00:00
(2/135): audit-libs-2.2-2.el6.x86_64.rpm | 60 kB 00:00
(3/135): basesystem-10.0-4.0.1.el6.noarch.rpm | 4.3 kB 00:00
(4/135): bash-4.1.2-15.el6_4.x86_64.rpm | 904 kB 00:02
(5/135): binutils- | 2.8 MB 00:07
(131/135): vim-minimal-7.2.411-1.8.el6.x86_64.rpm | 363 kB 00:01
(132/135): xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_ | 89 kB 00:00
(133/135): yum-3.2.29-40.0.1.el6.noarch.rpm | 995 kB 00:03
(134/135): yum-metadata-parser-1.1.2-16.el6.x86_64.rpm | 26 kB 00:00
(135/135): zlib-1.2.3-29.el6.x86_64.rpm | 72 kB 00:00
Total 271 kB/s | 79 MB 04:59
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libgcc-4.4.7-3.el6.x86_64 1/135
Installing : setup-2.8.14-20.el6.noarch 2/135
Installing : filesystem-2.4.30-3.el6.x86_64 3/135
Installing : basesystem-10.0-4.0.1.el6.noarch 4/135
Installing : ca-certificates-2010.63-3.el6_1.5.noarch 5/135
Installing : rsyslog-5.8.10-6.el6.x86_64 131/135
Installing : yum-3.2.29-40.0.1.el6.noarch 132/135
Installing : passwd-0.77-4.el6_2.2.x86_64 133/135
Installing : 2:vim-minimal-7.2.411-1.8.el6.x86_64 134/135
Installing : rootfiles-8.1-6.1.el6.noarch 135/135
Verifying : gamin-0.1.10-9.el6.x86_64 1/135
Verifying : procps-3.2.8-25.el6.x86_64 2/135
Verifying : 12:dhclient-4.1.1-34.P1.0.1.el6.x86_64 3/135
Verifying : 2:ethtool-3.5-1.el6.x86_64 4/135
Verifying : ncurses-base-5.7-3.20090208.el6.x86_64 5/135
Verifying : ca-certificates-2010.63-3.el6_1.5.noarch 130/135
Verifying : libssh2-1.4.2-1.el6.x86_64 131/135
Verifying : cpio-2.10-11.el6_3.x86_64 132/135
Verifying : mingetty-1.08-5.el6.x86_64 133/135
Verifying : libcurl-7.19.7-37.el6_4.x86_64 134/135
Verifying : 1:findutils-4.4.2-6.el6.x86_64 135/135

chkconfig.x86_64 0:
dhclient.x86_64 12:4.1.1-34.P1.0.1.el6
initscripts.x86_64 0:9.03.38-1.0.1.el6_4.1
openssh-server.x86_64 0:5.3p1-84.1.el6
Dependency Installed:
MAKEDEV.x86_64 0:3.24-6.el6
audit-libs.x86_64 0:2.2-2.el6
basesystem.noarch 0:10.0-4.0.1.el6
bash.x86_64 0:4.1.2-15.el6_4
binutils.x86_64 0:
upstart.x86_64 0:0.6.5-12.el6_4.1
ustr.x86_64 0:1.0.4-9.1.el6
util-linux-ng.x86_64 0:2.17.2-12.9.el6_4.3
xz-libs.x86_64 0:4.999.9-0.3.beta.20091007git.el6
yum-metadata-parser.x86_64 0:1.1.2-16.el6
zlib.x86_64 0:1.2.3-29.el6

Rebuilding rpm database
Configuring container for Oracle Linux 6.4
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/ol6cont1/rootfs
Config : /container/ol6cont1/config
Network : eth0 () on virbr0
'oracle' template installed
'ol6cont1' created

To prepare a minimal installation of the latest version of Oracle Linux 6 (about 400 MB), the installation script performs a download of the required RPM packages from Oracle's "public-yum" service. The directory structure of the installed container can be found at /container/ol6cont1/rootfs; it can be browsed and evaluated like any other regular directory structure. The script also creates two user accounts "root" and "oracle" and configures a virtual network device, which obtains an IP address via DHCP from the DHCP server provided by the libvirt framework. The container's configuration file created by lxc-create is located at /container/ol6cont1/config and can be adapted and modified using a regular text editor. Before making any changes, it's recommended to create a snapshot of the container first, which can be used to quickly spawn additional containers:

# lxc-clone -o ol6cont1 -n ol6cont2
Tweaking configuration
Copying rootfs...
Create a snapshot of '/container/ol6cont1/rootfs' in '/container/ol6cont2/rootfs'
Updating rootfs...
'ol6cont2' created
# lxc-ls -1

Start the container using the following command:

# lxc-start -n ol6cont1 -d -o /container/ol6cont1/ol6cont1.log
# lxc-info -n ol6cont1
state: RUNNING
pid: 311
# lxc-info -n ol6cont2
state: STOPPED
pid: -1

The container has now been started in the background. Any log messages will be redirected to the file ol6cont1.log. As you can tell from the output of lxc-info, only the container ol6cont1 has been started, while the clone ol6cont2 remains in stopped state until you boot it up using lxc-start.

Now you can log into the container instance's console using the following command. The container's system configuration can now be modified using the usual tools (e.g. yum or rpm to install additional software).

# lxc-console -n ol6cont1

Oracle Linux Server release 6.4
Kernel 2.6.39-400.109.4.el6uek.x86_64 on an x86_64

ol6cont1 login: root
[root@ol6cont1 ~]# ps x
1 ? Ss 0:00 /sbin/init
184 ? Ss 0:00 /sbin/dhclient -H ol6cont1 -1 -q -lf /var/lib/dhclien
207 ? Sl 0:00 /sbin/rsyslogd -i /var/run/ -c 5
249 ? Ss 0:00 /usr/sbin/sshd
256 lxc/console Ss+ 0:00 /sbin/mingetty /dev/console
260 ? Ss 0:00 login -- root
262 lxc/tty2 Ss+ 0:00 /sbin/mingetty /dev/tty2
264 lxc/tty3 Ss+ 0:00 /sbin/mingetty /dev/tty3
266 lxc/tty4 Ss+ 0:00 /sbin/mingetty /dev/tty4
267 lxc/tty1 Ss 0:00 -bash
278 lxc/tty1 R+ 0:00 ps x
[root@ol6cont1 ~]# logout
Oracle Linux Server release 6.4
Kernel 2.6.39-400.109.4.el6uek.x86_64 on an x86_64

ol6cont1 login: CTRL-A Q

The key combination CTRL-A, Q terminates the console session. Alternatively, you can also log in to the container using SSH from the host system. All containers have their own IP address and are connected to a virtual bridge device virbr0 by default, which is also reachable from the host system. This way, you can easily set up simple client/server architectures within a host system.
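The lxc-create output above prints the passwords the template assigns to root and oracle, and the process list shows sshd running, so those accounts are reachable from the bridge as soon as the container boots. The following host-side audit is an added example, not part of the original post or the LXC tools; the function names and the sample files are constructed for illustration, and the sshd defaults assumed are those of the OpenSSH 5.3 release installed in the container.

```shell
#!/bin/sh
# Added example: audit which accounts of a container accept a password,
# working on <container_dir>/rootfs from the host. Helper names are hypothetical.

# shadow_status ROOTFS: print "user:STATE" for every account in etc/shadow.
# STATE is EMPTY (no password needed), locked ("!" or "*") or password.
shadow_status() {
    awk -F: '
        $2 == ""     { print $1 ":EMPTY";  next }
        $2 ~ /^[!*]/ { print $1 ":locked"; next }
                     { print $1 ":password" }
    ' "$1/etc/shadow"
}

# sshd_setting ROOTFS KEYWORD DEFAULT: global value of KEYWORD in sshd_config.
# sshd takes the first occurrence of a keyword; lines after a "Match" line are
# conditional and are not considered. DEFAULT is printed if the keyword is unset.
sshd_setting() {
    [ -r "$1/etc/ssh/sshd_config" ] || { echo "$3"; return 0; }
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1/etc/ssh/sshd_config"
}

# audit_container CONTAINER_DIR: print one line per finding, return 1 if any.
audit_container() {
    _rootfs="$1/rootfs"
    _findings=0
    _pw_auth=no
    _root_login=no
    if [ -x "$_rootfs/usr/sbin/sshd" ]; then
        # Both keywords default to "yes" in OpenSSH 5.3.
        _pw_auth=$(sshd_setting "$_rootfs" PasswordAuthentication yes)
        _root_login=$(sshd_setting "$_rootfs" PermitRootLogin yes)
    fi
    for _entry in $(shadow_status "$_rootfs"); do
        _user=${_entry%%:*}
        _state=${_entry#*:}
        case "$_state" in
            locked) continue ;;
            EMPTY)  echo "FAIL $_user: empty password field" ;;
            password)
                [ "$_pw_auth" = yes ] || continue
                [ "$_user" != root ] || [ "$_root_login" = yes ] || continue
                echo "WARN $_user: password login accepted over SSH" ;;
        esac
        _findings=$((_findings + 1))
    done
    [ "$_findings" -eq 0 ]
}

# make_sample_container DIR: constructed stand-in for a freshly created
# container (placeholder hashes, not real ones).
make_sample_container() {
    mkdir -p "$1/rootfs/etc/ssh" "$1/rootfs/usr/sbin"
    : > "$1/rootfs/usr/sbin/sshd"
    chmod +x "$1/rootfs/usr/sbin/sshd"
    cat > "$1/rootfs/etc/shadow" <<'EOF'
root:$6$constructed$placeholderhash:15922:0:99999:7:::
bin:*:15922:0:99999:7:::
sshd:!!:15922::::::
oracle:$6$constructed$placeholderhash:15922:0:99999:7:::
EOF
    cat > "$1/rootfs/etc/ssh/sshd_config" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

sample=$(mktemp -d)
make_sample_container "$sample/ol6cont1"
audit_container "$sample/ol6cont1" || echo "change or lock the passwords listed above"
rm -rf "$sample"
```

On a real host, pass /container/ol6cont1 as the argument; new passwords can be set with passwd from the container console.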

A running container can easily be suspended using the command lxc-freeze at any time. All running processes will be halted and won't consume CPU resources anymore, until you release them using lxc-unfreeze again. Since Linux containers are based on the Linux Control Groups (Cgroups) framework, it is also possible to precisely limit the resources available to a container.
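The resource limits mentioned above are set as lxc.cgroup.* keys in the container's configuration file and can be changed on a running container with lxc-cgroup. The following is an added example, not part of the original post: the helper names, the sample configuration and the limit values are constructed for illustration, and the cgroup v1 controller file names are assumed.

```shell
#!/bin/sh
# Added example: keep cgroup limits in an LXC container config without
# stacking duplicate entries. Helper names are hypothetical.

# valid_bytes VALUE: a byte count with an optional K, M or G suffix, the form
# the cgroup v1 memory controller accepts for memory.limit_in_bytes.
valid_bytes() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[KMGkmg]?$'
}

# set_cgroup_limit CONFIG KEY VALUE
# Writes "lxc.cgroup.KEY = VALUE", replacing any existing entry for KEY and
# leaving all other lines (including commented-out ones) untouched.
set_cgroup_limit() {
    _cfg=$1
    _key="lxc.cgroup.$2"
    _val=$3
    if [ "$2" = memory.limit_in_bytes ] && ! valid_bytes "$_val"; then
        echo "invalid memory limit: $_val" >&2
        return 1
    fi
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v val="$_val" '
        {
            k = $0
            sub(/[ \t]*=.*$/, "", k)    # keep the text left of "="
            sub(/^[ \t]+/, "", k)
            if (k == key) {             # existing entry: emit it once, updated
                if (!done) print key " = " val
                done = 1
                next
            }
            print
        }
        END { if (!done) print key " = " val }
    ' "$_cfg" > "$_tmp" && cat "$_tmp" > "$_cfg"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# get_cgroup_limit CONFIG KEY: print the configured value, or nothing if unset.
get_cgroup_limit() {
    awk -v key="lxc.cgroup.$2" '
        {
            k = $0
            sub(/[ \t]*=.*$/, "", k)
            sub(/^[ \t]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# apply_live NAME KEY VALUE: change the limit of a running container at once
# (needs root and the LXC tools; not called in the sample run below).
apply_live() {
    lxc-cgroup -n "$1" "$2" "$3"
}

# make_sample_config FILE: constructed stand-in for /container/ol6cont1/config.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample configuration
lxc.utsname = ol6cont1
lxc.rootfs = /container/ol6cont1/rootfs
lxc.cgroup.memory.limit_in_bytes = 1G
EOF
}

sample_cfg=$(mktemp)
make_sample_config "$sample_cfg"
set_cgroup_limit "$sample_cfg" memory.limit_in_bytes 256M   # cap RAM
set_cgroup_limit "$sample_cfg" cpuset.cpus 0                # pin to CPU 0
set_cgroup_limit "$sample_cfg" cpu.shares 512               # default weight is 1024
cat "$sample_cfg"
rm -f "$sample_cfg"
```

Limits written to the configuration file take effect the next time the container is started with lxc-start.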

A container can be shut down in various ways: either by calling lxc-stop from the host, or from within the container using the usual commands like shutdown -h or poweroff. Containers that are no longer needed can be discarded using the lxc-destroy command.

If you'd like to learn more about this topic, there is a dedicated chapter about Linux containers in the Oracle Linux Administrator's Solutions Guide. It covers the creation, configuration and starting/stopping as well as monitoring of containers in detail. It also explains how to prepare the container storage on a Btrfs file system and how existing containers can be quickly cloned.

More links about the topic of Linux containers:

Wednesday Jul 31, 2013

Using Ksplice for diagnostic purposes

laptop and stethoscope by jfcherry (CC BY-SA 2.0)

We've been emphasizing the benefits of using Oracle Linux with Ksplice rebootless updates several times already. The ability to minimize downtime when applying rebootless patches to the Linux Kernel is a feature unique to Oracle Linux, and a growing number of customers realize the benefits of this technology.

Since we acquired Ksplice two years ago, we've continued to improve and further integrate this functionality in Oracle Linux. For example, we implemented the Ksplice offline client (which I mentioned in this YouTube whiteboard session some time ago), the Ksplice Inspector, or the RedPatch utility.

But did you know that we use Ksplice for diagnostic purposes, too? As part of our Oracle Linux Premier Support offering, we can make use of Ksplice to enable additional debugging functionality on your production system, if we need to track down an issue in your environment. Instead of asking you to reboot into a custom Linux kernel that contains additional debugging code, we now simply create a custom Ksplice patch that helps us to gather the required information, while your system keeps running. Once we've obtained the necessary details, you can simply remove the debug patch with Ksplice at runtime again, without any interruption. The additional debugging information helps our support team to determine the root cause of your issue. In case it turns out to be a genuine bug in the Linux kernel, we will then develop and provide a bug fix for this particular problem in the form of a new Ksplice patch, which you can apply while the system keeps humming along. Bug analyzed and fixed, no reboot was required!

To learn more about this feature and the other advantages of Ksplice, take a look at Wim's recent blog post "The Ksplice differentiator".

Wednesday Jun 26, 2013

Linux-Containers — Part 1: Overview

"Containers" by Phil Parker (CC BY 2.0).

Linux Containers (LXC) provide a means to isolate individual services or applications, as well as a complete Linux operating system, from other services running on the same host. To accomplish this, each container gets its own directory structure, network devices, IP addresses and process table. The processes running in other containers or the host system are not visible from inside a container. Additionally, Linux Containers allow for fine-grained control of resources like RAM, CPU or disk I/O.

Generally speaking, Linux Containers use a completely different approach than "classical" virtualization technologies like KVM or Xen (on which Oracle VM Server for x86 is based). An application running inside a container will be executed directly on the operating system kernel of the host system, shielded from all other running processes in a sandbox-like environment. This allows a very direct and fair distribution of CPU and I/O resources. Linux containers can offer the best possible performance and several possibilities for managing and sharing the resources available.

Similar to Containers (or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version runs on the host as well as in the containers; it is not possible to run different Linux kernel versions or other operating systems like Microsoft Windows or Oracle Solaris for x86 inside a container. However, it is possible to run different Linux distribution versions (e.g. Fedora Linux in a container on top of an Oracle Linux host), provided it supports the version of the Linux kernel that runs on the host. This approach has one caveat, though - if any of the containers causes a kernel crash, it will bring down all other containers (and the host system) as well.

For example, Oracle's Unbreakable Enterprise Kernel Release 2 (2.6.39) is supported for both Oracle Linux 5 and 6. This makes it possible to run Oracle Linux 5 and 6 container instances on top of an Oracle Linux 6 system. Since Linux Containers are fully implemented on the OS level (the Linux kernel), they can be easily combined with other virtualization technologies. It's certainly possible to set up Linux containers within a virtualized Linux instance that runs inside Oracle VM Server or Oracle VM VirtualBox.

Some use cases for Linux Containers include:

  • Consolidation of multiple separate Linux systems on one server: instances of Linux systems that are not performance-critical or only see sporadic use (e.g. a fax or print server or intranet services) do not necessarily need a dedicated server for their operations. These can easily be consolidated to run inside containers on a single server, to preserve energy and rack space.
  • Running multiple instances of an application in parallel, e.g. for different users or customers. Each user receives his "own" application instance, with a defined level of service/performance. This prevents one user's application from hogging the entire system and ensures that each user only has access to his own data set. It also helps to save main memory — if multiple instances of the same process are running, the Linux kernel can share memory pages that are identical and unchanged across all application instances. This also applies to shared libraries that applications may use; they are generally held in memory once and mapped to multiple processes.
  • Quickly creating sandbox environments for development and testing purposes: containers that have been created and configured once can be archived as templates and can be duplicated (cloned) instantly on demand. After finishing the activity, the clone can safely be discarded. This makes it possible to provide repeatable software builds and test environments, because the system will always be reset to its initial state for each run. Linux Containers also boot significantly faster than "classic" virtual machines, which can save a lot of time when running frequent build or test runs on applications.
  • Safe execution of an individual application: if an application running inside a container has been compromised because of a security vulnerability, the host system and other containers remain unaffected. The potential damage can be minimized, analyzed and resolved directly from the host system.

Note: Linux Containers on Oracle Linux 6 with the Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as Technology Preview - their use is only recommended for testing and evaluation purposes.

The Open-Source project "Linux Containers" (LXC) is driving the development of the technology behind this, which is based on the "Control Groups" (CGroups) and "Name Spaces" functionality of the Linux kernel. Oracle is actively involved in the Linux Containers development and contributes patches to the upstream LXC code base.

Control Groups provide means to manage and monitor the allocation of resources for individual processes or process groups. Among other things, you can restrict the maximum amount of memory, CPU cycles as well as the disk and network throughput (in MB/s or IOP/s) that are available for an application.

Name Spaces help to isolate process groups from each other, e.g. the visibility of other running processes or the exclusive access to a network device. It's also possible to restrict a process group's access and visibility of the entire file system hierarchy (similar to a classic "chroot" environment).

CGroups and Name Spaces provide the foundation on which Linux containers are based, but they can actually be used independently as well.

How Linux Containers can be created and managed on Oracle Linux will be explained in more detail in the second part of this article.

Additional links related to Linux Containers:

- Lenz Grimmer

Follow me on:
Personal Blog | Facebook | Twitter | Linux Blog |

Thursday Jun 20, 2013

Hands-On Labs + Proctors = Genius

If Albert Einstein (image removed from blog) had attended OTN's virtual sysadmin days, he wouldn't have gotten so old figuring out his Theory of Relativity. Thanks to the relentless advance of technology, you can outsmart Einstein from the comfort of your own office. See below.

OTN Virtual Sysadmin Day - July 2013

It's free - register here

We held our first ever virtual sysadmin day for North America on January 15 of this year. Almost 600 sysadmins attended and over 80% of them remained online for the duration of the event. Which means they found it a good use of their time. If you missed that one, we're doing another one in July. Oddly enough, we chose the same date and time: the 15th at 9:00 am PT. Which is at the exact same spot of the Earth's rotation, but on the other side of the sun and closer to our upcoming collision with Andromeda.

That galactic fender-bender aside, we have updated some of the hands-on labs about Oracle Solaris and Oracle Linux that we presented at our in-person sysadmin days, and we added three new labs about Oracle VM:

  • Deploying Infrastructure as a Service
  • How to Virtualize and Deploy Oracle Applications Using Oracle VM Templates
  • Creating an x86 Enterprise Cloud Infrastructure

Details here.

The event is free, but you do need to register. And there's a little homework involved. Nothing too complicated. We just expect you to have VirtualBox installed and the proper images already imported before we begin class. You'll see the instructions after you register.

When was that again?

Monday, July 15 at 9:00 am Pacific Time. (Time converter here.)

Register here

- Rick

Follow me on:
Blog | Facebook | Twitter | YouTube | The Great Peruvian Novel

Wednesday Apr 17, 2013

How the Oracle Linux Update Channels are Structured

"Beer Taps" by Jamie C2009 (CC BY 2.0).

Oracle Linux distribution releases are identified by a major version like "Oracle Linux 6" or "Oracle Linux 5", followed by an update release number, e.g. "Oracle Linux 6 Update 3" or "Oracle Linux 6.3" in short. Every Oracle Linux distribution release is freely available as ISO installation images from the Oracle Software Delivery Cloud (formerly known as E-Delivery), as well as individual RPM packages, broken up by update releases. These are published via "channels" (or "yum repositories") from the Unbreakable Linux Network (ULN) and our public yum repository.

Security patches and critical bug fixes (errata) for individual packages that are being released in between update releases are published immediately via the corresponding _latest yum repositories and ULN channels at the same time. If you want to ensure that your system is always up to date and fully patched, make sure to have it subscribed to the _latest channel (e.g. ol6_latest). And you don't even need to purchase a support subscription for that, if you use the public yum repositories!

Update releases of a major distribution version are primarily "checkpoints", an accumulation of all patches that have been published since the last update release has been made available. They help to reduce lengthy patch/update procedures that would have to be performed if you would always have to start a new installation from the very first release of a new major version. Update releases within a major version are binary compatible. An application that was installed and tested on Oracle Linux 6.1 will still run on Oracle Linux 6.4.

In addition to the _latest channel, ULN also provides so-called _patch channels, one per update release (e.g. ol6_u4_x86_64_patch for Oracle Linux 6.4 on x86_64). These _patch channels contain all RPM updates that have been published after a new update release (e.g. 6.4) has been released. They are kept up to date with each new update package that is made available. So they allow you to keep a certain update level of the distribution up to date without risking rolling forward to a new update release version automatically (which is what happens when your system is subscribed to the _latest repository).

However, one thing to keep in mind is that these channels actually stop receiving updates once a new update release (e.g. 6.4) has been made available. At this point you need to "go with the flow" and plan your update to the next update release (and its associated _patch channel), if you don't want to risk running an un-patched system.

I'd like to give you an alternative explanation of this channel structure, using software development and source code version control as an analogy. In revision control terms, you could consider the _latest channel the "trunk" of the distribution, a stream of packages that is always up to date and also rolls forward the distribution's update version in regular intervals. The _base channels could be considered "tags" or "snapshots" of the _latest package stream. They represent the state of a major distribution version (e.g. Oracle Linux 6) at a certain point in time, identified by a minor version number (e.g. 6.3). They are being packaged and released in the form of an ISO image as well. The _patch channels could be considered "branches" that are branched off a certain tag and are being kept up to date with the "trunk" until a new update release has been tagged.

I hope this explanation helps you understand the various channels and their purposes!

- Lenz Grimmer


Tuesday Apr 16, 2013

Evaluating Oracle Solaris and Oracle Linux From Your Laptop

Evaluating Oracle Linux From Inside VirtualBox

After importing your Oracle Linux virtual image, you can use the yum install command to download additional packages into your Linux environment. Yuli explains how.

But what's really cool about evaluating an OS from inside VirtualBox is that you can assign each virtual image a unique IP address, and have it communicate with the outside world as if it were its own physical machine on the network. Yuli describes how to do this, and also how to install guest additions to, for instance, share files between the guest and host systems.

Evaluating Oracle Solaris 11 From Inside VirtualBox

In this article Yuli shows you how to create and manage user accounts with either the GUI or the CLI, how to set up networking, and how to use the Service Management Facility (SMF) to, for instance, control SSH connections to the outside world.

Both articles cover the basics to get you started, but also very valuable are the links that Yuli provides to help you move further along in your evaluation.

- Rick


Monday Apr 15, 2013

Eight Cylinders of Virtualization

source made freely available by desktop machine

I've been on the lookout for a quick techie overview of Oracle's virtualization offerings. Detlef Drewanz, Matthias Pfützner, and Elke Freymann had strung together a series of articles doing just that. Lenz Grimmer jumped in with some context on Linux, and the result was this 8-part series for OTN.

1 - The Role of Oracle VM Server for SPARC in a Virtualization Strategy

by Matthias Pfützner

Overview of hardware and software virtualization basics, including a breakdown of different types and styles of virtualization, and where Oracle VM Server for SPARC fits into a virtualization strategy.

2 - The Role of Oracle VM Server for x86 in a Virtualization Strategy

by Matthias Pfützner

Oracle VM Server for x86 is an Oracle technology that existed before Oracle acquired Sun. It is a virtualization product based on the Xen hypervisor and like its SPARC counterpart, Oracle VM Server for SPARC, it is a thin Type 1 hypervisor that performs hardware virtualization and uses paravirtualization.

3 - The Role of Oracle Solaris Zones and Linux Containers in a Virtualization Strategy

by Detlef Drewanz and Lenz Grimmer

Oracle Solaris zones are referred to as lightweight virtualization because they impose no overhead on the virtualization layer and the applications running in the non-global zones. As a result, they are a perfect choice for high performance applications. Instead of retrofitting efficiency onto full isolation, Linux Containers started out with an efficient mechanism and added isolation, resulting in a system virtualization mechanism as scalable and portable as chroot.

4 - Resource Management As an Enabling Technology for Virtualization

by Detlef Drewanz

When you have one person in one phone booth, life is simple. But when you fit 25 college students into one phone booth, you have resource management challenges. Not to mention security risks. Same goes for virtualization. Detlef explains how resource management can help.

5 - Network Virtualization and Network Resource Management

by Detlef Drewanz

Using hypervisor-based virtualization and Oracle Solaris Zones with network virtualization plus network resource management enables a whole range of network-based architectures. This article describes what's involved in using network resource management in conjunction with hypervisors, containers, and zones in an internal virtual network.

6 - Oracle VM VirtualBox: Personal Desktop Virtualization

by Detlef Drewanz

Oracle VM VirtualBox consists of a base software package that is available for each supported host OS; guest additions that add support for shared folders, seamless window integration, and 3D; and extension packs.

7 - The Role of Oracle Virtual Desktop Infrastructure in a Virtualization Strategy

by Matthias Pfützner

This technology is no longer available.

Virtual desktop infrastructure (VDI) is the practice of hosting a desktop operating system within a virtual machine (VM) running on a hosted, centralized or remote server. Matthias Pfützner explains.

8 - Oracle Enterprise Manager Ops Center as a Management Tool for Virtualization

by Elke Freymann

Oracle Enterprise Manager Ops Center offers complete infrastructure management with a focus on Oracle hardware (servers, switches, storage appliances) and Oracle operating systems, plus non-Oracle Linux variants that are supported on Oracle servers. Although Oracle VM VirtualBox and Oracle VDI include management capabilities, Ops Center has the best overall toolset for central virtualization management.

- Rick


Friday Apr 05, 2013

Migrating to Oracle Linux: How to Identify Applications To Move


One of the first things you need to make when migrating from SUSE Linux to Oracle Linux is an inventory of your applications. A package management tool such as Yet Another Setup Tool (YAST) is a big help here. So is the rpm command. Here are some ways to use it.

To List All The Installed Packages

Use the -qa option.

# rpm -qa

To Save the Output in a File

You can move that file to any location and, anytime later, search through the package list saved there to look for a package of interest:

# rpm -qa > rpmlist.txt

To Sort the Packages

To see the installed packages sorted by install time, use --last. The packages installed most recently will appear at the top of the list, followed by the standard packages installed during the original installation:

# rpm -qa --last

To Find Out If A Particular Component Is Installed

To find out whether a particular component is installed and what version it is, use the name option. For example:

# rpm -qa python

To Find Out What Dependencies a Package Has

Use the -qR option:

# rpm -qR python-2.6.0-8.12.2
python-base = 2.6.0
rpmlib(VersionedDependencies) <= 3.0.3-1

The Linux Migration Guide

You can find out more about migration steps with either rpm or YaST, including the benefits of migrating to Oracle Linux, by downloading the white paper from here:

Download the Oracle Linux Migration Guide

- Rick


Friday Feb 22, 2013

How to Configure the Linux Kernel's Out of Memory Killer


Operating systems sometimes behave like airlines. Since the airlines know that a certain percentage of the passengers won't show up for their flight, they overbook the flights. As anyone who has been to an airport in the last 10 years knows, they usually get it wrong and have to bribe some of us to get on the next flight. If the next flight is the next morning, we get to stay in a nice hotel and have a great meal, courtesy of the airline.

That's going to be my lodging strategy if I'm ever homeless.

The Linux kernel does something similar. It allocates memory to its processes ahead of time. Since it knows that most of the processes won't use all the memory allocated to them, it over-commits. In other words, it allocates a sum total of memory that is more than it actually has. Once in a while too many processes claim the memory that the kernel promised them at the same time. When that happens, the Linux kernel resorts to an option that the airlines wish they had: it kills off processes one at a time. In fact, it actually has a name for this function: the out-of-memory killer.

Robert Chase explains.

How to Configure the Out of Memory Killer

Robert Chase describes how to examine your syslog and how to use the vmstat command for clues about which processes were killed, and why. He then shows you how to configure the OOM killer to behave the way you prefer. For instance, you can make certain processes less likely to be killed than others. Or more. Or you can instruct the kernel to reboot instead of killing processes.


- Rick


Thursday Feb 21, 2013

Can You Figure Out Which Teenager Took the Cash?


Dads like me are familiar with a phenomenon known as Silent Dollar Disappearance. This tends to occur when there is a confluence of money in your wallet and teenage children in your home. You never actually see it happen, but if you are paying attention, you might detect that it has happened. As when, for instance, you try to pay for beer and brats at the grocer. It becomes difficult to know for sure whether it was the teenagers. What if you already spent the money on something else? That's what my teenage daughters always said. Or perhaps you had a wallet malfunction, and it flew out. So difficult to pin-point the actual cause.

Linux, like any OS, is vulnerable to a similar phenomenon. It's called silent data corruption. It can be caused by faulty components, such as memory modules or storage systems. It can also be caused by -God forbid- administrative error. As with Silent Dollar Disappearance, it's difficult to detect when data corruption is actually happening. Or what the exact cause was. But, as with Dads and teenagers, you eventually figure out that it has happened.

It may be impossible to identify the culprit after the data has been corrupted, but it's not impossible to stop the culprit ahead of time. Oracle partnered with EMC and Emulex to do just that. And they were kind enough to explain how they did it and how you can benefit. In this article:

Preventing Silent Data Corruption in Oracle Linux

An excerpt ...

"Data integrity protection is not new. ECC and CRC are available on most, if not all, servers, storage arrays, and Fibre Channel host bus adapters (HBAs). But these checks protect the data only temporarily within a single component. They do not ensure that the data you intended to write does not become corrupt as it travels down the data path from the application running in the server to the HBA, the switch, the storage array, and then the physical disk drive. When data corruption occurs, most applications are unaware that the data that was stored on the disk is not the data that was intended to be stored.

"Over the last several years, EMC, Emulex, and Oracle have worked together to drive and implement the Protection Information additions to the T10 SBC standard, which enables the validation of data as it moves through the data path to ensure that silent data corruption does not occur."

Interesting stuff. Give it a read.

- Rick


Wednesday Jan 09, 2013

How to Treat an NFS File As a Block Storage Device


Wim actually beat me in blogging about this feature while I was on vacation, but I'd like to add a little more background about dm-nfs, which I gathered from our kernel developers:

What is dm-nfs?

The dm-nfs kernel module provides a device-mapper target that allows you to treat an NFS file as a block device. It provides loopback-style emulation of a block device using a regular file as backing storage. The backing file resides on a remote system and is accessed via the NFS protocol.

The general idea is to have a more-efficient-than-loop access to files on NFS. The device mapper module directly converts requests to the dm device into NFS RPC calls.

dm-nfs is used transparently by Oracle VM's Dom0 when mounting NFS-backed virtual disks. It essentially allows for asynchronous and direct I/O to an NFS-backed block device, which is a lot faster than normal NFS for virtual disks. The Xen block hotplug script has been modified on OVM to look for files which are on NFS filesystems. If the file is on NFS, OVM uses dm-nfs automatically, otherwise it falls back to using the regular (but slower) loop mount method.

The original dm-nfs module was written by Chuck Lever. It has been supported and used by Oracle VM since version 2.2 and is also included in the Unbreakable Enterprise Kernel for Oracle Linux.

Why this feature matters

This feature creates virtual disk devices (LUNs) where the data is stored in an NFS file instead of on local storage. Managed networked storage has many benefits over keeping virtual devices on a disk local to the physical host.

A sample use case is the fast migration of guest VMs for load balancing or if a physical host requires maintenance. This functionality is also possible using iSCSI LUNs, but the advantage of dm-nfs is that you can manage new virtual drives on a local host system, rather than requiring a storage administrator to initialize new LUNs on the storage subsystem. Host administrators can handle their own virtual disk provisioning.

For durability and performance, dm-nfs uses asynchronous and direct I/O so all I/O operations are performed efficiently and coherently. Guest disk data is not double cached on the underlying host. If the underlying host crashes, there's a lower probability of data corruption. If the guest is frozen, a clean backup can be taken of the virtual disk, as you can be certain that its data has been fully written out.

How to use it

You use dm-nfs by first loading the kernel module, then using dmsetup to create a device mapper device on your file. The syntax is very similar to the dm-linear module.

The following sample code demonstrates how to use dmsetup to create a mapped device (/dev/mapper/$dm_nfsdev) for the file $filename that is accessible on a mounted NFS file system:

nblks=`stat -c '%s' $filename`
echo -n "0 $nblks nfs $filename 0" | dmsetup create $dm_nfsdev

Now you can mount /dev/mapper/$dm_nfsdev like any other filesystem image.

- Lenz Grimmer (Oracle Linux Blog)

Website Newsletter Facebook Twitter

Wednesday Aug 15, 2012

It's Better with Btrfs


Two recently published articles to help you become proficient with the Btrfs file system in Oracle Linux:

How I Got Started with the Btrfs File System in Oracle Linux

By Margaret Bierman

Scalability and volume management. Write methodology and access. Tunables. Margaret describes these capabilities of the Btrfs file system, plus how it deals with redundant configurations, checksums, fault isolation and much more. She also walks you through the steps to create and set up a Btrfs file system so you can become familiar with it.

How I Use the Advanced Features of the Btrfs File System

By Margaret Bierman

How to create and mount a Btrfs file system. How to copy and delete files. How to create and manage a redundant file system configuration. How to check the integrity of the file system and its remaining capacity. How to take snapshots. How to clone. And more. In this article Margaret explores the more advanced features of the Btrfs file system.

Let us know what you think, and what you'd like to see Margaret write about in the future.

- Rick


Tuesday Jul 17, 2012

How to Protect Your Oracle Linux System from the Higgs Boson

Now that the Higgs Boson particle has been gently coaxed out of hiding, you know what's gonna happen, don't you? Your boss is gonna walk into your office and demand a plan for protecting your Oracle Linux system against it.

You could act like a smart aleck sysadmin and inform him or her that it took a team of scientists 10 years and 500 trillion collisions to get conclusive evidence of its existence, and let's not even talk about how difficult it was for God to create the elusive thing, but that would violate the first law of corporate survival:

Never, ever make your boss look stupid

Instead, jump out of your chair and say "OMG! I hadn't thought of that!" Then read our latest article and use what you learn to write up a plan that will make your boss look real good to his or her boss. (Just make sure your name appears nowhere.)

Tips for Hardening an Oracle Linux Server

Lenz Grimmer and James Morris provide guidelines for:

  • Minimizing the software footprint
  • Minimizing active services
  • Locking down network services
  • Disabling or tightening use of SSH
  • Configuring mounts, file permissions, and ownerships
  • Managing Users and Authentication
  • Other Security Features and Tools
  • Cryptography

I hope you enjoy reading the article as much as I did. And good luck with your career.

- Rick


Friday Mar 23, 2012

How to subscribe to the free Oracle Linux errata yum repositories

Now that updates and errata for Oracle Linux are available for free (both as in beer and freedom), here's a quick HOWTO on how to subscribe your Oracle Linux system to the newly added yum repositories on our public yum server, assuming that you just installed Oracle Linux from scratch, e.g. by using the installation media (ISO images) available from the Oracle Software Delivery Cloud.

You need to download the appropriate yum repository configuration file from the public yum server and install it in the yum repository directory. For Oracle Linux 6, run the following command as the root user:

[root@oraclelinux62 ~]# wget \
-P /etc/yum.repos.d/
--2012-03-23 00:18:25--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1461 (1.4K) [text/plain]
Saving to: “/etc/yum.repos.d/public-yum-ol6.repo”

100%[=================================================>] 1,461       --.-K/s   in 0s      

2012-03-23 00:18:26 (37.1 MB/s) - “/etc/yum.repos.d/public-yum-ol6.repo” saved [1461/1461]

For Oracle Linux 5, the file name would be public-yum-ol5.repo in the URL above instead. The "_latest" repositories that contain the errata packages are already enabled by default — you can simply pull in all available updates by running "yum update" next:

[root@oraclelinux62 ~]# yum update
Loaded plugins: refresh-packagekit, security
ol6_latest                                                    | 1.1 kB     00:00     
ol6_latest/primary                                            |  15 MB     00:42     
ol6_latest                                                               14643/14643
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package at.x86_64 0:3.1.10-43.el6 will be updated
---> Package at.x86_64 0:3.1.10-43.el6_2.1 will be an update
---> Package autofs.x86_64 1:5.0.5-39.el6 will be updated
---> Package autofs.x86_64 1:5.0.5-39.el6_2.1 will be an update
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package cvs.x86_64 0:1.11.23-11.el6_0.1 will be updated
---> Package cvs.x86_64 0:1.11.23-11.el6_2.1 will be an update


---> Package yum.noarch 0:3.2.29-22.0.1.el6 will be updated
---> Package yum.noarch 0:3.2.29-22.0.2.el6_2.2 will be an update
---> Package yum-plugin-security.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-plugin-security.noarch 0:1.1.30-10.0.1.el6 will be an update
---> Package yum-utils.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-utils.noarch 0:1.1.30-10.0.1.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                     Arch    Version                       Repository   Size
 kernel                      x86_64  2.6.32-220.7.1.el6            ol6_latest   24 M
 kernel-uek                  x86_64  2.6.32-300.11.1.el6uek        ol6_latest   21 M
 kernel-uek-devel            x86_64  2.6.32-300.11.1.el6uek        ol6_latest  6.3 M
 at                          x86_64  3.1.10-43.el6_2.1             ol6_latest   60 k
 autofs                      x86_64  1:5.0.5-39.el6_2.1            ol6_latest  470 k
 bind-libs                   x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  839 k
 bind-utils                  x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  178 k
 cvs                         x86_64  1.11.23-11.el6_2.1            ol6_latest  711 k


 xulrunner                   x86_64  10.0.3-1.0.1.el6_2            ol6_latest   12 M
 yelp                        x86_64  2.28.1-13.el6_2               ol6_latest  778 k
 yum                         noarch  3.2.29-22.0.2.el6_2.2         ol6_latest  987 k
 yum-plugin-security         noarch  1.1.30-10.0.1.el6             ol6_latest   36 k
 yum-utils                   noarch  1.1.30-10.0.1.el6             ol6_latest   94 k

Transaction Summary
Install       3 Package(s)
Upgrade      96 Package(s)

Total download size: 173 M
Is this ok [y/N]: y
Downloading Packages:
(1/99): at-3.1.10-43.el6_2.1.x86_64.rpm                       |  60 kB     00:00     
(2/99): autofs-5.0.5-39.el6_2.1.x86_64.rpm                    | 470 kB     00:01     
(3/99): bind-libs-9.7.3-8.P3.el6_2.2.x86_64.rpm               | 839 kB     00:02     
(4/99): bind-utils-9.7.3-8.P3.el6_2.2.x86_64.rpm              | 178 kB     00:00     


(96/99): yelp-2.28.1-13.el6_2.x86_64.rpm                      | 778 kB     00:02     
(97/99): yum-3.2.29-22.0.2.el6_2.2.noarch.rpm                 | 987 kB     00:03     
(98/99): yum-plugin-security-1.1.30-10.0.1.el6.noarch.rpm     |  36 kB     00:00     
(99/99): yum-utils-1.1.30-10.0.1.el6.noarch.rpm               |  94 kB     00:00     
Total                                                306 kB/s | 173 MB     09:38     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Retrieving key from
Importing GPG key 0xEC551F03:
 Userid: "Oracle OSS group (Open Source Software group) "
 From  :
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : yum-3.2.29-22.0.2.el6_2.2.noarch                                1/195 
  Updating   : xorg-x11-server-common-1.10.4-6.el6_2.3.x86_64                  2/195 
  Updating   : kernel-uek-headers-2.6.32-300.11.1.el6uek.x86_64                3/195 
  Updating   : 12:dhcp-common-4.1.1-25.P1.el6_2.1.x86_64                       4/195 
  Updating   : tzdata-java-2011n-2.el6.noarch                                  5/195 
  Updating   : tzdata-2011n-2.el6.noarch                                       6/195 
  Updating   : glibc-common-2.12-1.47.el6_2.9.x86_64                           7/195 
  Updating   : glibc-2.12-1.47.el6_2.9.x86_64                                  8/195 


  Cleanup    : kernel-firmware-2.6.32-220.el6.noarch                         191/195 
  Cleanup    : kernel-uek-firmware-2.6.32-300.3.1.el6uek.noarch              192/195 
  Cleanup    : glibc-common-2.12-1.47.el6.x86_64                             193/195 
  Cleanup    : glibc-2.12-1.47.el6.x86_64                                    194/195 
  Cleanup    : tzdata-2011l-4.el6.noarch                                     195/195 

  kernel.x86_64 0:2.6.32-220.7.1.el6                                                 
  kernel-uek.x86_64 0:2.6.32-300.11.1.el6uek                                         
  kernel-uek-devel.x86_64 0:2.6.32-300.11.1.el6uek                                   

  at.x86_64 0:3.1.10-43.el6_2.1                                                      
  autofs.x86_64 1:5.0.5-39.el6_2.1                                                   
  bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2                                             
  bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2                                            
  cvs.x86_64 0:1.11.23-11.el6_2.1                                                    
  dhclient.x86_64 12:4.1.1-25.P1.el6_2.1                                             


  xorg-x11-server-common.x86_64 0:1.10.4-6.el6_2.3                                   
  xulrunner.x86_64 0:10.0.3-1.0.1.el6_2                                              
  yelp.x86_64 0:2.28.1-13.el6_2                                                      
  yum.noarch 0:3.2.29-22.0.2.el6_2.2                                                 
  yum-plugin-security.noarch 0:1.1.30-10.0.1.el6                                     
  yum-utils.noarch 0:1.1.30-10.0.1.el6                                               


At this point, your system is fully up to date. As the kernel was updated as well, a reboot is the recommended next action.

If you want to install the latest release of the Unbreakable Enterprise Kernel Release 2 as well, you need to edit the .repo file and enable the respective yum repository (e.g. "ol6_UEK_latest" for Oracle Linux 6 and "ol5_UEK_latest" for Oracle Linux 5) manually, by setting enabled to "1". The next yum update run will download and install the second release of the Unbreakable Enterprise Kernel, which will be enabled after the next reboot.
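The manual edit described above can be scripted and checked. The following is an added example, not part of the original post: it sets enabled=1 in a single section of a .repo file and then lists every section, flagging enabled repositories that skip package signature checks. The function names, the sample file content and the local_test repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: enable one repository in a yum .repo file, then audit the file.

# enable_repo FILE REPO: set enabled=1 inside the [REPO] section only.
# A section with no "enabled" line is left alone (yum treats it as enabled).
enable_repo() {
    tmp=$(mktemp) || return 1
    awk -v repo="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line ~ /^\[/ { in_repo = (line == "[" repo "]") }
        in_repo && line ~ /^enabled[ \t]*=/ { print "enabled=1"; next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # overwrite in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# audit_repo_file FILE: print "<repo> enabled=<v> gpgcheck=<v> <status>" per section.
# gpgcheck=inherit means the section has no gpgcheck line, so [main] in yum.conf decides.
audit_repo_file() {
    awk '
        function emit(   s) {
            if (name == "") return
            s = "ok"
            if (enabled == "1" && gpgcheck == "0") s = "UNSIGNED"
            else if (enabled == "1" && gpgcheck == "inherit") s = "check-yum.conf"
            printf "%s enabled=%s gpgcheck=%s %s\n", name, enabled, gpgcheck, s
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\][ \t\r]*$/ {
            emit()
            name = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", name)
            enabled = "1"; gpgcheck = "inherit"
            next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t\r]+$/, "", val)
            if (key == "enabled") enabled = val
            if (key == "gpgcheck") gpgcheck = val
        }
        END { emit() }
    ' "$1"
}

# write_sample_repo FILE: constructed sample; the first two section names follow
# the post, local_test is a hypothetical repository with signature checks off.
write_sample_repo() {
    cat > "$1" <<'EOF'
[ol6_latest]
gpgcheck=1
enabled=1

[ol6_UEK_latest]
gpgcheck=1
enabled=0

[local_test]
gpgcheck=0
enabled=1
EOF
}
```

On a real system the file to audit is /etc/yum.repos.d/public-yum-ol6.repo; work on a copy first and run the edit as root.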






Wednesday Mar 21, 2012

Want to Patch your Red Hat Linux Kernel Without Rebooting?

Patched Tube by Morten Liebach (CC BY 2.0)

Are you running Red Hat Enterprise Linux? Take back your weekend and say goodbye to lengthy maintenance windows for kernel updates! With Ksplice, you can install kernel updates while the system is running. Stay secure and compliant without the hassle.

To give you a taste of one of the many features that are included in Oracle Linux Premier Support, we now offer a free 30-day Ksplice trial for RHEL systems. Give it a try and bring your Linux kernel up to date without rebooting (not even once to install it)!

For more information on this exciting technology, read Wim's OTN article on using Oracle Ksplice to update Oracle Linux systems without rebooting.

Watch Waseem Daher (one of the Ksplice founders) tell you more about Ksplice zero downtime updates in the screencast "Zero Downtime OS Updates with Ksplice".

- Lenz

