Native IPv6 and downtime announcement

Posted: under Uncategorized.

The VPS servers hosted in Germany (IP range 188.40.173.x) now have access to native IPv6 connectivity. The IPv6 connectivity used to be a tunnel to SixXS, but is now native. At this time we only have a single /64 for all VPS servers combined, but that should be sufficient. If you want v6 addresses, please let us know, or just use autoconfiguration.

On another note, the VPS servers in Rotterdam (range: 193.200.132.x) will notice some network downtime tonight, due to network maintenance at the upstream network provider. There will also be some on-site maintenance on the cooling system, but we do not expect any server downtime.

The network downtime in Rotterdam will be between 00:00 and 05:00 on July 3rd 2010, CEST.

Comments (0) Jul 02 2010

More bandwidth usage, lower prices

Posted: under Uncategorized.

Some good news for users of the KVM virtual machines. Traffic limits have been increased by at least 100%. The fee for extra traffic will also be lowered in the coming days. The product page has been changed to reflect the new traffic limits.
The prices of various KVM-based virtual machines have also been lowered significantly.

Comments (0) May 03 2010

Faster servers

Posted: under Uncategorized.

We have recently upgraded the servers that run the VPS’s. New VPS’s will be created on the newer servers, which run quad-core Intel i7 CPU’s. These servers are also housed in a bigger and better-connected datacenter with a largely redundant network and better cooling and power system.

Existing VPS systems can and will be migrated to new systems in the coming weeks, after this has been communicated with the users.

The new datacenter and servers use KVM as a virtualisation platform, which allows us to have virtual machines running operating systems other than Linux, as well as having more flexibility in how virtual machines are configured. We can also use a lot more data traffic in the new facility, so network traffic limits have been increased significantly for these systems.

If you want your system migrated to the new infrastructure, do not hesitate to contact us at order <at> stoned-it <dot> com

Comments (0) Nov 02 2009

A peek into the ‘hacker’ scene

Posted: under Uncategorized.

One of the virtual machines from a customer experienced a hack this week. Nothing too serious, but a script kiddie managed to break into a user-account and used this access to install more exploit scanners on our hardware.

I was called by my friendly network-admin to tell me that we were saturating the network-connection, and he kindly told me which machine was the culprit. It then didn’t take too long to find out what the problem was, which was quickly resolved by closing that user-account and killing the attacking processes.

Looking into the files left behind by the attacker gives some nice insight into the typical script-kiddie way of doing business. I’ll try to give a short peek behind the scenes.

First the machine was being scanned by an SSH password scanner. After a while a successful login was found, and our attacker logged in. This was on May 2nd, and our attacker hung around for about 15 minutes, installing and downloading various attack programs.

He logged in a few more times during the next 2-3 days, but probably had his tools doing their job already, reporting their findings without him having to log on to check.

The tools installed included:

  • A shoutcast server
  • Port-scanners
  • SSH password scanners
  • A list of more than 400000 username/password combinations
  • A VNC authentication scanner
  • Trojan.Linux.RST.b

Comments (0) May 11 2009

Memory configuration of guests changed…

Posted: under Uncategorized.

I’ve reconfigured the configuration of memory for the guests. You should (if you reboot your system) now see double the amount of memory as you would before. Half of this amount is guaranteed, and is what you are actually paying for. The other half of the memory can be used if it’s available.

So if you have a 512MB machine, you should see about 1GB of memory, of which 512M is guaranteed and reserved for your system. You can use the remaining capacity when it’s available, but this space isn’t guaranteed and your processes using it could be killed by the out-of-memory system.

If you need more guaranteed memory for longer periods, please upgrade your account. If you don’t want to see and be able to use the extra capacity, let me know and I’ll present you with your guaranteed amount permanently.

Comments (0) Jan 28 2009

New server certificates

Posted: under Uncategorized.

If you ever used the https sites at stoned-it you might have noticed that the certificate was signed by a Certificate Authority that isn’t included in most browsers (yet). I used to use a CACert.org certificate, which works very well, as long as your browser includes its CA certificate.

I now found another Certificate Authority that could provide me with a free server certificate, and which _IS_ included in the default browser set (at least with Firefox, seems to not be included in IE8). So you should now be presented with a StartSSL signed certificate and no longer be greeted with a certificate warning if you don’t have the CACert.org certificate installed.

Comments (0) Jan 17 2009

Recent Changes

Posted: under Uncategorized.

The Stoned-IT.com zone, and zones connected to the VPS’s have been moved from ns1.maniac.nl/ns1.nerdnet.nl to the nameservers of openprovider. This should guarantee a better reachability of the DNS records.

Stoned-IT can now also handle domain registrations and ssl-certificate requests.

There is now also a RoundCube installation which you can use as webmail client for any IMAP server. You can find the link under the Links header, or by going to https://vps.stoned-it.com/roundcube/

Comments (0) Jan 13 2009

Introduction to OpenVZ based virtualisation

Posted: under Tips'n'Tricks.

VPS.Stoned-IT.com uses OpenVZ virtualisation to provide its users with Virtual Linux Environments. In this article I will try to describe how OpenVZ works, why we use OpenVZ, and what the advantages and disadvantages of using OpenVZ are.

OpenVZ

OpenVZ is a virtualisation technology that was developed by Parallels, and is the basis for their Virtuozzo platform. OpenVZ consists of the open sourced parts of Virtuozzo.

OpenVZ works somewhat like Solaris Zones or FreeBSD jails, in that it uses a single operating system kernel and creates various user-environments within the single operating system space. The various user-environments are called Virtual Environments, or VE.

Users in a VE will have their own view on the available resources in the system. They are only able to see and interact with processes running in the same VE, they only have access to files and diskspace assigned to the VE and can only see network-traffic destined to the IP address assigned to the VE.

Advantages and disadvantages

Because OpenVZ uses a single operating system kernel to provide various Virtual Environments, the overhead of OpenVZ is very low. No memory is wasted by loading copies of the kernel for every VE, and no translation is needed for I/O going to the storage or network.

This allows for very lightweight VE’s, with some environments taking less than 8MB of memory and only a few megabytes of diskspace.

Another advantage of OpenVZ is that it doesn’t require any hardware-assisted virtualisation on the system and it doesn’t need to ‘emulate’ any CPU or I/O instructions, which would put a large strain on the resources.

A disadvantage of the OpenVZ VE’s is that only Linux environments are possible: since the kernel is shared between all environments, it’s not possible for a VE to make modifications to the kernel. The VE’s are also not allowed to change their IP configuration, to act as NFS servers or to mount filesystems, as this would have an impact on the host’s security system.

Your files and processes are visible on the host-system, but hidden from other users of the system. Only the root-user on the host can access your resources. This access is also used to make backups of all your files, so we can help you with a restore in case you accidentally erase some files.

It is possible to mount iso images and use sshfs systems using fuse, but kernel-mode mounting is not available.

Why OpenVZ

For VPS.Stoned-IT.com we decided to use OpenVZ, since it allowed us to use available hardware (without hardware assisted virtualisation) and provide cheap and fast Virtual Environments. The low memory usage and high throughput allows us to provide the users with more memory and I/O speed than would be possible using other techniques.

Comments (0) Nov 07 2008

IPv6 Enabled

Posted: under service updates.

The VPS hosts at Stoned-IT.com are now IPv6 enabled, and all hosts have been given an IPv6 address. More addresses are available on request. If you can’t reach the outside world, you need to create a default route in your VPS to the venet0 interface:

ip -6 route add default dev venet0

Comments (0) Nov 04 2008

Optimizing memory usage on your VPS

Posted: under Tips'n'Tricks.

The smaller VPS’s might be a bit limited in memory if you want to run more advanced web setups. In this post I’ll try to give some pointers on reducing memory usage, so you can have a more fully featured environment without running out of memory.

Looking at the memory usage in a smaller VPS, a few processes stand out:

  • sshd
  • mysql-server
  • apache

These processes are essential to the functioning of a VPS, but they can be tuned a lot. I’ve tuned an 80MB VPS from 4MB free back to 30MB free by making a few small modifications:

  1. Replace openssh-server and clients with dropbear; dropbear only uses 900K vs more than 3MB for OpenSSH
  2. Configure mysql for low-memory systems, by using the my.cnf recommended by vpslink
  3. Run apache’s prefork-mpm with the following settings:
    • StartServers 1
    • MinSpareServers 1
    • MaxSpareServers 5
    • ServerLimit 50
    • MaxClients 50
    • MaxRequestsPerChild 5000
  4. Disable any apache-module that you don’t really need with:
    • a2dismod <module>

Using ‘top’, and sorting on the “RES” column you can easily spot the memory hogs. Try looking for smaller or simpler alternatives for large processes.

Also consider whether you really need each of the services you run, or whether you could do without some of them.

Update 2008/11/04: Some more pointers for reducing your memory footprint (from the perspective of a Debian etch install):

  • Install ‘dash’ and make that the default shell (saves 2MB per shell)
  • Install ‘runit’ to replace init and ‘runit-run’ to replace sysv-rc
  • Install ‘socklog-run’ to replace sysklogd/syslog
  • Remove the gettys (as you only log in over ssh anyway) from /var/service and /etc/sv, then reload runit.

On an otherwise idle and default Debian etch minimal install, this resulted in a memory usage of 2564kb, with the following processes running:

root 1 0.0 0.0 104 20 ? Ss 10:38 0:00 runit
root 2930 0.0 0.7 2736 564 pts/0 Ss 10:48 0:00 dash
root 3429 0.0 0.0 132 32 ? Ss 10:57 0:00 runsvdir -P /var/service log:
root 3431 0.0 0.0 108 28 ? Ss 10:57 0:00 runsv socklog-unix
log 3432 0.0 0.0 160 76 ? S 10:57 0:00 svlogd main/main main/auth main/cron main/daemon main/debug main/ftp main
root 3433 0.0 0.0 108 32 ? Ss 10:57 0:00 runsv socklog-klog
log 3434 0.0 0.0 128 40 ? S 10:57 0:00 svlogd -tt main/main
nobody 3435 0.0 0.4 2528 332 ? S 10:57 0:00 socklog unix /dev/log
root 3436 0.0 0.3 2528 300 ? S 10:57 0:00 socklog ucspi

You still have all the features, and can still use bash for your interactive shells, but you can have the memory resources free when you need them, and also still have cron, syslog and sysv-rc functionality.
You can limit diskspace usage (not mentioned up to here) by using busybox and friends and uninstalling some packages busybox replaces. However, in my experience, diskspace is less of an issue than memory.

Comments (0) Nov 03 2008