Archive for May, 2007

The case for “one webapp per VM”

Tuesday, May 29th, 2007

I’ve been spending more time testing out Xen and installing various web-based software, and I think that’s my conclusion. Putting more than one web application in a VM is the same as putting multiple web applications on one machine; eventually you’ll run into problems with the exact versions of the various components of the stack, or the various required auxiliary modules. Perhaps it’s not much of a problem when one webapp depends on Perl::DBI and PostgreSQL and the other on PHP/MySQL. Perhaps it’s OK to run

The “one webapp per VM” policy has its advantages:

  • you’ll never get into trouble when you upgrade your CPAN modules for one app and break something in another app
  • you’ll never get into trouble when you upgrade your PHP pear modules for one app and break something in another app
  • you’ll never get into trouble when you upgrade your Ruby gems for one app and break something in another app
  • restarting apache because of one app won’t affect the others

Of course, there are disadvantages:

  • you suddenly have a whole computer to manage for each app
  • that’s it, I think

The one thing I’m not yet sure about is the database backends. It sure sucks to have a MySQL install on all the machines, requiring separate maintenance and backups. I’m more of a fan of a single db machine that all the different webapps can point to. The webapps tend to care much less about the database version compared to the various module versions.

That darn SELinux!

Saturday, May 12th, 2007

I just moved my blog from LeafyHost to uofr.net because leafyhost sucks. Google can tell you more.

I’ve been using CentOS5 for all my testing since it became available just a few weeks ago. For my CentOS4.4 installs I used to just disable SELinux during the install to save some hassle, but for CentOS5 I decided it’s really time to make use of the SELinux security framework. Of course, now I bang my head against the wall much more often when things fail to work as they should. Example: I install and configure vsftpd, then make a new LV and mount it under /var/ftp. vsftpd starts but doesn’t work properly. Solution: run restorecon -R on /var/ftp, so the freshly mounted filesystem gets the file contexts the policy expects.

Another example: I want to run

    [root@h0 ~]# virt-install --name=guest01 --ram=256 --file=/dev/vg0/test01 --nographics -p --location="ftp://repo.bioinformatics.upenn.edu/pub/CentOS/5.0/os/i386/" -x "ks=/root/anaconda-ks.cfg" --debug

and it fails with a cryptic Python traceback which basically doesn’t say anything beyond “this didn’t work”. Of course, /var/log/messages has

    May 12 18:56:33 h0 kernel: audit(1179010593.257:10): avc: denied { write } for pid=5235 comm="lvm" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
    May 12 18:56:38 h0 kernel: audit(1179010598.690:11): avc: denied { write } for pid=5236 comm="lvscan" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
    May 12 18:57:00 h0 kernel: audit(1179010620.375:12): avc: denied { write } for pid=5237 comm="lvcreate" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file

Ok, what am I supposed to do? The older manual says to run something like audit2allow -i /var/log/messages -o ./test.rules. The newer manual wants me to build a new policy module and load it.

The simplest solution is of course to temporarily disable SELinux, do your thing, then enable it again. Here’s a very nice page describing how to do that.
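Before picking between restorecon, a new policy module or switching SELinux off, it helps to see what the denials actually amount to. The script below is an added example, not something from the original post: it boils the AVC lines from /var/log/messages down to one line per (source type, target type, class, permission) tuple, so the three denials above for lvm, lvscan and lvcreate show up as a single rule you would have to allow. The sample lines are constructed from the ones quoted in the post; the build_local_module function assumes audit2allow and semodule from policycoreutils are present on the CentOS host and is meant to be run by hand, not by the script itself.

```shell
#!/bin/sh
# Added example, not from the original post. Triage the AVC denials that
# SELinux logs before deciding between restorecon, a local policy module
# (audit2allow/semodule) or temporarily disabling enforcement.
# The sample log lines below are constructed from the ones quoted in the post.

AVC_SAMPLE='May 12 18:56:33 h0 kernel: audit(1179010593.257:10): avc: denied { write } for pid=5235 comm="lvm" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
May 12 18:56:38 h0 kernel: audit(1179010598.690:11): avc: denied { write } for pid=5236 comm="lvscan" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
May 12 18:57:00 h0 kernel: audit(1179010620.375:12): avc: denied { write } for pid=5237 comm="lvcreate" name=".cache" dev=dm-0 ino=459835 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 tcontext=root:object_r:lvm_etc_t:s0 tclass=file'

# avc_summary: read syslog/audit lines on stdin and print one line per
# distinct "source type -> target type:class permissions" tuple, prefixed
# with how often it occurred. Three lines from lvm, lvscan and lvcreate
# collapse to a single rule, which is what you would actually need to allow.
avc_summary() {
    grep 'avc: *denied' | awk '
    {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                 # permissions are listed as { p1 p2 ... }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " -> " tgt ":" cls " " perms
        count[key]++
    }
    END { for (k in count) print count[k] " " k }' | sort -rn
}

# avc_summary_from_file: same report for a log file, e.g. /var/log/messages.
avc_summary_from_file() {
    avc_summary < "$1"
}

# build_local_module: the "newer manual" route from the post. Turns the
# denials in a log file into a loadable policy module named "$1" and installs
# it. Hypothetical helper for the SELinux host only; it is not invoked here,
# and the generated .te file is printed so you can read the rules before
# loading them.
build_local_module() {
    name="$1"; log="${2:-/var/log/messages}"
    grep 'avc: *denied' "$log" | audit2allow -M "$name"   # writes $name.te and $name.pp
    cat "$name.te"                                         # review what you are about to allow
    semodule -i "$name.pp"
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

For the sample in the post the report is one line, "3 lvm_t -> lvm_etc_t:file write": the LVM tools running as lvm_t want to write to a file labelled lvm_etc_t. A target type that is a freshly mounted or copied directory points at a labelling problem (restorecon); a target type that is what the policy intended but the access is still missing points at a policy module. Either way the summary is what you feed into the decision, rather than the raw traceback from virt-install.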