Posts Tagged 'Centos'

October 29, 2015

How to measure the performance of striped block storage volumes

To piggyback on the performance specifications of block and file storage offerings, SoftLayer provides a high degree of volume size and performance combinations for your storage needs. But what if your storage performance or size requirements are much more specific than what is currently offered?

In this post, I’ll show you how to configure and validate a sample RAID 0 configuration with:

  1. The use of LVM on CentOS to create a RAID 0 array with 3 volumes
  2. The use of FIO to apply IO load to the array
  3. The ability to measure throughput of the array

Without going into potential drawbacks of RAID 0, we should be able to observe the benefits of up to three times the throughput and size of any single volume. For example, if we needed a volume with 60GB and 240 IOPS, we should be able to stripe three 20GB volumes each at 4 IOPS/GB. You can also extrapolate the benefits from this example to fit a range of performance and reliability requirements.

To start, we will provision 3x 20GB Endurance volumes at 4 IOPS/GB and make them accessible to our CentOS VM but stop short of creating a file system; i.e., you should stop once you are able to list three volumes with:

# fdisk -l | grep /dev/mapper
Disk /dev/mapper/3600a09803830344f785d46426c37364a: 21.5 GB, 21474836480 bytes, 41943040 sectors
Disk /dev/mapper/3600a09803830344f785d46426c373648: 21.5 GB, 21474836480 bytes, 41943040 sectors
Disk /dev/mapper/3600a09803830344f785d46426c373649: 21.5 GB, 21474836480 bytes, 41943040 sectors

Then proceed to create the three-stripe volume with the following commands:

# pvcreate /dev/mapper/3600a09803830344f785d46426c37364a /dev/mapper/3600a09803830344f785d46426c373648 /dev/mapper/3600a09803830344f785d46426c373649
# vgcreate new_vol_group /dev/mapper/3600a09803830344f785d46426c37364a /dev/mapper/3600a09803830344f785d46426c373648 /dev/mapper/3600a09803830344f785d46426c373649
# lvcreate -i3 -I16 -l100%FREE -nstriped_logical_volume new_vol_group

This creates a logical volume with three stripes (-i) and stripe size (-I) of 16KB with a volume size (-l) of 60GB or 100 percent of the free space.

You can now create the file system on the new logical volume, create a mount point, and mount the volume:

# mkfs.ext3 /dev/new_vol_group/striped_logical_volume
# mkdir -p /mnt
# mount /dev/mapper/new_vol_group-striped_logical_volume /mnt

Now download, build, and run FIO:

# yum install -y gcc libaio-devel
# cd /tmp
# wget
# tar -xvf 3aa21b8c106cab742bf1f20d60629e3f
# cd fio-2.1.10/
# make
# make install
# cd /mnt
# fio --randrepeat=1 --ioengine=libaio --direct=1 --gtod_reduce=1 --name=test --filename=test --bs=16k --iodepth=64 --size=1G --readwrite=randrw --rwmixread=50

This will execute the benchmark test at 16KB blocks (--bs), random sequence (--readwrite=randrw), at 50 percent read and 50 percent write (--rwmixread=50). This will run 64 threads (--iodepth=64) until the test file of 1GB (--size=1G) is completed.

Here is a snippet of output once completed:

read : io=51712KB, bw=1955.8KB/s, iops=122, runt= 26441msec
write: io=50688KB, bw=1917.3KB/s, iops=119, runt= 26441msec

This shows that throughput is rated at 122r + 119w = ~240 IOPS. To validate that it is what we expect, we provisioned 3x 20 GB x 4 IOPS/GB = 3 x 80 IOPS = 240 IOPS.
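The same validation can be scripted. The following is an added example, not part of the original post: it parses fio summary lines in the format shown above, sums read and write IOPS, and compares the total with the provisioned aggregate. The function names and the 10 percent tolerance are assumptions.

```shell
#!/bin/sh
# Added example: check fio results against the provisioned IOPS of a striped LV.
# Function names and the default 10% tolerance are illustrative assumptions.

# expected_iops VOLUMES SIZE_GB IOPS_PER_GB -> aggregate IOPS for the stripe
expected_iops() {
    echo $(( $1 * $2 * $3 ))
}

# measured_iops: read fio summary text on stdin, print read + write IOPS.
# Matches fio 2.x summary lines such as "read : io=..., iops=122, ...".
measured_iops() {
    awk '
        /^[ \t]*(read|write)[ \t]*:/ {
            if (match($0, /iops=[0-9]+/))
                total += substr($0, RSTART + 5, RLENGTH - 5)
        }
        END { print total + 0 }
    '
}

# check_stripe EXPECTED MEASURED [TOLERANCE_PCT]
# Returns 0 when MEASURED is within the tolerance band around EXPECTED.
check_stripe() {
    cs_tol=${3:-10}
    cs_low=$(( $1 * (100 - cs_tol) / 100 ))
    cs_high=$(( $1 * (100 + cs_tol) / 100 ))
    if [ "$2" -ge "$cs_low" ] && [ "$2" -le "$cs_high" ]; then
        echo "OK: measured $2 IOPS, expected $1 (+/-${cs_tol}%)"
    else
        echo "MISMATCH: measured $2 IOPS, expected $1 (+/-${cs_tol}%)"
        return 1
    fi
}

# Sample input: the two summary lines quoted in the post.
FIO_SAMPLE='read : io=51712KB, bw=1955.8KB/s, iops=122, runt= 26441msec
write: io=50688KB, bw=1917.3KB/s, iops=119, runt= 26441msec'

want=$(expected_iops 3 20 4)
got=$(printf '%s\n' "$FIO_SAMPLE" | measured_iops)
check_stripe "$want" "$got"
```

A MISMATCH result on a real run is the cue to compare the stripe size (-I) with the fio block size (--bs).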

Here is a table showing how results would differ if we tuned the load with varying block sizes (--bs) :

As you can see from the results, you may not observe the expected 3x throughput (IOPS) in every case, so please be mindful of your logical volume configuration (stripe size) versus your load profile (--bs). Please refer to our FAQ for further details on other possible limits.


April 29, 2013

Web Development - Installing mod_security with OWASP

You want to secure your web application, but you don't know where to start. A number of open-source resources and modules exist, but that variety is more intimidating than it is liberating. If you're going to take the time to implement application security, you don't want to put your eggs in the wrong basket, so you wind up suffering from analysis paralysis as you compare all of the options. You want a powerful, flexible security solution that isn't overly complex, so to save you the headache of making the decision, I'll make it for you: Start with mod_security and OWASP.

ModSecurity (mod_security) is an open-source Apache module that acts as a web application firewall. It is used to help protect your server (and websites) from several methods of attack, the most common being brute force. You can think of mod_security as an invisible layer that separates users and the content on your server, quietly monitoring HTTP traffic and other interactions. It's easy to understand and simple to implement.

The challenge is that without some advanced configuration, mod_security isn't very functional, and that advanced configuration can get complex pretty quickly. You need to determine and set additional rules so that mod_security knows how to respond when approached with a potential threat. That's where Open Web Application Security Project (OWASP) comes in. You can think of the OWASP as an enhanced core ruleset that the mod_security module will follow to prevent attacks on your server.

The process of getting started with mod_security and OWASP might seem like a lot of work, but it's actually quite simple. Let's look at the installation and configuration process in a CentOS environment. First, we want to install the dependencies that mod_security needs:

## Install the GCC compiler and mod_security dependencies ##
$ sudo yum install gcc make
$ sudo yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Now that we have the dependencies in place, let's install mod_security. Unfortunately, there is no yum package for mod_security because it is not a maintained package, so you'll have to install it directly from the source:

## Get mod_security from its source ##
$ cd /usr/src
$ git clone

Now that we have mod_security on our server, we'll install it:

## Install mod_security ##
$ cd ModSecurity
$ ./configure
$ make install

And we'll copy over the default mod_security configuration file into the necessary Apache directory:

## Copy configuration file ##
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

We've got mod_security installed now, so we need to tell Apache about it ... It's no use having mod_security installed if our server doesn't know it's supposed to be using it:

## Apache configuration for mod_security ##
$ vi /etc/httpd/conf/httpd.conf

We'll need to edit our Apache config file to load our dependencies (BEFORE the mod_security module) and the mod_security module itself:

## Load dependencies ##
LoadFile /usr/lib/
LoadFile /usr/lib/
## Load mod_security ##
LoadModule security2_module modules/

We'll save our configuration changes and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

As I mentioned at the top of this post, our installation of mod_security is good, but we want to enhance our ruleset with the help of OWASP. If you've made it this far, you won't have a problem following a similar process to install OWASP:

## OWASP ##
$ cd /etc/httpd/
$ git clone
$ mv owasp-modsecurity-crs modsecurity-crs

Just like with mod_security, we'll set up our configuration file:

## OWASP configuration file ##
$ cd modsecurity-crs
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Now we have mod_security and the OWASP core ruleset ready to go! The last step we need to take is to update the Apache config file to set up our basic ruleset:

## Apache configuration ##
$ vi /etc/httpd/conf/httpd.conf

We'll add an IfModule and point it to our new OWASP rule set at the end of the file:

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

And to complete the installation, we save the config file and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart
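Before relying on the setup, it is worth checking three things the steps above depend on: the dependencies load before security2_module, the CRS Include sits inside a closed IfModule block, and the rule engine is actually blocking (modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which logs but does not block). This is an added example, not code from the original post; the function names and both sample configs are constructed, and the .so paths are placeholders.

```shell
#!/bin/sh
# Added example: lint an Apache + ModSecurity + CRS setup like the one above.
# Function names and both sample configs are constructed for illustration.

# Print the last SecRuleEngine value on stdin (On/Off/DetectionOnly) or "unset".
engine_mode() {
    awk 'tolower($1) == "secruleengine" { m = $2 }
         END { print (m == "" ? "unset" : m) }'
}

# Succeed only if security2_module is loaded and no LoadFile follows it.
# Simplification: any later LoadFile is treated as a misplaced dependency.
load_order_ok() {
    awk '$1 == "LoadModule" && $2 == "security2_module" { seen = 1; next }
         $1 == "LoadFile" && seen { late = 1 }
         END { exit !(seen && !late) }'
}

# Succeed if the CRS base_rules Include sits inside a closed IfModule block.
crs_included() {
    awk '/^[ \t]*<IfModule[ \t]+security2_module>/ { inside = 1; next }
         /^[ \t]*<\/IfModule>/ { if (inside && inc) ok = 1; inside = inc = 0; next }
         inside && $1 == "Include" && $2 ~ /base_rules\// { inc = 1 }
         END { exit !ok }'
}

# lint_modsec HTTPD_CONF_TEXT MODSEC_CONF_TEXT -> non-zero on structural errors
lint_modsec() {
    lm_rc=0
    printf '%s\n' "$1" | load_order_ok ||
        { echo "FAIL: LoadFile dependencies must precede LoadModule security2_module"; lm_rc=1; }
    printf '%s\n' "$1" | crs_included ||
        { echo "FAIL: no CRS base_rules Include inside a closed IfModule block"; lm_rc=1; }
    lm_mode=$(printf '%s\n' "$2" | engine_mode)
    [ "$lm_mode" = "On" ] || echo "WARN: SecRuleEngine is $lm_mode; requests are not blocked"
    return "$lm_rc"
}

# Constructed samples; the .so paths are placeholders, not real file names.
HTTPD_SAMPLE='LoadFile /usr/lib/PLACEHOLDER_DEP_1.so
LoadFile /usr/lib/PLACEHOLDER_DEP_2.so
LoadModule security2_module modules/PLACEHOLDER_MODSEC.so
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>'
MODSEC_SAMPLE='# SecRuleEngine On
SecRuleEngine DetectionOnly'

lint_modsec "$HTTPD_SAMPLE" "$MODSEC_SAMPLE"
```

On a real server, feed the functions the contents of /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/modsecurity.conf instead of the samples.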

And we've got mod_security installed with the OWASP core ruleset! With this default installation, we're leveraging the rules the OWASP open source community has come up with, and we have the flexibility to tweak and enhance those rules as our needs dictate. If you have any questions about this installation or you have any other technical blog topics you'd like to hear from us about, please let us know!


January 24, 2011

5 Steps to Start Using IPv6 (not IPv5)

As Kevin mentioned on Friday, we are less than 45 days from "doomsday." The IANA only has about 3% of the resources required to sustain our current way of life. 6.8 billion people with only 4.3 billion addresses in existence. It's the 2012 saga in 2011: The exhaustion of the Internet's available IP version 4 (IPv4) addresses. What are we going to do?!

Luckily, a lot of people have been hard at work to mitigate the impending Internet crisis. IP version 6 (IPv6) is on the horizon and is already supported by most modern internet enabled devices. If you're like me, the fact that we went from IPv4 to IPv6 might make you wonder, "What happened to IPv5?"

The powers that be didn't decide to rid the number system of the number five because of its mixture of curves and right angles, and it wasn't because they only wanted to use round numbers. IP version 5 (IPv5) was a work in progress and part of a family of experimental protocols by the name of ST (Internet Stream Protocol). ST and later ST-II were connection-oriented protocols that were intended to support the efficient delivery of data streams to applications that required guaranteed data throughput.

An ST packet looks very similar to its IPv4 sibling, and both use the first 8 bits to identify a version number. IPv4 uses those 8 bits to identify IPv4 packets, and ST used the same 8 bits to identify IPv5 packets. Since "version 5" was spoken for, the next iteration in IP advancement became version 6.

If you've been around the SoftLayer blog for a while, you already know a fair bit about IPv6, but you're probably wondering, "What’s next?" How do you actually start using IPv6 yourself?

1. Get a Block of IPv6 Addresses

Lucky for you, the SoftLayer platform is IPv6 ready, and we're already issuing and routing IPv6 traffic. Obtaining a block of public IPs from us is as easy as logging into the portal, pulling up the hardware page of a server and ordering a /64 block of IPv6 IPs for $4/mo per subnet ($10 if you want a portable subnet)!

For those of you that have ordered IPs from us in the past, IPv4 addresses are usually $0.50-$1.00 each. To get a /64 of public static IPv6 addresses, it’s a whopping $0.00 for the entire range. So just how many IPs are in a /64? 256? Try again. 512? Keep going. 1 Million? You’re still cold. Let's try 18.4 quintillion. For those that understand scientific notation better, that is 1.84 x 10^19. If you just want to see the number written in long form, it's 18,446,744,073,709,551,616 IP addresses. That allocation should probably tide you over for a little while.

2. Make Sure Your Server is IPv6 Ready

Most current server operating systems are ready to take the IPv6 leap. This includes Windows 2003 SP1 and most Linux OSes with 2.6.x Linux kernels. We'll focus on Windows and RedHat/CentOS here.

To ready your Windows 2003 server for IPv6, do this:

  1. In Control Panel, double-click Network Connections.
  2. Right-click any local area connection, and then click Properties.
  3. Click Install.
  4. In the "Select Network Component Type" dialog box, click Protocol, then Add.
  5. In the "Select Network Protocol" dialog box, click Microsoft TCP/IP version 6, then OK.
  6. Click Close to save changes to your network connection.

Once IPv6 is installed, IIS will automatically support IPv6 on your web server. If a website was running when you installed the IPv6 stack, you must restart the IIS service before the site begins to listen for IPv6 requests. Sites that you create after you enable IPv6 automatically listen for IPv6. Windows 2008 server should have IPv6 enabled by default.

When your Windows server is ready for IPv6, you will add IPv6 addresses to the server just as you'd add IPv4 addresses ... The only difference is you will edit the properties to the Internet Protocol Version 6 (TCP/IPv6) network protocol.

To ready your RedHat/CentOS servers, do this:

  1. Using your favorite editor, edit /etc/sysconfig/network and enable NETWORKING_IPV6 by changing the "no" to a "yes."


  2. Next edit /etc/sysconfig/network-scripts/ifcfg-eth1 to add IPv6 parameters.

    Add the following to end of the file:



  3. Once you have successfully added your assigned IP addresses, you must restart networking with this command:
    [root@ipv6test /]# service network restart

Once you have completed these steps on your respective OS, you should be able to communicate over the IPv6 stack. To test, you can ping and see if it works.

3. Bind Your New IPv6 Address to Apache/IIS

Now that you have more IPv6 addresses for your server(s) than what's available to the entire world in IPv4 space, you must bind them to IIS or Apache. This is done similarly to the way you bind IPv4 addresses.

In IIS, all IPs that have been added to the system will now be available for use in the website properties. Within Apache, you will add a few directives to ensure your web server is listening on the IPv6 stack ... which brings us to a very important point when it comes to discussing IPv6. Due to the fact that it's full of colons (:), you can’t just write out the IP as you would a 32-bit address.

IPv6 addresses must be specified in square brackets; otherwise the optional port number cannot be determined. To enable Apache to listen to both stacks on separate sockets, you will need to add a new "Listen" directive:

Listen [::]:80

And your Virtual Hosts will look like this:

<VirtualHost [2101:db8::a00:200f:fda7:00ea]>
DocumentRoot /www/docs/
ErrorLog logs/
TransferLog logs/
</VirtualHost>

4. Add Addresses to DNS

The final step in getting up and running is to add your new IPv6 addresses to your DNS server. If you're using an IPv6-enabled DNS server, you will simply insert an 'AAAA' resource record (aka quad-A record) for your host.

5. Test Your Server's IPv6 Accessibility

While your DNS is propagating, you can still test your webserver to see if it responds to the IP you assigned by using square brackets in your browser: http://[2101:db8::a00:200f:fda7:00ea]

This test, of course, will only work if your computer is on an IPv6 network. If you are limited to IPv4, you will need to sign up with a tunnel broker or switch to an ISP that offers IPv6 connectivity.

After about 24 hours, your server and new host should be ready to serve websites on the IPv6 stack.

Good luck!

