Installing KVM in Centos, Redhat or Fedora

KVM is available in RHEL 5.4. I finally managed to find the time to play around with it over the weekend. I don’t think it is as mature as xen, but having said that, I do agree with the approach – kernel virtualisation. Redhat is promoting kvm very hard and you can see it from their website and mailing list. If you are using redhat systems, better upgrade to kvm as xen might be phased out soon.

Unlike xen, I found installing kvm a bit of a pain. I am willing to share what I know and that is what this blog is for.

Check your cpu before you start, because kvm only supports full (hardware-assisted) virtualisation: your /proc/cpuinfo must list either the vmx (intel) or the svm (amd) flag.

Next, I suggest you do a minimal clean centos/rhel/fedora installation. After rebooting, log in as root and add packages as needed. We will start with the kvm package.

yum groupinstall kvm

I didn’t install the virtualisation group because it would bring in the xen hypervisor and related packages – I don’t want that for now.

The pain with kvm is that it doesn’t come with a network bridge (xen wins!). We will need to add one if you want your virtual machine to be on the same network as your physical machine. Assuming my network card is eth1:

cd /etc/sysconfig/network-scripts/
vim ifcfg-eth1

My eth1 config looks like this (the NIC carries no IP address of its own; it is enslaved to the bridge):

# D-Link System Inc RTL8139 Ethernet
DEVICE=eth1
ONBOOT=yes
HWADDR=00:13:46:3a:14:55
BRIDGE=kvmbr0

Now we need to create the kvm bridge, which is where the IP address goes:

vim ifcfg-kvmbr0

my ifcfg-kvmbr0 looks like this:

DEVICE=kvmbr0
TYPE=Bridge
BOOTPROTO=static
GATEWAY=10.1.1.254
IPADDR=10.1.1.201
NETMASK=255.255.255.0
ONBOOT=yes

It’s now time to restart the network:

service network restart

My routing table now looks like this (the default route goes out via kvmbr0, not eth1):

[root@home network-scripts]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 kvmbr0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 kvmbr0
0.0.0.0         10.1.1.254      0.0.0.0         UG    0      0        0 kvmbr0

If you have the firewall turned on, turn netfilter off for the bridge, otherwise every frame bridged to a guest is run through the host’s iptables rules. In /etc/sysctl.conf, add:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Reload sysctl, enable libvirtd at boot and restart it, and we are ready to go:

sysctl -p /etc/sysctl.conf
chkconfig libvirtd on
service libvirtd restart
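As an added pre-flight check (this is example code written for this page, not part of the original post), the following Python script tests the two things that most often go wrong in the steps above: the missing CPU flag, and a NIC/bridge ifcfg pair that is not consistent (an IP address left on the enslaved NIC, a BRIDGE= that points at a file that does not exist, a bridge without TYPE=Bridge). The /proc/cpuinfo flags lines and the ifcfg contents are constructed sample inputs based on the files shown above.

```python
# Constructed sample inputs, not captured from a real host: a /proc/cpuinfo flags line
# with and without the Intel VT flag, and the two ifcfg files from the post.
CPUINFO_VT = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce lm vmx ssse3 cx16\n"
CPUINFO_NO_VT = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce lm ssse3 cx16\n"

IFCFG_ETH1 = """# D-Link System Inc RTL8139 Ethernet
DEVICE=eth1
ONBOOT=yes
HWADDR=00:13:46:3a:14:55
BRIDGE=kvmbr0
"""
IFCFG_KVMBR0 = """DEVICE=kvmbr0
TYPE=Bridge
BOOTPROTO=static
GATEWAY=10.1.1.254
IPADDR=10.1.1.201
NETMASK=255.255.255.0
ONBOOT=yes
"""


def virt_flag(cpuinfo_text):
    """Return 'vmx' (Intel), 'svm' (AMD) or None from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return "vmx" if "vmx" in flags else "svm" if "svm" in flags else None
    return None


def parse_ifcfg(text):
    """ifcfg-* files are KEY=VALUE lines; '#' starts a comment, values may be quoted."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf


def check_bridge(ifcfg_files):
    """ifcfg_files maps file name -> contents. Returns the problems found with every
    NIC that names a BRIDGE=; an empty list means the pairing is consistent."""
    confs = {name: parse_ifcfg(text) for name, text in ifcfg_files.items()}
    problems = []
    for name, nic in confs.items():
        if "BRIDGE" not in nic:
            continue
        br = nic["BRIDGE"]
        bridge = confs.get("ifcfg-" + br)
        if bridge is None:
            problems.append(f"{name}: BRIDGE={br} but there is no ifcfg-{br}")
            continue
        if bridge.get("TYPE") != "Bridge":
            problems.append(f"ifcfg-{br}: needs TYPE=Bridge")
        if "IPADDR" in nic or nic.get("BOOTPROTO") == "dhcp":
            # the address belongs on the bridge; a slave with its own IP breaks routing
            problems.append(f"{name}: an enslaved NIC must not carry its own IP address")
        if bridge.get("BOOTPROTO", "static") == "static" and not {"IPADDR", "NETMASK"}.issubset(bridge):
            problems.append(f"ifcfg-{br}: a static bridge needs IPADDR and NETMASK")
        if nic.get("ONBOOT") != "yes" or bridge.get("ONBOOT") != "yes":
            problems.append(f"{name} and ifcfg-{br} both need ONBOOT=yes")
    return problems


if __name__ == "__main__":
    print(virt_flag(CPUINFO_VT))
    print(check_bridge({"ifcfg-eth1": IFCFG_ETH1, "ifcfg-kvmbr0": IFCFG_KVMBR0}))
```

On a real host, feed it open("/proc/cpuinfo").read() and the contents of the files under /etc/sysconfig/network-scripts/.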

Start the virt-manager GUI:

virt-manager &

I am too lazy to post screenshots. Redhat has done a good job already. Just follow the steps in the redhat kvm guide, starting from Step 3.

If you have selinux running, remember to read the security guide.

If you are using lvm as the disk, you need to fix the file context so the guest images are labelled virt_image_t. My volume group is named “vm”, so my selinux command is:

semanage fcontext -a -t virt_image_t "/dev/mapper/vm(.*)?"

That’s it for now. Merry Christmas!!

Setting Up A Secure Linux Authentication Server Quickly (LDAP + TLS + SAMBA)

Just like microsoft active directory, having a centralised authentication server in linux is important, especially when you have more than one server or service to manage. Just imagine each service (ssh, samba, httpd, etc) having its own user database. Sooner or later, you will find managing users very difficult. A simple task like deleting a user could be daunting. Ideally, we want to have a common authentication mechanism for all services and machines in the network. Most importantly, we need to do it securely.

Unfortunately, doing it in linux is far from easy. That is why the task is usually left to the enterprise experts. Linux traditionally uses NIS, but there is a strong preference for LDAP over NIS nowadays because LDAP has better support for encryption, ie the wrong party cannot decipher or decrypt the data sent over the network.

There are a few LDAP implementations available on the market, but I still find good LDAP documentation lacking in general. The steep learning curve and complicated command line syntax scare people away. Very often, sysadmins have to search high and low to find the right answers. There have been good attempts recently to make everything more user friendly though – check out the Redhat Directory Server (thank you redhat). Something worth mentioning is another integrated solution – FreeIPA. If you are using Centos, the Directory Server package (centos-ds) is available in the c5-testing repository.

The openldap project is a stable LDAP implementation that has been around for a while. I have been using it and like it very much. I know how intimidating LDAP can be for beginners and therefore I wanted to write a tutorial on it. The recent low-key business period gave me a good chance to come up with something. The objective of this tutorial is to set up an openLDAP authentication server as quickly as possible; I will not go into detail about how LDAP works but will provide the relevant configuration parameters. If you are interested in the details, I have provided some good links at the end of the tutorial. This tutorial does assume that you know a bit of linux, are comfortable with the command line and have basic networking concepts. I am using Centos but the process should be similar across other linux distros. If you have the firewall and selinux turned on, I suggest turning them off first during the setup and turning them back on later once you have everything working. If you follow the instructions correctly, you should have a secure authentication server within a short time. Enough of the story, let us start.

Scenario

Imagine we have 2 servers, athena.dev and argos.dev. athena.dev is the client and is to authenticate against the LDAP server (argos.dev) via TLS for both ssh and samba (which allows sharing from windows). Both machines are running Centos 5.3. We are going to add a new LDAP user “bernard” from athena.dev. If everything is successful, we should be able to ssh into athena.dev and access bernard’s home directory from windows as well.

Before we start, make sure that athena.dev and argos.dev resolve to unique IPs. Ideally, you should have a DNS server sitting somewhere in the network. If you find it too complicated to set one up now, just add the IPs to your /etc/hosts file on both machines, ie something like:

192.168.1.100 athena.dev
192.168.1.101 argos.dev

Ping the domain and make sure it works.

1. Setup Server (argos.dev)
* As root, install from centos base:

yum install openldap-servers openldap-clients nss_ldap

* Edit your /etc/openldap/slapd.conf so that it looks like this

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem
# The directive is TLSVerifyClient (TLSClientVerify is not one). 'demand' would require every
# client to present its own certificate, which the athena.dev setup below does not do, so keep
# the default 'never': StartTLS with a server certificate only.
TLSVerifyClient never
database        bdb
suffix          "dc=argos,dc=dev"
rootdn          "cn=Manager,dc=argos,dc=dev"
rootpw  {SSHA}3+F6jATchWGLKNtxtc7SlnfVa2NetAWJ
directory       /var/lib/ldap/

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

* If you are using your own domain name, then your machine’s hostname must be a FQDN.
* Update the rootpw field in /etc/openldap/slapd.conf. Paste the {SSHA} hashed password printed by the command below (never put the clear-text password there):

slappasswd

* Use the sample ldap database

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG

* The next task is to create a quick self-signed certificate. The Makefile in /etc/pki/tls/certs writes the private key and the certificate into the same ldap.pem file.

cd /etc/pki/tls/certs/
make ldap.pem
chown ldap:ldap ldap.pem

(Enter defaults for all questions except the common name/hostname. You need to use a FQDN, ie argos.dev in this case.)

* We need to extract the certificate (and only the certificate, not the private key) from ldap.pem so that clients can verify the server. The key block comes first in the file, so grepping from the CERTIFICATE marker onward picks up just the certificate; check that client.pem contains no PRIVATE KEY block before copying it anywhere.

grep -A 100 CERTIFICATE ldap.pem > client.pem
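As an added illustration (example code written for this page, not from the original post) of what the {SSHA} value that slappasswd prints for rootpw actually is, here is the salted SHA-1 scheme in Python together with a verifier, so you can check a password against a stored hash the way slapd does. PAGE_ROOTPW is the rootpw value from the slapd.conf above; its password is not known here, only its structure is checked.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce the {SSHA} form slappasswd emits: base64(sha1(password || salt) || salt).
    slappasswd uses a random 4-byte salt; one is generated here unless a salt is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split a {SSHA} string into (digest, salt): the salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} hash (rootpw or a userPassword attribute).
    The comparison is constant-time so the check does not leak how many bytes matched."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The rootpw value from the post's slapd.conf: 24 decoded bytes = 20 of digest + 4 of salt.
PAGE_ROOTPW = "{SSHA}3+F6jATchWGLKNtxtc7SlnfVa2NetAWJ"

if __name__ == "__main__":
    h = ssha_hash("example", salt=b"\x00\x01\x02\x03")
    print(h, ssha_verify("example", h), len(ssha_split(PAGE_ROOTPW)[1]))
```

The salt defeats precomputed tables, but SHA-1 is fast, so a weak rootpw is still guessable offline by anyone who can read slapd.conf; keep the file readable by root and the ldap user only.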

Setup Client (athena.dev)

* As a root user, install the required files. You will need the rpmforge repo for smbldap-tools.

yum install openldap-clients nss_ldap samba smbldap-tools --enablerepo=rpmforge

* On the command line, configure the authentication settings:

authconfig-tui
// check "use LDAP" and "USE LDAP AUTHENTICATION", then "NEXT"
// check "Use TLS". For server, "ldap://argos.dev/", BASE DN: dc=argos,dc=dev

(The authconfig-tui command actually does a few more things in the backend, like configuring nsswitch.conf and the pam settings, but we will skip them for now to avoid confusion.)

* Copy the server certificate over to athena.dev:

scp root@argos.dev:/etc/pki/tls/certs/client.pem /etc/openldap/cacerts

* Edit your /etc/ldap.conf file (the one used by nss_ldap and pam_ldap). Towards the end of the file you should have something like this; without the ssl line, binds and passwords would cross the wire in clear text:

uri ldap://argos.dev/
tls_cacert /etc/openldap/cacerts/client.pem
ssl start_tls

* Edit /etc/openldap/ldap.conf. Your file should be something like this:

URI ldap://argos.dev/
BASE dc=argos,dc=dev
TLS_CACERT /etc/openldap/cacerts/client.pem

* We now need to copy the samba LDAP schema over to argos.dev, since the slapd.conf above includes it:

scp /usr/share/doc/samba-3.0.33/LDAP/samba.schema root@argos.dev:/etc/openldap/schema

* On argos.dev, start ldap if not already running and turn it on by default:

service ldap start
chkconfig ldap on

* Back on athena.dev, configure /etc/smbldap-tools/smbldap_bind.conf. You can copy and paste this whole lot (the file holds the Manager password in clear text, so keep it owned by root with mode 600):

slaveDN="cn=Manager,dc=argos,dc=dev"
slavePw="your_password"
masterDN="cn=Manager,dc=argos,dc=dev"
masterPw="your_password"

* configure /etc/smbldap-tools/smbldap.conf. You can copy and paste this whole lot:

sambaDomain="PDC-SRV"
slaveLDAP="argos.dev"
slavePort="389"
masterLDAP="argos.dev"
masterPort="389"
ldapTLS="1"
ldapSSL="0"
verify="require"
cafile="/etc/openldap/cacerts/client.pem"
suffix="dc=argos,dc=dev"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="999999"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="%U.bat"
mailDomain="argos.dev"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

(Tip: I modified these files from the originals; you might want to make a backup first.)
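The three files edited above (slapd.conf on the server, /etc/ldap.conf and smbldap.conf on the client) each have one or two settings that decide whether passwords really travel under TLS. As an added example (written for this page, not part of the original post or of smbldap-tools), here is a small Python audit that parses each format and reports the weak variants beside the corrected ones; the sample file contents are constructed from the post’s configs.

```python
import re


def parse_directives(text):
    """slapd.conf and nss_ldap's /etc/ldap.conf are both 'directive value' lines with
    '#' comments; directive names are case-insensitive and the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def parse_smbldap(text):
    """smbldap.conf is key="value" lines."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))


def audit_slapd(text):
    c, findings = parse_directives(text), []
    if not c.get("tlscertificatefile") or not c.get("tlscertificatekeyfile"):
        findings.append("slapd.conf: TLSCertificateFile/TLSCertificateKeyFile missing, StartTLS cannot work")
    if "tlsclientverify" in c:
        findings.append("slapd.conf: TLSClientVerify is not a slapd directive (the real one is TLSVerifyClient)")
    if c.get("rootpw") and not c["rootpw"].startswith("{"):
        findings.append("slapd.conf: rootpw is clear text, paste the {SSHA} output of slappasswd instead")
    return findings


def audit_nss_ldap(text):
    c, findings = parse_directives(text), []
    if c.get("ssl") not in ("start_tls", "on"):
        findings.append("/etc/ldap.conf: no 'ssl start_tls' (or 'ssl on'), binds and passwords cross the wire in clear")
    if not c.get("tls_cacert"):
        findings.append("/etc/ldap.conf: tls_cacert not set, the server certificate cannot be verified")
    if c.get("tls_checkpeer") == "no":
        findings.append("/etc/ldap.conf: tls_checkpeer no disables certificate checking")
    if not c.get("uri", "").startswith(("ldap://", "ldaps://")):
        findings.append("/etc/ldap.conf: uri missing or malformed")
    return findings


def audit_smbldap(text):
    c, findings = parse_smbldap(text), []
    if c.get("ldapTLS") != "1" and c.get("ldapSSL") != "1":
        findings.append("smbldap.conf: neither ldapTLS nor ldapSSL is 1, smbldap-tools bind in clear text")
    if c.get("verify") != "require":
        findings.append("smbldap.conf: verify should be require so the server certificate is checked")
    if not c.get("cafile"):
        findings.append("smbldap.conf: cafile not set")
    return findings


def audit_all(slapd_conf, nss_ldap_conf, smbldap_conf):
    return audit_slapd(slapd_conf) + audit_nss_ldap(nss_ldap_conf) + audit_smbldap(smbldap_conf)


# Constructed samples: each WEAK variant is the post's file with its TLS lines left
# out or mistyped, each OK variant keeps the settings the post ends up with.
SLAPD_WEAK = 'TLSClientVerify demand\ndatabase bdb\nsuffix "dc=argos,dc=dev"\nrootpw secret\n'
SLAPD_OK = """TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem
database bdb
rootpw {SSHA}3+F6jATchWGLKNtxtc7SlnfVa2NetAWJ
"""
NSS_WEAK = "uri ldap://argos.dev/\nbase dc=argos,dc=dev\ntls_checkpeer no\n"
NSS_OK = "uri ldap://argos.dev/\ntls_cacert /etc/openldap/cacerts/client.pem\nssl start_tls\n"
SMB_WEAK = 'ldapTLS="0"\nldapSSL="0"\nverify="none"\n'
SMB_OK = 'ldapTLS="1"\nldapSSL="0"\nverify="require"\ncafile="/etc/openldap/cacerts/client.pem"\n'

if __name__ == "__main__":
    for finding in audit_all(SLAPD_WEAK, NSS_WEAK, SMB_WEAK):
        print(finding)
    print("corrected set:", audit_all(SLAPD_OK, NSS_OK, SMB_OK))
```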

* Do a quick test and check that ldap is working correctly. If it is not working, look at the troubleshoot section near the end of the tutorial.

ldapsearch -x
// You should see an empty db; it shouldn't throw any error.

* If everything looks OK, let us populate the LDAP db using the magic of samba-tools

smbldap-populate
// this command will prompt you to enter the root password.

* Now let us add a user called bernard from athena.dev

// add one test user called bernard
smbldap-useradd -a -m bernard
smbldap-passwd bernard
// This is enough to get things working. If interested, you can add more user details with smbldap-userinfo

* Configure /etc/samba/smb.conf to something like this. I modified the file from /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smb.conf

[global]
   workgroup = IDEALX-NT
   netbios name = PDC-SRV
   security = user
   enable privileges = yes
   server string = Samba Server %v
   encrypt passwords = Yes
   passdb backend = ldapsam:ldap://argos.dev/
   ldap admin dn = cn=Manager,dc=argos,dc=dev
   ldap ssl = start_tls
   ldap suffix = dc=argos,dc=dev
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers

[homes]
   comment = LAM IT Home Directories
   force create mode = 0660 
   force directory mode = 0770
   writable = yes

* Restart samba:

service smb restart

Time to check your work

If you have been following everything correctly so far, you should have implemented a secure authenticated system in your network. Congratulations! Time to do some checking:

* On athena.dev, try to log in:

ssh bernard@localhost

* bernard does not exist locally on athena.dev, so it should authenticate against argos.dev – the ldap server. You can check this using tcpdump. Open up a new terminal and run:

tcpdump -i eth0 port ldap -v -X

* You should see the data packets exchange between athena.dev and argos.dev. You shouldn’t be able to decipher anything because it has been encrypted with TLS.
* In windows, try mapping the samba share, ie \\athena.dev\homes. You should be in bernard’s home directory after logging in.
* On athena.dev, see the user information using:

smbldap-usershow bernard

Troubleshooting and Tips

* Use tcpdump to check that your password is truly encrypted.
* On argos.dev, you can call the ldap daemon directly to get more debugging information:

service ldap stop
/usr/sbin/slapd -h ldap:/// -u ldap -d9

* testparm is good for debugging the samba config.
* To check the samba connection from the command line, on athena.dev:

smbclient -L localhost -U user

* Finally, don’t forget to look at the logs, ie /var/log/secure, /var/log/messages, /var/log/samba

* ldap uses port 389 and ldaps uses 636. I used TLS (StartTLS) over port 389. You can choose to use ldaps instead, in which case you need to add “ssl on” to /etc/ldap.conf. You can also use the firewall to block whichever of 389 or 636 you are not using. netstat is a good command to check whether the correct ports are open or not.

* Other than smbldap-populate, you can use openldap’s built-in migration scripts to populate the ldap database quickly, ie the scripts in /usr/share/openldap/migration. Personally, I don’t really like them because they bring in a lot of junk (you can configure them, of course).

* TLS encrypts the password on the network. If you like, you can install kerberos as well. There are other benefits to using kerberos.

* If you are using the firewall, remember to turn it back on and open port 389. Port 22 should be open by default.

What’s Next

* You might have noticed that smbldap-useradd tries to create a user directory, ie /home/bernard, on the local machine. This directory will not be accessible from other machines. If this is not desirable, what we need is a global user directory accessible from any machine. To do that, we can change the userHome directive in /etc/smbldap-tools/smbldap.conf to “/home/data/%U”, then NFS share /home/data on the network. If you have selinux or the firewall turned on, you need to make changes to the booleans and ports.

* There are many good ldap management consoles out there. Something with a GUI is a good start. I tried phpldapadmin before; not bad.

* If you are using a web-based management console, add ssl to apache so that the console is encrypted as well.

* If you have password protection for certain web dirs, try to get apache to authenticate against ldap as well. It is not hard; you just need to install the apache ldap module.

Good LDAP + Samba Resource:

I might have left out some details in this tutorial. These resources might help.

* http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
* http://www.openldap.org/doc/admin24/index.html
* http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/
* http://download.gna.org/smbldap-tools/docs/smbldap-tools/
* http://www.nomis52.net/?section=docs&page=samldap

Conclusion

It is definitely confidence boosting to be able to set up a secure ldap server. As a caution, the settings I use here are very generic and suit just this tutorial. If you are doing a live deployment, you will have to tweak the parameters for your own needs. I recommend doing more reading even after getting this to work for the first time.

I spent quite a bit of time writing this tutorial. If you do find it useful, please leave a comment and tell the whole world about it!!!

Peace out,

Bernard Peh
18 Sept 2009

bash expect: script to handle command line prompts

expect is very useful for automating login processes. I think it is helpful for testing as well. A simple login script might work like this:

#!/usr/bin/env expect
# drive a program that asks for a username and password on its terminal
spawn /path/program
expect "Enter Auth Username:"
send "user\n"
expect "Enter Auth Password:"
send "password\n"
# wait for the program to finish; without this, expect exits (and kills the
# spawned program) straight after the last send
expect eof

To install expect, “yum install expect”

bash: passing output from one program to another

Sometimes you want to be able to pass output from one program to another, say from bash to php. There is a neat trick to do it. In php, we execute the bash script restartapache, passing the server name from the request as a single quoted shell argument so that it cannot inject extra commands:

<?php
// escapeshellarg() turns the request parameter into one quoted shell argument,
// so a value like "x; rm -rf /" cannot run a second command.
$command = "/usr/local/bin/restartapache " . escapeshellarg($_GET['server']);
exec($command, $output);
foreach ($output as $v) {
    echo htmlspecialchars($v) . " <br/>"; // the script's output is untrusted text
}
?>

Then in bash, we write the output to a file, cat the file, then remove it.

#!/bin/bash
#
# $Id$
# restart apache in a server
# bernard - 29 Jan 2009
#

name=`basename $0`
if [ $# != 1 ]
 then
  echo "usage: $name <server>" >&2
  exit 1
fi
# mktemp gives an unpredictable file name; a fixed /tmp/$$ could be pre-created
# or symlinked by another local user
tmp=`mktemp /tmp/$name.XXXXXX` || exit 1
# the restart command itself is missing from the page; placeholder shown as a
# comment. Its output (stdout and stderr) goes into the temp file:
#   restart_command "$1" > "$tmp" 2>&1
cat "$tmp"
rm -f "$tmp"
exit 0

Centos – Implementing a vpn server and client using openvpn

Instead of sshing into your home machine from anywhere, it is actually more secure and convenient to use a vpn instead. With a vpn, you can share different subnets as well. The problem most people find is that setting up a vpn server can be complicated – well, not so with openvpn.

This tutorial is a summarised version of http://openvpn.net/howto.html

I am using Centos 5.3 but the principle should work with any distro. The Centos repo doesn’t have the openvpn rpm yet, so we will use the dag repo http://dag.wieers.com/rpm/FAQ.php#B . Install the repo and we are ready to go.

Change to the root user and install openvpn:

sudo -s
yum install openvpn

Get all the necessary files from the sample dir and make them executable:

cd /etc/openvpn
cp -r /usr/share/doc/openvpn-xxx/easy-rsa/2.0 ./
cd 2.0
chmod u+x *

Change the sample vars:

vim vars (change the parameters at the bottom of the file)
source vars

Now build all the necessary certificates and keys:

./clean-all
./build-ca (when prompted with the questions, you have to explicitly enter the common name)
./build-key-server server
./build-key user1 (this is the client key, you can create keys for any no. of users)
./build-dh

Now, set up the config file. Only the server’s own certificate and key, the CA certificate and the DH parameters go into /etc/openvpn; the CA key (ca.key) stays where easy-rsa put it:

cp keys/server.{crt,key} /etc/openvpn
cp keys/ca.crt /etc/openvpn
cp keys/dh1024.pem /etc/openvpn

cp /usr/share/doc/openvpn-xxx/sample-config-files/server.conf /etc/openvpn
cd /etc/openvpn
vim server.conf
(You might want to change the port number, protocol and subnet. You also need to change the remote name.)

Now you need to modify the firewall to accommodate whatever port you are using for the vpn. If you have selinux turned on, you need to label that port for openvpn:

semanage port -a -t openvpn_port_t -p tcp_or_udp your_port_no

Restart openvpn and try to connect to it with a client, which we will set up next:

service openvpn restart

——–
Now let us set up a vpn client using centos and connect to the server.

On the client machine, become root and:

yum install openvpn

Copy the sample config over:

cd /etc/openvpn
cp /usr/share/doc/openvpn-xxx/sample-config-files/client.conf ./

(Now you need to copy the client keys from the server to this directory. Remember the /etc/openvpn/2.0/keys dir you created on the server? You will need to get ca.crt, user1.key and user1.crt from there; use scp, since user1.key is a private key. Instead of putting the config and keys in /etc/openvpn, you can put them in ~/openvpn as well, but then you will need root privileges when executing the openvpn command.)

Edit the config file:

vim client.conf
(Change the remote name, port, ca and key paths. Depending on the server settings, you might need to change the protocol as well.)

Modify the firewall settings if need be. When ready for testing, start the openvpn connection:

openvpn client.conf

You can also setup a windows openvpn client. The details are documented in the openvpn.net how to page as well.

Creating Xen Redundant Virtual Machines with Backup Procedures

It is a good idea to back up the whole virtual machine to a separate machine to achieve redundancy. 99% uptime and full redundancy can be achieved using on-the-fly mirroring, ie network raid 1. Hardware and network performance will determine whether this method works or not. There are a few pieces of software that can achieve this. Many linux administrators use drbd and heartbeat.

An alternative approach is to do a full nightly backup and incremental hourly backups during the day. This is less write intensive, but there is a chance of losing an hour’s worth of work if the actual server goes down. Still, it is a decent solution if there are hardware constraints. I will focus more on this method.

Here is the idea. Imagine we have 2 real machines, machine1 and machine2. lvphp4 is a php4 logical volume running on machine2. It has a backup on machine1. On machine2, write a cron script that runs every hour: it maps the lvphp4 data partition (say partition 2) locally, sshes into machine1 to map and mount the same partition of the backup copy there, then syncs the data over to machine1. Once done, unmount everything and send an email to the administrator if you want. Do the same for the other machine. Assuming that there will not be any base OS changes during the day, we sync the data only.

#!/bin/bash
# hourly cron job on machine2: expose partition 2 of the lvphp4 guest's LV on both
# hosts, rsync it to the standby copy on machine1, then tear the mappings down again
# mount the required partition locally and on machine1
kpartx -a /dev/vg/lvphp4
mount /dev/mapper/lvphp4p2 /mnt/lvphp4p2 || exit 1
ssh root@machine1 "kpartx -a /dev/vg/lvphp4 && mount /dev/mapper/lvphp4p2 /mnt/lvphp4p2" \
  || { umount /mnt/lvphp4p2; kpartx -d /dev/vg/lvphp4; exit 1; }   # never rsync onto an unmounted /mnt
# --delete keeps the standby an exact mirror; the copy travels over ssh
rsync -var -e ssh --delete --stats --progress /mnt/lvphp4p2 root@machine1:/mnt/
# now umount and cleanup everything
ssh root@machine1 "umount /mnt/lvphp4p2; kpartx -d /dev/vg/lvphp4"
umount /mnt/lvphp4p2
kpartx -d /dev/vg/lvphp4

If the virtual machine lvphp4 on machine2 fails for whatever reason, we can bring the backup on machine1 up really quickly by sshing into machine1 and running:

xm create /etc/xen/lvphp4

I believe this part can be integrated into a monitoring software (nagios for example) to achieve redundancy.

The reason lvphp4 fails on machine2 is most likely a hardware failure on machine2. Do not autostart lvphp4, so that when machine2 boots up, lvphp4 doesn’t start by itself while the copy on machine1 is still running. Once machine2 is repaired, choose one night to transfer the backup over from machine1 to machine2. On machine1:

xm shutdown /etc/xen/lvphp4
dd if=/dev/vg/lvphp4 | ssh root@machine2 "dd of=/dev/vg/lvphp4"

I am using this method in the live environment and it works perfectly. rsync does its job really well.

Resizing file based xen virtual machine

You can create file based xen instances (eg, blarblar.img). If you have partitions inside the file and want to increase the disk space, you cannot use resize2fs straight away on it. So you need to create a new larger file, then transfer the old file’s data onto it:

Say I want the new file size to be 4Mb:

dd if=/dev/zero of=newImage.img count=4000 bs=1M

Now, transfer the data over. Note that conv=notrunc is important because we still want the output file to stay at 4 Mb rather than be truncated to the old size.

xm shutdown oldImage.img
dd if=oldImage.img of=newImage.img conv=notrunc

Next, rename the images and boot up:

mv oldImage.img oldImage-dd-mm-yyyy.img
mv newImage.img oldImage.img
xm create /etc/xen/newImage

You can then run resize2fs once the vm is booted up. You can copy the file even while the vm is up, but then there is a danger of data inconsistency. This is easier to manage than using an LV.

How to resize LVM running Xen part 1 – increase disk size

Resizing an lvm volume is straightforward if it doesn’t contain a partition table. Simply do:

lvresize -L disksize /dev/vg/lv
resize2fs /dev/vg/lv

If it is backing a virtual machine like xen and contains a partition table, how you resize the domU, and whether you have to shut the domU down, depends largely on the partition structure. In centos, a default install uses lvm without doing any proper partitioning: unlike traditional partitioning, there are no separate home, usr, tmp partitions etc. In a virtualised environment with the default partitioning scheme, if you want to resize the home partition, you have to resize the root (/) partition. It is not easy to do that from inside domU, so the best way is to do it from dom0.

Resizing domU from dom0 is more involved, so do yourself a favour by having a proper partition scheme like:

/boot
/
/usr
/var
/tmp
swap space, which is 2 times your ram

Having a partitioning scheme like this means that you don’t need to touch / when resizing ‘/home’ or ‘/usr’, which is quite common.

Ok, it’s time to do the dirty job. This article shows how to resize domU from dom0 in case you need to do it. Shut down my domU first.

[root@bpehhome2 mapper]# xm shutdown web

This is a quick overview of my web domU (note that the partitions are not in disk order: partition 2, the root filesystem, sits last, which is what makes it possible to grow it):

[root@bpehhome2 mapper]# fdisk -l /dev/xenvg/XenWeb

Disk /dev/xenvg/XenWeb: 10.5 GB, 10502537216 bytes
255 heads, 63 sectors/track, 1276 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

            Device Boot      Start         End      Blocks   Id  System
/dev/xenvg/XenWeb1   *           1          13      104391   83  Linux
/dev/xenvg/XenWeb2              47        1276     9879975   83  Linux
/dev/xenvg/XenWeb3              14          46      265072+  82  Linux swap / Solaris

If you try resize2fs on /dev/xenvg/XenWeb straight away, resize2fs doesn’t like the MBR and throws an error like so:

resize2fs: Bad magic number in super-block while trying to open /dev/xenvg/XenWeb
Couldn't find valid filesystem superblock.

To overcome that, we need to map the partitions separately and run resize2fs on the one we want. Let us go through the steps in detail.

1) In dom0, check that you have enough disk space. In this example, I have about 3G free. I will add 1G to the XenWeb logical volume.

[root@bpehhome2 mapper]# vgdisplay
--- Volume group ---
VG Name               xenvg
System ID
Format                lvm2
Metadata Areas        1
Metadata Sequence No  90
VG Access             read/write
VG Status             resizable
MAX LV                0
Cur LV                7
Open LV               3
Max PV                0
Cur PV                1
Act PV                1
VG Size               37.16 GB
PE Size               32.00 MB
Total PE              1189
Alloc PE / Size       1066 / 33.31 GB
Free  PE / Size       123 / 3.84 GB
VG UUID               3vcgz5-1O2N-Oj89-o7KK-Tl51-wZbT-z32pgQ

2. I checked my current logical volumes and resized XenWeb to 10000M (lvresize rounds this up to a whole number of 32 MB physical extents, hence 9.78 GB):

[root@bpehhome2 mapper]# lvscan
ACTIVE            '/dev/xenvg/root' [4.50 GB] inherit
ACTIVE            '/dev/xenvg/XenAuth' [8.00 GB] inherit
ACTIVE            '/dev/xenvg/XenDebianDefault' [2.00 GB] inherit
ACTIVE            '/dev/xenvg/swap' [1.00 GB] inherit
ACTIVE            '/dev/xenvg/XenCentOSInstall' [3.00 GB] inherit
ACTIVE            '/dev/xenvg/XenWeb1' [5.03 GB] inherit
ACTIVE            '/dev/xenvg/XenWeb' [9.78 GB] inherit

[root@bpehhome2 ~]# lvresize -L 10000M /dev/xenvg/XenWeb
  Rounding up size to full physical extent 9.78 GB
  Extending logical volume XenWeb to 9.78 GB
  Logical volume XenWeb successfully resized

3. Now I resize partition 2 (XenWeb2) inside /dev/xenvg/XenWeb: delete it and recreate it with the same first cylinder (47) and the new default last cylinder (1276). Keeping the start cylinder identical is what preserves the data on it.

[root@bpehhome2 mapper]# fdisk /dev/xenvg/XenWeb

The number of cylinders for this disk is set to 1276.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk xenvg-XenWeb: 10.5 GB, 10502537216 bytes
255 heads, 63 sectors/track, 1276 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
xenvg-XenWeb1   *           1          13      104391   83  Linux
xenvg-XenWeb2              47        1150     8867880   83  Linux
xenvg-XenWeb3              14          46      265072+  82  Linux swap / Solaris

Partition table entries are not in disk order

Command (m for help): d
Partition number (1-4): 2

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (47-1276, default 47):
Using default value 47
Last cylinder or +size or +sizeM or +sizeK (47-1276, default 1276):
Using default value 1276

Command (m for help): p

Disk xenvg-XenWeb: 10.5 GB, 10502537216 bytes
255 heads, 63 sectors/track, 1276 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
xenvg-XenWeb1   *           1          13      104391   83  Linux
xenvg-XenWeb2              47        1276     9879975   83  Linux
xenvg-XenWeb3              14          46      265072+  82  Linux swap / Solaris

Partition table entries are not in disk order

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
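To check the numbers lvresize and fdisk printed above before trusting the new table, here is a small added Python model (written for this page, not from the original post) of the arithmetic involved: the rounding to physical extents, the number of whole cylinders fdisk sees on the grown LV, the 1 KiB block counts fdisk reports for a cylinder range, and which cylinders a partition table leaves unused. The 63-sector offset for the first partition and the '+' suffix for an odd sector count are fdisk conventions; the geometry constants are the ones fdisk printed for /dev/xenvg/XenWeb.

```python
SECTOR_BYTES = 512
HEADS, SECTORS_PER_TRACK = 255, 63          # geometry fdisk printed for /dev/xenvg/XenWeb
CYL_SECTORS = HEADS * SECTORS_PER_TRACK     # 16065 sectors per cylinder
CYL_BYTES = CYL_SECTORS * SECTOR_BYTES      # 8225280 bytes per cylinder


def round_to_pe(size_mib, pe_mib):
    """lvresize rounds a requested size up to whole physical extents (PE Size 32 MB here)."""
    return -(-size_mib // pe_mib) * pe_mib


def lv_cylinders(size_bytes):
    """Whole cylinders fdisk will see on a volume of this size; the tail is unusable."""
    return size_bytes // CYL_BYTES


def fdisk_blocks(start, end):
    """The 'Blocks' column: 1 KiB blocks for cylinders start..end inclusive. The first
    cylinder loses the 63-sector track holding the MBR; an odd sector count is shown with '+'."""
    sectors = (end - start + 1) * CYL_SECTORS
    if start == 1:
        sectors -= SECTORS_PER_TRACK
    blocks, odd = divmod(sectors, 2)
    return f"{blocks}{'+' if odd else ''}"


def free_cylinders(partitions, total):
    """Cylinders not covered by any (start, end) partition. A non-empty result means the
    LV has space that the partition table is not using yet."""
    used = set()
    for start, end in partitions:
        used.update(range(start, end + 1))
    return [c for c in range(1, total + 1) if c not in used]


def grown_mib(old_blocks, new_blocks):
    """How much a partition grew, in MiB, from two fdisk block counts (without a '+')."""
    return (int(new_blocks) - int(old_blocks)) // 1024


if __name__ == "__main__":
    size = round_to_pe(10000, 32) * 1024 * 1024    # 10502537216 bytes, as fdisk showed
    cyls = lv_cylinders(size)                       # 1276
    before = [(1, 13), (14, 46), (47, 1150)]        # the table before step 3
    after = [(1, 13), (14, 46), (47, 1276)]         # the table after step 3
    print(size, cyls, len(free_cylinders(before, cyls)), free_cylinders(after, cyls))
    print(fdisk_blocks(47, 1276), grown_mib(fdisk_blocks(47, 1150), fdisk_blocks(47, 1276)))
```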

4. Now it’s time to map the partitions. kpartx reads the new table from the device and exposes each partition in /dev/mapper (which also sidesteps the “kernel still uses the old table” warning above). I want to resize2fs partition 2 only.

[root@bpehhome2 mapper]# kpartx -a /dev/xenvg/XenWeb
[root@bpehhome2 ~]# cd /dev/mapper
[root@bpehhome2 mapper]# ls
control     xenvg-XenAuth           xenvg-XenWeb    xenvg-XenWebp2  XenWeb2
xenvg-root  xenvg-XenCentOSInstall  xenvg-XenWeb1   xenvg-XenWebp3  XenWeb3
xenvg-swap  xenvg-XenDebianDefault  xenvg-XenWebp1  XenWeb1

[root@bpehhome2 mapper]# resize2fs XenWeb2
resize2fs 1.39 (29-May-2006)
Please run 'e2fsck -f XenWeb2' first.

[root@bpehhome2 mapper]# e2fsck -f XenWeb2
e2fsck 1.39 (29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/: ***** FILE SYSTEM WAS MODIFIED *****
/: 246443/2143360 files (1.0% non-contiguous), 1037188/2216970 blocks

5. Run resize2fs XenWeb2 again now that e2fsck has passed, then do some cleaning up.

[root@bpehhome2 mapper]# kpartx -d /dev/xenvg/XenWeb

6. Boot up domU and check that everything is working:

[root@bpehhome2 mapper]# xm create /etc/xen/web.cfg

I will blog about shrinking lvm with partition next which is slightly more complex.