It’s been a very busy start to 2010 but I have finally managed to get myself into gear with use of Emacs. I’m using it in console-only guise as far as I can, simply to learn the keystrokes as quickly as possible.
One feature that I’ve been very happy to stumble across is this weblogger.el extension. It means you can simply open a new buffer in Emacs, blog and save – all in minutes, if not seconds! Much better than opening a web page every time you want to blog about something.
The inspiration to really use Emacs in earnest comes from my new hero(in): Sacha Chua. A hugely popular and influential personality, Sacha is a true geek (in the best possible sense, of course) and a rising star for 2010 and beyond. I highly recommend reading Sacha’s blog at sachachua.com.
The problem: you cannot boot a paravirtualised machine from a CD-ROM for the purposes of installing a virtual machine. You may also be on a wireless link set up by NetworkManager, and wlan0 isn’t a bridged interface.
Here’s the solution:
Download the ISO of your favourite distro and burn to DVD, then mount on your machine (this will probably happen just by inserting the disc on your drive). If a window opens in your desktop, highlight the path in the address bar and copy it to the system clipboard (CTRL-C).
Install Apache and start the apache/httpd service.
In /var/www/html (/var/www on Debian, I believe) simply create a symbolic link to the directory where the DVD is mounted. In this example, I am using CentOS:
# ln -s /media/CentOS_5.4_Final/ centos
Now create the virtual machine by starting up virt-manager, ensuring that it can connect to Dom0, and select New…
In the Installation Source section of the virtual machine creation dialog, specify the following parameter:
Installation media URL: http://localhost/centos
(the path to the installer repository)
In the “type of network” selection, select Virtual Interface.
Click through the rest of the set up – but BEFORE YOU COMPLETE IT, GET READY TO PAUSE THE VM. The virtual machine will start up automatically when you finish the set-up steps.
As soon as you start the VM, the initial bootstrapping files should load and the distribution’s kernel should start up. Only when the console window opens should you pause it!
If you are using CentOS, you now need to modify the configuration file that’s been created, following these steps:
Download the Xen kernel and initial ramdisk from here: http://mirror.centos.org/centos/5/os/x86_64/images/xen/ (change the path if you’re using an i386 host)
Save them somewhere sensible: I made /var/lib/xen/boot and put them in there.
Un-pause and shut down the virtual machine.
Modify the config file, to include the paths to the xen-aware kernel and initrd (put these entries at the top, adjusting for your path as necessary):
IMPORTANT – also comment out the line for pygrub, so:
#bootloader = "/usr/bin/pygrub"
Save the config and run the virtual machine. Nearly there! Now open up the console to the virtual machine…
If you are prompted for a network address or DHCP, try DHCP.
If you are prompted for an installation path, stick to HTTP. In a network interface dialog that may appear, choose a manual address that doesn’t conflict with other hosts on your real network (but make sure it’s valid for your network!).
Because the VM now has a virtual network interface, http://localhost/centos is a meaningless path. If the installer identifies this and prompts for an alternative path to the stage2.img file (true in CentOS, at least), then do the following on your host (real) machine:
# ifconfig wlan0
(substitute eth0 for wlan0 if you’re using a wired Ethernet connection)
Paste/type the IP address from the output of ifconfig into the path dialog of the halted installer, but keep the /centos/ directory.
The installer should then run through the rest of the motions and voilà – a paravirtualised virtual machine installed from a local CD/DVD-ROM.
When the installer has finished running, uncomment the pygrub line in the config file.
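The steps above that touch the host can be scripted. The following shell helpers are an added example and are not code from the original post: they publish the mounted DVD through Apache, fetch the Xen kernel and initrd, and switch the domain config between direct kernel boot (for the installer) and pygrub (after installation). The file names vmlinuz and initrd.img, the save location /var/lib/xen/boot, the config path /etc/xen/<name>, and the use of the xm config keys kernel, ramdisk and bootloader are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not stated on
# the page): the domain config lives in /etc/xen/<name>, the Xen-aware
# kernel and initrd are saved as /var/lib/xen/boot/vmlinuz and initrd.img,
# and the config uses the "kernel", "ramdisk" and "bootloader" keys of the
# xm config format.

XEN_BOOT=/var/lib/xen/boot
MIRROR=http://mirror.centos.org/centos/5/os/x86_64/images/xen

# Expose the mounted DVD as http://localhost/centos via the web root.
publish_media() {   # publish_media <dvd-mountpoint> <apache-docroot>
    ln -s "$1" "$2/centos"
}

# Fetch the paravirtualised kernel and initrd for the installer to boot.
fetch_xen_boot() {
    mkdir -p "$XEN_BOOT"
    ( cd "$XEN_BOOT" && wget -q "$MIRROR/vmlinuz" "$MIRROR/initrd.img" )
}

# Switch a domain config to direct kernel boot: prepend the kernel and
# ramdisk lines and comment out the pygrub bootloader. Edits in place.
use_direct_boot() {   # use_direct_boot <config-file>
    cfg=$1
    tmp=$(mktemp) || return 1
    {
        printf 'kernel = "%s/vmlinuz"\n' "$XEN_BOOT"
        printf 'ramdisk = "%s/initrd.img"\n' "$XEN_BOOT"
        sed 's|^bootloader|#bootloader|' "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# After installation: drop the direct-boot lines and re-enable pygrub so
# the guest boots the kernel the installer put in its own /boot.
use_pygrub() {   # use_pygrub <config-file>
    cfg=$1
    tmp=$(mktemp) || return 1
    sed -e 's|^#bootloader|bootloader|' \
        -e '/^kernel = /d' -e '/^ramdisk = /d' "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}
```

Typical use on the host: run fetch_xen_boot once, then use_direct_boot /etc/xen/centos after shutting the VM down, and use_pygrub /etc/xen/centos once the installer has finished, which is the uncomment step described above.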
If you spot any errors with this process, please let me know so I can correct the procedure.
The full title of this blog should really be ‘SELinux is preventing mysqld (mysqld_t) “search” to ./tmp (public_content_rw_t)’ as that is the problem I’ve been having with CentOS recently (and hence my searches on the web for a solution).
The cause of the problem
I use SugarCRM for customer and project management data – and very good it is too! (Gratuitous plug – I can help your company install and use this fine software.) Except that recently, when listing my Accounts within Sugar, I would not see all of the account context. Only the account data itself would be displayed and none of the subpanels/links.
The query to retrieve more data was failing, with this error message displayed in the browser window:
mysqld: Can't create/write to file '/tmp/#08y2jw' (Errcode: 13)
In my system log (/var/log/messages), I also got multiple SELinux errors like this:
Oct 13 09:07:50 server setroubleshoot: SELinux is preventing mysqld (mysqld_t) "read" to ./tmp (public_content_rw_t). For complete SELinux messages. run sealert -l 1762c478-f3a2-4eeb-be09-bd3dc037d945
Clearly, the reason for “Errcode: 13” was SELinux.
Incidentally, if you have seen a similar error on your web site, but with (Errcode: 28) instead, this is likely due to a shortage of disk space. A great way of determining operating system errors like this is to use ‘perror’, thus:
# perror 28
OS error code 28: No space left on device
# perror 13
OS error code 13: Permission denied
So there we are – two distinct and different issues.
With SELinux, resolving the permission issue can be difficult. By issuing
# sealert -l 1762c478-f3a2-4eeb-be09-bd3dc037d945
as suggested above, I got the following output (trimmed for clarity):
Summary:
SELinux is preventing mysqld (mysqld_t) "search" to ./tmp (public_content_rw_t).
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./tmp,
restorecon -v './tmp'
Additional Information:
Source Context root:system_r:mysqld_t
Target Context system_u:object_r:public_content_rw_t
First things first: issuing # restorecon -v './tmp' didn’t fix it for me. I was also surprised to see that the path to /tmp was relative to the current working directory, so I tried a slightly modified # restorecon -v '/tmp', but to no avail. After restarting mysqld, the problem persisted: MySQL was simply being refused access to /tmp. Somewhere, a policy is disallowing this.
It’s a mistake to assume that the source context and target context should be the same; they don’t have to be, as it’s entirely policy-driven. The two Types in the output above (mysqld_t for the source, public_content_rw_t for the target) are the parts I highlighted, because they expose this incorrect assumption (that I previously held).
Find and fix a policy?
Although finding the troublesome policy and analysing it is a Good Thing, it’s also time-consuming and requires significant knowledge of SELinux, chiefly to avoid creating security holes. A better way, I found, was simply to relocate where mysqld tries to store temporary data.
Thanks to Surachart Opun’s blog, I learned that you can specify a new location for temporary files. In /etc/my.cnf, add or edit the tmpdir setting under [mysqld] so that it points at the new directory (the default is /tmp):
[mysqld]
tmpdir=/var/lib/mysql/tmp
Now do the legwork to set up the directory properly:
First, create the directory with appropriate permissions:
# cd /var/lib/mysql
# mkdir tmp
# chown mysql:mysql tmp
# chmod 1750 tmp
Now set the SELinux context up:
# chcon --reference /var/lib/mysql tmp
and make the SELinux context permanent:
# semanage fcontext -a -t mysql_db_t "/var/lib/mysql/tmp(/.*)?"
Finally, restart MySQL:
# service mysqld restart
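The same directory set-up, as an added example that is not from the original post. It differs from the commands above in one respect: instead of typing the type name into the semanage call, it reads the type that /var/lib/mysql actually carries, so the persistent file-context entry is guaranteed to agree with what chcon --reference applied, and it checks the result with restorecon before the restart. The paths, the mysql account and the use of ls -Z, chcon, semanage and restorecon are assumptions about a standard CentOS install; the helper functions and their names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: set up the relocated tmpdir so
# that its SELinux label matches the MySQL data directory, and verify the
# label before restarting. Assumes coreutils ls -Z and the policycoreutils
# tools (chcon, semanage, restorecon); paths and account are assumptions.

MYSQL_HOME=/var/lib/mysql
TMPDIR_NEW=$MYSQL_HOME/tmp

# Pick the context field (user:role:type[:range]) out of one line of
# "ls -Zd" output; the column position differs between distro versions,
# so match the field by shape instead of by number.
context_field() {   # context_field "<ls -Zd line>"
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }'
}

# Type component of a context string,
# e.g. system_u:object_r:mysqld_db_t:s0 -> mysqld_db_t.
type_from_context() {   # type_from_context <context>
    printf '%s\n' "$1" | cut -d: -f3
}

# Type currently applied to a path.
path_type() {   # path_type <path>
    type_from_context "$(context_field "$(ls -Zd "$1")")"
}

setup_mysql_tmpdir() {
    dbtype=$(path_type "$MYSQL_HOME")
    [ -n "$dbtype" ] || return 1
    mkdir -p "$TMPDIR_NEW"
    chown mysql:mysql "$TMPDIR_NEW"
    chmod 1750 "$TMPDIR_NEW"                       # owner rwx, group r-x, sticky
    chcon --reference "$MYSQL_HOME" "$TMPDIR_NEW"  # label it now ...
    semanage fcontext -a -t "$dbtype" "$TMPDIR_NEW(/.*)?"  # ... and for relabels
    # restorecon -n -v lists what it WOULD change; no output means the
    # on-disk label already matches the policy entry just recorded.
    if [ -n "$(restorecon -n -v "$TMPDIR_NEW")" ]; then
        echo "label on $TMPDIR_NEW does not match policy" >&2
        return 1
    fi
}
```

Run setup_mysql_tmpdir as root and only restart mysqld if it returns success; a non-zero return means the directory label and the recorded file context disagree, which is exactly the situation that produced the denials above.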
Closing thoughts: optimisation
The methods above fixed the particular problem I was having. They didn’t, however, actually pinpoint the cause. This is one of the good things about Linux and SELinux in particular: you are forced to rethink what the system is doing and work out a solution that sits within the predefined security context – or learn how to write SELinux policies. Personally, I prefer the former.
There is an additional benefit to the solution above – namely, optimisation. Because we have specified the security context with semanage, we are free to mount an external file system and use that instead for MySQL’s temporary files. In other words, we can maintain the security but increase the performance. One such filesystem could be tmpfs. tmpfs is effectively a RAM disk that uses a fixed amount of RAM to provide file storage. It is much quicker than an on-disk filesystem and thus perfectly suited to storing temporary, cached data. There are many resources about tmpfs on the web. A good introduction to tmpfs can be found at Planet Admon.
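One caveat when doing this: a freshly mounted tmpfs is labelled tmpfs_t by default, not the type recorded with semanage for the directory underneath it, so mounting alone would reintroduce a label mismatch. The snippet below is an added example, not from the original post, showing how to mount tmpfs on the relocated tmpdir with the context that policy expects passed as a mount option. It assumes the file-context entry from the earlier step exists (so matchpathcon returns it), a mysql account, and the path /var/lib/mysql/tmp; the size cap of 256m and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: back the relocated tmpdir with
# tmpfs while keeping the label that policy expects for it. Assumes the
# semanage fcontext entry from the earlier step exists and a mysql account.

TMPDIR_NEW=/var/lib/mysql/tmp

# Mount options: RAM cap, the same 1750 mode and ownership as before, and
# the SELinux context applied to every file on the mount. tmpfs wants
# numeric uid/gid, so callers pass the resolved ids.
tmpfs_opts() {   # tmpfs_opts <context> <size> <uid> <gid>
    printf 'size=%s,mode=1750,uid=%s,gid=%s,context=%s\n' "$2" "$3" "$4" "$1"
}

mount_mysql_tmpfs() {   # mount_mysql_tmpfs [size]   (default 256m)
    ctx=$(matchpathcon -n "$TMPDIR_NEW") || return 1   # context policy expects
    [ -n "$ctx" ] || return 1
    opts=$(tmpfs_opts "$ctx" "${1:-256m}" "$(id -u mysql)" "$(id -g mysql)")
    mount -t tmpfs -o "$opts" tmpfs "$TMPDIR_NEW"
}
```

For a persistent mount, put the same option string on a tmpfs line in /etc/fstab, quoting the context value since it contains colons; after mounting, ls -Zd /var/lib/mysql/tmp should show the semanage type, not tmpfs_t. Size the cap to what MySQL's sorts and temporary tables actually need, because data that does not fit is not spilled to disk by tmpfs.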
That’s right. Your old tat (or, you could say, my old tat) is just about as worthless to everyone else as it is to me. I’ve spent ages on ebay and sold almost nothing. And what I have sold, I sold for 99p.
Give to charity instead, that’s what I should have done! Pah!
So… sometimes I wonder, what’s the point? I add a bookmark, and the Firefox plug-in asks me if I want to add it to delicious, so generally I say yes as I think it’s probably useful to others. But, syncing with delicious doesn’t seem to retain the organisation I give to my bookmarks (they are my bookmarks, after all).
I have installed xMarks to Firefox, which is great. Delicious, on the other hand… it’s not Digg… what is it?
When most of us talk digital cameras, we talk megapixels, ISO, image noise, shot-per-second speed and image processing. We’re tech geeks. But really, none of that stuff matters as much as your camera’s lens.
No doubt open-source proponents will rejoice over this news: The British government has decided to increase its use of open-source software in the public services field. It will be adopted over Windows whenever it delivers the best value for the money. Schools, government offices and public agencies will all give open source a new look.