Using OpenStack images on XenServer – Fedora 22, CentOS 7

For a long time, I’ve been using kickstart scripts (link to GitHub repo) to set up Fedora and CentOS virtual machines on a XenServer host. In the last year or so, the trend of cloud computing has led distributions to release prebuilt “cloud” images in OpenStack-compatible qcow2 or raw disk format, which happen to be broadly compatible with hypervisors. Fedora Cloud’s introduction with F21 prompted me to look into ways of using cloud-init/cloud-config without an entire private cloud infrastructure.

It should no longer be necessary to use a kickstart to install a new VM, because the distribution’s prebuilt images easily work on XenServer with a few conversions.

(Kickstart scripts remain useful for customizing an image, of course; they are often the mechanism with which Linux distros build such images.)

What are prebuilt images?

When I say “prebuilt images”, I mean VM hard disk files released by the Linux distribution. For instance, Fedora 22’s Cloud Base and Atomic Host images are provided in qcow2 and xz’d raw files:

Fedora 22 Cloud Base and Atomic Host images

These releases are designed to work in actual cloud infrastructure—meaning a compute hypervisor (usually KVM), a metadata service that supplies configuration like hostname and networking at boot time, and some APIs that can programmatically affect the virtual machine’s behaviour and configuration. OpenStack is the leading example.

But OpenStack is overkill when you’re just virtualizing a handful of VMs. You don’t need a private cloud when you’re not running a cluster or spinning up machines programmatically. That’s exactly why I found myself running XenServer.

Nonetheless, unless you’re using Xen full paravirtualization (which there are now good reasons to avoid), these images should broadly work with all major hypervisors: QEMU-KVM, VirtualBox, Xen PVHVM, VMware, etc… with minor format tweaks.

How to convert a prebuilt image for use in XenServer

Broadly, there are three steps in the process, the first of which is most important:

  1. Convert qcow2 disk image to VHD.
  2. Import VHD in XenCenter.
  3. Customize imported machine and convert to template.

You can optionally also export the template to an XVA file.

1. Convert qcow2 to VHD

The qemu-img utility can do this. Use your package manager of choice to install (e.g. yum install qemu-img or dnf install qemu-img on F22+). You should do this on another Linux machine (even a VM is okay), because messing with the Xen dom0 is not recommended.

Locate your downloaded *.qcow2 file, which might look something like Fedora-Cloud-Base-22-20150521.x86_64.qcow2. If it’s compressed, like CentOS-Atomic-Host-7.1.2-GenericCloud.qcow2.xz, decompress it first.

Use the command $ qemu-img convert -f qcow2 -O vpc [input file] [output file] to do the conversion. For example,

$ qemu-img convert -f qcow2 -O vpc Fedora-Cloud-Base-22-20150521.x86_64.qcow2 Fedora-Cloud-Base-22-20150521.x86_64.vhd

2. Import the new VHD

If you have XenCenter installed on Windows, use the File -> Import… option to load the VHD. Follow the prompts to set up the VM’s CPU, memory, storage, and networking allocations.

Manual import on command line

Ugh, not using the UI? That means a whole lot more work to import. Are you sure about this???

If you do not have access to XenCenter, it’s a more involved process.

Transfer the newly converted disk image to the hypervisor dom0, such as by copying it into a shared storage location (e.g. NFS image library), and you should be able to use xe vdi-import to load the VHD:

First, get the size of the disk image with $ qemu-img info [VHD file]. Note the size in bytes.

$ qemu-img info Fedora-Cloud-Base-22-20150521.x86_64.vhd
image: Fedora-Cloud-Base-22-20150521.x86_64.vhd
file format: vpc
virtual size: 3.0G (3221471232 bytes)
disk size: 516M
cluster_size: 2097152

Create a VDI in XenServer using the command line tool to hold this new data:

# set SIZE to size in bytes, e.g.
$ SIZE=3221471232
# set SR to the UUID of a storage repository in which to store the VDI
$ SR=$(xe sr-list name-label='NFS virtual disk storage' --minimal)
$ UUID=$(xe vdi-create name-label=Fedora-Cloud-Base-22-20150521.x86_64 virtual-size=$SIZE sr-uuid=$SR type=user)

Then load the VHD:

$ xe vdi-import uuid=$UUID filename=Fedora-Cloud-Base-22-20150521.x86_64.vhd format=vhd --progress

If all has gone well, you get output to the effect of

[|] ######################################################> (100% ETA 00:00:00) 
Total time: 00:00:24

You can check that it’s there by doing

$ xe vdi-list uuid=$UUID

It’s time to make a VM (important: must be PVHVM) to which to attach this VHD. You’ll need to create the CD drive, set up networking, etc., all on the command line. The CD drive should be installed with a cloud-init/cloud-config datasource. (Aren’t you regretting not using the GUI now?)

$ VM=$(xe vm-install new-name-label=Fedora-Cloud-Base-22-20150521 template='Other install media')
# make an optical drive, which you might need for cloud-init
$ xe vm-cd-add cd-name='cloud-init-example.iso' vm=$VM device=3

# get the list of networks and their UUIDs; select one
$ xe network-list
# the following line is an example
$ xe vif-create network-uuid=b4187ad6-916e-d1d4-90a7-2b7f1353bca2 vm-uuid=$VM device=0

Now, create the virtual block device (VBD) that associates the VHD disk image with the VM.

$ VBD=$(xe vbd-create vm-uuid=$VM device=0 vdi-uuid=$UUID bootable=true mode=RW type=Disk)


The VM is now ready (although you’ll need to adjust CPU and RAM, which is outside the scope of this guide), either to be booted or to be stored as a template!
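The manual import steps above, wrapped into one POSIX sh script as an added example (this is not the post’s own code, nor anything shipped by XenServer or Fedora). It assumes qemu-img on the conversion host and xe on dom0, mirrors the post’s exact xe invocations, and adds one check the post does not mention: comparing the downloaded qcow2’s SHA-256 against the value you copy from the distribution’s published CHECKSUM file before converting it. The SR name-label, the network UUID and the ISO name are placeholders to replace; a DRY_RUN mode prints the xe commands instead of running them so you can review them before touching the pool.

```shell
#!/bin/sh
# Added example, not from the original post: automates the manual xe import.
# Assumptions: qemu-img on the conversion host, xe on the XenServer dom0;
# SR label, network UUID and ISO name below are placeholders.
set -eu

# Compare a file's SHA-256 with the hash published in the distribution's
# CHECKSUM file (pass that hash as $2; it is not embedded here).
checksum_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_and_convert QCOW2 EXPECTED_SHA256 OUT_VHD (run on the conversion host)
verify_and_convert() {
    checksum_matches "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
    qemu-img convert -f qcow2 -O vpc "$1" "$3"
}

# Extract the byte count from `qemu-img info` text read on stdin, e.g.
#   virtual size: 3.0G (3221471232 bytes)
# Prints the integer only; prints nothing if no such line exists.
vhd_virtual_size_bytes() {
    sed -n 's/^virtual size: .*(\([0-9][0-9]*\) bytes).*$/\1/p' | head -n 1
}

# vdi-create needs a positive integer byte count; reject anything else.
size_is_valid() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Run a command, or with DRY_RUN set, print it to stderr and emit a
# stand-in for the UUID that xe would have printed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would run: %s\n' "$*" >&2
        echo dry-run-uuid
    else
        "$@"
    fi
}

# import_vhd NAME VHD SIZE_BYTES SR_LABEL NETWORK_UUID ISO_NAME
# Same sequence as the post: vdi-create, vdi-import, vm-install, vm-cd-add,
# vif-create, vbd-create. The last line printed is the new VM's UUID.
import_vhd() {
    name=$1 vhd=$2 size=$3 sr_label=$4 net=$5 iso=$6
    size_is_valid "$size" || { echo "bad virtual size: '$size'" >&2; return 1; }
    sr=$(run xe sr-list name-label="$sr_label" --minimal)
    [ -n "$sr" ] || { echo "no SR named '$sr_label'" >&2; return 1; }
    vdi=$(run xe vdi-create name-label="$name" virtual-size="$size" \
              sr-uuid="$sr" type=user)
    run xe vdi-import uuid="$vdi" filename="$vhd" format=vhd --progress
    vm=$(run xe vm-install new-name-label="$name" template='Other install media')
    run xe vm-cd-add cd-name="$iso" vm="$vm" device=3 >/dev/null
    run xe vif-create network-uuid="$net" vm-uuid="$vm" device=0 >/dev/null
    run xe vbd-create vm-uuid="$vm" device=0 vdi-uuid="$vdi" \
        bootable=true mode=RW type=Disk >/dev/null
    echo "$vm"
}

# Usage on dom0:  DRY_RUN=1 sh import-cloud-image.sh image.vhd [size_bytes]
# dom0 may lack qemu-img, so the size noted on the conversion host can be
# passed as the second argument instead.
if [ "$#" -ge 1 ]; then
    vhd=$1
    size=${2:-$(qemu-img info "$vhd" | vhd_virtual_size_bytes)}
    import_vhd "${vhd%.vhd}" "$vhd" "$size" \
        'NFS virtual disk storage' 'REPLACE-WITH-NETWORK-UUID' 'cloud-init-example.iso'
fi
```

Keep the checksum comparison on the conversion host, where the image was downloaded: once the VHD has been imported into an SR there is no longer a published hash to compare it against, so a tampered or truncated download is easiest to catch before `qemu-img convert` runs.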

3. Customize and convert to template

I like to convert the now-ready VM to a template before using it for anything. This makes it a lot easier to deploy from this point onward. It’s also helpful to tweak the default CPU/memory parameters if desired.

When it’s ready, you can select a halted VM, and choose VM -> Convert to Template… in XenCenter. The equivalent for the xe CLI is something I haven’t figured out yet; the process might require taking a snapshot, and copying the snapshot to become a template.


Avoid flying domestic in China

Xi'an Xianyang International Airport (XIY) departure hall

I originally intended to blog about each city I visited during this vacation in Hong Kong & mainland China, but I got so busy with the actual tourism that I didn’t end up writing anything except for Hong Kong.

However, recent experiences flying (first from Xi’an to Shanghai Pudong, and then from Beijing to my birthplace) have been sufficiently dissatisfactory to warrant a rant about the state of domestic air travel in China.

1. China Southern Airlines problems

Supposedly this is one of the 10 worst airlines in the world, according to Business Insider/Zagat.

Xi’an to Shanghai

Our flight from Xi’an to Shanghai was delayed by about 3 hours. The incoming flight was late supposedly due to weather in Shanghai, so it wasn’t necessarily the airline’s fault. However, communication about the matter was rather poor (see complaints below about the XIY airport) and the delay estimates didn’t seem to be updated in the airline’s electronic systems, even though they knew pretty early on that our flight wouldn’t be able to leave til nearly midnight. China Southern’s website, Google, and (I think) FlightAware, were all providing inaccurate information as a consequence.

Meanwhile, multiple other airlines seemed to have no problem getting planes to fly the same route on time.

Beijing to my hometown

The flight left on time.

Curious observation, not so much a complaint: why did they think it necessary to serve food on a 1.5 hour short haul flight that left at 11 pm? It was a sausage bun of the sort you’d find at an Asian bakery for very cheap… not that one should expect very much of economy class airline food.

I did have an issue with the no mobile phone policy; mobile phone use is prohibited, even in airplane mode. Supposedly this is a Chinese government regulation, one that foreigners have been detained for violating. I’m sure older planes with unshielded wiring could be affected by the cumulative effects of everyone’s EM interference—and that’s probably part of why China’s rules haven’t caught up to Europe’s or the US’s—but I really doubt the A320 would have faced much risk from smartphones in airplane mode. A flight attendant actually came around to enforce the rule. Oh well. I suppose we’ll have to blame the government for this obsolete rule.

Deplaning on the tarmac
Deplaning on the tarmac toward a bus to the gate. Sorry for the blur; I took the picture in a hurry.

2. Airport problems

Xi’an Xianyang International Airport (XIY)

The airport was grand and modern—far bigger than was necessary given the remoteness of and air traffic to that city. When we arrived from Hong Kong by Dragonair, we were basically the only arriving international flight; all the other gates seemed to be empty, and our flight’s baggage came on the only active conveyor belt, right next to a sign with such bad Engrish that it substituted an f for what should have been a t in “tag”.

The departure hall, too, was much bigger than this city needed. There were other more serious problems, though.

Xi'an Xianyang International Airport (XIY) departure hall

For one, the technology seemed to outpace the capabilities of the people—a recurring observation on this trip. Airport employees made simultaneous, overlapping announcements on the PA system, talking over each other. They also made that gross blowing sound into the microphone each time before starting an announcement, as a mic check. For comparison, I’m told that at many Western airports, announcements are recorded and placed into an automated, prioritized queue (e.g. see Phonetica).

Second, the departure hall featured at least one smoking chamber. The one I observed was a glass booth for people to smoke their cigarettes… but the glass walls didn’t reach the floor, so the booth wasn’t actually isolated from the surrounding environment. Smokers also didn’t close the door fully, which led to that entire gate area smelling like smoke, unfortunately triggering my asthmatic cough repeatedly for those three hours we were delayed there.

Third, there was a ridiculous lack of use of digital information systems. The counter at the gate where we were waiting appeared to lack an airline reservations/logistics computer, and delays were usually not reflected on the airport displays, instead being announced in Chinese and broken Engrish on the PA. On the counter hung a piece of paper, hand-filled with the flight number and the fact that there was a delay. Eventually when we boarded, I don’t even recall if our tickets were scanned—just checked by the gate agent or a flight attendant at the gate.

XIY gate counter, with no computer or TV screens specific to that gate

Whatever illusions of modernity and professionalism one got from the physical appearance of the airport were disrupted by these oversights.

Beijing Capital International Airport (PEK) Terminal 2

Never mind that Terminal 2 (T2) and Terminal 3 (T3) are practically separate airports with a minimum connection time (MCT) of 160 minutes for domestic<->international connections… or that the Airport Express train only goes from T3->T2 and not the other way around…

Possibly because of the passenger load at PEK, the airline would not accept checked baggage prior to 3 hours before departure. Consequently, I could not go through security, and had to lug around my heavy suitcase to coffee and dinner in the unsecured area for a few hours… while coping with the dearth of general (i.e. not paid restaurant) seating space prior to security. While I was sipping my drink, I began wheezing and coughing—remember my allergy-related cough?—because some unscrupulous customers were smoking, indoors, in an open restaurant. I can’t believe no one else complained. At last, a waitress told the smoker to put it out.

The story doesn’t get much better after screening. Once inside, I found that my boarding pass did not indicate a gate, and that the terminal displays did not show a gate assignment. My impression, and I could be wrong, is that PEK—and perhaps other airports—does not assign gates until shortly before departure. Unfortunately, that also meant no clear direction to go in the secured area, and nowhere really to sit…

Well, hey, at least I got to charge my phone at a charging station… which other patrons seemed to treat as a garbage bin in table form.

Patrons' food and garbage at a charging station in PEK T2

3. The alternative: high speed rail

High speed rail in China is a wonderful thing. We took it from Shanghai to Nanjing in 2nd class, and from Nanjing to Beijing in 1st class seats. In each segment, top speeds exceeded 300 km/h. Trains always left and arrived on time, and seats were more spacious than any economy class seats on an airplane. Typically trains run about every 15 minutes along this route, and all the ones we took on this trip seemed to be filled.

High speed rail from Shanghai

Here are some photos of Chinese high speed rail stations and trains, from my last visit in 2012:

Given that a trip from Shanghai to Beijing in 2nd class would only be 553 RMB (about $89 USD)—uniform pricing regardless of when the ticket is purchased, unlike airfare—and that train stations are generally more convenient to get to/from than airports are—where a high speed rail link exists, I would definitely choose it.

4. Is it any better in the US?

I don’t fly that much in the US, and when I do, it’s often a rather short flight between Philadelphia and Boston. JetBlue and American are pretty nice, though. Even then, the convenience of taking Amtrak to/from 30th Station in Philadelphia and South Station in Boston usually makes rail travel far preferable to short haul flights when rail is an option.

But I doubt the US will ever develop high speed rail as China has. There’s not enough space or money or will—and, arguably, there is no comparable need.

Do you have comparable complaints about domestic air travel in China or the US? Please share.

Changing this site’s tagline

Previously, my site tagline was “News, technology, life, and more.”

As of today, it is now “Technology, law, life, and more.”

When I first started this blog in 2008, I labelled it “A blog discussing current events, news, politics, technology, law and more.” Even then, as a high schooler, I was interested in the law—and in the intersection of law and technology.

I distanced myself from law for a while, enticed by opportunities in engineering and medicine, right around the time I was applying to university and completing my first year of undergrad. Mirroring this stage of my life, I removed the keywords “politics” and “law”. I blogged about healthcare-related issues.

As I now decide between two fantastic law schools to attend next year, I’ve realized that my entire path has been leading me to this intersection of law & technology. But no matter where I go, I will always be a technologist first; the order of words in “Technology, law, life, and more” reflects that (and the deliberate Oxford comma).

It was time to update my blog to publicly acknowledge my choice of path in life—indeed, my return to my true passions.

How should Internet regulation of content work?

I first published the following query in a closed discussion forum for CIS 125/LAW 613 (Technology & Policy) at Penn Law. It is reposted here with minor edits.

Understanding the layers of the Internet (TCP/IP, etc) helps us to think about Internet governance in terms of allocating scarce resources, such as IP addresses and domain names. There is another layer to regulating the Internet that has little to do with scarcity or technical concerns: content on the World Wide Web. While people around the world effectively must agree to the same technical standards and the same mechanisms of allocating scarce resources in order for the Internet to function, there seems to be disagreement on which laws relating to speech and content apply, the geographic boundaries (if any) within which they apply, and to what extent foreign entities must comply. These concerns are obvious when we talk about the “Great Firewall of China”, highlighted by Google’s pull-out from mainland China, but less so evident when talking about countries that don’t use technical measures to censor citizens’ Web access.

This week, the issue became topical when Russia’s media/telecom regulator clarified existing rules on use of an individual’s image, seeming to outlaw certain forms of the Internet phenomenon known as memes.[1] The clarification came on the heels of a Russian court ruling in favour of a singer whose likeness was used without his permission in various Internet memes, some of which were unflattering. According to the Roskomnadzor—the agency that issued the clarification—as reported by the Washington Post, it is illegal in Russia to depict a public figure in a way that is unrelated to their “personality”, whatever that should mean. As expected, American media quickly seized on this act as part of a broader effort to control dialogue on the Web, at least within the Web as seen in Russia; noncompliance with the agency’s rules can result in a website being blacklisted in all of Russia.[2]

Setting aside any immediate visceral reaction that categorizes this as censorship, we might pause to consider Roskomnadzor’s justification, which pointed to the offence to celebrities’ “honor, dignity and business.”[3] But this is not some novel argument to protect celebrities at the expense of open expression; after all, even US law, which is weaker than European regimes that acknowledge a dignitary right in privacy, protects one’s likeness and privacy to some extent in tort, for very similar reasons.[4] And even if we disagree with the application of this principle in the agency’s rule, protecting individuals’ privacy and identity is still a legitimate state interest.

The real question, I think, is not whether Russia’s rule accomplishes the right balance of priorities, between privacy/control-of-likeness and open expression. After all, the extent to which the rule can even be enforced is dubious. (It would be a waste of resources for the Russian government to go after every meme of Putin on horseback.)

The much more interesting question for us is, to what extent should geopolitical nations be able to control content on the global Web according to their own sovereign laws? Moreover, given the borderless (by default) accessibility of websites and the diverse origins of Web publishers, is it reasonable to burden companies across the world with the task and cost of complying with a patchwork of nation-by-nation rules and judicial orders lest they allow their site to go dark in Pakistan or Russia or China?

In other contexts, like inconsistent cybersecurity laws across US states, companies have found it easiest to follow the strictest set of rules, hence simplifying their task. Maybe an image host like 9gag, catering to meme-makers, would find it technically easiest to comply with these inconsistent rules by deleting content whenever any nation complains. But then free speech everywhere is constrained to the narrowest rules among jurisdictions, so this is an unacceptable outcome. What is the alternative? Does the company have to add technical complexity to its systems to block Russian visitors only from accessing a picture of Putin? Isn’t this option economically inefficient?

Looking to a historical example, even a company that wants to stand up for human rights and free speech principles might find a weighty cost of defiance. In 2010, Google withdrew from operating the mainland Chinese edition of its search engine so as to relieve itself of the burden of obeying mainland Chinese regulations.[5] Reportedly frustrated with complying with strict censorship, and probably having small market share in the shadow of China’s Baidu, Google decided to redirect all mainland Chinese visitors to its Hong Kong edition, which operates under more lax rules. The cost of doing so? Losing relevance in the Chinese market.[6]

Many other companies lacking Google’s backbone and cash would likely roll over when requested to avoid losing their audience. Does this give too much influence to countries like the United States, China, and the UK, over what citizens can see on the Web? Is the Web any better under the rules of the superpowers than under the patchwork of nation-by-nation restrictions on free speech?

Footnotes

1 Megan Geuss, Russia’s Internet censor reminds citizens that some memes are illegal, Ars Technica (Apr. 11, 2015), http://arstechnica.com/tech-policy/2015/04/russias-internet-censor-reminds-citizens-that-some-memes-are-illegal/; Caitlin Dewey, Russia just made a ton of Internet memes illegal, Wash. Post Intersect Blog (Apr. 10, 2015), http://www.washingtonpost.com/news/the-intersect/wp/2015/04/10/russia-just-made-a-ton-of-internet-memes-illegal/.
2 See Caitlin Dewey, supra note 1.
3 Id.
4 Restatement (Second) of Torts § 652A-E (1977).
5 Jemima Kiss, Roundup: Google pulls out of China, Guardian (Mar. 23, 2010), http://www.theguardian.com/media/pda/2010/mar/23/google-china.
6 See Kaylene Hong, Google’s steady decline in China continues, now ranked fifth with just 2% of search traffic, Next Web (Jul. 5, 2013), http://thenextweb.com/asia/2013/07/05/googles-steady-decline-in-china-continues-now-ranked-fifth-with-just-2-of-search-traffic/.

Installing a Puppet master on CentOS 7 with nginx and Unicorn

Puppet master node successful test

I was experimenting with configuration management tools, and wanted to set up a Puppet master node for my virtualized machines.

It is unfortunate that most guides out there today are tailored specifically for Ubuntu, or rely on prepackaged DEBs that do all the work (which, obviously, don’t really help on CentOS/Fedora/RedHat). This guide on DigitalOcean for setting up a Puppet master on Ubuntu 14.04 is pretty solid, but my own preferences are for CentOS and Fedora. Furthermore, I have completely migrated to using nginx in all my servers, though many deployment guides for Puppet still use Apache and Passenger. And the closest I could find in a guide for CentOS 6, nginx, and Unicorn used SysVinit and God… which are unnecessary now that systemd has been adopted.

(If you’re not as picky, just use Foreman Installer. It’ll take care of everything… even on CentOS 7.)

This guide will use:

  • CentOS 7 (at the time of writing, latest release)
    • systemd
  • nginx 1.7.x (mainline, from official nginx repository)
  • Unicorn
  • Puppet open source 3.7.x


Fedora 21 on XenServer

Fedora

In this post:

  1. Prebuilt Fedora Cloud images for XenServer
  2. Kickstart scripts for Fedora Server on XenServer

Fedora 21 was just released earlier this week on December 9, 2014. The biggest change was the separation of the distribution into three “products”:

  • Fedora Cloud, a lightweight optimized distribution for public/private clouds, containerization with Docker and Project Atomic.
  • Fedora Server, the traditional platform for running services, usually on a headless host whether virtualized or on baremetal.
  • Fedora Workstation, a developer-friendly desktop running a cutting edge OS.

Of course, as always, OpenStack/KVM and Docker get a lot of love, but Xen and XenServer are once again ignored. This post is my solution. With the prebuilt images distributed here and the kickstart scripts below, you can deploy Fedora 21 on your own XenServer (6.2+).