Moab 2011: Day 1

This is obviously not the usual techno babble on this blog: This week I'm in Moab (Utah) with my buddy Randy riding our dirt bikes.


Unfortunately we've started off the week with a pretty rough start. Randy's bike is running like crap, and he ended up having to ride his dad's bike today. Even so, we got a nice ~22 miles on the bikes at and near Gemini Bridges. This is a beautiful place, and the "bridge" is pretty darn cool.

P1000202 P1000194

I've uploaded a couple of the videos: and .

I'm uploading a few pictures to Flickr as well, which I'll make available here soon. Tomorrow we'll hopefully head up to Porcupine rim in the morning, and perhaps Fins and Things in the afternoon. Another update tomorrow as well, stay tuned.


Fedora Core 15 and NIC devices ...

I've been upgrading our internal file server at home, and I've done that by rebuilding it in a separate box, and later moving the new drives over to the real server machine. This is all great. However, when I decided to do the final migration, I edited the IP on the "development" box to be the real server IP, but doing so instantly changes the IP on the machine. And therefore, I took out the old (in-use) server ... This seems like an incredibly bad idea, particularly for a server, but for any networking in general.

These changes should clearly not take effect until I either reboot, or restart the network services. What were they thinking?? Also, while I'm griping, why are there two sets of Firewall 'startup' and configs in Fedora Core 15? It's not enough to simply turn off the iptables service any more, you also have run system-config-firewall and turn it off from there (or manually edit its config file I guess).

I tip for the Fedora Core developers: FC (and RHEL) has always been about the server, please continue to make that the priority. All this focus on the desktop will only make you lose market share, Ubuntu alread does a good job there. At a minimum, if I cared about things such as Gnome 3, and automatic "firewalls" and what not, make it a special Fedora spin.

Filtering Drupal comment spam

I get a fair amount of comment spam on my blog, and even after I changed all comments to be moderated, the spammers still persist. I decided to do something about this, and working under the assumption that most spammers are from a few countries, I decided to implement a Geo-location filter for Apache Traffic Server. The code is currently available at, and only works with MaxMind's APIs (but I'd be more than happy to add support for other Geo-location APIs). This plugin also requires PCRE, but that's already a requirement for building ATS, so shouldn't be a problem.

Once compiled and installed (see the README), setting this up is fairly straight forward. In my remap.config, I now have the following rule

map http://localhost:69 @pparam=country \

This says to apply a country based Geo-location filter on this rule, using the additional configurations from deny_spam.conf. This file contains one single line:

^comment/       deny    CN RU IN

This might look draconian, but for now I'm disabling all comment posts from China, Russia and India. For more details on the plugin configurations and features, again see the README from the source above.



yum failures with missing $releasever

During an upgrade (yum update) on a Fedora VM, something went horribly wrong, and it crashed in the middle of the update. After rebooting, and cleaning up the mess, yum still was very unhappy. Running an update would give me errors like

Could not parse metalink$releasever&arch=x86_64 error was 
No repomd file
Error: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

Very odd. It turns out, $releasever was not properly set, and I could not figure out why. Poking around, I realized that $reelasever is supposed to come from examining the version number of a particular RPM package, in my case fedora-release. Well, lo and behold, this package was no longer installed on my box, yum must have uninstalled it, but crashed before installing the new update (or something...). I mounted the Fedora Core DVD, and simple reinstalled the missing package, and things are happy joy joy again. Here's the command:

$ sudo rpm -i ./Packages/fedora-release-13-1.noarch.rpm



Limit a threaded Linux app's CPU consumption

I rarely bother to "rate limit" the amount of CPU my Linux processes can do, but since I unfortunately have to share my desktop with some CPU intensive tasks, sometimes it makes sense to do so, for multi-threaded applications at least. Linux has, for some time now, a feature to set CPU affinity for a process. This is btw something that Sun/Solaris have had for almost as long as I can remember. With this feature, you can specify which CPUs (cores) a process is allowed to use.

As an example, lets assume we want the application traffic_server to only consume core 2 and 3, you'd simply start the application with

# taskset -c 2,3 traffic_server

Now, some applications have this built in (unfortuantely traffic_server does not, yet), and there are APIs in linux to control this (see the man page for sched_setaffinity() ). You can of course also "nice" your application accordingly, but the above lets you get a somewhat more controlled behavior (again, for threaded apps that can use more than one core).


Fedora Core 15 as a VirtualBox guest OS

Fedora Core 15 was released today! I of course went straight into VirtualBox, after the download finished of course, to create a new couple of VMs. As I usually do, I assigned 512MB of RAM for the new VMs (one 32-bit and one 64-bit). Booting up, the kernel would crash, wth? It turns out, 512MB is not enough to boot up FC15, at least not under VirtualBox. I increased the memory allocated to each VM to 768MB, and things works just fine now.

Now of course to deal with the disaster that is Gnome 3.0. It's probably time to switch over to KDE, the Gnome org is just going crazy removing options and configurations for no apparent reason other than telling people they know best. I mean, come on, not even allowing me to use "Select windows when the mouse moves over them"?? Grrrr...

Update: You can achieve this particular setting ("focus follows mouse") using gconf-edit, setting



to "sloppy" (without the quotes). Sigh. Of course, turning on "fallback" mode is almost a requirement.


Stupid benchmark

To add to the pool of braindead benchmarks, but perhaps with a little more reason, I'm adding this, and take it for what it is. If anything, this shows that performance is generally not the primary argument for choosing an intermediary. This is what I've been preaching - Yeah, performance is important, but most servers available today will handle a ridicious amount of HTTP traffic.

This is a test against an AMD Phenom(tm) II X4 940 Processor (very cheap), running across a GigE network. There are two linksys switches between the load geneating host and the server, but no routing or packet filtering. The payload is 100 bytes + a fairly small header, and the test is running with keep-alive.

In all tests, all logging is disabled.


The configs are mostly the defaults, the main thing was I had to jack up the minimum threads, 200 seems to be a reasonable number for this test. During the test, the load goes to 300. The version of varnish is v2.1.5, from the Fedora repository.

5719306 fetches on 450 conns, 450 max parallel, 5.776500E+08 bytes, in 60 seconds
101 mean bytes/fetch
95320.7 fetches/sec, 9.627390E+06 bytes/sec
msecs/connect: 3.955 mean, 6.453 max, 0.162 min
msecs/first-response: 3.546 mean, 1005.235 max, 0.076 min



This is running the older v0.8.53 version, since it's what was made available on the Fedora repo. The configs had to be tuned some, increasing the number of worker processes, setting the open_file_cache high, and also increasing the keepalive_requests setting (high).

5848823 fetches on 450 conns, 450 max parallel, 5.848820E+08 bytes, in 60 seconds
100 mean bytes/fetch
97480.4 fetches/sec, 9.748040E+06 bytes/sec
msecs/connect: 1.340 mean, 3.558 max, 0.469 min
msecs/first-response: 3.522 mean, 280.463 max, 0.067 min


Apache Traffic Server

This is the winner, of course, otherwise I wouldn't have published these results ;). This is running ATS v2.1.8, with mostly stock config. The primary configuration changes is to set the number of worker threads to 5 and turning off some verbose Via and server strings.

6944993 fetches on 450 conns, 450 max parallel, 6.945000E+08 bytes, in 60 seconds
100 mean bytes/fetch
115748.6 fetches/sec, 1.157486E+07 bytes/sec
msecs/connect: 1.805 mean, 2.995 max, 0.519 min
msecs/first-response: 1.736 mean, 218.573 max, 0.081 min


Update: I updated with the latest results from ATS v2.1.9, they are marginally different.

May 2011 Apache Traffic Server performance

I just ran a small tests against Apache Traffic Server, to see how performance has improved since last time. My test box is my desktop, an Intel Core i7-920 at 2.67Ghz (no overclocking), and the client runs on a separate box, over a cheap GigE network (two switches in between). Here are the latest results:

2,306,882 fetches on 450 conns, 450 max parallel, 2.306882E+08 bytes, in 15 seconds
100 mean bytes/fetch
153,792.0 fetches/sec, 1.537920E+07 bytes/sec
msecs/connect: 5.326 mean, 13.078 max, 0.149 min
msecs/first-response: 2.094 mean, 579.752 max, 0.099 min


This is of course for very small objects (100 bytes) served out of RAM cache, with HTTP keep-alive. Still respectable, close to 154k QPS out of a vey low end, commodity box.


Forcing a "check" on a Linux md RAID device

To be proactive, I've found that once in a while (perhaps via a cron job) it might be a good idea to force a Linux RAID (mirror or RAID5/6) to be checked for consistency. This can easily be done from command line, with something like

% sudo echo check >  /sys/block/md0/md/sync_action

Also, to repair bad raid device, perhaps something like

% sudo echo repair >/sys/block/md0/md/sync_action

This second command solved a problem for me, where I'd get an email warnings once a week, saying "WARNING: mismatch_cnt is not 0 on /dev/md0". This was verified with

% sudo cat /sys/block/md1/md/mismatch_cnt



Upgrading Fedora with yum

I've been doing a number of upgrades of Fedora Core recently, and was semi-disappointed with how slow the upgrade process from DVD was. On every upgrade, it had to first install well over 1000 packages from DVD, and to finish it off with a "yum update" after the upgrade, at least another 1000 packages upgraded again. I decided for my next upgrade to do an update on the live system, using yum directly. I decided to follow the excellent upgrade instructions from the Fedora project, and it worked surprisingly well (and much, much faster). On top of that, I also cleaned out some groups that I no longer thought were necessary.

Here's the quick summary of the commands I ran:

# Run an update first, just in case
yum update

# Cleanup/merge config updates
yum install rpmconf
rpmconf -a

# Find and review unused packages
yum install yum-utils
package-cleanup --leaves
# Now yum remove the packages you think should be removed

# Find and review lost packages
package-cleanup --orphans

# Cleanup
yum clean all

# Do the upgrade, preferably in run-level 3 (no GUI)

# For FC13 -> 14 upgrade
rpm --import
# For FC14 -> 15 upgrade
rpm --import
# For FC15 -> 16 upgrade
rpm --import
# For FC16 -> 17 upgrade
rpm --import
# For FC17 - > 18 upgrade
rpm --import
# For FC18 - > 19 upgrade
rpm --import
# For FC19 -> 20 upgrade
rpm --import

yum update yum
# The following steps are a bit different than Fedora recommendations, they
# say to run the updates with --skip-broken. But I don't like it.
yum check
# and then resolve any duplicates. When running the following, you will get
# conflicts, resolve those by uninstalling the offending packages.
# For FC13 -> 14
yum --releasever=14 distro-sync
# For FC14 -> 15
yum --releasever=15 distro-sync
yum groupupdate Base
# For FC15 -> 16
yum --releasever=16 --disableplugin=presto distro-sync
yum groupupdate Base
# For FC16 -> 17
yum --releasever=17 --disableplugin=presto distro-sync
yum groupupdate Base
# For FC17 -> 18
yum --releasever=18 --disableplugin=presto distro-sync
yum groupupdate Base
# For FC18 -> 19
yum --releasever=19 --disableplugin=presto distro-sync
yum groupupdate Base
# For FC19 -> 20
yum --releasever=20 --disableplugin=presto distro-sync
yum groupupdate Base

# Examine other groups and update (or remove) as necessary yum grouplist yum groupupdate "Administration Tools" "Server Configuration Tools" ... # Prepare for boot, assuming your boot device is /dev/sda (change as appropriate) /sbin/grub-install /dev/sda # Or, if you are switching to grub (as in FC16) /sbin/grub2-mkconfig -o /boot/grub2/grub.cfg /sbin/grub2-install /dev/sda # Update startup order; This is not for FC16 or later! cd /etc/rc.d/init.d; for f in *; do /sbin/chkconfig $f resetpriorities; done # Find packages that haven't been upgraded package-cleanup --orphans

I made a small shell script available to make it a little easier to manage the update (and additions / removals) of yum groups. It's far from perfect, and does indeed have bugs, but I still find it helpful. Right now, it still runs the necessary yum commands "interactively", to give you some extra safety deciding if you want to proceed with a particular operation. The script supports upgrading, removing and adding yum groups. It is available from github, at, it is named


Note: I take no responsibilities for failed upgrades, but this process worked nicely for me, upgrading from FC13 to FC14.



Subscribe to RSS