EL6 Xen Dom0 kernel gets mirrors!

In a bid to provide better service to people using my repo for Xen Dom0 kernels for EL6, I've put in place two mirror sites which yum will be able to use.

I recommend that everyone using my repo install the yum-plugin-fastestmirror plugin for yum and also redownload /etc/yum.repos.d/kernel-xen.repo from here.

If you are able to offer a stable mirror for this repository in another country, please email me!

Xen Dom0 kernel update & new -devel packages

Rebuild based on kernel version. Changelogs are as follows:

* Tue Feb 07 2012 Steven Haigh
- Re-enable all but the digitv USB DVB modules. Sadly, digitv still fails to build.
- Minor tweak of the kernel-xen-devel package.
* Wed Feb 01 2012 Steven Haigh
- Attempt to create kernel-xen-devel package able to build modules from.
- There has been success in building the drbd kernel module against this kernel-xen-devel package - so hopefully others should be buildable without too many issues as well.

I've also included a new bridge-utils package that removes the errors associated with the stock EL6 bridge-utils when doing brctl show.

Xen kernel testers required

Ok, so I've had quite a few requests to get a kernel-xen-devel package happening so people can build third party kernel modules against my Xen Dom0 kernel.

Now I think that I've got this sorted out - but before I inflict it on the world I'd like to get a few testers to check if it works at all. It seems the most common request is to build the drbd module from somewhere (not quite sure where).

As such, I'm hunting for at least one or two people that can install my kernel RPMs + the kernel-xen-devel package and see if they succeed in building third party modules, then let me know if it works or not.

Email me if you're able to help!

Network antispoof with Xen 4.x

I've recently set up a new Xen Dom0 for use by a lot of people - many of whom I may not know very well. This being the case, I want to make sure that people behave and don't take more than they are allocated. The big thing that I needed to solve was people just taking IP addresses out of the /24 assigned to the server.

Xen 3.4.1 had a working solution, however it seems to be completely broken in 4.x.

So, to solve this, I found that you can do some magic in iptables to give the same result.

1) Enable iptables on bridging interfaces in /etc/sysctl.conf:

net.bridge.bridge-nf-call-iptables = 1

Then reload the file using sysctl -p

2) Write the rules in /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [26:2197]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:63703]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d -j ACCEPT
-A FORWARD -s -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
-A FORWARD -s -m mac --mac-source 11:22:33:44:55:67 -j ACCEPT
-A FORWARD -j DROP
COMMIT

3) When you set up the DomU config file in /etc/xen, alter your vif line to specify the MAC address:

vif = [ 'mac=11:22:33:44:55:66,bridge=br0' ]

Now for the explanation. When a packet gets sent TO the DomU, the destination rule is hit and the packet flows TO the DomU. When the DomU replies, if its MAC address doesn't match the one in --mac-source, then the packet is dropped.

The added benefit here is that as we DROP everything else, if the DomU tries to change IP or grab an IP not associated with a MAC, the packets will just get dropped.

Sadly, there's nothing you can do to stop people from using other entries you put on the list - however it does stop random resource grabs for IPs.
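As an added example (not code from the original post), the POSIX shell helper below generates the policy described above for any number of DomUs from an IP/MAC table, emits the matching vif line, and walks the FORWARD chain in rule order to give the verdict for a frame, so the policy can be checked before it is loaded onto the Dom0. The uplink name eth0 and bridge br0 follow the post; the 192.0.2.x / 198.51.100.x addresses and the MAC addresses are constructed sample values. One thing the simulation makes visible is rule order: because the -d rules sit before the --mac-source rules, a frame addressed to a listed DomU is accepted on its destination alone, and only traffic leaving the bridge for other destinations is subject to the source IP/MAC check.

```shell
#!/bin/sh
# Added example, not from the original post: build the antispoof policy
# described above for any number of DomUs and check it offline.
# Assumptions (constructed sample values): uplink eth0, bridge br0, and
# the IP/MAC pairs listed in GUESTS.

# Constructed guest table: one "ip mac" pair per line.
GUESTS='192.0.2.10 11:22:33:44:55:66
192.0.2.11 11:22:33:44:55:67'

# Emit an /etc/sysconfig/iptables *filter table in iptables-save format.
# For every guest: accept traffic TO its IP, accept traffic FROM its IP
# only when the source MAC matches, then DROP everything else forwarded.
gen_antispoof_rules() {
    table="$1"
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i eth0 -p icmp -j ACCEPT' \
        '-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' "$table" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        printf '%s\n' "-A FORWARD -d $ip -j ACCEPT" \
            "-A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    printf '%s\n' '-A FORWARD -j DROP' 'COMMIT'
}

# The vif line that pins the same MAC in the DomU config under /etc/xen.
gen_vif_line() {
    printf "vif = [ 'mac=%s,bridge=br0' ]\n" "$1"
}

# Walk the FORWARD chain in the order the rules are written and print the
# verdict for a frame with the given destination IP, source IP and source
# MAC: destination rules first, then the (source IP, source MAC) pairs,
# then the final DROP.
forward_verdict() {
    table="$1" dst_ip="$2" src_ip="$3" src_mac="$4"
    if printf '%s\n' "$table" | awk '{ print $1 }' | grep -qxF -- "$dst_ip"; then
        echo ACCEPT; return 0
    fi
    if printf '%s\n' "$table" | grep -qxF -- "$src_ip $src_mac"; then
        echo ACCEPT; return 0
    fi
    echo DROP
}

# Demo when run directly: the generated policy, a vif line, and a verdict
# for a DomU that tried to take an unassigned IP (constructed values).
gen_antispoof_rules "$GUESTS"
gen_vif_line 11:22:33:44:55:66
echo "192.0.2.12 from 11:22:33:44:55:66 to 198.51.100.1 -> $(forward_verdict "$GUESTS" 198.51.100.1 192.0.2.12 11:22:33:44:55:66)"
```

Redirect the output of gen_antispoof_rules into /etc/sysconfig/iptables (after checking it by hand) and restart the iptables service; the forward_verdict checks are meant for reviewing a table before it goes live, not as a substitute for testing on the host.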

What's happened to the last few months?

Ok, so I've neglected to put a lot of news up here lately...

1) kernel-xen packages have been updated to

2) Started up a new photography site to try and get some great images to people. I really enjoy taking photos, but DAMN the equipment is expensive. I'm hoping to invest anything made on that site back into equipment to take more photos etc..

3) Damn, Christmas AND New Years has passed. It was the first real Christmas dinner with family and friends that I'd been a part of in my own home for waaay too long. Emma really pulled it all together and I couldn't have done any of it without her.

EL6 Xen kernel updates

I've just posted some new kernel-xen RPMs based on

* Sat Sep 17 2011 Steven Haigh
- Revert "xen/apic: Provide an 'apic_xen' to set the override the apic->[read|write] for all cases."
- Merged in fixes:
      igb: Fix lack of flush after register write and before delay
      fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
      drm/ttm: fix ttm_bo_add_ttm(user) failure path
      x86, UV: Remove UV delay in starting slave cpus
      x86-32, vdso: On system call restart after SYSENTER, use int $0x80
      futex: Fix regression with read only mappings
      ALSA: ac97: Add HP Compaq dc5100 SFF(PT003AW) to Headphone Jack Sense whitelist
      ALSA: snd_usb_caiaq: track submitted output urbs
      befs: Validate length of long symbolic links.
      fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
      perf tools: do not look at ./config for configuration
      mm: fix wrong vmap address calculations with odd NR_CPUS values
      ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc
      hwmon: (ibmaem) add missing kfree
      atm: br2864: sent packets truncated in VC routed mode
      USB: Serial: Added device ID for Qualcomm Modem in Sagemcom's HiLo3G
      USB: usb-storage: unusual_devs entry for ARM V2M motherboard.
      USB: assign instead of equal in usbtmc.c
      USB: xhci: fix OS want to own HC

The guide can be found here.

The future - It's going to be a wild ride.

For a long time now, I've been seeing the effect of technology on everyday life. This is a great video on how technology is causing a very disruptive shift in how we view the world, what it means, and how the next generation will live.

To me, this is one of the best reasons on earth that we should be building the NBN in Australia. The future of having fibre to everywhere will give us a mass of opportunity to live in the new economy in 20-30 years time.

Kernel-xen & xen updates

Just posted an update to both kernel-xen and the xen packages.

Xen changelog:

* Sun Aug 14 2011 Michael Young - 4.1.1-3
- untrusted guest controlling PCI[E] device can lock up host CPU [CVE-2011-3131]

kernel-xen changelog:

* Fri Aug 19 2011 Steven Haigh
! Note: USB-DVB still seems to be broken.
- commit 'v2.6.32.45':
      - Linux
      - powerpc: pseries: Fix kexec on machines with more than 4TB of RAM
      - powerpc: Fix device tree claim code
      - ALSA: snd-usb-caiaq: Fix keymap for RigKontrol3
      - ALSA: timer - Fix Oops at closing slave timer
      - net: Compute protocol sequence numbers and fragment IDs using MD5.
      - crypto: Move md5_transform to lib/md5.c

Details on how to use these packages and set up a repository are available on the EL6 and Xen howto guide.

Kernel-xen updates

Have just finished posting a new kernel-xen to the repo.

* Sun Aug 14 2011 Steven Haigh
- Disabled module creation for USB DVB tuners due to errors on compile. This
  will affect all DVB tuners using the dvb-usb module.
  I would assume most people who run this kernel won't use USB tuners on Dom0.
- Merged in