* deduplication and SE virtual machines
@ 2010-07-04 11:41 Russell Coker
From: Russell Coker @ 2010-07-04 11:41 UTC (permalink / raw)
To: SE-Linux
Are there any good software-only (i.e. nothing expensive like NetApp) options
for deduplication of SE Linux virtual machine images?
A basic LVM writable snapshot allows creating a SE Linux test image with less
disk space used. When LVM is used for Xen does the Dom0 do any caching?
Ideally we would have the Dom0 do read-caching of the read-only device.
http://micolous.id.au/archives/2010/01/23/linux-iscsi-cow-images-and-windows-integration/
Apparently dmsetup supports COW images; the man page on my system doesn't
document it, so maybe I would need a newer version. I'm not sure what benefit
this would give over LVM snapshots given that LVM does its stuff on top of DM
anyway.
http://user-mode-linux.sourceforge.net/old/UserModeLinux-HOWTO-7.html
A COW block device for User-Mode Linux does the same thing but possibly works
better with caching, the above URL documents UML COW as giving performance
improvements but I'm unsure of LVM.
Are there any others?
I'm thinking of setting up a Linux virtual machine server for SE Linux
training, and with most COW setups the initial relabel of the filesystem will
put all the meta-data into a separate copy. So ideally there would be a way
of deduplicating this. Also there's no guarantee that the disk blocks used
would be the same so a simple un-COW operation on LVM or something probably
wouldn't be a viable option.
I believe that NetApp does this well, but there's no chance of getting that
sort of hardware.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: deduplication and SE virtual machines
From: Serge E. Hallyn @ 2010-07-07 20:08 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
Quoting Russell Coker (russell@coker.com.au):
> I'm thinking of setting up a Linux virtual machine server for SE Linux
> training, and with most COW setups the initial relabel of the filesystem will
> put all the meta-data into a separate copy. So ideally there would be a way
> of deduplicating this. Also there's no guarantee that the disk blocks used
> would be the same so a simple un-COW operation on LVM or something probably
> wouldn't be a viable option.
Here's an idea - you could create the base fs as a qcow2 block device.
Create copy-on-write images based on that:

    for i in `seq 1 20`; do
        qemu-img create -f qcow2 -b selinux-base.img selinux-vm$i.img
    done

Then use qemu-nbd to export those as /dev/nbdX devices:

    for i in `seq 1 20`; do
        qemu-nbd -c /dev/nbd$i selinux-vm$i.img
    done
I'm guessing at the commands as I haven't quite done it. But then your
containers or VMS or chroots or whatever can mount /dev/nbd$i like a
normal block device, COW based on the same base image.
I'm not sure that would suffice though, if there are a lot of small
files, since presumably the xattrs will be spread out along with the
data. So if that does not suffice (I'd love to hear a report if anyone
tests this), then I think we have another motivator for pushing a
'xattr_file=' mount option, where the specified file has
(inode_num,name,value) triplets for the inodes on the fs, i.e.

    25,security.selinux,root_u:root_r:root_t
    25,security.capabilities,<whatever>
    30,security.selinux,user_u:user_r:serge_t

That way the base fs wouldn't need to change much at all for each
of your VMs. The other motivator of course is common filesystems
which don't support xattrs like squashfs and CIFS. I wonder what
sort of reception such a patch would receive... "welcome back to
year 2000"?
-serge
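The (inode_num,name,value) triplet file proposed above is simple enough to be worth pinning down before anyone writes a mount option for it. The following is an added example, not code from the thread or from any kernel patch: it parses that format, checks that every security.selinux value has the user:role:type[:range] shape, and turns the table into a list of setxattr calls against a caller-supplied inode-to-path map (which you would build by walking the mounted base image with os.lstat). The sample file content is constructed from the three lines in the post; the function names, the comment-line syntax and the restriction to the standard xattr namespaces are my assumptions, not part of the proposal. Applying the plan needs CAP_SYS_ADMIN for the security.* namespace, so the apply step is kept separate from the parse and plan steps.

```python
"""Parse, validate and plan application of an (inode,name,value) xattr triplet file."""
import os
import re
from collections import defaultdict

# SELinux context: user:role:type, optionally followed by an MLS/MCS range
# (the range itself may contain colons, e.g. s0-s0:c0.c1023).
_CONTEXT_RE = re.compile(r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+(:.+)?$")

# Assumed namespaces; the proposal in the thread does not restrict them.
_XATTR_NAMESPACES = ("security.", "system.", "trusted.", "user.")

# Constructed sample: the three triplets from the post plus a comment line.
SAMPLE_XATTR_FILE = """\
# inode,name,value (constructed sample; the comment syntax is an assumption)
25,security.selinux,root_u:root_r:root_t
25,security.capabilities,<whatever>
30,security.selinux,user_u:user_r:serge_t
"""


def parse_xattr_file(text):
    """Return {inode: {xattr_name: value}}; raise ValueError on a malformed line."""
    table = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two commas only: a value may legitimately contain commas.
        parts = line.split(",", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected inode,name,value")
        ino_s, name, value = parts
        if not ino_s.isdigit():
            raise ValueError(f"line {lineno}: inode number {ino_s!r} is not an integer")
        if not name.startswith(_XATTR_NAMESPACES):
            raise ValueError(f"line {lineno}: xattr {name!r} is not in a known namespace")
        table[int(ino_s)][name] = value
    return dict(table)


def validate_selinux_contexts(table):
    """Return [(inode, value)] for security.selinux values that are not user:role:type[:range]."""
    bad = []
    for ino, attrs in sorted(table.items()):
        ctx = attrs.get("security.selinux")
        if ctx is not None and not _CONTEXT_RE.match(ctx):
            bad.append((ino, ctx))
    return bad


def plan_setxattr(table, inode_to_path):
    """Map triplets to (path, name, value) calls.

    Inodes absent from the map are returned separately rather than silently
    dropped: a label that never gets applied is a policy hole, not a no-op.
    """
    plan, missing = [], []
    for ino, attrs in sorted(table.items()):
        path = inode_to_path.get(ino)
        if path is None:
            missing.append(ino)
            continue
        for name, value in sorted(attrs.items()):
            plan.append((path, name, value))
    return plan, missing


def build_inode_map(root):
    """Walk a mounted tree and return {inode: path}, not following symlinks."""
    mapping = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            mapping[os.lstat(path).st_ino] = path
    mapping[os.lstat(root).st_ino] = root
    return mapping


def apply_plan(plan):
    """Apply the planned xattrs; needs CAP_SYS_ADMIN for the security.* namespace."""
    for path, name, value in plan:
        os.setxattr(path, name, value.encode(), follow_symlinks=False)


if __name__ == "__main__":
    table = parse_xattr_file(SAMPLE_XATTR_FILE)
    print("bad contexts:", validate_selinux_contexts(table))
    # Hypothetical paths standing in for a walk of the mounted base image.
    plan, missing = plan_setxattr(table, {25: "/mnt/base/etc/passwd"})
    print("plan:", plan)
    print("inodes without a path:", missing)
```

The check in validate_selinux_contexts is deliberately shape-only: whether root_u:root_r:root_t is a context the loaded policy actually knows is a question for the kernel at setxattr time, and a triplet file should be validated offline before it is ever handed to a mount option.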
* Re: deduplication and SE virtual machines
From: Russell Coker @ 2010-07-08 2:51 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: SE-Linux
On Thu, 8 Jul 2010, "Serge E. Hallyn" <serge@hallyn.com> wrote:
> Here's an idea - you could create the base fs as a qcow2 block device.
> Create copy-on-write images based on that:
>
>     for i in `seq 1 20`; do
>         qemu-img create -f qcow2 -b selinux-base.img selinux-vm$i.img
>     done
>
> Then use qemu-nbd to export those as /dev/nbdX devices:
>
>     for i in `seq 1 20`; do
>         qemu-nbd -c /dev/nbd$i selinux-vm$i.img
>     done
>
> I'm guessing at the commands as I haven't quite done it. But then your
> containers or VMS or chroots or whatever can mount /dev/nbd$i like a
> normal block device, COW based on the same base image.
That's an interesting concept. I guess I can use NBD over ::1 for Xen too.
Also I guess if I wanted to have multiple Xen servers then I could have one
machine supplying all the main storage disk and the others just having disks
for swap spaces.
Is there any Xen management software to setup dozens of virtual machines with
user-names and passwords associated with them to permit all management tasks
including create, destroy, and view the console of Xen servers? Please reply
off-list if you know of any such software.
> I'm not sure that would suffice though, if there are a lot of small
> files, since presumably the xattrs will be spread out along with the
> data. So if that does not suffice (I'd love to hear a report if anyone
> tests this), then I think we have another motivator for pushing a
> 'xattr_file=' mount option, where the specified file has
> (inode_num,name,value) triplets for the inodes on the fs, i.e.
>
>     25,security.selinux,root_u:root_r:root_t
>     25,security.capabilities,<whatever>
>     30,security.selinux,user_u:user_r:serge_t
>
> That way the base fs wouldn't need to change much at all for each
> of your VMs. The other motivator of course is common filesystems
> which don't support xattrs like squashfs and CIFS. I wonder what
> sort of reception such a patch would receive... "welcome back to
> year 2000"?
No, it's more like back to 2003 or whenever it was such support was removed. ;)

But seriously, I think there is a good reason for having this, probably not for
deduplication of unusual cases of virtual machines but for filesystems that
don't have native support for labeling.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog