QEMU with PowerPC64 Guests

TL;DR

For a fully functioning Debian Sid PPC64 guest image, follow the README.txt here: http://npmccallum.fedorapeople.org/qemu/ppc64/debian/

QEMU 1.4.0

With QEMU 1.4.0, PPC64 guests are close to working out of the box. It took some exploration to figure out exactly how to make this work, but it is mostly simple once you figure it out. In short, PPC64 emulation has a flaky IDE controller, which causes random lockups. You can work around this on Debian Sid.

Things that Don’t Work

  • virtio disks: This appears to be a QEMU problem as I can’t get it to work without random lockups on numerous distros, most notably Fedora 18.
  • graphical console: The only way to get the system to boot is with -nographic.
  • boot-loader after install: I’m not sure why, but this crashes QEMU. The workaround is to load the kernel/initrd directly and bypass the boot-loader.
  • power management: There are no fancy features like rebooting or powering off. You’ll have to do it manually.
  • Fedora 18: The PPC64 ISO appears not to have drivers for either the ATA or SCSI controllers that QEMU supports. Since virtio support doesn’t appear to work (see above), that means Fedora 18 has no disk driver support.

Installing Debian Sid

  1. Create a temporary directory:

    mkdir ppc64; cd ppc64

  2. Download the Debian Sid kernel image:

    wget http://ftp.us.debian.org/debian/dists/sid/main/installer-powerpc/current/images/powerpc64/netboot/vmlinux

  3. Download the Debian Sid initrd image:

    wget http://ftp.us.debian.org/debian/dists/sid/main/installer-powerpc/current/images/powerpc64/netboot/initrd.gz

  4. Create a disk image:

    qemu-img create -f qcow2 debian-sid-ppc64.qcow2 10G

  5. Start QEMU:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2 -kernel vmlinux -initrd initrd.gz -append "console=ttyPZ0 libata.dma=0 debian-installer/allow_unauthenticated=true"

    1. console=ttyPZ0 – This is needed to make the console work when using -nographic.
    2. libata.dma=0 – This disables DMA on the ATA controller. It makes the controller more stable (NOTE: I didn’t say perfectly stable…).
    3. debian-installer/allow_unauthenticated=true – When I tried to install the first time through, I got to the end and got complaints about unsigned packages. This is likely a simple error in the repo. NOTE WELL: this option disables the installer's package authentication, so unsigned packages are installed without verification.
  6. Follow install instructions.
  7. When the OS tries to reboot, it won’t work. Just shut down the VM.
  8. Start QEMU again:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2

  9. Notice that QEMU crashes: Uh oh!
  10. Use qemu-nbd to mount your boot/root partition and extract the kernel and initrd images. Alternatively, just download them from here.
  11. Start QEMU again:

    qemu-system-ppc64 -nographic -hda debian-sid-ppc64.qcow2 -kernel vmlinux-3.2.0-4-powerpc64 -initrd initrd.img-3.2.0-4-powerpc64 -append "console=ttyPZ0 libata.dma=0 root=/dev/sda3"

  12. Bask in all the PPC64 guest glory!
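Step 10 spelled out as an added example (not part of the original post): it attaches the qcow2 image read-only with qemu-nbd, mounts the root partition and copies out the newest kernel with its matching initrd. The function names, /dev/nbd0, partition 3 (taken from root=/dev/sda3 above) and an ext3/ext4 root with /boot as a directory on it are assumptions.

```sh
# Added example, not from the original post. Run as root on the host.
# Assumptions: /dev/nbd0 is free, the guest's /boot is a directory on
# partition 3 (the post boots with root=/dev/sda3), and it is ext3/ext4.

# Print "<kernel> <initrd>" for the newest vmlinux-* in directory $1 that has
# a matching initrd.img-*; return 1 if there is no complete pair.
pick_boot_pair() {
    local dir="$1" k ver
    for k in $(ls -1 "$dir" | grep '^vmlinux-' | sort -rV); do
        ver=${k#vmlinux-}
        if [ -f "$dir/initrd.img-$ver" ]; then
            echo "$k initrd.img-$ver"
            return 0
        fi
    done
    return 1
}

# extract_boot_files IMAGE [PARTITION] [DESTDIR]
extract_boot_files() {
    local image="$1" part="${2:-3}" dest="${3:-.}" dev=/dev/nbd0 mnt pair rc=1
    mnt=$(mktemp -d) || return 1
    # Export read-only so the host cannot modify the guest disk.
    if ! { modprobe nbd max_part=8 &&
           qemu-nbd --read-only --connect="$dev" "$image"; }; then
        rmdir "$mnt"
        return 1
    fi
    udevadm settle    # wait for the ${dev}pN partition nodes
    # noload: skip journal replay, which would need write access.
    if mount -o ro,noload "${dev}p${part}" "$mnt"; then
        if pair=$(pick_boot_pair "$mnt/boot"); then
            set -- $pair
            cp "$mnt/boot/$1" "$mnt/boot/$2" "$dest/" && rc=0
        fi
        umount "$mnt"
    fi
    qemu-nbd --disconnect "$dev"
    rmdir "$mnt"
    return $rc
}

# Usage: extract_boot_files debian-sid-ppc64.qcow2 3 .
```

The copied files are the ones to pass to -kernel and -initrd in step 11.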


Migrating the Blog to OpenShift

So this weekend I migrated the blog to Red Hat’s awesome new OpenShift service. If you are reading this, it means the migration was successful! Overall it went fairly smoothly. I’ve migrated my install multiple times at this point, so I was familiar with the process. But I also found that Deon Garrett has written some great documentation.

One of the problems identified by Deon is the inability to CNAME the root of the domain. Basically he uses a common domain provider’s URL Forwarding feature to redirect example.com to www.example.com. This workaround is great for a typical WordPress install. But for a subdomain-style, multisite installation, you have a problem where his forwarding approach results in an infinite redirect loop.

The key is that in a subdomain-style multisite installation, WordPress redirects www.example.com back to example.com. In order to fix this, we need to trick WordPress into thinking that www.example.com is, in fact, example.com. You can do this simply by adding a single line to your .htaccess file:

RequestHeader edit Host "^www\.(.*)$" "$1"

This line strips ‘www.’ from the start of every Host header. This works in my installation, but you might need something a bit more specific for your installation. For additional options, see mod_headers.

If you have interest in deploying WordPress on OpenShift, you should note that I have provided pull requests for updating OpenShift’s WordPress to 3.5.1 (the latest) and for enabling multisite WordPress uploads.

Happy OpenShifting!

Announcing… webSSO

webSSO is a new cloud-centric, federated authentication system developed to solve the problems of deploying authentication across heterogeneous infrastructures. It is a thin policy layer on top of widely deployed and trusted protocols such as HTTPS and TLS client certificate authentication. It provides:

  • Single sign-on across local, Internet and cloud infrastructures
  • Globally unique identities via existing certificate authorities
  • Decentralized authentication
  • Credential delegation
  • Deployment on existing HTTPS stacks
  • Multi-protocol support (i.e. not restricted to HTTP)
  • Cryptographic trust validation of all parties

It is true, there are lots of authentication protocols available. Kerberos, for instance, is a widely deployed, mature protocol for local infrastructure. However, it has almost no Internet presence, mostly because identity providers are not willing to expose their Kerberos servers to the Internet. Kerberos also competes in the encryption space with SSL/TLS, the hands-down winner in the web-enabled world. Lastly, Kerberos has difficulty scaling in large, flat topologies.

Outside of the enterprise context, OpenID has a large presence on the Internet. As one of the first attempts at creating a federated identity system on the Internet, it has accomplished remarkable things. However, OpenID doesn’t do single sign-on. Nor does it validate all parties in the authentication transaction, leading to problems with security/phishing. When combined with OAuth, OpenID can perform credential delegation. But implementing these protocols is quite complex, leading to bugs that compromise security. OpenID is also tightly tied to the web-based world and has gained no traction outside this environment.

The true problem arises when the local infrastructure and Internet worlds meet. If you want to use your enterprise identity on the Internet or in a cloud service, you’re pretty much out of luck. The same is mostly true with using your Internet identity in the enterprise. Thus, webSSO came about as we began to envision a world where there was no division between local, Internet and cloud infrastructures.

For more information about webSSO, check out our website where you can find the Internet Draft, a full description of the protocol and my presentation for the Cloud Identity Summit. If you happen to be at the Summit, check out the New Technology Panel in the Cascade Ballroom at 12pm Mountain Time today or look me up!

Dear 10gen,

Please merge my patches. I want to give MongoDB the best possible “out of the box” experience on Fedora and RHEL EPEL. I’ve taken my time to make sure that these patches were written in a way that preserves upstream behavior and compatibility, because I think upstream should have a great experience too. Since we support releases from RHEL5 to Fedora Rawhide, our packaging provides you with valuable testing and help to ensure that MongoDB will work with RHEL N+1 before it is even released. However, every release you make without our patches makes my life harder and all but ensures that Fedora won’t be able to run the latest version until well after it is released. In short: help us help you.

Sincerely,

Nathaniel McCallum
MongoDB Maintainer – Fedora

systemd Rocks My World

In the spirit of giving credit where it is due, I had my first foray into systemd last week. It is well designed, implemented and documented. Kudos! If I have one complaint, it’s that in the documentation many subject matters that are related are divided into different areas (for example systemd.socket, systemd.service and systemd.exec). I’d love to see a single-page version of this documentation so you can search through it for relevant things.

Testing Needed (MongoDB)

I’ve built packages of MongoDB 2.0.2 for f15, f16 and f17. This should be a drop-in replacement for your 1.8.x server. See http://www.mongodb.org/display/DOCS/2.0+Release+Notes#2.0ReleaseNotes-Upgrading for further details.

However, I had to rewrite the patch providing js 1.8.5 support. So I’d like some hands-on testing before I push out this update.

The builds should appear shortly in updates-testing and you can provide feedback here:

https://admin.fedoraproject.org/updates/mongodb-2.0.2-5.fc15
https://admin.fedoraproject.org/updates/mongodb-2.0.2-5.fc16

Thanks!

Arrived at FUDCon Blacksburg

I arrived at FUDCon this evening at about 5pm after picking up tdfischer and codeblocker from the airport. We went out to dinner with Colin Walters and John Palmieri and a bunch of others. It was a lot of fun. It was also great to meet up with Dan Walsh again and to meet Dave Jones and Josh Boyer.

I’m looking forward to the workshop tomorrow on Fedora multi-factor authentication and I’ll be proposing BarCamp-style talks on my Kerberos OTP work and libql. If you’re on your way to Blacksburg, see you there!