Willy TARREAU
Jul 27th, 2006
As Marcelo Tosatti announced it here, I'm becoming the new maintainer of version 2.4 of the Linux Kernel, starting with 2.4.34. It seems to sound exciting to some people, frightening to others, and useless to yet others. Well, as long as 2.4 lives, it will need a maintainer. As I'm using it myself and already maintaining my own tree, it should be feasible. Time will tell... I just hope that I'll be able to keep it as reliable and safe as Marcelo made it.
Jun 5th, 2006
The site has moved to a new, shorter domain name: 1wt.eu. It will be easier to dedicate hostnames to projects now. The old one will remain for a while, though.
HAProxy is a robust, high-performance TCP/HTTP load-balancer and reverse-proxy which is particularly suited to building highly available architectures. It can check servers' state, report its own state to an upper-level load-balancer, share the load among several servers, ensure session persistence through the use of HTTP cookies, limit the number of simultaneous requests, add/modify/delete incoming and outgoing HTTP headers, and block requests matching pre-defined criteria. Its simple event-based architecture provides very high performance and makes its code auditable. I've had reports of several moderate traffic sites (10 to 100 Mbps) using it with success at constant loads of up to several thousand hits per second. No break-in has ever been reported (yet). It's known to work at least on FreeBSD, Linux, OpenBSD and Solaris. I use it myself to protect my web server and to provide IPv6 connectivity.
Haproxy is now also integrated as a complete solution by Exceliance. The fine kernel tuning permitted in an appliance allows the solution to outperform standard installations.
Haproxy source code has been migrated to GIT. I had lots of difficulties at the beginning, but at least I find it easier to learn GIT on code I know well than on the kernel.
Links :
Formilux is a very light and secure Linux distribution. It is targeted at internet servers, routers, firewalls and semi-embedded systems. It requires very little administration but needs fairly skilled administrators. Installing a secured proxy or a firewall requires only about 12 MB and a few minutes. For this reason, we have long been using it for emergency service recovery at customers'. Its main features are Zero Useless File (file-level dependencies), read-only file-system, centralized configuration, very strict default permissions, automatic boot recovery, protection against buffer overflows, and many more.
We've had very little time during the last 2 years to produce an updated image, but we have worked silently to satisfy constantly growing customer requirements. Now that the project is supported by EXOSEC, we'll have some time to release more often.
Links :
I've always liked playing with kernels. When I was a teen, I played with DOS and BIOS. Now I have something more powerful to play with :-)
I have tried to classify the projects and patches here, but I think I will have to do it again soon:
- Linux Kernel Useful Patches (LKUP) [http://linux.1wt.eu/kernel/2.4/lkup/]
Many useful patches are grouped here. Several of them are also included in my 2.4-wt patches (see below).
- Linux Kernel 2.4 patch kits [http://linux.1wt.eu/kernel/2.4/2.4-wt/]
I spend lots of time building hopefully secure and heavily loaded Linux kernels for use in production environments. Fortunately, most recent 2.4 kernels are becoming stable (both in use and code), so it's becoming worth adding more and more features. Those kernels are the ones which run Formilux. The latest ones provide buffer overflow protection (with PaX), IPSEC (with openswan), AES-encrypted loop devices, enhanced firewall features (with patch-o-matic-ng), socket port ACLs (pspa), a high performance web server (Tux), virtual server jails, read-only bind mounts, serial ATA drivers, entropy gathering from network devices, ARP tweaks, MPLS support, low latency and preemptive scheduling, I2C sensors, CPU frequency scaling, x86 CPU emulation for small boxes, etc.
Also mirrored by EXOSEC: http://linux.exosec.net/kernel/2.4-wt/
- Linux Kernel 2.4 hotfixes [http://linux.exosec.net/kernel/2.4-hf/]
Regularly, I spend time at work gathering small patches from the most recent stable kernels and porting them to older kernels, so that people using a particular 2.4 kernel don't have to make a full update to fix security or stability issues. The work began with 2.4.29, and is hosted at Exosec.
- Linux Kernel 2.4 upstream tree [http://git.1wt.eu/linux-2.4-upstream.git/]
This is a tree containing patches to be merged in mainline 2.4. Normally you don't need this, but having the URL noted somewhere helps me :-)
- Linux Kernels add-ons [http://linux.1wt.eu/]
I've added some features to standard kernels. The most useful one is the set of extensions to the Ethernet bonding driver, which has been included in standard kernels and taken over by Chad Tindel and a bunch of other folks (several of them from Intel). Other non-merged features include:
- lcdpanel, a serial/parallel port
- watchdog, a Watchdog Timer driver for Linux 2.4 for Nexcom's NexGate Network Security Appliances (eg: NSA1045).
- kmsgdump, a tool which does its best to dump the last kernel messages on screen, floppy or printer after a kernel panic or on demand. This one has been ported to 2.5 by Randy Dunlap, who now maintains newer versions.
- x86-emu, an i486 and i686 instruction emulator for i386 to i586-class processors. It is common on notebooks or developer workstations to run executables compiled for other targets. This patch makes this possible.
Also mirrored by EXOSEC: http://linux.exosec.net/
I also like embedded systems, microcontrollers and such miniature systems. So when I have the opportunity to install Linux on small hardware, I cannot resist:
- Build your own 1U, half-width Internet server [http://www.ant-computing.com/]
With Benoit Dolez, we have designed very small systems for high density, low consumption web hosting. Now this may seem a bit "classic", but this was in 2000, and not so common at that time. Our site has even been Slashdotted!
- Hacking into the Linksys NSLU2 [http://1wt.eu/nslu2/]
This very nice small system hosts an Intel XScale IXP420 running at 133 or 266 MHz, contains 8 MB Flash and 32 MB RAM, a 10/100 Mbps Fast Ethernet interface, two USB 2.0 ports and a serial port, all this for under 100 euros. It has decent network performance: it can route 100 Mbps in + 100 Mbps out at 133 MHz with lots of idle remaining. And it runs haproxy at up to 600 hits/s and 50 Mbps :-)
You'll find some photos showing how to open it, connect a serial port to it, and switch it to 266 MHz (it's factory-set to 133).
- Network tools: http://1wt.eu/tools/
Most of these tools (inject, ethforge, connect) are load generators used in benchmarking. Some are pretty straightforward, but efficient. ZProx is an old proxy I wrote in 1998 with the idea in mind to connect through my 33600 bps modem to a remote high-speed network, and compress the data between the two hosts to make use of the other site's proxy efficiently. In 1999, I quickly and dirtily replaced the compression code with some traffic shaping code for a benchmark in which it was necessary to emulate 28800 bps modems.
- How to enable IPv6 on your web servers
EZRouter is a floppy-disk based iptables firewall. It is, in a way, Formilux's ancestor, has been used as a temporary replacement on broken hardware at several customers', and has been used a lot in benchmarking because of its easy setup. It's not maintained anymore, but could still prove useful on supported hardware.
Genovex is a utility to test and potentially exploit buffer overflow bugs on x86. I've used it a lot on my own programs to ensure they cannot be exploited.
Information about traffic around Paris is provided by Sytadin and Infotrafic.
- Main site over IPv4: http://1wt.eu/ (for those who got here via IPv6 :-))
- Main site over IPv6: http://www6.1wt.eu/ (interesting for those who want to test their IPv6 connectivity; being connected via Nerim, I have native IPv6 connectivity)
- Main site over FTP: ftp://ftp.1wt.eu/ (the site is also accessible via FTP, which makes it easier to download numerous files: patches, etc.)
- This site can be reached at those URLs :
- Contact me: Willy TARREAU