Willy TARREAU

Home Page - http://1wt.eu/


> News

Jul 27th, 2006

As Marcelo Tosatti announced here, I'm becoming the new maintainer of version 2.4 of the Linux Kernel, starting with 2.4.34. It seems to sound exciting to some people, frightening to others, and useless to yet others. Well, as long as 2.4 lives, it will need a maintainer. As I'm using it myself and already maintaining my own tree, it should be feasible. Time will tell... I just hope that I'll be able to keep it as reliable and safe as Marcelo made it.

Jun 5th, 2006

The site has moved to a new, shorter domain name: 1wt.eu. It will be easier to dedicate hostnames to projects now. The old one will remain for a while, though.

> Haproxy

HAProxy is a robust, high-performance TCP/HTTP load-balancer and reverse-proxy which is particularly suited to building highly available architectures. It can check servers' state, report its own state to an upper-level load-balancer, share the load among several servers, ensure session persistence through the use of HTTP cookies, limit the number of simultaneous requests, add/modify/delete incoming and outgoing HTTP headers, and block requests matching pre-defined criteria. Its simple event-based architecture provides very high performance and makes its code auditable. I've had reports of several moderate traffic sites (10 to 100 Mbps) using it with success at constant loads of up to several thousand hits per second. No break-in has ever been reported (yet). It's known to work at least on FreeBSD, Linux, OpenBSD and Solaris. I too use it to protect my web server and to provide IPv6 connectivity.

Haproxy is now also integrated as a complete solution by Exceliance. The fine kernel tuning permitted in an appliance allows the solution to outperform standard installations.

Haproxy source code has been migrated to GIT. I had lots of difficulties at the beginning, but at least I find it easier to learn GIT on code I know well than on the kernel.

> Formilux

Formilux is a very light and secure Linux distribution. It is targeted at internet servers, routers, firewalls and semi-embedded systems. It requires very little administration but needs fairly skilled administrators. Installing a secured proxy or a firewall requires only about 12 MB and a few minutes. For this reason, we have long been using it for emergency service recovery at customers' sites. Its main features are Zero Useless File (file-level dependencies), read-only file-system, centralized configuration, very strict default permissions, automatic boot recovery, protection against buffer overflows, and many more.

We've had very little time during the last 2 years to produce an updated image, but we have worked silently to satisfy constantly growing customer requirements. Now that the project is supported by EXOSEC, we'll have some time to release more often.

> Linux Kernel

I've always liked playing with kernels. When I was a teen, I played with DOS and BIOS. Now I have something more powerful to play with :-)
I have tried to classify the projects and patches here, but I think I will have to do it again soon :

  • Linux Kernel Useful Patches (LKUP) [http://linux.1wt.eu/kernel/2.4/lkup/]

    Many useful patches are regrouped here. Several of them are also included in my 2.4-wt patches (see below)

  • Linux Kernel 2.4 patch kits [http://linux.1wt.eu/kernel/2.4/2.4-wt/]

    I spend lots of time building hopefully secure and heavily patched Linux kernels for use in production environments. Fortunately, most recent 2.4 kernels are becoming stable (both in use and code), so it's becoming worth adding more and more features. Those kernels are the ones which run Formilux. The latest ones provide buffer overflow protection (with PaX), IPSEC (with openswan), AES-encrypted loop devices, enhanced firewall features (with patch-o-matic-ng), socket port ACLs (pspa), high performance web server (Tux), virtual server jails, read-only bind mounts, serial ATA drivers, entropy gathering from network devices, ARP tweaks, MPLS support, low latency and preemptive scheduling, I2C sensors, CPU frequency scaling, x86 CPU emulation for small boxes, etc...

    Also mirrored by EXOSEC : http://linux.exosec.net/kernel/2.4-wt/

  • Linux Kernel 2.4 hotfixes [http://linux.exosec.net/kernel/2.4-hf/]

    Regularly, I spend time at work to gather small patches from the most recent stable kernels and port them to older kernels, so that people using a particular 2.4 kernel don't have to make a full update to fix security or stability issues. The work has begun with 2.4.29, and is hosted at Exosec.

  • Linux Kernel 2.4 upstream tree [http://git.1wt.eu/linux-2.4-upstream.git/]

    This is a tree containing patches to be merged in mainline 2.4. Normally you don't need this, but having the URL noted somewhere helps me :-)

  • Linux Kernels add-ons [http://linux.1wt.eu/]

    I've added some features to standard kernels. The most useful ones are the extensions to the ethernet bonding driver, which have been included in standard kernels and taken over by Chad Tindel and a bunch of other folks (several of them from Intel). Other non-merged features include :

    • lcdpanel, a serial/parallel port
    • watchdog, a Watchdog Timer driver for Linux 2.4 for Nexcom's NexGate Network Security Appliances (eg: NSA1045).
    • kmsgdump, a tool which does its best to dump the last kernel messages on screen, floppy or printer after a kernel panic or on demand. This one has been ported to 2.5 by Randy Dunlap who now maintains newer versions.
    • x86-emu, an i486 and i686 instruction emulator for i386 to i586-class processors. It is common on notebooks or developer workstations to run executables compiled for other targets. This patch makes this possible.

    Also mirrored by EXOSEC : http://linux.exosec.net/

> Hardware hacking

I also like embedded systems, microcontrollers and such miniature systems. So when I have the opportunity to install Linux on small hardware, I cannot resist :

  • Build your own 1U, half-width Internet server [http://www.ant-computing.com/]

    Benoit Dolez and I designed very small systems for high density, low consumption web hosting. Now this may seem a bit "classic", but this was in 2000, and not so common at that time. Our site has even been Slashdotted !

  • Hacking into the Linksys NSLU2 [http://1wt.eu/nslu2/]

    This very nice small system hosts an Intel XScale IXP420 running at 133 or 266 MHz, contains 8 MB Flash and 32 MB RAM, a 10/100 Mbps Fast Ethernet interface, two USB 2.0 ports and a serial port, all this for under 100 euros. It has decent network performance: it can route 100 Mbps in + 100 Mbps out at 133 MHz with lots of idle remaining. And it runs haproxy at up to 600 hits/s and 50 Mbps :-)

    You'll find some photos showing how to open it, connect a serial port to it, and switch it to 266 MHz (it's factory-set to 133).

> Networking

  • Network tools : http://1wt.eu/tools/

    Most of these tools (inject, ethforge, connect) are load generators used in benchmarking. Some are pretty straightforward, but efficient. ZProx is an old proxy I wrote in 1998 with the idea in mind to connect through my 33600 bps modem to a remote high-speed network, and compress the data between the two hosts to make use of the other site's proxy efficiently. In 1999, I quickly and dirtily replaced the compression code with some traffic shaping code for a benchmark in which it was necessary to emulate 28800 bps modems.

  • How to enable IPv6 on your web servers

> Security

EZRouter is a floppy-disk based iptables firewall. In a way it is Formilux's ancestor; it has been used as a temporary replacement on broken hardware at several customers' sites, and has been used a lot in benchmarking because of its easy setup. It's not maintained anymore, but could still prove useful on supported hardware. Genovex is a utility to test and potentially exploit buffer overflow bugs on x86. I've used it a lot on my own programs to ensure they cannot be exploited.

> External links

> Traffic around Paris

Information about traffic around Paris provided by Sytadin and Infotrafic.

> Contacts