February 27, 2007

A simple Apache reverse proxy

Filed under: Fedora/Xen (archived) — jason @ 2:39 pm

You can customize a Xen image with httpd and the mod_proxy_html module to provide a simple reverse proxy. mod_proxy_html parses proxied pages in order to correct non-relative URLs to be relative to the proxy server’s URL scheme.

Here is what you need:

  • yum install httpd to get Apache.
  • yum install httpd-devel to get the apxs tool.
  • yum install mod_ssl to get SSL support.
  • yum install libxml2-devel to get libxml2 which is used by mod_proxy_html to parse documents.
  • Get mod_proxy_html.c from http://apache.webthing.com/mod_proxy_html/
  • Run apxs -c -I/usr/include/libxml2 -i mod_proxy_html.c to build and install the module.

Now you have everything you need to run a reverse proxy. Edit /etc/httpd/conf/httpd.conf and add:

LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so

to load the module and libxml2.

Finally, add <Location> directives and the required configuration for proxying. Here is an example:

ProxyRequests off
ProxyPass /inside/ http://inside.somewhere.org/
ProxyHTMLURLMap http://inside.somewhere.org/ /inside
RewriteEngine On
SSLProxyEngine on

<Location /inside/>
SSLRequireSSL
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /inside/
ProxyHTMLURLMap /inside /inside
RequestHeader unset Accept-Encoding
AuthName "Inside Somewhere"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://xxx.xxx.xxx.xxx:389/o=people
AuthzLDAPAuthoritative off
require valid-user
</Location>

This configuration does several things. The internal site http://inside.somewhere.org is made available on this server at https://this.server.name/inside/. HTTPS is required to access the site, as is authentication against an LDAP directory. In order for the SSLProxyEngine directive to work, this entire configuration must be nested within a <VirtualHost>. I simply add it to the default SSL virtual host in /etc/httpd/conf.d/ssl.conf.
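
One way to check a fragment like the one above before reloading httpd, as an added example that is not part of the original post: a small shell/awk lint for the properties this setup depends on (forward proxying off, Basic auth only under SSLRequireSSL, every ProxyPass path covered by a Require, and an encrypted LDAP connection). The function names and the second sample fragment, including ldap.example.org, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint an httpd reverse-proxy
# fragment (read on stdin) for the properties the setup above depends on.

audit_proxy_conf() {
    awk '
    function report(n, msg) { printf "line %d: %s\n", n, msg; bad++ }
    # Normalise a URL path: drop quotes, the closing ">" and a trailing "/".
    function path(p) { gsub(/[">]/, "", p); sub(/\/$/, "", p); return p }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($0 == "" || $0 ~ /^#/) next
        d = tolower($1)                 # directive names are case-insensitive
    }
    # ProxyRequests on would turn the server into an open forward proxy.
    d == "proxyrequests" && tolower($2) != "off" {
        report(NR, "ProxyRequests is not off: httpd also acts as a forward proxy")
    }
    # Remember each proxied path declared outside a <Location>.
    d == "proxypass" && !inloc && $3 != "!" { pass[path($2)] = NR }
    d == "<location" { inloc = 1; loc = path($2); start = NR; basic = ssl = req = 0 }
    inloc && d == "authtype" && tolower($2) == "basic" { basic = 1 }
    inloc && d == "sslrequiressl" { ssl = 1 }
    inloc && d == "require" { req = 1 }
    # ldap:// with no SSL/TLS/STARTTLS mode means a cleartext simple bind.
    d == "authldapurl" && $2 ~ /^"?ldap:/ && tolower($NF) !~ /^(ssl|tls|starttls)$/ {
        report(NR, "AuthLDAPURL uses ldap:// without TLS: bind passwords are sent in clear")
    }
    d == "</location>" {
        if (basic && !ssl)
            report(start, "Basic auth in <Location " loc "/> without SSLRequireSSL")
        if (req) guarded[loc] = 1
        inloc = 0
    }
    END {
        for (p in pass) if (!(p in guarded))
            report(pass[p], "ProxyPass " p "/ has no <Location> with a Require directive")
        exit (bad > 0)                  # non-zero status when anything was flagged
    }'
}

# The fragment from the post, abridged to the directives the lint reads.
page_conf() {
    cat <<'EOF'
ProxyRequests off
ProxyPass /inside/ http://inside.somewhere.org/
SSLProxyEngine on
<Location /inside/>
SSLRequireSSL
ProxyPassReverse /
AuthName "Inside Somewhere"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://xxx.xxx.xxx.xxx:389/o=people
require valid-user
</Location>
EOF
}

# Constructed weak variant (hostnames are placeholders).
weak_conf() {
    cat <<'EOF'
ProxyRequests On
ProxyPass /inside/ http://inside.somewhere.org/
ProxyPass /wiki/ http://inside.somewhere.org/wiki/
<Location /inside/>
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldaps://ldap.example.org/o=people
require valid-user
</Location>
EOF
}

echo "== fragment from the post =="
page_conf | audit_proxy_conf || true
echo "== constructed weak fragment =="
weak_conf | audit_proxy_conf || true
```

Run against the post's fragment, the lint reports only the AuthLDAPURL line: the browser-to-proxy leg is protected by SSLRequireSSL, but the ldap:// bind on port 389 carries the user's password unencrypted between the proxy and the directory. Using ldaps:// or appending STARTTLS to the AuthLDAPURL line clears the finding.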

• • •

February 20, 2007

Notes to self on creating a base Fedora Xen image

Filed under: Fedora/Xen (archived) — jason @ 3:45 pm

Recently, I have spent time with Xen on Fedora Core 5 and 6 setting up routine services like mail and proxies within their own virtual machines. Following some other Xen blogs, I got into the habit of creating a “base” Fedora image and then simply customizing copies of that image for each new VM. These are notes that I have compiled on managing that process.

First, some useful links:

You can create a new image using the FC6 DVD as the repository if you don’t have a local one; you just need FTP or HTTP access to the disc. The simplest hack is to put a symbolic link on the Domain-0 host in /var/www/html/ that refers to the disc’s mount point with ln -s /media/fedora_dvd /var/www/html/disk. Now, you can specify http://dom0_ip_addr/disk as the install location, assuming you have httpd running there.

Starting in FC6, there is a virt-install script that points to the old xenguest-install one – a sign of preparation for easily slipping in other VM solutions by using generic script names.

I go for about a 3GB image file. That gives me plenty of room for the base Fedora stuff plus some room to install things that don’t grow over time. If you need more space for some type of disk consuming application, you could resize your image file depending on how you laid out partitions, logical volumes, etc. I have also had luck in creating separate “data” image files to be mounted on /opt or some other useful location. I find these easier to deal with resizing because you will likely have only one partition there, not multiple ones plus a partition table to screw up. Steps to create a “data” image file and resize it later:

  • Create a 1GB image file with dd if=/dev/zero of=data.img bs=1M count=1 seek=1024
  • Format the image file as ext3 with mke2fs -F -j data.img

At this point, you can mount the data image file as any other and use it. Put an entry for the mount in /etc/fstab in the guest VM that will use it. You will also need to customize the Xen config file for the guest image to make the data image available as a particular device. To resize the data image, unmount it (shut down the guest that is using it) and then:

  • Remove the journal (making it ext2) with tune2fs -O ^has_journal data.img
  • Check things out with e2fsck -f data.img
  • Resize the image file to 2.5GB with dd if=/dev/zero of=data.img bs=1M conv=notrunc count=1 seek=2500
  • Grow the filesystem to match with resize2fs data.img
  • Put a new journal back with tune2fs -j data.img

And you are done. You can also mount the data image file with the loop device to access it, but don’t do it while it is being accessed by a running guest:

  • Mount using the loop device with mount -o loop data.img /mnt
  • losetup will show you which loop device is used with losetup -a
  • Access what you need at /mnt
  • Unmount the image when done with umount /mnt

During the Fedora install, I choose a static IP address with my known DNS servers and network configuration. These choices simply save me some time later when I customize a copy of the image. When it comes time to select packages, I customize by deselecting everything except for vim-advanced under the “Editors” category.

Once the installer finishes, your new guest domain may or may not start up depending on how things are set up. I mount the guest image and make one change before starting it up to make some further changes.

With the exception of the first one, the following changes are made inside of the running guest image:

  1. Before starting the guest, mount the image file and disable SELinux. Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled, then unmount the image. Now you can start the guest without SELinux running at all. Alternatively, you could start the guest, make this change, then reboot the guest to get SELinux turned off before doing anything else.
  2. Stop the yum-updatesd service with service yum-updatesd stop so you can run yum on your own.
  3. Issue a yum update to get everything up to snuff. Been a while since you burned that FC6 DVD, huh? I am behind a larger firewall setup that prevents just any IP address from having outside access, so I have squid running on dom0, which does have access. In the guest, I edit /etc/yum.conf to include proxy=http://dom0_ip_addr:3128 so that yum uses the proxy. Note that you may need to deal with squid caching of packages, etc if you do this often.
  4. Out of habit, I look for any rpm conflicts by running find / \( -name "*.rpmsave" -o -name "*.rpmnew" \) and resolving anything that needs it.
  5. Install ntp. Xen guest domain clocks tend to stray a bit, so this takes care of any time problems. Run yum install ntp.
  6. Edit /etc/init.d/ntpd and add echo 1 > /proc/sys/xen/independent_wallclock in the start function after the call to readconf. This marker must be reset at each boot to indicate that the guest will keep its own time.
  7. Run ntsysv and enable/disable the services you want to run in this base guest. I turn off everything including hardware stuff, APM and RAID monitoring (do those matter in a guest?) except for anacron, atd, autofs, crond, gpm, iptables (and ip6tables if you have enabled IPv6 support), messagebus, network, ntpd, sendmail, sshd and syslog.
  8. Edit /etc/sysconfig/iptables (and ip6tables as above) and make any firewall settings that you want. I generally remove the default Fedora rules that accept multicast and other traffic, leaving only the entries for lo, icmp, state in established/related and the final reject with icmp-host-prohibited. I filter ssh on port 22 a little further by only allowing access from certain subnets on the network with -A RH-Firewall-1-INPUT -s xx.xx.xx.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT.
  9. Reboot the guest image. I have gotten into the habit of logging out and having Xen do it.
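
The policy in step 8 can be checked mechanically. The following is an added example, not part of the original post: it flags any ACCEPT rule in RH-Firewall-1-INPUT that is open to every source (other than loopback, ICMP and established/related traffic) and confirms the chain still ends in the icmp-host-prohibited reject. Both rule files are constructed samples, and 192.0.2.0/255.255.255.0 is a placeholder subnet.

```shell
#!/bin/sh
# Added example, not from the original post: check an iptables rules file
# (iptables-save format, on stdin) against the policy described in step 8.

audit_fw_rules() {
    awk -v chain="RH-Firewall-1-INPUT" '
    $1 == "-A" && $2 == chain {
        last = $0
        if ($0 !~ /-j ACCEPT/) next
        # Allowed without a source match: loopback, ICMP, return traffic.
        if ($0 ~ /-i lo / || $0 ~ /-p icmp / ||
            $0 ~ /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) /) next
        # Every other ACCEPT must be limited to a source subnet with -s.
        if ($0 !~ / -s [0-9]/) {
            printf "line %d: accepts from any source: %s\n", NR, $0
            bad++
        }
    }
    END {
        if (last !~ /-j REJECT --reject-with icmp-host-prohibited/) {
            print "chain does not end with REJECT icmp-host-prohibited"
            bad++
        }
        exit (bad > 0)      # non-zero status when anything was flagged
    }'
}

# Constructed sample modelled on a stock Fedora rules file.
stock_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample after the trimming described in step 8.
trimmed_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

echo "== stock rules =="
stock_rules | audit_fw_rules || true
echo "== trimmed rules =="
trimmed_rules | audit_fw_rules && echo "ok: nothing open to every source"
```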

At this point, you have a stock Fedora image that can be customized however you like. When you are ready to create a copy, follow these steps.

  1. Shut down the base image if it is running.
  2. Copy the image to a new file with cp basefc6.img customfc6.img.
  3. Copy the Xen config file for the image in /etc/xen like cp basefc6 customfc6.
  4. Edit the customfc6 config file and change the name of the image, the amount of memory you want, the disk path to the image file and add one to the fake MAC address to make it unique. I usually remove the uuid and let Xen generate one for each guest on the fly. If you are going to use a data image file, make sure it is made available in the disk entry.

Now, your custom image copy is bootable but you may want to go ahead and tweak the network settings before you start it. You can mount the filesystem within the image first to make changes. The mount -o loop used above may not get it done if you have logical volumes defined in the image. Without logical volumes, lomount -t ext3 -diskimage customfc6.img -partition 1 /mnt will mount partition 1. To see a list of partitions in the image, leave off the -partition 1 part. If you have volume groups, consult the FC6 Xen quickstart guide for how to use kpartx.

The following instructions assume you are working in the mounted filesystem of the image file, so prefix the paths with your mount point (/mnt in the example above).

  1. Edit /etc/hosts and enter what you like. I personally don’t like for the loopback range to also have the actual host name and shortname. I separate them like:
    127.0.0.1 localhost.localdomain localhost
    xxx.xxx.xxx.xxx something.somewhere.org something
  2. Edit /etc/sysconfig/network and change HOSTNAME to a full name like something.somewhere.org.
  3. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and update as much as you can stand. Make sure the HWADDR entry matches the MAC address in the Xen config file for this image. Here is an example:
    DEVICE=eth0
    BROADCAST=172.31.255.255
    HWADDR=00:16:3E:26:6B:DD
    IPADDR=172.16.1.100
    IPV6ADDR=
    IPV6PREFIX=
    NETMASK=255.240.0.0
    NETWORK=172.16.0.0
    ONBOOT=yes
  4. Edit /etc/resolv.conf and get your DNS on, such as:
    search somewhere.org
    nameserver xxx.xxx.xxx.xxx
    nameserver xxx.xxx.xxx.xxx
  5. Edit /etc/sysconfig/iptables and make any firewall settings that you want for this custom VM.

Unmount the image filesystem with umount /mnt. Your custom image is now ready to boot! Depending on how long ago you updated your base image, you may want to yum update this new custom one.

• • •

February 9, 2007

Forget the stock market – pay off your mortgage first

Filed under: Ranting and Raving — jason @ 10:17 am

There has always been a raging debate about whether it is better to pay off your mortgage early or put your extra money into a 401k, the stock market or some other investment vehicle. There is no one right answer for everyone because many money factors come into play. As a person that has chosen to pay off the mortgage early, I find myself defending my position more often than having it supported. In an effort to bolster my defense, I have tried to bring together some numbers and ideas that will help me.

As an example, let’s consider a $150,000 mortgage loan. Let’s say it is a fixed rate 30 year loan at 7% APR with no penalty for early payoff. We’ll throw out points and fees to simplify things a little. Any amortization chart will show you that your monthly payment is $997.95. If you pay that exact amount each month over the life of the loan, you will have paid $209,263.35 in interest, plus the $150,000 principal amount of the loan.

Now, let’s say that you pay $300 a month on top of the payment, making it $1,297.95. At the end of the loan, you will have paid $100,219.88 in interest, a savings of $109,043.47. You will also pay the loan off nearly 14 years early. Here is a link to one of those online amortization calculators that lets you see what happens when you pay over each month.

Right off the bat, this appears to be a huge savings in interest at an average of around $7,269 a year for the 16 years that you will pay on the loan. You will also be free of the debt much earlier, allowing you to invest earlier with the money that you would have been spending on the mortgage. There are obvious questions about whether you can afford to pay that much over each month, what would you do with that extra money if you didn’t pay it on the mortgage, etc. But, let’s assume that you can pay that much over for most of the term and that you would have put it into some other investment if you hadn’t.

One argument for not paying off your mortgage early is the tax benefit. You can make use of mortgage interest when you itemize your deductions, so people assume that they would be losing a tax savings by paying off early and losing this deduction. But upon closer examination, the mortgage interest deduction may not be such a big factor.

The standard federal deduction for 2006 for married taxpayers filing jointly is $10,300 (an increase from previous years and it goes up again next year). This means that in order to itemize your deductions and claim your mortgage interest, your itemized deductions will need to come out to be greater than that amount.

You’ll pay $10,451.73 in interest during the first year of the loan if you don’t pay anything over, so you’ve easily eclipsed the standard deduction. Paying $300 a month over the first year, you’ll pay $10,333.95 in interest so you will still be able to itemize easily. However, as the life of the loan goes on, you pay more in principal and less in interest. In year 15, you will pay $7,927.12 in interest if you don’t pay extra, leaving a wider gap to get up to the standard deduction. By contrast, you will pay only $1,649.43 in interest during year 15 if you pay over each month, which may be an insurmountable gap.

We also need to calculate how much money you actually save in taxes by making this deduction. Let’s consider the Kentucky income tax rate of 6% (assuming your income is over $8,001 a year) and a federal income tax rate of $12,020.00 plus 28% of the amount over $61,850 (assuming your income is between $61,850 and $94,225 and you are married and filing jointly). Using these numbers, you could be eligible to claim $3,378.00 in interest deductions in the first year if you pay nothing over. Your average tax savings over the 30 year loan is $2,254.50 per year. Here is a link to a calculator that helps you figure this one out. There is a big assumption here that tax rates will remain unchanged for the duration of the loan.

You are most certainly going to have a harder time beating the standard deduction sooner if you pay off early, meaning you may not be able to itemize deductions for as long a period of time. But, you only lose the difference between the standard deduction and your itemized deductions, not the entire value of your mortgage interest tax savings. Additionally, the gap between these two items gets smaller each year as you pay less interest and further still if the standard deduction goes up. So, even in the later years of being able to itemize deductions, the extra benefit gets smaller and smaller.

In short, the perceived tax benefit of itemizing deductions is most likely outweighed by the sheer savings in total interest payments over the life of the loan. Simply consider the average tax savings over the 30 year loan. $2,254.50 per year over 30 years is $67,635 – far short of the amount of interest we save by paying off early.

Another argument against paying off your mortgage early is that you could be earning a similar or better rate through other investments on that extra money. What you have to compare here is the after-tax cost of your debt versus the after-tax earnings of your investments.

To calculate the after-tax cost of debt, multiply the interest rate by one minus your tax rate. Your tax rate is your marginal federal income tax rate (28% in our example) plus your state income tax rate if you can deduct on that one, too (yes for Kentucky, 6% in our example). Here, the after-tax cost of debt is 7.0 x (1 – 0.34) which is 4.62%. So in order to beat that, your investments need to yield better than 4.62% earnings after taxes. Here is a link to that handy formula.

As with most investments, the key is risk. While you might hear that average long term returns from the stock market are 10%, there is always the potential to lose money, too. EE savings bonds, considered a safer investment alternative, currently pay a rate of 3.60% which is short of our target number. So, meeting or beating the target number comes down to guessing that your investments will do better. If you are willing to take that risk, then investing may be the way to go.

Private Mortgage Insurance (PMI) plays another role in the numbers. Assuming you did not pay the required amount down on the loan in order to avoid PMI (usually around 20 percent), you will be paying PMI longer on the loan if you do not pay over since it will take you longer to reach the percentage required to rid yourself of it. Clearly, paying the loan off early will save you some money in this regard.

Considering all we’ve discussed so far, you may be able to lean either way based on your particular situation or beliefs. Now come the X factors that sell me on paying off the mortgage early.

First and foremost, the stability of your income is paramount to paying off your loan. Are you sure that you’ll be able to afford the payments for the entire 30 years? Hopefully so, or you might not have taken the loan in the first place. But, consider the economy and your occupation. Personally, I am wistfully waiting for the day that my I/T job gets outsourced and I am out on the street. I like to think that I am skilled enough to find gainful employment, but flinging lattes at the Starbucks might not be out of the question. So, the sooner I pay off the mortgage, the better. Without that debt, I believe I could live comfortably on a much smaller income than what I earn today.

Second, consider how you would like to live. A lot of people look at me like I am crazy when I tell them that I pay extra on my mortgage instead of investing more money for retirement. A friend once asked me “Do you plan to work until you die?”. No – in fact, once I pay my mortgage off, I plan to do some additional investing for retirement and I might even work part time because I will be free of the debt much sooner! As long as you have the debt, you have limited flexibility in how you can live. Paying it off sooner means more choices for your lifestyle sooner. My response to my friend’s question is “Do you want to have to work and keep up the same income to support the same payments for 30 years?”

You must also consider the money you might save the sooner you don’t have a mortgage payment. We’ve all paid way more for a car than it was worth because we had to take a loan on it. Once the mortgage is paid off, you can save up and pay for a new car by writing a check. You’ll save yourself thousands of dollars in loan interest by doing so, while you probably would not have been able to if you still had your mortgage payment. Again, the sooner you can save money, the better.

Finally, the big one is the unexpected. Crap happens in life, and there is no telling when or why you might be in need of money for a big emergency. Again, the sooner you pay off your loan, the sooner you might be able to better survive a monetary crisis because you have more funds available.

Some people might argue that by paying over on the mortgage, you actually have less money available for emergencies than if you simply saved the extra cash. I would actually agree with that statement, but I am willing to take the shorter term gamble of paying that extra money on the loan versus having the loan for a much longer period of time. By paying off early, I am shortening the amount of time that I am vulnerable to a financial emergency. We could also argue that $300 might be too much to pay over each month if it leaves you with no emergency funds at all. It would be wise in any case to adjust that extra amount so that you still have some walking around money.

If you’ve read this far, you are probably crazy anyway so come join me! Stop gambling with investments for a while and start paying your mortgage down. The sooner you do, the sooner we’ll be able to live like kings without all that debt hanging over our heads.

• • •

February 8, 2007

Let’s go Duke!

Filed under: All Things Kentucky — jason @ 12:23 am

I love Kentucky basketball. It is hard to grow up in this state and not love Kentucky basketball. And I hate Duke basketball. It is hard to love Kentucky basketball and not hate Duke basketball. But Duke really is better. Yes, shoot me. But here’s why.

I watched North Carolina beat Duke on Duke’s own court tonight. You know what the Duke fans did at the end of the game? They stayed. They stayed and stood and chanted “Let’s go Duke!” and pumped their arms the exact same way they had done ten minutes earlier when there was still time on the clock and they had a chance.

You know how many seats were empty? None. Yes, Cameron Indoor Stadium is a much smaller venue than Rupp Arena. But that doesn’t matter. When you love the team and you love the game, you will be there. And if you can’t be there, you’ll give your lower arena tickets to someone who can.

You know what the Duke fans did in the final seconds when it was clear that Duke was going to lose? They didn’t stream out of the place to get a jump on traffic. They didn’t mutter about three losses in a row or how the coach needed to be fired or how DeMarcus Nelson was a bonehead and missed two crucial, late free throws. And they for sure didn’t boo any of their own players. No, they didn’t do any of those things. They stayed and they stood and they cheered “Let’s go Duke!”.

Maybe Duke is just a classier school. Maybe smarter people go there and they have manners and upbringing. Maybe most of the people that attend Duke games actually went to Duke, so they have a little more pride in their team. Maybe Duke fans realize that while some of their players will go on to be top rate NBA a$$holes like all the others, they are just 18, 19 and 20 year old kids while they are at Duke. And kids don’t really need to be hearing all that crap that people throw at them. They need someone to stand and chant “Let’s go Duke!” even when they lose.

Let’s go Duke! Indeed.

• • •

February 5, 2007

Poor man’s in-car DVD system

Filed under: Doityurself — jason @ 11:31 am

While I am not a big fan of mobile DVD systems, long car trips are rough on little kids without some form of entertainment to occupy them. When we bought our Honda Pilot, we were simply unwilling to pay an extra $1500 for a built in system. We didn’t think we’d use it that much and we figured we could buy a portable setup for a lot less.

Eventually, we got an Audiovox PVS3393 from Target. It has a 9 inch screen, rechargeable battery, remote control, AC power adapter and DC car power adapter. List price is $159.99, but Jenny got it for around $90 on special the day after Thanksgiving.

As Christmas travel approached, we started looking at the various cases that you can buy to strap the thing to the back of your car seat. None of them seemed like a good choice because they were either too bulky or didn’t fit the player well. We borrowed one from some friends that opens at 90 degrees as if you might use it sitting on your lap. I could strap it to the back of the seat but Lindsay loves to push buttons, so having the bottom half of the player folded out right in front of her like a shelf with fun things to push wasn’t going to work. I began looking for a way to mount the unit to the seat while opened flat.

A couple months earlier, I had bought a set of Kwik Twists at Lowes. I am a total junkie when it comes to shop tools and organizational goodies, so I can’t make a trip to Lowes without buying something. Kwik Twists are like long, thick, foamy twist ties. They have a metal wire inside to help them keep their shape when you bend them, but they are all foamy on the outside so you can pull them tight without scratching stuff. They just happened to be hanging in the aisle with organizational items and shelving and I couldn’t resist them. I paid just under $10 for the set of two.

I was sitting in the back seat of the Pilot with the DVD player and the borrowed case trying to think of a way to make it work. I just happened to look up at my workbench in the garage and saw the Kwik Twists hanging there. The idea popped in my head that I could use the twists to strap the player to the seat!

I love it when a plan comes together. It took me all of about five minutes to make this one work. Once you get the hang of it, you can install the player in even less time. Here are the steps to install your portable DVD player into your car using a pair of Kwik Twists.

Audiovox PVS3393 and a pair of Kwik Twists

First, take a twist and put it around the head rest in front of you like you are going to strangle the person in the seat. Pull it back snugly between the seat and the head rest, then bend the ends straight down. Bend the very tips back up to form little hooks. The edge of the player will sit down in these hooks.

Step 1

Next, open your DVD player flat and sit the bottom down in the hooks that you formed with the twists. Our DVD player will not open flat with the battery attached so we have to use the power adapter when we rig this up, but that’s OK! Be sure that the hooks don’t obstruct the door or the buttons – just spread them out to make room. And be careful here as you’ll probably have to keep a hand or an elbow on the player if it won’t stand up in the hooks by itself.

Step 2

Now, take the second twist and wrap it the other way, bracing the center of the player with it and folding the ends around the head rest in front of you. The head rests on the Pilot are fixed, so I can just tuck the ends between the head rest and the seat for a snug fit. I bend the excess back around to keep it from poking the person who will be sitting in this seat.

Step 3

Step 4

I’ve done this setup in our Accord, too, where the head rests move and do not sit so firmly against the seat. In that case, you might have to fold the ends of the twist around to the front of the seat and actually tie them together to stay in place. With a little effort, you can find a way to tie them and shove them up between the head rest and the seat so that they are out of the way of the passenger in front.

Now comes the best part. Since the twists are flexible, you can grab the sides of the DVD player and move it around a little to get it lined up straight. It seems like I never get the hooks on the first twist in exactly the same shape, so I have to push the player down on one side or the other to straighten it up. But, the twists happily assume the new shape that you push them into, so all is well!

Finally, pick out one of your favorite DVDs and load it up. Nemo, Cinderella and Mickey Mouse Clubhouse are all suitable candidates. Strap your child in and let the good times roll! If they can handle headphones, you might even get to listen to your own music instead of the movie. Hand the remote control to your spouse and have them practice the patented aim-around-the-back-and-hit-play move. Most importantly, when you pass a huge Suburban or Sequoia on the road with the built in DVD system that the owner paid big bucks for, slide right up next to them so they can see your custom rig and get all jealous.
