Here’s the Linux bit I promised yesterday. I wrote it much earlier, so I might as well throw it out there.
Our test firewall at work is an old Pentium-200 running Red Hat Linux and a commercial firewall app. (No, I won’t disclose which one. Security, you know.) It’s a bit slow. A P200 is severe overkill for the firewall built into the Linux kernel (Steve DeLassus and I made a firewall out of the first PC he ever bought, a 486SX/20 of 1992 vintage, which, save the loss of the original power supply in an electrical storm, has never required any service), but this commercial package does a lot more than the simple firewalls built into Unixish kernels do.
It had 72 megs of RAM in it and swapped mercilessly. Its speed seemed to be OK once it was booted, but seeing as this is a testbed, it tends to get rebooted an awful lot. I needed to do something for it.
So I trekked into the PC graveyard to see what I could dig up. I found a Compaq 386DX/20. I left that alone. That’ll be useful if I ever need to pillage a pair of Compaq drive rails, which has happened before. Unfortunately those rails are worth more than the rest of the computer. I also spotted a Mac SE. That’ll be handy if I ever need a doorstop. Then I found a Pentium-75 and another Pentium of unknown speed. I opened them up. The 75 had a pair of 16-meg sticks. I opened up the unknown Pentium and looked inside. Ugh. Socket 4. That meant it was a Pentium-60, or, at best, a Pentium-66. It had a pair of 8-meg sticks.
I pulled the memory sticks out of the 75. The 60 didn’t have anything usable in it, save a pair of hard drives, both 540 megs, one a Quantum and the other a Seagate. I took the Seagate because it was easier to unbolt. I don’t have any way of knowing at this late date which of those drives was the better performer, and it probably doesn’t make much difference anymore.
The idea was to add some memory, and put in a second hard drive dedicated to virtual memory. Since the likelihood of the machine needing to read data from a drive and simultaneously hit virtual memory was fairly high, I wanted the virtual memory on its own drive. Furthermore, Linux’s partition-read
mechanism isn’t terribly efficient. This doesn’t matter for SCSI drives, which re-order I/O events, but for IDE drives it matters a lot. So getting the swap partition onto a dedicated drive was likely to improve performance a fair bit. (If this were a production system, it would probably have a SCSI
drive in it.)
So I swapped in the 16s for the 4s and found an empty bay to hold the 540, which I put on the second IDE channel as master (another performance trick), and booted Linux. The next trick is to use your favorite disk partitioning tool (I like cfdisk, but I can navigate plain old fdisk) to blow away whatever partition is on the new drive (this one was /dev/hdc) and create a single partition. I just made it the size of the drive, since 2.4 can deal with large swap partitions and Linux is smart enough to use whatever virtual memory it needs, not just automatically use all it has available. Then I set
it to type 82. Linux can do swapfiles, but a filesystemless dedicated swap partition gives better performance.
Next, I edited /etc/fstab. I found an entry for the swap partition pointing at /dev/hda2. I changed that to /dev/hdc1. That means I now have a small swap partition just sitting on the first drive unused, but that’s not a big deal to me. The system’s not using the disk space it has. While I was there, I noticed the CD-ROM drive was pointing at /dev/cdrom. I asked Charlie, our Unix/Linux guru, if Red Hat had some intelligence I didn’t know about. He said /dev/cdrom was just a symlink. I changed the entry to read /dev/hdd, which is where the CD-ROM drive ended up after my shuffle. Better to just code things directly than try to track symlinks, in my estimation.
Next, I issued the command mkswap /dev/hdc1 to initialize the swap partition. Then I rebooted and listened.
Indeed, during boot, the second drive was getting activity. I logged in and ran top, then hit shift-M to have a look at memory usage. The firewalling software was eating up a lot. But swap usage was down.
I decided to try cutting memory usage down a little more. I loaded /etc/inittab into vi. Red Hat by default gives you six virtual consoles. This machine has little need for more than two. Pulling the extras saves you a couple of megs. Near the end of the file you’ll see several lines that look something like this:
1:2345:respawn:/sbin/mingetty 38400 tty1
I commented out the last four of those. Hit the i key to put vi in insert mode, scroll down to those lines, add a # to the beginning of them, then hit ESC, then hit ZZ (shift-Z twice) to rapidly save the file, no questions asked. (I know, vi ain’t friendly, but it’s there.)
Then I had a look at /etc/rc3.d to see what daemons were running. I found apmd, sendmail, and gpm running. That was a waste of a couple megs, not to mention a possible security risk. I vaguely remember all three of them having had security issues in the past, and sendmail is one of those programs that should never be running unless you need it. Yes, this machine’s just practice, but Hall of Fame catcher Johnny Bench found that if he got sloppy and just let wild pitches go while he was warming up pitchers, he wasn’t as sharp at blocking potential wild pitches during the game when
it counted. So he worked just as hard during practice as he did during the game. Now he’s considered the greatest catcher of all time.
So I applied the Johnny Bench principle and disabled them with the following command sequence:
mv /etc/rc3.d/S26apmd /etc/rc3.d/K26apmd
mv /etc/rc3.d/S80sendmail /etc/rc3.d/K80sendmail
mv /etc/rc3.d/S85gpm /etc/rc3.d/K85gpm
I rebooted to find memory usage down by about 4 megs and the system booted a little faster. It was also more secure.
Total downtime: About 45 minutes.
That was time well spent. I may end up having to just bite the bullet and get some memory, but the system will perform better with these changes no matter how much memory is in it. And, more importantly, performing this exercise made me notice something I hadn’t noticed before. It let me tighten up security.
Had I blindly just ordered some memory to put in the system, or a new PC, like some people unfortunately advocate, I wouldn’t have necessarily noticed that as quickly.
Speaking of Linux, I did finally get Apache, PHP, and MySQL all talking together on my church’s 486. I used phpWeblog, which is an awfully nice package. Pages load in an acceptable two seconds. I notice the machine is paging, so a little more memory will probably help that. It’s amazing that people are throwing away Pentium-class machines when even a 486 has enough power to be a decent intranet server.
Not everyone’s so fortunate as you and me. Give ’em to someone who can use them if you don’t want them.