MAC OS X, Linux, Windows and other IT Tips and Tricks

30 Dec 16 pygrub: Unable to find partition containing kernel

Introduction:
Recently, after I upgraded many packages in a Xen 4.4 DomU VM, pygrub could no longer boot the VM.
During the security update, the installed grub2 (grub-pc), which had never caused any problems with pygrub before, got updated and suddenly prevented the VM from booting. Here is the error message I got when trying to boot it:
Parsing config from /etc/xen/VM.cfg
libxl: error: libxl_bootloader.c:628:bootloader_finished: bootloader failed - consult logfile /var/log/xen/bootloader.32.log
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: bootloader [-1] exited with error status 1
libxl: error: libxl_create.c:1024:domcreate_rebuild_done: cannot (re-)build domain: -3
libxl: error: libxl_dom.c:35:libxl__domain_type: unable to get domain type for domid=32
Unable to attach console
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: console child [0] exited with error status 1

I have another VM with the same Debian system in it which boots well. After comparing the grub.conf etc. with each other I could not see any differences.
When I launch pygrub with the VM's disk image as argument, I am normally presented with the Grub menu, and then it exits with the normal errors. This time I got no menu at all and got the following error message:
/usr/lib/xen-4.4/bin/pygrub /virtual/xen/VM/disk.img
Traceback (most recent call last):
File "/usr/lib/xen-4.4/bin/pygrub", line 839, in
raise RuntimeError, "Unable to find partition containing kernel"
RuntimeError: Unable to find partition containing kernel

After Googling a bit I found this site, which discusses this problem as well, although with an LVM volume instead of a file disk image. But the principle was the same:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745419
So in summary: if pygrub sees something other than zeroes in the first 512 bytes of the disk image, it returns with this error: ‘Unable to find partition containing kernel’

Cause:
During the upgrade of grub-pc the package script asked me to specify the boot sector where grub should be installed, and I happened to select the proposed one, ‘/dev/xvda2’, which was a mistake.

Preventive solution:
I should have left the image partition untouched and continued the upgrade of grub-pc without grub being written to the boot sector, and then afterwards run the command:
update-grub

Present Solution:
Overwrite the boot sector (512 bytes) of the image file with zeros.

Command:
dd conv=notrunc if=/dev/zero of=/virtual/xen/domains/VM/disk.img bs=512 count=1
Note: I use the option conv=notrunc to make sure the output file will not be truncated to 512 bytes after the overwriting.

Result:
I could then boot the VM well again.
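
The same fix with a safety net, as an added example that is not part of the original post: it checks whether the first 512 bytes really contain non-zero data, saves them to a backup file, zeroes them with conv=notrunc and confirms that the image size did not change. The function names and the ".sector0.bak" suffix are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Run it only while the DomU is
# shut down. Function names and the ".sector0.bak" suffix are assumptions.

SECTOR=512

# Exit status 0 when the first 512 bytes of the image contain only zero bytes.
first_sector_is_zero() {
    nonzero=$(head -c "$SECTOR" "$1" | tr -d '\000' | wc -c)
    [ "$nonzero" -eq 0 ]
}

# Save the first sector next to the image, zero it in place, then confirm
# that the image kept its size and that the sector now reads as zeros.
zero_first_sector() {
    img="$1"; backup="$1.sector0.bak"
    if [ ! -f "$img" ]; then
        echo "not a regular file: $img" >&2
        return 2
    fi
    if first_sector_is_zero "$img"; then
        echo "first sector is already zero, nothing to do"
        return 0
    fi
    if [ -e "$backup" ]; then
        echo "backup already exists, refusing to overwrite: $backup" >&2
        return 2
    fi
    size_before=$(wc -c < "$img")
    dd if="$img" of="$backup" bs="$SECTOR" count=1 2>/dev/null || return 1
    dd conv=notrunc if=/dev/zero of="$img" bs="$SECTOR" count=1 2>/dev/null || return 1
    size_after=$(wc -c < "$img")
    if [ "$size_before" -ne "$size_after" ]; then
        echo "image size changed from $size_before to $size_after" >&2
        return 1
    fi
    first_sector_is_zero "$img"
}

# Undo: write the saved sector back into the image.
restore_first_sector() {
    dd conv=notrunc if="$1.sector0.bak" of="$1" bs="$SECTOR" count=1 2>/dev/null
}

# Usage: sh zero-sector.sh /path/to/disk.img
[ "$#" -eq 0 ] || zero_first_sector "$1"
```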

20 Jan 14 Creating a XEN machine and Installing Group Office in Debian Wheezy

Introduction

In this Tutorial I will explain the steps I did to create a Xen Virtual Machine with minimal packages and then install the latest Group Office Web based Collaboration software. You’ll need to be fluent in Linux and Xen because I don’t explain much here.

Note: My hypervisor is Xen 4.0 in Debian Squeeze with the xen-utils-4.0 package installed. I also use fictitious domain names (myserver.com) and IP addresses just as examples.

Creating the Xen Virtual Machine

This virtual machine will be created with the xen tools which bootstraps the creation of the VM.
Bootstrapping:
mkdir -p /virtual/xen/
cd /virtual/xen/
xen-create-image --dir=. --dist=wheezy --hostname=mail.myserver.com --size=20Gb --swap=2048Mb --ip=87.176.102.167 --gateway=87.176.102.254 --netmask=255.255.255.0 --memory=4096Mb --arch=amd64 --role=udev

Install the kernel and pyGrub
– Put the produced disk.img and swap.img in the proper path.
eg. in /virtual/xen/MAIL/
Mount the disk image in loop
mkdir /mnt/MAIL
mount /virtual/xen/MAIL/disk.img /mnt/MAIL -o loop,rw

Mount /sys, /proc, /dev and chroot to it
mount /proc /mnt/MAIL/proc -o bind
mount /sys /mnt/MAIL/sys -o bind
mount /dev /mnt/MAIL/dev -o bind
chroot /mnt/MAIL

Install the grub-legacy in VM
apt-get update
apt-get install grub-legacy linux-image-3.2.0-4-amd64 mc
mkdir /boot/grub
mcedit /boot/grub/menu.lst
CONTENT:
#----------------
default 0
timeout 2
#
title Debian GNU/Linux
root (hd0,0)
kernel /vmlinuz root=/dev/xvda1 ro
initrd /initrd.img
#
title Debian GNU/Linux (recovery mode)
root (hd0,0)
kernel /vmlinuz root=/dev/xvda1 ro single
initrd /initrd.img
#-------------

Leave chroot and unmount all.
exit
umount /mnt/MAIL/dev
umount /mnt/MAIL/sys
umount /mnt/MAIL/proc
umount /mnt/MAIL/

Adjust the VM Xen configuration (/etc/xen/mail.myserver.com.cfg) as follows:
Replace the older kernel and ramdisk lines in the Xen DomU configuration file:
Example:
REPLACE:
kernel = '/boot/vmlinuz-2.6.32-5-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.32-5-xen-amd64'
WITH:
bootloader = '/usr/lib/xen-default/bin/pygrub'

Adjust the paths of the disks properly:
Example:
disk = [
'file:/virtual/xen/MAIL/disk.img,xvda2,w',
'file:/virtual/xen/MAIL/disk.swp,xvda1,w',
]

Test the pyGRUB configuration with the VM disk
Note: A GRUB menu should appear for a few seconds and then disappear with an error message. Ignore the error message. Most important is that the Grub menu appears.
/usr/lib/xen-default/bin/pygrub /virtual/xen/MAIL/disk.img
Start the VM
The Grub menu should appear and start booting.
xm create /etc/xen/mail.myserver.com.cfg -c

Installing Group-Office


Login as root and configure APT with the Group Office repositories
(REF: https://www.group-office.com/wiki/Installing_on_Debian_or_Ubuntu)
apt-get update && apt-get upgrade
echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ fivezero main" | tee -a /etc/apt/sources.list
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -
apt-get update

Install Group Office
apt-get install groupoffice-mailserver postfix postfix-mysql dovecot-mysql dovecot-managesieved dovecot-sieve dovecot-lmtpd rsync mc
– Setting root password to MySQL server.
– Setting the domain name.

Note from Group Office before start of installation.
After installation is completed launch your browser and go to http://localhost/groupoffice/
or replace localhost with the hostname / IP of this machine.
The default login is username: admin and password: admin.
Enjoy Group-Office!

Setting root password to MySQL server:
Setting MySQL password of user:groupoffice-com DB groupofficecom :

Now some undesired installation messages will appear:

[FAIL] Clamav signatures not found in /var/lib/clamav ... failed!
[FAIL] Please retrieve them using freshclam ... failed!
[FAIL] Then run '/etc/init.d/clamav-daemon start' ... failed!

To fix that:
apt-get -f install
freshclam
/etc/init.d/clamav-daemon start

All looking good now.
In the browser, try to log in with your ‘admin’ password at:
http://mail.myserver.com/groupoffice

HINT about domains:
If you configure more domains in the admin web interface under the ‘Email Domains’ menu item and try to create new users, only the original domain is offered as a possible mailbox domain for the new users. The newly configured domains are not listed. To remedy that, you need to enter all of the domains this system may use into both the GroupOffice and the Amavis configuration files:
IN /etc/groupoffice/config.php
$config['serverclient_domains']='domain1.com,domain2.com';

IN /etc/amavis/conf.d/05-domain_id
@local_domains_acl = ( ".$mydomain", "domain1.com", "domain2.com" );

Recommendation:
In order to raise your mail server’s general acceptance from large mailing servers like AOL, GMX, Yahoo, etc. it is recommended to:
– Configure your domain in DNS concerning the SPF1 and SPF2
– Configure in your mail server and DNS to send DKIM token.
See DKIM installation at: http://tipstricks.itmatrix.eu/?p=1494
– Configure Postfix to use RBL SPAM filtering(see instructions below)

SPAM Reduction


This server is already providing some anti-spam protection, but in some cases extra filters might need to be installed.

Add some more RBL SPAM Filtering

Note: In my mail server, almost every day about 800 to 2000 spams are blocked using the RBL filtering method. So I do recommend it, since it's also quite simple.
Edit your Postfix main configuration file /etc/postfix/main.cf and replace the existing configuration with the following one. It contains the same configuration as the original except it adds to the list of RBL servers.
Postfix RBL settings:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    check_recipient_access hash:/etc/postfix/spam_rec_addr,
    check_client_access hash:/etc/postfix/rbl_whitelist,
    reject_rbl_client abuse.rfc-ignorant.org,
    reject_rbl_client blackholes.brainerd.net,
    reject_rbl_client bl.deadbeef.com,
    reject_rbl_client dnsbl.antispam.or.id,
    reject_rbl_client korea.services.net,
    reject_rbl_client l1.spews.dnsbl.sorbs.net,
    reject_rbl_client l2.spews.dnsbl.sorbs.net,
    reject_rbl_client postmaster.rfc-ignorant.org,
    reject_rbl_client query.bondedsender.org,
    reject_rbl_client relays.bl.kundenserver.de,
    reject_rbl_client relays.nether.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client spamguard.leadmon.net,
    reject_rbl_client tr.countries.nerd.dk,
    reject_rbl_client unsure.nether.net,
    reject_rbl_client whois.rfc-ignorant.org,
    reject_rbl_client l1.bbfh.ext.sorbs.net,
    reject_rbl_client l2.bbfh.ext.sorbs.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client cbl.abuseat.org,
    permit

# Allows adding a SPAM blacklist if needed (/etc/postfix/spam_addr)
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    check_sender_access hash:/etc/postfix/spam_addr,
    permit

# Allows setting regex rules to refuse certain known SPAM content (/etc/postfix/spam_body_regex)
body_checks = regexp:/etc/postfix/spam_body_regex

Raising server delivery acceptance rate with DKIM

Ref: See instruction in http://tipstricks.itmatrix.eu/?p=1494

Raising security with TLS mail delivery

Ref: http://tipstricks.itmatrix.eu/?p=855
This feature allows Postfix to send emails to remote mail servers using TLS encryption if the remote mail server supports TLS transport; otherwise it falls back to clear text as usual.

Edit the file: /etc/postfix/main.cf and at the end enter the following:
smtp_tls_security_level = may

OPTIONAL: Enable DKIM verification in Amavis

This verification will warn you if a mail has been received which failed the DKIM verification.
Edit the file /etc/amavis/conf.d/60-groupoffice_defaults
Add the following line:
# Activating warnings for failed DKIM checked emails
$enable_dkim_verification = 1;

OPTIONAL: Enable the addition of ‘*****SPAM*****’ in header of suspicious emails.

Edit the file: /etc/amavis/conf.d/60-groupoffice_defaults
Add the following line:
$sa_spam_subject_tag = '***SPAM*** ';
You can then use this extra Subject tag to filter your mails and move them automatically into another directory, such as a ‘Spam’ directory.

OPTIONAL: Enable the Bayes Spam and Ham learning


For this we need to feed SpamAssassin some Spam (bad) and Ham (good) emails.
In the above configuration file the path of the files where SpamAssassin learns is set to /home/spamd, which doesn’t exist.
I don’t quite know how SA will discern the difference between Ham and Spam, so I’m doing it another way.
In order to feed it some spam mails, each user should contribute to it as follows:
– The users create two new mail folders called exactly ‘Spam’ and ‘Ok’.
– Then each time the user receives a definite SPAM email that is NOT tagged *****SPAM*****, he drops the email into his ‘Spam’ folder and forgets about it.
– Each time he sees that a good mail has been erroneously tagged *****SPAM*****, he drops a COPY of the email into his ‘Ok’ folder and forgets about it.
The following configurations will ensure the following:
– The emails gathered in the users’ ‘Spam’ and ‘Ok’ directories will be harvested by a cron job and be added automatically to the /home/SA/spam (bad) or /home/SA/ham (good) directories respectively for sa-learn to learn from them.

We will create the directories and assign full access to the user ‘spamd’
mkdir -p /home/SA/spam
mkdir -p /home/SA/ham
chown spamd: /home/SA/spam /home/SA/ham

– SpamAssassin will regularly learn from it and offer continuously increasing accuracy in detecting spam.
System cron job to harvest the users’ Spam mails each day and feed the SA learning directory:
0 0 * * * /root/bin/SA-Learn.sh

Creating the script:
mkdir -p /root/bin
touch /root/bin/SA-Learn.sh
chmod 755 /root/bin/SA-Learn.sh
Content of script /root/bin/SA-Learn.sh
#!/bin/bash
# Purpose: Feeds SA to learn the SPAM emails and GOOD emails
#
# Make sure the lock file can be written in /home/spamd/
mkdir -p /home/spamd
chown -R spamd: /home/spamd
#
# Harvest the SPAM emails from users and deposit them in spam directory
find /home/vmail/ -type d -name '.Spam' -print0 | while IFS= read -r -d '' spamdir; do
    rsync -au "$spamdir/cur/" /home/SA/spam/
done
#
# Harvest the HAM emails from the users' 'Ok' folders (stored as '.Ok' in the
# maildir) and deposit them in ham directory
find /home/vmail/ -type d -name '.Ok' -print0 | while IFS= read -r -d '' hamdir; do
    rsync -au "$hamdir/cur/" /home/SA/ham/
done
#
# Now tell SA to learn from them
/usr/bin/sa-learn --spam -u spamd --dir /home/SA/spam/ -D
/usr/bin/sa-learn --ham -u spamd --dir /home/SA/ham/ -D
#
# Then delete the mails it learned from to prevent relearning the same thing and accumulating old mails
find /home/SA/spam/ /home/SA/ham/ -type f -delete
# We let the users delete their own spam and ham mails.
# eof

IMPORTANT: In order for the spam filtering/Dovecot sieve to work you have to make sure that the following line is disabled or not present in /etc/postfix/main.cf
#transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_transports.cf
If present and enabled, the above line overrides the transport agent setting and prevents postfix from using ‘dovecot’ as local transport by using ‘virtual’ instead. It’s been fixed in the GroupOffice version 5.0.44.

Enabling DNS White List (DNSWL) in Postfix


Resources: http://www.dnswl.org
DNSWL.org provides a whitelist of known legitimate email servers to reduce the chances of false positives while spam filtering. To enable it, edit the file /etc/postfix/main.cf and add the following line right before the postgrey line:
smtpd_recipient_restrictions =
    ......
    permit_dnswl_client list.dnswl.org,
    # (postgrey line below)
    check_policy_service inet:127.0.0.1:10023,
    permit

OPTIONAL:
To force using TLS for delivering to selected destinations and fail sending the mail if the destination server doesn’t support it.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
Content of /etc/postfix/tls_policy
example.com encrypt
.example.com encrypt

Hash the list:
postmap /etc/postfix/tls_policy

Allowing roaming SMTP use with SASL authentication

NOTE: Because the users’ credentials are stored in GroupOffice MySQL database we need to do the special authentication chain via dovecot which is configured to read Group Office database and its users data:
Configure SASL authentication
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'

Edit the file /etc/dovecot/conf.d/10-master.conf and, inside the section ‘service auth {‘, insert the following lines:

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    # 0660 is enough because the socket is owned by postfix:postfix
    mode = 0660
    user = postfix
    group = postfix
  }

PROBLEM: After I upgraded GroupOffice to version 5.0.55 I was no longer able to log in to my mail accounts.
See solution in http://www.dovecot.org/list/dovecot/2012-June/066444.html
The /var/log/mail.log said:
..... inbox=yes namespace missing
The solution is:
Edit the file /etc/dovecot/conf.d/15-mailboxes.conf and right under the line:
namespace inbox {
Insert the line
inbox=yes

Raising the SMTP security with TLS encryption

This generates a self-signed certificate. It is strongly recommended to buy a proper CA-signed certificate for that purpose, especially if your mail clients are not very computer literate. The security warning messages appearing in their mail clients because of self-signed certificates might scare them and make them lose trust in your service.
Generating the self-signed certificate:
mkdir -p /etc/ssl/mailserver/
cd /etc/ssl/mailserver/
# Use at least a 2048-bit RSA key and a SHA-256 signature
openssl genrsa 2048 > mail-key.pem
chmod 400 mail-key.pem
openssl req -new -x509 -nodes -sha256 -days 365 -key mail-key.pem > mail-cert.pem

Enter the information required for the self signed certificate.
IMPORTANT: Enter your host name when ‘Common Name’ is asked.
Configuring postfix for TLS
Run the commands:
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/mailserver/mail-cert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/mailserver/mail-key.pem'
postconf -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_loglevel = 0'
postconf -e 'tls_random_source = dev:/dev/urandom'
# Optional, only if the CA certificates are kept in a separate file:
# postconf -e 'smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem'

IMPORTANT NOTE: The intermediate CA and Key of certificate MUST be included in the certificate file (CRT) if you don't specify it in smtpd_tls_CAfile and smtpd_tls_key_file.

You must also make sure the “permit_sasl_authenticated” is present in the “smtpd_recipient_restrictions” configuration option. Edit this option in /etc/postfix/main.cf and add it right after “permit_mynetworks”.

Edit the file /etc/postfix/master.cf and add the following lines:
# Added to allow postfix to also listen on port 587 (submission) as well as port 465 (smtps)
587 inet n - - - - smtpd
465 inet n - - - - smtpd
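
The SASL and TLS settings above leave two things to check: with smtpd_tls_security_level = may and no smtpd_tls_auth_only = yes, Postfix offers AUTH on unencrypted connections, and a port 465 service without smtpd_tls_wrappermode=yes does not speak implicit TLS. The following check is an added example, not part of the original post; the function names, finding labels and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag two gaps in the Postfix
# settings shown above. Function names and finding labels are assumptions.

# Effective (last) value of a single-line main.cf parameter, empty if unset.
main_cf_get() {            # usage: main_cf_get FILE NAME
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^" name "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# master.cf services, one logical line each (indented continuations joined).
master_cf_services() {     # usage: master_cf_services FILE
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }' "$1"
}

# Print one line per finding; return 1 if anything was found, else 0.
audit_postfix() {          # usage: audit_postfix MAIN_CF MASTER_CF
    main="$1"; master="$2"; found=0
    if [ "$(main_cf_get "$main" smtpd_sasl_auth_enable)" = "yes" ] &&
       [ "$(main_cf_get "$main" smtpd_tls_auth_only)" != "yes" ] &&
       [ "$(main_cf_get "$main" smtpd_tls_security_level)" != "encrypt" ]; then
        echo "AUTH-CLEARTEXT: SASL is on but TLS is optional; set smtpd_tls_auth_only = yes"
        found=1
    fi
    services=$(master_cf_services "$master")
    while read -r name type rest; do
        [ "$type" = "inet" ] || continue
        case "$name" in 465|smtps) ;; *) continue ;; esac
        case "$rest" in
            *smtpd_tls_wrappermode=yes*) ;;
            *) echo "NO-WRAPPERMODE: service $name lacks -o smtpd_tls_wrappermode=yes"
               found=1 ;;
        esac
    done <<EOF
$services
EOF
    return "$found"
}

# Constructed sample files that mirror the settings on this page.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'smtpd_sasl_auth_enable = yes' \
                  'smtpd_tls_security_level = may' > "$d/main.cf"
    printf '%s\n' '587 inet n - - - - smtpd' \
                  '465 inet n - - - - smtpd' > "$d/master.cf"
    audit_postfix "$d/main.cf" "$d/master.cf"
    rm -rf "$d"
}
demo
```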

Adding extra postfix server security


Recommendation for better security by OpenVAS
postconf -e 'disable_vrfy_command=yes'

Restart postfix and dovecot

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

APACHE2 Configuration

Configuring Redirection of ALL HTTP requests to HTTPS

Commands:
a2enmod ssl rewrite
a2ensite default-ssl

Edit the file: /etc/apache2/sites-available/default-ssl
and add the following lines at the very end after </IfModule>.
# Redirecting all HTTP to HTTPs
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</IfModule>

Edit the file: /etc/apache2/sites-available/default
and add the following lines after LogLevel warn.
# Redirecting all HTTP to HTTPs
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</IfModule>

Installing separate WebMail Interfaces

Configuration of RoundCube and Apache

Install Roundcube WebMail interface
apt-get install roundcube roundcube-plugins roundcube-plugins-extra
Prepare configuration for Roundcube and Apache
Edit file: /etc/roundcube/apache.conf
Uncomment the following 2 lines as follows:
Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
Alias /roundcube /var/lib/roundcube

Configuration of Squirrelmail and Apache

Installing Squirrelmail WebMail interface
apt-get install squirrelmail squirrelmail-decode
ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail

Optional:
For changing configuration of squirrelmail, run the command:
/usr/sbin/squirrelmail-configure

ADD authentication security to admin sites

Edit the file /etc/apache2/sites-available/default-ssl
and add the following lines at the very end:
# Authentication for private areas
<LocationMatch (/awstats|/awstats-icon|/mailgraph|/queuegraph|/phpmyadmin)>
AuthName "Private Area"
AuthType Basic
AuthUserFile /etc/apache2/web.auth
Require valid-user
</LocationMatch>

Run:
touch /etc/apache2/web.auth
For each admin user you need to create a password with this command
htpasswd /etc/apache2/web.auth <username>

Installing AWSTATS, MAILGRAPH and QUEUEGRAPH for Mail stats

By default, Awstats creates a full new report at 03:10 each day;
it also refreshes the data every 10 minutes.

Installation:
apt-get install awstats mailgraph queuegraph
chown www-data: /var/lib/awstats
chmod o+r /var/log/mail.log

Edit /etc/awstats/awstats.local
Add the following lines:
# You can overrides config directives here.
# This is particularly useful for users with several configs for
# different virtual servers, who want to reuse common parameters.
# Also, this file is not updated with each new upstream release.
LogFile="perl /usr/share/doc/awstats/examples/maillogconvert.pl standard < /var/log/mail.log |"
LogType=M
LogFormat="%time2 %email %email_r %host %host_r %method %url %code %bytesd"
LevelForBrowsersDetection=0
LevelForOSDetection=0
LevelForRefererAnalyze=0
LevelForRobotsDetection=0
LevelForWormsDetection=0
LevelForSearchEnginesDetection=0
LevelForFileTypesDetection=0
ShowMenu=1
ShowSummary=HB
ShowMonthStats=HB
ShowDaysOfMonthStats=HB
ShowDaysOfWeekStats=HB
ShowHoursStats=HB
ShowDomainsStats=0
ShowHostsStats=HBL
ShowAuthenticatedUsers=0
ShowRobotsStats=0
ShowEMailSenders=HBML
ShowEMailReceivers=HBML
ShowSessionsStats=0
ShowPagesStats=0
ShowFileTypesStats=0
ShowFileSizesStats=0
ShowBrowsersStats=0
ShowOSStats=0
ShowOriginStats=0
ShowKeyphrasesStats=0
ShowKeywordsStats=0
ShowMiscStats=0
ShowHTTPErrorsStats=0
ShowSMTPErrorsStats=1
SiteDomain=mail.myserver.com
LoadPlugin="geoipfree"

Create the Apache configuration file: /etc/apache2/conf.d/awstats
and add the following content:
# Configuration for email-AWSTATS, MAILGRAPH and QUEUEGRAPH
Alias /awstats /usr/lib/cgi-bin/
Alias /awstats-icon/ /usr/share/awstats/icon/
Alias /mailgraph /usr/lib/cgi-bin/mailgraph.cgi
Alias /queuegraph /usr/lib/cgi-bin/queuegraph.cgi
Alias /queuegraph.cgi /usr/lib/cgi-bin/queuegraph.cgi
#
<Directory /usr/lib/cgi-bin/>
Options +execCGI
AddHandler cgi-script .pl .cgi
DirectoryIndex awstats.pl
</Directory>

Restart Apache service

service apache2 restart

List of URLs for this mail server:

Group Office https://mail.myserver.com/groupoffice
Roundcube Webmail https://mail.myserver.com/roundcube
Squirrelmail Webmail https://mail.myserver.com/squirrelmail
Mail stats(Awstats) https://mail.myserver.com/awstats
Mail traffic graph https://mail.myserver.com/mailgraph
Mail queues graph https://mail.myserver.com/queuegraph

Group Office forum and wikis addresses

https://www.group-office.com/
https://www.group-office.com/forum/
https://www.group-office.com/wiki/
https://www.group-office.com/wiki/Mailserver

14 Dec 10 Assigning CPUs to Xen virtual Machines

Introduction:
I’m renting an 8-CPU machine at Hetzner and I wanted to improve the performance.
At the beginning I was distributing many CPUs to the virtual machines which needed them and fewer CPUs to the others.
This meant that some CPUs would be shared by more than one Xen virtual machine.
I noticed that the performance was quite sluggish.
After having read about it on the Internet I opted to assign 1 or at most 2 CPUs per machine, including DOM0,
and no CPUs would be shared by the machines that need performance.
In the end this really improved the performance significantly because Xen has less CPU switching to do.

So here is the plan:
DOM0 : CPU 0 & 1
DOMU1 : CPU 2 & 3
DOMU2 : CPU 4 & 5
DOMUx : Shared CPUs 6 & 7 (some machines might get one CPU and others 2 CPUs)

The principle is also that we assign vCPUs to physical CPUs.
I have seen some ways on the Internet to assign CPUs to DOM0, but somehow the following method doesn’t seem to work.
in /boot/grub/menu.lst
dom0_max_vcpus=2 dom0_vcpus_pin

Distributing CPUs for DOM0 and DOMUs


Manually assign a vCPU to a physical CPU
Syntax:
xm vcpu-pin ID VCPU CPU
eg.
xm vcpu-pin 14 0 7
Assigns vCPU 0 to physical CPU 7 for the DOMU-ID 14

So here is my method for the DOM0.
Note: Unfortunately this has to be done every time I boot, therefore putting the following content in a system init script which starts after the ‘xend’ daemon has started could be helpful.
DOM0
xm vcpu-pin 0 0 0
xm vcpu-pin 0 1 0
xm vcpu-pin 0 2 0
xm vcpu-pin 0 3 0
xm vcpu-pin 0 4 1
xm vcpu-pin 0 5 1
xm vcpu-pin 0 6 1
xm vcpu-pin 0 7 1

This assigns only the first 2 physical CPUs to 8 vCPUs used by DOM0


Command for listing the cpu distribution:
xm vcpu-list
DOMUs
Assigning CPUs to DOMUs can be done by hand as seen above, but I recommend doing it in their respective Xen configuration files as follows:

Edit the DOMu configuration file: eg. /etc/xen/domu_test.cfg
Add this content
vcpus = 2
cpus = ["2","3"]

This would assign 2 CPUs to the DOMu which will be CPU 2 and 3.

After these configuration changes the DOMU has to be shut down and then restarted.
A ‘Reboot’ command from DOM0 or inside the DOMU will not work.
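
To verify the resulting distribution against the plan, the following added example (not part of the original post) reads the output of xm vcpu-list and reports every physical CPU that appears in the affinity of more than one domain, plus every domain that is not pinned at all. The column layout and the sample output are constructed assumptions; the domain names are made up.

```sh
#!/bin/sh
# Added example, not from the original post. The column layout of
# `xm vcpu-list` is assumed to be: Name ID VCPU CPU State Time(s) CPU-Affinity.

# Read `xm vcpu-list` output on stdin. Print "CPU<TAB>domains" for each
# physical CPU that is in the affinity of two or more domains, and
# "any<TAB>domain" for each domain that is not pinned at all.
shared_cpus() {
    awk '
        NR == 1 || NF < 7 { next }            # header or short line
        {
            dom = $1
            aff = $7
            for (i = 8; i <= NF; i++) aff = aff " " $i
            if (aff == "any cpu") { unpinned[dom] = 1; next }
            n = split(aff, parts, ",")        # "6,7" or "0-1" or "2"
            for (i = 1; i <= n; i++) {
                m = split(parts[i], r, "-")
                lo = r[1] + 0
                hi = (m > 1 ? r[2] : r[1]) + 0
                for (c = lo; c <= hi; c++) {
                    if ((c, dom) in seen) continue
                    seen[c, dom] = 1
                    users[c] = (c in count ? users[c] "," : "") dom
                    count[c]++
                }
            }
        }
        END {
            for (c in count) if (count[c] > 1) print c "\t" users[c]
            for (d in unpinned) print "any\t" d
        }' | sort -n
}

# Constructed sample: Domain-0 and "mail" have dedicated CPUs, "web" and "db"
# share CPUs 6 and 7 like the DOMUx group in the plan, "test" is not pinned.
sample_vcpu_list() {
    cat <<'EOF'
Name      ID  VCPU  CPU  State  Time(s)  CPU Affinity
Domain-0   0     0    0  r--     812.4   0-1
Domain-0   0     1    1  -b-     640.1   0-1
mail       1     0    2  -b-     120.7   2
mail       1     1    3  -b-      98.3   3
web        2     0    6  -b-      45.0   6,7
db         3     0    7  -b-      51.2   6-7
test       4     0    5  -b-       1.9   any cpu
EOF
}

# On the Xen host this would be: xm vcpu-list | shared_cpus
sample_vcpu_list | shared_cpus
```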