Xen installation » History » Revision 1

Anonymous, 07/24/2007 03:41 PM


Installation protocol for wp5demo

This documentation describes the installation procedure on the wp5demo server.

The installation is based on Debian Etch, which provides packages for Xen version 3.0.3-1.

Debian Etch Installation

During the software selection step of the Debian Etch installation, all offered selections (desktop, standard) were deselected.

Only the root user has been added to the system (just cancel the dialog that asks for the name of the first user).

After rebooting the system, the package source list for the apt program (/etc/apt/sources.list) has been configured like this:

deb http://ftp.de.debian.org/debian/ etch main contrib
deb-src http://ftp.de.debian.org/debian/ etch main contrib
deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

Then the system has been updated with the following commands:

apt-get update
apt-get upgrade

With the basic system installation done, the following software packages have been added to the system:

  • less

  • openssh-server

  • lvm



OpenSSH configuration

The OpenSSH server has been configured to accept logins via SSH keys only, so no username/password access should be possible on this system. Therefore, the following options have been set in the openssh-server configuration file /etc/ssh/sshd_config:

PasswordAuthentication no
UsePAM no

The public keys of users allowed to log in as root must be listed in the file /root/.ssh/authorized_keys. Currently, that's just me!
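The two options above only take effect if no earlier line in sshd_config has already set them, because sshd uses the first occurrence of each keyword. The following script is an added example, not part of the original page: it reads an sshd_config, reports the effective values of PasswordAuthentication and UsePAM, and also checks ChallengeResponseAuthentication, which would otherwise still offer keyboard-interactive password prompts. The two sample configurations are constructed, the defaults assumed for absent keywords are the upstream OpenSSH defaults, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): report which login methods an
# sshd_config really leaves enabled. sshd takes the FIRST occurrence of each
# keyword, so a "no" added below an existing "yes" changes nothing.
# Assumption: a plain global configuration without Match blocks.

# Effective value of keyword $2 in file $1 (keywords are case-insensitive);
# prints $3, the assumed upstream default, when the keyword is absent.
sshd_effective() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == tolower(k) { print $2; exit }     # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Succeeds (exit 0) only when password-style logins are really off: the two
# options set on this page plus ChallengeResponseAuthentication, which would
# otherwise still allow keyboard-interactive password prompts.
sshd_key_only() {
    pa=$(sshd_effective "$1" PasswordAuthentication yes)
    pam=$(sshd_effective "$1" UsePAM no)
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    echo "$1: PasswordAuthentication=$pa UsePAM=$pam ChallengeResponseAuthentication=$cra"
    [ "$pa" = no ] && [ "$pam" = no ] && [ "$cra" = no ]
}

# Two constructed sample configurations (not real files from the server).
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# constructed sample: hardened as described on this page
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
cat > "$BAD" <<'EOF'
# constructed sample: looks hardened, but the first occurrence wins
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
EOF

sshd_key_only "$GOOD" && echo "-> key-only login enforced"
sshd_key_only "$BAD"  || echo "-> passwords are still accepted"
```

On the real server, run the check against /etc/ssh/sshd_config after every edit; the second sample shows why "grep PasswordAuthentication no" alone is not a sufficient check.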

Network configuration

Important note: The standard Etch setup configures Ethernet network interfaces (eth0, eth1) using the option allow-hotplug eth0. This causes many networking problems (e.g. deletion of the eth0 interface when restarting networking

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
        address 160.45.63.20
        netmask 255.255.255.0
        network 160.45.63.0
        broadcast 160.45.63.255
        gateway 160.45.63.1
        dns-nameservers 160.45.8.8
        dns-search bgbm.fu-berlin.

Xen Package Installation

Based on a fresh, minimal Debian Etch installation, the following packages have been installed:

  • xen-linux-system-2.6.18-4-xen-686

  • xen-tools

  • xen-docs-3.0

  • libc6-xen

  • bridge-utils

  • linux-image-2.6.18-4-xen-686

  • linux-modules-2.6.18-4-xen-686

  • xen-hypervisor-3.0.3-1-i386-pae

This has been done using the following command:


Furthermore, the loop module must be loaded into the kernel at boot time. This is done by adding or changing the following line in the file /etc/modules:

loop max_loop=64

Now we can reboot the system to use the xen kernel!


If the reboot was successful, entering the following command should produce the subsequent output:

Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0     3922     2 r-----      5.9

Xen Network Configuration

As a start, we set up dom0 to use the NAT network setup for the user domains. This connects our domains to the internet. This is done by editing /etc/xen/xend-config.sxp as follows. Uncomment the following lines (line 113):

(network-script network-nat)
(vif-script     vif-nat)

Comment out the following line (line 87):


Now, restart the xend daemon:

/etc/init.d/xend restart

When running the command ifconfig, the output should contain the following network devices:

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

Xen-Tools Configuration

Creating and mounting a logical volume for Xen configuration files

First, we need a logical volume where all Xen domains and configuration files will be stored. Therefore we create a logical volume called xen with an initial size of 1 GB on the volume group vg1 and create an ext3 file system on it:


To mount this file system at boot time on the mount point /xen, create the directory /xen:


and add the following lines to the file /etc/fstab:

/dev/vg1/xen    /xen            ext3    defaults        1       2

Creation of a base Debian Etch Xen Domain with xen-tools

Now we start with the domain creation. The aim is to set up a configuration where any domain can be recreated from scratch using a single command. This is a little complicated and requires some preparatory work. So let's start by configuring the creation of a base Debian Etch system with OpenSSH access for root.

First, we need to edit the xen-tools configuration file. Create the directory /xen/etc/xen-tools and copy the original /etc/xen-tools/xen-tools.conf and /etc/xen-tools/xm.tmpl into it:


We would like to:

  • create LVM volumes for every domain (option lvm)

  • install Debian etch via network (option debootstrap)

  • set default sizes for the system and swap lvm volume (options size and swap )

  • set default size of memory (RAM) (option memory)

  • set the filesystem type (option fs)

  • set the Linux distribution to install (option dist)

  • configure the network parameters (options ip, netmask and gateway)

  • enable prompting for root password

  • set the boot kernel and initrd (options kernel and initrd)

  • set the default mirror for debootstrap (option mirror)

  • enable debug messages (option verbose)

  • attach hard disks as IDE drives (/dev/hdaX, option ide)

  • specify the role of the domain (option role)

  • specify the template file for domain startup (option template)

  • specify the hostname (option hostname)

For that, we have to set the following default options within /xen/etc/xen-tools/base.conf:

lvm         = vg1
debootstrap = 1
swap        = 128Mb
size        = 512Mb
memory      = 64Mb
fs          = ext3
dist        = etch
image       = full
ip          = "10.0.0.10"
netmask     = 255.0.0.0
gateway     = 10.0.0.254
passwd      = 1
kernel      = /boot/vmlinuz-2.6.18-4-xen-686
initrd      = /boot/initrd.img-2.6.18-4-xen-686
mirror      = http://ftp.de.debian.org/debian/
verbose     = 1
ide         = 1
role        = base
template    = /xen/etc/xen-tools/base.tmpl
hostname    = base.wp5demo.org

For this basic installation, we can leave the template file /xen/etc/xen-tools/base.tmpl unchanged. The xen-create-image command uses this file to generate a startup configuration file (in /etc/xen/), which xend then interprets to create and start the corresponding virtual machine.

Further, the xen-tools configuration comprises a role.d directory, where templates for specific domain roles (e.g. base system, web server, IdP) can be defined. These "roles" are executable shell scripts; the existing role minimal provides a template for a minimal Debian system that installs and removes several packages. For the time being, we define a base role for our needs and store the corresponding file in the directory /xen/etc/xen-tools/role.d. Then we can link this file into the regular xen-tools configuration directory:


Currently, we source the minimal role script and extend it by installing the openssh-server package. Later on, we can extend this script by removing or installing further packages, or doing other things.

#!/bin/sh
# Role "base": reuse the minimal role shipped with xen-tools and add OpenSSH.
# xen-create-image passes the mount point of the new domain's file system
# as the first argument; installDebianPackage is defined by the minimal role.
prefix=$1
if [ -e ./minimal ]; then
    . ./minimal
else
    . /etc/xen-tools/role.d/minimal
fi
installDebianPackage ${prefix} openssh-server

Next, we create a skeleton directory for our base role.


Within this directory, we can place any files we would like to be copied into the file system of every virtual machine created from our base role. To configure the virtual machine and get access to it via ssh, we can simply copy these files from our dom0 instance:


In the last step, we link all these files to the right place within the /etc/xen-tools directory and create our first base VM with the xen-tools command xen-create-image. For this, we use the following little shell script, stored as /xen/create_base:

#!/bin/sh
# Point the regular xen-tools configuration at the files of the selected role,
# then run xen-create-image with all arguments given to this script.
ROLE=base
unlink /etc/xen-tools/xen-tools.conf
ln -s /xen/etc/xen-tools/${ROLE}.conf /etc/xen-tools/xen-tools.conf
unlink /etc/xen-tools/role.d/${ROLE}
ln -s /xen/etc/xen-tools/role.d/${ROLE} /etc/xen-tools/role.d
unlink /etc/xen-tools/skel
ln -s /xen/etc/xen-tools/skel/${ROLE} /etc/xen-tools/skel
xen-create-image "$@"

Before using this script for the first time, we need to delete the regular /etc/xen/skel directory:


Make sure that this script as well as the role script are executable:


Now, we are ready to create an instance of our first virtual machine executing our script:


During the script execution, you should be prompted for a password for the root user. You can follow the installation process by observing the corresponding log file:


After the script has finished, you can start the vm with the following command:



Firewall setup

In order to connect to our virtual machines via the ssh protocol, we have to configure the firewall of our dom0 to forward a port (e.g. port 110) to port 22 of the virtual machine. Therefore, store the following script in /etc/network/if-up.d/iptables and make it executable (chmod 755).

#!/bin/sh
# Flush the filter table and drop incoming traffic by default.
# Note: -F without -t only flushes the filter table, so the nat rule at the
# end is appended once more every time this script runs.
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j ACCEPT -p icmp
/sbin/iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport ssh
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport http
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 110
# Forward external port 110 to port 22 of the base domain (10.0.0.10).
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to 10.0.0.10:22

Now you should be able to login to the base virtual machine using ssh on port 110.
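Once more domains get their own forwarded ports, it is easy to lose track of which external port ends up on which domain and whether the INPUT policy is still DROP. The following script is an added example, not part of the original page: it parses iptables-save output (here a constructed dump modelled on the rules above) and lists the DNAT forwardings, the accepted INPUT ports and the chain policies, which is the check to run on dom0 after the if-up.d script has fired.

```shell
#!/bin/sh
# Added example (not from the original page): read an iptables-save dump and
# answer what a reviewer of the firewall script above would ask: which
# external ports are forwarded where, which INPUT ports are open, and is
# the INPUT policy really DROP? Runs offline on a constructed dump; on a
# real dom0 feed it the output of `iptables-save`.

# Print "external-port destination" for every DNAT rule in the nat table.
dnat_map() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter"
        table == "nat" && /-j DNAT/ {
            port = "?"; dest = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print port, dest
        }
    ' "$1"
}

# Print the default policy of chain $3 in table $2 (":INPUT DROP [0:0]" lines).
chain_policy() {
    awk -v t="$2" -v c="$3" '
        /^\*/ { table = substr($0, 2); next }
        table == t && $1 == (":" c) { print $2; exit }
    ' "$1"
}

# Print the destination ports the filter INPUT chain accepts.
open_input_ports() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $2 == "INPUT" && /-j ACCEPT/ && /--dport/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }
    ' "$1"
}

# Constructed iptables-save output modelled on the rules from this page,
# with a second forwarded domain added to show the general case.
DUMP=$(mktemp)
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
# constructed sample, not captured from the server
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.0.0.11:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF

echo "INPUT policy: $(chain_policy "$DUMP" filter INPUT)"
echo "open INPUT ports: $(open_input_ports "$DUMP" | tr '\n' ' ')"
echo "forwarded ports (external -> domain):"
dnat_map "$DUMP"
```

A forwarded port that appears twice in the dnat_map output is the symptom of the if-up.d script having run more than once without the nat table being flushed.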

Creation of further virtual machine templates

Based on the previous xen-tools configuration, we can proceed setting up further configurations for other purposes.

Shibboleth Identity Provider (IdP)

We need the following environment for the IdP:

  • Apache 2.0 or 2.2

  • mod_jk

  • Tomcat 5.5

  • Java 1.5

  • openssl

This results in the following Debian Etch packages:


Edit /etc/default/apache2 and set NO_START so that Apache starts at boot time:

NO_START=0

Configuration of mod_jk

Create the file /etc/apache2/mods-available/jk.conf:

<IfModule mod_jk.c>
        JkWorkersFile /var/lib/tomcat5.5/conf/jk/workers.properties
        JkLogFile /var/log/apache2/mod_jk.log
        JkLogLevel emerg
        JkMount /shibboleth-idp/* ajp13
        JkMount /jsp-examples/* ajp13
</IfModule>

Link the files /etc/apache2/mods-available/jk.load and /etc/apache2/mods-available/jk.conf into the directory /etc/apache2/mods-enabled.


Apache will then load the module at startup. Now, create the module's configuration file /var/lib/tomcat5.5/conf/jk/workers.properties:

worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300

SSL configuration



Create an SSL Server Key and Certificate:

Generating a 1024 bit RSA private key
................++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BGBM
Organizational Unit Name (eg, section) []:WP5Demo
Common Name (eg, YOUR name) []:IdP.wp5demo.org
Email Address []:

Configure Tomcat

Tomcat must be directed to accept the authentication information coming in through mod_jk. Add the attributes request.tomcatAuthentication="false" and address="127.0.0.1" to the AJP 1.3 Connector element for port 8009 (line 106 of the file /etc/tomcat5.5/server.xml).

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               request.tomcatAuthentication="false" address="127.0.0.1" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Now, restart Apache and Tomcat:


As a result, accessing https://160.45.63.20/jsp-examples/ should reveal a bunch of code examples and demonstrate that Tomcat, Apache, mod_ssl, and mod_jk are all functional.

Shibboleth Service Provider (SP)
