Xen installation » History » Revision 17

Lutz Suhrbier, 03/01/2008 03:37 PM



XEN-Installation protocol on wp5demo

This documentation describes the installation procedure on the wp5demo server.

The installation is based on Debian Etch, which provides packages for Xen version 3.0.3-1.

Debian Etch Installation

During the software selection part of the Debian Etch installation all possible selections (desktop, standard) have been deselected.

Only the root user has been added to the system (just cancel the dialog asking for the name of the first user).

After rebooting the system, the package source list for the apt program (/etc/apt/sources.list) has been configured like this:

deb http://ftp.de.debian.org/debian/ etch main contrib
deb-src http://ftp.de.debian.org/debian/ etch main contrib 
deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

The system has then been updated with the following commands:

apt-get update
apt-get upgrade

Now that the basic system installation was done, the following software packages have been added to the system:

  • less

  • openssh-server

  • lvm2

  • lsof

  • nmap

# apt-get install less openssh-server lvm2 lsof nmap

OpenSSH configuration

The openssh server has been configured to accept logins via SSH keys only, so no username/password access should be possible on this system. For this, the following options have been set in the openssh-server configuration file /etc/ssh/sshd_config:

PasswordAuthentication no
UsePAM no

The public keys of users allowed to log in as root must be listed in the file /root/.ssh/authorized_keys.
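A check for the policy above, added here as an example and not part of the original wiki page: sshd honours the first occurrence of a keyword and, for the global scope, ignores everything after a Match line, so a "PasswordAuthentication no" appended to the bottom of sshd_config can be silently overridden. The function names and the three constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example (not part of the wiki page): verify that an sshd_config really
# enforces key-only logins. sshd uses the FIRST occurrence of a keyword and, for
# the global scope, stops at the first "Match" line, so a "no" appended at the
# end of the file may be shadowed by an earlier "yes" or land inside a Match block.

# sshd_effective FILE KEYWORD -> prints the globally effective value (lowercase),
# nothing if the keyword is not set (i.e. the compiled-in default applies)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }               # comments, blank lines
        tolower($1) == "match"      { exit }               # conditional block: stop
        tolower($1) == key          { print tolower($2); exit }   # first one wins
    ' "$1"
}

# sshd_key_only FILE -> exit 0 only if both directives this page sets are in effect
sshd_key_only() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_effective "$1" UsePAM)" = "no" ]
}

# report FILE -> human-readable verdict, e.g. report /etc/ssh/sshd_config
report() {
    if sshd_key_only "$1"; then
        echo "$1: key-only login enforced"
    else
        echo "$1: password login still possible (PasswordAuthentication=$(sshd_effective "$1" PasswordAuthentication), UsePAM=$(sshd_effective "$1" UsePAM))"
    fi
}

# --- constructed sample files, so the check can be exercised offline ---
SSHD_DEMO=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication no\nUsePAM no\n' > "$SSHD_DEMO/good"
# "no" appended below an earlier "yes": the earlier line is what sshd uses
printf 'PasswordAuthentication yes\n# hardening attempt\nPasswordAuthentication no\nUsePAM no\n' > "$SSHD_DEMO/shadowed"
# a directive placed after a Match line applies to that match only, not globally
printf 'UsePAM no\nMatch User guest\n    PasswordAuthentication no\n' > "$SSHD_DEMO/in_match"

for f in good shadowed in_match; do report "$SSHD_DEMO/$f"; done
```

Run report against /etc/ssh/sshd_config on dom0 and on every skeleton copy of sshd_config you ship into the guests; an empty value from sshd_effective means the compiled-in default (password logins allowed) is in effect.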

Network configuration

Important note: The standard etch setup configures ethernet network interfaces (eth0, eth1) using the option allow-hotplug eth0. This causes many problems concerning networking (e.g. deletion of the eth0 interface when restarting networking with # /etc/init.d/networking restart). So, please use the option auto instead in /etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
        address 160.45.63.20
        netmask 255.255.255.0
        network 160.45.63.0
        broadcast 160.45.63.255
        gateway 160.45.63.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 160.45.8.8
        dns-search bgbm.fu-berlin.

Xen Package Installation

Based on a fresh, minimal Debian Etch installation, the following packages have been installed:

  • xen-linux-system-2.6.18-4-xen-686

  • xen-tools

  • xen-docs-3.0

  • libc6-xen

  • bridge-utils

  • linux-image-2.6.18-4-xen-686

  • linux-modules-2.6.18-4-xen-686

  • xen-hypervisor-3.0.3-1-i386-pae

This has been done using the following command:

# apt-get install xen-linux-system-2.6.18-4-xen-686 xen-tools xen-docs-3.0 libc6-xen bridge-utils

Furthermore, the loop module must be loaded at boot time. This is done by adding or changing the following line in the file /etc/modules:

loop max_loop=64

Now we can reboot the system to use the xen kernel!

# reboot

If the reboot was successful, entering the following command should produce the subsequent output:

# xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0     3922     2 r-----      5.9

Xen Network Configuration

There are at least two possible configurations for the Xen network:

  • Network Address Translation (NAT)

  • Network Bridge

At the beginning of the wp5demo setup procedure, only one IP address was available. So, we used the NAT configuration to connect our virtual machines to the internet and used port forwarding to redirect the necessary ports for the virtual machines from wp5demo. Please consider the corresponding firewall configuration script for wp5demo.

Now, as we can use several IP addresses for our virtual machines, we use network bridging to allow direct internet access for the virtual machines and assign each of them its own IP address.

Configuring Network Address Translation (NAT)

To set up a NAT network for the user domains, edit the original version of /etc/xen/xend-config.sxp as follows.

Uncomment the following lines (line 113):

(network-script network-nat)
(vif-script     vif-nat)

Comment the following line (line 87)

#(network-script network-dummy)

Configuring Network Bridge

To configure Xen to act as a network bridge, edit the original version of /etc/xen/xend-config.sxp as follows.

Uncomment the following line (line 71):

(network-script network-bridge)

and the following line (line 102):

(vif-script vif-bridge)

Comment the following line (line 87)

#(network-script network-dummy)

After restarting the xend daemon:

/etc/init.d/xend restart

Running the command ifconfig, the output should contain the following network devices:

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

Xen-Tools Configuration

Creating and mounting a logical volume for Xen configuration files

First, we need to create a logical volume, where all Xen domains and configuration files will be stored. Therefore we create a logical volume with an initial size of 1GB called xen on the volume group vg1 and create an ext3 file system on it:

# lvcreate -L 1G -n xen vg1
# mkfs.ext3 /dev/vg1/xen

To mount this file system at boot time on the mount point /xen, create the directory /xen:

# mkdir /xen

and add the following lines to the file /etc/fstab:

# LVMs
/dev/vg1/xen    /xen            ext3    defaults        1       2

Creation of a base Debian Etch Xen Domain with xen-tools

Now, we start with the domain creation. The aim is to set up a configuration where any domain can be recreated from scratch using a single command. This is a little bit complicated, and we have to do some preparatory work. So, let's start by configuring the creation of a base Debian Etch system with OpenSSH access for root.

First, we need to edit the xen-tools configuration file. Create the directory /xen/etc/xen-tools and copy the original /etc/xen-tools/xen-tools.conf and /etc/xen-tools/xm.tmpl into it:

# mkdir /xen/etc/xen-tools
# cp /etc/xen-tools/xen-tools.conf /xen/etc/xen-tools/base.conf
# cp /etc/xen-tools/xm.tmpl /xen/etc/xen-tools/base.tmpl

We would like to

  • create LVM volumes for every domain (option lvm)

  • install Debian etch via network (option debootstrap)

  • set default sizes for the system and swap lvm volumes (options size and swap)

  • set default size of memory (RAM) (option memory)

  • set the filesystem type (option fs)

  • set the Linux distribution to install (option dist)

  • configure the network parameters (options ip, netmask and gateway)

  • enable prompting for root password

  • set the boot kernel and initrd (options kernel and initrd)

  • set the default mirror for debootstrap (option mirror)

  • enable debug messages (option verbose)

  • attach hard disks as IDE drives (/dev/hdax, option ide)

  • specify the role of the domain (option role)

  • specify the template file for domain startup (option template)

  • specify the hostname (option hostname)

For that, we have to set the following default options within /xen/etc/xen-tools/base.conf:

lvm = vg1
debootstrap = 1
swap    = 128Mb # Swap size
size    = 512Mb # Disk image size.
memory  = 64Mb  # Memory size
fs      = ext3  # use the EXT3 filesystem for the disk image.
dist    = etch  # Default distribution to install.
image   = full  # Specify sparse vs. full disk images.
ip      = "10.0.0.10"
netmask = 255.0.0.0
gateway = 10.0.0.254
passwd = 1
kernel = /boot/vmlinuz-2.6.18-4-xen-686
initrd = /boot/initrd.img-2.6.18-4-xen-686
mirror = http://ftp.de.debian.org/debian/
verbose         = 1
ide             = 1
role            = base
template        = /xen/etc/xen-tools/base.tmpl
hostname        = base.wp5demo.org

For this basic installation, we can leave the template file /xen/etc/xen-tools/base.tmpl unchanged. This file is used by the xen-create-image command to create a startup configuration file (in /etc/xen/), which xend interprets to create and start the corresponding virtual machine.

Further, the xen-tools configuration comprises a role.d directory, where templates for specific domain roles (e.g. base system, web server, IdP) can be defined. These "roles" are executable shell scripts; the existing role minimal provides a template for a minimal Debian system that installs and removes several packages. For the time being, we define a base role for our needs and store the corresponding file in the directory /xen/etc/xen-tools/role.d. Then, we can link this file into the regular xen-tools configuration directory:

# mkdir /xen/etc/xen-tools/role.d
# vi /xen/etc/xen-tools/role.d/base

Currently, we source the minimal role script and extend it by installing the openssh-server package. Later on, we can extend this script by removing or installing further packages, or doing other things.

#!/bin/sh
#
#  Source the minimal role
#

prefix=$1

if [ -e ./minimal ]; then
    . ./minimal
else
    . /etc/xen-tools/role.d/minimal
fi

installDebianPackage ${prefix} openssh-server

Next, we create a skeleton directory for our base role.

# mkdir -p /xen/etc/xen-tools/skel/base

Within this directory, we can place any files we would like to be copied into the file system of any virtual machine created from our base role. To configure and get access to the virtual machine via ssh, we can simply copy these files from our dom0 instance.

# mkdir -p /xen/etc/xen-tools/skel/base/root/.ssh
# cp -av /root/.ssh/authorized_keys /xen/etc/xen-tools/skel/base/root/.ssh
# mkdir -p /xen/etc/xen-tools/skel/base/etc/ssh
# cp -av /etc/ssh/sshd_config /xen/etc/xen-tools/skel/base/etc/ssh

In the last step, we link all these files to the right place within the /etc/xen-tools directory and start creating our first base vm with the xen-tools command xen-create-image. For this, we use the following little shell script and store it as /xen/create_base:

#!/bin/sh
ROLE=base
# link the role's xen-tools config to /etc/xen-tools
unlink /etc/xen-tools/xen-tools.conf
ln -s /xen/etc/xen-tools/${ROLE}.conf /etc/xen-tools/xen-tools.conf
# link the role's script to /etc/xen-tools/role.d
unlink /etc/xen-tools/role.d/${ROLE}
ln -s /xen/etc/xen-tools/role.d/${ROLE} /etc/xen-tools/role.d
# link the role's file system skeleton to /etc/xen-tools/skel
unlink /etc/xen-tools/skel
ln -s /xen/etc/xen-tools/skel/${ROLE} /etc/xen-tools/skel
# pass any command line options through to xen-create-image unchanged
xen-create-image "$@"

Before using this script for the first time, we need to delete the regular /etc/xen-tools/skel directory:

# rm -R /etc/xen-tools/skel

Make sure that this script as well as the role script are executable:

# chmod 755 /xen/create_base
# chmod 755 /xen/etc/xen-tools/role.d/base

Now, we are ready to create an instance of our first virtual machine executing our script:

# /xen/create_base

During the script execution, you should be prompted for a password for the root user! You can follow the installation process observing the corresponding log-file:

# tail -f /var/log/xen-tools/base.wp5demo.org.log

After the script has finished, you can start the vm with the following command:

# xm create /etc/xen/base.wp5demo.org.cfg -c

Firewall setup

When using Xen's NAT network configuration, in order to connect to our virtual machines e.g. via the ssh protocol, we have to configure the firewall of our dom0 to forward e.g. port 110 to port 22 of our virtual machine. For this, store the following script in /etc/network/if-up.d/iptables and make it executable (chmod 755).

#!/bin/sh
### Clean up rules ###
/sbin/iptables -F
### The nat table is not touched by -F; flush PREROUTING as well, otherwise every
### run of this if-up script appends one more copy of the DNAT rule below ###
/sbin/iptables -t nat -F PREROUTING
### Nothing in ###
/sbin/iptables -P INPUT DROP
### All out ###
/sbin/iptables -P OUTPUT ACCEPT
### Accept all localhost traffic ###
/sbin/iptables -A INPUT -j ACCEPT -i lo
### Accept all icmp traffic ###
/sbin/iptables -A INPUT -j ACCEPT -p icmp
### Accept all responses (the state names are ESTABLISHED and RELATED) ###
/sbin/iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
### Accept Incoming Ports ###
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport ssh
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport http
### Accept SSH-Port for base.wp5demo.org ###
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 110
### Forwarding Ports ###
### Forward SSH-Port for base.wp5demo.org ###
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to 10.0.0.10:22

Now you should be able to login to the base virtual machine using ssh on port 110.
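With more than one virtual machine behind NAT, the per-VM ACCEPT/DNAT pair above has to be repeated for every domain, and a port accidentally mapped twice sends a user to the wrong guest. The following generator is an added example, not the wiki's firewall script: it builds those two rules for each row of a small table and refuses duplicate or invalid ports. The table format, the function name and the second VM row are this example's own assumptions; the base.wp5demo.org row mirrors the page's setup.

```shell
#!/bin/sh
# Added example (not the wiki's script): emit the per-VM INPUT/DNAT rules from a
# table instead of hand-editing them for each domain. IPT and EXT_IF can be
# overridden, e.g. IPT=echo for a dry run.
IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}

# constructed forwarding table: "vm  external-port  internal-ip  internal-port"
# (base on 110 as on the page, plus a hypothetical second guest on 111)
FORWARDS='
# vm                external  internal-ip  internal-port
base.wp5demo.org    110       10.0.0.10    22
idp.wp5demo.org     111       10.0.0.11    22
'

# forward_rules TABLE -> prints the iptables commands for every row, in order;
# exit 1 (printing nothing useful) on a malformed row, a bad port or an external
# port that is already mapped to another VM
forward_rules() {
    printf '%s\n' "$1" | awk -v ipt="$IPT" -v ifc="$EXT_IF" '
        /^[[:space:]]*(#|$)/ { next }                          # comments, blank lines
        NF != 4 { print "bad row: " $0 > "/dev/stderr"; bad = 1; next }
        $2 !~ /^[0-9]+$/ || $2 < 1 || $2 > 65535 ||
        $4 !~ /^[0-9]+$/ || $4 < 1 || $4 > 65535 {
            print "bad port in row: " $0 > "/dev/stderr"; bad = 1; next }
        $2 in seen { print "port " $2 " already used by " seen[$2] > "/dev/stderr"; bad = 1; next }
        {   seen[$2] = $1
            # dom0 must accept the external port before it can be rewritten
            printf "%s -A INPUT -p tcp --dport %s -j ACCEPT   # %s\n", ipt, $2, $1
            # rewrite the destination to the guest; same rule shape as on the page
            printf "%s -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n",
                   ipt, ifc, $2, $3, $4
        }
        END { exit bad }'
}

# Print the rules; to apply them on dom0 run:  forward_rules "$FORWARDS" | sh
forward_rules "$FORWARDS"
```

Because the generator only prints, it can be reviewed (or diffed against the running `iptables -t nat -L PREROUTING -n`) before anything is applied, and a duplicate external port is caught at generation time rather than discovered when a login lands on the wrong guest.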

Creation of further virtual machine templates

Based on the previous xen-tools configuration, we can proceed setting up further configurations for other purposes.

On wp5demo, all xen-tools configuration files are located in the directory /xen. The latest revision can be retrieved source:/trunk/commtools/xen.
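The create_base, create_idp and create_sp scripts mentioned on this page differ only in the role name, and each relinks /etc/xen-tools blindly. The script below is an added example, not the wiki's own create scripts: it generalizes them into one role switcher that checks that the role's .conf, role.d script and skel directory exist before touching anything, and refuses to run while /etc/xen-tools/skel is still the packaged directory (the rm -R step above). The function names, the demo_layout helper and the two roles it constructs are this example's own assumptions; the file layout is the one this page describes.

```shell
#!/bin/sh
# Added example, not the wiki's create_base/create_idp/create_sp: one role
# switcher for all roles. Assumes the page's layout: ROLE.conf, role.d/ROLE and
# skel/ROLE under /xen/etc/xen-tools, linked into /etc/xen-tools.
XEN_ETC=${XEN_ETC:-/xen/etc/xen-tools}   # where the per-role files live
TOOLS_ETC=${TOOLS_ETC:-/etc/xen-tools}   # what xen-create-image actually reads

# link_role ROLE -> point xen-tools.conf, role.d/ROLE and skel at that role's files
link_role() {
    role=$1
    for f in "$XEN_ETC/$role.conf" "$XEN_ETC/role.d/$role" "$XEN_ETC/skel/$role"; do
        [ -e "$f" ] || { echo "link_role: missing $f" >&2; return 1; }
    done
    if [ -d "$TOOLS_ETC/skel" ] && [ ! -L "$TOOLS_ETC/skel" ]; then
        echo "link_role: $TOOLS_ETC/skel is a real directory, rm -R it first" >&2
        return 1
    fi
    # rm -f removes an old file or symlink but never a directory (checked above)
    rm -f "$TOOLS_ETC/xen-tools.conf" "$TOOLS_ETC/role.d/$role" "$TOOLS_ETC/skel" &&
    ln -s "$XEN_ETC/$role.conf"   "$TOOLS_ETC/xen-tools.conf" &&
    ln -s "$XEN_ETC/role.d/$role" "$TOOLS_ETC/role.d/$role" &&
    ln -s "$XEN_ETC/skel/$role"   "$TOOLS_ETC/skel"
}

# current_role -> name of the role xen-tools.conf currently points at
current_role() {
    target=$(readlink "$TOOLS_ETC/xen-tools.conf") || return 1
    base=${target##*/}
    echo "${base%.conf}"
}

# demo_layout -> constructed copy of the page's layout in a temp dir, with the
# roles base and idp, so the functions can be tried without touching /etc/xen-tools
demo_layout() {
    DEMO=$(mktemp -d)
    XEN_ETC=$DEMO/xen/etc/xen-tools
    TOOLS_ETC=$DEMO/etc/xen-tools
    mkdir -p "$XEN_ETC/role.d" "$XEN_ETC/skel/base" "$XEN_ETC/skel/idp" \
             "$TOOLS_ETC/role.d" "$TOOLS_ETC/skel"    # skel: the packaged directory
    for r in base idp; do : > "$XEN_ETC/$r.conf"; : > "$XEN_ETC/role.d/$r"; done
    : > "$TOOLS_ETC/xen-tools.conf"
}

# Usage on wp5demo:  ./create_role base [xen-create-image options]
# Usage offline:     ./create_role demo
case $1 in
    demo) demo_layout
          link_role base || echo "refused as expected: packaged skel still present"
          rm -r "$TOOLS_ETC/skel" && link_role base && echo "active role: $(current_role)" ;;
    "")   echo "usage: $0 ROLE [xen-create-image options] | demo" >&2 ;;
    *)    link_role "$1" && shift && xen-create-image "$@" ;;
esac
```

current_role is the check to run before xen-create-image when several people administer the box: the links in /etc/xen-tools are global state, so whichever role was linked last is the one xen-tools will build, regardless of which create_* script the operator thinks is active.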

Shibboleth Identity Provider (IdP) Installation

Following the step-by-step description of the Shibboleth Identity Provider (IdP) Installation on Debian Etch, a Xen-Tools role script idp, a corresponding configuration file idp.conf, the skeleton directory /etc/xen-tools/skel/idp and the setup, start and shutdown scripts /xen/create_idp, /xen/start_idp and /xen/shutdown_idp are available.

The setup script will automatically install a fresh copy of a Shibboleth Identity Provider. Nevertheless, you will have to follow the installation procedure in a second window, observing the log file produced:

# tail -f /var/log/xen-tools/idp.e-taxonomy.eu.log
  • During the shibboleth installation, you have to answer five questions by just pressing the __ key to accept the prepared default values.

  • Before finishing the installation, you have to enter the root password for the newly created IdP instance.

Please make the required input in the terminal where you started the ./create_idp script! Making input in the log window will not have any effect!

The current instance is only prepared to be tested against the TestShib service.

Further configurations will adapt this installation to the final IdP instance for the EDIT Cyber Taxonomy Network.

Shibboleth Service Provider (SP) Installation

Regarding the installation procedure, please refer to the step-by-step description Shibboleth Service Provider (SP) Installation on Debian Etch. For the xen-tools, the role script sp, the configuration and template files sp.conf, the skeleton directory /etc/xen-tools/skel/sp and the setup, start and shutdown scripts /xen/create_sp, /xen/start_sp and /xen/shutdown_sp are prepared.

The setup script automatically installs a fresh copy of a Shibboleth Identity Provider. At the end of the installation script, you will be asked to enter the root password for the created sp instance.

The installation procedure can be observed via the installation log file produced:

# tail -f /var/log/xen-tools/sp.e-taxonomy.eu.log

The current instance is only prepared to be tested against the TestShib service.

Further configurations will adapt this installation to the final IdP instance for the EDIT Cyber Taxonomy Network.

Updated by Lutz Suhrbier over 16 years ago · 17 revisions