Install Ubuntu Intrepid KVM server
with gui, squid transparent proxy, vnc (lives through a reboot), and firewall for host and guests
By Rodney Richison
rodney@rcrcomputing.com

While I make these for my own documentation, I try to make them useful to others. Please email me and let me know if this was helpful to you or if you find errors and/or omissions.

NOTE: The items listed below are NOT needed to run KVM:

Firehol - Firewall host and guests
xinetd - VNC for host
vnc4server - VNC for host


Let's install some tools we need (drop firehol, xinetd and vnc4server from the list if you are not going to use them):
apt-get install vim firehol squid ssh ubuntu-virt-server ubuntu-virt-mgmt vnc4server xinetd openssh-server
or, to skip firehol and VNC:
apt-get install vim ssh ubuntu-virt-server ubuntu-virt-mgmt openssh-server


Firehol - skip this section if you wish.
Bug: at the time of this writing (11/02/08) you need a current IANA list AFTER you install firehol. firehol keeps it in /etc/firehol/RESERVED_IPS and uses it to drop traffic from unallocated (bogon) address space on "internet" interfaces; it complains when the file is missing or stale.

    wget programs.rcrnet.net/get-iana.sh
        Note: get-iana.sh ships in the firehol source .tar.gz; downloading the latest distribution and extracting the script yourself is the safer choice, since it runs as root and writes what it fetches into the firewall's configuration.
    chmod 755 get-iana.sh
    cp get-iana.sh /sbin/get-iana

Now run get-iana and choose "yes" when asked to save.



Configure firehol
Best thing to do here is give you an example.


#server_althttp_ports="tcp/8080"
#client_althttp_ports="default"

# Define alternate port for webmin
server_webmin1_ports="tcp/20125"
client_webmin1_ports="default"

# Define port for vnc
server_vncrcr_ports="tcp/5901"
client_vncrcr_ports="default"

# Define mail server ports pyzor dcc razor and spamassassin
server_pyzor_ports="udp/24441"
client_pyzor_ports="default"

server_dcc_ports="udp/6277"
client_dcc_ports="default"

server_razor_ports="udp/2703"
client_razor_ports="default"

server_spamassassin_ports="udp/783"
client_spamassassin_ports="default"

# define extra postfix port
server_postfix26_ports="tcp/26"
client_postfix26_ports="default"


# To drop all incoming traffic from specific IPs, use the following line.
blacklist this "24.202.51.30 24.202.51.31"
# A single address can be given bare; several addresses must be quoted as one argument, because firehol.conf is read by bash.

# redirection example - redirect traffic to port 1234 to port 110
#redirect to 110 inface eth0 proto tcp dport 1234


# This is our host machine.
interface br0 internet

# enable all available protection - against DoS, invalid packets, etc
protection strong

# You probably want to remove access from arbitrary (untrusted) source IPs, so comment this out and grant services per source range below.
# server "dns smtp http https" accept


# Allow some access from certain ip's and ranges
group with src "22.5.224.192/26 22.168.241.0/24 26.82.9.0/24 27.143.235.0/24"
    server sshrcr    accept
    server aptproxy accept
    server  ssh     accept
    server http        accept
    server squid    accept
    server rndc     accept
    server  rsync   accept
    server  ping    accept
    server webmin1    accept
    server vncrcr    accept
#    server icmp accept
group end

# let's not limit outgoing, so we'll just do "client all accept"
# client "icmp ftp ssh smtp dns http https pop3 althttp rsync webmin dhcpclient" accept
client all accept

################## end br0 internet ##############


# Below are examples for guests. Change the word "example" to your needs

###########################
# router for example1 guest
###########################
router example1 inface br0 outface br0 dst 22.5.224.226

protection strong

server "dns http" accept



group with src "22.5.224.192/26 22.168.241.0/24 26.82.9.0/24 27.143.235.0/24"
    server sshrcr   accept
    server  ssh     accept
    server  rsync   accept
    server webmin1  accept
    server ping accept
    server vncrcr   accept
#   server icmp accept
group end

client all accept
##############################


###########################
# router for example2
###########################
router example2 inface br0 outface br0 dst 22.5.224.222

protection strong

# This is a dns server, so that's the only port open to the public
server "dns" accept



group with src "22.5.224.192/26 22.168.241.0/24 26.82.9.0/24 27.143.235.0/24"
    server  ssh     accept
    server  rsync   accept
    server webmin1  accept
    server ping accept
#   server icmp accept
group end

client all accept
##############################



###########################
# router for example3
###########################
router example3 inface br0 outface br0 dst 22.5.224.221

protection strong

server "dns smtp http https" accept



group with src "22.5.224.192/26 22.168.241.0/24 26.82.9.0/24 27.143.235.0/24"
    server  ssh     accept
    server  rsync   accept
    server webmin1  accept
    server ping accept
#   server icmp accept
group end

client all accept
##############################

###### End firehol.conf example ####
##########################

End Firehol Example



If you don't already have gnome
(note: network-manager is removed below because it fights with br0; if AppArmor gets in the way of a service, put that service's profile into complain mode with aa-complain from apparmor-utils rather than removing AppArmor altogether)
apt-get install ubuntu-desktop

Network manager doesn't play well with br0
apt-get remove network-manager

Edit /etc/resolv.conf (vi /etc/resolv.conf) with YOUR ISP's DNS servers:
# search example.com
nameserver 62.38.52.226
nameserver 62.38.52.236

Backup /etc/network/interfaces
cp /etc/network/interfaces /etc/network/interfaces.beforebr0
Edit your /etc/network/interfaces
Note: Edit to your needs

############ /etc/network/interfaces ###################
#Here is an example of the /etc/network/interfaces file
###############################################
# The loopback network interface
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 62.38.52.26
netmask 255.255.255.192
gateway 62.38.52.24
bridge_ports eth0
bridge_stp off
bridge_maxwait 5
############################################


Now reboot
shutdown -r now

Firehol - skip this section if you wish
After you get internet working, enable the firewall.
vi /etc/default/firehol
Change START_FIREHOL=NO to START_FIREHOL=YES

Start firehol
/etc/init.d/firehol start

Verify internet still works
Verify ssh to the host works (test from a second session and keep the one you started firehol from open, so a mistake in the allow-list does not lock you out)
If they do not, you may have to work on the /etc/firehol/firehol.conf file




Add yourself to the libvirtd group (members can manage every guest on the host, so treat membership like root access)
adduser username libvirtd

VNC for host - skip this section if you wish
Ok, we want to be able to VNC into this machine and we want it to live through a reboot!
(If you wish to be logged into the same "local" display, follow this howto - http://www.thelinuxvault.net/wiki/X11vnc )
This will open VNC in a different desktop session; I may look into other options later, but it does work well.
Enable XDMCP
This is the part that is responsible for bringing up the gdm login.

vi /etc/gdm/gdm.conf

Uncomment this line
RemoteGreeter=/usr/lib/gdm/gdmlogin

Enable xdmcp: look for [xdmcp] and change Enable to true. (This also makes gdm listen for XDMCP on UDP port 177; the firehol example above does not open that port, so only the local Xvnc -query below can reach it.)

[xdmcp]
Enable=true

Restart gdm (note: if you're logged into this machine, your gui will disappear..)
/etc/init.d/gdm restart

Setup xinetd
Create a new service file for xinetd
vi /etc/xinetd.d/Xvnc

Paste the following into the file and save:

service Xvnc
{
        type = UNLISTED
        disable = no
        socket_type = stream
        protocol = tcp
        wait = no
        user = nobody
       # only_from = localhost
        server = /usr/bin/Xvnc
        server_args = -inetd -query localhost -geometry 1024x768  -depth 16 -cc 3 -once -SecurityTypes=none -extension XFIXES
        port = 5901
}

Restart xinetd
/etc/init.d/xinetd restart

With only_from commented out and -SecurityTypes=none, Xvnc does no authentication of its own and VNC traffic is unencrypted, so the gdm login on port 5901 is reachable by every address the firehol "vncrcr" group allows. Either keep only_from = localhost and reach it through an ssh tunnel (ssh -L 5901:localhost:5901 host, then point the viewer at localhost:1), or make sure the firewall allow-list really is as tight as you think.

NOTE: I use KRDC to get to the VNC. Something like this (unless you use an ssh tunnel)
vnc:/62.38.52.26:1

NOTE: 06/01/09 - I now use tsclient to connect to vnc and rdp. (may require you to install xvnc4viewer)
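The Xvnc service above, as written, relies entirely on the firewall: only_from is commented out and -SecurityTypes=none disables VNC's own authentication. As an added example (not part of the original tutorial), here is a shell check that flags that combination in an xinetd service file. The two sample service files are constructed inline from the definition above (one as written, one restricted to localhost), and active_lines and audit_xvnc are names chosen here.

```shell
#!/bin/sh
# Added example: audit an xinetd Xvnc service for an unauthenticated display
# that is not limited to localhost. Not from the original tutorial.

# active_lines FILE -> the file without comment lines and blank lines
# (xinetd ignores lines whose first non-blank character is '#')
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# audit_xvnc FILE -> prints a verdict; exit 0 if safe, 1 if exposed.
# "Safe" here means only_from is active and names localhost only; a list
# of other addresses is deliberately not accepted as a restriction.
audit_xvnc() {
    f=$1
    noauth=0
    restricted=0
    active_lines "$f" | grep -q 'SecurityTypes=none' && noauth=1
    active_lines "$f" | grep -Eq '^[[:space:]]*only_from[[:space:]]*=[[:space:]]*(localhost|127\.0\.0\.1)[[:space:]]*$' && restricted=1
    if [ "$noauth" -eq 1 ] && [ "$restricted" -eq 0 ]; then
        echo "EXPOSED: $f serves an unauthenticated VNC display to non-local hosts"
        return 1
    fi
    echo "OK: $f"
    return 0
}

# Constructed sample: the service file from the tutorial, with only_from
# commented out exactly as it appears above.
XVNC_OPEN=$(mktemp)
cat > "$XVNC_OPEN" <<'EOF'
service Xvnc
{
        type = UNLISTED
        disable = no
        socket_type = stream
        protocol = tcp
        wait = no
        user = nobody
       # only_from = localhost
        server = /usr/bin/Xvnc
        server_args = -inetd -query localhost -geometry 1024x768 -depth 16 -cc 3 -once -SecurityTypes=none -extension XFIXES
        port = 5901
}
EOF

# Constructed sample: the same service restricted to localhost, which is the
# form to use behind an ssh tunnel.
XVNC_LOCAL=$(mktemp)
sed 's/^ *# *only_from/        only_from/' "$XVNC_OPEN" > "$XVNC_LOCAL"

audit_xvnc "$XVNC_OPEN" || true
audit_xvnc "$XVNC_LOCAL"
```

Point audit_xvnc at /etc/xinetd.d/Xvnc on the host; if it reports EXPOSED, the only thing between the internet and a gdm login prompt is the firehol "vncrcr" allow-list.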

Virt-Manager has to talk to the system libvirtd (qemu:///system) to use the bridge; a plain "virt-manager" started from your desktop session connects to qemu:///session, which cannot attach guests to br0. Either run it as root from a terminal:
 sudo virt-manager
or, better, since you have already added yourself to the libvirtd group, change the virt-manager launcher icon to run
virt-manager -c qemu:///system


For god's sake, if you get nothing else from this tutorial, change the libvirt template and any previous xml files you had for using virsh or vm-builder for the network card. This gave me hell! Especially the model type, because it defaults to rtl8139, which is buggy and will drop network connections under load! When did I find this out? When I went live with production servers!!  :( Example of lines in .xml files below..


    <interface type='bridge'>
      <mac address='00:16:36:44:d1:99'/>
      <source bridge='br0'/>
      <!-- You may also want to try e1000 if you don't want to use virtio -->
      <model type='virtio'/>
    </interface>
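As an added example (not from the original tutorial or from libvirt): a shell/awk check that lists the NIC model of every interface in a libvirt domain XML and fails when one still resolves to rtl8139, which is what QEMU uses when the model element is absent. The domain XML is a constructed sample based on the snippet above, and nic_models is a name chosen here.

```shell
#!/bin/sh
# Added example: find guests still on the default rtl8139 NIC.
# Not from the original tutorial or from libvirt.

# nic_models XMLFILE -> one "bridge model" line per <interface>;
# exit 1 if any interface resolves to rtl8139 (explicitly or by omission).
nic_models() {
    awk -v q="'" '
        /<interface/ { inif = 1; model = ""; bridge = "?" }
        inif && /<source/ {
            re = "bridge=[" q "\"][^" q "\"]+"
            if (match($0, re)) bridge = substr($0, RSTART + 8, RLENGTH - 8)
        }
        inif && /<model/ {
            re = "type=[" q "\"][^" q "\"]+"
            if (match($0, re)) model = substr($0, RSTART + 6, RLENGTH - 6)
        }
        inif && /<\/interface>/ {
            inif = 0
            # no <model> element means the qemu default, which is rtl8139
            if (model == "") model = "rtl8139(default)"
            print bridge, model
            if (model ~ /^rtl8139/) bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: two interfaces on br0, the second one without <model>.
GUEST_XML=$(mktemp)
cat > "$GUEST_XML" <<'EOF'
<domain type='kvm'>
  <name>example1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:16:36:44:d1:99'/>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:16:36:44:d1:9a'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>
EOF

# Constructed sample: the same guest with the NIC fixed.
FIXED_XML=$(mktemp)
cat > "$FIXED_XML" <<'EOF'
<domain type='kvm'>
  <devices>
    <interface type="bridge">
      <source bridge="br0"/>
      <model type="virtio"/>
    </interface>
  </devices>
</domain>
EOF

nic_models "$GUEST_XML" || echo "fix the NIC model before going live"
nic_models "$FIXED_XML"
```

Run it against real guests with virsh dumpxml name_of_guest > name_of_guest.xml followed by nic_models name_of_guest.xml, and check the template vmbuilder uses as well as the files under /etc/libvirt/qemu/.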

Windows XP Guests


Also of interest is a nasty bug if you install Windows using virt-manager (at the time of this writing, 11/15/2008): it won't boot! :)
You'll find the bug here:
https://bugs.launchpad.net/ubuntu/+source/kvm/+bug/105195

You'll see the fix I (rodney) posted, but here it is to save you time.

Start the vm with this command "change to suit your setup"

kvm -m 512 -hda winxp.qcow2 -cdrom xp_sp2.iso -boot d

As you can see, we're booting from a cdrom image.
During the Windows install, you have a chance to choose the partition you're installing to, then you choose to format that partition.
Right after the format, you can stop the installation and quit the vm.
Now you start the vm with virt-manager, booting from the cdrom, and go through the installation a second time. This time, you choose the partition you made but DO NOT FORMAT IT; choose "leave file system as it is". From there, it's a normal installation.

Note: If you finish the install from the kvm command rather than the virt-manager, windows will likely not boot thereafter from virt-manager. However, that's no problem, you can re-install over it WITHOUT formating. The virt-manager partitioning/formatting seems to be the issue.

The mouse was really jerky and unresponsive; the fix at this time was to go to "computer" in device manager and change the processor to "standard pc".
On a personal note, I connect to the windows client using "tsclient" rdp.
apt-get install tsclient

When using RDP, you might want to look into this patch to allow multiple people logged in at the same time.
NOTE: You should own a copy of WinXP for each user you connect with. It's just the right thing to do.
terminal-server-patch

Then go to services in your guest and make "terminal services" set to automatic instead of manual.

Windows virtio network drivers.

Download the driver to your guest desktop
Windows Driver

Add the below line to your .xml file in your interface section.
 <model type='virtio'/>

Restart the guest and finish the driver install

You're done. Read further for more helpful information






Now that everything is setup. You will want to get familiar with the "virsh" command.

Here's a few of handy commands

Start the guest
virsh start name_of_guest

After building a guest with vmbuilder, define it so libvirt knows about it
virsh define /etc/libvirt/qemu/name_of_guest.xml

Make guest boot when host boots
virsh autostart name_of_guest

Save a guest's running state (its memory) to a file and stop it; bring it back with "virsh restore". This is not a disk backup: the disk image still has to be copied separately.
virsh save name_of_guest /path/to/backup/to/name_of_guest.qcow2.backup

Convert a VDI to QCOW2
kvm-img convert -O qcow2 test.vdi test.qcow2  #This did not work for me

Create a new qcow image
kvm-img create -f qcow2 test.qcow2 100G


Misc Notes



Jeos does not come with command-not-found
I really like this, so

apt-get install command-not-found

Then edit /etc/bash.bashrc and add this to the bottom of it.
Afterwards, reload bash by typing "bash".

# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found ]; then
    function command_not_found_handle {
        # check because c-n-f could've been removed in the meantime
        if [ -x /usr/lib/command-not-found ]; then
            /usr/bin/python /usr/lib/command-not-found -- "$1"
            return $?
        else
            return 127
        fi
    }
fi


When I ssh to a machine, I go to the same place many times. Let's make that the default directory.
Just add something like this to the bottom of your .bashrc file in the guest.
cd /home/username/vservers
On my bind server that would be cd /etc/bind in the .bashrc, and on my mail server it might be cd /etc/postfix.


When setting up new machines, there are things I'd always like to be installed, and I always want a few things in .bashrc etc...
Right after installation, I download my script to make all these changes. You can download it and check it out or edit it to your needs and put it on your web server for installs.
wget programs.rcrnet.net/post_install/post_install.sh
You will also note, it downloads and chmod's a couple of more scripts for rsyncing backups (it will ask if you want to).
It will create a /root/bin directory for these scripts with an export in your .bashrc so they'll be in your path. Also includes a "keymaker" script to generate a ssh key and alternatively upload that key to another server. You just keep running keymaker and uploading the key to where ever you'd like.


Keep time in sync
apt-get install ntp ntpdate

Set time zone (if you installed jeos, you most certainly want to do this)
dpkg-reconfigure tzdata

Send a mail alert when someone logs into the machine.
Put this in your /etc/profile.
You must edit the email address at the end of the line. The source address is taken from SSH_CONNECTION, which sshd sets for the current session; a plain "who | awk" prints the origin of every logged-in session, not just the one logging in now. "who am i" is the fallback for console logins.

SRC_IP=${SSH_CONNECTION%% *}; [ -n "$SRC_IP" ] || SRC_IP=$(who am i | awk '{print $5}' | tr -d '()')
echo "ALERT - Shell access detected at $(hostname -f) on $(date) from ip# $SRC_IP to $(whoami)'s account.      NOTE: This message is generated by your /etc/profile or your .bashrc file" | mail -s "Alert:  Access from $SRC_IP" your@email.address


Upgrade Notes: 09/01/09
We upgraded the server and all the vms to Jaunty
virsh would not work because it could not connect to the hypervisor.
We added the user to the libvirtd group and rebooted the machine. That worked.
One vm would still not start as it had a problem with the display setting.
We deleted the display from the vm hardware and re-added it. It then worked as we let it assign its own port.