IT Infrastructure and Software Development from the Customer's Perspective
Here’s how to set up the firewall. Here’s my /etc/iptables.rules:
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
# Replies to connections this VM opened, and related traffic.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept SSH so we can manage the VM.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow ping (Zenoss uses it to see if you're up).
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SNMP. 161 is the agent port; 162 is only needed if this VM receives traps.
-A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 161:162 -j ACCEPT
# Silently block NetBIOS because we don't want to hear about Windows.
-A INPUT -p udp --dport 137:139 -j DROP
# Drop and log the rest. The INPUT policy is ACCEPT, so this catch-all is
# what actually closes the host; don't remove it without changing the policy.
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
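An added example, not part of the original post: a small Python linter for an iptables-restore file in the format above. It parses the *filter table, lists what the INPUT chain accepts from the network, and checks the one property that matters with an ACCEPT policy, namely that anything matching no rule still ends up dropped by the final jump into LOGNDROP. The ruleset is embedded as a constructed string (a copy of the one above), and the WEAK variant with the catch-all line deleted shows how little separates this configuration from an open host. Only the matchers used in the ruleset are understood.

```python
"""Lint an iptables-restore file such as /etc/iptables.rules.

Added example, not code from the post.  Understands the *filter table as
iptables-save writes it, with the matchers used on the page (-p, -i, -s,
-m, --dport, --sport, --icmp-type, --state); anything else is ignored.
"""
import shlex
from collections import defaultdict

# Constructed copy of the post's ruleset (not read from /etc).
RULES = """\
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 161:162 -j ACCEPT
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
"""
# Same file with the catch-all removed: with an ACCEPT policy that one
# line is the difference between a closed host and an open one.
WEAK = RULES.replace("-A INPUT -j LOGNDROP\n", "")


def parse_filter(text):
    """Return (policies, chains): chain -> policy, chain -> list of rules."""
    policies, chains, table = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            argv, opts, i = shlex.split(line), {}, 2
            while i < len(argv):
                arg = argv[i + 1] if i + 1 < len(argv) else None
                if arg is not None and not arg.startswith("-"):
                    opts[argv[i]] = arg          # flag with a value
                    i += 2
                else:
                    opts[argv[i]] = None         # bare flag
                    i += 1
            chains[argv[1]].append({"opts": opts, "target": opts.get("-j")})
    return policies, chains


def open_services(chains):
    """What INPUT accepts from the network, as 'proto/port from source'."""
    out = []
    for rule in chains.get("INPUT", []):
        o = rule["opts"]
        if rule["target"] != "ACCEPT" or o.get("-i") == "lo" or "--state" in o:
            continue                             # loopback and reply traffic are not listeners
        proto = o.get("-p", "any")
        port = o.get("--icmp-type") if proto == "icmp" else o.get("--dport")
        out.append("%s/%s from %s" % (proto, port or "any", o.get("-s") or "0/0"))
    return out


def default_is_drop(policies, chains, chain="INPUT", depth=0):
    """True if a packet matching no rule is dropped: a DROP/REJECT policy, or a
    final unconditional jump to a chain that itself ends in DROP/REJECT."""
    if policies.get(chain) in ("DROP", "REJECT"):
        return True
    rules = chains.get(chain, [])
    if not rules or depth > 8:
        return False
    last = rules[-1]
    if set(last["opts"]) != {"-j"}:
        return False                             # last rule has a match: no catch-all
    if last["target"] in ("DROP", "REJECT"):
        return True
    return default_is_drop(policies, chains, last["target"], depth + 1)


def lint(text):
    policies, chains = parse_filter(text)
    findings = []
    if not default_is_drop(policies, chains):
        findings.append("INPUT: unmatched traffic is accepted (policy %s, no catch-all)" % policies.get("INPUT"))
    elif policies.get("INPUT") != "DROP":
        findings.append("INPUT: policy is %s; only the final catch-all rule closes the host" % policies.get("INPUT"))
    return findings + ["INPUT: accepts " + s for s in open_services(chains)]


if __name__ == "__main__":
    for finding in lint(RULES) + lint(WEAK):
        print(finding)
```

Run against a real file with `lint(open("/etc/iptables.rules").read())`. The point of the WEAK variant is that a ruleset whose safety depends on its last line is fragile; setting `:INPUT DROP` makes the catch-all redundant instead of essential, and the LOGNDROP chain still gives you the log lines.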
Bringing up the firewall on the “template” VM, I noticed that I was getting more ntp traffic than I expected. I discovered that in my ignorance, I had set my local ntp server to broadcast, which I don’t need. I commented the broadcast line, and everything’s still working.
I also found a good post on ntp that answered one of my long-time questions: what should I look at to see whether the ntp client is actually working? Run ntpq -p. On the resulting listing, “the delay and offset values should be non-zero and the jitter value should be under 100.” (The post is Red Hat based, but the information specifically about ntp is distro-agnostic.)
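An added example, not from the original post: the rule of thumb above applied mechanically to ntpq -p output, so it can go in a monitoring check instead of being eyeballed. The samples are constructed, not captured from the author's server. The second sample shows the case the non-zero-delay rule is really there to catch: an ntpd that has picked its own undisciplined local clock (refid .LOCL.) reports a happy “*” but is measuring itself, so delay and offset are exactly zero.

```python
"""Apply the ntpq -p rule of thumb from the post to captured output.

Added example, not code from the post or from ntp.  ntpq -p prints one
line per peer: a tally character ('*' = the source ntpd is synchronised
to, '+' = a usable candidate, ' ' = rejected or unreachable), then
remote, refid, stratum, type, when, poll, reach, delay, offset, jitter.
"""

FIELDS = ("remote", "refid", "st", "t", "when", "poll", "reach",
          "delay", "offset", "jitter")

# Constructed sample: two working servers and one that never answered.
GOOD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   33   64  377    1.234    0.456   0.321
+ntp2.example.net 192.0.2.11       2 u   48   64  377    5.678   -1.234   2.345
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000 4000.000
"""
# Constructed sample: ntpd has fallen back to its own local clock.
SELF_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)         .LOCL.          10 l   12   64  377    0.000    0.000   0.001
 ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000 4000.000
"""
# Constructed sample: no '*' at all, ntpd has not selected a source yet.
NOT_SYNCED = GOOD.replace("*ntp1", " ntp1").replace("+ntp2", " ntp2")


def parse_peers(text):
    """Parse ntpq -p output into one dict per peer line."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("remote", "=")):
            continue                                  # header and separator lines
        parts = line[1:].split()                      # column 0 is the tally character
        if len(parts) != len(FIELDS):
            continue
        peer = dict(zip(FIELDS, parts))
        peer["tally"] = line[0]
        peer["st"] = int(peer["st"])
        peer["reach"] = int(peer["reach"], 8)         # octal shift register of the last 8 polls
        for key in ("delay", "offset", "jitter"):
            peer[key] = float(peer[key])
        peers.append(peer)
    return peers


def check_sync(peers, max_jitter=100.0):
    """Return (ok, reasons).  ok only if there is a system peer ('*') that
    answers, with non-zero delay and offset and jitter under max_jitter."""
    system = [p for p in peers if p["tally"] == "*"]
    if not system:
        return False, ["no system peer ('*'): ntpd has not selected a source"]
    p, reasons = system[0], []
    if p["reach"] == 0:
        reasons.append("%s: reach 0, the server never answered" % p["remote"])
    if p["delay"] == 0.0 or p["offset"] == 0.0:
        reasons.append("%s: delay/offset are 0.000; refid %s is not a network source"
                       % (p["remote"], p["refid"]))
    if p["jitter"] >= max_jitter:
        reasons.append("%s: jitter %.3f is not under %g" % (p["remote"], p["jitter"], max_jitter))
    return not reasons, reasons


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("self-synced", SELF_SYNCED), ("not synced", NOT_SYNCED)):
        ok, reasons = check_sync(parse_peers(sample))
        print(name, "OK" if ok else "PROBLEM", reasons)
```

To use it on a live box, feed it `subprocess.check_output(["ntpq", "-p"], text=True)`; the reach field is the quickest tell, since 377 means the last eight polls were all answered and 0 means the firewall or the server is in the way.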
Setting up SNMP on a machine so it can be monitored by Zenoss seems to mess me up every time. This time the problem was the -i option of snmpconf. It’s advertised to put the configuration file where the SNMP programs will find it, but it doesn’t put it at the front of the list of paths where the programs look, at least not on Ubuntu 6.06.
The solution: don’t use snmpconf -i. Run snmpconf (without -i) to set up the access control. Make sure it matches what you’ve set up in Zenoss, particularly the version of SNMP and therefore the access model (for v1 and v2c, the community string). When you’re done, do sudo mv snmpd.conf /etc/snmp/.
The basic VM needs to have SNMP running on it, because there’s no point having a server if you’re not monitoring it. I had Zenoss set up a year ago monitoring some of my computers, but I was getting “bad oid” messages on the new VM template I was setting up.
The solution: Zenoss had a default SNMP version of 1 for Linux systems, and I had set up SNMP on the new VM for version 2c. In Zenoss 2.0 I navigated to the /Devices/Server/Linux page, selected the zProperties tab, then scrolled down to zSnmpVer and set it to v2c.
The basic tiny VM needs:
Build an ISO library in /usr/local/vmware/ISOs. Put in the Ubuntu CD and type:
mount /dev/cdrom
sudo dd if=/dev/cdrom0 of=/usr/local/vmware/ISOs/Ubuntu-6.06.1.iso
(dd reads the raw device, so the mount isn’t actually required for the copy.)
The VMTools ISOs are in /tmp/vmware-server-distrib/lib/isoimages:
sudo cp /tmp/vmware-server-distrib/lib/isoimages/*.iso /usr/local/vmware/ISOs
Install VMTools. Here are some good instructions.
sudo apt-get install ssh ntp-simple snmpd snmp
(snmp is the package that contains snmpconf, which you need to set up snmp, and snmpwalk, which is useful for debugging.)
I had everything built and running VMWare Server. Good. So I copied all the VMs I’d built when I was running VMWare on my desktop over to the new server. I started a few, and they were running fine. I could connect to the Zenoss console on one of them, and could ping both. However, all I got was a black screen when I tried to look at the console of the VM using VMWare Console.
The VMWare documentation recommended using the version of VMWare Console program specific to the server you’re running. I grumbled a bit and re-installed (which was actually quite easy), then tried viewing the console of my VMs again. I still got a black screen, but I also got an error message saying that the .vmx file had to have execute permission for the user running the VMWare Console. I checked the .vmx files and sure enough, because of the way I copied them everything had 0644 permissions.
So I cd’d to the directory where all the VM directories were and typed:
The install went smoothly. I created a user “vmware” and added it to the admin group. Then I had to:
sudo apt-get install xinetd
sudo apt-get install libx11-6 libx11-dev libxtst6 xlibs-dev
The last line was thanks to this post. Without it, it wouldn’t validate my serial number (and I’m sure I would have run into other problems).
The only default I changed was to put my virtual machines in /usr/local/vmware/Virtual Machines, because /usr/local is the big partition I made for VMs.
As should be obvious from my recent posts, I’ve been trying to set up a host for virtual machines. I need to be able to try things out easily, and virtual machines are great for that. I’d also like to get rid of my old boxes that are running core network infrastructure. It’s not so much that I want to get rid of them, but the risk of continuing to use them is a problem. I have an 11-year-old Macintosh Performa that’s my DHCP and DNS server for my whole network. If it breaks, I’m scrambling to replace it unless I get something new built. Obviously if it runs on a computer with a 1 GB hard drive and 32 MB of memory, I should be able to run it on a VM.
Anyway, being cheap I wasn’t sure I wanted to pay for VMWare. They have a free version of course, but XenSource’s free version is a license-key upgrade, whereas VMWare Server to Virtual Infrastructure (AKA ESX) is a complete software upgrade. So I thought I’d try XenSource, especially since they seemed to be saying that they could run any OS if you bought a CPU with virtualization support.
So I carefully researched the chips I was looking for and bought a Dell SC440 with an Intel Xeon 3050. A low-price server but with the right parts, or so I thought.
The install of XenSource was easy, as was the install of XenCenter, the control program on Windows. Unfortunately, there was a problem with the shortcut to install XenCenter. I posted a question in the Xen community boards and got no help. I found the solution myself a few days later, but not before noticing that there was very, very little activity on the community boards. I wonder if anyone is using Xen, or at least is anyone using it without paying Citrix for support?
Also, it turns out you can’t run anything you want as a VM. I tried to run Ubuntu Server 6.06.1 and it gets disk errors. This is a known problem, apparently. Okay, I know it’s hard to support every Linux distro, but Ubuntu should be one you support. Look at the numbers.
Anyway, worse than not supporting Ubuntu is that the answer from Citrix seemed to be, “use one of our supported distros.” They’ll always be niche if that’s their approach. The market for virtualization is the world of heterogeneous data centres that need to shrink their power and A/C footprint. You’re not going to get into that market unless you can run anything that an off-the-shelf PC can run. So, I decided to try VMWare.
Installing a 60-day evaluation copy of ESX 3i didn’t work. Neither did installing an evaluation copy of ESX 3.5, but at least it told me that the network card wasn’t supported. So I tried Ubuntu 6.06.1, and the network card wasn’t supported there, either. Broadcom, what are you doing releasing a NIC that doesn’t work with older drivers? I found how to get Ubuntu installed, and so I’ll continue with installing the free version of VMWare Server. This is not what I wanted to be doing.
I guess the lesson is you really have to check the hardware compatibility list, but I didn’t even know I was going to go this path. I’m interested in how many other problems I’m going to have.
Even though I’m not up with VMWare Server, I have to say that it’s the preferable approach. At least you have an underlying OS you can work with, and my experience with VMWare elsewhere says it’s going to run whatever I try to put on it. Too bad the thinner versions (ESX) don’t work on my hardware.
The Dell SC440 has a Broadcom BCM5754 NIC, which isn’t supported by the Ubuntu 6.06.1 server CD. You have to build the server without a network interface, then copy the new driver source onto it using a USB drive and build and install the driver.
I’m building Ubuntu on this server to run VMWare Server, so I also was particular about the disk partitioning. I created a 4 GB partition for root, then let it partition the rest itself. It made partition 5 the swap with 6.1 GB (I have 2 GB of RAM), and the rest of the disk on partition 2 (143.7 GB), which I put on /usr/local. I changed the usage of the file system to “largefile4” to give one inode for every 4 MB. I don’t really know what that’s going to do to performance, but it seems to make sense given that I’m going to be creating VMs there.
Next I followed the instructions here to build and install the driver. The instructions worked perfectly (with the usual 50 percent “forget to sudo” rate).
Then I edited /etc/dhcp3/dhclient.conf to send the hostname:
send host-name "vmhost01";