The Xen Host Hardware

The host machine we're using this year (2007) has the following specifications:

    Disk space            2 x 320Gb drives (Software RAID)
    Bandwidth Allowance   100Gb per month
    Memory                4Gb
    IPs                   One main IP and a /27 allocation for guests
    CPU                   AMD Sempron 3400

The host system uses the dual drives in a RAID array to allow some redundancy. Note: You are responsible for your own backups.

Disk Setup

The two disk drives are set up with software-based RAID-1, which means that we're protected against the failure of a single drive. If both drives suffer problems our data loss will be complete - this is why users are responsible for their own backups.

The partitioning of the systems is as follows:

    Name        Flags      Part Type  FS Type          [Label]        Size (MB)
    ------------------------------------------------------------------------------
    sda1        Boot        Primary   Linux raid autodetect            10240.48
    sda2                    Primary   Linux raid autodetect           309829.85

In English: Two volumes which can be set up with software RAID:

  • /dev/md0 - Root filesystem, 10Gb.
  • /dev/md1 - Storage for the LVM volume ppp-vol using the rest of the space.

To create the RAID devices and the LVM volume group I ran the following commands:

mdadm --create /dev/md0 -n 2 -l 1 /dev/sda1 /dev/sdb1
mkfs.ext3 /dev/md0

mdadm --create /dev/md1 -n 2 -l 1 /dev/sda3 /dev/sdb3
pvcreate /dev/md1
vgcreate ppp-vol /dev/md1
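
RAID-1 only covers a single drive failure if that first failure is noticed before the second one happens. The following check is an added example, not part of the original setup notes: it reads text in /proc/mdstat format and names any array running with a missing member. The sample status text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Print the name of every md array whose member map (e.g. [U_]) shows a
# missing disk. FILE must be in /proc/mdstat format.
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { name = $1 }                  # array header line
        /blocks/ && match($0, /\[[U_]+\]/) {         # status line: [2/1] [U_]
            if (index(substr($0, RSTART, RLENGTH), "_")) print name
        }
    ' "$1"
}

# Constructed sample: md1 is healthy, md0 has lost its second member.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda3[0] sdb3[1]
      302568384 blocks [2/2] [UU]

md0 : active raid1 sda1[0]
      10000384 blocks [2/1] [U_]

unused devices: <none>
EOF
}

f=$(mktemp)
sample_mdstat > "$f"
for a in $(degraded_arrays "$f"); do
    echo "WARNING: $a is running degraded"
done
# On a live host, point it at the real file: degraded_arrays /proc/mdstat
```
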

Server Setup

The server setup is pretty standard, but it is described here for completeness.

1. Partition disks

As described earlier the system is designed to use two drives in a RAID configuration, to provide the ability to recover from a single drive failure.

The first step was thus to partition the disks appropriately.

2. Install Etch

Once the disks were partitioned, an installation of Debian GNU/Linux was performed. This installation was then slimmed down a little by removing several packages which weren't required, and by installing packages I like (vim, etc).

So that logwatch could send out email alerts, etc, I installed postfix and configured it to only listen upon the loopback adapter.

Once syslog-ng had replaced klogd and syslogd the base installation was finished.

3. Install Grub

The hosting company, Bytemark, provides access to all the dedicated hosts via a serial console. To make sure that I could monitor the bootup progress, boot menu, and serial console of the system I had to configure grub appropriately.

This is the complete /boot/grub/menu.lst file which is being used:

default 0
timeout 10
serial --unit=0 --speed=115200
terminal --timeout=10 serial console

title           Xen 3.0.3-1-amd64 / Debian GNU/Linux, kernel 2.6.18-4-xen-amd64
root            (hd0,0)
kernel          /boot/xen-3.0.3-1-amd64.gz z dom0_mem=512M com1=115200,8n1
module          /boot/vmlinuz-2.6.18-4-xen-amd64 root=/dev/md0 ro console=tty0 console=ttyS0,115200n8 console=tty0
module          /boot/initrd.img-2.6.18-4-xen-amd64

Here the serial and terminal lines tell grub to present its boot menu on the first serial port (unit 0, at 115200 baud) as well as on the local console. Note also the com1 and console options supplied to Xen (this will be configured later).

Of course giving grub access to the serial console is useless if you don't allow your system to access it too! So I had to modify the /etc/inittab file to match. Here is the appropriate section:

# Listen on serial port.  Speed 115200
#
T0:23:respawn:/sbin/getty -L ttyS0 115200 vt102

If the host doesn't have remote serial console access then these steps won't be required, but having such access is a lifesaver if you're configuring networks remotely.

4. Install Xen

Since we're planning on using (reselling) Xen, we needed to install it.

I mostly followed these instructions (which I wrote) for installing Xen upon a Debian Etch release!

Once Xen was installed I installed the xen-tools software from my personal apt-get repository.

Configuring this merely involved setting up the networking details appropriately, and configuring the name of the LVM partition I'd allocated to the Xen images.

The LVM setup was achieved by reading this LVM introduction, and as described already it was just these commands:

apt-get install lvm2
pvcreate /dev/md1
vgcreate ppp-vol /dev/md1

(I like to name volume groups after hostnames, to allow potential disk swaps to occur in the future without having two disks both named "vol".)

(Remember that our system uses two RAID devices; md0 as the root filesystem, and md1 as the LVM partition for Xen guests.)

Once this was done the system was useable and guests could be created/deleted/updated.

5. Install xen-shell

To allow clients to control their Xen instance I installed xen-shell directly from its CVS repository.

Once this was installed I could set up the new system users, one for each Xen guest. The process was mostly a matter of following the instructions, and looks something like this for each new user to be added:

  1. Run adduser $foo to create the user.
  2. Make a home directory for the user: mkdir /home/$foo; chown $foo:users /home/$foo
  3. Change their shell: chsh -s /usr/bin/xen-login-shell $foo
  4. Create an SSH keypair for the user: su -c "ssh-keygen -t dsa" $foo
  5. Rename their keys appropriately: mv /home/$foo/.ssh/id_dsa.pub /home/$foo/.ssh/authorized_keys
  6. Create /home/$foo/image.sh to install their image.
  7. Create /home/$foo/ips.txt to contain the list of IP addresses + reverse DNS entries the given user can control.

These steps were repeated for each user, and once they were complete the key, IP address details, and other information were mailed to each user.

6. Harden Host

Once all systems were configured and installed it was just a matter of hardening the host system. This boiled down to:

  • Mounting things appropriately, i.e. nodev, nosuid, etc.
  • Removing packages which aren't required.
  • Portscanning externally to make sure there was nothing listening which shouldn't have been - The only thing was the copy of postfix, which I updated.
  • Disabling cleartext passwords and forcing public keys
  • Installing backup software to back up the host system but not the guests.
  • Adding logwatch, integrit, and other appropriate hardening/detection software.
  • Installing vnstat to track bandwidth usage.
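
Three of these items (mount options, the loopback-only postfix, and key-only SSH logins) can be re-checked from configuration files after every change. The script below is an added example rather than anything from the original setup; the function names, the choice of /tmp as the mount point, and all sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Offline checks for three hardening items. Sample files are constructed.

# sshd keeps the FIRST global value of a keyword; unset means "yes".
ssh_passwords_disabled() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Postfix keeps the LAST definition in main.cf; unset means "all".
postfix_loopback_only() {
    v=$(sed -n '/^inet_interfaces[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | tail -n 1)
    case "$v" in
        loopback-only|localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print which of nodev/nosuid are absent from a mount point's fstab options.
fstab_missing_opts() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) seen[o[i]] = 1
            if (!("nodev" in seen))  out = out " nodev"
            if (!("nosuid" in seen)) out = out " nosuid"
            print substr(out, 2)
        }
        END { if (!found) print "not-in-fstab" }
    ' "$1"
}

d=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$d/sshd_config"
printf '%s\n' 'inet_interfaces = all' 'inet_interfaces = loopback-only' > "$d/main.cf"
printf '%s\n' '/dev/md0 / ext3 defaults 0 1' \
              'tmpfs /tmp tmpfs nodev,noexec 0 0' > "$d/fstab"

ssh_passwords_disabled "$d/sshd_config" && echo "sshd: password logins disabled"
postfix_loopback_only "$d/main.cf" && echo "postfix: loopback only"
echo "/tmp lacks: $(fstab_missing_opts "$d/fstab" /tmp)"
```

On a real host the same functions take /etc/ssh/sshd_config, /etc/postfix/main.cf and /etc/fstab; the external portscan is still needed, since these checks only read configuration and not what is actually listening.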