Changes Coming In Citrix XenServer

I was just getting caught up on some Citrix information and ran across this blog post.  I’m happy to see they are addressing the concern of XenServer being dropped as a product once it was open sourced.  And I’m glad to hear they will be moving it forward with some big changes I didn’t even know needed to happen.  Like moving dom0 to 64-bit.  When I read that, I had to jump on one of my 6.2 servers and do a quick `uname -a` to see if it was true!   And sure enough, its kernel is compiled for i686.

Here are the official preview release notes Citrix gave out:

xs-tech-preview-release-notes.pdf

XenServer Error I Hates

Sometimes I’ll reboot a Linux VM and I can see it went all the way down.  The machine is off as far as I can tell but never ends up rebooting.  I then try doing a shutdown via XenCenter and I get the error message: “VM didn’t acknowledge the need to shut down”.

I get so angry that the error tells me the VM didn’t ACKNOWLEDGE the NEED to shut down, really?? I, the administrator, just told this piece of software to shut down and it’s telling ME that it doesn’t acknowledge my command?  Reminds me of an old error message I saw in Windows 95/98, “Windows will manage these settings”.  I think to myself, am I commanding the computer, or does the computer command me?

Pretty much this GIF explains everything I feel about this error.

Citrix XenServer Upgrade From 6.1 to 6.2

This weekend I’ve updated from 6.1 to 6.2. Here are the steps I took to do the upgrade.

  1. Make sure you have upgraded your licenses to 6.2 (May require login).  They have changed to a per-socket structure; we have two sockets per server and were able to upgrade without paying extra.  The upgrade will warn you if you don’t have the 6.2 license, but you can continue on… just make sure the new 6.2 license is applied to your license server.
  2. Download the XenServer-6.2.0-install-cd.iso file (May require login)
  3. I uploaded the file to a physical Linux web server not part of my Xen pool
  4. Create a directory called ‘xen’ in the root of your web site
  5. Mount the ISO as a loop device:
    sudo mount -o loop XenServer-6.2.0-install-cd.iso xen/
  6. Update XenCenter.msi to the latest version. After updating XenCenter, “About XenCenter” shows my version as “6.2 (build 1377)”
  7. Back up your XenServer pool: SSH into your pool master and run this command, then copy the dump into your backups on a file server
    xe pool-dump-database file-name=xenpool.backup.20140510
  8. Disable HA
  9. Shut down any unneeded VMs; this will decrease the time it takes to perform the upgrade
  10. To perform the upgrade, in XenCenter go to Tools -> Rolling Pool Upgrade
  11. Select your pool
  12. Select ‘Automatic Mode’
  13. Obey the rules of the pre-check
  14. Run the upgrade.  I had a few issues and had to restart the rolling upgrade, which didn’t seem like an issue.  My issues were mostly VMs losing their VDIs, which can be fixed via this article.

Citrix XenServer PCI Passthrough

Sometimes you need to use a PCI device on a virtual machine. We have a vendor who has supplied a USB dongle for software licensing, which is really annoying. Their software doesn’t merit its own server, so we want to put it into our XenServer pool.

    1. Shut down the VM you want to attach your device to.
    2. SSH into the host that has your PCI device.  Use the following command to locate the PCI ID for your device.   It should look something like this: “00:1d.7”
      lspci -v
    3. Now locate the UUID for the VM you want to attach the PCI device to with the following command
      xe vm-list
    4. Now use the following command to set the pass through
      xe vm-param-set other-config:pci=0/"PCI ID" uuid="UUID of VM"
    5. Now boot the VM and check if your device is now attached.  If not, make sure you are using the correct PCI ID.  USB devices can get tricky, as there may be many USB devices listed.
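An added helper (not from the original post) that checks the inputs from steps 2–3 before the xe command in step 4 is run, since a mistyped PCI ID simply leaves the VM without the device. It assumes the `0/<domain>:<bus>:<slot>.<function>` value XenServer documents for `other-config:pci` (e.g. `0/0000:00:1d.7`) and that `lspci -D` and `xe` are on the host; the function and UUID names are this example's own.

```shell
#!/bin/sh
# Added helper, not from the original post: validate the PCI ID and VM UUID
# before handing them to xe. Assumes XenServer's documented other-config:pci
# form 0/<domain>:<bus>:<slot>.<function>, e.g. 0/0000:00:1d.7.

# Turn "00:1d.7" (plain lspci) or "0000:00:1d.7" (lspci -D) into the
# domain-qualified form; fail on anything else, such as a pasted device name.
normalize_pci_id() {
    id=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$id" in
        *:*:*) printf '%s\n' "$id" | grep -Eq '^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$' && echo "$id" ;;
        *)     printf '%s\n' "$id" | grep -Eq '^[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$' && echo "0000:$id" ;;
    esac
}

# Reject anything that is not a UUID of the shape `xe vm-list` prints.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# True if the device appears in `lspci -D` output read from stdin.
pci_listed() {
    grep -q "^$1 "
}

# Print the step-4 command for a validated ID/UUID pair.
passthrough_cmd() {
    id=$(normalize_pci_id "$1") || return 1
    valid_uuid "$2" || return 1
    echo "xe vm-param-set other-config:pci=0/$id uuid=$2"
}

# On the host: refuse unless the device exists and the VM is halted, then run it.
main() {
    id=$(normalize_pci_id "$1") || { echo "bad PCI ID: $1" >&2; exit 1; }
    lspci -D | pci_listed "$id" || { echo "$id not found in lspci -D" >&2; exit 1; }
    state=$(xe vm-list uuid="$2" params=power-state --minimal)
    [ "$state" = "halted" ] || { echo "VM $2 is '$state', shut it down first" >&2; exit 1; }
    eval "$(passthrough_cmd "$1" "$2")"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it on the host as `sh passthrough.sh 00:1d.7 <VM UUID>`; the VM uuid and the constructed lspci line used in testing are placeholders.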

Small Changes to Increase Security on Ubuntu Servers

Here are some things I’ve done to help increase security on my Ubuntu boxes.  When securing a Linux system, the goal is to prevent, detect, and react.  These small changes will help toward that goal.

Be careful with these changes, as you can lock yourself out of the server.
Also, Ubuntu uses admin (<10.x) or adm (>12.x) as the admin group!!

  1. Increase SSH security by reducing the grace time, not allowing root to log in (Ubuntu has no root user, but in case you are compromised and a root account is added), and only allowing the groups you want to log in to the box.  I run a shell for friends, so in order to allow them to log in, I create an “ssh” group and put them into that group.
    Open /etc/ssh/sshd_config
    LoginGraceTime 20
    PermitRootLogin no
    AllowGroups adm ssh
  2. Make the “su” program unavailable to non-admin users
    sudo chown root:adm /bin/su
    sudo chmod 4750 /bin/su
  3. Install more apparmor profiles, read up on apparmor and make sure to think about it when troubleshooting issues.  Sometimes when you don’t use default file paths, apparmor will not allow an application to read/write to locations not whitelisted.
    sudo apt-get install apparmor-profiles
  4. Install denyhosts, this will block bots trying to brute-force you.
    sudo apt-get install denyhosts
  5. Here is an example of my changes to denyhosts
    Edit /etc/denyhosts.conf (diff -U3 denyhosts.conf.orig denyhosts.conf)
    --- denyhosts.conf.orig 2009-07-21 09:54:25.000000000 -0500
    +++ denyhosts.conf      2009-07-21 10:00:59.000000000 -0500
    @@ -57,13 +57,15 @@
    #            'y' = years
    #
    # never purge:
    -PURGE_DENY =
    +#PURGE_DENY =
    #
    # purge entries older than 1 week
    #PURGE_DENY = 1w
    #
    # purge entries older than 5 days
    #PURGE_DENY = 5d
    +# purge entries older than 4 weeks
    +PURGE_DENY = 4w
    #######################################################################
    #######################################################################
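Review bot: the switch from `PURGE_DENY =` (never purge) to `PURGE_DENY = 4w` means a blocked address is silently re-admitted after four weeks and has to trip the deny threshold again; that keeps hosts.deny from growing without bound, but the trade-off deserves a comment beside the new line, and keeping the original line commented out as done here makes the never-purge default easy to restore.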
    @@ -90,9 +92,9 @@
    # eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
    #
    # To block all services for the offending host:
    -#BLOCK_SERVICE = ALL
    +BLOCK_SERVICE = ALL
    # To block only sshd:
    -BLOCK_SERVICE  = sshd
    +#BLOCK_SERVICE  = sshd
    # To only record the offending host and nothing else (if using
    # an auxilary file to list the hosts).  Refer to:
    # http://denyhosts.sourceforge.net/faq.html#aux
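Review bot: `BLOCK_SERVICE = ALL` widens the block from sshd to every TCP-wrapped service on the host, so a few mistyped passwords from an admin workstation now cut off everything, not just SSH; put your own management addresses in /var/lib/denyhosts/allowed-hosts (step 6) before restarting denyhosts with this setting.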
    @@ -218,7 +220,7 @@
    # Multiple email addresses can be delimited by a comma, eg:
    # ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
    #
    -ADMIN_EMAIL = root@localhost
    +#ADMIN_EMAIL = root@localhost
    #
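Review bot: commenting out `ADMIN_EMAIL = root@localhost` turns off the mail sent when a host is added to hosts.deny, so this hunk only makes sense together with the `SYSLOG_REPORT=YES` change in the next hunk and something that reads those syslog lines (the logwatch report from step 9); note that dependency in a comment, or keep the address so root still hears about new blocks on a box without a syslog reader.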
    #######################################################################@@ -285,7 +287,7 @@
    #
    #SYSLOG_REPORT=NO
    #
    -#SYSLOG_REPORT=YES
    +SYSLOG_REPORT=YES
    #
    ######################################################################
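Review bot: with `SYSLOG_REPORT=YES` the denied-host events only go to syslog, so confirm the logwatch report from step 9 actually includes them (check one day's report after the first block); otherwise, now that ADMIN_EMAIL is commented out, hosts get blocked with nobody notified.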
  6. In order to whitelist a host from getting into denyhosts, list the ips in this file: /var/lib/denyhosts/allowed-hosts
  7. Make sure changes have been applied:
    sudo /etc/init.d/denyhosts restart
  8. Install the sar performance monitor (sysstat)
    sudo apt-get install sysstat
    Edit /etc/default/sysstat
    Set: ENABLE="true"
    sudo /etc/init.d/sysstat start
  9. Install logwatch and monitor the emails it sends you (root).  This will give you a good overview of your system if you don’t have a syslog server.
    sudo apt-get install logwatch
  10. Install Root Kit Hunter (rkhunter), a cron job that will check your system for rootkits.  It keeps track of your binaries and warns in case their MD5 hashes change.
    sudo apt-get install rkhunter
  11. Edit the file /etc/rkhunter.conf and add these changes at the very bottom; these may not apply to you, but they are some false positives I needed to whitelist.
    MAIL-ON-WARNING=root@localhost
    ENABLE_TESTS="all"
    DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
    ALLOWHIDDENDIR=/etc/.java
    ALLOWHIDDENDIR=/dev/.static
    ALLOWHIDDENDIR=/dev/.udev
    ALLOWHIDDENDIR=/dev/.initramfs
    ALLOWHIDDENFILE=/dev/.blkid.tab
    ALLOWHIDDENFILE=/dev/.blkid.tab.old
    SCRIPTWHITELIST=/usr/local/bin/lwp-request
  12. After installing rkhunter, you will get emails indicating if there is anything odd happening on your box.  Most of the time it’s from updates, so if you run apt-get upgrade or apt-get dist-upgrade, you need to run this command to update rkhunter:
    sudo rkhunter --propupd
  13. Shared Memory, edit /etc/fstab and add:
    tmpfs           /dev/shm        tmpfs   defaults,noexec,nosuid  0  0
  14. sudo mount -o remount /dev/shm
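An added audit script (not from the original post) that checks whether the sshd settings from step 1, the su permissions from step 2 and the /dev/shm mount options from steps 13–14 are actually in effect. File paths are parameters so it can be run against copies of the files; it checks only the 4750 mode of su, not its root:adm ownership, and the function names are this example's own.

```shell
#!/bin/sh
# Added audit script, not from the original post: verify the sshd, su and
# /dev/shm hardening above is in effect. Paths are parameters so the checks
# can run against copies of the real files.

# Print the effective value of sshd directive $2 in config file $1.
# sshd honours the FIRST uncommented occurrence, so stop at the first match.
sshd_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Require PermitRootLogin no, a LoginGraceTime of at most 30 seconds (plain
# number only; the "2m" suffix form is not handled) and a non-empty AllowGroups.
check_sshd() {
    f=$1
    rc=0
    [ "$(sshd_directive "$f" PermitRootLogin)" = "no" ] || { echo "FAIL $f: PermitRootLogin is not 'no'"; rc=1; }
    g=$(sshd_directive "$f" LoginGraceTime)
    case "$g" in
        ''|*[!0-9]*) echo "FAIL $f: LoginGraceTime unset or not numeric"; rc=1 ;;
        *) [ "$g" -le 30 ] || { echo "FAIL $f: LoginGraceTime $g > 30s"; rc=1; } ;;
    esac
    [ -n "$(sshd_directive "$f" AllowGroups)" ] || { echo "FAIL $f: AllowGroups not set"; rc=1; }
    return $rc
}

# True if the binary (normally /bin/su) is mode 4750, i.e. setuid but only
# executable by its group. Uses GNU stat.
check_su_mode() {
    [ "$(stat -c '%a' "$1")" = "4750" ]
}

# True if /dev/shm is mounted with both noexec and nosuid. $1 is a file in
# /proc/mounts format (defaults to /proc/mounts itself).
shm_hardened() {
    awk '$2 == "/dev/shm" { n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1; found = 1 }
         END { ok = found && seen["noexec"] && seen["nosuid"]; exit ok ? 0 : 1 }' "${1:-/proc/mounts}"
}

# Run all checks; non-zero if any fails. Arguments default to the live files.
audit() {
    rc=0
    check_sshd "${1:-/etc/ssh/sshd_config}" || rc=1
    check_su_mode "${2:-/bin/su}" || { echo "FAIL: su is not mode 4750"; rc=1; }
    shm_hardened "${3:-/proc/mounts}" || { echo "FAIL: /dev/shm lacks noexec,nosuid"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: all checks passed"
    return $rc
}
```

Run `audit` with no arguments on the box itself; a non-zero exit plus the FAIL lines tell you which of the steps above did not take effect (for instance after a package upgrade rewrote sshd_config).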