Autoformatter

This commit is contained in:
RealStickman 2022-12-02 09:20:19 +01:00
parent 99f8233d17
commit 4b22206871


@ -1,23 +1,29 @@
---
title: 'Xen Orchestra'
title: "Xen Orchestra"
visible: true
---
[toc]
## Installation
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
### Installation within VM
The supported distibutions are listed in the Github README.
The script can be run with `# ./xo-install.sh --install`
The script can be run with `# ./xo-install.sh --install`
### Installation from dom0
For an installation from dom0, you can deploy a premade VM.
Run `# xo-vm-import.sh` to import that VM.
Run `# xo-vm-import.sh` to import that VM.
### Installation as container
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
```
# podman run -itd --name xen-orchestra \
--net slirp4netns:allow_host_loopback=true \
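Review bot: the `--net slirp4netns:allow_host_loopback=true` line in the container section needs a sentence on scope, because host loopback is not limited to the tunnel port: once enabled, anything the host binds to 127.0.0.1 is reachable from the container via 10.0.2.2, not only the local ssh tunnel. State that, and that other loopback-only services on the host are therefore exposed to the container. Unrelated to the reformat, the unchanged line "The supported distibutions are listed in the Github README." still carries the typo "distibutions" (and "GitHub" is the project's spelling); worth fixing while this file is being touched.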
@ -26,18 +32,21 @@ We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh t
```
## Secure Connection to Xenserver
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
### SSH Tunnel
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
`/etc/systemd/system/local-tunnel@.service`
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
`/etc/systemd/system/local-tunnel@.service`
```
[Unit]
Description=Setup a local tunnel to %I
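Review bot: the paragraph "By default, dom0 exposes the Xen API on port 443 ... A local SSH tunnel is established, forwarding port 443 on dom0 instead." describes how Xen Orchestra reaches the API but not what closes the exposure it opens with: the tunnel only changes the client path, and port 443 on dom0 stays reachable by the "anyone with enough time" it warns about unless dom0's own firewall also blocks inbound 443 from untrusted networks. Add that step, or a pointer to where it is documented, next to the SSH-key prerequisite. Minor: "wireguards `wg-quick@(vpn config)`" should read "WireGuard's".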
@ -55,7 +64,8 @@ WantedBy=multi-user.target
```
The corresponding config looks as follows:
`/etc/default/local-tunnel@evileye`
`/etc/default/local-tunnel@evileye`
```
PATH_TO_KEY=(path to key)
LOCAL_PORT=(local port, e.g. 4853)
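Review bot: `PATH_TO_KEY=(path to key)` leaves the key handling undocumented: this is a private key that grants SSH access to dom0 and it lives on the Xen Orchestra host, so the config should say the file must be readable only by the user the service runs as (mode 0600) and should be a key dedicated to this tunnel rather than an administrator's personal key. Also state that `evileye` in `/etc/default/local-tunnel@evileye` is the template instance name: it is what the unit's `%I` expands to and what `systemctl enable --now local-tunnel@evileye.service` refers to, so the config file name must match the instance exactly.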
@ -66,33 +76,39 @@ REMOTE_HOST=(also destination in this case)
```
This service can be enabled and started with this command.
`# systemctl enable --now local-tunnel@evileye.service`
`# systemctl enable --now local-tunnel@evileye.service`
### Firewall Redirection
`firewalld` will be used as firewall and to implement the redirection rule.
`firewalld` will be used as firewall and to implement the redirection rule.
Make sure to enable the firewalld service
`# systemctl enable --now firewalld`
`# systemctl enable --now firewalld`
This command implements a redirection rule for packets to *destination* with *destination port*. Packets are redirected to localhost:*port*. The *target port* should be the local port of the local SSH tunnel.
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
This command implements a redirection rule for packets to _destination_ with _destination port_. Packets are redirected to localhost:_port_. The _target port_ should be the local port of the local SSH tunnel.
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
This type of rule can be viewed with the following command:
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
To remove this rule again, edit `/etc/firewalld/direct.xml`
To remove this rule again, edit `/etc/firewalld/direct.xml`
## Firewalld
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
For this Host the services `http`, `https` and `ssh` are allowed.
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
For this Host the services `http`, `https` and `ssh` are allowed.
## VM Backups
### Exclude VM Disks from Backup
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
### Remove stale backups
> [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)
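Review bot: the `firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)` step is incomplete: a `--permanent` direct rule is only written to `/etc/firewalld/direct.xml` and is not active until `firewall-cmd --reload` (or until the same command is repeated without `--permanent`). Until then Xen Orchestra's follow-up connections to the dom0 public IP on 443 leave the host unredirected, and the `firewall-cmd --direct --get-rules ipv4 nat OUTPUT` check shown below it will list nothing, since it reads runtime rules. Add the reload, and in "To remove this rule again, edit `/etc/firewalld/direct.xml`" suggest `firewall-cmd --permanent --direct --remove-rule ipv4 nat OUTPUT 0 ...` with the same arguments instead of hand-editing the XML. Minor: "For this Host" should be lower-case "host".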