diff --git a/pages/02.linux/xcp-ng/xen-orchestra/default.en.md b/pages/02.linux/xcp-ng/xen-orchestra/default.en.md index fff2a76..2ef5354 100644 --- a/pages/02.linux/xcp-ng/xen-orchestra/default.en.md +++ b/pages/02.linux/xcp-ng/xen-orchestra/default.en.md @@ -1,23 +1,29 @@ --- -title: 'Xen Orchestra' +title: "Xen Orchestra" visible: true --- [toc] + ## Installation -> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources. + +> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources. ### Installation within VM + The supported distibutions are listed in the Github README. -The script can be run with `# ./xo-install.sh --install` +The script can be run with `# ./xo-install.sh --install` ### Installation from dom0 + For an installation from dom0, you can deploy a premade VM. -Run `# xo-vm-import.sh` to import that VM. +Run `# xo-vm-import.sh` to import that VM. ### Installation as container + You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later -We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel +We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel + ``` # podman run -itd --name xen-orchestra \ --net slirp4netns:allow_host_loopback=true \ 
@@ -26,18 +32,21 @@ We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh t ``` ## Secure Connection to Xenserver + By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password. A local SSH tunnel is established, forwarding port 443 on dom0 instead. -One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh) +One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh) > Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example. -To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead. +To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead. ### SSH Tunnel -To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function. -`/etc/systemd/system/local-tunnel@.service` +To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function. + +`/etc/systemd/system/local-tunnel@.service` + ``` [Unit] Description=Setup a local tunnel to %I @@ -55,7 +64,8 @@ WantedBy=multi-user.target ``` The corresponding config looks as follows: -`/etc/default/local-tunnel@evileye` +`/etc/default/local-tunnel@evileye` + ``` PATH_TO_KEY=(path to key) LOCAL_PORT=(local port, e.g. 4853) 
@@ -66,33 +76,39 @@ REMOTE_HOST=(also destination in this case) ``` This service can be enabled and started with this command. -`# systemctl enable --now local-tunnel@evileye.service` +`# systemctl enable --now local-tunnel@evileye.service` ### Firewall Redirection -`firewalld` will be used as firewall and to implement the redirection rule. + +`firewalld` will be used as firewall and to implement the redirection rule. Make sure to enable the firewalld service -`# systemctl enable --now firewalld` +`# systemctl enable --now firewalld` -This command implements a redirection rule for packets to *destination* with *destination port*. Packets are redirected to localhost:*port*. The *target port* should be the local port of the local SSH tunnel. -`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)` +This command implements a redirection rule for packets to _destination_ with _destination port_. Packets are redirected to localhost:_port_. The _target port_ should be the local port of the local SSH tunnel. +`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)` This type of rule can be viewed with the following command: -`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT` +`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT` -To remove this rule again, edit `/etc/firewalld/direct.xml` +To remove this rule again, edit `/etc/firewalld/direct.xml` ## Firewalld -This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`. -> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point. +This section provides documentation on basic firewall usage. 
For example, allowing port 22/tcp for ssh with `firewalld`. -For this Host the services `http`, `https` and `ssh` are allowed. +> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point. + +For this Host the services `http`, `https` and `ssh` are allowed. ## VM Backups + ### Exclude VM Disks from Backup -To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]` -> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks) + +To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]` + +> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks) + ### Remove stale backups > [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)
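Review bot: in the first hunk (`@@ -1,23 +1,29 @@`), the context line `The supported distibutions are listed in the Github README.` keeps a typo that this formatting pass should pick up (`distributions`, and `GitHub` to match the project's spelling), and the two container sentences that the hunk rewraps still lack terminal punctuation; end them as `...the local ssh tunnel we'll create later.` and `...the local port we gave our ssh tunnel.` so the `+` lines are clean rather than only stripped of trailing whitespace. The `title` requoting and the blank lines around headings are fine.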
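Review bot: in the `@@ -26,18 +32,21 @@` hunk, the rationale in the context line `anyone with enough time could find the access password` undersells the change; since these lines are being rewrapped anyway, state the actual benefit that the rest of the section relies on: the tunnel keeps the Xen API off the public interface entirely, and the prerequisite `ssh-key based access to dom0` puts key-based SSH authentication in front of it. Two wording fixes in the same `+` lines: `similar to wireguards \`wg-quick@(vpn config)\`` should read `WireGuard's`, and `xen orchestra VM` should be `Xen Orchestra VM` to match the title and the `## Secure Connection to Xenserver` heading.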
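Review bot: in the `@@ -66,33 +76,39 @@` hunk, the `firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 ...` line is not followed by a reload step; a `--permanent` rule is written to `/etc/firewalld/direct.xml` but is not loaded into the running firewall until `firewall-cmd --reload` (or the same command repeated without `--permanent`), so the `firewall-cmd --direct --get-rules ipv4 nat OUTPUT` check shown right after it would come back empty. Add the reload between the two commands. The `+` line that describes the rule is also inconsistent in its terms: `_destination port_`, `localhost:_port_` and `_target port_` are three names for two values; use `_destination port_` and `_target port_` throughout. For removal, `firewall-cmd --permanent --direct --remove-rule ipv4 nat OUTPUT 0 ...` with the same arguments is more robust than the suggested hand edit of `direct.xml`, and does not risk leaving the file malformed.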