Autoformatter
This commit is contained in:
parent
99f8233d17
commit
4b22206871
@ -1,23 +1,29 @@
|
|||||||
---
|
---
|
||||||
title: 'Xen Orchestra'
|
title: "Xen Orchestra"
|
||||||
visible: true
|
visible: true
|
||||||
---
|
---
|
||||||
|
|
||||||
[toc]
|
[toc]
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
|
|
||||||
|
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
|
||||||
|
|
||||||
### Installation within VM
|
### Installation within VM
|
||||||
|
|
||||||
The supported distibutions are listed in the Github README.
|
The supported distibutions are listed in the Github README.
|
||||||
The script can be run with `# ./xo-install.sh --install`
|
The script can be run with `# ./xo-install.sh --install`
|
||||||
|
|
||||||
### Installation from dom0
|
### Installation from dom0
|
||||||
|
|
||||||
For an installation from dom0, you can deploy a premade VM.
|
For an installation from dom0, you can deploy a premade VM.
|
||||||
Run `# xo-vm-import.sh` to import that VM.
|
Run `# xo-vm-import.sh` to import that VM.
|
||||||
|
|
||||||
### Installation as container
|
### Installation as container
|
||||||
|
|
||||||
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
|
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
|
||||||
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
|
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
|
||||||
|
|
||||||
```
|
```
|
||||||
# podman run -itd --name xen-orchestra \
|
# podman run -itd --name xen-orchestra \
|
||||||
--net slirp4netns:allow_host_loopback=true \
|
--net slirp4netns:allow_host_loopback=true \
|
||||||
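Review bot: the container section (context lines "You need to explicitly allow host loopback for the container" and `--net slirp4netns:allow_host_loopback=true`) does not say what that flag actually grants: with host loopback allowed, 10.0.2.2 reaches every service bound to the host's 127.0.0.1, not only the tunnel port, so a one-line caveat that the host should keep other loopback-only listeners in mind would be worth adding. Also, "distibutions" on the unchanged line "The supported distibutions are listed in the Github README." is a typo ("distributions") that this formatting pass could have picked up.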
@ -26,18 +32,21 @@ We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh t
|
|||||||
```
|
```
|
||||||
|
|
||||||
## Secure Connection to Xenserver
|
## Secure Connection to Xenserver
|
||||||
|
|
||||||
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
|
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
|
||||||
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
|
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
|
||||||
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
|
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
|
||||||
|
|
||||||
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
|
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
|
||||||
|
|
||||||
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
|
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
|
||||||
|
|
||||||
### SSH Tunnel
|
### SSH Tunnel
|
||||||
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
|
|
||||||
|
|
||||||
`/etc/systemd/system/local-tunnel@.service`
|
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
|
||||||
|
|
||||||
|
`/etc/systemd/system/local-tunnel@.service`
|
||||||
|
|
||||||
```
|
```
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Setup a local tunnel to %I
|
Description=Setup a local tunnel to %I
|
||||||
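Review bot: the reordered paragraph "similar to wireguards `wg-quick@(vpn config)`" keeps "wireguards", which should read "WireGuard's"; in the same hunk, "xen orchestra VM" in "ssh-key based access to dom0 from the xen orchestra VM" should be capitalised "Xen Orchestra VM" to match the title. Both are context-only lines, but since this commit is a formatting sweep they fit here.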
@ -55,7 +64,8 @@ WantedBy=multi-user.target
|
|||||||
```
|
```
|
||||||
|
|
||||||
The corresponding config looks as follows:
|
The corresponding config looks as follows:
|
||||||
`/etc/default/local-tunnel@evileye`
|
`/etc/default/local-tunnel@evileye`
|
||||||
|
|
||||||
```
|
```
|
||||||
PATH_TO_KEY=(path to key)
|
PATH_TO_KEY=(path to key)
|
||||||
LOCAL_PORT=(local port, e.g. 4853)
|
LOCAL_PORT=(local port, e.g. 4853)
|
||||||
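Review bot: the config block around `PATH_TO_KEY=(path to key)` gives no guidance on protecting that key; since `/etc/default/local-tunnel@evileye` points the unit at a private key that grants dom0 access, a sentence recommending that the key file be readable only by the user the service runs as (mode 0600) would close a gap in the documentation.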
@ -66,33 +76,39 @@ REMOTE_HOST=(also destination in this case)
|
|||||||
```
|
```
|
||||||
|
|
||||||
This service can be enabled and started with this command.
|
This service can be enabled and started with this command.
|
||||||
`# systemctl enable --now local-tunnel@evileye.service`
|
`# systemctl enable --now local-tunnel@evileye.service`
|
||||||
|
|
||||||
### Firewall Redirection
|
### Firewall Redirection
|
||||||
`firewalld` will be used as firewall and to implement the redirection rule.
|
|
||||||
|
`firewalld` will be used as firewall and to implement the redirection rule.
|
||||||
|
|
||||||
Make sure to enable the firewalld service
|
Make sure to enable the firewalld service
|
||||||
`# systemctl enable --now firewalld`
|
`# systemctl enable --now firewalld`
|
||||||
|
|
||||||
This command implements a redirection rule for packets to *destination* with *destination port*. Packets are redirected to localhost:*port*. The *target port* should be the local port of the local SSH tunnel.
|
This command implements a redirection rule for packets to _destination_ with _destination port_. Packets are redirected to localhost:_port_. The _target port_ should be the local port of the local SSH tunnel.
|
||||||
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
|
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
|
||||||
|
|
||||||
This type of rule can be viewed with the following command:
|
This type of rule can be viewed with the following command:
|
||||||
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
|
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
|
||||||
|
|
||||||
To remove this rule again, edit `/etc/firewalld/direct.xml`
|
To remove this rule again, edit `/etc/firewalld/direct.xml`
|
||||||
|
|
||||||
## Firewalld
|
## Firewalld
|
||||||
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
|
|
||||||
|
|
||||||
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
|
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
|
||||||
|
|
||||||
For this Host the services `http`, `https` and `ssh` are allowed.
|
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
|
||||||
|
|
||||||
|
For this Host the services `http`, `https` and `ssh` are allowed.
|
||||||
|
|
||||||
## VM Backups
|
## VM Backups
|
||||||
|
|
||||||
### Exclude VM Disks from Backup
|
### Exclude VM Disks from Backup
|
||||||
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
|
|
||||||
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
|
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
|
||||||
|
|
||||||
|
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
|
||||||
|
|
||||||
### Remove stale backups
|
### Remove stale backups
|
||||||
|
|
||||||
> [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)
|
> [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)
|
||||||
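Review bot: the `firewall-cmd --permanent --direct --add-rule ...` line only writes the rule to the permanent configuration; it is not active until `firewall-cmd --reload` (or the same command repeated without `--permanent`), and the text does not say so, so a reader will see the tunnel bypassed until the next reload. For the removal step, `firewall-cmd --permanent --direct --remove-rule ipv4 nat OUTPUT 0 ...` with the same arguments is the counterpart to the add command and is safer than hand-editing `/etc/firewalld/direct.xml`. Note also that the rule is `ipv4` only, so dom0 must be addressed by its IPv4 address for the redirect to apply.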