Autoformatter

RealStickman 2022-12-02 09:20:19 +01:00
parent 99f8233d17
commit 4b22206871


@ -1,23 +1,29 @@
--- ---
title: 'Xen Orchestra' title: "Xen Orchestra"
visible: true visible: true
--- ---
[toc] [toc]
## Installation ## Installation
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
### Installation within VM ### Installation within VM
The supported distibutions are listed in the Github README. The supported distibutions are listed in the Github README.
The script can be run with `# ./xo-install.sh --install` The script can be run with `# ./xo-install.sh --install`
### Installation from dom0 ### Installation from dom0
For an installation from dom0, you can deploy a premade VM. For an installation from dom0, you can deploy a premade VM.
Run `# xo-vm-import.sh` to import that VM. Run `# xo-vm-import.sh` to import that VM.
### Installation as container ### Installation as container
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
``` ```
# podman run -itd --name xen-orchestra \ # podman run -itd --name xen-orchestra \
--net slirp4netns:allow_host_loopback=true \ --net slirp4netns:allow_host_loopback=true \
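Review bot: the typo "distibutions" in `The supported distibutions are listed in the Github README.` is carried over unchanged on both sides of this hunk; since the commit is already touching every line for quoting and blank lines, fix it to "distributions" (and "Github" to "GitHub") in the same pass. The container paragraph would also read clearer if it said why 10.0.2.2 is used: that is the address slirp4netns gives the container for the host, and `--net slirp4netns:allow_host_loopback=true` is what lets a connection to it reach a listener bound on the host's 127.0.0.1, which is where the SSH tunnel's local port lives.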
@ -26,18 +32,21 @@ We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh t
``` ```
## Secure Connection to Xenserver ## Secure Connection to Xenserver
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password. By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
A local SSH tunnel is established, forwarding port 443 on dom0 instead. A local SSH tunnel is established, forwarding port 443 on dom0 instead.
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh) One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example. > Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead. To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
### SSH Tunnel ### SSH Tunnel
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
`/etc/systemd/system/local-tunnel@.service` To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
`/etc/systemd/system/local-tunnel@.service`
``` ```
[Unit] [Unit]
Description=Setup a local tunnel to %I Description=Setup a local tunnel to %I
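Review bot: `similar to wireguards `wg-quick@(vpn config)`` needs the possessive "WireGuard's", and the rationale in `By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk ...` followed by `A local SSH tunnel is established, forwarding port 443 on dom0 instead.` reads as if the tunnel closes that exposure, which an `ssh -L` style tunnel does not do by itself: dom0 keeps listening on 443 for everyone, the tunnel only changes how this Xen Orchestra host reaches it. Suggest one sentence stating whether 443 on dom0 is then restricted to trusted sources (or left as is), so the reader knows what the tunnel does and does not protect against.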
@ -55,7 +64,8 @@ WantedBy=multi-user.target
``` ```
The corresponding config looks as follows: The corresponding config looks as follows:
`/etc/default/local-tunnel@evileye` `/etc/default/local-tunnel@evileye`
``` ```
PATH_TO_KEY=(path to key) PATH_TO_KEY=(path to key)
LOCAL_PORT=(local port, e.g. 4853) LOCAL_PORT=(local port, e.g. 4853)
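Review bot: `PATH_TO_KEY=(path to key)` points the service at a private SSH key, but nothing around this block says which user the unit runs as or what ownership and mode the key and `/etc/default/local-tunnel@evileye` should have; the unit body is elided in the previous hunk, so the reader cannot infer it. Suggest a sentence after the config block giving the expected permissions (readable only by the user the service runs as) and noting that the key should be a dedicated one used only for this tunnel, which also makes it easy to revoke on dom0 independently of any interactive login key.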
@ -66,33 +76,39 @@ REMOTE_HOST=(also destination in this case)
``` ```
This service can be enabled and started with this command. This service can be enabled and started with this command.
`# systemctl enable --now local-tunnel@evileye.service` `# systemctl enable --now local-tunnel@evileye.service`
### Firewall Redirection ### Firewall Redirection
`firewalld` will be used as firewall and to implement the redirection rule.
`firewalld` will be used as firewall and to implement the redirection rule.
Make sure to enable the firewalld service Make sure to enable the firewalld service
`# systemctl enable --now firewalld` `# systemctl enable --now firewalld`
This command implements a redirection rule for packets to *destination* with *destination port*. Packets are redirected to localhost:*port*. The *target port* should be the local port of the local SSH tunnel. This command implements a redirection rule for packets to _destination_ with _destination port_. Packets are redirected to localhost:_port_. The _target port_ should be the local port of the local SSH tunnel.
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)` `# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
This type of rule can be viewed with the following command: This type of rule can be viewed with the following command:
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT` `# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
To remove this rule again, edit `/etc/firewalld/direct.xml` To remove this rule again, edit `/etc/firewalld/direct.xml`
## Firewalld ## Firewalld
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point. This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
For this Host the services `http`, `https` and `ssh` are allowed. > In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
For this Host the services `http`, `https` and `ssh` are allowed.
## VM Backups ## VM Backups
### Exclude VM Disks from Backup ### Exclude VM Disks from Backup
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks) To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
### Remove stale backups ### Remove stale backups
> [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2) > [Backup list has a stale entry - how do I remove it?](https://xcp-ng.org/forum/topic/6462/backup-list-has-a-stale-entry-how-do-i-remove-it/2)
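Review bot: the `firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 ...` command writes the rule to the permanent configuration only, so it is not active until `firewall-cmd --reload` (or the same command repeated without `--permanent`), and the `firewall-cmd --direct --get-rules ipv4 nat OUTPUT` check that follows queries the runtime set and will show nothing before that reload; suggest inserting the reload step between the two commands. For `To remove this rule again, edit /etc/firewalld/direct.xml`, the supported route is `firewall-cmd --permanent --direct --remove-rule ipv4 nat OUTPUT 0 ...` with the same arguments as the add, followed by a reload, rather than hand-editing the XML. The `*destination*` to `_destination_` change and the quoting change in the front matter are purely cosmetic and need no further comment.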