(Grav GitSync) Automatic Commit from RealStickman
This commit is contained in:
parent
4f051e21c5
commit
61ed619e4f
@ -1,97 +1,4 @@
|
||||
---
|
||||
title: 'XCP-ng Xen Orchestra'
|
||||
title: XCP-ng
|
||||
---
|
||||
|
||||
## Installation
|
||||
> Use the script [XenOrchestraInstallerUpdater](https://github.com/ronivay/XenOrchestraInstallerUpdater) to install Xen Orchestra from sources.
|
||||
{.is-info}
|
||||
|
||||
### Installation within VM
|
||||
The supported distibutions are listed in the Github README.
|
||||
The script can be run with `# ./xo-install.sh --install`
|
||||
|
||||
### Installation from dom0
|
||||
For an installation from dom0, you can deploy a premade VM.
|
||||
Run `# xo-vm-import.sh` to import that VM.
|
||||
|
||||
### Installation as container
|
||||
You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
|
||||
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel
|
||||
```
|
||||
# podman run -itd --name xen-orchestra \
|
||||
--net slirp4netns:allow_host_loopback=true \
|
||||
-p 8080:80 \
|
||||
docker.io/ronivay/xen-orchestra
|
||||
```
|
||||
|
||||
## Secure Connection to Xenserver
|
||||
By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
|
||||
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
|
||||
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See [SSH](/remote/ssh)
|
||||
|
||||
> Based on testing and [this forum post](https://xen-orchestra.com/forum/topic/528/connection-port-in-settings-servers-not-used-for-console) it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example.
|
||||
{.is-info}
|
||||
|
||||
To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.
|
||||
|
||||
### SSH Tunnel
|
||||
To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards `wg-quick@(vpn config)` in its function.
|
||||
|
||||
`/etc/systemd/system/local-tunnel@.service`
|
||||
```
|
||||
[Unit]
|
||||
Description=Setup a local tunnel to %I
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=/etc/default/local-tunnel@%i
|
||||
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
|
||||
RestartSec=15
|
||||
Restart=always
|
||||
KillMode=mixed
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
The corresponding config looks as follows:
|
||||
`/etc/default/local-tunnel@evileye`
|
||||
```
|
||||
PATH_TO_KEY=(path to key)
|
||||
LOCAL_PORT=(local port, e.g. 4853)
|
||||
REMOTE_ADDR=(destination, e.g. 182.52.32.12)
|
||||
REMOTE_PORT=443
|
||||
REMOTE_USER=(remote user)
|
||||
REMOTE_HOST=(also destination in this case)
|
||||
```
|
||||
|
||||
This service can be enabled and started with this command.
|
||||
`# systemctl enable --now local-tunnel@evileye.service`
|
||||
|
||||
### Firewall Redirection
|
||||
`firewalld` will be used as firewall and to implement the redirection rule.
|
||||
|
||||
Make sure to enable the firewalld service
|
||||
`# systemctl enable --now firewalld`
|
||||
|
||||
This command implements a redirection rule for packets to *destination* with *destination port*. Packets are redirected to localhost:*port*. The *target port* should be the local port of the local SSH tunnel.
|
||||
`# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)`
|
||||
|
||||
This type of rule can be viewed with the following command:
|
||||
`# firewall-cmd --direct --get-rules ipv4 nat OUTPUT`
|
||||
|
||||
To remove this rule again, edit `/etc/firewalld/direct.xml`
|
||||
|
||||
## Firewalld
|
||||
This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with `firewalld`.
|
||||
|
||||
> In general, [this guide by Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7) provides a good starting point.
|
||||
{.is-info}
|
||||
|
||||
For this Host the services `http`, `https` and `ssh` are allowed.
|
||||
|
||||
## VM Backups
|
||||
### Exclude VM Disks from Backup
|
||||
To exclude disks from backup jobs, one can prepend the disk name with `[NOBAK]`
|
||||
> Also see [the official documentation](https://xen-orchestra.com/docs/backups.html#exclude-disks)
|
||||
{.is-info}
|
||||
|
Loading…
Reference in New Issue
Block a user