wiki-grav/pages/02.linux/07.xcp-ng/03.xen-orchestra/default.en.md
2022-05-20 21:15:05 +02:00

4.1 KiB

title
Xen Orchestra

Installation

Use the script XenOrchestraInstallerUpdater to install Xen Orchestra from sources.
{.is-info}

Installation within VM

The supported distibutions are listed in the Github README.
The script can be run with # ./xo-install.sh --install

Installation from dom0

For an installation from dom0, you can deploy a premade VM.
Run # xo-vm-import.sh to import that VM.

Installation as container

You need to explicitly allow host loopback for the container, or it won't be able to access the local ssh tunnel we'll create later
We'll need to enter the server on 10.0.2.2 with the local port we gave our ssh tunnel

# podman run -itd --name xen-orchestra \
    --net slirp4netns:allow_host_loopback=true \
    -p 8080:80 \
    docker.io/ronivay/xen-orchestra

Secure Connection to Xenserver

By default, dom0 exposes the Xen API on port 443. However, in public settings this would be a security risk, as anyone with enough time could find the access password.
A local SSH tunnel is established, forwarding port 443 on dom0 instead.
One prerequisite is ssh-key based access to dom0 from the xen orchestra VM. See SSH

Based on testing and this forum post it is known the Xen API returns the dom0 public IP address for additional connections within Xen Orchestra. This includes the VM console and usage statistics for example. {.is-info}

To work around this issue, a firewall rule can be used to redirect traffic outbound to dom0 on port 443 to the local ssh tunnel instead.

SSH Tunnel

To start and stop the tunnel automatically a systemd service is used. It is a special kind of service, similar to wireguards wg-quick@(vpn config) in its function.

/etc/systemd/system/local-tunnel@.service

[Unit]
Description=Setup a local tunnel to %I
After=network.target

[Service]
EnvironmentFile=/etc/default/local-tunnel@%i
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
RestartSec=15
Restart=always
KillMode=mixed

[Install]
WantedBy=multi-user.target

The corresponding config looks as follows:
/etc/default/local-tunnel@evileye

PATH_TO_KEY=(path to key)
LOCAL_PORT=(local port, e.g. 4853)
REMOTE_ADDR=(destination, e.g. 182.52.32.12)
REMOTE_PORT=443
REMOTE_USER=(remote user)
REMOTE_HOST=(also destination in this case)

This service can be enabled and started with this command.
# systemctl enable --now local-tunnel@evileye.service

Firewall Redirection

firewalld will be used as firewall and to implement the redirection rule.

Make sure to enable the firewalld service
# systemctl enable --now firewalld

This command implements a redirection rule for packets to destination with destination port. Packets are redirected to localhost:port. The target port should be the local port of the local SSH tunnel.
# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -d (destination) -p tcp --dport (dest. port) -j DNAT --to-destination 127.0.0.1:(target port)

This type of rule can be viewed with the following command:
# firewall-cmd --direct --get-rules ipv4 nat OUTPUT

To remove this rule again, edit /etc/firewalld/direct.xml

Firewalld

This section provides documentation on basic firewall usage. For example, allowing port 22/tcp for ssh with firewalld.

In general, this guide by Digital Ocean provides a good starting point.
{.is-info}

For this Host the services http, https and ssh are allowed.

VM Backups

Exclude VM Disks from Backup

To exclude disks from backup jobs, one can prepend the disk name with [NOBAK]

Also see the official documentation
{.is-info}