XEN/PV - Bootstrapping Debian/Ubuntu

Introduction

The kernel has to be either a freaking custom domU kernel or the official Ubuntu/xen one. In any case, NO INSTALL RAMDISK IS NEEDED.

Note REISER4 is an invalid file-system for docker storage overlays. You need EXT4 or XFS.

Requirements

Prepare the guest skeleton

guest=bionic

mkdir -p /data/guests/$guest/
cd /data/guests/$guest/

dd if=/dev/zero of=$guest.ext4 bs=1G count=0 seek=10
mkfs.ext4 $guest.ext4
#dd if=/dev/zero of=$guest.reiser4 bs=1G count=0 seek=10
#mkfs.reiser4 -yf $guest.reiser4

#dd if=/dev/zero of=ubuntu.swap bs=1G count=0 seek=1
#mkswap ubuntu.swap

mkdir lala/
mount $guest.ext4 lala/
#mount $guest.reiser4 lala/

Keyrings

See debootstrap

Debootstraping

mirror=ru
dist=$guest
cacher=http://x.x.x.x:3142

#time debootstrap --arch=i386 $dist lala/ http://$mirror.archive.ubuntu.com/ubuntu/
time debootstrap --arch=amd64 $dist lala/ http://$mirror.archive.ubuntu.com/ubuntu/
#time debootstrap --arch=amd64 $dist lala/ http://ftp.$mirror.debian.org/debian/
#time debootstrap --arch=amd64 $dist lala/ $cacher/ftp.$mirror.debian.org/debian/
#--print-debs
#--no-check-gpg

du -sh lala/
# trustyx32 242M
# xenial 248M, 247M
# artful 302M, 307M
# bionic 306M ??862M
# stretch 644M
# buster 653M

cat lala/etc/hostname #noexist
echo $guest > lala/etc/hostname

Using xvda1 instead of xvda so in case grub gets installed, it will not be able to override anything on an absent area

vi lala/etc/fstab

/dev/xvda1 / ext4 defaults 0 1
#/dev/xvda1 / reiser4 defaults 0 1
#/dev/xvdb1 none swap sw 0 0
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,noatime,relatime 0 0

Enable TMEM

mkdir lala/lib/modules/
ls -lF /data/kernels/lib.modules.*.tar.gz
tar xzf /data/kernels/lib.modules.5.2.14.domureiser4.tar.gz -C lala/lib/modules/
tar xzf /data/kernels/lib.modules.5.2.21.lightUreiser4.tar.gz -C lala/lib/modules/
ls -lF lala/lib/modules/
echo tmem >> lala/etc/modules
cat lala/etc/modules

Prepare the system,

chroot lala/ /bin/bash

cat >> /etc/bash.bashrc <<-EOF

    alias ll='ls -alhF'
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'
    alias runq='postfix flush'

EOF

#for ver in `ls -1 /lib/modules/`; do echo -n $ver...; depmod -a $ver && echo done; done; unset ver

console requires a password unless you play with getty – disabling it instead,

passwd -d root
#usermod -p '*' root

# debian
#apt install locales
#apt install debian-keyring debian-archive-keyring

locale -a
locale-gen
#locale-gen en_US.UTF-8
#dpkg-reconfigure locales

export LANGUAGE="en_US:en"
export LC_ALL="en_US.UTF-8"
export LC_COLLATE="en_US.UTF-8"
export LANG="en_US.UTF-8"

vi /etc/profile
export LANGUAGE="en_US:en"
export LC_ALL="en_US.UTF-8"
export LC_COLLATE="en_US.UTF-8"
export LANG="en_US.UTF-8"

update-locale LANGUAGE="en_US:en"
update-locale LC_ALL="en_US.UTF-8"
update-locale LC_COLLATE="en_US.UTF-8"
update-locale LANG="en_US.UTF-8"
cat /etc/default/locale

ubuntu

dist=bionic
mv /etc/apt/sources.list /etc/apt/sources.list.dist
vi /etc/apt/sources.list

deb http://ru.archive.ubuntu.com/ubuntu $dist main restricted universe
deb http://ru.archive.ubuntu.com/ubuntu $dist-updates main restricted universe
deb http://ru.archive.ubuntu.com/ubuntu $dist-security main restricted universe
#multiverse
#$dist-backports

debian

mv /etc/apt/sources.list /etc/apt/sources.list.dist
vi /etc/apt/sources.list

deb http://ftp.ru.debian.org/debian stable main contrib
deb http://ftp.ru.debian.org/debian stable-updates main contrib
#non-free
#stable-backports

and proceed

vi /etc/apt/apt.conf.d/02proxy

Acquire::http { Proxy "http://x.x.x.x:3142"; };

apt update
apt -y full-upgrade
export DEBIAN_FRONTEND=noninteractive
apt -y install man-db manpages ifupdown resolvconf net-tools openssh-server openssh-client mlocate bsd-mailx
ls -lF /etc/postfix/main.cf

#ubuntu
apt purge nplan netplan.io ntp
apt-get autoremove --purge
systemctl disable systemd-resolved.service
systemctl disable systemd-timesyncd
systemctl enable resolvconf.service

systemctl get-default
systemctl set-default multi-user

no NTP required, as this is XEN/PV, but timezone will help

ls -lF /etc/localtime
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
cat /etc/timezone
echo Europe/Moscow > /etc/timezone

template network

rmdir /etc/network/interfaces.d/
vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address IP_ADDRESS/24
        gateway GATEWAY_IP
        dns-nameservers x.x.x.x
        #208.67.222.222 208.67.220.220
        #dns-search example.net

vi /etc/hosts

127.0.0.1       localhost buster tpl

revert back to sane defaults

mv -i /etc/ssh/ssh_config /etc/ssh/ssh_config.dist
#sed '/^#/d; /^$/d;
#   s/HashKnownHosts yes/HashKnownHosts no/;
#   s/GSSAPIAuthentication yes/GSSAPIAuthentication no/;
#   ' /etc/ssh/ssh_config.dist > /etc/ssh/ssh_config
vi /etc/ssh/ssh_config

Host *
    SendEnv LANG LC_*
    HashKnownHosts no
    GSSAPIAuthentication no
    VerifyHostKeyDNS ask
    #VisualHostKey yes

mv -i /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
grep -vE '^[[:space:]]*(#|$)' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
vi /etc/ssh/sshd_config

AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

AddressFamily inet
#ListenAddress x.x.x.x
Protocol 2
Port 2222
AllowGroups root wheel
#AllowUsers root@CLIENT-IP gollum@CLIENT2 *@CIDR
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
ChallengeResponseAuthentication no
UsePAM no
UseDNS no
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no

cd ~/
mkdir .ssh/
chmod 700 .ssh/
vi .ssh/authorized_keys
PASTE YOUR PUB KEYS HERE
chmod 600 .ssh/authorized_keys

^D
umount lala/
rmdir lala/

Guest configuration

echo $guest
cat > $guest <<-EOF
kernel = "/data/kernels/vmlinuz"
root = "/dev/xvda1 ro console=hvc0 netcfg/do_not_use_netplan=true net.ifnames=0 biosdevname=0 mitigations=off"
memory = 7168
#memory = 8192
#memory = 16384
#memory = 32768
name = "$guest"
vcpus = 16
maxvcpus = 16
disk = ['tap:tapdisk:aio:/data/guests/$guest/$guest.ext4,xvda1,w']
#disk = ['tap:tapdisk:aio:/data/guests/$guest/$guest.reiser4,xvda1,w']
#disk = ['phy:/dev/drbd1,xvda1,w']
vif = [ 'bridge=xenbr0, vifname=$guest.0' ]
EOF
vi $guest

Acceptance

xl create $guest -c

cat /sys/devices/system/clocksource/*/current_clocksource
cat /sys/devices/system/clocksource/clocksource0/current_clocksource
systemctl get-default
ifconfig
ls -lF /etc/resolv.conf*
cat /etc/resolv.conf
ping opendns.com
lsmod | grep tmem
free -m
updatedb
history -c
poweroff

Template

eventually make a template out of it, and avoid doing this on an NFS share

fsck.ext4 $guest/$guest.ext4
#fsck.reiser4 -y buster.reiser4
#xfs_repair $guest.xfs
cd ../
tar czSf ../templates/$guest.tar.gz $guest/

then while deploying it (cloning the template), regenerate host-keys first

mkdir lala
mount $guest.ext4 lala
echo NEW-HOST > lala/etc/hostname
ls -lF lala/etc/ssh/ssh_host_*
rm -f lala/etc/ssh/ssh_host_*
ssh-keygen -q -t ed25519 -f lala/etc/ssh/ssh_host_ed25519_key -C "root@$guest" -N ""
#chroot lala dpkg-reconfigure openssh-server
umount lala
rmdir lala

you might even consider re-creating the snakeoil cert

openssl x509 -text -noout < lala/etc/ssl/certs/ssl-cert-snakeoil.pem
...

Debian/Ubuntu // xen-tools & debootstrap & LVM2

apt install lvm2 xen-tools
pvcreate /dev/sdaX
vgcreate guestsvg /dev/sdaX
vi /etc/xen-tools/xen-tools.conf

lvm = guestsvg
install-method = debootstrap
size = 10Gb
memory = 2Gb
swap = 1Gb
fs = ext4
ext4_options = noatime,nodiratime,errors=remount-ro
dist = `xt-guess-suite-and-mirror --suite`
image = sparse
kernel = /boot/vmlinuz-`uname -r`
initrd = /boot/initrd.img-`uname -r`
pygrub = 1
mirror = `xt-guess-suite-and-mirror --mirror`

ready to build a guest,

guest=GUEST-NAME

xen-create-image --hostname $guest --ip x.x.x.x --netmask x.x.x.x --gateway x.x.x.x --vcpus 2 --dist stretch

vi /etc/xen/$guest.cfg

vif = [ 'script=vif-bridge, bridge=xenbr0' ]

xl create /etc/xen/$guest.cfg -c

References