XEN // Bootstrap Debian / Ubuntu / Kali

Introduction

The kernel has to be either a freaking custom domU kernel or the official Ubuntu/xen one. In either case, NO INSTALL RAMDISK IS NEEDED.

Note that REISER4 is not a valid file-system for docker storage overlays: you need EXT4 or XFS.

Guest vdisk

Check for the latest existing Ubuntu (more) or Debian releases and proceed.

Prepare the guest skeleton

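# Pick ONE release codename: the last assignment wins, so as written the
# ubuntu line is overridden by the debian one right below it.
guest=jammy      # ubuntu
guest=bullseye   # debian
# Quoted so an empty or odd $guest cannot split the path; abort if the cd
# fails, since every relative "lala/" path further down assumes this cwd.
mkdir -p "/data/guests/$guest/lala/"
cd "/data/guests/$guest/" || exit 1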

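# Sparse 8191 MiB image: count=0 writes nothing, seek=8191 only sets the size,
# which stays right below the tar/ustar 8 GiB file-size limit; for partclone
# it also needs to be smaller than the destination block device anyhow.
dd if=/dev/zero of="$guest.btrfs" bs=1M count=0 seek=8191

# btrfs with lzo compression; mounted on lala/ which the rest of this page
# uses as the guest root (quoted in case $guest is empty)
mkfs.btrfs "$guest.btrfs"
mount -o compress=lzo "$guest.btrfs" lala/

# optional 1 GiB sparse swap image, unused by the rest of this page
#dd if=/dev/zero of="$guest.swap" bs=1G count=0 seek=1
#mkswap "$guest.swap"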

Key-rings

debootstrap

Bootstrap

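mirror=...   # placeholder: the debian/ubuntu archive mirror URL to bootstrap from

# takes about 4 minutes; $guest and $mirror quoted so an empty value fails
# loudly instead of shifting the positional arguments
time debootstrap --arch=amd64 "$guest" lala/ "$mirror"

# cacher=http://x.x.x.x:3142
# $cacher/ftp.ru.debian.org/debian/
# --arch=i386
# --print-debs
# --no-check-gpg  -- skips Release signature verification for the whole
#                    bootstrap; if the keyring is missing (see Troubleshooting)
#                    install the archive keyring instead of using this

du -sh lala/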

Use xvda1 instead of xvda so that, should grub get installed, it will not be able to overwrite anything in an absent area.

# the entries to write are listed right below: root on xvda1 (btrfs, lzo
# compression), proc, a nodev/nosuid tmpfs on /tmp, and devpts
vi lala/etc/fstab

/dev/xvda1 / btrfs compress=lzo 0 0
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,noatime,relatime 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0

#/dev/xvdb1 none swap sw 0 0

Enable TMEM

# unpack the domU kernel modules into the guest; their version
# (5.2.21.domureiser4) has to match the kernel the xl config below points to
mkdir lala/lib/modules/
tar xzf /data/kernels/5.2.21.domureiser4.modules.tar.gz -C lala/lib/modules/
ls -lF lala/lib/modules/
# load the tmem module at boot
echo tmem >> lala/etc/modules
cat lala/etc/modules

Sysprep

system setup

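ls -lF lala/etc/hostname # no exist
    # printf rather than echo: a $guest starting with '-' would otherwise be
    # taken as an echo option, and the value is quoted against word splitting
    printf '%s\n' "$guest" > lala/etc/hostname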

To make Perl packages happy, you need to tweak bash.bashrc, not profile

    # keep a pristine copy, then append the locale and alias defaults; the
    # heredoc delimiter is unquoted but the body contains no expansions, and
    # <<- strips leading tabs only (indent the body with tabs, otherwise the
    # indentation ends up in bash.bashrc and a space-indented EOF never
    # terminates the heredoc)
    cp -pi lala/etc/bash.bashrc lala/etc/bash.bashrc.dist
    cat >> lala/etc/bash.bashrc <<-EOF

source /usr/share/bash-completion/bash_completion

    export LANGUAGE="en_US:en"
    export LC_ALL="C.UTF-8"
    export LC_COLLATE="C.UTF-8"
    export LANG="C.UTF-8"

    alias ll='ls --group-directories-first --color=auto -alh'
    alias ls='ls --group-directories-first --color=auto'
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'

    EOF

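    zone=Europe/Moscow

    ls -lF lala/etc/localtime
    # relative symlink so it still resolves once the guest is booted from
    # its own root; quoted against an empty or odd $zone
    ln -sf "../usr/share/zoneinfo/$zone" lala/etc/localtime

    cat lala/etc/timezone
    printf '%s\n' "$zone" > lala/etc/timezone # override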

point to the closest mirror

    cat lala/etc/apt/sources.list
    # two alternatives follow and both overwrite the same file: run only the
    # one matching the release chosen in $guest. $mirror and $guest expand
    # inside the unquoted heredocs, which is intended.
# ubuntu
    cat > lala/etc/apt/sources.list <<-EOF
    deb $mirror $guest main restricted universe multiverse
    deb $mirror $guest-updates main restricted universe multiverse
    deb $mirror $guest-security main restricted universe multiverse
    #deb $mirror $guest-backports main restricted universe multiverse
    EOF

# debian
    cat > lala/etc/apt/sources.list <<-EOF
    deb $mirror $guest main contrib non-free
    deb $mirror $guest-updates main contrib non-free
    # $guest-backports
    EOF

optionally set up a package proxy

    # optional apt proxy (the cacher mentioned in the Bootstrap section);
    # the one-line content to put in the file is shown right below
    vi lala/etc/apt/apt.conf.d/02proxy

    Acquire::http { Proxy "http://x.x.x.x:3142"; };

network setup

    # keep the debootstrap copy, then write our own hosts; $guest expands in
    # the unquoted heredoc (intended). The 192.168.122.x addresses here and in
    # the static eth0 config below are site values: change both together.
    mv lala/etc/hosts lala/etc/hosts.dist
    cat > lala/etc/hosts <<-EOF
    127.0.0.1       localhost

    192.168.122.1   gw
    192.168.122.9   $guest

    ::1             localhost ip6-localhost ip6-loopback
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters
    EOF

    # ifupdown style config (the ifupdown package itself is installed later,
    # from inside the chroot); the drop-in dir goes away so only this file
    # counts. The trailing "# override" after the delimiter is a plain comment.
    rmdir lala/etc/network/interfaces.d/
    cat > lala/etc/network/interfaces <<-EOF # override
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
            address 192.168.122.9/24
            gateway 192.168.122.1

EOF

more options

            #dns-nameservers 208.67.222.222 208.67.220.220
            #dns-nameservers 62.210.16.6 62.210.16.7
            #dns-search DOMAIN.TLD

we use our own stub-resolver

cat lala/etc/resolv.conf
    mv lala/etc/resolv.conf lala/etc/resolv.conf.dist

    # variant 1: the stub-resolver on the gateway
    echo nameserver 192.168.122.1 > lala/etc/resolv.conf

    # variant 2: public resolvers. The first line uses '>' so, run as-is,
    # these two replace the gateway entry above -- keep only one variant.
    echo nameserver 208.67.222.222 > lala/etc/resolv.conf
    echo nameserver 208.67.222.220 >> lala/etc/resolv.conf

ls -lF lala/etc/resolv.conf*

chroot

now let’s proceed with the work inside the chroot

    # bind-mount what the packages need inside the chroot: /dev/pts for ttys,
    # /proc because rsyslog's systemd-tmpfiles step reads it (/sys is not bound)
    mount -o bind /dev/pts lala/dev/pts
    mount -o bind /proc lala/proc # rsyslog:systemd-tmpfiles
    # everything from here down to the ^D in "finally exit the chroot" runs
    # inside the guest root, as the (root) user running this page
    chroot lala/ bash

    # locale sanity check: prints the "Setting locale failed" warning from
    # the Troubleshooting section if the bash.bashrc tweak did not take
    perl -e exit

the console requires a password unless you tweak getty like hell – we disable it instead

    # empty root password: any console login drops straight into a root
    # shell, which is accepted here for the serial console of a template.
    # sshd password auth should still refuse it (PermitEmptyPasswords
    # defaults to no) -- verify on the deployed guest. The commented
    # alternative locks the password instead of emptying it.
    passwd -d root
    #usermod -p '*' root

tune the guest userland serial console

    # boot to the text (multi-user) target; the xen console is hvc0 from the
    # kernel command line in the xl config, the ttyS0 getty is only for KVM
    systemctl get-default
    systemctl set-default multi-user

# kvm-only
    #systemctl enable serial-getty@ttyS0.service

No NTP is required, as this is a guest system

dpkg -l | grep ntp # not installed
    systemctl list-unit-files | grep ntp # not present

    # ubuntu (on a debian bootstrap the unit may simply be absent, in which
    # case this is a no-op)
    systemctl disable systemd-timesyncd

also disable the stub-on-steroids

# not in use anymore
dpkg -l | grep resolv
    systemctl list-unit-files | grep resolv

# resolv.conf was written by hand above, so keep systemd-resolved from
# managing it
systemctl disable systemd-resolved 

perform a system upgrade before making a template out of it

    # DEBIAN_FRONTEND only silences debconf questions; apt itself still asks
    # for confirmation unless given -y, which is fine for this manual run
    export DEBIAN_FRONTEND=noninteractive
    apt update
    apt dist-upgrade
apt autoremove --purge

you might also want those additional packages

    # ifupdown backs the /etc/network/interfaces written earlier; the
    # openssh-server host keys generated here are per-template and get
    # regenerated per guest in the Re-deploy section
    apt install \
            ifupdown \
            net-tools \
            man-db \
            manpages \
            openssh-server \
            openssh-client \
            mlocate \
            wget \
            elvis-tiny \
            bash-completion

# present now that bash-completion is installed; bash.bashrc sources it
ls -lF /usr/share/bash-completion/bash_completion

    #bsd-mailx would install postfix or exim
    #ls -lF /etc/postfix/main.cf
    #ls -lF /etc/exim4/

finally exit the chroot

    # refresh the mlocate db inside the guest, clear this shell's history so
    # the template does not ship it, then ^D (Ctrl-D) leaves the chroot
    updatedb
history -c
    ^D

we’re done!

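# belt and braces: history -c in the chroot cleared the in-memory history,
# remove the file as well; -R also drops the /proc and /dev/pts binds
rm -f lala/root/.bash_history
    umount -R lala/
    rmdir lala/
    du -sh "$guest.btrfs"
# 948M    jammy.btrfs w/ lzo
# 990M    bullseye.btrfs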

Skeleton

unless you want a disk template

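# xl domain config, written to a file named after the guest; the heredoc is
# unquoted so $guest expands (intended).
# - kernel must match the modules unpacked into lala/lib/modules above
# - root= device, the fstab entry and the disk vdev all say xvda1
# - mitigations=off turns the kernel's CPU vulnerability mitigations off
#   inside the guest: faster, but only for workloads you fully trust
# - disk points at $guest.ext4 while the Guest vdisk section created
#   $guest.btrfs: use the same file name in both places
cat > "$guest" <<-EOF
kernel = "/data/kernels/5.2.21.domureiser4.vmlinuz"
root = "/dev/xvda1 ro console=hvc0 net.ifnames=0 biosdevname=0 netcfg/do_not_use_netplan=true mitigations=off"
#extra = "init=/bin/bash"
name = "$guest"
memory = 1024
vcpus = 2
disk = ['tap:tapdisk:aio:/data/guests/$guest/$guest.ext4,xvda1,w']
#disk = ['phy:/dev/drbd/by-res/dnc9/0,xvda1,w']
vif = [ 'bridge=guestbr0, vifname=$guest' ]
    #type = "pvh"
EOF

# maxvcpus = 16
# ipv6.disable=1
# extra = "init=/bin/bash"
# memory = 7168 8192 10240 12288 16384 32768
# disk = ['phy:/dev/vdisks/thin1,xvda1,w']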

Acceptance

or skip to the template section already

# -c attaches the console right away; ^] detaches it again (see below)
xl create $guest -c

log in and check that everything is fine

# run inside the guest console: network (ifconfig/netstat come from the
# net-tools package installed above), resolver, clocksource, no ntp, the
# tmem module, memory; then clean the history again and detach with ^] (Ctrl-])
ifconfig
netstat -rn
ls -lF /etc/resolv.conf*
cat /etc/resolv.conf
ping -c3 opendns.com

cat /sys/devices/system/clocksource/clocksource0/available_clocksource
cat /sys/devices/system/clocksource/clocksource0/current_clocksource
dpkg -l | grep ntp # no exist
systemctl get-default
lsmod | grep tmem
free -m
updatedb
rm -f .bash_history
history -c
#poweroff
^]

# shut the domain down before touching its disk image again
xl shu $guest

Template

see tpl for the new kind of DRBD thin-volume templates.

for the old way with sparse files, here we go

# the guest directory and image live under here (see Guest vdisk)
cd /data/guests/

either do it manually

(avoid doing this on an NFS share)

# check the image before archiving it; this page built $guest.btrfs, so the
# matching check is btrfs check rather than the reiser4/xfs variants shown.
# tar -S keeps the sparse image sparse inside the archive.
fsck.reiser4 -y $guest.reiser4
#xfs_repair $guest.xfs
tar cSf /data/templates/$guest.tar $guest/

–or– proceed with the script (does the same)

# site script wrapping the fsck + tar steps above
newtemplate.bash $guest

and get rid of the temporary guest, or rename it to something useful already

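# refuse to run with an unset or empty $guest (the unquoted form would then
# expand to rm -rf /), and end option parsing so an odd name is not a flag
rm -rf -- "${guest:?}/"
#renameguest.bash $guest NEW-NAME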

Re-deploy

when deploying it, regenerate the host keys first

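# mount the template image and give the copy its own identity before first
# boot: new hostname and fresh ssh host keys, since the template's keys must
# not be shared between guests. NB: this page created $guest.btrfs, not .ext4.
mkdir lala
mount "$guest.ext4" lala
printf '%s\n' NEW-HOST > lala/etc/hostname
ls -lF lala/etc/ssh/ssh_host_*
rm -f lala/etc/ssh/ssh_host_*
# only an ed25519 key is regenerated, so the deployed sshd offers nothing
# else; the key comment still says $guest rather than NEW-HOST. The commented
# dpkg-reconfigure should recreate the distribution's default key set instead.
ssh-keygen -q -t ed25519 -f lala/etc/ssh/ssh_host_ed25519_key -C "root@$guest" -N ""
#chroot lala dpkg-reconfigure openssh-server
umount lala
rmdir lala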

you might even consider re-creating the snakeoil cert

# NB: lala/ was unmounted and removed just above, so this path no longer
# exists -- mount the image again, or run this before the umount
openssl x509 -text -noout < lala/etc/ssl/certs/ssl-cert-snakeoil.pem
...

Additional notes

xen-tools & debootstrap & lvm2

# /dev/sdaX is a placeholder for the partition handed over to LVM
apt install lvm2 xen-tools
pvcreate /dev/sdaX
vgcreate guestsvg /dev/sdaX
# the settings to put in there are listed right below
vi /etc/xen-tools/xen-tools.conf

lvm = guestsvg
install-method = debootstrap
size = 10Gb
memory = 2Gb
swap = 1Gb
fs = ext4
ext4_options = noatime,nodiratime,errors=remount-ro
dist = `xt-guess-suite-and-mirror --suite`
image = sparse
kernel = /boot/vmlinuz-`uname -r`
initrd = /boot/initrd.img-`uname -r`
pygrub = 1
mirror = `xt-guess-suite-and-mirror --mirror`

ready to build a guest,

# x.x.x.x are placeholders for the guest's address, mask and gateway
xen-create-image --hostname $guest --ip x.x.x.x --netmask x.x.x.x --gateway x.x.x.x --vcpus 2 --dist stretch

# xen-tools wrote this config; set the vif line shown below
vi /etc/xen/$guest.cfg

vif = [ 'script=vif-bridge, bridge=xenbr0' ]

# start the xen-tools guest with its console attached
xl create /etc/xen/$guest.cfg -c

netplan

# netplan variant (ubuntu); content below. Note the $ip references in it
# only expand when the file is written through an unquoted heredoc, not with vi
vi lala/etc/netplan/nethence.yaml

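# netplan static config for eth0. $ip and ${ip%\.*} are shell expansions:
# they only work when this file is written through an unquoted heredoc,
# with vi they land in the file literally.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      dhcp6: no
      addresses:
        - $ip/24
      # gateway4 still works but newer netplan prefers a default route entry
      gateway4: ${ip%\.*}.254
      nameservers:
        # addresses/search belong under nameservers; as written before they
        # sat at the ethernets level, which is not a valid netplan layout
        addresses: [62.210.16.6, 62.210.16.7]
        search: [nethence.com]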

Troubleshooting

W: Cannot check Release signature; keyring file not available /usr/share/keyrings/debian-archive-keyring.gpg

==> Double-check debootstrap.

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LC_COLLATE = "C",
    LANG = "en_US.UTF-8"
    are supported and installed on your system.

and also

Setting up resolvconf (1.79) ...
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

==> Define those missing variables in bashrc and not profile, as seen above.

References

overall

https://www.virtuatopia.com/index.php/Building_a_Xen_Virtual_Guest_Filesystem_on_a_Physical_Disk_Partition_(Cloning_Host_System)

https://wiki.debian.org/DebianKeyring#Obtaining_Keys

https://askubuntu.com/questions/958795/how-to-use-the-mirror-option-of-apt-cacher-ng-for-debootstrap

sysprep

https://superuser.com/questions/1318220/ubuntu-18-04-disable-dnsmasq-base-and-enable-full-dnsmasq

https://unix.stackexchange.com/questions/197670/how-to-disable-a-service-without-using-systemctl-disable

https://www.thomas-krenn.com/en/wiki/Perl_warning_Setting_locale_failed_in_Debian

syntax

https://xenbits.xen.org/docs/unstable/SUPPORT.html#blkback

https://xenbits.xen.org/docs/unstable/man/xen-vbd-interface.7.html

https://xenbits.xen.org/docs/unstable/man/xl-disk-configuration.5.html

locales

https://askubuntu.com/questions/162391/how-do-i-fix-my-locale-issue

pts

https://www.linuxsecrets.com/discussions/5940-howto-linux-mount-devpts-file-system-on-dev-pts

https://wiki.debian.org/chroot#A.2Fdev.2Fpts

https://www.cyberciti.biz/faq/linux-mount-devpts/


Copyright © 2022 Pierre-Philipp Braun