XEN/PV - Bootstrapping Debian/Ubuntu

Introduction

The kernel has to be either a freaking custom domU kernel or the official Ubuntu/xen one. In any case, NO INSTALL RAMDISK IS NEEDED.

Requirements

See Debootstrap Ready.

As for the file-system, REISER4 is not a valid base for Docker storage overlays; you need EXT4, or alternatively XFS. Prepare the guest skeleton,

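# Distro codename, reused as the guest name, its directory, its disk image
# and later the xl config file.
dist=bionic

mkdir -p -- "/data/guests/$dist/"
cd "/data/guests/$dist/"

# Sparse 10G image: count=0 writes no data, seek=10 only extends the file,
# so the image grows on demand.
dd if=/dev/zero of="$dist.ext4" bs=1G count=0 seek=10
mkfs.ext4 "$dist.ext4"
#dd if=/dev/zero of=$dist.reiser4 bs=1G count=0 seek=10
#mkfs.reiser4 -yf $dist.reiser4

#dd if=/dev/zero of=ubuntu.swap bs=1G count=0 seek=1
#mkswap ubuntu.swap

# Temporary mount point for the guest root; -p keeps this re-runnable.
mkdir -p lala/
mount -o loop "$dist.ext4" lala/
#mount -o loop $dist.reiser4 lala/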
#mount -o loop $dist.reiser4 lala/

Debootstrapping

bootstrap an Ubuntu system,

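# Country code of the Ubuntu mirror (ru.archive.ubuntu.com); $dist is the
# codename set above.
mirror=ru
#time debootstrap --arch=i386 "$dist" lala/ "http://$mirror.archive.ubuntu.com/ubuntu/"
time debootstrap --arch=amd64 "$dist" lala/ "http://$mirror.archive.ubuntu.com/ubuntu/"
# --print-debs only lists what would be fetched.
# --no-check-gpg skips Release signature verification; leave it off so the
# packages pulled over plain http are still authenticated.
#--print-debs
#--no-check-gpg

du -sh lala/
# trustyx32 242M
# xenial 248M, 247M
# artful 302M, 307M
# bionic 862M

# printf instead of echo: the value is never interpreted as an echo option.
printf '%s\n' "$dist" > lala/etc/hostname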

bootstrap a Debian system,

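# Country code of the Debian mirror (ftp.ru.debian.org) and the codename.
mirror=ru
dist=stretch
time debootstrap --arch=amd64 "$dist" lala/ "http://ftp.$mirror.debian.org/debian/"

du -sh lala/
# stretch 644M

# Hostname follows $dist instead of repeating the codename by hand.
printf '%s\n' "$dist" > lala/etc/hostname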

Using xvda1 instead of xvda, so that if grub gets installed it cannot overwrite anything on a non-existing MBR,

# debootstrap leaves an unconfigured fstab behind; replace it outright.
cat lala/etc/fstab # UNCONFIGURED FSTAB FOR BASE SYSTEM
# Quoted delimiter: nothing in the table needs shell expansion.
cat <<-'EOF' > lala/etc/fstab
proc /proc proc defaults 0 0
/dev/xvda1 / ext4 defaults 0 1
EOF
#/dev/xvda1 / reiser4 defaults 0 1
cat lala/etc/fstab
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
#proc            /proc           proc    defaults        0       0
#/dev/xvda1       /               ext4   defaults        0       1
#/dev/xvdb1       none            swap    sw             0       0

Enable TMEM,

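ls -lhF lala/lib/modules/
mkdir -p lala/lib/modules/
# Unpack every pre-built module tree shipped next to the kernels. The glob
# is tested so an empty /data/kernels does not turn into a literal pattern,
# and the loop variable (not a stray "lib") is cleared afterwards.
for libmodules in /data/kernels/lib.modules.*.tar.gz; do
    [ -e "$libmodules" ] || continue
    printf '%s...' "$libmodules"
    tar xzf "$libmodules" -C lala/lib/modules/ && echo done
done; unset libmodules
ls -lhF lala/lib/modules/
# Load the tmem (Xen transcendent memory) client at boot; its presence is
# checked with lsmod once the guest runs.
echo tmem >> lala/etc/modules
cat lala/etc/modules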

Prepare the system,

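# Everything from here until the chroot is left again runs inside the
# guest root, as root.
chroot lala/ /bin/bash

# Rebuild the module dependency maps for each unpacked kernel version;
# glob the directories instead of parsing ls output.
for verdir in /lib/modules/*/; do
    ver=${verdir%/}; ver=${ver##*/}
    printf '%s...' "$ver"
    depmod -a "$ver" && echo done
done; unset ver verdir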

The console requires a password unless you play with getty; we disable the root password instead,

# Root gets no password at all: whoever reaches the xl console is root
# without authenticating. ssh is unaffected as long as sshd keeps
# PasswordAuthentication no and PermitEmptyPasswords no (see the
# sshd_config written later in this guide).
passwd -d root
#usermod -p '*' root

# debian
#apt install locales

dpkg-reconfigure locales
#locale-gen en_US.UTF-8
locale -a
#update-locale LANG=C.UTF-8
update-locale LANG=en_US.UTF-8

# Keep the packaged bashrc, then force the locale for every shell.
cp -pi /etc/bash.bashrc /etc/bash.bashrc.dist
cat <<'EOF' >> /etc/bash.bashrc
export LANGUAGE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
EOF
. /etc/bash.bashrc

ubuntu,

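# dist is a plain (unexported) shell variable and does not survive the
# chroot, so it is set again here. The mirror is plain http; apt verifies
# the Release signatures regardless.
dist=bionic
mv -i /etc/apt/sources.list /etc/apt/sources.list.dist
cat > /etc/apt/sources.list <<-EOF
deb http://ru.archive.ubuntu.com/ubuntu $dist main restricted universe
deb http://ru.archive.ubuntu.com/ubuntu $dist-updates main restricted universe
deb http://ru.archive.ubuntu.com/ubuntu $dist-security main restricted universe
#multiverse
#$dist-backports
EOF
cat /etc/apt/sources.list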

debian,

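# Same as for Ubuntu: the codename has to be set again inside the chroot
# and is then expanded into the list instead of being hard-coded.
# NOTE: unlike the Ubuntu list, no security suite is listed here.
dist=stretch
mv -i /etc/apt/sources.list /etc/apt/sources.list.dist
cat > /etc/apt/sources.list <<-EOF
deb http://ftp.ru.debian.org/debian $dist main contrib
deb http://ftp.ru.debian.org/debian $dist-updates main contrib
#non-free
#$dist-backports
EOF
cat /etc/apt/sources.list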

and proceed,

apt update
apt -y full-upgrade
apt-get autoremove
# Packages removed but still holding configuration files.
dpkg -l | grep ^rc

apt -y install man-db manpages ifupdown net-tools ntp

# Keep the packaged ntp.conf, derive a comment-free reference copy, drop
# the vendor pool entries and add the ru zone servers instead.
mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf.clean
sed '/^pool/d' /etc/ntp.conf.clean > /etc/ntp.conf
for n in 0 1 2 3; do
    printf 'server %s.ru.pool.ntp.org iburst\n' "$n"
done >> /etc/ntp.conf
unset n
#https://www.pool.ntp.org/zone/ru
cat /etc/ntp.conf

# -g permits a large first clock step, -x prefers slewing afterwards.
mv /etc/default/ntp /etc/default/ntp.dist
printf "NTPD_OPTS='-g -x'\n" > /etc/default/ntp
systemctl enable ntp

ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
ls -lhF /etc/localtime
printf '%s\n' Europe/Moscow > /etc/timezone

# Static ifupdown configuration; IP_ADDRESS and GATEWAY_IP are
# placeholders for the vi session that follows.
rm -rf /etc/network/interfaces.d/
cat <<-'EOF' > /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address IP_ADDRESS/24
        gateway GATEWAY_IP
        #dns-search sne.lan
        #dns-nameservers x.x.x.x
        #208.67.222.222 208.67.220.220
EOF
vi /etc/network/interfaces

ubuntu only,

# On Ubuntu /etc/resolv.conf is normally managed by systemd-resolved;
# move it aside and disable the service so a plain file can be written
# in the next step.
ls -lhF /etc/resolv.conf
mv -i -- /etc/resolv.conf /etc/resolv.conf.dist
systemctl disable systemd-resolved.service
#ls -lhF /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
#rm -f /etc/systemd/system/multi-user.target.wants/systemd-resolved.service

# Alternative kept for reference: leave resolved in place but turn off
# its cache and stub listener.
#cat >> /etc/systemd/resolved.conf <<-EOF
#Cache=no
#DNSStubListener=no
#EOF

then proceed for both,

ls -lhF /etc/resolv.conf
cat /etc/resolv.conf
# example.local and SOMEDNS are placeholders; the two live entries are
# public resolvers (OpenDNS). Adjust in vi afterwards.
{
    printf 'search example.local\n'
    printf '#nameserver SOMEDNS\n'
    printf 'nameserver 208.67.222.222\n'
    printf 'nameserver 208.67.220.220\n'
} > /etc/resolv.conf
vi /etc/resolv.conf

secure sshd,

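apt -y install openssh-server openssh-client
cd /etc/ssh/
# Keep the packaged config plus a comment-free copy for reference.
mv -i sshd_config sshd_config.dist
sed '/^#/d; /^$/d' sshd_config.dist > sshd_config.dist.clean
# Key-only root access: PermitRootLogin without-password (the older
# spelling of prohibit-password) with password authentication off and
# logins restricted to the root group. Protocol 2 is a no-op on current
# OpenSSH and only kept for old releases. Keywords are case-insensitive,
# so UsePam is UsePAM; NOTE(review): UsePAM no also skips the PAM
# account/session modules -- confirm that is intended.
cat > sshd_config <<-EOF
ChallengeResponseAuthentication no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

Port XXX
Protocol 2
AddressFamily inet
#ListenAddress x.x.x.x
AllowGroups root
#AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
UsePam no
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
#UsePrivilegeSeparation yes
# Port XXX is a placeholder: set the real port in vi, then let sshd parse
# the file so a typo is caught here rather than on the guest's first boot.
vi sshd_config
sshd -t -f sshd_config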

Note. Change the tcp port accordingly.

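# Still in /etc/ssh. HashKnownHosts no keeps known_hosts readable, at the
# cost of listing every visited host in clear text.
mv -i ssh_config ssh_config.dist
sed '/^#/d; /^$/d' ssh_config.dist > ssh_config.dist.clean
sed 's/HashKnownHosts yes/HashKnownHosts no/' ssh_config.dist.clean > ssh_config
cat ssh_config

# Root's authorized keys. These modes are what StrictModes yes checks
# before a key is accepted.
cd ~/
mkdir -p .ssh/
chmod 700 .ssh/
# Paste the public keys, one per line, in the editor.
vi .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

# Leave the chroot (was ^D), then release the image in the dom0; lala/ is
# relative to /data/guests/$dist/.
exit
umount lala/
rmdir lala/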

Guest Configuration

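# xl domain config named after the guest; $dist is expanded into the
# name, the image path and the vif name. The image is attached as xvda1
# (no partition table), matching the fstab written earlier.
cat > "$dist" <<-EOF
kernel = "/data/kernels/vmlinuz"
root = "/dev/xvda1 ro console=hvc0 netcfg/do_not_use_netplan=true ipv6.disable=1"
memory = 8192
name = "$dist"
vcpus = 16
maxvcpus = 16
disk = ['tap:tapdisk:aio:/data/guests/$dist/$dist.ext4,xvda1,w']
#disk = ['tap:tapdisk:aio:/data/guests/$dist/$dist.reiser4,xvda1,w']
vif = [ 'bridge=pubbr0, vifname=$dist.0' ]
EOF
# Adjust memory, vcpus and the bridge to the host.
vi "$dist"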

Note. Change the bridge accordingly.

Ready to go

# Boot the guest with its console attached.
xl create "$dist" -c

# Inside the guest: tmem loaded, memory as configured, eth0 up, name
# resolution and the default route working; then shut it down cleanly.
lsmod | grep tmem
free -m
ifconfig
ping opendns.com
poweroff

# Back in the dom0.
unset dist

optionally, clone the template and regenerate the host keys in the clone,

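# A clone must not keep the template's ssh host keys, otherwise every
# clone presents the same identity to ssh clients. NEW-HOST is a
# placeholder, held in one variable instead of typed twice.
newhost=NEW-HOST
ls -lhF /etc/ssh/ssh_host_*
rm -f -- /etc/ssh/ssh_host_* && echo HOST KEYS CLEANED-UP
printf '%s\n' "$newhost" > /etc/hostname
hostname "$newhost"
# Regenerates the missing host keys on Debian/Ubuntu.
dpkg-reconfigure openssh-server
unset newhost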

Operations

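# Only touch the image while the guest is down (the commented xl line
# destroys it first): a second writer on a mounted file-system corrupts it.
#xl des ubuntu
#xfs_repair ubuntu.xfs
fsck ubuntu.ext4
# The mount point is not created anywhere else.
mkdir -p /tmp/xenloop
mount -o loop ubuntu.ext4 /tmp/xenloop
# ... inspect or repair files under /tmp/xenloop ...
umount /tmp/xenloop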

Debian/Ubuntu // xen-tools & debootstrap & LVM2

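apt install lvm2 xen-tools
# /dev/sdaX is a placeholder for the device handed over to LVM as a whole;
# pvcreate/vgcreate repurpose it, so double-check the name before running.
pv=/dev/sdaX
pvcreate "$pv"
vgcreate guestsvg "$pv"
unset pv
vi /etc/xen-tools/xen-tools.conf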

lvm = guestsvg
install-method = debootstrap
size = 10Gb
memory = 2Gb
swap = 1Gb
fs = ext4
ext4_options = noatime,nodiratime,errors=remount-ro
dist = `xt-guess-suite-and-mirror --suite`
image = sparse
kernel = /boot/vmlinuz-`uname -r`
initrd = /boot/initrd.img-`uname -r`
pygrub = 1
mirror = `xt-guess-suite-and-mirror --mirror`

ready to build a guest,

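guest=GUEST-NAME

# x.x.x.x are placeholders for the guest's address, netmask and gateway.
xen-create-image --hostname "$guest" --ip x.x.x.x --netmask x.x.x.x --gateway x.x.x.x --vcpus 2 --dist stretch

# Point the vif at the right bridge, e.g.
#   vif = [ 'script=vif-bridge, bridge=xenbr0' ]
vi "/etc/xen/$guest.cfg"

xl create "/etc/xen/$guest.cfg" -c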

References

overall

sysprep

syntax
