Version 31 (modified 12 years ago)
This page documents the procedure for creating a new KVM guest on a mayfirst server.
Creating a new KVM guest
In these directions, the host (or <hostname>) refers to the name of the KVM host computer (e.g. negri or bolivar). The guest (or <guestname>) refers to the name of the virtualized server you are creating. The examples use negri as the host and hay as the guest.
Initial steps
- Pick an activist to name the server after. Find the wikipedia page (or a similar page) describing your activist.
- Edit the ip allocation wiki page, assigning yourself a new IP address
- Add a Host record in the May First/People Link -> mayfirst.org -> DNS section of the control panel matching your server name with the IP you have allocated for it.
- Copy an existing puppet node file, preferably one from the same host, naming it after your activist (pick either the first or last name of the activist, up to you)
- Replace all instances of the old guest name with your new guest name and change the namesake URL and description text and anything else (be sure that the onsite/rdiff-backup server is in the same colo center as the server you are creating).
- Replace the IP address in the nagios stanza with the correct IP address
- Edit the puppet configuration file for the host server. Copy an existing m_kvm::guest stanza, replacing values as needed
- commit changes to the puppet repo and git push to the host machine
While root on the host machine
- Fix the permissions of the created ISO file (hopefully this bug will get fixed soon...).
chmod a+r /usr/local/share/ISOs/<guestname>.iso
- Create a symlink to the ISO in the newly created user's home directory...
ln -s /usr/local/share/ISOs/<guestname>.iso /home/<guestname>/vms/<guestname>/cd.iso
- Add access to the new guest to all root users:
cat /root/.monkeysphere/authorized_user_ids >> /home/<guestname>/.monkeysphere/authorized_user_ids
monkeysphere-authentication update-users <guestname>
- Start the new guest
update-service --add /etc/sv/kvm/<guestname>
- Remove the symlink to the ISO in the newly created user's home directory...
rm /home/<guestname>/vms/<guestname>/cd.iso
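The "add access to the new guest to all root users" step above appends the whole root authorized_user_ids file with cat >> each time it is run, so running it twice leaves duplicate OpenPGP user IDs in the guest's file. The following is an added example, not May First's own tooling: a POSIX sh version of that step that appends only the user IDs not already present, then runs the same monkeysphere-authentication update-users command the page uses. The paths are the ones on the page; the function names are the example's own.

```shell
#!/bin/sh
# merge_user_ids SRC DST
# Append every non-blank line of SRC that is not already present in DST,
# preserving order, so the step is safe to re-run.
merge_user_ids() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -d "$(dirname "$dst")" ] || { echo "no directory for $dst" >&2; return 1; }
    touch "$dst"
    # "|| [ -n "$line" ]" also picks up a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # -x: whole-line match, -F: literal (user IDs contain < > @ . which are regex chars)
        grep -qxF -- "$line" "$dst" || printf '%s\n' "$line" >> "$dst"
    done < "$src"
}

# grant_root_access GUEST
# The page's step as one function: merge root's authorized user IDs into the
# guest's monkeysphere file and tell monkeysphere to regenerate authorized_keys.
# Paths are the ones the page uses (/root/.monkeysphere, /home/GUEST/.monkeysphere).
grant_root_access() {
    guest="$1"
    merge_user_ids /root/.monkeysphere/authorized_user_ids \
        "/home/$guest/.monkeysphere/authorized_user_ids" || return 1
    monkeysphere-authentication update-users "$guest"
}

# Usage on the host, as root:  grant_root_access hay
```

Because grep -x -F compares whole lines literally, a user ID that differs only by trailing whitespace is treated as new; keep the source file tidy.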
While logged in as <guestname>@<host>
- Enter the screen session:
screen -x
- Press enter to start the install. Confirm the disk format.
- After installation, log in as root with no password.
- The preseed file leaves all leftover space on the disk in a logical volume called "delete". Remove this logical volume so the extra space is available to enlarge other logical volumes:
lvremove vg_<guestname>0/delete
Replace <guestname> with the name of the server, e.g.:
lvremove vg_hay0/delete
- Set the root password. Generate one locally with pwgen.
- Record new password in MFPL keyringer
- Check the ssh host fingerprint (for comparison during steps below)
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
While in your puppet conf directory on your local machine
- Setup a remote for the new server:
freepuppet-helper gsr:<guestname>
- Initialize the new server for puppet with:
freepuppet-helper is:<guestname>
- Push git repo to guest:
freepuppet-helper gp:<guestname>
- Sign host key:
freepuppet-helper shgk:<guestname>
- Sign root user key:
freepuppet-helper srgk:<guestname>
- Push changes to the nagios server and to each of the backup servers
freepuppet-helper gp:jojobe
freepuppet-helper gp:<onsite-backup-server>
freepuppet-helper gp:<offsite-backup-server>
- Restart the server!
MOSH servers
If you are installing a MOSH server:
- Grant access to the Control panel database, from your local machine:
freepuppet-helper rda:<guestname>
- Purchase an SSL certificate from http://rapidssl.com/. The certificate signing request will already be generated by puppet and is on the guest server in /etc/ssl/<guestname>.mayfirst.org.csr.
- Once you have the certificate:
  - remove the symlink /etc/ssl/<guestname>.mayfirst.org.crt
  - create a new file with the same name containing the cert and the intermediate cert
  - remove the symlink /etc/ssl/private/<guestname>.mayfirst.org.pem
  - rename /etc/ssl/private/<guestname>.mayfirst.org.key.uncertified to /etc/ssl/private/<guestname>.mayfirst.org.pem
  - add the cert and intermediate cert to this file (courier needs both the key and cert in the same file)
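The certificate steps above are easy to get wrong by hand (wrong file order, clobbering a file that is no longer the puppet symlink, a cert that does not belong to the key). The following is an added example, not May First's own tooling: a POSIX sh function that performs those steps in the order the page gives, refuses to overwrite anything that is not the expected symlink, and, when openssl is installed, checks that the purchased certificate matches the private key. The file names follow the page; the function name, the optional ssl-dir argument (default /etc/ssl) and the 0600 mode on the private pem are the example's own choices, not something the page states.

```shell
#!/bin/sh
# install_mfpl_cert GUEST CERT_FILE INTERMEDIATE_FILE [SSL_DIR]
#   GUEST             guest name, e.g. hay
#   CERT_FILE         the certificate received from the CA (PEM)
#   INTERMEDIATE_FILE the CA's intermediate certificate (PEM)
#   SSL_DIR           defaults to /etc/ssl (assumption; matches the page's paths)
install_mfpl_cert() {
    guest="$1"; cert="$2"; inter="$3"; ssl_dir="${4:-/etc/ssl}"
    crt="$ssl_dir/$guest.mayfirst.org.crt"
    pem="$ssl_dir/private/$guest.mayfirst.org.pem"
    key="$ssl_dir/private/$guest.mayfirst.org.key.uncertified"

    # Preconditions: inputs exist, and the targets are still the puppet-made
    # symlinks. A regular file there means the step was already done (or a
    # real cert lives there); refuse rather than silently overwrite it.
    [ -f "$cert" ] && [ -f "$inter" ] || { echo "cert or intermediate file missing" >&2; return 1; }
    [ -f "$key" ] || { echo "uncertified key $key missing" >&2; return 1; }
    if [ -e "$crt" ] && [ ! -L "$crt" ]; then
        echo "$crt is a regular file, not the symlink; not touching it" >&2; return 1
    fi
    if [ -e "$pem" ] && [ ! -L "$pem" ]; then
        echo "$pem is a regular file, not the symlink; not touching it" >&2; return 1
    fi

    # Steps 1-2: replace the .crt symlink with cert followed by intermediate.
    rm -f "$crt"
    cat "$cert" "$inter" > "$crt"

    # Steps 3-5: replace the .pem symlink with the key, then append cert and
    # intermediate, because courier reads key and cert from one file.
    rm -f "$pem"
    mv "$key" "$pem"
    cat "$cert" "$inter" >> "$pem"
    chmod 0600 "$pem"   # contains the private key; mode is the example's choice

    # Optional sanity check: the public key in the cert must equal the one
    # derived from the private key, or the services will not start.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
        key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
        if [ -n "$cert_pub" ] && [ "$cert_pub" != "$key_pub" ]; then
            echo "certificate does not match private key" >&2; return 1
        fi
    fi
    return 0
}

# Usage on the guest, as root:  install_mfpl_cert hay /root/hay.crt /root/intermediate.crt
```

The openssl check is skipped silently when the .crt cannot be parsed as a certificate (for example when the CA delivered DER instead of PEM), so a non-zero exit from the function is meaningful but a zero exit still deserves a quick look at the service logs after restart.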