Inhaltsverzeichnis
XEN3 Installation auf Debian 3.1 Sarge (stable)
Siehe auch:
netboot.iso
Zunächst mit dem debian-31r4-i386-netinst.iso booten.
- boot:
linux26 acpi=off
- Spracheinstellungen: deutsch
- Partitionierung:
- Gesamtes Laufwerk löschen
- Neue leere Partitionstabelle erzeugen
- sda1 / 6GB ext3
- sda2 swap 2GB swap
- sda3 /data rest XFS
- Installation des Debian Grundsystems läuft
- GRUB in MBR → ja
- reboot linux 2.6.8-3-i686
- Konfiguration Debian Grundsystem
- Hardware Clock GMT (UTC)
- Zeitzone Europe/Berlin
- Benutzerdefinition
- Apt-Konfiguration
- Apt-Quellen hinzufügen: http: Deutschland: ftp.de.debian.org
- Debian Software Auswahl: [X] Manuell
||/ Name Version Beschreibung +++-==============-==============-============================================ ii adduser 3.63 Add and remove users and groups ii apt 0.5.28.6 Advanced front-end for dpkg ii apt-utils 0.5.28.6 APT utility programs ii aptitude 0.2.15.9-2 terminal-based apt frontend ii at 3.1.8-11 Delayed job execution and batch processing ii base-config 2.53.10.2 Debian base system configurator ii base-files 3.1.2 Debian base system miscellaneous files ii base-passwd 3.5.9 Debian base system master password and group ii bash 2.05b-26 The GNU Bourne Again SHell ii bind9-host 9.2.4-1sarge1 Version of 'host' bundled with BIND 9.X ii bsdmainutils 6.0.17 collection of more utilities from FreeBSD ii bsdutils 2.12p-4sarge1 Basic utilities from 4.4BSD-Lite ii console-common 0.7.49 Basic infrastructure for text console config ii console-data 2002.12.04dbs- Keymaps, fonts, charset maps, fallback table ii console-tools 0.2.3dbs-56 Linux console and font utilities ii coreutils 5.2.1-2 The GNU core utilities ii cpio 2.5-1.3 GNU cpio -- a program to manage archives of ii cramfsprogs 1.1-6 Tools for CramFs (Compressed ROM File System ii cron 3.0pl1-86 management of regular background processing ii dash 0.5.2-5 The Debian Almquist Shell ii debconf 1.4.30.13 Debian configuration management system ii debconf-i18n 1.4.30.13 full internationalization support for debcon ii debianutils 2.8.4 Miscellaneous utilities specific to Debian ii dhcp-client 2.0pl5-19.1sar DHCP Client ii diff 2.8.1-11 File comparison utilities ii discover1 1.7.7 hardware identification system ii discover1-data 1.2005.01.08 hardware lists for libdiscover1 ii dnsutils 9.2.4-1sarge1 Clients provided with BIND ii dpkg 1.10.28 Package maintenance system for Debian ii dselect 1.10.28 a user tool to manage Debian packages ii e2fslibs 1.37-2sarge1 ext2 filesystem libraries ii e2fsprogs 1.37-2sarge1 ext2 file system utilities and libraries ii ed 0.2-20 The classic unix line editor ii eject 2.0.13deb-8sar ejects CDs and operates CD-Changers under Li ii exim4 4.50-8sarge2 metapackage to ease exim MTA (v4) installati ii exim4-base 4.50-8sarge2 support files for all exim MTA (v4) packages ii exim4-config 4.50-8sarge2 configuration for the exim MTA (v4) ii exim4-daemon-l 4.50-8sarge2 lightweight exim MTA (v4) daemon ii fdutils 5.4-20040228-1 Linux floppy utilities ii file 4.12-1 Determines file type using "magic" numbers ii findutils 4.1.20-6 utilities for finding files--find, xargs, an ii gcc-3.3-base 3.3.5-13 The GNU Compiler Collection (base package) ii gettext-base 0.14.4-2 GNU Internationalization utilities for the b ii gnupg 1.4.1-1.sarge5 GNU privacy guard - a free PGP replacement ii grep 2.5.1.ds1-4 GNU grep, egrep and fgrep ii groff-base 1.18.1.1-7 GNU troff text-formatting system (base syste ii grub 0.95+cvs200406 GRand Unified Bootloader ii gzip 1.3.5-10sarge2 The GNU compression utility ii hostname 2.13 A utility to set/show the host name or domai ii hotplug 0.0.20040329-2 Linux Hotplug Scripts ii ifupdown 0.6.7 high level tools to configure network interf ii info 4.7-2.2 Standalone GNU Info documentation browser ii initrd-tools 0.1.81.1 tools to create initrd image for prepackaged ii initscripts 2.86.ds1-1 Standard scripts needed for booting and shut ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.x ii iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to ii iputils-ping 20020927-2 Tools to test the reachability of network ho ii iso-codes 0.44-1 ISO language, territory, currency codes and ii kernel-image-2 2.6.8-16sarge5 Linux kernel image for version 2.6.8 on 386. ii klogd 1.4.1-17 Kernel Logging Daemon ii language-env 0.64 simple configuration tool for native languag ii less 382-1 Pager program similar to more ii libacl1 2.2.23-1 Access control list shared library ii libapt-pkg-per 0.1.13 Perl interface to libapt-pkg ii libattr1 2.4.16-1 Extended attribute shared library ii libblkid1 1.37-2sarge1 block device id library ii libbz2-1.0 1.0.2-7 high-quality block-sorting file compressor l ii libc6 2.3.2.ds1-22sa GNU C Library: Shared libraries and Timezone ii libcap1 1.10-14 support for getting/setting POSIX.1e capabil ii libcomerr2 1.37-2sarge1 common error description library ii libconfig-inif 2.38-3 Read .ini-style configuration files ii libconsole 0.2.3dbs-56 Shared libraries for Linux console and font ii libdb1-compat 2.1.3-7 The Berkeley database routines [glibc 2.0/2. ii libdb3 3.2.9-22 Berkeley v3 Database Libraries [runtime] ii libdb4.2 4.2.52-18 Berkeley v4.2 Database Libraries [runtime] ii libdevmapper1. 1.01.00-4sarge The Linux Kernel Device Mapper userspace lib ii libdiscover1 1.7.7 hardware identification library ii libdns16 9.2.4-1sarge1 DNS Shared Library used by BIND ii libgcc1 3.4.3-13sarge1 GCC support library ii libgcrypt11 1.2.0-11.1 LGPL Crypto library - runtime library ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime version) ii libgnutls11 1.0.16-13.2sar GNU TLS library - runtime library ii libgpg-error0 1.0-1 library for common error values and messages ii libisc7 9.2.4-1sarge1 ISC Shared Library used by BIND ii libldap2 2.1.30-8 OpenLDAP libraries ii liblocale-gett 1.01-17 Using libc functions for internationalizatio ii liblockfile1 1.06 NFS-safe locking library, includes dotlockfi ii liblwres1 9.2.4-1sarge1 Lightweight Resolver Library used by BIND ii liblzo1 1.08-1.2 A real-time data compression library ii libmagic1 4.12-1 File type determination library using "magic ii libncurses5 5.4-4 Shared libraries for terminal handling ii libnewt0.51 0.51.6-20 Not Erik's Windowing Toolkit - text mode win ii libopencdk8 0.5.5-10 Open Crypto Development Kit (OpenCDK) (runti ii libpam-modules 0.76-22 Pluggable Authentication Modules for PAM ii libpam-runtime 0.76-22 Runtime support for the PAM library ii libpam0g 0.76-22 Pluggable Authentication Modules library ii libpcap0.7 0.7.2-7 System interface for user-level packet captu ii libpcre3 4.5-1.2sarge1 Perl 5 Compatible Regular Expression Library ii libpopt0 1.7-5 lib for parsing cmdline parameters ii libreadline4 4.3-11 GNU readline and history libraries, run-time ii libreadline5 5.0-10 GNU readline and history libraries, run-time ii libsasl2 2.1.19.dfsg1-0 Authentication abstraction library ii libsigc++-1.2- 1.2.5-4 type-safe Signal Framework for C++ - runtime ii libss2 1.37-2sarge1 command-line interface parsing library ii libssl0.9.7 0.9.7e-3sarge4 SSL shared libraries ii libstdc++5 3.3.5-13 The GNU Standard C++ Library v3 ii libtasn1-2 0.2.10-3sarge1 Manage ASN.1 structures (runtime) ii libtext-charwi 0.04-1 get display widths of characters on the term ii libtext-iconv- 1.2-3 Convert between character sets in Perl ii libtext-wrapi1 0.06-1 internationalized substitute of Text::Wrap ii libtextwrap1 0.1-1 text-wrapping library with i18n - runtime ii libusb-0.1-4 0.1.10a-9.sarg userspace USB programming library ii libuuid1 1.37-2sarge1 universally unique id library ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers library ii locales 2.3.2.ds1-22sa GNU C Library: National Language (locale) da ii localization-c 0.116 configures different programs' locale settin ii login 4.0.3-31sarge9 system login tools ii logrotate 3.7-5 Log rotation utility ii lsb-base 2.0-7 Linux Standard Base 2.0 init script function ii lvm-common 1.5.17 The Logical Volume Manager for Linux (common ii lvm2 2.01.04-5 The Linux Logical Volume Manager ii mailx 8.1.2-0.200405 A simple mail user agent ii makedev 2.3.1-77 creates device files in /dev ii man-db 2.4.2-21 The on-line manual pager ii manpages 1.70-1 Manual pages about using a GNU/Linux system ii manpages-de 0.4-8 German manpages ii mawk 1.3.3-11 a pattern scanning and text processing langu ii mdetect 0.5.2 mouse device autodetection tool ii module-init-to 3.2-pre1-2 tools for managing Linux kernel modules ii modutils 2.4.26-1.2 Linux module utilities ii mount 2.12p-4sarge1 Tools for mounting and manipulating filesyst ii nano 1.2.4-5 free Pico clone with some new features ii ncurses-base 5.4-4 Descriptions of common terminal types ii ncurses-bin 5.4-4 Terminal-related programs and man pages ii net-tools 1.60-10 The NET-3 networking toolkit ii netbase 4.21 Basic TCP/IP networking system rc netkit-inetd 0.10-10 The Internet Superserver ii nvi 1.79-22 4.4BSD re-implementation of vi ii openbsd-inetd 0.20040915-1 The OpenBSD Internet Superserver ii passwd 4.0.3-31sarge9 change and administer password and group dat ii patch 2.5.9-2 Apply a diff file to an original ii pciutils 2.1.11-15 Linux PCI Utilities ii pcmcia-cs 3.2.5-10 PCMCIA Card Services for Linux ii perl 5.8.4-8sarge5 Larry Wall's Practical Extraction and Report ii perl-base 5.8.4-8sarge5 The Pathologically Eclectic Rubbish Lister ii perl-modules 5.8.4-8sarge5 Core Perl modules ii ppp 2.4.3-20050321 Point-to-Point Protocol (PPP) daemon ii pppconfig 2.3.11 A text menu based utility for configuring pp ii pppoe 3.5-4 PPP over Ethernet driver ii pppoeconf 1.7 configures PPPoE/ADSL connections ii procps 3.2.1-2 The /proc file system utilities ii psmisc 21.5-1 Utilities that use the proc filesystem ii read-edid 1.4.1-2 hardware information-gathering tool for VESA ii sed 4.1.2-8 The GNU sed stream editor ii slang1a-utf8 1.4.9dbs-8 The S-Lang programming library with utf8 sup ii sysklogd 1.4.1-17 System Logging Daemon ii sysv-rc 2.86.ds1-1 Standard boot mechanism using symlinks in /e ii sysvinit 2.86.ds1-1 System-V like init ii tar 1.14-2.2 GNU tar ii tasksel 2.24 Tool for selecting tasks for installation on ii tcpd 7.6.dbs-8 Wietse Venema's TCP wrapper utilities ii telnet 0.17-29 The telnet client ii time 1.7-21 The GNU time program for measuring cpu resou ii traceroute 1.4a12-18 traces the route taken by packets over a TCP ii usbutils 0.70-8 USB console utilities ii util-linux 2.12p-4sarge1 Miscellaneous system utilities ii wget 1.9.1-12 retrieves files from the web ii whiptail 0.51.6-20 Displays user-friendly dialog boxes from she ii xfsprogs 2.6.20-1 Utilities for managing the XFS filesystem ii zlib1g 1.2.2-4.sarge. compression library - runtime
- apt-get install ssh
- apt-get remove openbsd-inetd netkit-inetd
- Als nächstes werden Ihnen von Debian einige vorbereitete Paket-Zusammenstellungen angeboten. Sie können natürlich auch Paket für Paket auswählen, was Sie auf Ihrem neuen System installieren möchten. Dies ist auch das Prinzip von aptitude, das weiter unten beschrieben wird. Allerdings könnte dies eine langwierige Sache werden bei ca. 15250 verfügbaren Paketen in Debian!
- Deswegen haben Sie die Möglichkeit, zunächst Programmgruppen (tasks) vorzuwählen und danach einzelne individuelle Pakete hinzuzufügen. Diese Gruppen stellen eine lockere Zusammenstellung verschiedener Aufgaben dar, die Sie mit Ihrem Computer erledigen können, wie z.B. „Desktop-Umgebung“ (für einen Arbeitsplatzrechner), „Web-Server“ (Inhalte für das Internet bereitstellen) oder „Druck-Server“ (Drucken und Druckermanagement). Abschnitt C.3, „Festplattenplatz, der für die Programmgruppen benötigt wird“ enthält eine Aufstellung des Festplattenbedarfs verschiedener Programmgruppen.
- Wenn Sie die Programmgruppen ausgewählt haben, die Sie installieren möchten, gehen Sie auf Ok. Nun wird aptitude die Programme installieren. 1)
- Wenn Sie Paket für Paket aussuchen möchten, was Sie installieren, wählen Sie „Manuelle Auswahl“ in der Debian Software Auswahl (tasksel). Falls Sie zusätzlich zu der manuellen Auswahl auch eine oder mehrere Programmgruppen vorgewählt haben, wird aptitude mit dem Parameter –visual-preview gestartet. Dies bedeutet, dass Sie die Möglichkeit haben, die Liste der Pakete, die installiert werden sollen, vorher nochmals zu überprüfen. Falls Sie keine Progammgruppe ausgewählt haben, wird die normale aptitude-Oberfläche angezeigt. Nachdem Sie Ihre Auswahl getroffen haben, drücken Sie „g“, um das Herunterladen und die Installation der Pakete zu starten. 2)
- exim4-config: Keine Konfiguration zum jetzigen Zeitpunkt
- später: dpkg-reconfigure exim4-config
- Empfänger der e-Mails für root und postmaster: tiriadmin
Erstes Login
- /etc/console-tools/config (Zeichensatz auf 80×50 einstellen [default: lat0-sun16])
config
SCREEN_FONT=lat0-08
- /etc/apt/sources.list
sources.list
deb http://www.backports.org/debian/ sarge-backports main
- /etc/apt/preferences
preferences
Package: * Pin: release a=sarge-backports Pin-Priority: 200 Package: xen-3.0 Pin: release a=sarge-backports Pin-Priority: 999 Package: linux-2.6 Pin: release a=sarge-backports Pin-Priority: 999 Package: xen-tools Pin: release a=sarge-backports Pin-Priority: 999 Package: udev Pin: release a=sarge-backports Pin-Priority: 999 Package: lsb Pin: release a=sarge-backports Pin-Priority: 999 Package: module-init-tools Pin: release a=sarge-backports Pin-Priority: 999 Package: grub Pin: release a=sarge-backports Pin-Priority: 999
- apt-get update
- apt-get dist-upgrade
apt-get dist-upgrade
Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut... Fertig Berechne Upgrade...Fertig Die folgenden Pakete sind zurückgehalten worden: module-init-tools Die folgenden Pakete werden aktualisiert: grub kernel-image-2.6.8-3-386 2 aktualisiert, 0 neu installiert, 0 zu entfernen und 1 nicht aktualisiert. Es müssen 14,4MB Archive geholt werden. Nach dem Auspacken werden 41,0kB Plattenplatz zusätzlich benutzt. Möchten Sie fortfahren? [J/n] j Hole:1 http://security.debian.org stable/updates/main kernel-image-2.6.8-3-386 2.6.8-16sarge6 [14,1MB] Hole:2 http://www.backports.org sarge-backports/main grub 0.97-16.1~bpo.1 [367kB] Es wurden 14,4MB in 20s geholt (719kB/s) (Lese Datenbank ... 22363 Dateien und Verzeichnisse sind derzeit installiert.) Vorbereiten zum Ersetzen von grub 0.95+cvs20040624-17sarge1 (durch .../grub_0.97-16.1~bpo.1_i386.deb) ... Entpacke Ersatz für grub ... Vorbereiten zum Ersetzen von kernel-image-2.6.8-3-386 2.6.8-16sarge5 (durch .../kernel-image-2.6.8-3-386_2.6.8-16sarge6_i386.deb) ... The directory /lib/modules/2.6.8-3-386 still exists. Continuing as directed. Entpacke Ersatz für kernel-image-2.6.8-3-386 ... Your /etc/kernel-img.conf needs upgrade. Read grub's NEWS.Debian[1] file and follow its instructions. 1. /usr/share/doc/grub/NEWS.Debian You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead! Searching for GRUB installation directory ... found: /boot/grub Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst Searching for splash image ... none found, skipping ... Found kernel: /boot/vmlinuz-2.6.8-3-386 Updating /boot/grub/menu.lst ... done Richte grub ein (0.97-16.1~bpo.1) ... Richte kernel-image-2.6.8-3-386 ein (2.6.8-16sarge6) ... You are attempting to install a kernel version that is the same as the version you are currently running (version 2.6.8-3-386). The modules list is quite likely to have been changed, and the modules dependency file /lib/modules/2.6.8-3-386/modules.dep needs to be re-built. It can not be built correctly right now, since the module list for the running kernel are likely to be different from the kernel installed. I am creating a new modules.dep file, but that may not be correct. It shall be regenerated correctly at next reboot. I repeat: you have to reboot in order for the modules file to be created correctly. Until you reboot, it may be impossible to load some modules. Reboot as soon as this install is finished (Do not reboot right now, since you may not be able to boot back up until installation is over, but boot immediately after). I can not stress that too much. You need to reboot soon. Please Hit return to continue.
- apt-get install linux-image-2.6.18-3-i686 (um einen aktuellen Nicht-XEN Kernel zu haben)
- apt-get install
apt-get install -t sarge-backports grub makedev lsb-base (ggf. mdadm)
Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut... Fertig grub ist schon die neueste Version. Die folgenden NEUEN Pakete werden installiert: mdadm Die folgenden Pakete werden aktualisiert: lsb-base makedev 2 aktualisiert, 1 neu installiert, 0 zu entfernen und 55 nicht aktualisiert. Es müssen 205kB Archive geholt werden.
- apt-cache search linux-image | grep xen
apt-get install linux-image-2.6.18-3-xen-686 xen-utils-3.0.3-1 xen-hypervisor-3.0.3-1-i386 (ggf. xen-ioemu-3.0.3-1)
apt-get install linux-image-2.6.18-3-xen-686 xen-utils-3.0.3-1 xen-hypervisor-3.0.3-1-i386 Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut... Fertig Die folgenden zusätzlichen Pakete werden installiert: busybox-cvs-static initramfs-tools iproute klibc-utils libatm1 libklibc libvolume-id0 linux-modules-2.6.18-3-xen-686 module-init-tools python python2.3 udev xen-utils-common Vorgeschlagene Pakete: linux-doc-2.6.18 python-doc python-tk python-profiler python2.3-doc python2.3-profiler xen-docs-3.0 Empfohlene Pakete: iproute-doc libc6-xen python2.3-iconvcodec python2.3-cjkcodecs python2.3-japanese-codecs Die folgenden Pakete werden ENTFERNT: hotplug Die folgenden NEUEN Pakete werden installiert: busybox-cvs-static initramfs-tools iproute klibc-utils libatm1 libklibc libvolume-id0 linux-image-2.6.18-3-xen-686 linux-modules-2.6.18-3-xen-686 python python2.3 udev xen-hypervisor-3.0.3-1-i386 xen-utils-3.0.3-1 xen-utils-common Die folgenden Pakete werden aktualisiert: module-init-tools 1 aktualisiert, 15 neu installiert, 1 zu entfernen und 0 nicht aktualisiert. Es müssen 22,4MB Archive geholt werden. Nach dem Auspacken werden 67,9MB Plattenplatz zusätzlich benutzt.
apt-get install -t sarge-backports bridge-utils sysfsutils
Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut... Fertig Die folgenden zusätzlichen Pakete werden installiert: libsysfs1 libsysfs2 Die folgenden NEUEN Pakete werden installiert: bridge-utils libsysfs1 libsysfs2 sysfsutils 0 aktualisiert, 4 neu installiert, 0 zu entfernen und 55 nicht aktualisiert. Es müssen 102kB Archive geholt werden. Nach dem Auspacken werden 479kB Plattenplatz zusätzlich benutzt.
- Konfiguration Bootloader für XEN
- mv /lib/tls /lib/tls.disabled
- dpkg –purge hotplug
- mkinitramfs -o /boot/initrd.img-2.6.18-3-xen-686 2.6.18-3-xen-686
grub/menu.lst
title Xen 3.0.3-1-i386 / Debian GNU/Linux, kernel 2.6.18-3-xen-686 root (hd0,0) kernel /boot/xen-3.0.3-1-i386.gz dom0_mem=384000 sched=sedf console=com1 com1=57600,8n1 panic=10 module /boot/vmlinuz-2.6.18-3-xen-686 root=/dev/sda1 ro acpi=off console=tty0 console=ttyS0,57600 xencons=ttyS panic=10 module /boot/initrd.img-2.6.18-3-xen-686 savedefault
* Zum Abschluß muß noch die Xen-Config in /etc/xen/xend-config.sxp kontroliert werden, ob (network-script network-bridge) (ca. Zeile 73) und (vif-script vif-bridge) (ca. Zeile 104) eingeschaltet ist. Ggf. die Zeilen auskommentieren und alle anderen Einstellungen dazu als Kommentar setzen. * Nun noch den Xen-VM beim booten mitstarten lassen: ''invoke-rc.d xend restart'' * Netzwerkeinstellungen für xen-bridge
/etc/network/interfaces
# Internal Bridged Network for Internet auto xen-inetbr iface xen-inetbr inet static pre-up brctl addbr xen-inetbr post-down brctl delbr xen-inetbr address 192.168.100.1 netmask 255.255.255.0 network 192.168.100.0 broadcast 192.168.100.255 bridge_fd 0 bridge_hello 0 # bridge_stp off
- Reboot
XEN Tools
apt-get install -t sarge-backports xen-tools
Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut... Fertig Die folgenden zusätzlichen Pakete werden installiert: debootstrap libtext-template-perl Empfohlene Pakete: xen xen-hypervisor-3.0 reiserfsprogs rpmstrap Die folgenden NEUEN Pakete werden installiert: debootstrap libtext-template-perl xen-tools 0 aktualisiert, 3 neu installiert, 0 zu entfernen und 55 nicht aktualisiert. Es müssen 191kB Archive geholt werden. Nach dem Auspacken werden 930kB Plattenplatz zusätzlich benutzt.
- Konfiguration der xen-tools
/etc/xen-tools/xen-tools.conf
dir = /data/xens debootstrap = 1 size = 4Gb # Disk image size. memory = 128Mb # Memory size swap = 128Mb # Swap size fs = ext3 # use the EXT3 filesystem for the disk image. dist = sarge # Default distribution to install. image = sparse # Specify sparse vs. full disk images. gateway = 192.168.100.1 netmask = 255.255.255.0 passwd = 1 kernel = /boot/vmlinuz-2.6.18-3-xen-686 initrd = /boot/initrd.img-2.6.18-3-xen-686 mirror = http://ftp.de.debian.org/debian/
- Erstellen eines ersten Gasts
- Loopbackdriver für HDD-Images laden
modprobe loop loop_max=255
xen-create-image --hostname=xm1 --ip=192.168.100.100 --passwd
General Infomation -------------------- Hostname : xm1 Distribution : sarge Fileystem Type : ext3 Size Information ---------------- Image size : 4Gb Swap size : 128Mb Image type : sparse Memory size : 128Mb Kernel path : /boot/vmlinuz-2.6.18-3-xen-686 initrd path : /boot/initrd.img-2.6.18-3-xen-686 Networking Information ---------------------- IP Address 1 : 192.168.100.100 Netmask : 255.255.255.0 Gateway : 192.168.100.1 Creating swap image: /data/xens/domains/xm1/swap.img Done Creating disk image: /data/xens/domains/xm1/disk.img Done Creating ext3 filesystem on /data/xens/domains/xm1/disk.img Done Installing your system with debootstrap mirror http://ftp.de.debian.org/debian/ Done Running hooks Done No role script specified. Skipping Creating Xen configuration file Done Setting up root password Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully All done
- /etc/xen/conf – Es wird durch o.a. Skript auch die Konfigurationsdatei erstellt
/etc/xen/xm1.cfg
kernel = '/boot/vmlinuz-2.6.18-3-xen-686' ramdisk = '/boot/initrd.img-2.6.18-3-xen-686' memory = '128' root = '/dev/sda1 ro' disk = [ 'file:/data/xens/domains/xm1/disk.img,sda1,w', 'file:/data/xens/domains/xm1/swap.img,sda2,w' ] name = 'xm1' vif = [ 'ip=192.168.100.100' ] on_poweroff = 'destroy' on_reboot = 'restart' on_crash = 'restart'
Start des ersten Gasts
- modprobe loop
- xm create
xm create -c /etc/xen/xm1.cfg
Using config file "/etc/xen/xm1.cfg". Started domain xm1 Linux version 2.6.18-3-xen-686 (Debian 2.6.18-8~bpo.1) (nobse@backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 SMP Fri Dec 15 08:22:55 CET 2006 BIOS-provided physical RAM map: Xen: 0000000000000000 - 0000000008800000 (usable) 0MB HIGHMEM available. 136MB LOWMEM available. ACPI in unprivileged domain disabled Built 1 zonelists. Total pages: 34816 Kernel command line: root=/dev/sda1 ro Enabling fast FPU save and restore... done. Enabling unmasked SIMD FPU exception support... done. Initializing CPU#0 PID hash table entries: 1024 (order: 10, 4096 bytes) Xen reported: 1994.996 MHz processor. Dentry cache hash table entries: 32768 (order: 5, 131072 bytes) Inode-cache hash table entries: 16384 (order: 4, 65536 bytes) Software IO TLB disabled vmalloc area: c9000000-fb7fe000, maxmem 33ffe000 Memory: 114584k/139264k available (1606k kernel code, 16344k reserved, 654k data, 160k init, 0k highmem) Checking if this processor honours the WP bit even in supervisor mode... Ok. Calibrating delay using timer specific routine.. 5035.28 BogoMIPS (lpj=10070571) Security Framework v1.0.0 initialized SELinux: Disabled at boot. Capability LSM initialized Mount-cache hash table entries: 512 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 4096K Checking 'hlt' instruction... OK. SMP alternatives: switching to UP code Freeing SMP alternatives: 12k freed Brought up 1 CPUs migration_cost=0 checking if image is initramfs... it is Freeing initrd memory: 11943k freed Grant table initialized NET: Registered protocol family 16 Brought up 1 CPUs PCI: setting up Xen PCI frontend stub ACPI: Interpreter disabled. Linux Plug and Play Support v0.97 (c) Adam Belay pnp: PnP ACPI: disabled xen_mem: Initialising balloon driver. PCI: System does not support PCI PCI: System does not support PCI NET: Registered protocol family 2 IP route cache hash table entries: 2048 (order: 1, 8192 bytes) TCP established hash table entries: 8192 (order: 4, 65536 bytes) TCP bind hash table entries: 4096 (order: 3, 32768 bytes) TCP: Hash tables configured (established 8192 bind 4096) TCP reno registered audit: initializing netlink socket (disabled) audit(1169937428.483:1): initialized VFS: Disk quotas dquot_6.5.1 Dquot-cache hash table entries: 1024 (order 0, 4096 bytes) Initializing Cryptographic API io scheduler noop registered io scheduler anticipatory registered io scheduler deadline registered io scheduler cfq registered (default) RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize Xen virtual console successfully installed as tty1 Event-channel device installed. netfront: Initialising virtual ethernet driver. PNP: No PS/2 controller found. Probing ports directly. i8042.c: No controller found. mice: PS/2 mouse device common for all mice TCP bic registered NET: Registered protocol family 1 NET: Registered protocol family 17 NET: Registered protocol family 8 NET: Registered protocol family 20 Using IPI No-Shortcut mode Registering block device major 8 netfront: device eth0 has flipping receive path. Freeing unused kernel memory: 160k freed Loading, please wait... Begin: Loading essential drivers... ... Done. Begin: Running /scripts/init-premount ... FATAL: Error inserting fan (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/fan.ko): No such device FATAL: Error inserting thermal (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/thermal.ko): No such device Done. Begin: Mounting root file system... ... Begin: Running /scripts/local-top ... Done. Begin: Running /scripts/local-premount ... Done. kjournald starting. Commit interval 5 seconds EXT3-fs: mounted filesystem with ordered data mode. Begin: Running /scripts/local-bottom ... Done. Done. Begin: Running /scripts/init-bottom ... Done. Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled INIT: version 2.86 booting Activating swap. Checking root file system... fsck 1.37 (21-Mar-2005) /dev/sda1: clean, 17342/524288 files, 80037/1048576 blocks EXT3 FS on sda1, internal journal System time was Sat Jan 27 22:38:36 UTC 2007. Setting the System Clock using the Hardware Clock as reference... System Clock set. System local time is now Sat Jan 27 22:41:17 UTC 2007. Cleaning up ifupdown...done. Calculating module dependencies... done. Loading modules... All modules loaded. Checking all file systems... fsck 1.37 (21-Mar-2005) Setting kernel variables ... ... done. Mounting local filesystems... Cleaning /tmp /var/run /var/lock. Running 0dns-down to make sure resolv.conf is ok...done. Setting up networking...done. Setting up IP spoofing protection: rp_filter. Configuring network interfaces...done. Setting the System Clock using the Hardware Clock as reference... System Clock set. Local time: Sat Jan 27 22:42:42 UTC 2007 Initializing random number generator...done. Recovering nvi editor sessions... done. INIT: Entering runlevel: 2 Starting system log daemon: syslogd. Starting kernel log daemon: klogd. Starting MTA: exim4. Starting internet superserver: inetd. Starting OpenBSD Secure Shell server: sshd. Starting deferred execution scheduler: atdNET: Registered protocol family 10 lo: Disabled Privacy Extensions IPv6 over IPv4 tunneling driver . Starting periodic command scheduler: cron. Debian GNU/Linux 3.1 xm1 tty1 xm1 login:
Erstellen eines zweiten Gasts (etch)
- Modifizieren der /etc/xen-tools/xen-tools.conf
- s.o.
- Boot (xm create -c /etc/xen/xm2.conf)
starting etch
Using config file "/etc/xen/xm2.cfg". Started domain xm2 Linux version 2.6.18-3-xen-686 (Debian 2.6.18-8~bpo.1) (nobse@backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 SMP Fri Dec 15 08:22:55 CET 2006 BIOS-provided physical RAM map: Xen: 0000000000000000 - 0000000008800000 (usable) 0MB HIGHMEM available. 136MB LOWMEM available. ACPI in unprivileged domain disabled Built 1 zonelists. Total pages: 34816 Kernel command line: root=/dev/sda1 ro Enabling fast FPU save and restore... done. Enabling unmasked SIMD FPU exception support... done. Initializing CPU#0 PID hash table entries: 1024 (order: 10, 4096 bytes) Xen reported: 1994.998 MHz processor. Dentry cache hash table entries: 32768 (order: 5, 131072 bytes) Inode-cache hash table entries: 16384 (order: 4, 65536 bytes) Software IO TLB disabled vmalloc area: c9000000-fb7fe000, maxmem 33ffe000 Memory: 114584k/139264k available (1606k kernel code, 16344k reserved, 654k data, 160k init, 0k highmem) Checking if this processor honours the WP bit even in supervisor mode... Ok. Calibrating delay using timer specific routine.. 5033.17 BogoMIPS (lpj=10066344) Security Framework v1.0.0 initialized SELinux: Disabled at boot. Capability LSM initialized Mount-cache hash table entries: 512 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 4096K Checking 'hlt' instruction... OK. SMP alternatives: switching to UP code Freeing SMP alternatives: 12k freed Brought up 1 CPUs migration_cost=0 checking if image is initramfs... it is Freeing initrd memory: 11943k freed Grant table initialized NET: Registered protocol family 16 Brought up 1 CPUs PCI: setting up Xen PCI frontend stub ACPI: Interpreter disabled. Linux Plug and Play Support v0.97 (c) Adam Belay pnp: PnP ACPI: disabled xen_mem: Initialising balloon driver. PCI: System does not support PCI PCI: System does not support PCI NET: Registered protocol family 2 IP route cache hash table entries: 2048 (order: 1, 8192 bytes) TCP established hash table entries: 8192 (order: 4, 65536 bytes) TCP bind hash table entries: 4096 (order: 3, 32768 bytes) TCP: Hash tables configured (established 8192 bind 4096) TCP reno registered audit: initializing netlink socket (disabled) audit(1169940219.700:1): initialized VFS: Disk quotas dquot_6.5.1 Dquot-cache hash table entries: 1024 (order 0, 4096 bytes) Initializing Cryptographic API io scheduler noop registered io scheduler anticipatory registered io scheduler deadline registered io scheduler cfq registered (default) RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize Xen virtual console successfully installed as tty1 Event-channel device installed. netfront: Initialising virtual ethernet driver. PNP: No PS/2 controller found. Probing ports directly. i8042.c: No controller found. mice: PS/2 mouse device common for all mice TCP bic registered NET: Registered protocol family 1 NET: Registered protocol family 17 NET: Registered protocol family 8 NET: Registered protocol family 20 Using IPI No-Shortcut mode Registering block device major 8 netfront: device eth0 has flipping receive path. Freeing unused kernel memory: 160k freed Loading, please wait... Begin: Loading essential drivers... ... Done. Begin: Running /scripts/init-premount ... FATAL: Error inserting fan (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/fan.ko): No such device FATAL: Error inserting thermal (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/thermal.ko): No such device Done. Begin: Mounting root file system... ... Begin: Running /scripts/local-top ... Done. Begin: Running /scripts/local-premount ... Done. kjournald starting. Commit interval 5 seconds EXT3-fs: mounted filesystem with ordered data mode. Begin: Running /scripts/local-bottom ... Done. Done. Begin: Running /scripts/init-bottom ... Done. Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled INIT: version 2.86 booting * Mount point '/dev/shm' does not exist. Skipping mount. Activating swap...done. Checking root file system...fsck 1.40-WIP (14-Nov-2006) /dev/sda1: clean, 16982/524288 files, 86122/1048576 blocks done. EXT3 FS on sda1, internal journal Setting the system clock again.. Cleaning up ifupdown.... Loading kernel modules...done. Loading device-mapper supportdevice-mapper: ioctl: 4.7.0-ioctl (2006-06-24) initialised: dm-devel@redhat.com . Checking file systems...fsck 1.40-WIP (14-Nov-2006) done. Setting kernel variables...done. Mounting local filesystems...done. Activating swapfile swap...done. Setting up networking.... Configuring network interfaces...done. INIT: Entering runlevel: 2 Starting system log daemon: syslogd. Starting kernel log daemon: klogd. * Not starting internet superserver: no services enabled. Starting OpenBSD Secure Shell server: sshdNET: Registered protocol family 10 lo: Disabled Privacy Extensions IPv6 over IPv4 tunneling driver . Starting periodic command scheduler: crond. Debian GNU/Linux 4.0 xm2 tty1 xm2 login:
xm list // xentop
xm list
xm list Name ID Mem(MiB) VCPUs State Time(s) Domain-0 0 375 1 r----- 1824.6 xm1 2 128 1 -b---- 334.3 xm2 3 128 1 -b---- 97.3
xentop
xentop - 00:27:35 Xen 3.0.3-1
3 domains: 1 running, 2 blocked, 0 paused, 0 crashed, 0 dying, 0 shutdown
Mem: 917052k total, 667004k used, 250048k free CPUs: 1 @ 1995MHz
NAME STATE CPU(sec) CPU(%) MEM(k) MEM(%) MAXMEM(k) MAXMEM(%) VCPUS NETS NETTX(k) NETRX(k) VBDS VBD_OO VBD_RD VBD_WR SSID
Domain-0 -----r 1823 1.0 384148 41.9 no limit n/a 1 0 0 0 0 0 0 0 0
xm1 --b--- 334 0.1 130916 14.3 131072 14.3 1 1 66 41 2 0 1128 453 0
xm2 --b--- 97 0.1 130564 14.2 131072 14.3 1 1 0 0 2 0 595 171 0
Shorewall Firewall
Die Shorewall Firewall basiert auf iptables und ist recht klar zu konfigurieren. Um Fehlermeldungen wie “ip_tables: policy match: invalid size 308 != 116” zu vermeiden, sind auch hier die iptables (1.3.6) aus den backports zu installieren.
- apt-get install -t sarge-backports iptables shorewall
Shorewall - Minimal Setup
- shorewall.conf
- IP_FORWARDING=On
- ADD_SNAT_ALIASES=Yes
- interfaces
/etc/shorewall/interfaces
loc lo - dhcp,routeback dmz xen-inetbr detect dhcp,routeback net eth0 detect dhcp,logmartians,blacklist,tcpflags,nosmurfs
- masq (deshalb: ADD_SNAT_ALIASES=Yes)
/etc/shorewall/masq
eth0 192.168.100.0/24 192.168.178.180 eth0:1 192.168.100.0/24 192.168.178.181
- policy
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL dmz all REJECT info all dmz REJECT info net all REJECT info all net REJECT info loc net ACCEPT all all REJECT info
- zones
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall loc ipv4 dmz ipv4 net ipv4
- rules
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED SECTION NEW #ACCEPT net fw icmp ACCEPT net fw tcp 22 ACCEPT fw net udp 53 ACCEPT fw net tcp 53 ACCEPT fw net tcp 23 ACCEPT fw net tcp ntp ACCEPT fw net tcp 443 ACCEPT fw net tcp 80 ACCEPT fw net udp ntp ACCEPT fw net tcp 22 ACCEPT fw dmz tcp 22 ACCEPT fw net icmp ACCEPT fw dmz icmp ACCEPT fw dmz tcp 80 Trcrt/ACCEPT fw dmz DNAT net dmz:192.168.100.100:80 tcp 80 - 192.168.178.181 DNAT loc dmz:192.168.100.100:22 tcp 22 - 192.168.178.181 ACCEPT dmz net udp 123 ACCEPT dmz net icmp ACCEPT dmz net udp 53 ACCEPT dmz fw udp 53 ACCEPT dmz net tcp 80 ACCEPT dmz fw tcp 80 ACCEPT dmz fw tcp 3128 ACCEPT dmz fw icmp
Shorewall - README.Debian
README.Debian
NOTES FOR DEBIAN USERS
======================
1. AUTOMATIC STARTUP
--------------------
In order to avoid the startup of the firewall on an unconfigured machine,
automatic startup, on boot, is disabled by default. To enable it just edit the
file /etc/default/shorewall and set the "startup" variable to 1.
2. CONFIGURATION
----------------
This section replaces old documentation found in
/usr/shore/doc/shorewall/Debian_install.txt
After the installation of the package the configuration directory
/etc/shorewall/ will remain empty, except for:
1. shorewall.conf
2. Makefile
This is intentional because:
1. it does not exists a sane default configuration
2. to avoid dpkg to prompt for upgrade of configuration file on every
package update
The default upstream configuration files are installed, just as an example, in
/usr/share/doc/shorewall/default-config/. The only file that can be used 'as
is' are the ones installed by the package (P.s. Debian policy, point 12,
requires that file installed under /usr/share/doc/XXX/ should be compressed;
for this reason packaging tools automatically compress some of the
documentation files).
In order to configure a simple firewall you should, at least, set up the
following files:
1. /etc/shorewall/interfaces
2. /etc/shorewall/policy
3. /etc/shorewall/rules
4. /etc/shorewall/zones
Default Debian configuration is slightly different from upstream configuration.
The differences are:
1. IP forwarding is neither enabled nor disabled. It is set to "keep", that
means that if it is enabled it will remain enabled, and if it is disabled
it will remain disabled. If you are going to configure you host to act as
a router take care of this fact. To enable IP forwarding you have to set
to "on" the IP_FORWARDING variable in /etc/shorewall/shorewall.conf
2. Anti-spoofing kernel protections is enabled, by default, on all
interfaces. Upstream configuration disables it. To disable it set the
variable ROUTE_FILTER to "no" in /etc/shorewall/shorewall.conf
3. IPv6 support is enabled by default. It is disabled in upstream
configuration. To disable it set DISABLE_IPV6 to "yes" in
/etc/shorewall/shorewall.conf. IPv6 is enabled by default on Debian
because the protocol is not supported by default kernels.
Other file such as modules, action.* and actions.std, that usually don't need
customization, are installed within /usr/share/shorewall. Customization can be
done in /etc/shorewall as shorewall looks for files in /etc/shorewall and then
in /usr/share/shorewall. If a configuration file is found in /etc/shorewall the
one in /usr/share/shorewall is ignored.
More information about shorewall configuration can be found in the
shorewall-doc package and on the shorewall website (http://www.shorewall.net).
3. AVODING FLOOD (WITH LOGGED TRAFFIC) ON THE CONSOLE
-----------------------------------------------------
Shorewall logs packets using level "info". With the default klogd
configuration this kind of logs are also written on the console and,
when the frequency of logging is high the console becomes unusable. It
is highly recommended to configure klogd in order to prevent that
messages of level "info" are logged on the console. You have two
alternatives:
1. set KLOGD="-c 5" in /etc/init.d/klogd
2. add dmesg -n5 in your /etc/shorewall/start
4. IPV6
-------
The Shorewall default configuration does not block IPV6 traffic; the Debian
package, instead, has this feature enabled (see DISABLE_IPV6 in
/etc/shorewall.conf). Please note that when IPV6 is disabled the traffic is
dropped and no logs are generated. As the drop policy just discards the traffic
if you try to use IPV6 you could run into timeouts.
5. PPP USERS
------------
This section replaces old documentation found in
/usr/share/doc/shorewall/README.ppp
If you are running shorewall on a machine with a ppp connection and your
firewall needs to calculate the interface's ip address, the startup can fail.
It can fail because at the time the firewall is started the ppp interface is
not ready yet. For other information about the problem see bugs #175382 and
#234189.
An example of this problem could be:
/etc/shorewall/params:
EXT_IP=`find_interface_address ppp0`
/etc/shorewall/rules:
DNAT loc dmz:10.0.0.1 tcp http - $EXT_IP
If $EXT_IP is not configured the startup fails.
If your ppp connection is configured with /etc/init.d/ppp you must set it up
using /etc/network/interfaces using the PPP method because just the networking
script is run before shorewall. Moreover the interface name must be listed,
using the "wait_interface" keyword, in /etc/default/shorewall in order to get
the init script to wait until its ready.
Examples of /etc/default/shorewall:
wait_interface="ppp0"
or
wait_interface="ppp0 ppp1"
or, if you have defined $PPP in /etc/shorewall/params
wait_interface=$PPP
-- Lorenzo Martignoni <martignlo@debian.org>, Thu, 19 Oct 2006 04:21:16 +0200
1)
Auch wenn Sie keine Programme zur Installation ausgewählt haben, werden einige wichtige oder benötigte Standardpakete installiert, die noch nicht auf dem System vorhanden sind. Dies ist das gleiche, als wenn Sie auf der Kommandozeile tasksel -ris eingeben; es werden in diesem Fall ca. 37MB an Archiven heruntergeladen. Die Zahl der zu installierenden Pakete wird angezeigt und wie viele Kilobytes an Daten heruntergeladen werden müssen, falls erforderlich.
2)
Wenn Sie „Manuelle Auswahl“ ausgewählt haben, ohne dabei eine Programmgruppe vorzuwählen, werden keine Pakete installiert, die Sie nicht selbst auswählen. Dies bedeutet einerseits, dass Sie mittels dieser Option ein Minimalsystem erstellen können; andererseits liegt dann bei Ihnen die Verantwortung, dafür zu sorgen, dass vom System benötigte Pakete ausgewählt und installiert werden, die noch nicht als Teil des Basissystems installiert wurden (vor dem Neustart).
