Recently I’ve achieved a good setup for a virtualized environment, using Debian Lenny as host, with a RAID10, and LVM for managing VM disk images.

The server was: CPU Intel Xeon X3430, RAM 4GB, HD 4x500GB.

During the installation, on each of the 4 disks, I created:

  • a small /boot partition (~300Mb)
  • 10 Gb RAID1 for /
  • 1 Gb RAID10 for swap
  • remaining space as RAID10, with a big LVM volume on top of it.

Please note: at the end of the installation, you should manually install grub on every disk, because otherwise, if the first disk gets destroyed, you cannot boot your system.

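# Copy the contents of /boot to the matching partition on the other three disks
mkdir /boot2 /boot3 /boot4
mount /dev/sdb1 /boot2
mount /dev/sdc1 /boot3
mount /dev/sdd1 /boot4
rsync -av /boot/ /boot2/
rsync -av /boot/ /boot3/
rsync -av /boot/ /boot4/
umount /boot2/ /boot3/ /boot4/
# Copy sector 0 (boot code and partition table) from sda to the other disks;
# this overwrites their partition tables, so all four disks must be partitioned identically
dd if=/dev/sda of=/dev/sdb count=1 bs=512
dd if=/dev/sda of=/dev/sdc count=1 bs=512
dd if=/dev/sda of=/dev/sdd count=1 bs=512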

At this point, installing kvm plus virt-manager is straightforward:

aptitude install kvm libvirt-bin virt-manager

Remember that Lenny is getting pretty old, so to get more from your server, you should use the backports.org packages.

Now add your user to the libvirt and kvm system groups (/etc/group):

[..]
kvm:x:112:bob
libvirt:x:115:bob
[..]

At this point, you should connect to the virt-manager GUI. As far as I understood, virt-manager supports connections from remote hosts, but the TLS configuration is not so well documented, so you can simply use X11 forwarding or install a VNC server, or NX server, on the host to get the local virt-manager.

What I usually do on my LAN from my laptop is:

ssh -X -l myuser myserver.local
virt-manager

And the virt-manager window will pop up.

LVM Configuration

Edit->Host Details->Storage

Add your LVM Volume Group defined during the first setup: from this window, you can create virtual disks for your machines. Using LVM instead of simple disk images gives great benefits: less overhead, and the ability to expand images (and the filesystems on them) without even rebooting the VM.

Network Configuration

You can use both bridged networks and private networks. Bridged networks are used when a VM should have an address in the same subnet as the other hosts on the local network.

Bridged networks require additional configuration on the host to work:

cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eth0
#allow-hotplug eth0
#iface eth0 inet static
#        address 192.168.0.4
#         netmask 255.255.255.0
#         gateway 192.168.0.1

auto br0
allow-hotplug br0
iface br0 inet static
         address 192.168.0.4
         netmask 255.255.255.0
         gateway 192.168.0.1
         bridge_ports eth0
         bridge_stp off
         bridge_maxwait 15

Private networks should be used to isolate the virtual machines from the physical network. You can create a DMZ using strict iptables rules that allow clients to reach a VM inside a private network. You can take a look at the iptables script I am using on the host, which uses both bridged and private networks.

cat firewall.sh
#! /bin/bash
# By Giovanni Toraldo

LAN='br0'
VLAN='virbr0'
SUBNET='192.168.0.0/24'
VSUBNET='192.168.122.0/24'

## FLUSH
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

## Default Policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Basic Routing/Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

## Local Inbound Services
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # mail
iptables -A INPUT -p udp --dport 123 -j ACCEPT # ntp
iptables -A INPUT -p tcp --dport 80 -s $SUBNET -j ACCEPT # nginx

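# VLAN - I accept and route all traffic
# These two rules accept everything arriving on $VLAN and $LAN, so the
# per-port INPUT rules above only restrict traffic from other interfaces.
iptables -A INPUT -i $VLAN -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT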
iptables -A FORWARD -i $VLAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $VLAN -j ACCEPT
# Masquerading packets from private networks only!!
iptables -t nat -A POSTROUTING -s $VSUBNET -o $LAN -j MASQUERADE
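
A stricter take on the DMZ idea mentioned above, as an added example that is not part of the original post or of the author's firewall.sh: a function that prints an iptables-restore ruleset publishing a single TCP port of one VM, while VMs on the private network cannot open connections to the LAN. The VM address and port are arguments chosen by you, and SSH from the LAN as the only host service is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original firewall.sh.
LAN='br0'; VLAN='virbr0'          # interface names from the original script
SUBNET='192.168.0.0/24'; VSUBNET='192.168.122.0/24'
HOST_IP='192.168.0.4'             # br0 address from /etc/network/interfaces

# dmz_rules VM_IP PORT: print iptables-restore rules that publish one TCP
# port of one VM and keep the private network away from the LAN.
dmz_rules() {
    vm_ip=$1; port=$2
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    case $vm_ip in
        *[!0-9.]*) echo "bad address" >&2; return 1 ;;
        192.168.122.*) ;;
        *) echo "VM is not in $VSUBNET" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN -d $HOST_IP -p tcp --dport $port -j DNAT --to-destination $vm_ip:$port
-A POSTROUTING -s $VSUBNET -o $LAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Host services: SSH from the LAN only (assumption; list other services here)
-A INPUT -i $LAN -s $SUBNET -p tcp --dport 22 -j ACCEPT
# DHCP and DNS served to the VMs by libvirt's dnsmasq on the private bridge
-A INPUT -i $VLAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $VLAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $VLAN -p tcp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $VLAN -d $vm_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
# VMs may not open connections to LAN hosts, but may reach other networks
-A FORWARD -i $VLAN -o $LAN -d $SUBNET -j DROP
-A FORWARD -i $VLAN -o $LAN -s $VSUBNET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the rules for review when called as: script VM_IP PORT
if [ "$#" -eq 2 ]; then dmz_rules "$1" "$2"; fi
```

Check the generated ruleset with iptables-restore --test before loading it, since loading replaces the rules libvirt installed for virbr0.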