Machine/template-xenial

From Sugar Labs
Jump to navigation Jump to search

VM Creation (host part)

virt-install -v --accelerate --nographics -x console=ttyS0,115200 \
--name template-xenial --vcpus=3 --ram $((1 * 1024)) \
--os-type=linux --os-variant=ubuntu16.04 --network bridge:br0 \
--disk path=/var/lib/libvirt/images/boot/template-xenial-boot.img,bus=virtio,size=0.25,format=raw \
--disk path=/dev/justice/template-xenial-root,bus=virtio,size=10 \
--location http://ubuntu.media.mit.edu/ubuntu/dists/xenial/main/installer-amd64/

Obs: format=raw is mandatory, otherwise qcow2 format will be used by default. raw format allows us to easily create device mappings for the image.

The new VM will boot into the installer. Answer all questions with the defaults, except:

  1. Hostname: template-precise
  2. Mirror: enter information manually
  3. Mirror hostname: ubuntu.media.mit.edu
  4. (create your user with a strong password and no encrypted home)
  5. Partitioning: manual (see Partitioning below)
  6. Automatically install security updates
  7. Software selection:
    • Basic Ubuntu Server
    • OpenSSH server
  8. GRUB: let the installer setup grub on /dev/vba (which contains /boot)

Partitioning

The goal is to have a small disk file for the MBR and /boot, and a larger raw filesystem in an LVM Logical Volume. We don't want the LV to be partitioned because this makes it harder to resize, mount, etc.

Now create a partition table in the smallest disk (256MB) and create a single partition in it. Format this partition as ext4, labeled "boot" and mounted as /boot.

The installer won't let you format the entire disk as a filesystem, so go ahead and partition the 10GB disk too, then create a primary partition in it and format it as ext4, mounted as / and labeled "template-xenial" ("template-xenial-root" would exceed the ext4 limit).

And yes.. just in case you're wondering. We don't use swap partitions.

We'll have to fix the disk later.

First boot

After installation has finished and OS is restarted, it will boot but we won't have serial console access (virsh console template-xenial). This is due the getty service for serial device is disabled by default on Ubuntu 16.04. We'll fix this later.

Switch the root filesystem to an LV

When the machine is offline, go to the host to recreate the root filesystem directly as an LV (as opposed to a partitioned volume)

First of all, we need to set up the device mapping for the first and only partition where the root filesystem resides.

kpartx -av  /dev/justice/template-xenial-root

Mount the root partition:

mkdir /mnt/template-xenial-root
mount /dev/mapper/justice-template--xenial-root1 /mnt/template-xenial-root

Now create and format a new LV:

 lvcreate -L 10G -n template-xenial-root2 justice
 mkfs.ext4 -L template-xenial -O flex_bg,extent,uninit_bg,sparse_super /dev/justice/template-xenial-root2
 tune2fs -c -1 -i 0 /dev/justice/template-xenial-root2
 mkdir /mnt/template-xenial-root2
 mount /dev/justice/template-xenial-root2 /mnt/template-xenial-root2

Move the files over:

 rsync -HAXphax --numeric-ids /mnt/template-xenial-root/ /mnt/template-xenial-root2/

NOTE: By default, Ubuntu 16.04 uses UUID in /etc/fstab in order to mount partitions. Since we have changed the root partition to a new disk, the UUID will change. Aside from that, the grub.cfg also specifies the location of the root filesystem using UUID notation (ex: /vmlinuz-4.4.0-89-generic root=UUID=0ad5d004-e5dd-4b93-abe4-2bb0ba4fd94a).

Before we umount the filesystems, let's create a chroot environment and fix previous issues:

 kpartx -av /var/lib/libvirt/images/boot/template-xenial-boot.img
 mount /dev/mapper/loop0p1 /mnt/template-xenial-root2/boot
 mount --bind /dev/ /mnt/template-xenial-root2/dev/
 mount -t proc proc /mnt/template-xenial-root2/proc/
 mount -t sysfs sys /mnt/template-xenial-root2/sys/
 chroot /mnt/template-xenial-root2/

Once inside the chroot environment:

  • Fix serial console access by making getty listen on /dev/ttyS0:
 systemctl enable serial-getty@ttyS0.service
  • Replace UUID with device name for root fs location inside /boot/grub/grub.cfg
 sed -i -r "s/root=UUID=[0-9a-f-]+/root=\/dev\/vdb/" /boot/grub/grub.cfg
  • Adjust /etc/fstab to mount the filesystems from "LABEL=boot" and "LABEL=template-xenial".


Finally (VERY IMPORTANT), umount all filesystems before starting the VM:

 umount /mnt/template-xenial-root2/boot/
 umount /mnt/template-xenial-root2/dev/
 umount /mnt/template-xenial-root2/proc/
 umount /mnt/template-xenial-root2/sys/
 umount /mnt/template-xenial-root2/ /mnt/template-xenial-root/

Get rid of the old root and rename the new one on top of it

 lvremove /dev/justice/template-xenial-root
 lvrename justice template-xenial-root2 template-xenial-root


Configuration after system start

After the installation, the machine will boot automatically and you'll be dropped into the serial console. You can return to the console at any time by doing:

virsh console template-xenial

Login with your installation username and password, then become root:

sudo -i
  • Adjust /etc/default/grub:
    • Set `GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,115200"` (and remove the obnoxious "quiet splash")
    • Uncomment GRUB_DISABLE_LINUX_UUID
  • Update grub: `update-grub`
  • Get rid of the restricted repositories from /etc/apt/sources.list (virtual machines don't need any non-free drivers anyway).
  • Add a few useful packages:
apt-get install etckeeper bash-completion strace munin-node postfix vim aptitude

Note: etckeeper uses git by default :)

When prompted on how to configure postfix, say "Internet site". Afterwards, edit `/etc/postfix/main.cs` by hand and set `inet_interfaces = loopback-only` and restart postfix.

  • Monitor mail for root:
echo >>/etc/aliases "root: systems-logs@lists.sugarlabs.org"
newaliases
  • Switch to the virtual kernel:
apt-get install linux-image-virtual linux-virtual
apt-get purge linux-image-generic
apt-get autoremove
update-grub

Network interface setup

We use 6to4 to reach the closest IPv6 anycast relay. Append the following to /etc/network/interfaces:

auto eth0
iface eth0 inet static

address 18.85.44.67 netmask 255.255.255.0 gateway 18.85.44.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 18.71.0.151 18.70.0.160 18.72.0.3 dns-search sugarlabs.org

auto tun6to4
iface tun6to4 inet6 v4tunnel

# printf "2002:%02x%02x:%02x%02x::1\n" `echo $IPV4ADDR | tr . ' '` address 2002:1255:2c43::1 netmask 16 gateway ::192.88.99.1 endpoint any local 18.85.44.67

Other configurations

Add these to /etc/sudoers:

#bernie: forward ssh-agent
Defaults    env_keep+="SSH_AUTH_SOCK"
#bernie: 
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
  • Install your ssh keys to /root/.ssh/authorized_keys and to your user account. Also install the wizbackup keys for Service/backup.

Once your keys are installed, you might SSH in and start configuration using a SSH session.

Log in with "ssh -A template-xenial.sugarlabs.org" to forward your ssh-agent and copy files from sunjammer

rsync -aP <your-user>@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/
ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc
ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc
ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh
ln -sf /usr/src/devtools/conf/vimrc /etc/vim/vimrc.local
vim /etc/bash.bashrc # comment out code messing with PS1
vim /etc/login.defs # set umask 002
  • Create /etc/zzz_profile.conf:
HOST_COLOR='\033[1;40;37m'
  • Disable PasswordAuthentication in /etc/ssh/sshd_config, then restart ssh
  • Set a blank password for root, to be used to log in from the console only
 passwd -d
  • Insert into /etc/munin/munin.node:
#bernie
allow ^208\.118\.235\.53$     # sunjammer.sugarlabs.org
allow ^2001:4830:134:7::11$   # sunjammer.sugarlabs.org (IPv6)
  • Add/remove munin plugins
cd /etc/munin/plugins
rm df_inode entropy forks fw_packets if_err_ens2 open_files open_inodes threads uptime processes proc_pri swap
  • Disable unused services (They are dependencies of the ubuntu-server package):
 systemctl disable snapd.service
 systemctl disable atd.service 
 systemctl disable iscsid.service 
 systemctl disable lvm2-monitor.service
 systemctl disable open-vm-tools.service
 systemctl disable lxcfs.service
 systemctl disable lxd-containers.service