====== IPFire as Xen (4.1) DomU ======
----
===== Introduction =====
----
The following procedure is inspired by [[http://wiki.ipfire.org/en/virtualization/xen/discussion_-_building_hvm_virtual_on_debian_xen_4.1|this article on the IPFire Wiki]], by [[http://wiki.ipfire.org/en/virtualization/xen/hvm-on-debian|this article]], which summarizes the previous one, and by [[http://www.panticz.de/IPfire-XEN-DomU|this article on the Panticz web site]].\\
The directory locations used in this example are based on this wiki's [[:sample:base|Sample Configuration]], but YMMV.\\
You should also read the README file inside the ipfire/ directory that is extracted from the archive.
If you have not done so already, it is also recommended that you learn at least the base concepts that IPFire relies on by reading through their website; at a minimum, you should grasp the [[http://www.ipfire.org/features#firewall|"colored" concept of the IPFire firewalling]].
Also read [[http://wiki.ipfire.org/en/virtualization/xen/start|this IPFire article]] to understand why it's recommended to install IPFire as a HVM.
----
===== Network =====
----
Setting up a firewall implies having at least 2 physical NICs on the host machine.
**TBC**
----
===== Using the scon Image of IPFire =====
----
==== Get the IPFire image ====
----
The [[http://downloads.ipfire.org/latest|IPFire download page]] didn't provide us with a link to the latest "scon" release, so let's have a look at the [[http://tracker.ipfire.org/|IPFire torrent tracker]]: bingo, there is a torrent for [[http://tracker.ipfire.org/d1417c54e16efb4ef79bad7804f20e4ce04a7d1a/download|ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz]]
Now use your favorite torrent app to download the compressed image to your workstation, and transfer the image to your Xen host.
> cd /directory/of/image/download/
> sftp root@
sftp> cd /opt/xen/X-Local-ISO
sftp> put ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz
----
==== Create the IPFire Virtual Hard Disk ====
----
We intend to generally use FBD (File Based Devices) VDIs in our deployment, so we'll create an FBD:
> zcat ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz > /opt/xen/X-Local-VMS/ipfire
> fallocate -l 4G /opt/xen/X-Local-VMS/ipfire
If we were to use LVM VDIs, we'd use:
> lvcreate -L 4G -n ipfire vg0
> zcat ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz > /dev/vg0/ipfire
----
==== Create VM configuration file ====
----
By convention, Xen VM configuration files should end in .cfg, but to help differentiate Paravirts and HVMs, we'll use the .hvm suffix. Thus we'll create //**/opt/xen/X-Local-VMS/ipfire.hvm**//
For more details about the configuration options, you can refer to [[http://wiki.ipfire.org/en/virtualization/xen/discussion_-_building_hvm_virtual_on_debian_xen_4.1#create_the_configuration_file|the original article that inspired this procedure]].
> nano /opt/xen/X-Local-VMS/ipfire.hvm
kernel="hvmloader"
builder='hvm'
device_model='qemu-dm'
memory = 512 # adjust this as needed, though 512M is enough for most purposes
name = "ipfire"
vcpus=1 # adjust as needed, though a single processor is fine
# this is the heart of the matter, setting up the correct network interfaces
# the bridge should match your configuration (must be defined to Xen)
# the mac address must be unique in YOUR network
# vifname simply allows you to find the interface from the DOM0 using ifconfig
vif = [
'mac=00:17:3e:be:b1:1a, bridge=xenbr0,vifname=fw_green', ## Green
'mac=00:17:3e:be:b1:1b, bridge=xenbr1,vifname=fw_red', ## Red
# 'mac=00:17:3e:be:b1:1c, bridge=xenbr2,vifname=fw_blue', ## Blue
# 'mac=00:17:3e:be:b1:1d, bridge=xenbr3,vifname=fw_orange', ## Orange
]
# points to the storage used for this DOMU
disk = [
'file:/opt/xen/X-Local-VMS/ipfire,hda,w',
# for LVM partitions: 'phy:/dev/vg0/ipfire,hda,w',
]
localtime=0 # take time from server clock
serial='pty' # allow us to connect from xl console
boot="c"
sdl=0
acpi=1
apic=1
pae=1
usbdevice='tablet'
# do not use VNC since console is redirected to DOM0
#vnc=1
#vncdisplay=1
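
The comments in the vif section above ask for unique MAC addresses and give each zone its own bridge. The following check is an added example, not part of the original procedure or of the Xen or IPFire tooling; the function name check_vifs and the constructed sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the active vif entries of an xl domain config.
# check_vifs and the sample_* data are illustrative, not part of Xen or IPFire.

# check_vifs [FILE]: reads FILE (or stdin), prints one finding per line,
# returns 1 if anything was found and 0 otherwise.
check_vifs() {
    awk '
    BEGIN { n = 0; rc = 0 }
    function bad(msg) { print "FINDING: " msg; rc = 1 }
    /^[ \t]*#/ { next }                      # skip commented-out entries
    /mac=/ && /bridge=/ {
        n++
        mac = tolower($0); sub(/.*mac=/, "", mac); sub(/[^0-9a-f:].*/, "", mac)
        br = $0; sub(/.*bridge=/, "", br); sub(/[^A-Za-z0-9_.-].*/, "", br)
        if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/)
            bad("malformed MAC " mac)
        if (mac in macs) bad("duplicate MAC " mac)
        # Two zones on one bridge share a layer-2 segment, so traffic
        # between them never has to cross the firewall.
        if (br in brs) bad("bridge " br " carries more than one zone")
        macs[mac] = 1; brs[br] = 1
    }
    END {
        if (n < 2) bad("only " n " active vif(s); Green and Red are both required")
        exit rc
    }' "${1:--}"
}

# Constructed sample: the vif list from the configuration above.
sample_good() {
    cat <<'EOF'
vif = [
'mac=00:17:3e:be:b1:1a, bridge=xenbr0,vifname=fw_green', ## Green
'mac=00:17:3e:be:b1:1b, bridge=xenbr1,vifname=fw_red', ## Red
# 'mac=00:17:3e:be:b1:1c, bridge=xenbr2,vifname=fw_blue', ## Blue
]
EOF
}

# Constructed sample: Red copied from Green without changing MAC or bridge.
sample_bad() {
    sample_good | sed 's/b1:1b, bridge=xenbr1/b1:1a, bridge=xenbr0/'
}

sample_good | check_vifs && echo "good sample: no findings"
sample_bad | check_vifs || echo "bad sample: rejected"
```

Run it against the real file with check_vifs /opt/xen/X-Local-VMS/ipfire.hvm before starting the VM. It only detects MAC collisions inside that one file, not against other hosts on the network.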
----
==== Start the VM ====
----
Now we'd like to start the virtual machine.
Unfortunately, we're using the XAPI toolstack, which doesn't provide an equivalent to **xl create -c**.\\
We'll have to switch the toolstack and reboot (had no time to search how to only restart the toolstack itself).
> nano /etc/default/xen
TOOLSTACK=xl
> reboot
Start the virtual machine with
> cd /opt/xen/X-Local-VMS/
> xl create ipfire.hvm -c
It will boot, do some housekeeping and reboot. During the reboot you will lose your console, and must reconnect.
The -c option tells xl to connect you to the console immediately. You can watch as the housekeeping is done (mainly, enlarging the / partition), then you will see the reboot message. When you are back at the DOM0 prompt, reconnect with
> xl console ipfire
Then configure the router. Remember, if you are connected over a terminal window on your workstation (likely via ssh), the size of the window should be as close as possible to 80 characters x 24 lines. This is an ongoing issue with the scon install, and one that cannot be easily fixed.
==== STOP ====
++++ Deprecated method (click to see) |
Follow the [[hypervisor:base:xcp-xapi#create_and_access_a_vdi_from_dom0|procedure described in this wiki]] to create a dedicated VDI for the IPFire VM. But **DO NOT PLUG THE VBD YET**, as we'll first copy the IPFire image disk to it.
=== Copy the IPFire image to the vhd file ===
The IPFire image contains the partitions that are needed by the IPFire VM we intend to create; you can verify this by unzipping it and examining it with kpartx:
> gunzip /opt/xen/X-Local-ISO/ipfire-2.17.1gb-ext4-scon.i586-full-core87.img
> kpartx -l /opt/xen/X-Local-ISO/ipfire-2.17.1gb-ext4-scon.i586-full-core87.img
loop0p1 : 0 122880 /dev/loop0 8192
loop0p3 : 0 1536000 /dev/loop0 131072
loop deleted : /dev/loop0
Let's copy the image to our vhd file:
> cat /opt/xen/X-Local-ISO/ipfire-2.17.1gb-ext4-scon.i586-full-core87.img > /run/sr-mount/26b9d87b-f344-1c8d-c5c5-a155d4e4e2e0/72e00fc6-98bb-48fe-ab4d-b52d1ef721b5.vhd
Using zcat, the image doesn't even need to be unzipped before the copy:
> zcat /opt/xen/X-Local-ISO/ipfire-2.17.1gb-ext4-scon.i586-full-core87.img.gz > /run/sr-mount/26b9d87b-f344-1c8d-c5c5-a155d4e4e2e0/72e00fc6-98bb-48fe-ab4d-b52d1ef721b5.vhd
We can verify that our vhd file now contains 2 partitions:
> kpartx -l /run/sr-mount/26b9d87b-f344-1c8d-c5c5-a155d4e4e2e0/72e00fc6-98bb-48fe-ab4d-b52d1ef721b5.vhd
loop0p1 : 0 122880 /dev/loop0 8192
loop0p3 : 0 1536000 /dev/loop0 131072
loop deleted : /dev/loop0
++++
----
++++ See deprecated method |
----
===== Extract the IPFire Installer Script =====
----
Go to the [[http://downloads.ipfire.org/latest|IPFire download page]] and get the link to the latest Xen image; as of this writing (2015-03-07) that is [[http://mirrors-uk.go-parts.com/ipfire/releases/ipfire-2.x/2.17-core87/ipfire-2.17.xen.i586-downloader-core87.tar.bz2]].\\
The download link will get you install scripts that you'll need to run in order to download and build the IPFire xen-images. You'll need to be root to do this.
> ssh root@
> cd /opt/xen/X-Local-XVA
> wget http://downloads.ipfire.org/releases/ipfire-2.x/2.17-core87/ipfire-2.17.xen.i586-downloader-core87.tar.bz2
> tar -xjf ipfire-2.17.xen.i586-downloader-core87.tar.bz2
++++