I have built a couple of Linux based VMWare servers that are used at work for development. There are often issues with backing up VMWare virtual machines, especially when you need to shut down a VM in order to back it up.

In Linux, I have come up with a way to automate this process. For our example, let's assume that we have a VM located at /var/VMs/Ubuntu.vmx. Let's also assume that our backup starts at 2:00 AM and finishes by 3:00 AM each morning. What I am doing is scheduling two cron jobs: one at 1:00 AM to shut down the virtual machine and one at 4:00 AM to start it again.

Here is what my crontab file looks like:

0 1 * * * vmware-cmd '/var/VMs/Ubuntu.vmx' stop >/dev/null 2>&1
0 4 * * * vmware-cmd '/var/VMs/Ubuntu.vmx' start >/dev/null 2>&1

If you are wondering about the >/dev/null 2>&1 part of the command: it sends both standard output and standard error to /dev/null, so cron has no output left to e-mail you.
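The two time-based cron entries assume the VM is really off by 2:00 AM and that nothing went wrong. The following script is an added example, not code from the original post: a single cron job that stops the VM, waits until vmware-cmd reports it off, runs the backup, and starts it again. It assumes that "vmware-cmd <vmx> getstate" prints a line of the form "getstate() = on" or "getstate() = off", and BACKUP_CMD is a placeholder for your real backup command.

```shell
#!/bin/sh
# Added example (not from the original post): one cron job that stops the VM,
# waits until vmware-cmd really reports it off, runs the backup, then starts
# it again, instead of two blind time-based entries an hour apart.
# Assumptions: "vmware-cmd <vmx> getstate" prints "getstate() = on|off|...",
# and BACKUP_CMD is a placeholder for your real backup command.
VMX="${VMX:-/var/VMs/Ubuntu.vmx}"
VMWARE_CMD="${VMWARE_CMD:-vmware-cmd}"                # overridable for testing
BACKUP_CMD="${BACKUP_CMD:-echo BACKUP_PLACEHOLDER}"   # receives the .vmx path

# Current power state word, e.g. "on" or "off" (empty if vmware-cmd fails)
vm_state() {
    "$VMWARE_CMD" "$VMX" getstate 2>/dev/null | sed -n 's/^getstate() = //p'
}

# wait_for_state SECONDS STATE: poll once a second; returns 1 on timeout
wait_for_state() {
    n="$1"; want="$2"
    while [ "$n" -gt 0 ]; do
        [ "$(vm_state)" = "$want" ] && return 0
        sleep 1; n=$((n - 1))
    done
    return 1
}

# Stop if running, back up, restart only if we stopped it. Return codes:
# 0 ok, 2 stop failed, 3 never reached "off", 4 unexpected state, else backup rc
backup_vm() {
    before="$(vm_state)"
    case "$before" in
        on)
            "$VMWARE_CMD" "$VMX" stop || return 2
            wait_for_state 300 off || return 3 ;;
        off) ;;                       # already off: back it up as-is
        *) return 4 ;;                # suspended, stuck or unknown: leave it
    esac
    $BACKUP_CMD "$VMX"; rc=$?
    if [ "$before" = on ]; then
        "$VMWARE_CMD" "$VMX" start    # bring it back even if the backup failed
    fi
    return "$rc"
}

# crontab: 0 2 * * * /usr/local/bin/vm-backup.sh run >/dev/null 2>&1
case "${1:-}" in
    run) backup_vm ;;
esac
```

Because the script refuses to touch a VM in any state other than "on" or "off", a suspended or stuck guest is left alone and the non-zero exit code shows up in cron's mail instead of a silently skipped backup.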

The vmware-cmd utility has a number of other uses. For your reference, here is the complete usage and options:

Usage: vmware-cmd <options> <vm-cfg-path> <vm-action> <arguments>
vmware-cmd -s <options> <server-action> <arguments>

Options:
Connection Options:
-H <host> specifies an alternative host (if set, -U and -P must also be set)
-O <port> specifies an alternative port
-U <username> specifies a user
-P <password> specifies a password
General Options:
-h More detailed help.
-q Quiet. Minimal output
-v Verbose.

Server Operations:
vmware-cmd -l
vmware-cmd -s register <config_file_path>
vmware-cmd -s unregister <config_file_path>
vmware-cmd -s getresource <variable>
vmware-cmd -s setresource <variable> <value>

VM Operations:
vmware-cmd <cfg> getconnectedusers
vmware-cmd <cfg> getstate
vmware-cmd <cfg> start <powerop_mode>
vmware-cmd <cfg> stop <powerop_mode>
vmware-cmd <cfg> reset <powerop_mode>
vmware-cmd <cfg> suspend <powerop_mode>
vmware-cmd <cfg> setconfig <variable> <value>
vmware-cmd <cfg> getconfig <variable>
vmware-cmd <cfg> setguestinfo <variable> <value>
vmware-cmd <cfg> getguestinfo <variable>
vmware-cmd <cfg> getid
vmware-cmd <cfg> getpid
vmware-cmd <cfg> getproductinfo <prodinfo>
vmware-cmd <cfg> connectdevice <device_name>
vmware-cmd <cfg> disconnectdevice <device_name>
vmware-cmd <cfg> getconfigfile
vmware-cmd <cfg> getheartbeat
vmware-cmd <cfg> getuptime
vmware-cmd <cfg> getremoteconnections
vmware-cmd <cfg> gettoolslastactive
vmware-cmd <cfg> getresource <variable>
vmware-cmd <cfg> setresource <variable> <value>
vmware-cmd <cfg> setrunasuser <username> <password>
vmware-cmd <cfg> getrunasuser
vmware-cmd <cfg> getcapabilities
vmware-cmd <cfg> addredo <disk_device_name>
vmware-cmd <cfg> commit <disk_device_name> <level> <freeze> <wait>
vmware-cmd <cfg> answer

If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?

Since the whole VPS (Virtual Private Server) thing is going so well for me, I thought that I would let my readers know about some of the steps that I took to set it up. In this episode I will be talking about updating the initially installed image and configuring the Linux firewall using iptables.

Just as a side note, the VPS that I have is running Ubuntu 8.04 (Hardy Heron), so if you are using a different OS you may have to do things a bit differently.

Update The Server

For those of you from the Windows world, this may seem to be shockingly easy. First, you need to edit the file which tells the system where to get all of the updates. I like to enable all of the sources, including universe and source code. To do this, you need to edit /etc/apt/sources.list:

sudo nano /etc/apt/sources.list

Remove the # characters in front of all the sources. When I was done, my sources.list file looked like this:

deb http://archive.ubuntu.com/ubuntu/ hardy main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted universe

deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe

deb http://security.ubuntu.com/ubuntu hardy-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted universe

Now, update Ubuntu by entering these three commands one after another:

sudo aptitude -y update
sudo aptitude -y safe-upgrade
sudo aptitude -y full-upgrade

That’s all there is to it!

Configure iptables

In my opinion, this is the most important thing that you can do because it helps to restrict access to your VPS. The configuration that I am presenting here is just the basics that you should set up; you may want to tighten it down a bit afterward.

Backup

The first thing that you need to do is back up your present iptables rules (the redirection has to run as root, which is why the whole command is wrapped in sudo sh -c):

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

Create Filter

Next, you are going to want to create your filter. This is a set of rules that tells the firewall what you want to do with data packets that hit your network card.

First, allow all loopback (lo) traffic and reject any traffic addressed to 127.0.0.0/8 that does not arrive on lo. This lets the network services running on your VPS talk to each other:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

Next, accept all established inbound connections. This means that anything that is already connected to your firewall will remain connected, even if there is a change to the rules. This is very handy to prevent you from locking yourself out of your virtual server if you accidentally disable the wrong port:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You want your VPS to be able to talk to anything on the Internet, so you need to enable that access:

sudo iptables -A OUTPUT -j ACCEPT

Since we are building a web server, we need to allow HTTP (port 80) and HTTPS (port 443) connections from anywhere on the Internet:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Linux servers are managed primarily via SSH. So, we need to make sure that we have an SSH port open. I decided to use a non-standard port (port 999) rather than the standard port 22:

sudo iptables -A INPUT -p tcp -m state --state NEW --dport 999 -j ACCEPT

The next line will allow you (and others) to ping your server. There is some debate as to whether or not you should allow pings but, in the end, it is really up to you:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

We need to know if anyone out there is trying to tamper with our server, so we log the packets that iptables is about to deny (rate-limited to 5 per minute so a flood of packets cannot fill the log):

sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Since we have opened all of the ports that we want reachable, we drop all other inbound traffic (and all forwarded traffic) that is not explicitly allowed above:

sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP

Save Rules

Now that we have created our filter/rules, we need to save them (again wrapped in sudo sh -c so the redirection into /etc runs as root):

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

When you are finished, your /etc/iptables.up.rules file should look something like this:

# Generated by iptables-save v1.3.8 on Fri Jul 18 02:03:12 2008
*filter
:INPUT ACCEPT [15:1712]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:9376]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jul 18 02:03:12 2008

Configure Network to Load Rules Automatically

We need to make sure that these rules are reloaded automatically whenever the server reboots. Do this by editing the network interface configuration so that it loads the rules:

sudo nano /etc/network/interfaces

Add the following line directly after the line iface lo inet loopback, then save the file:

pre-up iptables-restore < /etc/iptables.up.rules
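The steps above append rules one at a time, and the saved file keeps the chain policy at ACCEPT with a final DROP rule, so the firewall fails open if that last rule is ever missing. The script below is an added example, not code from the original post: it writes the same filter as one iptables-restore ruleset with DROP policies and loads it atomically. It assumes SSH on port 999 as in the post, and RULES_FILE is a placeholder path.

```shell
#!/bin/sh
# Added example, not from the original post: the same filter as the post,
# written as one iptables-restore ruleset and loaded atomically, so a typo
# halfway through a series of "iptables -A" calls cannot leave the host
# half-configured. Chain policies are DROP (the post's saved file has INPUT
# ACCEPT with a final DROP rule, which fails open if that rule is missing).
# Assumptions: SSH on 999 as in the post; RULES_FILE is a placeholder path.
SSH_PORT="${SSH_PORT:-999}"
WEB_PORTS="${WEB_PORTS:-80 443}"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"

# Print the ruleset in iptables-save format (order matters: loopback,
# established, explicit allows, rate-limited log, then the policy drops).
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT" \
        '-A INPUT -p icmp --icmp-type 8 -j ACCEPT' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
        'COMMIT'
}

# Load the new set in one transaction; only replace the saved file on success,
# so the pre-up line in /etc/network/interfaces never restores a ruleset that
# iptables-restore rejected.
apply_rules() {
    tmp="$RULES_FILE.new"
    gen_rules > "$tmp" || return 1
    if iptables-restore < "$tmp"; then
        mv "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"; return 1
    fi
}

# Usage: sh firewall.sh apply   (as root)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

With the policy at DROP the fail state is closed rather than open: a flushed table cuts off everyone, including you, so keep console access to the VPS when you first apply this.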

Conclusion

With this short tutorial, we have upgraded and secured our VPS. In part 2, we are going to look at installing and configuring SSH so that we can remotely connect to and manage the VPS, plus we are going to add some security to our SSH sessions by changing the SSH port to 999 and setting up and using public and private keys with PuTTY in Windows.


Virtual Computers

We are presently working on a project to convert all of our servers to virtual servers. There seem to be a number of players in this arena and I wanted to present them for all to see.

Each of these comes with an open source or freeware version that can be used indefinitely.

VMWare

Obviously, the big boy in the field. These guys have recently gone public with their stock and have made a big splash. They have several different products but their server virtualization product is what interests me. Here is what their website has to say:

Begin enjoying the benefits of server virtualization with the free VMware Server. VMware Server installs on any existing server hardware and partitions a physical server into multiple virtual machines by abstracting processor, memory, storage and networking resources, giving you greater hardware utilization and flexibility. Streamline software development and testing and simplify server provisioning as you utilize the ability to “build once, deploy many times.”

  • Provision a new server in minutes without investing in new hardware
  • Simplify IT testing of patches, new applications and operating systems
  • The benefits of server virtualization can be realized by a company of any size

XenSource

  • Packaged Xen Virtualization
  • Blazing Fast Performance for Windows and Linux Guests
  • XenCenter Single Server Management
  • Seamless Upgrade Path to XenServer™ and XenEnterprise™
  • Free

XenExpress v4 is a free, production-ready virtualization platform that enables everyone to quickly get started with Xen virtualization. Easily installed and seamlessly upgradeable, XenExpress is your on-ramp to Xen and the XenSource v4 product family.

XenExpress v4 offers all of the base performance, tools, and easy to use features of XenEnterprise v4 and is built to run on the broadest range of standard server hardware. It supports dual socket servers with up to 4GB of RAM and can host up to four virtual machines on each system.

XenExpress v4 can be quickly upgraded to the richer capabilities of XenServer or XenEnterprise by the simple addition of a license key, with no need to reinstall software or convert guests.

Virtual Iron

Virtual Iron provides enterprise-class software for server virtualization & virtual infrastructure management. The product offers comparable capabilities and performance to established proprietary offerings – for just a fraction of the cost.

By taking full advantage of industry standards and open source economics, Virtual Iron dramatically reduces the cost and complexity of virtualization and for the first time, makes production-ready capabilities available to the mainstream market.

A Comprehensive Virtualization Solution

Virtual Iron enables server partitioning for single and multi-server configuration, no downtime virtual server migration (LiveMigrate™), advanced management capabilities for rapid provisioning, high availability and disaster recovery (LiveRecovery™) and capacity management (LiveCapacity™). With these advanced capabilities, users can:

  • Virtualize enterprise-class workloads running on unmodified Windows and Linux operating systems.
  • Improve the utilization of current systems and reduce power, space and cooling issues through server consolidation.
  • Quickly set up development, test and production environments.
  • Recover from failures quickly, reliably and cost-efficiently.
  • Match resource capacity to workload demands automatically.
  • Reduce human labor and errors via policy-based automation.


Moka5

My USB drive houses pretty much everything that I use on a regular basis as far as data and applications. The one thing it does not house is my operating system. Now, I know that there are several ways I could get an operating system onto my USB drive, including BartPE and Linux bootable USB drives. But what if I want to have multiple operating systems available to me and do not want to shut down, swap or reconfigure USB drives offline and then reboot? What then?

This is where Moka5 comes in. Moka5 has created a virtual computer engine based on VMWare Player. The engine can be installed on your Windows system or even on a USB drive. According to the Moka5 website, the engine is used to…

…launch, create, and share LivePCs™ on Windows XP machines. The moka5 Engine will stream and prefetch LivePCs™ so they can be shared efficiently. It automatically updates the LivePCs™ as the maintainers make changes, ensuring that you stay current. You can install it on a USB flash drive, USB hard disk, iPod, or a desktop computer.

What is a LivePC, you ask? Moka5 says:

moka5 LivePCs™ contain everything needed to run a virtual computer — an operating system and a set of applications. You can use LivePCs™ on your desktop, or you can take them with you on a portable USB drive. You can create and share your own LivePCs™, or use the public LivePCs™ created by others in our LivePC Library™

So, essentially, these virtual computers run in either online or offline mode. In offline mode, the LivePC is located on your local drive (including a USB drive). All user files are stored outside the virtual computer and the whole system runs from your machine.

In online mode, the LivePC is initially streamed from a web server and then cached locally. Whenever the maintainer of the LivePC updates it, the updates are automatically sent out to all users of that LivePC.

There is also a bare-metal version of the LivePC Engine which installs directly on hardware without the need for a host operating system. This helps to increase the speed of the system and also helps with its security. This version, unfortunately, is not available for a USB drive.

Useful Links
