XEN3 Installation auf Debian 3.1 Sarge (stable)
Shorewall Firewall
- Shorewall - Minimal Setup
- Shorewall - README.Debian

XEN3 Installation auf Debian 3.1 Sarge (stable)

Siehe auch:

netboot.iso

Zunächst mit dem debian-31r4-i386-netinst.iso booten.

boot: linux26 acpi=off

Spracheinstellungen: deutsch
Partitionierung:
- Gesamtes Laufwerk löschen
- Neue leere Partitionstabelle erzeugen
  - sda1 / 6GB ext3
  - sda2 swap 2GB swap
  - sda3 /data rest XFS

Installation des Debian Grundsystems läuft
- GRUB in MBR → ja
- reboot linux 2.6.8-3-i686
Konfiguration Debian Grundsystem
- Hardware Clock GMT (UTC)
- Zeitzone Europe/Berlin
- Benutzerdefinition
- Apt-Konfiguration
- Apt-Quellen hinzufügen: http: Deutschland: ftp.de.debian.org
- Debian Software Auswahl: [X] Manuell

||/ Name           Version        Beschreibung
+++-==============-==============-============================================
ii  adduser        3.63           Add and remove users and groups
ii  apt            0.5.28.6       Advanced front-end for dpkg
ii  apt-utils      0.5.28.6       APT utility programs
ii  aptitude       0.2.15.9-2     terminal-based apt frontend
ii  at             3.1.8-11       Delayed job execution and batch processing
ii  base-config    2.53.10.2      Debian base system configurator
ii  base-files     3.1.2          Debian base system miscellaneous files
ii  base-passwd    3.5.9          Debian base system master password and group
ii  bash           2.05b-26       The GNU Bourne Again SHell
ii  bind9-host     9.2.4-1sarge1  Version of 'host' bundled with BIND 9.X
ii  bsdmainutils   6.0.17         collection of more utilities from FreeBSD
ii  bsdutils       2.12p-4sarge1  Basic utilities from 4.4BSD-Lite
ii  console-common 0.7.49         Basic infrastructure for text console config
ii  console-data   2002.12.04dbs- Keymaps, fonts, charset maps, fallback table
ii  console-tools  0.2.3dbs-56    Linux console and font utilities
ii  coreutils      5.2.1-2        The GNU core utilities
ii  cpio           2.5-1.3        GNU cpio -- a program to manage archives of 
ii  cramfsprogs    1.1-6          Tools for CramFs (Compressed ROM File System
ii  cron           3.0pl1-86      management of regular background processing
ii  dash           0.5.2-5        The Debian Almquist Shell
ii  debconf        1.4.30.13      Debian configuration management system
ii  debconf-i18n   1.4.30.13      full internationalization support for debcon
ii  debianutils    2.8.4          Miscellaneous utilities specific to Debian
ii  dhcp-client    2.0pl5-19.1sar DHCP Client
ii  diff           2.8.1-11       File comparison utilities
ii  discover1      1.7.7          hardware identification system
ii  discover1-data 1.2005.01.08   hardware lists for libdiscover1
ii  dnsutils       9.2.4-1sarge1  Clients provided with BIND
ii  dpkg           1.10.28        Package maintenance system for Debian
ii  dselect        1.10.28        a user tool to manage Debian packages
ii  e2fslibs       1.37-2sarge1   ext2 filesystem libraries
ii  e2fsprogs      1.37-2sarge1   ext2 file system utilities and libraries
ii  ed             0.2-20         The classic unix line editor
ii  eject          2.0.13deb-8sar ejects CDs and operates CD-Changers under Li
ii  exim4          4.50-8sarge2   metapackage to ease exim MTA (v4) installati
ii  exim4-base     4.50-8sarge2   support files for all exim MTA (v4) packages
ii  exim4-config   4.50-8sarge2   configuration for the exim MTA (v4)
ii  exim4-daemon-l 4.50-8sarge2   lightweight exim MTA (v4) daemon
ii  fdutils        5.4-20040228-1 Linux floppy utilities
ii  file           4.12-1         Determines file type using "magic" numbers
ii  findutils      4.1.20-6       utilities for finding files--find, xargs, an
ii  gcc-3.3-base   3.3.5-13       The GNU Compiler Collection (base package)
ii  gettext-base   0.14.4-2       GNU Internationalization utilities for the b
ii  gnupg          1.4.1-1.sarge5 GNU privacy guard - a free PGP replacement
ii  grep           2.5.1.ds1-4    GNU grep, egrep and fgrep
ii  groff-base     1.18.1.1-7     GNU troff text-formatting system (base syste
ii  grub           0.95+cvs200406 GRand Unified Bootloader
ii  gzip           1.3.5-10sarge2 The GNU compression utility
ii  hostname       2.13           A utility to set/show the host name or domai
ii  hotplug        0.0.20040329-2 Linux Hotplug Scripts
ii  ifupdown       0.6.7          high level tools to configure network interf
ii  info           4.7-2.2        Standalone GNU Info documentation browser
ii  initrd-tools   0.1.81.1       tools to create initrd image for prepackaged
ii  initscripts    2.86.ds1-1     Standard scripts needed for booting and shut
ii  ipchains       1.3.10-15      Network firewalling for Linux 2.2.x
ii  iptables       1.2.11-10      Linux kernel 2.4+ iptables administration to
ii  iputils-ping   20020927-2     Tools to test the reachability of network ho
ii  iso-codes      0.44-1         ISO language, territory, currency  codes and
ii  kernel-image-2 2.6.8-16sarge5 Linux kernel image for version 2.6.8 on 386.
ii  klogd          1.4.1-17       Kernel Logging Daemon
ii  language-env   0.64           simple configuration tool for native languag
ii  less           382-1          Pager program similar to more
ii  libacl1        2.2.23-1       Access control list shared library
ii  libapt-pkg-per 0.1.13         Perl interface to libapt-pkg
ii  libattr1       2.4.16-1       Extended attribute shared library
ii  libblkid1      1.37-2sarge1   block device id library
ii  libbz2-1.0     1.0.2-7        high-quality block-sorting file compressor l
ii  libc6          2.3.2.ds1-22sa GNU C Library: Shared libraries and Timezone
ii  libcap1        1.10-14        support for getting/setting POSIX.1e capabil
ii  libcomerr2     1.37-2sarge1   common error description library
ii  libconfig-inif 2.38-3         Read .ini-style configuration files
ii  libconsole     0.2.3dbs-56    Shared libraries for Linux console and font 
ii  libdb1-compat  2.1.3-7        The Berkeley database routines [glibc 2.0/2.
ii  libdb3         3.2.9-22       Berkeley v3 Database Libraries [runtime]
ii  libdb4.2       4.2.52-18      Berkeley v4.2 Database Libraries [runtime]
ii  libdevmapper1. 1.01.00-4sarge The Linux Kernel Device Mapper userspace lib
ii  libdiscover1   1.7.7          hardware identification library
ii  libdns16       9.2.4-1sarge1  DNS Shared Library used by BIND
ii  libgcc1        3.4.3-13sarge1 GCC support library
ii  libgcrypt11    1.2.0-11.1     LGPL Crypto library - runtime library
ii  libgdbm3       1.8.3-2        GNU dbm database routines (runtime version)
ii  libgnutls11    1.0.16-13.2sar GNU TLS library - runtime library
ii  libgpg-error0  1.0-1          library for common error values and messages
ii  libisc7        9.2.4-1sarge1  ISC Shared Library used by BIND
ii  libldap2       2.1.30-8       OpenLDAP libraries
ii  liblocale-gett 1.01-17        Using libc functions for internationalizatio
ii  liblockfile1   1.06           NFS-safe locking library, includes dotlockfi
ii  liblwres1      9.2.4-1sarge1  Lightweight Resolver Library used by BIND
ii  liblzo1        1.08-1.2       A real-time data compression library
ii  libmagic1      4.12-1         File type determination library using "magic
ii  libncurses5    5.4-4          Shared libraries for terminal handling
ii  libnewt0.51    0.51.6-20      Not Erik's Windowing Toolkit - text mode win
ii  libopencdk8    0.5.5-10       Open Crypto Development Kit (OpenCDK) (runti
ii  libpam-modules 0.76-22        Pluggable Authentication Modules for PAM
ii  libpam-runtime 0.76-22        Runtime support for the PAM library
ii  libpam0g       0.76-22        Pluggable Authentication Modules library
ii  libpcap0.7     0.7.2-7        System interface for user-level packet captu
ii  libpcre3       4.5-1.2sarge1  Perl 5 Compatible Regular Expression Library
ii  libpopt0       1.7-5          lib for parsing cmdline parameters
ii  libreadline4   4.3-11         GNU readline and history libraries, run-time
ii  libreadline5   5.0-10         GNU readline and history libraries, run-time
ii  libsasl2       2.1.19.dfsg1-0 Authentication abstraction library
ii  libsigc++-1.2- 1.2.5-4        type-safe Signal Framework for C++ - runtime
ii  libss2         1.37-2sarge1   command-line interface parsing library
ii  libssl0.9.7    0.9.7e-3sarge4 SSL shared libraries
ii  libstdc++5     3.3.5-13       The GNU Standard C++ Library v3
ii  libtasn1-2     0.2.10-3sarge1 Manage ASN.1 structures (runtime)
ii  libtext-charwi 0.04-1         get display widths of characters on the term
ii  libtext-iconv- 1.2-3          Convert between character sets in Perl
ii  libtext-wrapi1 0.06-1         internationalized substitute of Text::Wrap
ii  libtextwrap1   0.1-1          text-wrapping library with i18n - runtime
ii  libusb-0.1-4   0.1.10a-9.sarg userspace USB programming library
ii  libuuid1       1.37-2sarge1   universally unique id library
ii  libwrap0       7.6.dbs-8      Wietse Venema's TCP wrappers library
ii  locales        2.3.2.ds1-22sa GNU C Library: National Language (locale) da
ii  localization-c 0.116          configures different programs' locale settin
ii  login          4.0.3-31sarge9 system login tools
ii  logrotate      3.7-5          Log rotation utility
ii  lsb-base       2.0-7          Linux Standard Base 2.0 init script function
ii  lvm-common     1.5.17         The Logical Volume Manager for Linux (common
ii  lvm2           2.01.04-5      The Linux Logical Volume Manager
ii  mailx          8.1.2-0.200405 A simple mail user agent
ii  makedev        2.3.1-77       creates device files in /dev
ii  man-db         2.4.2-21       The on-line manual pager
ii  manpages       1.70-1         Manual pages about using a GNU/Linux system
ii  manpages-de    0.4-8          German manpages
ii  mawk           1.3.3-11       a pattern scanning and text processing langu
ii  mdetect        0.5.2          mouse device autodetection tool
ii  module-init-to 3.2-pre1-2     tools for managing Linux kernel modules
ii  modutils       2.4.26-1.2     Linux module utilities
ii  mount          2.12p-4sarge1  Tools for mounting and manipulating filesyst
ii  nano           1.2.4-5        free Pico clone with some new features
ii  ncurses-base   5.4-4          Descriptions of common terminal types
ii  ncurses-bin    5.4-4          Terminal-related programs and man pages
ii  net-tools      1.60-10        The NET-3 networking toolkit
ii  netbase        4.21           Basic TCP/IP networking system
rc  netkit-inetd   0.10-10        The Internet Superserver
ii  nvi            1.79-22        4.4BSD re-implementation of vi
ii  openbsd-inetd  0.20040915-1   The OpenBSD Internet Superserver
ii  passwd         4.0.3-31sarge9 change and administer password and group dat
ii  patch          2.5.9-2        Apply a diff file to an original
ii  pciutils       2.1.11-15      Linux PCI Utilities
ii  pcmcia-cs      3.2.5-10       PCMCIA Card Services for Linux
ii  perl           5.8.4-8sarge5  Larry Wall's Practical Extraction and Report
ii  perl-base      5.8.4-8sarge5  The Pathologically Eclectic Rubbish Lister
ii  perl-modules   5.8.4-8sarge5  Core Perl modules
ii  ppp            2.4.3-20050321 Point-to-Point Protocol (PPP) daemon
ii  pppconfig      2.3.11         A text menu based utility for configuring pp
ii  pppoe          3.5-4          PPP over Ethernet driver
ii  pppoeconf      1.7            configures PPPoE/ADSL connections
ii  procps         3.2.1-2        The /proc file system utilities
ii  psmisc         21.5-1         Utilities that use the proc filesystem
ii  read-edid      1.4.1-2        hardware information-gathering tool for VESA
ii  sed            4.1.2-8        The GNU sed stream editor
ii  slang1a-utf8   1.4.9dbs-8     The S-Lang programming library with utf8 sup
ii  sysklogd       1.4.1-17       System Logging Daemon
ii  sysv-rc        2.86.ds1-1     Standard boot mechanism using symlinks in /e
ii  sysvinit       2.86.ds1-1     System-V like init
ii  tar            1.14-2.2       GNU tar
ii  tasksel        2.24           Tool for selecting tasks for installation on
ii  tcpd           7.6.dbs-8      Wietse Venema's TCP wrapper utilities
ii  telnet         0.17-29        The telnet client
ii  time           1.7-21         The GNU time program for measuring cpu resou
ii  traceroute     1.4a12-18      traces the route taken by packets over a TCP
ii  usbutils       0.70-8         USB console utilities
ii  util-linux     2.12p-4sarge1  Miscellaneous system utilities
ii  wget           1.9.1-12       retrieves files from the web
ii  whiptail       0.51.6-20      Displays user-friendly dialog boxes from she
ii  xfsprogs       2.6.20-1       Utilities for managing the XFS filesystem
ii  zlib1g         1.2.2-4.sarge. compression library - runtime

apt-get install ssh
apt-get remove openbsd-inetd netkit-inetd
- Als nächstes werden Ihnen von Debian einige vorbereitete Paket-Zusammenstellungen angeboten. Sie können natürlich auch Paket für Paket auswählen, was Sie auf Ihrem neuen System installieren möchten. Dies ist auch das Prinzip von aptitude, das weiter unten beschrieben wird. Allerdings könnte dies eine langwierige Sache werden bei ca. 15250 verfügbaren Paketen in Debian!
- Deswegen haben Sie die Möglichkeit, zunächst Programmgruppen (tasks) vorzuwählen und danach einzelne individuelle Pakete hinzuzufügen. Diese Gruppen stellen eine lockere Zusammenstellung verschiedener Aufgaben dar, die Sie mit Ihrem Computer erledigen können, wie z.B. „Desktop-Umgebung“ (für einen Arbeitsplatzrechner), „Web-Server“ (Inhalte für das Internet bereitstellen) oder „Druck-Server“ (Drucken und Druckermanagement). Abschnitt C.3, „Festplattenplatz, der für die Programmgruppen benötigt wird“ enthält eine Aufstellung des Festplattenbedarfs verschiedener Programmgruppen.
- Wenn Sie die Programmgruppen ausgewählt haben, die Sie installieren möchten, gehen Sie auf Ok. Nun wird aptitude die Programme installieren. 1)
- Wenn Sie Paket für Paket aussuchen möchten, was Sie installieren, wählen Sie „Manuelle Auswahl“ in der Debian Software Auswahl (tasksel). Falls Sie zusätzlich zu der manuellen Auswahl auch eine oder mehrere Programmgruppen vorgewählt haben, wird aptitude mit dem Parameter –visual-preview gestartet. Dies bedeutet, dass Sie die Möglichkeit haben, die Liste der Pakete, die installiert werden sollen, vorher nochmals zu überprüfen. Falls Sie keine Progammgruppe ausgewählt haben, wird die normale aptitude-Oberfläche angezeigt. Nachdem Sie Ihre Auswahl getroffen haben, drücken Sie „g“, um das Herunterladen und die Installation der Pakete zu starten. 2)
exim4-config: Keine Konfiguration zum jetzigen Zeitpunkt
- später: dpkg-reconfigure exim4-config
- Empfänger der e-Mails für root und postmaster: tiriadmin

Erstes Login

/etc/console-tools/config (Zeichensatz auf 80×50 einstellen [default: lat0-sun16])

config

SCREEN_FONT=lat0-08

/etc/apt/sources.list

sources.list

deb http://www.backports.org/debian/ sarge-backports main

/etc/apt/preferences

preferences

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

Package: xen-3.0
Pin: release a=sarge-backports
Pin-Priority: 999

Package: linux-2.6
Pin: release a=sarge-backports
Pin-Priority: 999

Package: xen-tools
Pin: release a=sarge-backports
Pin-Priority: 999

Package: udev
Pin: release a=sarge-backports
Pin-Priority: 999

Package: lsb
Pin: release a=sarge-backports
Pin-Priority: 999

Package: module-init-tools
Pin: release a=sarge-backports
Pin-Priority: 999

Package: grub
Pin: release a=sarge-backports
Pin-Priority: 999

apt-get update
apt-get dist-upgrade

apt-get dist-upgrade

Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut... Fertig
Berechne Upgrade...Fertig
Die folgenden Pakete sind zurückgehalten worden:
module-init-tools
Die folgenden Pakete werden aktualisiert:
grub kernel-image-2.6.8-3-386
2 aktualisiert, 0 neu installiert, 0 zu entfernen und 1 nicht aktualisiert.
Es müssen 14,4MB Archive geholt werden.
Nach dem Auspacken werden 41,0kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] j
Hole:1 http://security.debian.org stable/updates/main kernel-image-2.6.8-3-386 2.6.8-16sarge6 [14,1MB]
Hole:2 http://www.backports.org sarge-backports/main grub 0.97-16.1~bpo.1 [367kB]
Es wurden 14,4MB in 20s geholt (719kB/s)
(Lese Datenbank ... 22363 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereiten zum Ersetzen von grub 0.95+cvs20040624-17sarge1 (durch .../grub_0.97-16.1~bpo.1_i386.deb) ...
Entpacke Ersatz für grub ...
Vorbereiten zum Ersetzen von kernel-image-2.6.8-3-386 2.6.8-16sarge5 (durch .../kernel-image-2.6.8-3-386_2.6.8-16sarge6_i386.deb) ...
The directory /lib/modules/2.6.8-3-386 still exists. Continuing as directed.
Entpacke Ersatz für kernel-image-2.6.8-3-386 ...
Your /etc/kernel-img.conf needs upgrade. Read grub's NEWS.Debian[1]
file and follow its instructions.

1. /usr/share/doc/grub/NEWS.Debian

You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead!

Searching for GRUB installation directory ... found: /boot/grub
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.8-3-386
Updating /boot/grub/menu.lst ... done

Richte grub ein (0.97-16.1~bpo.1) ...
Richte kernel-image-2.6.8-3-386 ein (2.6.8-16sarge6) ...

You are attempting to install a kernel version that is the same as
the version you are currently running (version 2.6.8-3-386). The modules
list is quite likely to have been changed, and the modules dependency
file /lib/modules/2.6.8-3-386/modules.dep needs to be re-built. It can
not be built correctly right now, since the module list for the
running kernel are likely to be different from the kernel installed.
I am creating a new modules.dep file, but that may not be
correct. It shall be regenerated correctly at next reboot.

I repeat: you have to reboot in order for the modules file to be
created correctly. Until you reboot, it may be impossible to load
some modules. Reboot as soon as this install is finished (Do not
reboot right now, since you may not be able to boot back up until
installation is over, but boot immediately after). I can not stress
that too much. You need to reboot soon.

Please Hit return to continue.

apt-get install linux-image-2.6.18-3-i686 (um einen aktuellen Nicht-XEN Kernel zu haben)
apt-get install

apt-get install -t sarge-backports grub makedev lsb-base (ggf. mdadm)

Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut... Fertig
grub ist schon die neueste Version.
Die folgenden NEUEN Pakete werden installiert:
  mdadm
Die folgenden Pakete werden aktualisiert:
  lsb-base makedev
2 aktualisiert, 1 neu installiert, 0 zu entfernen und 55 nicht aktualisiert.
Es müssen 205kB Archive geholt werden.

apt-cache search linux-image | grep xen

apt-get install linux-image-2.6.18-3-xen-686 xen-utils-3.0.3-1 xen-hypervisor-3.0.3-1-i386 (ggf. xen-ioemu-3.0.3-1)

apt-get install linux-image-2.6.18-3-xen-686 xen-utils-3.0.3-1 xen-hypervisor-3.0.3-1-i386                  
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  busybox-cvs-static initramfs-tools iproute klibc-utils libatm1 libklibc libvolume-id0 linux-modules-2.6.18-3-xen-686 module-init-tools python python2.3 udev xen-utils-common
Vorgeschlagene Pakete:
  linux-doc-2.6.18 python-doc python-tk python-profiler python2.3-doc python2.3-profiler xen-docs-3.0
Empfohlene Pakete:
  iproute-doc libc6-xen python2.3-iconvcodec python2.3-cjkcodecs python2.3-japanese-codecs
Die folgenden Pakete werden ENTFERNT:
  hotplug
Die folgenden NEUEN Pakete werden installiert:
  busybox-cvs-static initramfs-tools iproute klibc-utils libatm1 libklibc libvolume-id0 linux-image-2.6.18-3-xen-686 linux-modules-2.6.18-3-xen-686 python python2.3 udev xen-hypervisor-3.0.3-1-i386
  xen-utils-3.0.3-1 xen-utils-common
Die folgenden Pakete werden aktualisiert:
  module-init-tools
1 aktualisiert, 15 neu installiert, 1 zu entfernen und 0 nicht aktualisiert.
Es müssen 22,4MB Archive geholt werden.
Nach dem Auspacken werden 67,9MB Plattenplatz zusätzlich benutzt.

apt-get install -t sarge-backports bridge-utils sysfsutils

Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  libsysfs1 libsysfs2
Die folgenden NEUEN Pakete werden installiert:
  bridge-utils libsysfs1 libsysfs2 sysfsutils
0 aktualisiert, 4 neu installiert, 0 zu entfernen und 55 nicht aktualisiert.
Es müssen 102kB Archive geholt werden.
Nach dem Auspacken werden 479kB Plattenplatz zusätzlich benutzt.

Konfiguration Bootloader für XEN
- mv /lib/tls /lib/tls.disabled
- dpkg –purge hotplug
- mkinitramfs -o /boot/initrd.img-2.6.18-3-xen-686 2.6.18-3-xen-686

grub/menu.lst

    
title           Xen 3.0.3-1-i386 / Debian GNU/Linux, kernel 2.6.18-3-xen-686
root            (hd0,0)
kernel          /boot/xen-3.0.3-1-i386.gz dom0_mem=384000 sched=sedf console=com1 com1=57600,8n1 panic=10
module          /boot/vmlinuz-2.6.18-3-xen-686 root=/dev/sda1 ro acpi=off console=tty0 console=ttyS0,57600 xencons=ttyS panic=10
module          /boot/initrd.img-2.6.18-3-xen-686
savedefault

  
* Zum Abschluß muß noch die Xen-Config in /etc/xen/xend-config.sxp kontroliert werden, ob (network-script network-bridge) (ca. Zeile 73) und (vif-script vif-bridge) (ca. Zeile 104) eingeschaltet ist. Ggf. die Zeilen auskommentieren und alle anderen Einstellungen dazu als Kommentar setzen.
* Nun noch den Xen-VM beim booten mitstarten lassen: ''invoke-rc.d xend restart''
* Netzwerkeinstellungen für xen-bridge

/etc/network/interfaces

# Internal Bridged Network for Internet
auto xen-inetbr
iface xen-inetbr inet static
pre-up brctl addbr xen-inetbr
post-down brctl delbr xen-inetbr
address 192.168.100.1
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
bridge_fd 0
bridge_hello 0
# bridge_stp off

Reboot

XEN Tools

apt-get install -t sarge-backports xen-tools

Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  debootstrap libtext-template-perl
Empfohlene Pakete:
  xen xen-hypervisor-3.0 reiserfsprogs rpmstrap
Die folgenden NEUEN Pakete werden installiert:
  debootstrap libtext-template-perl xen-tools
0 aktualisiert, 3 neu installiert, 0 zu entfernen und 55 nicht aktualisiert.
Es müssen 191kB Archive geholt werden.
Nach dem Auspacken werden 930kB Plattenplatz zusätzlich benutzt.

Konfiguration der xen-tools

/etc/xen-tools/xen-tools.conf

dir = /data/xens
debootstrap = 1 
size   = 4Gb      # Disk image size.
memory = 128Mb    # Memory size
swap   = 128Mb    # Swap size
fs     = ext3     # use the EXT3 filesystem for the disk image.
dist   = sarge    # Default distribution to install.
image  = sparse   # Specify sparse vs. full disk images.
gateway   = 192.168.100.1
netmask   = 255.255.255.0
passwd = 1
kernel = /boot/vmlinuz-2.6.18-3-xen-686
initrd = /boot/initrd.img-2.6.18-3-xen-686
mirror = http://ftp.de.debian.org/debian/

Erstellen eines ersten Gasts

Loopbackdriver für HDD-Images laden
- modprobe loop loop_max=255

xen-create-image --hostname=xm1 --ip=192.168.100.100 --passwd

General Infomation
--------------------
Hostname       :  xm1
Distribution   :  sarge
Fileystem Type :  ext3

Size Information
----------------
Image size     :  4Gb
Swap size      :  128Mb
Image type     :  sparse
Memory size    :  128Mb
Kernel path    :  /boot/vmlinuz-2.6.18-3-xen-686
initrd path    :  /boot/initrd.img-2.6.18-3-xen-686

Networking Information
----------------------
IP Address 1   : 192.168.100.100
Netmask        : 255.255.255.0
Gateway        : 192.168.100.1


Creating swap image: /data/xens/domains/xm1/swap.img
Done

Creating disk image: /data/xens/domains/xm1/disk.img
Done

Creating ext3 filesystem on /data/xens/domains/xm1/disk.img
Done

Installing your system with debootstrap mirror http://ftp.de.debian.org/debian/
Done

Running hooks
Done

No role script specified.  Skipping

Creating Xen configuration file
Done
Setting up root password
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
All done

/etc/xen/conf – Es wird durch o.a. Skript auch die Konfigurationsdatei erstellt

/etc/xen/xm1.cfg

kernel  = '/boot/vmlinuz-2.6.18-3-xen-686'
ramdisk = '/boot/initrd.img-2.6.18-3-xen-686'
memory  = '128'
root    = '/dev/sda1 ro'
disk    = [ 'file:/data/xens/domains/xm1/disk.img,sda1,w', 'file:/data/xens/domains/xm1/swap.img,sda2,w' ]
name    = 'xm1'
vif  = [ 'ip=192.168.100.100' ]
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

Start des ersten Gasts

modprobe loop
xm create

xm create -c /etc/xen/xm1.cfg

Using config file "/etc/xen/xm1.cfg".
Started domain xm1
Linux version 2.6.18-3-xen-686 (Debian 2.6.18-8~bpo.1) (nobse@backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 SMP Fri Dec 15 08:22:55 CET 2006
BIOS-provided physical RAM map:
Xen: 0000000000000000 - 0000000008800000 (usable)
0MB HIGHMEM available.
136MB LOWMEM available.
ACPI in unprivileged domain disabled
Built 1 zonelists. Total pages: 34816
Kernel command line: root=/dev/sda1 ro
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 1024 (order: 10, 4096 bytes)
Xen reported: 1994.996 MHz processor.
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Software IO TLB disabled
vmalloc area: c9000000-fb7fe000, maxmem 33ffe000
Memory: 114584k/139264k available (1606k kernel code, 16344k reserved, 654k data, 160k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 5035.28 BogoMIPS (lpj=10070571)
Security Framework v1.0.0 initialized
SELinux: Disabled at boot.
Capability LSM initialized
Mount-cache hash table entries: 512
CPU: L1 I cache: 32K, L1 D cache: 32K
CPU: L2 cache: 4096K
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 12k freed
Brought up 1 CPUs
migration_cost=0
checking if image is initramfs... it is
Freeing initrd memory: 11943k freed
Grant table initialized
NET: Registered protocol family 16
Brought up 1 CPUs
PCI: setting up Xen PCI frontend stub
ACPI: Interpreter disabled.
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI: disabled
xen_mem: Initialising balloon driver.
PCI: System does not support PCI
PCI: System does not support PCI
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 4096)
TCP reno registered
audit: initializing netlink socket (disabled)
audit(1169937428.483:1): initialized
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
Xen virtual console successfully installed as tty1
Event-channel device installed.
netfront: Initialising virtual ethernet driver.
PNP: No PS/2 controller found. Probing ports directly.
i8042.c: No controller found.
mice: PS/2 mouse device common for all mice
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 8
NET: Registered protocol family 20
Using IPI No-Shortcut mode
Registering block device major 8
netfront: device eth0 has flipping receive path.
Freeing unused kernel memory: 160k freed
Loading, please wait...
Begin: Loading essential drivers... ...
Done.
Begin: Running /scripts/init-premount ...
FATAL: Error inserting fan (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/fan.ko): No such device
FATAL: Error inserting thermal (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/thermal.ko): No such device
Done.
Begin: Mounting root file system... ...
Begin: Running /scripts/local-top ...
Done.
Begin: Running /scripts/local-premount ...
Done.
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
Begin: Running /scripts/local-bottom ...
Done.
Done.
Begin: Running /scripts/init-bottom ...
Done.
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
INIT: version 2.86 booting
Activating swap.
Checking root file system...
fsck 1.37 (21-Mar-2005)
/dev/sda1: clean, 17342/524288 files, 80037/1048576 blocks
EXT3 FS on sda1, internal journal
System time was Sat Jan 27 22:38:36 UTC 2007.
Setting the System Clock using the Hardware Clock as reference...
System Clock set. System local time is now Sat Jan 27 22:41:17 UTC 2007.
Cleaning up ifupdown...done.
Calculating module dependencies... done.
Loading modules...
All modules loaded.
Checking all file systems...
fsck 1.37 (21-Mar-2005)
Setting kernel variables ...
... done.
Mounting local filesystems...
Cleaning /tmp /var/run /var/lock.
Running 0dns-down to make sure resolv.conf is ok...done.
Setting up networking...done.
Setting up IP spoofing protection: rp_filter.
Configuring network interfaces...done.

Setting the System Clock using the Hardware Clock as reference...
System Clock set. Local time: Sat Jan 27 22:42:42 UTC 2007

Initializing random number generator...done.
Recovering nvi editor sessions... done.
INIT: Entering runlevel: 2
Starting system log daemon: syslogd.
Starting kernel log daemon: klogd.
Starting MTA: exim4.
Starting internet superserver: inetd.
Starting OpenBSD Secure Shell server: sshd.
Starting deferred execution scheduler: atdNET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
.
Starting periodic command scheduler: cron.

Debian GNU/Linux 3.1 xm1 tty1

xm1 login:

Erstellen eines zweiten Gasts (etch)

Modifizieren der /etc/xen-tools/xen-tools.conf
s.o.
Boot (xm create -c /etc/xen/xm2.conf)

starting etch

Using config file "/etc/xen/xm2.cfg".
Started domain xm2
Linux version 2.6.18-3-xen-686 (Debian 2.6.18-8~bpo.1) (nobse@backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #1 SMP Fri Dec 15 08:22:55 CET 2006
BIOS-provided physical RAM map:
 Xen: 0000000000000000 - 0000000008800000 (usable)
0MB HIGHMEM available.
136MB LOWMEM available.
ACPI in unprivileged domain disabled
Built 1 zonelists.  Total pages: 34816
Kernel command line:  root=/dev/sda1 ro
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 1024 (order: 10, 4096 bytes)
Xen reported: 1994.998 MHz processor.
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Software IO TLB disabled
vmalloc area: c9000000-fb7fe000, maxmem 33ffe000
Memory: 114584k/139264k available (1606k kernel code, 16344k reserved, 654k data, 160k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 5033.17 BogoMIPS (lpj=10066344)
Security Framework v1.0.0 initialized
SELinux:  Disabled at boot.
Capability LSM initialized
Mount-cache hash table entries: 512
CPU: L1 I cache: 32K, L1 D cache: 32K
CPU: L2 cache: 4096K
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 12k freed
Brought up 1 CPUs
migration_cost=0
checking if image is initramfs... it is
Freeing initrd memory: 11943k freed
Grant table initialized
NET: Registered protocol family 16
Brought up 1 CPUs
PCI: setting up Xen PCI frontend stub
ACPI: Interpreter disabled.
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI: disabled
xen_mem: Initialising balloon driver.
PCI: System does not support PCI
PCI: System does not support PCI
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 4096)
TCP reno registered
audit: initializing netlink socket (disabled)
audit(1169940219.700:1): initialized
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
Xen virtual console successfully installed as tty1
Event-channel device installed.
netfront: Initialising virtual ethernet driver.
PNP: No PS/2 controller found. Probing ports directly.
i8042.c: No controller found.
mice: PS/2 mouse device common for all mice
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 8
NET: Registered protocol family 20
Using IPI No-Shortcut mode
Registering block device major 8
netfront: device eth0 has flipping receive path.
Freeing unused kernel memory: 160k freed
Loading, please wait...
Begin: Loading essential drivers... ...
Done.
Begin: Running /scripts/init-premount ...
FATAL: Error inserting fan (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/fan.ko): No such device
FATAL: Error inserting thermal (/lib/modules/2.6.18-3-xen-686/kernel/drivers/acpi/thermal.ko): No such device
Done.
Begin: Mounting root file system... ...
Begin: Running /scripts/local-top ...
Done.
Begin: Running /scripts/local-premount ...
Done.
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
Begin: Running /scripts/local-bottom ...
Done.
Done.
Begin: Running /scripts/init-bottom ...
Done.
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
INIT: version 2.86 booting
* Mount point '/dev/shm' does not exist. Skipping mount.
Activating swap...done.
Checking root file system...fsck 1.40-WIP (14-Nov-2006)
/dev/sda1: clean, 16982/524288 files, 86122/1048576 blocks
done.
EXT3 FS on sda1, internal journal
Setting the system clock again..
Cleaning up ifupdown....
Loading kernel modules...done.
Loading device-mapper supportdevice-mapper: ioctl: 4.7.0-ioctl (2006-06-24) initialised: dm-devel@redhat.com
.
Checking file systems...fsck 1.40-WIP (14-Nov-2006)
done.
Setting kernel variables...done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Setting up networking....
Configuring network interfaces...done.
INIT: Entering runlevel: 2
Starting system log daemon: syslogd.
Starting kernel log daemon: klogd.
* Not starting internet superserver: no services enabled.
Starting OpenBSD Secure Shell server: sshdNET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
.
Starting periodic command scheduler: crond.

Debian GNU/Linux 4.0 xm2 tty1

xm2 login:

xm list // xentop

xm list

xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0      375     1 r-----   1824.6
xm1                                        2      128     1 -b----    334.3
xm2                                        3      128     1 -b----     97.3

xentop

xentop - 00:27:35   Xen 3.0.3-1
3 domains: 1 running, 2 blocked, 0 paused, 0 crashed, 0 dying, 0 shutdown
Mem: 917052k total, 667004k used, 250048k free    CPUs: 1 @ 1995MHz
      NAME  STATE   CPU(sec) CPU(%)     MEM(k) MEM(%)  MAXMEM(k) MAXMEM(%) VCPUS NETS NETTX(k) NETRX(k) VBDS   VBD_OO   VBD_RD   VBD_WR SSID
  Domain-0 -----r       1823    1.0     384148   41.9   no limit       n/a     1    0        0        0    0        0        0        0    0
       xm1 --b---        334    0.1     130916   14.3     131072      14.3     1    1       66       41    2        0     1128      453    0
       xm2 --b---         97    0.1     130564   14.2     131072      14.3     1    1        0        0    2        0      595      171    0

Shorewall Firewall

Die Shorewall Firewall basiert auf iptables und ist recht klar zu konfigurieren. Um Fehlermeldungen wie “ip_tables: policy match: invalid size 308 != 116” zu vermeiden, sind auch hier die iptables (1.3.6) aus den backports zu installieren.

apt-get install -t sarge-backports iptables shorewall

Shorewall - Minimal Setup

shorewall.conf
- IP_FORWARDING=On
- ADD_SNAT_ALIASES=Yes
interfaces

/etc/shorewall/interfaces

loc     lo              -               dhcp,routeback
dmz     xen-inetbr      detect          dhcp,routeback
net     eth0            detect          dhcp,logmartians,blacklist,tcpflags,nosmurfs

masq (deshalb: ADD_SNAT_ALIASES=Yes)

/etc/shorewall/masq

eth0                    192.168.100.0/24 192.168.178.180
eth0:1                  192.168.100.0/24 192.168.178.181

policy

/etc/shorewall/policy

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
dmz             all             REJECT          info
all             dmz             REJECT          info
net             all             REJECT          info
all             net             REJECT          info
loc             net             ACCEPT
all             all             REJECT          info

zones

/etc/shorewall/zones

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4
dmz     ipv4
net     ipv4

rules

/etc/shorewall/rules

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#ACCEPT net             fw                      icmp
ACCEPT  net             fw                      tcp     22
ACCEPT  fw              net                     udp     53
ACCEPT  fw              net                     tcp     53
ACCEPT  fw              net                     tcp     23
ACCEPT  fw              net                     tcp     ntp
ACCEPT  fw              net                     tcp     443
ACCEPT  fw              net                     tcp     80
ACCEPT  fw              net                     udp     ntp
ACCEPT  fw              net                     tcp     22
ACCEPT  fw              dmz                     tcp     22
ACCEPT  fw              net                     icmp
ACCEPT  fw              dmz                     icmp
ACCEPT  fw              dmz                     tcp     80
Trcrt/ACCEPT    fw      dmz
DNAT    net             dmz:192.168.100.100:80   tcp     80      -       192.168.178.181
DNAT    loc             dmz:192.168.100.100:22   tcp     22      -       192.168.178.181
ACCEPT  dmz             net                      udp     123
ACCEPT  dmz             net                     icmp
ACCEPT  dmz             net                     udp     53
ACCEPT  dmz             fw                      udp     53
ACCEPT  dmz             net                     tcp     80
ACCEPT  dmz             fw                      tcp     80
ACCEPT  dmz             fw                      tcp     3128
ACCEPT  dmz             fw                      icmp

Shorewall - README.Debian

README.Debian

                             NOTES FOR DEBIAN USERS
                             ======================


1. AUTOMATIC STARTUP
--------------------

In order to avoid the startup of the firewall on an unconfigured machine,
automatic startup, on boot, is disabled by default. To enable it just edit the
file /etc/default/shorewall and set the "startup" variable to 1.


2. CONFIGURATION
----------------

This section replaces old documentation found in
/usr/shore/doc/shorewall/Debian_install.txt

After the installation of the package the configuration directory
/etc/shorewall/ will remain empty, except for:
   
   1. shorewall.conf
   2. Makefile

This is intentional because:

   1. it does not exists a sane default configuration 
   2. to avoid dpkg to prompt for upgrade of configuration file on every
      package update

The default upstream configuration files are installed, just as an example, in
/usr/share/doc/shorewall/default-config/. The only file that can be used 'as
is' are the ones installed by the package (P.s. Debian policy, point 12,
requires that file installed under /usr/share/doc/XXX/ should be compressed;
for this reason packaging tools automatically compress some of the
documentation files).

In order to configure a simple firewall you should, at least, set up the
following files:

   1. /etc/shorewall/interfaces
   2. /etc/shorewall/policy
   3. /etc/shorewall/rules
   4. /etc/shorewall/zones

Default Debian configuration is slightly different from upstream configuration.
The differences are:

   1. IP forwarding is neither enabled nor disabled. It is set to "keep", that
      means that if it is enabled it will remain enabled, and if it is disabled
      it will remain disabled. If you are going to configure you host to act as
      a router take care of this fact. To enable IP forwarding you have to set
      to "on" the IP_FORWARDING variable in /etc/shorewall/shorewall.conf
   2. Anti-spoofing kernel protections is enabled, by default, on all
      interfaces. Upstream configuration disables it. To disable it set the
      variable ROUTE_FILTER to "no" in /etc/shorewall/shorewall.conf
   3. IPv6 support is enabled by default. It is disabled in upstream
      configuration. To disable it set DISABLE_IPV6 to "yes" in
      /etc/shorewall/shorewall.conf. IPv6 is enabled by default on Debian
      because the protocol is not supported by default kernels.

Other file such as modules, action.* and actions.std, that usually don't need
customization, are installed within /usr/share/shorewall. Customization can be
done in /etc/shorewall as shorewall looks for files in /etc/shorewall and then
in /usr/share/shorewall. If a configuration file is found in /etc/shorewall the
one in /usr/share/shorewall is ignored.

More information about shorewall configuration can be found in the
shorewall-doc package and on the shorewall website (http://www.shorewall.net).


3. AVODING FLOOD (WITH LOGGED TRAFFIC) ON THE CONSOLE
-----------------------------------------------------

Shorewall logs packets using level "info". With the default klogd
configuration this kind of logs are also written on the console and,
when the frequency of logging is high the console becomes unusable. It
is highly recommended to configure klogd in order to prevent that
messages of level "info" are logged on the console. You have two
alternatives:

   1. set KLOGD="-c 5" in /etc/init.d/klogd 
   2. add dmesg -n5 in your /etc/shorewall/start


4. IPV6
-------

The Shorewall default configuration does not block IPV6 traffic; the Debian
package, instead, has this feature enabled (see DISABLE_IPV6 in
/etc/shorewall.conf). Please note that when IPV6 is disabled the traffic is
dropped and no logs are generated. As the drop policy just discards the traffic
if you try to use IPV6 you could run into timeouts.


5. PPP USERS 
------------

This section replaces old documentation found in
/usr/share/doc/shorewall/README.ppp

If you are running shorewall on a machine with a ppp connection and your
firewall needs to calculate the interface's ip address, the startup can fail.
It can fail because at the time the firewall is started the ppp interface is
not ready yet. For other information about the problem see bugs #175382 and
#234189.

An example of this problem could be:

/etc/shorewall/params:

   EXT_IP=`find_interface_address ppp0`

/etc/shorewall/rules:

   DNAT    loc     dmz:10.0.0.1  tcp     http    -       $EXT_IP

If $EXT_IP is not configured the startup fails.
   
If your ppp connection is configured with /etc/init.d/ppp you must set it up
using /etc/network/interfaces using the PPP method because just the networking
script is run before shorewall. Moreover the interface name must be listed,
using the "wait_interface" keyword, in /etc/default/shorewall in order to get
the init script to wait until its ready.

Examples of /etc/default/shorewall:

   wait_interface="ppp0"

or 

   wait_interface="ppp0 ppp1"

or, if you have defined $PPP in /etc/shorewall/params
   
   wait_interface=$PPP


 -- Lorenzo Martignoni <martignlo@debian.org>, Thu, 19 Oct 2006 04:21:16 +0200

1) Auch wenn Sie keine Programme zur Installation ausgewählt haben, werden einige wichtige oder benötigte Standardpakete installiert, die noch nicht auf dem System vorhanden sind. Dies ist das gleiche, als wenn Sie auf der Kommandozeile tasksel -ris eingeben; es werden in diesem Fall ca. 37MB an Archiven heruntergeladen. Die Zahl der zu installierenden Pakete wird angezeigt und wie viele Kilobytes an Daten heruntergeladen werden müssen, falls erforderlich.

2) Wenn Sie „Manuelle Auswahl“ ausgewählt haben, ohne dabei eine Programmgruppe vorzuwählen, werden keine Pakete installiert, die Sie nicht selbst auswählen. Dies bedeutet einerseits, dass Sie mittels dieser Option ein Minimalsystem erstellen können; andererseits liegt dann bei Ihnen die Verantwortung, dafür zu sorgen, dass vom System benötigte Pakete ausgewählt und installiert werden, die noch nicht als Teil des Basissystems installiert wurden (vor dem Neustart).