** packages
all packages have been installed with the apt default settings of installing
recommended packages but not installing suggested packages

*** repositories
updated /etc/apt/sources.list with this content:

#+begin_src sources.list
deb http://ftp.us.debian.org/debian/ squeeze main non-free contrib
deb-src http://ftp.us.debian.org/debian/ squeeze main non-free contrib

deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free

deb http://ftp.us.debian.org/debian/ squeeze-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main contrib non-free

deb http://backports.debian.org/debian-backports squeeze-backports main
deb-src http://backports.debian.org/debian-backports squeeze-backports main
#+end_src

the backports are there only for selected packages. no apt preferences are set to
prefer backports for anything: packages come from squeeze-backports only when
explicitly requested with ~-t squeeze-backports~, and whether later updates of
those packages are picked up by a plain ~apt-get upgrade~ depends on the pin
priority apt assigns the archive, so check with ~apt-cache policy <package>~.

Right now that list of packages is:

  - linux-image-3.2.0-0.bpo.3-amd64
  - firmware-linux-free
  - firmware-linux-nonfree

    as installed through:
    $ apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.3-amd64 \
      firmware-linux-free firmware-linux-nonfree

In the future, we might also want to install additional backported packages,
such as munin-node, given how superior munin 2.0 is to older versions.

*** molly-guard
because SSHing to the wrong host is easy
*** zsh + screen + less
so rafl won't be a sad sysadmin
*** shorewall
for firewalling, dnat, masquerading
*** libvirt-bin + qemu-kvm + bridge-utils + virtinst + sysfsutils
*** rsync
for backups
** configuration
*** compile de_DE.UTF-8 locale
so rafl can have his German LC_CTYPE without perl and some other bits whining
about it not being available.

as updated via dpkg-reconfigure locales and selecting de_DE.UTF-8 in addition to
the other selected locales. No default locale was chosen.

*** hostname
**** changed /etc/hostname from cpan2 to sc2
**** updated /etc/hosts for s/cpan2/sc2/
**** updated /etc/hosts for s/${REAL_IP_ADDR}/127.0.1.1/ so the sc2 hostname maps to the loopback alias (the Debian convention for the local hostname) rather than the public address

*** firewall
the firewall configuration for this is all self-contained in /etc/shorewall

to enable the firewall on boot, /etc/default/shorewall has been modified to
contain ~startup=1~

**** bridge for VMs

This setup assumes a single public IP address on the host and VMs on a private
subnet behind NAT: the bridge has no physical port, so VMs reach the outside
only through the host's routing and masquerading (shorewall, above).

In ~/etc/network/interfaces~, add

#+begin_src interfaces
auto vir-sc2
iface vir-sc2 inet static
        address 10.10.23.1
        netmask 255.255.255.0
        bridge_stp off
        bridge_fd  0
        pre-up     brctl addbr vir-sc2
        post-down  brctl delbr vir-sc2
#+end_src

**** ip forwarding
~net.ipv4.ip_forward=1~ in /etc/sysctl.conf
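The notes say the firewall lives in /etc/shorewall but do not show it. As an added example (not the notes' own configuration), the script below writes the Shorewall files that match the bridge and NAT setup described above: a ~net~ zone on the public interface, a ~vms~ zone on ~vir-sc2~, masquerading of 10.10.23.0/24, SSH to the host, and one illustrative DNAT of TCP/80 to the first VM. Everything beyond the bridge name and subnet is an assumption: the public interface ~eth0~, the VM address 10.10.23.2, and the port forward itself.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the Shorewall
# configuration for the vir-sc2 NAT bridge.
#
# Assumptions the notes do not state:
#   - the public interface is eth0 (override with PUB_IF)
#   - the first VM, sc2-n1, lives at 10.10.23.2 and should be reachable
#     on TCP/80 from outside (illustrative DNAT; drop it if unwanted)
#   - shorewall.conf has IP_FORWARDING=On or Keep, so the sysctl above
#     survives 'shorewall start'
set -eu

PUB_IF="${PUB_IF:-eth0}"
VM_BRIDGE="vir-sc2"
VM_NET="10.10.23.0/24"
VM_WEB="10.10.23.2"

# Emit one 'rules' line forwarding a port from the public side to a VM.
# Columns: ACTION SOURCE DEST PROTO DEST-PORT.
dnat_rule() {
    printf 'DNAT\tnet\tvms:%s\t%s\t%s\n' "$1" "$2" "$3"
}

# Write all five files into the directory given as $1 (normally /etc/shorewall).
write_all() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
vms     ipv4
EOF

    # routeback: with bridge-nf-call-iptables=1, VM-to-VM frames on the
    # bridge traverse the host firewall and must be allowed back out the
    # same interface.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $PUB_IF     detect      tcpflags,nosmurfs,routefilter
vms     $VM_BRIDGE  detect      routeback
EOF

    # Default-deny from the net; VMs get out but cannot reach the host.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG-LEVEL
fw      all     ACCEPT
vms     net     ACCEPT
vms     fw      REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF

    # Masquerade the VM subnet behind the single public address.
    cat > "$dir/masq" <<EOF
#INTERFACE  SOURCE
$PUB_IF     $VM_NET
EOF

    {
        printf '#ACTION\tSOURCE\tDEST\tPROTO\tDEST-PORT\n'
        printf 'ACCEPT\tnet\tfw\ttcp\t22\n'   # SSH to the host itself
        dnat_rule "$VM_WEB" tcp 80           # public :80 -> sc2-n1
    } > "$dir/rules"
}

# Usage: sh shorewall-vm-nat.sh /etc/shorewall && shorewall check
if [ "$#" -gt 0 ]; then
    write_all "$1"
fi
```

Run ~shorewall check~ before ~shorewall restart~; it compiles the files without loading them, so a typo in ~rules~ does not leave the host without a firewall. If shorewall.conf has ~IP_FORWARDING=Off~, shorewall will clear ~net.ipv4.ip_forward~ on start and the VMs lose connectivity regardless of the sysctl setting above.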

*** libvirt
**** storage pool

Have a pool definition in some xml file:

#+begin_src xml
  <pool type="logical">
    <name>cpan2</name>
    <target>
      <path>/dev/cpan2</path>
    </target>
  </pool>
#+end_src

The name and target path will need to correspond to an existing LVM volume
group. If there is no volume group yet, you'll need to either assemble it
yourself or provide ~<source />~ information on how to assemble it.

  $ virsh pool-define $PATH_TO_POOL_XML_FILE # create pool in libvirt
  $ virsh pool-start cpan2 # start the pool. might hang while udev settles.
                           # that's ok.
  $ virsh pool-autostart cpan2 # start the pool on boot


After this, the configuration for this is contained in
/etc/libvirt/storage/. However, the files libvirt writes there cannot simply be
distributed with puppet or the like, as they record the VG's UUID, which differs
from host to host.

**** network

The libvirt network abstraction in the version of libvirt in debian squeeze
isn't terribly smart. Until we upgrade to a newer libvirt, we maintain the
network bits of this manually, and not through libvirt.

The configuration of this is covered earlier in this document. No libvirt
configuration is required.

**** KSM

~kernel/mm/ksm/run = 1~ in /etc/sysfs.conf

KSM merges identical memory pages across VMs to save RAM. Page sharing across
guests is a known cross-VM side channel (a guest can tell whether another guest
holds a given page by timing writes to it), so only enable it where the guests
on the host trust each other.

**** installing a VM

*NOTE*: be sure to change the host name and the network adapter's mac address to
something unique.

$ virt-install -n sc2-n1 -r 32768 --vcpus 4 \
  -l http://ftp.us.debian.org/debian/dists/squeeze/main/installer-amd64/ \
  --network bridge=vir-sc2,model=virtio,mac=00:50:56:00:3E:50 --nographics \
  --serial pty -x 'console=ttyS0 priority=low' \
  --disk pool=cpan2,bus=virtio,sparse=false,size=300 \
  --os-type=linux --os-variant=debiansqueeze

then, add the static ip address you configured in the installer to the host
machine's ~/etc/hosts~:

  10.10.23.2 sc2-n1.metacpan.org sc2-n1 n1
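The NOTE above leaves uniqueness of the domain name and the MAC address to whoever types the command; virt-install refuses a domain name that already exists, but libvirt does not reject a duplicate MAC at define time. As an added example (not the notes' own tooling), the wrapper below derives a locally administered MAC from the VM name, builds the same virt-install command as above, and prints the matching /etc/hosts line. The hosts-file domain ~metacpan.org~ and the short alias (name minus the ~sc2-~ prefix) are taken from the sc2-n1 line; the sizing defaults are assumptions matching that example.

```shell
#!/bin/sh
# Added example, not from the original notes: wrap the virt-install call
# so the domain name and MAC address are derived from one argument.
#
# Assumptions not stated in the notes: hosts-file domain metacpan.org,
# short alias = name without the 'sc2-' prefix, sizing as for sc2-n1.
set -eu

INSTALLER_URL="http://ftp.us.debian.org/debian/dists/squeeze/main/installer-amd64/"
BRIDGE="vir-sc2"
POOL="cpan2"
DOMAIN="metacpan.org"

# Deterministic, locally administered, unicast MAC: first octet 0x02
# (U/L bit set, I/G bit clear), remaining five octets from the md5 of the
# VM name. Same name, same MAC, so a reinstall keeps its address; different
# names practically never collide.
vm_mac() {
    h=$(printf '%s' "$1" | md5sum | cut -c1-10)
    printf '02:%s\n' "$(printf '%s' "$h" | sed 's/../&:/g; s/:$//')"
}

# The /etc/hosts line the notes add after installation, e.g.
#   10.10.23.2 sc2-n1.metacpan.org sc2-n1 n1
hosts_entry() {
    printf '%s %s.%s %s %s\n' "$2" "$1" "$DOMAIN" "$1" "${1#sc2-}"
}

# Build the virt-install command line; -n and mac= are derived, everything
# else mirrors the sc2-n1 invocation in the notes.
virt_install_cmd() {
    name="$1"; ram="${2:-32768}"; vcpus="${3:-4}"; disk_gb="${4:-300}"
    printf '%s' "virt-install -n $name -r $ram --vcpus $vcpus"
    printf ' %s' "-l $INSTALLER_URL"
    printf ' %s' "--network bridge=$BRIDGE,model=virtio,mac=$(vm_mac "$name")"
    printf ' %s' "--nographics --serial pty -x 'console=ttyS0 priority=low'"
    printf ' %s' "--disk pool=$POOL,bus=virtio,sparse=false,size=$disk_gb"
    printf ' %s\n' "--os-type=linux --os-variant=debiansqueeze"
}

# Usage: sh new-vm.sh sc2-n2 10.10.23.3 [ram_mb] [vcpus] [disk_gb]
# Prints the command and the hosts line; set RUN=1 to actually execute it.
if [ "$#" -ge 2 ]; then
    cmd=$(virt_install_cmd "$1" "${3:-32768}" "${4:-4}" "${5:-300}")
    echo "$cmd"
    hosts_entry "$1" "$2"
    if [ "${RUN:-0}" = 1 ]; then
        eval "$cmd"
    fi
fi
```

The static address still has to be entered in the installer; the hosts line is printed so it can be appended to the host's /etc/hosts once the install is done. Check the MAC the script chose against the existing domains (~virsh dumpxml <domain> | grep 'mac address'~) before reusing a name that was once given a hand-picked address.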