----- "Kai Schaetzl" <maillists at conactive.com> wrote:
> Ben Montanelli wrote on Wed, 04 Feb 2009 11:50:04 -0500:
>
> > I guess many of us want the optimized "grail" dom0.
>
> There is none. It depends on your needs.

This is pretty close to one. :)

I also attached a trimmed-down version of the kickstart config I use for dom0s. Some of it is irrelevant to many people, but I figured someone would find something useful in it, like fixing some of the brokenness. Some of the packages (like the ones for NTP, MD RAID, IPMI, LUKS, and iSCSI) can be removed if you don't need them. ntpd and snmpd can be disabled as well if you don't need or use them, or for security policy reasons.

dom0 services:

srv1:[1:13pm]:120:~# chkconfig --list | grep :on
acpid          0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed       0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond          0:off 1:off 2:on 3:on 4:on 5:on 6:off
edac           0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables      0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
libvirtd       0:off 1:off 2:off 3:on 4:on 5:on 6:off
lm_sensors     0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor   0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcstrans       0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor      0:off 1:off 2:on 3:on 4:on 5:on 6:off
network        0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix        0:off 1:off 2:on 3:on 4:on 5:on 6:off
restorecond    0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat        0:off 1:off 2:on 3:on 4:off 5:on 6:off
xend           0:off 1:off 2:on 3:on 4:on 5:on 6:off
xendomains     0:off 1:off 2:off 3:on 4:on 5:on 6:off

dom0 kickstart:

[...]
services --disabled=avahi-daemon,gpm,haldaemon,kudzu,messagebus,netfs --enabled=ntpd,snmpd
[...]
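%packages --nobase
@core
xen
kernel-xen
libvirt
postfix
ntp
net-snmp
sudo
sysstat
rsync
tcpdump
tcsh
bzip2
man
lsof
smartmontools
mailx
screen
vim-enhanced
isns-utils
iscsi-initiator-utils
cryptsetup-luks
vconfig
acpid
audit
cpuspeed
mdadm
psacct
xorg-x11-xauth
edac-utils
memtest86+
patch
which
yum-protectbase
OpenIPMI
OpenIPMI-tools

%post
# Post-install customisation of a Xen dom0. Runs inside the installed system
# after package installation. There is no 'set -e' here, so a failing step
# does not abort the install; the one step whose failure matters most (the
# xendomains patch) reports to stderr below.
#
# Every here-document uses a quoted delimiter ('_EOF_'): nothing in them is
# meant to be expanded, and it keeps the '$' and backtick characters in the
# patch and xend config literal without backslash escaping.

# Force a full SELinux relabel on first boot.
touch /.autorelabel

# yum-protectbase: flag every repository in CentOS-Base.repo as protected so
# third-party repositories cannot replace base packages.
sed -i '/^\[/aprotect=1' /etc/yum.repos.d/CentOS-Base.repo

# Larger default/maximum socket buffers; vm.swappiness=1 keeps dom0 off
# swap unless memory is actually exhausted.
cat << '_EOF_' >> /etc/sysctl.conf
net.core.rmem_max = 1048576
net.core.rmem_default = 1048576
net.core.wmem_max = 1048576
net.core.wmem_default = 1048576
vm.swappiness = 1
_EOF_

# snmpd.conf is replaced wholesale; only the interface-speed overrides are
# shown here. The elided part carries the access control (community/view
# lines) -- it must not be deployed with default community strings, and
# snmpd is on the 'services --enabled' list, so it listens from first boot.
cat << '_EOF_' > /etc/snmp/snmpd.conf
[...]
# This is so SNMP reports correct interface rates
interface bond0 161 1000000000
interface bond0.10 135 1000000000
interface bond0.20 135 1000000000
interface bond0.30 135 1000000000
interface bond0.40 135 1000000000
interface bond0.101 135 1000000000
[...]
_EOF_

# Comment out any existing copies of the sshd directives we set, then append
# our values so they win regardless of what the stock config contained.
# Root is limited to keys that carry a command= option (see authorized_keys
# below); password authentication is off entirely.
for opt in LoginGraceTime PermitRootLogin MaxAuthTries PasswordAuthentication MaxStartups; do
  sed -i "s/^[ \t]*${opt}.*/#&/g" /etc/ssh/sshd_config
done
cat << '_EOF_' >> /etc/ssh/sshd_config
LoginGraceTime 1m
PermitRootLogin forced-commands-only
MaxAuthTries 2
PasswordAuthentication no
MaxStartups 2
_EOF_

# Cap dom0 at 2G so the remaining RAM stays available for guests, and use
# the deadline I/O scheduler for the dom0 kernel.
sed -i 's#kernel /xen.*#& dom0_mem=2G#' /boot/grub/grub.conf
sed -i 's#module /vmlinuz.*#& elevator=deadline#' /boot/grub/grub.conf

# Bonding, netloop and forcedeth module options.
cat << '_EOF_' >> /etc/modprobe.conf
alias bond0 bonding
options bond0 mode=balance-rr miimon=100 updelay=1000
options netloop nloopbacks=64
options forcedeth max_interrupt_work=10
_EOF_

# An empty /etc/sysconfig/iptables lets the iptables service start (it is
# on the 'services --enabled' list) but installs NO rules: every chain is
# left at its default ACCEPT policy. Populate it with a real ruleset before
# the host is reachable from anything but the management network.
touch /etc/sysconfig/iptables
sed -i -r 's/^IPTABLES_MODULES=.*/#&/' /etc/sysconfig/iptables-config
sed -i -r '/^#IPTABLES_MODULES=.*/a \IPTABLES_MODULES=""' /etc/sysconfig/iptables-config

# Bond + VLAN sub-interface + bridge; guests attach to br10 via vif-bridge.
cat << '_EOF_' > /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
_EOF_
cat << '_EOF_' > /etc/sysconfig/network-scripts/ifcfg-bond0.10
DEVICE=bond0.10
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
VLAN=yes
BRIDGE=br10
_EOF_
cat << '_EOF_' > /etc/sysconfig/network-scripts/ifcfg-br10
DEVICE=br10
TYPE=Bridge
BOOTPROTO=static
BROADCAST=<xxx>
IPADDR=<xxx>
NETMASK=<xxx>
NETWORK=<xxx>
IPV6INIT=yes
IPV6_AUTOCONF=yes
ONBOOT=yes
DELAY=0
STP=on
_EOF_

# Turn each physical NIC into a bond0 slave: keep only the HWADDR line (and
# comments) from the installer-generated file, then append the slave
# settings. The same four-step sequence was previously spelled out once per
# interface; the loop is behaviourally identical.
for nic in eth0 eth1 eth2 eth3; do
  cfg=/etc/sysconfig/network-scripts/ifcfg-${nic}
  sed -i -r '/^(HWADDR=|#)/!d' "$cfg"
  cat << '_EOF_' >> "$cfg"
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
_EOF_
done

# Let ntpd also sync the hardware clock.
sed -i -r 's/(SYNC_HWCLOCK=).*/\1yes/' /etc/sysconfig/ntpd

# Fix parseln() in the xendomains init script: the stock version cuts the
# 'xm list' line at fixed columns (cut -c0-17 / -c18-), which presumably
# mis-parses domain names of 17 characters or more; splitting on the first
# space avoids that.
# NOTE(review): the hunk header says 9 lines per side but only 7 survived
# the mailing-list reformat (blank context lines and indentation were lost;
# the 4-space indent here is reconstructed), so regenerate this patch
# against the installed /etc/init.d/xendomains before relying on it.
cat << '_EOF_' > /root/xendomains.patch
--- /etc/init.d/xendomains.dist 2008-11-04 09:57:48.000000000 -0600
+++ /etc/init.d/xendomains 2008-11-04 09:58:30.000000000 -0600
@@ -175,9 +175,9 @@
 parseln()
 {
-    name=`echo "$1" | cut -c0-17`
+    name=`echo "$1" | cut -d' ' -f1`
     name=${name%% *}
-    rest=`echo "$1" | cut -c18- `
+    rest=`echo "$1" | cut -d' ' -f2-`
     read id mem cpu vcpu state tm < <(echo "$rest")
 }
_EOF_
# The original applied the patch unchecked; a failure here would otherwise
# go unnoticed until xendomains misbehaves on a reboot.
if ! patch -p0 < /root/xendomains.patch; then
  printf 'xendomains.patch did not apply cleanly; inspect /etc/init.d/xendomains\n' >&2
fi

# Replace xend's configuration wholesale, keeping the shipped copy as .dist.
# NOTE(review): the relocation (live-migration) listener on port 8002 is
# unauthenticated and unencrypted; the hosts-allow patterns and binding it
# to the dedicated <xxx> address are the only access control, so that
# address must live on a management-only network. vncpasswd '' leaves
# guest consoles without a password -- acceptable only while vnc-listen
# stays on 127.0.0.1 (the xend default) -- TODO confirm.
mv /etc/xen/xend-config.sxp /etc/xen/xend-config.sxp.dist
cat << '_EOF_' > /etc/xen/xend-config.sxp
# -*- sh -*-
(xend-unix-server yes)
(xend-unix-path /var/lib/xend/xend-socket)
(xend-relocation-server yes)
(xend-relocation-port 8002)
(xend-relocation-address '<xxx>')
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$ ^<xxx>$')
(network-script /bin/true)
(vif-script vif-bridge)
(dom0-min-mem 768)
(dom0-cpus 1)
(vncpasswd '')
_EOF_

# Leave XENDOMAINS_SAVE empty so guests are not saved to disk on dom0
# shutdown (comment out the shipped value, then add the empty one after it).
sed -i -r 's/^XENDOMAINS_SAVE=.*/#&/' /etc/sysconfig/xendomains
sed -i '/^#XENDOMAINS_SAVE=/a \XENDOMAINS_SAVE=' /etc/sysconfig/xendomains

# Drop libvirt's autostarted 'default' NAT network; guests use br10.
rm -f /etc/libvirt/qemu/networks/autostart/default.xml

# Management key for root. sshd's StrictModes rejects keys whose directory
# or file is group/world-writable, so set the modes explicitly instead of
# relying on the installer's umask (the original 'mkdir' did neither).
# NOTE(review): command= restricts what runs on login but not port, agent
# or X11 forwarding; add the no-*-forwarding options if the management
# client does not need them -- TODO confirm against how virt-manager
# connects.
mkdir -p -m 700 /root/.ssh
cat << '_EOF_' > /root/.ssh/authorized_keys
command="/usr/bin/virt-manager" ssh-rsa <xxx> <xxx>
_EOF_
chmod 600 /root/.ssh/authorized_keys
%end

--
Christopher G. Stach II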