Gentoo, qemu+kvm and virt-manager: Automating guest base install

Updated 2014-12-23: Update file links to gitweb.

I recently got myself a new server that is, amongst other things, intended for kvm/qemu virtual machines that I administer using virt-manager. As most of the guest VMs will be running Gentoo Linux, and its installation procedure is nicely command-line based, a few simple bash scripts that require a minimum of user interaction during install are enough to get an up-to-date base OS quickly, without using an image.

It goes like this: after booting the Gentoo live CD we reset the root password to a known value and start sshd so that the script files can be uploaded.

passwd
/etc/init.d/sshd start

Once this is done we upload the script files using scp:

scp *.sh root@192.168.0.62:/

At this stage we edit the config.sh file using nano, which is part of the live CD:

nano /config.sh

I rarely change much in the config file, but other users will naturally want to adjust it to their own environment. As for the drive layout, I normally default to:
xda1: 5MB - spare for MBR
xda2: 100MB - /boot
xda3: 4096MB - swap
xda4: residual - /

xda is used here in place of vda (if Virtio) or sda (if SATA). The underlying drive is an LVM2 logical volume created using

lvcreate -L 125G -n myVM vg0

A little trick for using the LVM volume directly in virt-manager is to create a storage group for the directory of the volume group (/dev/vg0), which allows me to allocate the logical volumes directly to the VM as a virtio disk.

If /host.sh is run without a drive set up it will naturally abort with a warning about missing drive configuration. Once the partitions are configured (I normally use cfdisk /dev/xda) it is time to run:

/host.sh

The first thing that happens is that the filesystems are created (ext4), a stage3 is downloaded and extracted, and the mounts needed to enter the chroot are set up. No further interaction is necessary until we enter the chroot using:

chroot /mnt/gentoo /bin/bash
/chroot.sh

At this point the rest of the install instructions are run: installing a regular gentoo-sources kernel with grub2 and setting up syslog-ng and cronie. Additionally I use Monkeysphere to set up the public keys for logging into the system as my user, so this is automated as well, as is adding the user to the wheel group (the latter two steps are optional in the config file, but if you haven't looked into Monkeysphere before I recommend doing so).

Once this is complete it is just a matter of running

exit

to get out of the chroot, and

reboot

and once it comes back up we have a working base install of a VM. From there I can start making any adjustments for the service the VM is supposed to provide.
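The stage3 step above downloads and extracts a tarball that the rest of the install is built on, so it is the one place in the procedure where verifying what was fetched matters most. The following is an added example and is not part of host.sh or chroot.sh (which are bash); it is a stand-alone check that could be called before the extraction step. It assumes the DIGESTS file layout shown in the comments (a "# SHA512 HASH" section followed by "<digest>  <filename>" lines), and the tarball and DIGESTS file it verifies in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example, not part of the host.sh/chroot.sh scripts linked from the post.
# It verifies a downloaded stage3 tarball against the DIGESTS file published
# next to it before anything is extracted. Assumed DIGESTS layout:
#   # SHA512 HASH
#   <128 hex chars>  stage3-amd64-20141223.tar.bz2
#   # WHIRLPOOL HASH
#   <128 hex chars>  stage3-amd64-20141223.tar.bz2


def parse_digests(text):
    """Return {filename: sha512_hex} for the SHA512 section of a DIGESTS file."""
    wanted = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "# SHA512 HASH" opens a section; remember which algorithm it names
            words = line.lstrip("#").split()
            section = words[0].upper() if words else None
            continue
        parts = line.split()
        # Only trust SHA512 lines; WHIRLPOOL digests are also 128 hex chars long
        if section == "SHA512" and len(parts) == 2 and len(parts[0]) == 128:
            wanted[parts[1]] = parts[0].lower()
    return wanted


def sha512_of_file(path):
    """Stream the file through SHA-512 (stage3 tarballs are a few hundred MB)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_stage3(tarball_path, digests_path):
    """Return (ok, reason). Only extract the tarball when ok is True."""
    with open(digests_path, "r", encoding="utf-8") as f:
        wanted = parse_digests(f.read())
    name = os.path.basename(tarball_path)
    if name not in wanted:
        return False, "no SHA512 entry for %s in %s" % (name, digests_path)
    have = sha512_of_file(tarball_path)
    if have != wanted[name]:
        return False, "SHA512 mismatch for %s" % name
    return True, "ok"


def demo():
    """Constructed tarball + DIGESTS pair: returns (result before, result after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "stage3-amd64-example.tar.bz2")
        with open(tarball, "wb") as f:
            f.write(b"not really a stage3\n")  # constructed stand-in for the tarball
        digests = tarball + ".DIGESTS"
        with open(digests, "w", encoding="utf-8") as f:
            f.write("# SHA512 HASH\n%s  %s\n" % (sha512_of_file(tarball), os.path.basename(tarball)))
        good = verify_stage3(tarball, digests)[0]
        with open(tarball, "ab") as f:
            f.write(b"tampered\n")  # simulate a corrupted or altered download
        bad = verify_stage3(tarball, digests)[0]
        return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The DIGESTS file travels over the same channel as the tarball, so this check only catches corruption and tampering that did not also rewrite the digest; the detached signature Gentoo publishes alongside it (.DIGESTS.asc) is what ties the digests to the release engineering key, and checking that with gpg is the other half of the verification.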

As for the actual scripts: gitweb

CURL and using HTTP Host Header for SNI

Recently I added an HKPS pool to sks-keyservers.net, and as part of that I validate the SKS keyservers' SSL/TLS certificates against my own Certificate Authority, so only servers with certificates signed by me are included. This ensures a subjectAltName for the appropriate host, in order to avoid certificate failures. So far so good.

Some servers, for various reasons, need to have another certificate installed, signed by another authority. For this to be handled properly, Server Name Indication is used to map the request to the right virtual host and the certificate to present to the client.

My crawler uses curl as the basis for the requests, and as I connect using the hostname found in server discovery, it uses the HTTP Host: header for the pool. The issue with vanilla curl, however, is that there is no way to manually set the SNI hostname to use; it defaults to the hostname of the request.

So I added a patch that uses the Host header presented instead. I'm adding it here in case it is useful for anyone else.
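The patch itself is not reproduced on this page, so as an added example (not the author's crawler or curl patch) here is the same idea in Python's ssl module: the TCP connection goes to whatever host server discovery returned, while the name sent in SNI, the name the certificate is verified against, and the HTTP Host: header are all the pool name. The hostname matcher implements the subjectAltName rule the post relies on (dNSName entries take precedence over the commonName, one wildcard allowed only as the whole leftmost label). The pool name is assumed to be hkps.pool.sks-keyservers.net, the certificates are constructed in the getpeercert() dict form, and fetch_via_pool() is the only function that touches the network.

```python
import socket
import ssl

# Added example, not the author's crawler or curl patch. Hostnames in the
# constructed certificates below are illustrative; the pool name is assumed.
POOL_NAME = "hkps.pool.sks-keyservers.net"


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # the wildcard must be the entire leftmost label of a name with >= 3 labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """cert is in the dict form ssl.SSLSocket.getpeercert() returns.

    If the certificate carries any dNSName subjectAltName entries, only those
    count; the subject commonName is consulted only when it has none.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def build_request(path, host_header):
    """HTTP/1.1 request whose Host: header names the pool, not the discovered server."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, host_header)).encode("ascii")


def fetch_via_pool(discovered_host, port, path, cafile):
    """Connect to the discovered server but present POOL_NAME in SNI and Host:.

    Network call, not exercised offline. With the default context Python already
    verifies the chain against cafile and the hostname against server_hostname;
    the explicit hostname_matches_cert() call just makes the SAN rule visible.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((discovered_host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=POOL_NAME) as tls:
            if not hostname_matches_cert(tls.getpeercert(), POOL_NAME):
                raise ssl.CertificateError("certificate does not name %s" % POOL_NAME)
            tls.sendall(build_request(path, POOL_NAME))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Constructed certificates in getpeercert() form: a pool member whose CA-issued
# certificate lists the pool name, and a server that only has its own name.
POOL_MEMBER_CERT = {
    "subject": ((("commonName", "keys1.example.org"),),),
    "subjectAltName": (("DNS", "keys1.example.org"), ("DNS", POOL_NAME)),
}
NON_MEMBER_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"),),
}
```

A server in the second situation described above (another certificate from another CA on the same address) is picked out by the SNI name, and the SAN check then rejects it for the pool unless that certificate also names the pool; that is exactly the coupling of SNI, verification name and Host: header the curl patch provides. Newer curl releases can achieve the same without a patch through --resolve, which maps the pool name to the discovered address so that SNI, certificate verification and Host: all use the pool name.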

mod_gnutls: Requiring encryption

I recently switched over from mod_ssl to mod_gnutls for providing encryption and verification on some of my web servers. mod_gnutls uses the GnuTLS library to provide SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 encryption for Apache HTTPD; it is similar to mod_ssl in purpose but does not use OpenSSL. Since some of the servers only have one public IP, in order to provide encryption on multiple websites I prefer to use TLS, although, in all fairness, SSL with SNI is an alternative. I do, however, feel the TLS protocol is a cleaner one, so that is what I'll support.

As a result of the switch, sks-keyservers.net is now also encryption-enabled, using a self-signed certificate that can be verified through the OpenPGP Web of Trust using Monkeysphere.

One thing I am missing in mod_gnutls, however, is a way to require certain file paths to be encrypted. Granted, this can be done using configuration directives in the VirtualHost settings for the non-TLS host, but I find it much cleaner to be able to set it on a per-directory basis (.htaccess). So I've written a small patch that adds the "GnuTLSRequireSSL" directive to mod_gnutls. It takes one argument, which can be "On" or "Off". Download the patch here