
Defining Storage Pools via the Terminal

Using VMDashboard, you can define Libvirt storage pools only in the /var, /mnt, and /media directories. This restriction prevents the Web interface from having full access to the operating system. If you need to define a storage pool outside these directories, you can register it with Libvirt from the terminal. In this example we will define the /home/ubuntu/ directory as a storage pool.

Define the storage pool using the pool-define-as command from virsh. We will pass in the type of storage device, which is a directory (dir), the name, which we will call myHomePool, and the filepath to the storage pool.

virsh pool-define-as --type dir --name myHomePool --target /home/ubuntu

The storage pool will now show up in VMDashboard. If you wish to view it in the terminal, you can use the following command:

virsh pool-list --all

The storage pool myHomePool will not be running yet. You can start it using VMDashboard, or in the terminal with the following command. Optionally, you can use pool-autostart to start the pool automatically at system boot, and pool-autostart --disable to remove that setting.

virsh pool-start myHomePool

If you choose to stop the storage pool from running, you can do this in VMDashboard or by using the pool-destroy option.

virsh pool-destroy myHomePool

Lastly if you decide to remove the storage pool you can undefine it. This will leave the directory intact on the operating system, just removing it from the list of storage pools. Again, this can be done in VMDashboard or by using the pool-undefine option in the terminal.

virsh pool-undefine myHomePool

ISO images for KVM machines

When getting started with KVM virtual machines, one common question is how to get the ISO image files used to install operating systems in the virtual machines. The default location that Libvirt uses as a storage pool for KVM virtual machines is the /var/lib/libvirt/images/ directory. You will need to download the ISO files using a command such as wget. Find the URL of the ISO from the vendor, for example http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-live-server-amd64.iso.

You will need to switch your user account to the root user:

sudo su

Navigate to the /var/lib/libvirt/images/ directory:

cd /var/lib/libvirt/images/

Use wget to download the file:

wget http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-live-server-amd64.iso

The ISO file will now show up in VMDashboard.
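
The download above uses plain HTTP, so the ISO should be checked against the vendor's published digests before it is used as install media. The script below is an added example, not part of the original post; it assumes a SHA256SUMS file was downloaded alongside the ISO (releases.ubuntu.com publishes one), and verify_sha256 is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded ISO against
# a SHA256SUMS-style file. verify_sha256 is a name chosen for this sketch.
#
# The sums file must come from a source you trust more than the download
# itself (for Ubuntu, check its detached signature SHA256SUMS.gpg first).

# verify_sha256 SUMS_FILE ISO_FILE
#   0 = digest matches, 1 = mismatch, 2 = no entry / file unreadable
verify_sha256() {
    sums=$1
    file=$2
    [ -r "$sums" ] && [ -r "$file" ] || return 2
    name=$(basename -- "$file")

    # Lines look like "<hex>  name" (text) or "<hex> *name" (binary mode).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")

    # Fail closed: a missing entry is an error, not a pass.
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi

    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Command-line use: sh verify.sh SHA256SUMS ubuntu-18.04.1-live-server-amd64.iso
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

A return code of 1 or 2 means the ISO should be deleted from /var/lib/libvirt/images/ and downloaded again.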


Encrypting VMDashboard with Let’s Encrypt

As a security recommendation, it is always a good practice to encrypt the data sent across the Internet. You can encrypt both your VMDashboard connection as well as the VNC console connection to your virtual machines.

With the Apache web server on Ubuntu you can enable HTTPS traffic using the following command:
sudo a2enmod ssl

If you are using a domain name, you can use a Certificate Authority such as Let’s Encrypt to create a free validated SSL certificate. To get started we will need to create an Apache site configuration file for your domain. I will be using the domain server1.vmdashboard.org for this example. The new config file should end with the .conf extension and be located in the /etc/apache2/sites-available/ directory. To create a new file for your domain use the following command, and be sure to change the domain name:
sudo nano /etc/apache2/sites-available/server1.vmdashboard.org.conf

We will add just the minimum information to the configuration file. The first line below, <VirtualHost *:80>, tells Apache that this configuration will be used for HTTP traffic. When we configure Let’s Encrypt, the HTTPS connection (port 443) will be configured automatically. The second line, ServerName server1.vmdashboard.org, tells Apache which domain name this configuration applies to. The third line, DocumentRoot /var/www/html/vmdashboard/, indicates the root location of the web site files and should be the filepath for your files.

<VirtualHost *:80>
ServerName server1.vmdashboard.org
DocumentRoot /var/www/html/vmdashboard/
</VirtualHost>

Once you add the above information to the configuration file and save it, we will need to enable the configuration file in Apache using the a2ensite command. To do that, run the following command, being sure to use your domain name:
sudo a2ensite server1.vmdashboard.org

When Apache is only used for the VMDashboard it would be a good idea to disable the default configuration file that comes with the install of Apache. To do that use the command:
sudo a2dissite 000-default.conf

You will need to restart/reload the Apache web server to apply the configuration changes. Use the following command:
sudo systemctl reload apache2

To automate the Let’s Encrypt certificate using Apache we will need to install the python-certbot-apache package. Use the following command:
sudo apt install python-certbot-apache

To create the SSL Certificate and Apache configuration file run the following command, changing your domain name. You will be asked for an email address and you will be given an option to either redirect all traffic to the HTTPS protocol or not.
sudo certbot --apache -d server1.vmdashboard.org

Now log in to your VMDashboard. Go to the settings page, add the location of the Let’s Encrypt certificate file and key file, and submit your changes. Below are the locations created for server1.vmdashboard.org:

Certificate file: /etc/letsencrypt/live/server1.vmdashboard.org/fullchain.pem
Key file: /etc/letsencrypt/live/server1.vmdashboard.org/privkey.pem

The permissions for the certificates are tied to the root user. There will need to be a permission change on the /etc/letsencrypt/live folder as well as /etc/letsencrypt/archive. We can change the permission to 755 (rwxr-xr-x) to allow VMDashboard to read the information. Note that 755 lets every local user traverse these directories, so access to the private key then depends on the mode of the key file itself. Run the following commands:
sudo chmod 755 /etc/letsencrypt/live
sudo chmod 755 /etc/letsencrypt/archive

You can either restart your server or restart the Python process tied to noVNC to apply the certificate and key files. If you decide to restart the process, first determine which process ID (PID) is using port 6080. Use the following command:
sudo netstat -tulpn | grep 6080

Then after determining the PID number, kill the process. For example, if it was PID 1386, I would use the command:
sudo kill 1386

Now log out and log in to the VMDashboard to restart the VNC connection, and the new certificate should be applied.


Encrypting VMDashboard with a self-signed cert

As a security recommendation, it is always a good practice to encrypt the data sent across the Internet. You can encrypt both your VMDashboard connection as well as the VNC connection to your virtual machines.

With the Apache web server on Ubuntu you can enable https traffic using the following command:
sudo a2enmod ssl

Ubuntu has a configuration already set up to be used with a self-signed certificate. It can be activated by using the following command:
sudo a2ensite default-ssl.conf

You will need to restart/reload the Apache web server to apply the SSL connection. Use the following command:
sudo systemctl restart apache2

The VNC connection will default to using the protocol of your web connection. If you wish to use HTTPS with VNC you will need to create a certificate. By default, the noVNC app that comes with VMDashboard looks for a cert called self.pem in the /etc/ssl/ directory.

To create the certificate for the VNC connection navigate to the /etc/ssl/ directory.
cd /etc/ssl/

Create the certificate by using the following command:
sudo openssl req -x509 -days 365 -new -nodes -out self.pem -keyout self.pem

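Now change the permissions of the self.pem file. Because the command above wrote both the certificate and the private key to self.pem, mode 755 makes the key readable by every local user: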
sudo chmod 755 self.pem

If you have already used VMDashboard, you will need to kill the existing VNC process. To determine the process to kill use netstat and determine the process number that is listening on port 6080.
sudo netstat -tulpn | grep 6080

Now kill the process. For example if the process was numbered 29226, you would kill it using the command:
sudo kill 29226

Now when you log into VMDashboard, the VNC software will use the self-signed cert. Because it is self-signed, your browser will not trust it. To trust the certificate, visit your URL:6080 and click the Advanced button on the screen. For example, if I were using 192.168.1.2 to view the web interface I would use https://192.168.1.2:6080.
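
Both the chmod 755 on /etc/letsencrypt/live and /etc/letsencrypt/archive and the chmod 755 on /etc/ssl/self.pem change who can reach a private key. The script below is an added example, not part of the original posts, that reports whether a key file is readable by users outside its owner and group; world_readable and other_bits are names chosen here, and only classic mode bits are checked.

```shell
#!/bin/sh
# Added example (not from the original posts). world_readable and other_bits
# are names chosen for this sketch. Only classic mode bits are examined;
# POSIX ACLs are not.

# other_bits PATH -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ldL -- "$1" | cut -c8-10
}

# world_readable FILE [BASE]
#   0 = users outside the owner and group can read FILE
#   1 = they cannot, 2 = FILE is missing or not a regular file
# Directories between FILE and BASE (default /) must all grant o+x,
# otherwise the file mode does not matter.
world_readable() {
    file=$(readlink -f -- "$1") || return 2
    base=$(readlink -f -- "${2:-/}") || return 2
    [ -f "$file" ] || return 2

    case $(other_bits "$file") in
        r??) ;;
        *) return 1 ;;
    esac

    dir=$(dirname -- "$file")
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
        # x, or t (sticky bit plus execute), means o+x is set
        case $(other_bits "$dir") in
            ??x|??t) ;;
            *) return 1 ;;
        esac
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Command-line use (as root), e.g.:
#   sh keyperm.sh /etc/ssl/self.pem \
#       /etc/letsencrypt/live/server1.vmdashboard.org/privkey.pem
for f in "$@"; do
    rc=0
    world_readable "$f" || rc=$?
    case $rc in
        0) echo "EXPOSED     $f" ;;
        1) echo "restricted  $f" ;;
        *) echo "error       $f" ;;
    esac
done
```

The live/ entries are symlinks into archive/, so the script resolves them and checks the real key file and the directories above it.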