UPDATE: Part 2 has been updated.
Keeping the spirit of the Journal, I believe, it’s appropriate to document every bit of learning. So starting up a multi-part series on setting up a new dedicated server with I what need for all my little technical experiments.
While the world is moving towards cloud and VPS, I like to have more control over what I set up as my environment.
Most important part of any development cycle is to know your environment well. Interestingly its also the most overlooked aspect by the developers.
datacenter and System Setup
Dedicated server this journal is running is an Intel E3-1240 V5. Its a reasonably beefy machine for my needs with a benchmark of 10368. I got tempted when the good folks at Clouvider, put the London location server on a Black Friday sale for 39GBP. You cant expect, the kind of service and support Clouvider is able to provide for that budget from anybody out there. Have tried all the usual suspects SYS, Online.net, Hetzner. Only improvement area for Clouvider is the level of automation (Compared with the big guys out there), But they do make it up with their responsive support.
My criteria were simple
- Support for LXCs
- Support for KVM (So that, If needed, can run windows or even custom kernel Linux)
- Must be free
- Support ZFS (Preferable)
- Ability to extend CEPH support (Preferable)
- Support Clusters (Preferable)
- Easy to setup (Optional)
- Easy to maintain (Must)
- Must be open source and
- Should have good community
Proxmox fits the bill perfectly when compared to any other. Proxmox is not without any negative. Key improvement areas for Proxmox are
- UI still looks 2010-ish (Hey! we are in 2017)
- TUN/TAP setup needs some work
Now its time to set up the virtualization on the server. Unfortunately, folks at Cloudiver didn’t have a template and hence had to ask them to install it. However due to some reason (Configuration screw up from my Side). I had to reinstall the whole thing. But, I had asked the folks to setup my drives in RAID 1. If you have no clue on what RAID is, you must read about it here. When I have two disks, I prefer RAID 1 as compared to RAID 0. While RAID 0 might give me the speed, RAID 1 gives me the redundancy. I addressed the speed limitations through ZFS. So I get a virtual RAID 10 support.
If you have to set up a software RAID array by your self, it is straightforward with MDADM utility. Will cover that a bit later.
Preparing for virtualisation
For Proxmox setup, we start with Debian flavour. I am assuming you were delivered a dedicated machine with Debian 9 preinstalled.
Upgrading to Debian 9 from Debian 8
If you only have Debian 8, please do an in-place upgrade using the following steps. I strongly advise using a fresh installation.
apt-get update apt-get upgrade apt-get dist-upgrade
The above step is followed by updating “update/upgrade source”. we have to edit to apt sources for this.
We just need to replace all Jesse (Debian 8) references to Stretch (Debian 9). The following command with does that you.
sed -i 's/jessie/stretch/g' /etc/apt/sources.list
Now its time to upgrade to Debian 9 by again running the following commands.
apt-get update apt-get upgrade apt-get dist-upgrade
This upgrade installation will take time, and in the end, you would be ready with Debian 9. Restart once and log in again.
Installation of helper utilities
I prefer nano as my editing files. it is a lightweight and simple editor for most of my needs. If you use some other editors such as vi or vim, I don’t think you need my help telling you to use to edit the files. In my write-ups, I would be using only nano.
One thing I miss in the new Debian is “ifconfig” tool. Hence I would be installing them as well.
Besides, I would also install curl (I like the flexibility) and ca-certificates bundle (So that I don’t get errors later when “wget” an https files). The command for installing all this is as follows.
apt install curl net-tools ca-certifcates
That will provide most of the helper utilities for the rest of the story.
ZFS might sound complicated. But its a simple installation procedure.
First, we need to install all the kernel headers for the kernel you have.
apt install linux-headers-$(uname -r)
Second, install the ZFS packages. If you notice I used “apt” instead of “apt-get”. “apt” is a convenient way of installing in newer versions of Debian.
apt install zfs-dkms zfsutils-linux
and third, if you want to boot from ZFS (I prefer this)
apt install zfs-initramfs
Then restart. Now the ZFS installation is done.
I generally do a cleanup of apt installation files, as “junk” might accumulate as you install/remove some packages. This cleanup is done by
First pre-requisite for the Proxmox installation is that hostname is resolvable via /etc/hosts. So let’s check that with the following command.
If the command prints out your address, you are good to go. If not, please edit your /etc/hosts file to add your IP.
Now let us add proxmox sources to “apt” packager list.
echo "deb <a class="external free" href="http://download.proxmox.com/debian/pve" rel="nofollow">http://download.proxmox.com/debian/pve</a> stretch pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
Now we need to tell apt about the repo keys so that apt can reliably update the packages from the source.
wget <a class="external free" href="http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg" rel="nofollow">http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg</a> -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
Again to be on a safer side, let’s ensure all our packages are safely up-to-date.
apt update && apt dist-upgrade
After we have done this, let us install proxmox.
apt install proxmox-ve postfix open-iscsi
Now that’s its. We have installed proxmox with ZFS installed. You can reboot once (For the heck of it), and you should be able to login to proxmox using your [your-ip-address]:8006 port. Your root username and password will work here.
In the next part, we will look at securing the environment with some basic level hardening, using Shorewall to configure firewall and also using OpenVPN to access VMs securely (without exposing all VMs ssh ports)