Setting up a dedicated server Part 1 : Proxmox 5 + ZFS + Shorewall +Open VPN

S

UPDATE: Part 2 has been updated.

Keeping the spirit of the Journal, I believe, it’s appropriate to document every bit of learning. So starting up a multi-part series on setting up a new dedicated server with I what need for all my little technical experiments.

While the world is moving towards cloud and VPS, I like to have more control over what I set up as my environment.

Most important part of any development cycle is to know your environment well. Interestingly its also the most overlooked aspect by the developers.
datacenter and System Setup

Dedicated server this journal is running is an Intel E3-1240 V5. Its a reasonably beefy machine for my needs with a benchmark of 10368. I got tempted when the good folks at Clouvider, put the London location server on a Black Friday sale for 39GBP. You cant expect, the kind of service and support Clouvider is able to provide for that budget from anybody out there. Have tried all the usual suspects SYS, Online.net, Hetzner. Only improvement area for Clouvider is the level of automation (Compared with the big guys out there), But they do make it up with their responsive support.

Selecting Virtualisation

My criteria were simple

  • Support for LXCs
  • Support for KVM (So that, If needed, can run windows or even custom kernel Linux)
  • Must be free
  • Support ZFS (Preferable)
  • Ability to extend CEPH support (Preferable)
  • Support Clusters (Preferable)
  • Easy to setup (Optional)
  • Easy to maintain (Must)
  • Must be open source and
  • Should have good community

Proxmox fits the bill perfectly when compared to any other. Proxmox is not without any negative. Key improvement areas for Proxmox are

  • UI still looks 2010-ish (Hey! we are in 2017)
  • TUN/TAP setup needs some work

Now its time to set up the virtualization on the server.  Unfortunately, folks at Cloudiver didn’t have a template and hence had to ask them to install it. However due to some reason (Configuration screw up from my Side). I had to reinstall the whole thing. But, I had asked the folks to setup my drives in RAID 1. If you have no clue on what RAID is, you must read about it here. When I have two disks, I prefer RAID 1 as compared to RAID 0. While RAID 0 might give me the speed, RAID 1 gives me the redundancy. I addressed the speed limitations through ZFS. So I get a virtual RAID 10 support.

If you have to set up a software RAID array by your self, it is straightforward with MDADM utility.  Will cover that a bit later.

Preparing for virtualisation

For Proxmox setup, we start with Debian flavour. I am assuming you were delivered a dedicated machine with Debian 9 preinstalled.

Upgrading to Debian 9 from Debian 8

If you only have Debian 8, please do an in-place upgrade using the following steps. I strongly advise using a fresh installation.

apt-get update
apt-get upgrade
apt-get dist-upgrade

The above step is followed by updating “update/upgrade source”. we have to edit to apt sources for this.

/etc/apt/sources.list

We just need to replace all Jesse (Debian 8) references to Stretch (Debian 9). The following command with does that you.

sed -i 's/jessie/stretch/g' /etc/apt/sources.list

Now its time to upgrade to Debian 9 by again running the following commands.

apt-get update
apt-get upgrade
apt-get dist-upgrade

This upgrade installation will take time, and in the end, you would be ready with Debian 9. Restart once and log in again.

Installation of helper utilities

I prefer nano as my editing files. it is a lightweight and simple editor for most of my needs. If you use some other editors such as vi or vim, I don’t think you need my help telling you to use to edit the files. In my write-ups, I would be using only nano.

One thing I miss in the new Debian is “ifconfig” tool. Hence I would be installing them as well.

Besides, I would also install curl (I like the flexibility) and ca-certificates bundle (So that I don’t get errors later when “wget” an https files). The command for installing all this is as follows.

apt install curl net-tools ca-certifcates

That will provide most of the helper utilities for the rest of the story.

ZFS Installation

ZFS might sound complicated. But its a simple installation procedure.

First, we need to install all the kernel headers for the kernel you have.

apt install linux-headers-$(uname -r)

Second, install the ZFS packages. If you notice I used “apt” instead of “apt-get”. “apt” is a convenient way of installing in newer versions of Debian.

apt install zfs-dkms zfsutils-linux

and third, if you want to boot from ZFS (I prefer this)

apt install zfs-initramfs

Then restart. Now the ZFS installation is done.

proxmox installation

I generally do a cleanup of apt installation files, as “junk” might accumulate as you install/remove some packages. This cleanup is done by

apt auto-remove

First pre-requisite for the Proxmox installation is that hostname is resolvable via /etc/hosts. So let’s check that with the following command.

hostname --ip-address

If the command prints out your address, you are good to go. If not, please edit your /etc/hosts file to add your IP.

Now let us add proxmox sources to “apt” packager list.

echo "deb <a class="external free" href="http://download.proxmox.com/debian/pve" rel="nofollow">http://download.proxmox.com/debian/pve</a> stretch pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list

Now we need to tell apt about the repo keys so that apt can reliably update the packages from the source.

wget <a class="external free" href="http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg" rel="nofollow">http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg</a> -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg

Again to be on a safer side, let’s ensure all our packages are safely up-to-date.

apt update && apt dist-upgrade

After we have done this, let us install proxmox.

apt install proxmox-ve postfix open-iscsi

Now that’s its. We have installed proxmox with ZFS installed. You can reboot once (For the heck of it), and you should be able to login to proxmox using your [your-ip-address]:8006 port. Your root username and password will work here.

In the next part, we will look at securing the environment with some basic level hardening, using Shorewall to configure firewall and also using OpenVPN to access VMs securely (without exposing all VMs ssh ports)

 

 

About the author

nagu

Business leader, Technology Consultant and a Polyglot programmer. Infectious passion for Innovations and new technologies. Respects good UX. Current interests are in Microservices, ethical hacking and lockpicking!.

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By nagu

Nagu Gopalakrishnan

Business leader, Technology Consultant and a Polyglot programmer. Infectious passion for Innovations and new technologies. Respects good UX. Current interests are in Microservices, ethical hacking and lockpicking!.

About Me