Back to igraltist's experiences
The following software packages are required:
Other packages should be part of a default installation.
First create a user who will start the KVM guests:
# useradd kvm
Add the user to the group kvm:
# gpasswd -a kvm kvm
Now I did something stupid. Fixme: wrapper for kvm-disk-user.
Add the kvm user to the disk group:
# gpasswd -a kvm disk
Now modify the udev rules so that everything is set up comfortably while booting.
For this I go to the directory /etc/udev/rules.d. There I look for tun, kvm and disk:
cd /etc/udev/rules.d
grep tun *
50-udev-default.rules:KERNEL=="tun", NAME="net/%k", MODE="0666", OPTIONS+="ignore_remove"
grep kvm *
grep block.*disk.*MODE *
50-udev-default.rules:SUBSYSTEM=="block", GROUP="disk", MODE="0640"
Find the line under the option '# network devices', add GROUP="kvm" and set MODE="660":
KERNEL=="tun", NAME="net/%k", MODE="0660", GROUP="kvm", OPTIONS+="ignore_remove"
Add a new option '# kvm device' with the following line; this is required for /dev/kvm (the udev key is GROUP, in capitals):
KERNEL=="kvm", NAME="%k", MODE="0660", GROUP="kvm"
Only if you use LVM for guest drives, change this rule as well, because the disk group needs read and write access on the device:
SUBSYSTEM=="block", GROUP="disk", MODE="0660"
The next step is to tell the system that the unprivileged kvm user may create a tap device and add it to a bridge. I use the sudo command and therefore edit the file '/etc/sudoers':
kvm ALL=(ALL) NOPASSWD: /sbin/brctl, /sbin/ifconfig, /sbin/start-stop-daemon, /usr/bin/tunctl
Fixme: maybe restrict this further.
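One way to restrict this further, as an added example that is not from the original post or from kvm-admin: sudoers grants the kvm user only a wrapper, and the wrapper accepts a fixed set of bridges and a strictly validated tap name instead of exposing brctl, ifconfig and tunctl in general. The wrapper path /etc/kvm/scripts/kvm-ifup-wrapper, the bridge names eth1 and dmz, and the tunctl/ip/brctl paths are assumptions.

```shell
#!/bin/bash
# kvm-ifup-wrapper (added example, not part of the original post or kvm-admin)
# Install as root-owned, mode 0755, and grant only this wrapper in sudoers:
#   kvm ALL=(root) NOPASSWD: /etc/kvm/scripts/kvm-ifup-wrapper
# Usage: kvm-ifup-wrapper <bridge> <tapname>   (run with RUN=1 to execute)

ALLOWED_BRIDGES="eth1 dmz"   # assumption: the two bridges of this setup
KVM_USER=kvm                 # the unprivileged user that starts the guests

# Return 0 only for a bridge named in ALLOWED_BRIDGES.
bridge_allowed() {
    for b in $ALLOWED_BRIDGES; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# Return 0 only for a tap name that is safe to hand to tunctl/ip/brctl:
# 1 to 15 characters from [A-Za-z0-9_]. Rejects empty names, whitespace,
# '/', ';' and option-looking names such as "-d".
tap_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Validate both arguments and print the exact commands the wrapper would
# run, one per line. Printing keeps the privileged part reviewable and
# testable; the block at the bottom executes them only when RUN=1.
ifup_commands() {
    bridge_allowed "$1" || { echo "bridge not allowed: $1" >&2; return 1; }
    tap_name_ok "$2"    || { echo "bad tap name: $2" >&2; return 1; }
    printf '%s\n' "/usr/bin/tunctl -u $KVM_USER -t $2" \
                  "/sbin/ip link set $2 up" \
                  "/sbin/brctl addif $1 $2"
}

if [ "${RUN:-0}" = 1 ]; then
    ifup_commands "$1" "$2" | while read -r cmd; do $cmd || exit 1; done
fi
```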
My setup includes two bridges: one for the local guests and one for a DMZ. The DMZ bridge I add to the system configuration so that it is built on startup. For the local bridge I use a script, which renames the local network device eth1 → reth1, creates a bridge named eth1 and adds the interface reth1 to the bridge eth1.
config_dmz=( "10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255" )
brctl_dmz=( "setfd 0" "sethello 0" "stp off" )
Change the IP to your IP address. The KVM guests in the DMZ then have, in this example, an IP in the range 10.0.0.(1-254).
Then I have a small script; I found this idea on a website but I don't remember where, so thanks to the unknown author :).
All KVM stuff I have placed in the directory /etc/kvm.
So the next script, which creates the locally connected bridge, lives in '/etc/kvm/scripts/bridge_starter'.
To run it on bootup:
/etc/kvm/scripts/bridge_starter
This is the script bridge_starter:
#!/bin/bash
### bridge_starter
ip=$(which ip)
ifconfig=$(which ifconfig)
brctl=$(which brctl)
dev=eth1        # the bridge will take over this name
dev_old=reth1   # the physical device is renamed to this
ip_dev='ip_address_from_the_local_net_device'   # e.g. 192.168.0.1
# move the physical device out of the way
$ip addr flush $dev
$ip link set $dev down
$ip link set $dev name $dev_old
$ip link set $dev_old up
# create the bridge under the old name and enslave the physical device
$brctl addbr $dev
$brctl addif $dev $dev_old
$ip link set $dev up
$ifconfig $dev $ip_dev up
For the firewall I use shorewall, and I have set up NAT for both bridges.
The next step is to prepare the directory that stores the 'guest.img'. When the kvm user starts the process, it must be able to enter the directory and must have write access to the image.
For example:
# chmod 770 /vmserver
# chgrp kvm /vmserver/guest.img
Also, for storing the pidfile, do:
# mkdir /var/run/kvm
# chgrp kvm /var/run/kvm
# chmod 770 /var/run/kvm
All preparation is done.
I have written a script to make managing KVM guests easy.
This script is in beta stage.
It can be found at http://svn.kasten-edv.de/svn/kvm-admin/trunk/.
To use it, I do this:
$ mkdir ~/kvm
$ cd ~/kvm
$ svn checkout http://svn.kasten-edv.de/svn/kvm-admin/trunk/ .
$ cd ..
$ su
# cp -a kvm /etc
# chmod 750 /etc/kvm
# chgrp kvm /etc/kvm
When all that is done, create a file named example in '/etc/kvm/guestconfig/' (or use it if it is already there).
Open it and add this:
#################################################################################
# the config/default.cfg and path_config.cfg contain the predefined variables  #
#################################################################################
#verbose = enabled        # print what is set; does not work at the moment
test-only = enabled       # do not execute, only show the command
name = example            # used as ifname when the tap option is used and ifname is not set
#hda = /vmserver/qemu.img
cdrom = /usr/src/ISOS/debian-40r3-i386-netinst.iso
## if you use the virtio drive, if = virtio must be set
#file = file:/dev/sda1, if:virtio, boot:on
file = file:/vmserver/qemu.img, if:scsi, boot:on
#file = file:/vmserver/qemu_1.img, if:ide, index:0, media:disk
#file = file:/vmserver/cd.iso, if:ide, index:1, media:cdrom
script = kvm-dmz-ifup     # default qemu-ifup
mem = 265                 # default 128 MB => size in MB
vnc = 4                   # connect your VNC client to host:4;
                          # vnc-max-client is set to 998
#vlan = 1                 # default 0, vlan-max is set to 254
#mac = 00:00:00:00:00:01  #
#nic-model = virtio       # ne2k_pci is default; a wrong driver is not supported by qemu,
                          # the kvm-manager will show which are available
net-tap = enabled         # use net option -tap
net-user = disabled       # if the tun-tap setup fails it will use -net user as default;
                          # -user is not activated at the moment
boot = d                  # default is c, the first drive "file" or "hda"
usb = enabled             # turn on usb support
usbdevice = tablet        # good if you use vnc with a desktop on the guest
nographic = disabled      #
pid = enabled             #
ifname = iface_test       # the name for the tap; if ifname is not set
                          # the name will be used, and if name is not set
                          # the filename of the guest config will be used
language = en-us          # default is de
smp = 2                   # default is no smp enabled
localtime = enabled       # default is False
daemonize = enabled       # default is enabled
no-fd-bootchk = enabled   # default is disabled
keymaps = enabled         # default is disabled; it needs the path set in
                          # config/path_config.cfg for keymaps
no-acpi = disabled        # default is disabled
std-vga = enabled         # default is enabled
Now it is time to test it:
# kvm-admin start example
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Setting up tun-tap-device, done ....
The follow command would be executing:
['/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']