How to create a new VM
This page has been moved to docs.fsfe.org with the rest of the sysadmin documentation.
The goal of this document is to explain how to create a new VM on our Proxmox clusters.
To create a new VM, you can use the command line (the qemu tools) or the web interface. Access to the web interface is limited to the clusters' own IP addresses, so to reach it you need SSH port forwarding (an SSH tunnel).
Use the following command to bind the remote port to a local one:
ssh -L 8006:localhost:8006 <a host within the proxmox cluster: platinum, iridium, osmium, krypton>
Now you can browse https://localhost:8006 and that will take you to the web interface.
Choose cluster
We have the following clusters:
- At Plusserver in Düsseldorf, Germany, with 3 physical servers, but quite old and limited hardware
- At PLUTEX in Bremen, Germany, with 3 physical servers. Use this for storage-intensive services.
- At Noris in Nuremberg, Germany, with 3 physical servers. Use this for computing-intensive services.
- 'krypton' in Vienna, Austria, with 1 physical server. In this datacenter it is not possible to do reverse DNS.
If the VM needs to be part of a High Availability group, or needs to query the LDAP database without certificates, it will need to be in Düsseldorf.
Container or VM?
There are two options for new virtual hosts: container or virtual machine.
- VM: Provides more flexibility and configurability. Migrations to other Proxmox hosts are very fast
- Container: More lightweight and restricts some potentially unpleasant activities
Recently we have come to prefer virtual machines.
Create the VM
Click on "Create new VM" and go through the wizard. In most cases, the defaults are fine:
- Name: Please check our Naming Schemes. You can re-use names used in the past.
- System:
  - QEMU (guest agent): activate
- Hard disk:
  - Use VirtIO as device
- CPU:
  - Type: host
- Memory:
  - disable ballooning
- Network:
  - disable firewall
  - At PLUTEX/Noris: Bridge vmbr0 and VLAN tag 11
The virtual machine can be HA managed by the cluster. That means the cluster will ensure that the VM is always up. We only have one HA group, so if you need HA please add the VM to this group (hag0). You can increase the restart limit to 10. (For the non-HA Vienna server, make sure to enable autostart in the VM/container settings if it should be running.)
OS Installation
Open the VM's console; the install ISO should already have booted there. Here are some general hints:
- Use expert install (under advanced)
- Install "network-console" component (you can then connect via SSH to the installation a few steps later)
- Network:
  - Reuse an IP and perhaps also name of an unused old host
  - Set the correct netmask (see below)
  - Use the default gateway
  - Set IPs of both DNS servers (see below)
- Clock: UTC
- Users: set root password (ask max or albert), create no user
- Partition: Use full disk, guided install, with LVM
- Install only targeted drivers
- Software selection: only SSH server
- In shell: add own key to authorized_keys
Network Settings
DNS
Hosts with a dedicated IPv4 address can use the following DNS servers (tennant & geoffroy): 217.69.89.137 and 188.172.205.115.
IPv6-only hosts use 2001:aa8:ffed:f5f3::137 and 2a00:11c0:d:1::115.
Subnets and Gateways
- Duesseldorf Cluster:
  - IPv4 Network: 217.69.89.128/26, netmask 255.255.255.192
  - IPv4 Gateway: 217.69.89.129
  - IPv6 Network: 2001:aa8:ffed:f5f3::/64
  - IPv6 Gateway: 2001:aa8:ffed:f5f3::1
- Vienna Host:
  - IPv4 Network: 188.172.205.112/28, netmask 255.255.255.240
  - IPv4 Gateway: 188.172.205.113
  - IPv6 Network: 2a00:11c0:d:1::/64
  - IPv6 Gateway: 2a00:11c0:d:1::1
- Nuremberg Cluster:
  - IPv4 Network: 213.95.165.48/28, netmask 255.255.255.240
  - IPv4 Gateway: 213.95.165.49
  - IPv6 Network: 2001:0780:0215:1::/64
  - IPv6 Gateway: 2001:0780:0215:1::1
- Bremen Cluster:
  - IPv4 Network: 31.24.147.80/28, netmask 255.255.255.240
  - IPv4 Gateway: 31.24.147.81
  - IPv6 Network: 2a02:16d0:1004:5a00:f5f3::cafe:/64
  - IPv6 Gateway: 2a02:16d0:1004:5a00:f5f3::1
Aftermath
Remove the install ISO from the Proxmox hardware interface.
Connect via SSH and configure the network in /etc/network/interfaces:
- Replace allow-hotplug with auto
- Add IPv6, e.g.:
  iface ens18 inet6 static
      address 2001:aa8:ffed:f5f3::140/64
      gateway 2001:aa8:ffed:f5f3::1
Install the package qemu-guest-agent if you activated QEMU in the creation process (should not be necessary from Debian bullseye on). But you may have to install python3 manually to make Ansible deployments work.
NAT for IPv6-only hosts
If you set up an IPv6-only host and the VM depends on contacting IPv4-only services (e.g. GitHub or Docker Hub), you can give the host a NAT'ed private IPv4 address on the Noris and Plutex clusters.
For example, add the following to /etc/network/interfaces:
  iface ens18 inet static
      address 100.64.42.104/24
      gateway 100.64.42.1
The subnet/gateway for VMs at Noris is 100.64.42.1/24, for Plutex 100.64.23.1/24.
The address's last octet should be the same as the public IP's last group. So if your host's IPv6 address is 2001:780:215:1::123 (Noris), the NAT'ed IPv4 address should be 100.64.42.123.
DNS Settings
In the FSFE's DNS settings, add the new host for the domain zone (usually db.fsfeurope.org) and the PTRs in the IPv4 and IPv6 zones.
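The NAT'ed-address rule, the /etc/network/interfaces fragment from the Aftermath section and the PTR records for the reverse zones, as an added worked example that is not part of this page's or the FSFE's own tooling. Gateways and the 2001:780:215:1::123 example come from the page; the hostname newvm.example.org, the interface name and the 2001:db8:: test address are constructed.

```python
import ipaddress

# NAT gateways per cluster as given on the page (VM subnets 100.64.42.0/24 and 100.64.23.0/24).
NAT_GATEWAYS = {
    "noris": ipaddress.IPv4Address("100.64.42.1"),
    "plutex": ipaddress.IPv4Address("100.64.23.1"),
}


def nat_ipv4_for(ipv6: str, cluster: str) -> ipaddress.IPv4Address:
    """Page rule: the NAT'ed IPv4's last octet is the public IPv6's last group read
    literally as decimal digits, e.g. 2001:780:215:1::123 -> 100.64.42.123."""
    last_group = ipaddress.IPv6Address(ipv6).exploded.split(":")[-1].lstrip("0") or "0"
    if not last_group.isdigit():  # hex letters: the rule yields no valid octet, pick one by hand
        raise ValueError(f"last IPv6 group '{last_group}' is not decimal")
    octet = int(last_group)
    if not 2 <= octet <= 254:  # .0 network, .1 gateway and .255 broadcast are not host addresses
        raise ValueError(f"octet {octet} is not a usable host address in the /24")
    prefix = str(NAT_GATEWAYS[cluster]).rsplit(".", 1)[0]
    return ipaddress.IPv4Address(f"{prefix}.{octet}")


def interfaces_stanza(iface: str, ipv6: str, ipv6_gateway: str, cluster: str) -> str:
    """Render the /etc/network/interfaces fragment: static IPv6 plus the NAT'ed IPv4."""
    if ipaddress.IPv6Address(ipv6) not in ipaddress.IPv6Network(f"{ipv6_gateway}/64", strict=False):
        raise ValueError("host address and gateway are not in the same /64")
    nat_ipv4 = nat_ipv4_for(ipv6, cluster)
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet6 static",
        f"    address {ipv6}/64",
        f"    gateway {ipv6_gateway}",
        "",
        f"iface {iface} inet static",
        f"    address {nat_ipv4}/24",
        f"    gateway {NAT_GATEWAYS[cluster]}",
    ])


def ptr_records(hostname: str, *addresses: str) -> list[str]:
    """Reverse-zone lines for the public addresses only (the NAT'ed 100.64.x.x address gets none)."""
    return [f"{ipaddress.ip_address(a).reverse_pointer}. PTR {hostname}." for a in addresses]


if __name__ == "__main__":  # constructed hostname, not a real FSFE machine
    print(interfaces_stanza("ens18", "2001:780:215:1::123", "2001:780:215:1::1", "noris"))
    print("\n".join(ptr_records("newvm.example.org", "2001:780:215:1::123")))
```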
FOLLOW UP
Remember to document the new machine! Setting up a Docker container or VM is just the technical part; to keep the FSFE's technical infrastructure clear and maintainable, we need proper communication and documentation.
- Add the VM to vm-overview.txt in the documentation repository
- Please make sure to follow the process for new services.
- Run the baseline playbook over the new host, also setting the backup password and the hosts.conf for icinga.
- Set the SSH keys via the SSH key distributor