Review Board 1.7.22


Minor change to Runbook (iptables rules for NFS example)

Review Request #5965 - Created July 15, 2012 and submitted

Joe Brockmeier
Reviewers
cloudstack
ke4qqq
cloudstack-git
Changing iptables rules to filter for source so NFS is not wide-open.

 

Diff revision 2 (Latest)


docs/runbook/en-US/Environment.xml
Revision 9048e1a New Change
1
<?xml version='1.0' encoding='utf-8' ?>
1
<?xml version='1.0' encoding='utf-8' ?>
2
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
2
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
3
<!ENTITY % BOOK_ENTITIES SYSTEM "Runbook.ent">
3
<!ENTITY % BOOK_ENTITIES SYSTEM "Runbook.ent">
4
%BOOK_ENTITIES;
4
%BOOK_ENTITIES;
5
]>
5
]>
6

    
   
6

   
7
<!-- Licensed to the Apache Software Foundation (ASF) under one
7
<!-- Licensed to the Apache Software Foundation (ASF) under one
8
 or more contributor license agreements.  See the NOTICE file
8
 or more contributor license agreements.  See the NOTICE file
9
 distributed with this work for additional information
9
 distributed with this work for additional information
10
 regarding copyright ownership.  The ASF licenses this file
10
 regarding copyright ownership.  The ASF licenses this file
11
 to you under the Apache License, Version 2.0 (the
11
 to you under the Apache License, Version 2.0 (the
12
 "License"); you may not use this file except in compliance
12
 "License"); you may not use this file except in compliance
13
 with the License.  You may obtain a copy of the License at
13
 with the License.  You may obtain a copy of the License at
14
 
14
 
15
   http://www.apache.org/licenses/LICENSE-2.0
15
   http://www.apache.org/licenses/LICENSE-2.0
16
 
16
 
17
 Unless required by applicable law or agreed to in writing,
17
 Unless required by applicable law or agreed to in writing,
18
 software distributed under the License is distributed on an
18
 software distributed under the License is distributed on an
19
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
19
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
20
 KIND, either express or implied.  See the License for the
20
 KIND, either express or implied.  See the License for the
21
 specific language governing permissions and limitations
21
 specific language governing permissions and limitations
22
 under the License.
22
 under the License.
23
-->
23
-->
24

    
   
24

   
25

    
   
25

   
26
<chapter id="chap-Runbook-Environment">
26
<chapter id="chap-Runbook-Environment">
27
  <title>Environment</title>
27
  <title>Environment</title>
28
  <para>
28
  <para>
29
      Before you begin, you need to prepare the environment before you install CloudStack. 
29
      Before you begin, you need to prepare the environment before you install CloudStack. 
30
      We will go over the steps to prepare now.
30
      We will go over the steps to prepare now.
31
  </para>
31
  </para>
32
  <section id="sect-Runbook-Environment-operatingsys">
32
  <section id="sect-Runbook-Environment-operatingsys">
33
    <title>Operating System</title>
33
    <title>Operating System</title>
34
    <para>
34
    <para>
35
      Using the CentOS 6.2 x86_64 minimal install ISO, you'll need to install CentOS
35
      Using the CentOS 6.2 x86_64 minimal install ISO, you'll need to install CentOS
36
      on your hardware. The defaults will generally be acceptable for this installation.
36
      on your hardware. The defaults will generally be acceptable for this installation.
37
    </para>
37
    </para>
38
    <para>
38
    <para>
39
      Once this installation is complete, you'll want to connect to your freshly
39
      Once this installation is complete, you'll want to connect to your freshly
40
      installed machine via SSH as the root user. Note that you should not allow root 
40
      installed machine via SSH as the root user. Note that you should not allow root 
41
      logins in a production environment, so be sure to turn off remote logins once you 
41
      logins in a production environment, so be sure to turn off remote logins once you 
42
      have finished the installation and configuration.
42
      have finished the installation and configuration.
43
    </para>
43
    </para>
44
    <section id="sect-Runbook-Environment-operatingsys-network">
44
    <section id="sect-Runbook-Environment-operatingsys-network">
45
      <title>Configuring the network</title>
45
      <title>Configuring the network</title>
46
      <para>
46
      <para>
47
        By default the network will not come up on your hardware and you
47
        By default the network will not come up on your hardware and you
48
        will need to configure it to work in your environment. Since we 
48
        will need to configure it to work in your environment. Since we 
49
        specified that there will be no DHCP server in this environment
49
        specified that there will be no DHCP server in this environment
50
        we will be manually configuring your network interface. We will
50
        we will be manually configuring your network interface. We will
51
        assume, for the purposes of this exercise, that eth0 is the only network
51
        assume, for the purposes of this exercise, that eth0 is the only network
52
        interface that will be connected and used. 
52
        interface that will be connected and used. 
53
      </para>
53
      </para>
54
      <para>
54
      <para>
55
        Connecting via the console you should login as root. Check the 
55
        Connecting via the console you should login as root. Check the 
56
        file <filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename>,
56
        file <filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename>,
57
        it will look like this by default:
57
        it will look like this by default:
58
        <screen>
58
        <screen>
59
DEVICE="eth0"
59
DEVICE="eth0"
60
HWADDR="52:54:00:B9:A6:C0"
60
HWADDR="52:54:00:B9:A6:C0"
61
NM_CONTROLLED="yes"
61
NM_CONTROLLED="yes"
62
ONBOOT="no"
62
ONBOOT="no"
63
        </screen>
63
        </screen>
64
      </para>
64
      </para>
65
      <para>
65
      <para>
66
        Unfortunately, this configuration will not permit you to connect to the network,
66
        Unfortunately, this configuration will not permit you to connect to the network,
67
        and is also unsuitable for our purposes with CloudStack. We want to 
67
        and is also unsuitable for our purposes with CloudStack. We want to 
68
	configure that file so that it specifies the IP address, netmask, etc., as shown
68
	configure that file so that it specifies the IP address, netmask, etc., as shown
69
	in the following example:
69
	in the following example:
70
      </para>
70
      </para>

    
   
71
      <important>

    
   
72
        <title>Hardware Addresses</title>

    
   
73
	<para>You should not use the hardware address (aka MAC address) from our example

    
   
74
	    for your configuration. It is network interface specific, so you should keep the 

    
   
75
	    address already provided in the HWADDR directive.

    
   
76
        </para>

    
   
77
      </important>
71
      <screen>
78
      <screen>
72
DEVICE=eth0
79
DEVICE=eth0
73
HWADDR=52:54:00:B9:A6:C0
80
HWADDR=52:54:00:B9:A6:C0
74
NM_CONTROLLED=no
81
NM_CONTROLLED=no
75
ONBOOT=yes
82
ONBOOT=yes
76
BOOTPROTO=none
83
BOOTPROTO=none
77
IPADDR=172.16.10.2
84
IPADDR=172.16.10.2
78
NETMASK=255.255.255.0
85
NETMASK=255.255.255.0
79
GATEWAY=172.16.10.1
86
GATEWAY=172.16.10.1

    
   
87
DNS1=8.8.8.8

    
   
88
DNS2=8.8.4.4
80
      </screen>
89
      </screen>
81
      <note>
90
      <note>
82
        <title>IP Addressing</title>
91
        <title>IP Addressing</title>
83
        <para>Throughout this document we are assuming that you will
92
        <para>Throughout this document we are assuming that you will
84
        have a /24 network for your CloudStack implementation. This can be any
93
        have a /24 network for your CloudStack implementation. This can be any
85
        RFC 1918 network. However, we are assuming that you will match the 
94
        RFC 1918 network. However, we are assuming that you will match the 
86
        machine address that we are using. Thus we may use 
95
        machine address that we are using. Thus we may use 
87
        <userinput><replaceable>172.16.10</replaceable>.2</userinput> and because
96
        <userinput><replaceable>172.16.10</replaceable>.2</userinput> and because
88
        you might be using the 192.168.55.0/24 network you would use 
97
        you might be using the 192.168.55.0/24 network you would use 
89
        <userinput><replaceable>192.168.55</replaceable>.2</userinput>
98
        <userinput><replaceable>192.168.55</replaceable>.2</userinput>
90
        </para>
99
        </para>
91
      </note>
100
      </note>
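Review bot: the new DNS1/DNS2 lines (new 87-88) are now the only place name resolution is configured, yet the paragraph introducing this example (66-69) still says only that the file "specifies the IP address, netmask, etc."; since the separate /etc/resolv.conf step is gone, add a sentence saying that on CentOS 6 the network service writes these entries into /etc/resolv.conf when the interface comes up (PEERDNS defaults to yes), and that a local resolver may be used in place of the Google addresses, as the old text allowed. Moving the Hardware Addresses admonition ahead of the example (new 71-77) reads better than having it after the IP Addressing note; no objection there.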
92
      <important>

   
93
        <title>Hardware Addresses</title>

   
94
	<para>You should not use the hardware address (aka MAC address) from our example

   
95
	    for your configuration. It is network interface specific, so you should keep the 

   
96
	    address already provided in the HWADDR directive.

   
97
        </para>

   
98
      </important>

   
99
      <para> Now that we have the configuration files properly set up, we need to run a
101
      <para> Now that we have the configuration files properly set up, we need to run a
100
      few commands to start up the network</para>
102
      few commands to start up the network</para>
101
      <screen><prompt># </prompt><userinput><command>chkconfig</command> network on</userinput></screen>
103
      <screen><prompt># </prompt><userinput><command>chkconfig</command> network on</userinput></screen>
102
      <screen><prompt># </prompt><userinput><command>service</command> network start</userinput></screen>
104
      <screen><prompt># </prompt><userinput><command>service</command> network start</userinput></screen>
103
      <para>This should bring the network up successfully, but we now need to enable name resolution.

   
104
      To do that we will edit <filename>/etc/resolv.conf</filename>. These instructions will add

   
105
      one of the nameservers from Google, though you are free to add a local nameserver if you wish. 

   
106
      Your <filename>/etc/resolv.conf</filename> should modified to look like:

   
107
      </para>

   
108
      <screen>

   
109
nameserver 8.8.8.8

   
110
      </screen>

   
111
    

   
112
    </section>
105
    </section>
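Review bot: dropping the resolv.conf paragraph and screen (old 103-110) also drops the only verification step for name resolution; with DNS handled from the ifcfg file the reader has nothing to check before `yum install ntp` in the NTP section. Suggest keeping a one-line check after `service network start`, e.g. `cat /etc/resolv.conf` showing the two nameserver lines, so a typo in DNS1/DNS2 surfaces here rather than as a yum failure later.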
113
    <section id="sect-Runbook-Environment-operatingsys-hostname">
106
    <section id="sect-Runbook-Environment-operatingsys-hostname">
114
      <title>Hostname</title>
107
      <title>Hostname</title>
115
      <para>
108
      <para>
116
        Cloudstack requires that the hostname be properly set. If you used the default
109
        Cloudstack requires that the hostname be properly set. If you used the default
117
        options in the installation, then your hostname is currently set to 
110
        options in the installation, then your hostname is currently set to 
118
        localhost.localdomain. To test this we will run: </para>
111
        localhost.localdomain. To test this we will run: </para>
119
        <screen><prompt># </prompt><userinput>hostname --fqdn</userinput></screen>
112
        <screen><prompt># </prompt><userinput>hostname --fqdn</userinput></screen>
120
        <para>At this point it will likely return:</para>
113
        <para>At this point it will likely return:</para>
121
        <screen>localhost</screen>
114
        <screen>localhost</screen>
122
        <para>To rectify this situation - we'll set the hostname by editing the
115
        <para>To rectify this situation - we'll set the hostname by editing the
123
        <filename>/etc/hosts</filename> file so that it follows a similar format to this example:<screen>
116
        <filename>/etc/hosts</filename> file so that it follows a similar format to this example:<screen>
124
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
117
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
125
172.16.10.2 srvr1.cloud.priv
118
172.16.10.2 srvr1.cloud.priv
126
</screen>
119
</screen>
127
        </para>
120
        </para>
128
        <para>After you've modified that file, go ahead and restart the network using:</para>
121
        <para>After you've modified that file, go ahead and restart the network using:</para>
129
<screen><prompt># </prompt><userinput><command>service</command> network restart</userinput></screen>
122
<screen><prompt># </prompt><userinput><command>service</command> network restart</userinput></screen>
130
        <para>Now recheck with the <command>hostname --fqdn</command> command and ensure that it returns 
123
        <para>Now recheck with the <command>hostname --fqdn</command> command and ensure that it returns 
131
        a FQDN response</para>
124
        a FQDN response</para>
132
    </section>
125
    </section>
133
    <section id="sect-Runbook-Environment-operatingsys-selinux">
126
    <section id="sect-Runbook-Environment-operatingsys-selinux">
134
      <title>SELinux</title>
127
      <title>SELinux</title>
135
      <para>At the moment, for CloudStack to work properly SELinux must be 
128
      <para>At the moment, for CloudStack to work properly SELinux must be 
136
      set to permissive. We want to both configure this for future boots and modify it
129
      set to permissive. We want to both configure this for future boots and modify it
137
      in the current running system.
130
      in the current running system.
138
      </para>
131
      </para>
139
      <para>To configure SELinux to be permissive in the running system we need to run 
132
      <para>To configure SELinux to be permissive in the running system we need to run 
140
      the following command:</para>
133
      the following command:</para>
141
      <screen><prompt># </prompt><userinput><command>setenforce</command> 0</userinput></screen>
134
      <screen><prompt># </prompt><userinput><command>setenforce</command> 0</userinput></screen>
142
      <para> 
135
      <para> 
143
        To ensure that it remains in that state we need to configure the file 
136
        To ensure that it remains in that state we need to configure the file 
144
        <filename>/etc/selinux/config</filename> to reflect the permissive state, 
137
        <filename>/etc/selinux/config</filename> to reflect the permissive state, 
145
	as shown in this example: </para>
138
	as shown in this example: </para>
146
      <screen>
139
      <screen>
147

    
   
140

   
148
# This file controls the state of SELinux on the system.
141
# This file controls the state of SELinux on the system.
149
# SELINUX= can take one of these three values:
142
# SELINUX= can take one of these three values:
150
#     enforcing - SELinux security policy is enforced.
143
#     enforcing - SELinux security policy is enforced.
151
#     permissive - SELinux prints warnings instead of enforcing.
144
#     permissive - SELinux prints warnings instead of enforcing.
152
#     disabled - No SELinux policy is loaded.
145
#     disabled - No SELinux policy is loaded.
153
SELINUX=permissive
146
SELINUX=permissive
154
# SELINUXTYPE= can take one of these two values:
147
# SELINUXTYPE= can take one of these two values:
155
#     targeted - Targeted processes are protected,
148
#     targeted - Targeted processes are protected,
156
#     mls - Multi Level Security protection.
149
#     mls - Multi Level Security protection.
157
SELINUXTYPE=targeted
150
SELINUXTYPE=targeted
158
      </screen>
151
      </screen>
159

    
   
152

   
160
    </section>
153
    </section>
161
    <section id="sect-Runbook-Environment-operatingsys-ntp">
154
    <section id="sect-Runbook-Environment-operatingsys-ntp">
162
      <title>NTP</title>
155
      <title>NTP</title>
163
      <para>NTP configuration is a necessity for keeping all of the clocks in your cloud
156
      <para>NTP configuration is a necessity for keeping all of the clocks in your cloud
164
      servers in sync. However, NTP is not installed by default. So we'll install and 
157
      servers in sync. However, NTP is not installed by default. So we'll install and 
165
      and configure NTP at this stage. Installation is accomplished as follows:
158
      and configure NTP at this stage. Installation is accomplished as follows:
166
      </para>
159
      </para>
167
      <screen><prompt># </prompt><userinput><command>yum</command> install ntp</userinput></screen>
160
      <screen><prompt># </prompt><userinput><command>yum</command> install ntp</userinput></screen>
168
      <para>The actual default configuration is fine for our purposes, so we merely need to
161
      <para>The actual default configuration is fine for our purposes, so we merely need to
169
      enable it and set it to start on boot as follows:</para>
162
      enable it and set it to start on boot as follows:</para>
170
      <screen><prompt># </prompt><userinput><command>chkconfig</command> ntpd on</userinput></screen>
163
      <screen><prompt># </prompt><userinput><command>chkconfig</command> ntpd on</userinput></screen>
171
      <screen><prompt># </prompt><userinput><command>service</command> ntpd start</userinput></screen>
164
      <screen><prompt># </prompt><userinput><command>service</command> ntpd start</userinput></screen>
172
    </section>
165
    </section>
173
  </section>
166
  </section>
174
  <section id="sect-Runbook-Environment-nfs">
167
  <section id="sect-Runbook-Environment-nfs">
175
    <title>NFS</title>
168
    <title>NFS</title>
176
    <para>
169
    <para>
177
      Our configuration is going to use NFS for both primary and secondary
170
      Our configuration is going to use NFS for both primary and secondary
178
      storage. We are going to go ahead and setup two NFS shares for those 
171
      storage. We are going to go ahead and setup two NFS shares for those 
179
      purposes. We'll start out by installing
172
      purposes. We'll start out by installing
180
      <application>nfs-utils</application>.
173
      <application>nfs-utils</application>.
181
    </para>
174
    </para>
182
    <screen><prompt># </prompt><userinput><command>yum</command> install nfs-utils</userinput></screen>
175
    <screen><prompt># </prompt><userinput><command>yum</command> install nfs-utils</userinput></screen>
183
    <para>
176
    <para>
184
      We now need to configure NFS to serve up two different shares. This is handled comparatively easily
177
      We now need to configure NFS to serve up two different shares. This is handled comparatively easily
185
      in the <filename>/etc/exports</filename> file. You should ensure that it has the following content:
178
      in the <filename>/etc/exports</filename> file. You should ensure that it has the following content:
186
    </para>
179
    </para>
187
    <screen>
180
    <screen>
188
/secondary *(rw,async,no_root_squash)
181
/secondary *(rw,async,no_root_squash)
189
/primary   *(rw,async,no_root_squash)
182
/primary   *(rw,async,no_root_squash)
190
    </screen>
183
    </screen>
191
    <para>
184
    <para>
192
      You will note that we specified two directories that don't exist (yet) on the system. 
185
      You will note that we specified two directories that don't exist (yet) on the system. 
193
      We'll go ahead and create those directories and set permissions appropriately on them with the following commands:
186
      We'll go ahead and create those directories and set permissions appropriately on them with the following commands:
194
    </para>
187
    </para>
195
    <screen>
188
    <screen>
196
<prompt># </prompt><userinput><command>mkdir</command> /primary</userinput>
189
<prompt># </prompt><userinput><command>mkdir</command> /primary</userinput>
197
<prompt># </prompt><userinput><command>mkdir</command> /secondary</userinput>
190
<prompt># </prompt><userinput><command>mkdir</command> /secondary</userinput>
198
<prompt># </prompt><userinput><command>chmod</command> 777 /primary</userinput>

   
199
<prompt># </prompt><userinput><command>chmod</command> 777 /secondary</userinput>

   
200
    </screen>
191
    </screen>
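Review bot: removing the two `chmod 777` lines (old 198-199) leaves the sentence at new 186, "create those directories and set permissions appropriately on them with the following commands", pointing at commands that only run `mkdir`; either state the intended ownership and mode or drop the clause. Worth a sentence as well that with `no_root_squash` in the exports above, root on any client that can reach the share is root on /primary and /secondary, which is the reason the iptables source filter later in this section matters.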
201
    <para>CentOS 6.x releases use NFSv4 by default. NFSv4 requires that domain setting matches on all clients. 
192
    <para>CentOS 6.x releases use NFSv4 by default. NFSv4 requires that domain setting matches on all clients. 
202
    In our case, the domain is cloud.priv, so ensure that the domain setting in <filename>/etc/idmapd.conf</filename>
193
    In our case, the domain is cloud.priv, so ensure that the domain setting in <filename>/etc/idmapd.conf</filename>
203
    is uncommented and set as follows:</para>
194
    is uncommented and set as follows:</para>
204
    <screen>Domain = cloud.priv</screen>
195
    <screen>Domain = cloud.priv</screen>
205
    <para>Now you'll need uncomment the configuration values in the file <filename>/etc/sysconfig/nfs</filename></para>
196
    <para>Now you'll need uncomment the configuration values in the file <filename>/etc/sysconfig/nfs</filename></para>
206
    <screen>
197
    <screen>
207
LOCKD_TCPPORT=32803
198
LOCKD_TCPPORT=32803
208
LOCKD_UDPPORT=32769
199
LOCKD_UDPPORT=32769
209
MOUNTD_PORT=892
200
MOUNTD_PORT=892
210
RQUOTAD_PORT=875
201
RQUOTAD_PORT=875
211
STATD_PORT=662
202
STATD_PORT=662
212
STATD_OUTGOING_PORT=2020
203
STATD_OUTGOING_PORT=2020
213
    </screen>
204
    </screen>
214
    <para> Now we need to configure the firewall to permit incoming NFS connections. 
205
    <para> Now we need to configure the firewall to permit incoming NFS connections. 
215
    Edit the file <filename>/etc/sysconfig/iptables</filename>
206
    Edit the file <filename>/etc/sysconfig/iptables</filename>
216
    </para>
207
    </para>
217
    <screen>
208
    <screen>
218
-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
209
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
219
-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
210
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
220
-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
211
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
221
-A INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
212
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
222
-A INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
213
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
223
-A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
214
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
224
-A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
215
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
225
-A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
216
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
226
-A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
217
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
227
-A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
218
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
228
-A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
219
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
229
    </screen>
220
    </screen>
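Review bot: the `-s 172.16.10.0/24` filter (new 209-219) closes the firewall side, but /etc/exports at new 181-182 still exports both shares to `*` with `no_root_squash`, so the export itself trusts any host that reaches the port; restrict the exports to the same network, e.g. `/secondary 172.16.10.0/24(rw,async,no_root_squash)`, so access does not rest on iptables alone. Two smaller points: the rules hard-code 172.16.10.0/24 while the IP Addressing note tells readers they may be on another RFC 1918 /24, so either mark the prefix as replaceable like the other addresses or say to substitute it; and the prose says only to edit /etc/sysconfig/iptables, without saying that these lines must be placed before the `-j REJECT --reject-with icmp-host-prohibited` rule the CentOS 6 default file ends with, or they never match.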
230
    <para>Now you can restart the iptables service with the following command:
221
    <para>Now you can restart the iptables service with the following command:
231
    </para>
222
    </para>
232
    <screen><prompt># </prompt><userinput><command>service</command> iptables restart</userinput></screen>
223
    <screen><prompt># </prompt><userinput><command>service</command> iptables restart</userinput></screen>
233
    <para>We now need to configure nfs service to start on boot and actually start it on the host by
224
    <para>We now need to configure nfs service to start on boot and actually start it on the host by
234
    executing the following commands:</para>
225
    executing the following commands:</para>
235
    <screen>
226
    <screen>
236
      <prompt># </prompt><userinput><command>service</command> rpcbind start</userinput>
227
      <prompt># </prompt><userinput><command>service</command> rpcbind start</userinput>
237
      <prompt># </prompt><userinput><command>service</command> nfs start</userinput>
228
      <prompt># </prompt><userinput><command>service</command> nfs start</userinput>
238
      <prompt># </prompt><userinput><command>chkconfig</command> rpcbind on</userinput>
229
      <prompt># </prompt><userinput><command>chkconfig</command> rpcbind on</userinput>
239
      <prompt># </prompt><userinput><command>chkconfig</command> nfs on</userinput>
230
      <prompt># </prompt><userinput><command>chkconfig</command> nfs on</userinput>
240
    </screen>
231
    </screen>
241
  </section>
232
  </section>
242

    
   
233

   
243

    
   
234

   
244
</chapter>
235
</chapter>