Thursday, March 15, 2018

Easy VMs in Ubuntu 17.10

Let's do some experimenting with QEMU/KVM virtual machines in Ubuntu.

I was, frankly, shocked at just how easy Linux VMs are to set up and manage.

Preparation

If the hardware supports hardware virtualization...

$ egrep -c '(vmx|svm)' /proc/cpuinfo 
2                // '0' means no. '1' or higher means yes (it counts CPU threads that carry the flag, so it is not a boolean)

...then reboot into BIOS and turn it on. The flag only says the CPU can do it; if /dev/kvm is still missing after the KVM packages are installed, virtualization is still switched off in firmware. 'kvm-ok' (package cpu-checker) tells you which of the two you are looking at.


Creating the first VM:

Once virtualization is turned on, then from zero to fully operating is just three commands. The host is Ubuntu 17.10. The guest will also be 17.10, but that is merely because I lack imagination.

1) Install KVM, qemu, virt-manager and all the other tools you need. They are all dependencies of a single package:

$ sudo apt install uvtool

2) Download a cloud image of Ubuntu 17.10. Cloud images are headless - shell only. The download takes a few minutes (approximately 350 MB), so don't panic:

$ uvt-simplestreams-libvirt sync release=artful arch=amd64

3) Create and start VM Guest 'test1'

$ uvt-kvm create test1 release=artful



Starting, Stopping, Suspending, and Resuming the VM Guest from Host


$ virsh list              // Check status
 Id    Name                           State
----------------------------------------------------
 1     test1                          running

$ virsh suspend test1
Domain test1 suspended

$ virsh resume test1
Domain test1 resumed

$ virsh shutdown test1    // ACPI request: the guest stops a few seconds later. 'virsh destroy' is the hard power-off if it never does
Domain test1 is being shutdown

$ virsh list --all        // Use --all to show inactive VMs
 Id    Name                           State
----------------------------------------------------
 -     test1                          shut off

$ virsh start test1
Domain test1 started

$ virsh list
 Id    Name                           State
----------------------------------------------------
 2     test1                          running



Under the hood looking at storage


We didn't set up any virtual storage, and we don't know where that Ubuntu cloud image went. Let's take a moment and figure it out using virsh...

$ virsh dumpxml test1 | grep file
    <disk type='file' device='disk'>
      <source file='/var/lib/uvtool/libvirt/images/test1.qcow'/>
      <backingStore type='file' index='1'>
        <source file='/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTcuMTA6YW1kNjQgMjAxODAzMTQ='/>
    <disk type='file' device='disk'>
      <source file='/var/lib/uvtool/libvirt/images/test1-ds.qcow'/>

There are the images for the virtual storage devices, and for the original cloud image ('backingStore') too. test1.qcow is the guest's root disk; test1-ds.qcow is the small cloud-init datasource disk that uvtool generates alongside it (the NoCloud seed carrying the instance metadata and the SSH public key that 'uvt-kvm ssh' relies on). Looks like they are all in the same directory.

$ ls -l /var/lib/uvtool/libvirt/images/
total 1490572
-rw------- 1 libvirt-qemu kvm     458752 Mar 14 22:06 test1-ds.qcow
-rw------- 1 libvirt-qemu kvm  490471424 Mar 15 08:14 test1.qcow
-rw------- 1 libvirt-qemu kvm 1035468800 Mar 14 22:05 x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTcuMTA6YW1kNjQgMjAxODAzMTQ=

Aha. There's the cloud image, on the third line - that's where it went! The odd name is 'x-uvt-b64-' followed by the base64 of the simplestreams product and serial, 'com.ubuntu.cloud:server:17.10:amd64 20180314'. The actual VM Guest storage is on the first and second lines: qcow2 copy-on-write overlays that hold only the blocks that differ from the cloud image, which is why a fresh guest disk starts out tiny. Multiple Guests can base off the same cloud image, keeping storage tidy...and small. The flip side is that the cloud image is now shared, read-only infrastructure: delete it or modify it in place and every overlay built on it is corrupt. Note the 0600 mode and libvirt-qemu ownership, too - guest disks (and whatever secrets end up inside them) are not readable by ordinary users on the host.
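Before pruning anything in that directory it helps to know exactly which files a guest is layered on. What follows is an added example, not something from the original post: a small shell parser that reads the domain XML 'virsh dumpxml' prints and lists the guest's own disks and the backing images beneath them. The embedded XML is a constructed excerpt shaped like libvirt's output for the test1 guest above (libvirt quotes attributes with single quotes; the parser accepts either); on a real host you would feed it 'virsh dumpxml test1' instead.

```sh
#!/bin/sh
# Added example, not part of the original post: list the disk chain of a
# libvirt guest so you know which files must survive before deleting or
# moving anything under /var/lib/uvtool/libvirt/images/.

# disk_chain: reads libvirt domain XML on stdin and prints one line per
# disk file. A <source file=...> directly under <disk> is the guest's own
# (writable) image; one nested inside <backingStore> is a read-only image
# the guest is layered on. Deleting or rewriting a backing image in place
# corrupts every overlay that references it.
disk_chain() {
    awk -v q="'" '
        /<disk[ >]/          { depth = 0 }
        /<backingStore[ >]/  { depth++ }     # empty <backingStore/> does not match
        /<\/backingStore>/   { depth-- }
        match($0, "source file=[" q "\"][^" q "\"]+") {
            f = substr($0, RSTART + 13, RLENGTH - 13)   # drop: source file=<quote>
            if (depth == 0) printf "disk     %s\n", f
            else            printf "  backing  %s\n", f
        }'
}

# backing_files: only the shared, read-only images, deduplicated. Anything
# printed here must outlive the guest; 'uvt-kvm destroy' knows that, a
# stray rm -r does not.
backing_files() {
    disk_chain | awk '$1 == "backing" { print $2 }' | sort -u
}

# Constructed excerpt in the shape of 'virsh dumpxml test1' for a uvtool
# guest (paths as on the page; not captured from a real host).
SAMPLE_XML='<domain type="kvm">
  <devices>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/var/lib/uvtool/libvirt/images/test1.qcow"/>
      <backingStore type="file" index="1">
        <format type="qcow2"/>
        <source file="/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTcuMTA6YW1kNjQgMjAxODAzMTQ="/>
        <backingStore/>
      </backingStore>
      <target dev="vda" bus="virtio"/>
    </disk>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/var/lib/uvtool/libvirt/images/test1-ds.qcow"/>
      <backingStore/>
      <target dev="vdb" bus="virtio"/>
    </disk>
  </devices>
</domain>'

# Stand-alone demo on the constructed XML. On a real host:
#   virsh dumpxml test1 | disk_chain
printf '%s\n' "$SAMPLE_XML" | disk_chain
echo "shared images not to delete:"
printf '%s\n' "$SAMPLE_XML" | backing_files
```

Run it against every guest ('for d in $(virsh list --all --name); do virsh dumpxml "$d" | backing_files; done') and you have the list of images that 'rm -r /var/lib/uvtool' would pull out from under running machines.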

Let's add another Guest VM and see how it changes.

$ uvt-kvm create test2 release=artful
$ ls -l /var/lib/uvtool/libvirt/images/
total 1491344
-rw------- 1 libvirt-qemu kvm     458752 Mar 14 22:06 test1-ds.qcow
-rw------- 1 libvirt-qemu kvm  490471424 Mar 15 08:29 test1.qcow
-rw------- 1 libvirt-qemu kvm     458752 Mar 15 08:34 test2-ds.qcow
-rw------- 1 libvirt-qemu kvm     393216 Mar 15 08:34 test2.qcow
-rw------- 1 libvirt-qemu kvm 1035468800 Mar 14 22:05 x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTcuMTA6YW1kNjQgMjAxODAzMTQ=

A whole fresh VM takes less than 1 MB. Of course, it will grow quickly once you start giving it work to do.

And here you can see how to destroy a VM Guest properly. The guest files are deleted, the cloud image is not.

$ uvt-kvm destroy test2
$ ls -l /var/lib/uvtool/libvirt/images/
total 1490572
-rw------- 1 libvirt-qemu kvm     458752 Mar 14 22:06 test1-ds.qcow
-rw------- 1 libvirt-qemu kvm  490471424 Mar 15 08:29 test1.qcow
-rw------- 1 libvirt-qemu kvm 1035468800 Mar 14 22:05 x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTcuMTA6YW1kNjQgMjAxODAzMTQ=


Securing VM Guest with a new admin account and SSH Keys

uvt-created guests start with the default 'ubuntu' admin user, so you can begin customizing without a lot of hassle. That account is a poor thing to keep: its name is known to everyone, and cloud-init gives it passwordless sudo. So let's add our own admin user and delete that default fellow.

Step 1. On the HOST, log in to the Guest as the default 'ubuntu' user

host$ uvt-kvm ssh test1

Step 2. On the GUEST, add the new admin user. Let's call her 'adminnnn'. The first 'adduser' command asks a few questions, including a password. Give a password: we will need it once in Step 5 to copy the SSH key across, and --of course-- to use sudo in the Guest. The second command adds her to the 'sudo' group as a supplementary group (making 'sudo' her primary group with --ingroup also works, but it is not the usual layout).

test1$ sudo adduser adminnnn
test1$ sudo adduser adminnnn sudo

Step 3. Edit the SSH settings to briefly permit password login so ssh-copy-id can place the key; Ubuntu cloud images ship with password login switched off. We will change this back in a later step. I use nano - you use whatever editor you wish.

test1$ sudo nano /etc/ssh/sshd_config

Make sure these settings are active. The keywords are single words: written as 'PubKey Authentication', sshd sees an unknown option 'PubKey' and refuses to start.

     PubkeyAuthentication yes
     PasswordAuthentication yes
     ChallengeResponseAuthentication no
     UsePAM yes
     (Remember to save your changes!)

Step 4. Check the file parses, restart SSH so the sshd config changes take effect, and log out from the 'ubuntu' user. On Ubuntu the unit is called 'ssh' ('sshd' is an alias).

test1$ sudo sshd -t                  // no output means the config parses
test1$ sudo systemctl restart ssh
test1$ exit

Step 5. Create an SSH key if you don't already have one (ed25519 is the sensible choice; if you already have a key then use it, of course). Learn the IP address of the Guest. Copy the key across to the Guest - ssh-copy-id asks for adminnnn's password, which is why Step 3 was needed. Then log in using the new key.

host$ ssh-keygen -t ed25519
host$ uvt-kvm ip test1
192.168.122.249
host$ ssh-copy-id adminnnn@192.168.122.249
host$ ssh adminnnn@192.168.122.249

Step 6. Test adminnnn's new sudo powers. If they work, delete the 'ubuntu' user together with its home directory, and remove the cloud-init sudoers rule that granted it passwordless sudo (otherwise anyone who recreates a user named 'ubuntu' later silently gets it back). From here on 'uvt-kvm ssh test1', which logs in as 'ubuntu', no longer works; use 'ssh adminnnn@<ip>' instead.

test1$ sudo apt update
test1$ sudo apt upgrade
test1$ sudo deluser --remove-home ubuntu
test1$ sudo rm /etc/sudoers.d/90-cloud-init-users

Step 7. Tighten ssh to allow keys only. UsePAM stays 'yes': on Ubuntu PAM still handles account and session setup, and with password and challenge-response logins off it cannot be used to log in with a password anyway (setting it to 'no' is the kind of edit that breaks logins in surprising ways). Restart sshd, and before you close this session, open a second terminal on the host and confirm that your key still logs in and that a password-only attempt is refused. If you lock yourself out regardless, 'virt-viewer test1' still gives you the console, where adminnnn's password works.

test1$ sudo nano /etc/ssh/sshd_config

Make sure these settings are active:

     PubkeyAuthentication yes
     PasswordAuthentication no
     ChallengeResponseAuthentication no
     UsePAM yes
     (Remember to save your changes!)

test1$ sudo sshd -t
test1$ sudo systemctl restart ssh
test1$ exit

...and that's all you need
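The two sshd_config edits above are easy to get subtly wrong by hand: a misspelt keyword stops sshd from starting, and a directive appended below an existing one is silently ignored because sshd honours the first match. As an added example (mine, not from the original post), here are Steps 3 and 7 as shell functions that rewrite a directive in place wherever it already occurs, commented out or not, plus a checker that reads the file the way sshd does. The demo runs on a constructed temporary copy; the only assumptions are GNU sed and awk, which Ubuntu has.

```sh
#!/bin/sh
# Added example, not part of the original post: the sshd_config edits from
# Steps 3 and 7 as idempotent functions, plus a check that reads the file the
# way sshd does (first uncommented match wins). Point them at a copy first;
# on the guest the real file is /etc/ssh/sshd_config.

# set_directive FILE KEY VALUE
# Rewrite every existing line for KEY, commented out or not, to "KEY VALUE",
# or append one if KEY is absent. Appending blindly is the classic mistake:
# an earlier "PasswordAuthentication yes" higher up would still win.
# (GNU sed; the I flag makes the match case-insensitive, as sshd is.)
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eqi "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E -i "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Step 3: open password login briefly so ssh-copy-id can place the key.
allow_password_bootstrap() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication yes
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" UsePAM yes
}

# Step 7: keys only. UsePAM stays yes: on Ubuntu PAM still does account and
# session setup, and with both password paths off it cannot log anyone in.
keys_only() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" UsePAM yes
}

# effective FILE KEY: the value sshd would use, i.e. the first uncommented
# occurrence (keywords are case-insensitive). Prints nothing if unset.
effective() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# is_keys_only FILE: succeeds only if neither password path is open and
# public-key login is not disabled (its default is yes when unset).
is_keys_only() {
    [ "$(effective "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective "$1" PubkeyAuthentication)" != no ]
}

# Stand-alone demo on a constructed copy shaped like the Ubuntu cloud-image
# default, where cloud-init has already turned password logins off.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Constructed sample, not a real /etc/ssh/sshd_config
#PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
allow_password_bootstrap "$demo"
echo "after Step 3: PasswordAuthentication=$(effective "$demo" PasswordAuthentication)"
keys_only "$demo"
if is_keys_only "$demo"; then echo "after Step 7: keys only"; fi
rm -f "$demo"
```

On the real guest the authoritative check is 'sudo sshd -T | grep -Ei "^(passwordauthentication|challengeresponseauthentication|pubkeyauthentication|usepam) "', since 'sshd -T' prints the effective configuration (in lower case) rather than what you think you wrote. The lockout test from a second terminal on the host is 'ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password adminnnn@192.168.122.249', which after Step 7 must be refused with 'Permission denied (publickey)'.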


Let's add a full Desktop Environment

In this case, let's add Lubuntu.

host$ ssh adminnnn@192.168.122.249

test1$ sudo apt install lubuntu-desktop --no-install-recommends
test1$ exit

A reboot is necessary for the new desktop to launch at startup. Let's use virt-viewer to watch the reboot process. We could also use remmina since we know the IP address.

host$ virt-viewer test1

test1$ sudo reboot

After reboot, the desktop should come up.


To eliminate the desktop, including another way to reboot:

host$ ssh adminnnn@192.168.122.249

test1$ sudo apt remove lubuntu-desktop
test1$ sudo apt autoremove
test1$ exit

host$ virsh reboot test1


Cleaning Up


It's poor practice to leave your system littered with old experiments. When finished playing, here's how to clean up. All of these commands, of course, are done on the HOST.

To delete just one Guest VM, but leave the VM Host software on your system:

$ uvt-kvm destroy test1

To delete the VM Host software from your system (Ubuntu), but leave guest Virtual Disks intact:

$ sudo apt remove uvtool
$ sudo apt autoremove

To delete any remaining Virtual Disks, including the cloud image(s) they are based upon.

$ sudo rm -r /var/lib/uvtool

References:
https://help.ubuntu.com/community/KVM
https://help.ubuntu.com/lts/serverguide/cloud-images-and-uvtool.html

Sunday, December 20, 2015

Are you ready for new members?

In a few days, many Ubuntu users will unwrap new hardware, plug it in, and have a fantastic experience.

Some users will get inspired to join the community to solve bugs, add features, contribute code, and much more.


Support Gurus: use Find-a-Task

New, enthusiastic users often show up in the many Ubuntu help forums.

Encourage them to try Find-a-Task to see the variety of ways they can help.
Just send them over, and we'll do the rest.


Team Leaders: Is your team ready?

Is your team ready to welcome, train, and integrate these new volunteers?

Has your team looked at its Find-a-Task roles for volunteers? It's easy to add or change your team's listings.

Is your team approachable? Can you be contacted easily by a new volunteer? Is your web page for new volunteers accurate?


Improving Find-a-Task

Find-a-Task is the Ubuntu community's job board for volunteers. Introduced in January 2015, Find-a-Task shows fellow volunteers the variety of tasks and roles available, and links those roles to the team web pages.

Please share your suggestions to improve Find-a-Task to the Ubuntu Community Team mailing list.

Wednesday, November 4, 2015

UOS Overflow Session: Find-a-Task

The Ubuntu Online Summit has added an overflow session on Find-a-Task, the Ubuntu community's volunteer job board. The job board tries to link volunteers with a wide range of jobs that need to be done.

  • Does it work?
  • Have you tried it?
  • Do you know anyone who has joined a team after using it?
  • Is your team listed on it?
  • How can it be improved?
  • Is it the best gateway for undecided new volunteers?

Join us tomorrow, 05 Nov at 1800 UTC to discuss the future of Find-a-Task, and the best ways to recruit new Ubuntu Members.

Watch Live at http://summit.ubuntu.com/uos-1511/meeting/22644/growing-new-community-members/
Or join us on freenode IRC:  #ubuntu-uos-overflow

See you there!

Saturday, October 31, 2015

Is your team ready for UOS?

The Ubuntu Online Summit (UOS), 03-05 November 2015, is only a few days away.

Is your team ready to welcome, train, and integrate new volunteers inspired by UOS?

Has your team updated its Find-a-Task roles for volunteers? It's easy to add or change your team's listings.

Find-a-Task is the Ubuntu community's job board for volunteers. Introduced in January 2015, Find-a-Task shows fellow volunteers the variety of tasks and roles available.


It's for everyone, new and old

UOS is one of the events that energizes the Ubuntu community. It is a great time for volunteers to change tracks, to try something new.

Your Find-a-Task roles should reflect that. Don't limit yourself to new enthusiasts. Your roles should welcome experienced members, too!


Improving Find-a-Task

Please share your suggestions to improve Find-a-Task during any of the UOS Community Roundtable sessions.
See you there!

Saturday, October 10, 2015

Point New Participants to Find-a-Task!

Find-a-Task is the Ubuntu community's job board for volunteers.

Introduced in January 2015, Find-a-Task shows fellow volunteers the variety of tasks and roles available.


Are you using Find-a-Task?

Volunteers can browse the many ways to contribute to Ubuntu, and choose their favorite. No hassle, no pressure, no sign-up, no commitment.

New enthusiasts don't know about Find-a-Task. (How could they?)
It only works if *you* encourage new volunteers to try it.


It's for new participants

Take a quick look, and see the variety of volunteer roles available. We have listings for many different skills and interests, including plenty of non-technical tasks.


It's also for longtime participants

Life moves on. Jobs and family and hobbies change.

Losing interest in your current role, or have less time for it? Renew the magic - use Find-a-Task to try something new and different!

Real friends don't let their mates burn out or drop off.  When you see a friend start to teeter or flame out, guide them to Find-a-Task and help them recover with a different role.


Adding Listings and Improving Find-a-Task

It's easy to add or change your team's listing.

Please share your suggestions to improve Find-a-Task on the ubuntu-community-team mailing list.

Wednesday, October 7, 2015

CAC on Firefox using Ubuntu 15.04

After a couple of years away from CAC on Linux, it's time to revisit how to install a DOD CAC reader for Firefox under Ubuntu 15.10.

Very good instructions are on the Ubuntu Help pages. This guide clarifies a few vague elements, and reorganizes the information to help you troubleshoot.

There are five simple steps:
  • Get an appropriate card reader
  • Install the card reader software (pcscd)
  • Test the card, reader, and software
  • Install cackey
  • Install the DOD certs and point Firefox to the card reader

The Firefox extension requires cackey, cackey requires pcscd, and pcscd requires hardware to detect. We will follow best practice for Debian/Ubuntu and install the dependencies first, in that order.


Get A Card Reader

There's nothing to add here. The Ubuntu Help page says it all.



Install Card Reader Software


sudo apt-get install pcscd pcsc-tools

The key software you need is the pcsc daemon (pcscd) and its libpcsclite1 dependency. pcsc-tools is handy for testing the connection in the next step.



Test the card reader and software


Insert your CAC card and run:

pcsc_scan

As shown on the Ubuntu Help page, pcsc_scan will clearly show you if your card reader and card are detected.



Install cackey

The cackey library provides access to the cryptographic and certificate functions of the CAC card.

1) You need to know if your Ubuntu system is a 32-bit or 64-bit install. Don't trust a sticker or what you remember - checking takes but a moment. ('uname -i' often just prints 'unknown'; dpkg reports the Debian architecture name, which is exactly the word in the package filename.)

dpkg --print-architecture

If the result is 'i386', you are running a 32-bit system. Look for a download labeled 'i386'.
If the result is 'amd64', you are running a 64-bit system. Look for a download labeled 'amd64'.

2) There are two places to download the latest cackey package from:
https://software.forge.mil/sf/projects/community_cac (CAC required)
http://cackey.rkeene.org/fossil/home (non-CAC)

3) Download the latest cackey .deb package. Be sure to choose between 32/64 bit properly - the wrong package will happily install...but won't work.

4) Bug workaround for 64-bit only: Cackey tries to install to the /usr/lib64 directory, which probably doesn't exist on your system. Simply create it. This bug does not affect 32-bit users, who can safely ignore this entire paragraph.

5) Finally, install the downloaded cackey deb using the 'dpkg --install' command.


Example:
1) I'm running a 64-bit system.
3) I downloaded cackey_0.7.5-1_amd64.deb to my Downloads directory.
Then I installed the deb using:

sudo mkdir /usr/lib64        ## Step 4 - 64-bit bug workaround
sudo dpkg --install ~/Downloads/cackey_0.7.5-1_amd64.deb    ## Step 5



Install DOD Certificates and Point Firefox to the Card Reader

Happily, forge.mil has a Firefox add-on that does all this for you! Be aware of what "all this" means: the add-on imports the DOD CA certificates into Firefox's trust store and registers the cackey PKCS#11 module, and anything that can add trusted roots to your browser should come only from the official site below.

1) Simply download the latest 'dod_configuration-X.X.X.xpi' file from http://www.forge.mil/Resources-Firefox.html (non-CAC).

2) Quit Firefox

3) Double-click on the dod_configuration-X.X.X.xpi file you downloaded (it might be in your Downloads directory). Firefox will restart, and offer to install the add-on. Go ahead and install it.




Testing

Try your favorite CAC website (like AKO or OWA) and see if the site works, and if the site communicates properly with your card.

Be sure your USB card reader is snugly inserted, of course.

Start (or restart) Firefox after your CAC reader and card are inserted and recognized by the system. 

Thursday, September 3, 2015

The best DebConf 15 videos

I simply cannot take time off work to attend DebConf, so each year I watch the videos instead. It took almost a month, thanks to the back-to-school rush at work, but I finally got through the sessions I wanted to see.

Here are my highlights from DebConf 15:

Cool Stuff


Creating A More Inviting Environment For Newcomers New Experiences From MoM SoB Teammetrics - A detailed discussion of how a mature team with tapering contributions re-energized itself with new enthusiasts. How they were recruited, mentored, trained, and finally assigned key roles in the team. Lots of discussion of mentoring strategies and the costs of mentoring (less time for the work) from the developer/maintainer perspective. Lots of good ideas for any mature team, and thoroughly applicable to Ubuntu teams too.

Linux in the City of Munich AKA LiMux - There has been a lot of FUD written about one of the largest public conversions to an open-source platform, and it was great to see an actual insider talking about the project. Worth a watch.

Lightning Talks 2 - The first Lightning Talk was a proposal to add a new service to Debian. The service tests all uploaded packages for many known faults (using valgrind, infer, etc.), and automatically files bug reports on the faults. This should provide a large number of real bite-sized bugs for drive-by patches, and corresponding hefty improvement in code quality. Most cool.


Under the hood


Your Systemd Tool Box - Dissecting And Debugging Boot And Services - This is a great walk-through of the new (to me) tools. Had a terminal window open alongside to try each of the tools. Saved the video for a refresh, it's a lot to digest in one sitting.

Systemd How We Survived Jessie And How We Will Break Stretch - Fantastic discussion of coming systemd features: Persistent interface names, networkd, kdbus, and more. Also great discussion of how to get involved around the edges.

Dpkg The Interface - A presentation by the current maintainer, explaining how he keeps dpkg stable and the future roadmap. Since Snappy uses dpkg (but not apt), that roadmap is important! I have used dpkg for a decade, but never thought about all the bits of it I never see....


Keeping Free Software Free


Debian's Central Role In The Future Of Software Freedom - A presentation by the President of the Software Freedom Conservancy (SFC), explaining the problems they see, their strategies to attack those problems, and how they try to effectively challenge GPL violations. A bit of Canonical-bashing in this one at a couple points (some deserved, some not).

At 23:30, it introduces the Debian Copyright Aggregation Project, where Debian contributors can opt to revocably assign their copyright to SFC, and can also permit the SFC to enforce those copyrights. This is one strategy SFC is pursuing to fight both CLAs and license violations.