# Virtual Host

We currently have a single Proxmox VE host in the space. This is used to run various hackerspace services and may be used by members to run VMs for experiments or projects.

## Accessing Proxmox

Proxmox has a web interface which is available here: https://vmhost.lab.glashack.space/.

You can sign in using SSO - see: [[digital-infrastructure:identity]]

If this is your first time signing into Proxmox you'll likely see nothing, as you need to be granted appropriate permissions by one of the Proxmox admins:

- Jonas

Once you have the correct permissions you'll be able to see the main dashboard for our host:

{{ :digital-infrastructure:vhmost_dashboard.png?direct&800 |}}

## Creating VMs

### Using a template

The easiest way to create a VM is to use a template. These can be seen on the left hand side and have an ID in the 9000 range, e.g. 9001 (debian-13-cloudinit-template).

Right click on the template and select Clone. Change the Mode to Full Clone and give the VM a name (this will become its hostname).

Once the VM has been cloned (you can see a loading wheel in the bottom log bar) you can modify its settings to suit your requirements.
The main things to look at are:

Hardware:

- Memory
- Processors
- Hard Disk

Cloud-Init:

- User (the default user that will be created with sudo privileges)
- Password
- SSH public key

## qemu-guest-agent

This agent should be installed on VMs whenever possible (https://blog.sreesreejuks.com/Installing-and-Configuring-QEMU-Guest-Agent-in-Proxmox-VMs/). It enables:

- Proper shutdown/reboot: instead of simulating power button presses, Proxmox can request graceful shutdowns
- Freezing filesystems: enables consistent snapshots by freezing filesystems during snapshot creation
- Memory statistics: get accurate memory usage instead of estimates
- Network information: retrieve guest IP addresses directly
- File operations: execute file operations within the guest from the host
- VM backup: improved backup consistency

On Debian based systems the following commands can be used:

```
sudo apt update
sudo apt install qemu-guest-agent
sudo systemctl enable qemu-guest-agent
sudo systemctl start qemu-guest-agent
```

---

## Proxmox setup

The host PC has:

- An Intel Xeon E3-1240 v5 CPU @ 3.50GHz
- 64GB of DDR4 RAM (4 x 16GB @ 2400MT/s)
- 2 x 6TB drives in a zpool (mirror)

Instructions for installing Proxmox can be found on the Proxmox website: https://proxmox.com/en/products/proxmox-virtual-environment/get-started

Once the installation is complete there are several initial setup steps that have been followed to make the server more usable.

### no-subscription repo for Debian updates

The no-subscription repo has been added and enabled, while the ceph repo has been disabled. More info: https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo

{{ :digital-infrastructure:vmhost_no-subscription_repo.png?direct&800 |}}

### 'No valid subscription' message

By default Proxmox will show a pop-up message warning that we don't have a subscription.
It is possible to remove this message by editing `/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js` to comment out the lines which check whether the subscription is inactive, as shown:

```
checked_command: function (orig_cmd) {
    Proxmox.Utils.API2Request({
        url: '/nodes/localhost/subscription',
        method: 'GET',
        failure: function (response, opts) {
            Ext.Msg.alert(gettext('Error'), response.htmlStatus);
        },
        success: function (response, opts) {
            let res = response.result;
            if (
                res === null ||
                res === undefined ||
                !res // ||
                // res.data.status.toLowerCase() !== 'active'
            ) {
                Ext.Msg.show({
                    title: gettext('No valid subscription'),
                    icon: Ext.Msg.WARNING,
                    message: Proxmox.Utils.getNoSubKeyHtml(res.data.url),
                    buttons: Ext.Msg.OK,
                    callback: function (btn) {
                        if (btn !== 'ok') {
                            return;
                        }
                        orig_cmd();
                    },
                });
            } else {
                orig_cmd();
            }
        },
    });
},
```

Run `systemctl restart pveproxy` to apply the change.

Any updates to the Proxmox host may reset this fix, meaning it must be applied again.

### HTTPS certificates

To get trusted HTTPS certificates for the Proxmox web interface (without having to expose it to the internet) we use LetsEncrypt certs with the DNS challenge: https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_acme_dns_challenge

A key is generated on the DNS server and added into the config.

```
router# cd /var/named/etc
router# tsig-keygen -a HMAC-SHA512 vmhost-key
key "vmhost-key" {
	algorithm hmac-sha512;
	secret "";
};
router# vim named.conf   # add key to DNS config with permission to update lab.glashack.space zone.
```

Unfortunately there is a bug with the default nsupdate script on Proxmox; the following bug report provides a workaround: https://bugzilla.proxmox.com/show_bug.cgi?id=2739#c2. This involves replacing the `/usr/share/proxmox-acme/dnsapi/dns_nsupdate.sh` script to store the (base64 encoded) key directly in the field rather than a path to the key file.
The original script is renamed to `dns_nsupdate.sh.orig`, the replacement script is stored in `dns_nsupdate.sh.modified`, and a convenience script is stored in `/root/check_dns_nsupdate.sh` which should ensure the script persists after updates (added to the root crontab for 5am every day).

The key can be base64 encoded by running `cat my.key | base64 -w 0` (where `my.key` contains the full output of the tsig-keygen command). This encoded string is then used in the Proxmox datacenter config shown below:

{{ :digital-infrastructure:vmhost_acme_challenge_config.png?direct&600 |}}

On the specific vmhost in Proxmox under 'Certificates' the following config can be created (using the bind-dns plugin defined earlier). Then click 'Order Certificates Now' to run the DNS challenge and get the HTTPS certs.

{{ :digital-infrastructure:vmhost_cert-request_config.png?direct&600 |}}

More information on the DNS configuration in the hackerspace is available on the dedicated page: [[digital-infrastructure:dns|DNS]].

### Single Sign On (SSO)

We have a Keycloak instance which is used to provide identity services in the hackerspace. This is configured in Proxmox under Datacenter > Permissions > Realms:

{{ :digital-infrastructure:vmhost_authentication_realm.png?direct&600 |}}

A corresponding OpenID Client is configured in Keycloak. More info on the dedicated identity page here: [[digital-infrastructure:identity|Identity]].

When users sign into Proxmox using SSO for the first time a new user is created in Proxmox. By default they have no permissions. Specific permissions can be added by a Proxmox admin.
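The persistence check described in the HTTPS certificates section above, written out as an added example. This is not the hackerspace's actual `/root/check_dns_nsupdate.sh`; it assumes the three files (`dns_nsupdate.sh`, `.modified`, `.orig`) sit side by side in `/usr/share/proxmox-acme/dnsapi` as the section describes, and the directory can be overridden for testing.

```shell
#!/bin/sh
# Added example of a persistence check for the patched dns_nsupdate.sh.
# Assumes (per the page) that dns_nsupdate.sh, dns_nsupdate.sh.modified and
# dns_nsupdate.sh.orig all live in /usr/share/proxmox-acme/dnsapi.
set -eu

# Restore DIR/dns_nsupdate.sh from DIR/dns_nsupdate.sh.modified when they differ.
# Returns 0 when the live script already matches or has just been restored,
# 1 when the .modified copy is missing (there is nothing safe to restore from).
check_dns_nsupdate() {
    dir=${1:-/usr/share/proxmox-acme/dnsapi}
    live="$dir/dns_nsupdate.sh"
    modified="$dir/dns_nsupdate.sh.modified"

    if [ ! -f "$modified" ]; then
        echo "$modified is missing; leaving $live untouched" >&2
        return 1
    fi

    # Nothing to do if the patched script is still in place.
    if [ -f "$live" ] && cmp -s "$live" "$modified"; then
        return 0
    fi

    # A package update put the vendor script back: keep that copy as .orig so
    # upstream changes can be diffed against the patched version later.
    if [ -f "$live" ]; then
        cp -p "$live" "$dir/dns_nsupdate.sh.orig"
    fi
    cp -p "$modified" "$live"
    chmod 0755 "$live"
    echo "restored patched $live from $modified"
}

# Run the check only when executed directly, so the function can be sourced.
case "$0" in
    */check_dns_nsupdate.sh|check_dns_nsupdate.sh) check_dns_nsupdate "$@" ;;
esac
```

Run from the root crontab on the page's 5am schedule (`0 5 * * * /root/check_dns_nsupdate.sh`), the "restored" line only appears in cron mail when an update has actually undone the patch.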