In the last part of this series, I told you about VMware Server services and executables. Now it's time to get Linux up, running and primed for VMware Server.
There are several enterprise-level distributions of Linux available today, and VMware Server can be installed on most of them. Ubuntu just happens to be my favorite distribution, and Edgy Eft Server is Ubuntu's latest stable server release.
Although Ubuntu Linux is very secure out of the box, there are still measures that can be taken to further ensure that no unsavory characters or code will end up creeping about on the server.
Before we begin an Ubuntu installation, I want to mention that VMware
Server is only supported on Linux distributions running Linux kernel
version 2.4.19 or greater. The lowest acknowledged supported
kernel version listed is 2.4.19 for Mandrake Linux 9.0. VMware also
explicitly states that kernel version 2.2.14-5.0 is "not" supported.
This seems to indicate that kernel versions earlier than 2.4.19 may work.
I would hazard a guess that most Linux administrators tend to stick to
their favorite Linux distribution. I would also guess that since Ubuntu
Server is still rather new, not many administrators have
much experience installing it. Because of these two assumptions on my
part, I will go into more detail with regards to installing Ubuntu 6.10
(Edgy Eft) Server than I did to installing Windows 2003 Server in this
guide's VMware on Windows counterpart.
Downloading Ubuntu Linux
The first step to installing Ubuntu Server is obtaining the bits that
you want to squirt onto your server's hard drive. You can download
Ubuntu 6.10 (Edgy Eft) Server from
the Ubuntu Website. You
just need to select your appropriate mirror. Once you have selected
your mirror, you need to find the Server install CD. There are both
32-bit and 64-bit versions of this CD. I will be using the 32-bit version,
but the 64-bit version will work with this guide just the same. The CD
images are available in ISO image format and follow this naming
convention, ubuntu-6.10-server-(i386|amd64).iso. Download the ISO image
that suits you and then burn it to a CD with your favorite CD burning
software.
If you're downloading the ISO image on a Mac, you can burn it with Disk
Utility following the instructions at the University of Alabama at Birmingham IT Website.
Burning a CD in Linux is quite easy; you can use the standard shell
utility cdrecord. Or, since GNOME and
KDE recognize ISO image formats, you should be able to right-click
on the file and select "burn to cd" or something of that sort (Note: I realize
that GNOME and KDE are not the end-all and be-all of Linux desktops, but
they are the two most popular, so please don't give me grief if you are
using Tom's Window Manager or Afterstep). Windows cannot natively burn
ISO images, but a free utility called ISO Recorder makes this easy; it
is available at alexfienman.com.
Booting Ubuntu from a CD
Once the installation media is ready, it is time to install! Pop the
install CD into the CD/DVD-ROM on the server. Do not power on the
server quite yet. You need to ensure that the server is set to boot
from the CD-ROM device before the hard drive. If you are unsure whether
or not the boot sequence is set in this order, please be prepared to
enter the server's BIOS to make this change.
If you are certain the CD-ROM is first in the boot sequence or you have
made this change, go ahead and let the server power on past the BIOS.
The server will detect the Ubuntu CD and will display the following screen:
[IMAGE]
The first option, "Install to the hard disk," is the one we want and it
is already selected. Go ahead and hit "Enter" to continue.
Linux language and keyboard layout
The installer will prompt for your language and location -- for example,
I chose "English" and "United States".
Next you may encounter a screen that seems confusing:
[IMAGE]
This screen will appear if you do not physically have a keyboard
connected to the server, and are instead installing the server remotely
with the aid of an Avocent connection, DRACs, or some other remote
connection device. If the screen above does appear then select "Yes"
when it asks if you want it to detect your keyboard layout. You will be
prompted with a series of choices of keys to strike. At the end of this
series the installer will attempt to select the keyboard layout it deems
the most appropriate based on your selections. If the installer has not
selected your preferred keyboard layout, don't worry, you have the
option of starting the process over.
Network settings
After you have selected a keyboard layout, the installer will ask how
you wish to configure the server's network interfaces. The screen that
appears will look similar to the following:
[IMAGE]
The server this screenshot was taken from has one on-board Intel NIC and
two Broadcom NICs on a PCI expansion card. It is quite common that PCI
cards have a lower PCI ID than on-board devices and get listed first.
If you have multiple NICs as in the screenshot, try to select the one
that you want to dedicate to being this server's management interface
NIC. If you do not have the luxury of having multiple NICs you will
obviously have to select the only one available, and this is okay.
Before selecting a NIC, please write down the NIC IDs that the installer
has assigned the NICs. In the above screenshot they are "eth0", "eth1",
and "eth2". These values are important, and we will need them later.
Select a NIC and hit "Enter" to continue.
If the server is unable to obtain a DHCP lease on the NIC you selected
(as should be the case, since no Ethernet cables should be plugged into
the server at this time), the following screen will appear:
[IMAGE]
This is okay. Just hit "Enter" to continue. Now the installer will ask
you to enter an IP address. Enter this server's intended IP address and
hit "Enter." The next screen will ask for the server's Netmask value.
Enter the Netmask and hit "Enter." You will be prompted for the
server's Gateway address. Enter the Gateway address and hit "Enter."
Next the installer will prompt for the DNS server addresses this server
will use. Enter the DNS address value(s) and hit "Enter."
As seen in the image below the installer will now prompt for the
server's host name:
[IMAGE]
It is important to note that just as the installer says, you should only
enter the host name, not the fully qualified domain name of the host.
For example, in the above screenshot I only entered "vms02" even though
the FQDN of the host is "vms02.lostcreations.com". Once you have
entered the host name hit "Enter".
Partitioning
It is now time to partition the server's hard drives. We want to
manually edit the partition table, so select the option "Manually edit
partition table" and hit "Enter." You should adhere as closely as
possible to the following partition scheme:
Okay, I know I have just thrown kerosene on the flame war that is Linux
partition schemes, but hear me out. The boot partition does not need to
be that large, and 200 MB will give you room to update your kernels
without always worrying about removing older ones (although after about
1.5 years you will have to start removing the oldest kernels if you
update your kernel often). For an Ubuntu server install, 6 GB is plenty
of space for the slash (/) partition. The swap space and temp (/tmp)
should both be set to 1.5 times the amount of physical RAM in the
server. I did not just pull this number out of the air; this is VMware's
recommendation as stated on page 154 of the VMware Server Administration
Manual. Also, if possible, it is a good idea to put the /var file
system on a separate disk from the rest of the file systems. For
example, if your RAID configuration provides you with two containers,
dedicate one of them to /var. This will increase the performance of
your VMs since the VM files will live in /var.
Once you have completed the partitioning, you should hit "Enter" and be
presented with a screen similar to the following:
[IMAGE]
If you are happy with the allocated file systems, go ahead and select
"Finish partitioning and write changes to disk" and hit "Enter." The
installer will ask you once more to confirm your partition table. If
you are still happy with your choices then select "Yes" and hit "Enter."
If not, then boy, are you fickle, and I can offer you no help
whatsoever. Just kidding. Selecting "No" will let you take another
swing at setting up your file systems. Once you are ready to
commit to your file systems we can proceed.
Time zones and users
The installer will prompt you to select a time zone. Choose the
appropriate time zone and hit "Enter." Before you can proceed, the
installer may ask if your system clock is set to UTC. Most are, so if
you are not sure you should probably select "Yes" and hit "Enter."
Now it is time to create the system's first user account. The first
user account is special because it will automatically be added to the
"admin" group, which in turn is configured in the sudoers file as
"ALL=(ALL) ALL". This means that users in the "admin" group can invoke
sudo on any command from any host. It is important that as an Ubuntu
user you are familiar with sudo, because the "root" user does not have a
password set by default, which means you cannot log into the server as
root. To become the root user you will type "sudo su". Sudo will
prompt you for your passphrase and after confirmation, voila, you are
root! For more information on sudo, type "man sudo" at the shell.
The first screen that appears to assist you in creating the first user
will look like this:
[IMAGE]
Please notice that I have typed my full name here, not my user name. It
is okay to use your user name here, but I recommend you type your
full name. I mean, Ubuntu is asking for it very politely. It would be
rude to refuse. Type your full name and hit "Enter" to continue.
Now is the time to enter your user name. For example, I entered
"akutz." Enter your user name and hit "Enter" to continue.
The next two screens will ask you to enter and confirm your passphrase.
This is very important, especially if you did not disconnect your
server from the network because we will enable SSH later without first
restricting it. Contrary to popular belief, a password's complexity has
little to do with how long it takes to crack it. The idea of a complex
password stems from the fact that many years ago most UNIX systems could
not handle passwords longer than 8 characters and therefore
administrators drummed the ideas into users' heads that their passwords
should be complex. Well, congratulations, you old computer hippies (said
with a twinkle of respect and jealousy in my eye): you've made my job
harder for the next… well, the rest of my life. So forget passwords,
think passphrases.
Passwords versus passphrases
A passphrase that is 32 or more characters long will
take exponentially longer to crack than a password that is 8 characters
long and complex, even though 32 is only 8 x 4. Complexity does help,
but length is the real deciding factor on how long it takes to crack a
password. If you want examples, email me; it will take too much
time to explain all of this here. Some people may think that 32
characters is way too long to remember. This is why you should not
think of it as a password, but as a passphrase - a sentence that has
relevancy to your life. For example, one of my old passphrases that I
no longer use (I promise, so try to crack my data in vain) is "I first
met my wife when she was my college T.A. and she hates it when I reveal
that information  ". That passphrase is 100 characters long and no
computer in my lifetime will ever crack it. Notice that there are two
spaces at the end of the passphrase. If someone had sniffed that
passphrase there is a good chance they would not have noticed the two
trailing spaces and the passphrase would have been useless to them. It
doesn't have to be spaces. It can be any character that is not
visually represented, such as a tab character.
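The length-versus-complexity comparison above, worked through as an added example that is not part of the original article. The guess rate, the dictionary size and both sample secrets are assumptions chosen for illustration.

```python
import math
import string

# Assumptions (not from the article): an offline attacker testing 1e12
# candidates per second, and a 20,000-word dictionary for the word model.
GUESSES_PER_SECOND = 1e12
DICTIONARY_WORDS = 20_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample secrets.
COMPLEX_PASSWORD = "k7#Qz!2p"                      # 8 characters
PASSPHRASE = "the old server hums in the closet"   # 33 characters

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation, " \t")

def alphabet_size(secret):
    """Size of the smallest set of common character pools covering the secret."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in secret))
    # Characters outside every pool (e.g. non-ASCII) count as one symbol each.
    return size + len({c for c in secret if not any(c in p for p in POOLS)})

def char_model_bits(secret):
    """log2 of the candidates an exhaustive character-by-character search covers."""
    return len(secret) * math.log2(alphabet_size(secret))

def word_model_bits(secret):
    """Lower estimate: the attacker guesses whole dictionary words, not characters."""
    return len(secret.split()) * math.log2(DICTIONARY_WORDS)

def years_to_exhaust(bits):
    """Years needed to try every candidate at the assumed guess rate."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def report(secret):
    bits = char_model_bits(secret)
    return (f"{len(secret):>3} chars, alphabet {alphabet_size(secret):>2}: "
            f"{bits:6.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")

if __name__ == "__main__":
    print(report(COMPLEX_PASSWORD))
    print(report(PASSPHRASE))
    # A sentence is not random characters, so the word model is the safer figure.
    print(f"word model for the passphrase: {word_model_bits(PASSPHRASE):.1f} bits")
```

Even under the word model, which treats the sentence as seven dictionary words rather than 33 independent characters, the passphrase stays far ahead of the 8-character password.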
Once you have confirmed your passphrase, it will be time to complete the
installation.
Completing the installation
The installer will now copy the files to the server's hard drive that
are necessary to install Ubuntu Server. After the copy process is
completed the installer will instruct you to eject the CD-ROM. Do not
eject the CD-ROM! Let the installer reboot the server, and proceed to
the next step.
Linux components required by VMware Server
Because we left the CD-ROM in the server, the server will boot into the
Ubuntu installer. This is okay. Simply select the last option "Boot
from first hard disk" and hit "Enter." This will boot into the system
we just installed. :)
Once you are confronted with a logon prompt, log on with the user name
and passphrase you created towards the end of the installation.
There are several components that VMware Server requires and one that is
just good to have.
VMware Server uses xinetd to host its authorization daemon, and we will
need build-essential and the linux-headers packages to build the modules
that come with VMware Server.
To install xinetd type the following at the shell:
You will be prompted for your passphrase. Enter it and then apt-get
will proceed to install the xinetd package from the CD-ROM media that we
left in the server. See? I wasn't just trying to rebel against the
nice folks at Canonical; I have my reasons.
You will be asked to confirm xinetd's installation by pressing "Y".
Press "Y" to finish installing xinetd.
Now, when it comes to installing build-essential, it is important to
note that the build-essential package is just a meta-package. That is,
when you install build-essential, you are actually installing several
packages, not just one. Type the following:
Depending on how long it took you to read the last few sentences, sudo
will probably still have your passphrase cached and will not prompt you
for it this time. Aside from cached passphrases, you will notice that
Ubuntu will inform you that the following packages will be installed:
The reason I took the time to explain meta-packages is that if you ever
want to remove all of the packages that get installed when you install
build-essential, you cannot just type:
You will have to type:
It is a good idea to keep track of what packages are actually getting
installed when you install a meta-package. Hit "Y" to continue and
the packages will be installed.
Next we need to install the linux-headers package. Type:
Ubuntu will inform you that linux-headers is a virtual package and that
we need to explicitly pick an installation candidate. The candidates
will be listed, and you will want to pick the package named
"linux-headers-2.6.17-10-server". To install this package type:
Notice again that this command actually installs two packages:
So to completely uninstall the Linux headers later you will have to type:
Press "Y" to finish installing the linux-headers package.
Finally it is time to install the ssh daemon. To install sshd type:
You will be prompted to install the following packages:
Press "Y" to finish installing the ssh daemon.
I have mentioned this before, but it is very important so I will mention
it again. Prior to installing the ssh daemon the server was completely
secure because there were no ports open, but now, after installing the
ssh daemon, the server is listening on port 22 (the ssh daemon port) for
incoming connections. If you did not take your server off the network
prior to beginning this guide, try typing the following command:
Is the terminal scrolling? If so, this is because some machine on your
network (or the internet) is unintentionally, or maliciously, hammering
away at your machine with ssh attacks. The auth.log file is where you
will see ssh logon attempts. To stop tailing the log file type CTRL-C.
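A way to summarize the ssh logon attempts recorded in auth.log rather than watching them scroll past, as an added example that is not part of the original article. The log lines are constructed samples, and the summarize function, its threshold of three failures and the "backup" account are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd syslog format found in /var/log/auth.log.
# Addresses come from the documentation ranges; "backup" is a made-up account.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 vms02 sshd[4121]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 14 03:12:03 vms02 sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 40140 ssh2
Jan 14 03:12:06 vms02 sshd[4125]: Failed password for invalid user test from 203.0.113.5 port 40171 ssh2
Jan 14 03:12:09 vms02 sshd[4127]: Failed password for root from 203.0.113.5 port 40203 ssh2
Jan 14 03:12:12 vms02 sshd[4129]: Accepted password for backup from 203.0.113.5 port 40233 ssh2
Jan 14 09:30:40 vms02 sshd[5001]: Failed password for akutz from 192.0.2.20 port 51514 ssh2
Jan 14 09:30:44 vms02 sshd[5002]: Accepted password for akutz from 192.0.2.20 port 51515 ssh2
"""

# The user name is chosen by the remote client, so match it greedily and take
# the address from the final " from <ip> port <n> ssh2" on the line.
TAIL = r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?" + TAIL)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for " + TAIL)

def summarize(lines, threshold=3):
    """Return (noisy sources, user names tried per source, logins to review)."""
    failures, tried, accepted = Counter(), defaultdict(set), []
    for line in lines:
        failed = FAILED.search(line)
        if failed:
            failures[failed["ip"]] += 1
            tried[failed["ip"]].add(failed["user"])
            continue
        ok = ACCEPTED.search(line)
        if ok:
            accepted.append((ok["user"], ok["ip"]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    # A success from a source that was also guessing repeatedly needs review.
    review = [(user, ip) for user, ip in accepted if ip in noisy]
    return noisy, dict(tried), review

if __name__ == "__main__":
    noisy, tried, review = summarize(SAMPLE_AUTH_LOG.splitlines())
    for ip, count in noisy.items():
        print(f"{ip}: {count} failed logins, users tried: {sorted(tried[ip])}")
    for user, ip in review:
        print(f"review: {user} logged in from noisy source {ip}")
```

A single mistyped passphrase from a known workstation stays below the threshold, while a source that cycles through several user names is reported along with any login it eventually achieved.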
Finally, we must install various packages that VMware Server will
complain about if it does not find them. To install these type:
Press "Y" to install all the packages. For the record, the following
packages were installed by the above command:
Now that we have installed all necessary components, we can proceed with
configuring and securing this Ubuntu installation.
About the author: Andrew Kutz is deeply embedded in the dark, dangerous world of virtualization. Andrew is an avid fan of .NET, open source, Terminal Services, coding and comics. He is a Microsoft Certified Solutions Developer (MCSD) and a SANS/GIAC Certified Windows Security Administrator (GCWN). Andrew graduated from the University of Texas at Austin with a BA in Ancient History and Classical Civilization and currently lives in Austin, TX with his wife Mandy and their two puppies, Lucy and CJ.