In the last part of this series, I told you about VMware Server services and executables. Now it's time to get Linux up, running and primed for VMware Server.
There are several enterprise-level distributions of Linux available today, and VMware Server can be installed on most of them. Ubuntu just happens to be my favorite distribution, and Edgy Eft Server is Ubuntu's latest stable server release.
Although Ubuntu Linux is very secure out of the box, there are still measures that can be taken to further ensure that no unsavory characters or code will end up creeping about on the server.
Before we begin an Ubuntu installation, I wanted to mention that VMware Server is only supported on Linux distributions running Linux kernel version 2.4.19 or greater. The lowest acknowledged supported kernel version listed is 2.4.19 for Mandrake Linux 9.0. VMware also explicitly states that kernel version 2.2.14-5.0 is "not" supported. This seems to indicate that kernel versions earlier than 2.4.19 may work.
I would hazard a guess that most Linux administrators tend to stick to their favorite Linux distribution. I would also guess that since Ubuntu Server is still rather new, not many administrators have much experience installing it. Because of these two assumptions on my part, I will go into more detail with regards to installing Ubuntu 6.10 (Edgy Eft) Server than I did to installing Windows 2003 Server in this guide's VMware on Windows counterpart.
Downloading Ubuntu Linux
The first step to installing Ubuntu Server is obtaining the bits that you want to squirt onto your server's hard drive. You can download Ubuntu 6.10 (Edgy Eft) Server from the Ubuntu Website. You just need to select your appropriate mirror. Once you have selected your mirror, you need to find the Server install CD. There are both 32-bit and 64-bit versions of this CD. I will be using the 32-bit version, but the 64-bit version will work with this guide just the same. The CD images are available in ISO image format and follow this naming convention, ubuntu-6.10-server-(i386|amd64).iso. Download the ISO image that suits you and then burn it to a CD with your favorite CD burning software.
If you're downloading the ISO image on a Mac, you can burn it with Disk Utility following the instructions at the University of Alabama at Birmingham IT Website. Burning a CD in Linux is quite easy; you can use the standard shell utility cdrecord. Or, since GNOME and KDE recognize ISO image formats, you should be able to right-click on the file and select "burn to cd" or something of that sort (Note: I realize that GNOME and KDE are not the end-all and be-all of Linux desktops, but they are the two most popular, so please don't give me grief if you are using Tom's Window Manager or Afterstep). Windows cannot natively burn ISO images, but there is a free utility that makes this easy called ISO Recorder and is available at alexfienman.com.
Booting Ubuntu from a CD
Once the installation media is ready, it is time to install! Pop the install CD into the CD/DVD-ROM on the server. Do not power on the server quite yet. You need to ensure that the server is set to boot from the CD-ROM device before the hard drive. If you are unsure whether or not the boot sequence is set in this order, please be prepared to enter the server's BIOS to make this settings change.
If you are certain the CD-ROM is first in the boot sequence or you have made this change, go ahead and let the server power on past the BIOS. The server will detect the Ubuntu CD and will display the following screen:
The first option, "Install to the hard disk," is the one we want and it is already selected. Go ahead and hit "Enter" to continue.
Linux language and keyboard layout
The installer will prompt for your language and location -- for example, I chose "English" and "United States".
Next you may encounter a screen that seems confusing:
This screen will appear if you do not physically have a keyboard connected to the server, and are instead installing the server remotely with the aid of an Avocent connection, DRACs, or some other remote connection device. If the screen above does appear then select "Yes" when it asks if you want it to detect your keyboard layout. You will be prompted with a series of choices of keys to strike. At the end of this series the installer will attempt to select the keyboard layout it deems the most appropriate based on your selections. If the installer has not selected your preferred keyboard layout, don't worry, you have the option of starting the process over.
After you have selected a keyboard layout, the installer will ask how you wish to configure the server's network interfaces. The screen that appears will look similar to the following:
The server this screenshot was taken from has one on-board Intel NIC and two Broadcom NICs on a PCI expansion card. It is quite common that PCI cards have a lower PCI ID than on-board devices and get listed first. If you have multiple NICs as in the screenshot, try to select the one that you want to dedicate to being this server's management interface NIC. If you do not have the luxury of having multiple NICs you will obviously have to select the only one available, and this is okay. Before selecting a NIC, please write down the NIC IDs that the installer has assigned the NICs. In the above screenshot they are "eth0", "eth1", and "eth2". These values are important, and we will need them later. Select a NIC and hit "Enter" to continue.
If the server is unable to obtain a DHCP lease on the NIC you selected (as should be the case, since no Ethernet cables should be plugged into the server at this time), the following screen will appear:
This is okay. Just hit "Enter" to continue. Now the installer will ask you to enter an IP address. Enter this server's intended IP address and hit "Enter." The next screen will ask for the server's Netmask value. Enter the Netmask and hit "Enter." You will be prompted for the server's Gateway address. Enter the Gateway address and hit "Enter." Next the installer will prompt for the DNS server addresses this server will use. Enter the DNS address value(s) and hit "Enter."
As seen in the image below the installer will now prompt for the server's host name:
It is important to note that just as the installer says, you should only enter the host name, not the fully qualified domain name of the host. For example, in the above screenshot I only entered "vms02" even though the FQDN of the host is "vms02.lostcreations.com". Once you have entered the host name hit "Enter".
It is now time to partition the server's hard drives. We want to manually edit the partition table, so select the option "Manually edit partition table" and hit "Enter." You should adhere as closely as possible to the following partition scheme:
mount point   size                file system type   options
/boot         200 MB              ext3               boot flag
/             6 GB                ext3
swap          1.5x physical RAM   swap
/tmp          1.5x physical RAM   ext3
/var          rest of disk        ext3
Okay, I know I have just thrown kerosene on the flame war that is Linux partition schemes, but hear me out. The boot partition does not need to be that large, and 200 MB will give you room to update your kernels without always worrying about removing older ones (although after about 1.5 years you will have to start removing the oldest kernels if you update your kernel often). For an Ubuntu server install, 6 GB is plenty of space for the slash (/) partition. The swap space and temp (/tmp) should both be set to 1.5 times the amount of physical RAM in the server. I did not just pull this number out the air, this is VMware's recommendation as stated on page 154 of the VMware Server Administration Manual. Also, if possible, it is a good idea to put the /var file system on a separate disk than the rest of the file systems. For example, if your RAID configuration provides you with two containers, dedicate one of them to /var. This will increase the performance of your VMs since the VM files will live in /var.
Once you have completed the partitioning, you should hit "Enter" and be presented with a screen similar to the following:
If you are happy with the allocated file systems, go ahead and select "Finish partitioning and write changes to disk" and hit "Enter." The installer will ask you once more to confirm your partition table. If you are still happy with your choices then select "Yes" and hit "Enter." If not, then boy, are you fickle, and I can offer you no help whatsoever. Just kidding. Selecting "No" will let you take another swing at setting up your file systems. Once you are ready to commit to your file systems we can proceed.
Time zones and users
The installer will prompt you to select a time zone. Choose the appropriate time zone and hit "Enter." Before you can proceed, the installer may ask if your system clock is set to UTC. Most are, so if you are not sure you should probably select "Yes" and hit "Enter."
Now it is time to create the system's first user account. The first user account is special because it will automatically be added to the "admin" group, which in turn is configured in the sudoers file as "ALL=(ALL) ALL". This means that users in the "admin" group can invoke sudo on any command from any host. It is important that as an Ubuntu user you are familiar with sudo, because the "root" user does not have a password set by default, which means you cannot log into the server as root. To become the root user you will type "sudo su". Sudo will prompt you for your passphrase and after confirmation, voila, you are root! For more information on sudo, type "man sudo" at the shell.
The first screen that appears to assist you in creating the first user will look like this:
Please notice that I have typed my full name here, not my user name. It is okay to use your user name here, but I recommend you type your full name. I mean, Ubuntu is asking for it very politely. It would be rude to refuse. Type your full name and hit "Enter" to continue.
Now is the time to enter your user name. For example, I entered "akutz." Enter your user name and hit "Enter" to continue.
The next two screens will ask you to enter and confirm your passphrase. This is very important, especially if you did not disconnect your server from the network, because we will enable SSH later without first restricting it. Contrary to popular belief, a password's complexity has little to do with how long it takes to crack it. The idea of a complex password stems from the fact that many years ago most UNIX systems could not handle passwords longer than 8 characters, and therefore administrators drummed the idea into users' heads that their passwords should be complex. Well, congratulations, you old computer hippies (said with a twinkle of respect and jealousy in my eye): you've made my job harder for the next... well, rest of my life. So forget passwords; think passphrases.
Passwords versus passphrases
A passphrase that is 32 or more characters long will take exponentially longer to crack than a password that is 8 characters long and complex, even though 32 is only 8 x 4. Complexity does help, but length is the real deciding factor in how long it takes to crack a password. If you want examples, then email me; it will take too much time to explain all of this here. Some people may think that 32 characters is way too long to remember. This is why you should not think of it as a password, but as a passphrase: a sentence that has relevancy to your life. For example, one of my old passphrases that I no longer use (I promise, so try to crack my data in vain) is "I first met my wife when she was my college T.A. and she hates it when I reveal that information ". That passphrase is 100 characters long and no computer in my lifetime will ever crack it. Notice that there are two spaces at the end of the passphrase. If someone had sniffed that passphrase, there is a good chance they would not have noticed the two trailing spaces, and the passphrase would have been useless to them. It doesn't have to be spaces. It can be any character that is not visually represented, such as a tab character.
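To put numbers on the length-versus-complexity argument above, here is a small shell example I have added (it is not from the original article). It computes the size of the search space an attacker must cover, in bits, for a given length and alphabet, and counts the bytes of a passphrase so that trailing whitespace is not overlooked. The helper names keyspace_bits and passphrase_length are my own.

```shell
#!/bin/sh
# Added example, not from the original article: compare the search space
# of a short "complex" password with that of a long, plain passphrase.

# keyspace_bits LENGTH ALPHABET_SIZE -> whole bits of search space, log2(ALPHABET_SIZE^LENGTH)
keyspace_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d\n", int(n * log(a) / log(2)) }'
}

# passphrase_length STRING -> byte count, including trailing spaces or tabs the eye skips over
passphrase_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# 8 characters drawn from all 95 printable ASCII characters (the classic "complex" password)
echo "8 chars, 95-symbol alphabet:  $(keyspace_bits 8 95) bits"    # 52
# 32 characters drawn from lower-case letters plus space only (a plain sentence)
echo "32 chars, 27-symbol alphabet: $(keyspace_bits 32 27) bits"   # 152
# 32 characters drawn from the full printable alphabet
echo "32 chars, 95-symbol alphabet: $(keyspace_bits 32 95) bits"   # 210

# Each extra bit doubles the number of guesses, so 152 bits versus 52 bits
# is 2^100 times more work: that is what "exponentially longer" means.

# Trailing whitespace is part of the secret, so count bytes rather than eyeballing it.
# (Constructed sample with two trailing spaces.)
echo "bytes in 'I first met my wife  ': $(passphrase_length 'I first met my wife  ')"   # 21
```

The bit counts are for an attacker forced to try every combination in the alphabet. A sentence of real words has far less entropy than a random string of the same length and alphabet, so treat these figures as the upper bound that length buys you, not as the cost of a dictionary-driven guess.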
Once you have confirmed your passphrase, it will be time to complete the installation.
Completing the installation
The installer will now copy the files to the server's hard drive that are necessary to install Ubuntu Server. After the copy process is completed the installer will instruct you to eject the CD-ROM. Do not eject the CD-ROM! Let the installer reboot the server, and proceed to the next step.
Linux components required by VMware Server
Because we left the CD-ROM in the server, the server will boot into the Ubuntu installer. This is okay. Simply select the last option "Boot from first hard disk" and hit "Enter." This will boot into the system we just installed. :)
Once you are confronted with a login prompt, log on with the user name and passphrase you created towards the end of the installation.
There are several components that VMware Server requires and one that is just good to have.
VMware Server uses xinetd to host its authorization daemon, and we will need the build-essential and linux-headers packages to build the kernel modules that come with VMware Server.
To install xinetd type the following at the shell:
sudo apt-get install xinetd
You will be prompted for your passphrase. Enter it and then apt-get will proceed to install the xinetd package from the CD-ROM media that we left in the server. See? I wasn't just trying to rebel against the nice folks at Canonical, I have my reasons.
You will be asked to confirm xinetd's installation by pressing "Y". Press "Y" to finish installing xinetd.
Now, when it comes to installing build-essential, it is important to note that the build-essential package is just a meta-package. That is, when you install build-essential, you are actually installing several packages, not just one. Type the following:
sudo apt-get install build-essential
Depending on how long it took you to read the last few sentences, sudo will probably still have your passphrase cached and will not prompt you for it this time. Aside from cached passphrases, you will notice that Ubuntu will inform you that the following packages will be installed:
binutils build-essential cpp cpp-4.1 dpkg-dev g++ g++-4.1 gcc gcc-4.1 libc6-dev libstdc++6-4.1-dev linux-libc-dev make patch
The reason I took the time to explain meta-packages is that if you ever want to remove all of the packages that get installed when you install build-essential, you cannot just type:
sudo dpkg --purge build-essential
You will have to type:
sudo dpkg --purge binutils build-essential cpp cpp-4.1 dpkg-dev g++ g++-4.1 gcc gcc-4.1 libc6-dev libstdc++6-4.1-dev linux-libc-dev make patch
It is a good idea to keep track of what packages are actually getting installed when you install a meta-package. Hit "Y" to continue and the packages will be installed.
Next we need to install the linux-headers package. Type:
sudo apt-get install linux-headers
Ubuntu will inform you that linux-headers is a virtual package and that we need to explicitly pick an installation candidate. The candidates will be listed, and you will want to pick the package named "linux-headers-2.6.17-10-server". To install this package type:
sudo apt-get install linux-headers-2.6.17-10-server
Notice again that this command actually installs two packages: linux-headers-2.6.17-10 and linux-headers-2.6.17-10-server.
So to completely uninstall the Linux headers later you will have to type:
sudo dpkg --purge linux-headers-2.6.17-10 linux-headers-2.6.17-10-server
Press "Y" to finish installing the linux-headers package.
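The advice above about keeping track of what a meta-package such as build-essential or linux-headers-2.6.17-10-server really pulls in is easy to automate. The following shell example is added here and is not from the original article: it snapshots the installed package set before and after an apt-get run and diffs the two, so the exact list for a later dpkg --purge is recorded instead of remembered. dpkg --get-selections is the real command; the helper names, file names and the sample package lists are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: record which packages a
# meta-package really installs by diffing before/after snapshots.
export LC_ALL=C   # comm needs both inputs sorted the same way

# snapshot_installed -> currently installed package names, one per line, sorted
snapshot_installed() {
    dpkg --get-selections | awk '$2 == "install" { print $1 }' | sort
}

# new_packages BEFORE_FILE AFTER_FILE -> names present only in AFTER, on one line
new_packages() {
    comm -13 "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample snapshots standing in for two real snapshot_installed runs
# taken around "sudo apt-get install build-essential" (lists shortened).
demo_before=$(mktemp)
demo_after=$(mktemp)
printf '%s\n' xinetd base-files adduser | sort > "$demo_before"
printf '%s\n' xinetd make gcc cpp build-essential binutils base-files adduser | sort > "$demo_after"

echo "packages pulled in: $(new_packages "$demo_before" "$demo_after")"
# -> packages pulled in: binutils build-essential cpp gcc make

# On the real server the sequence is (file names are my choice):
#   snapshot_installed > /var/tmp/pkgs.before
#   sudo apt-get install build-essential
#   snapshot_installed > /var/tmp/pkgs.after
#   new_packages /var/tmp/pkgs.before /var/tmp/pkgs.after > /var/tmp/build-essential.members
# and, when the time comes to remove the lot:
#   sudo dpkg --purge $(cat /var/tmp/build-essential.members)
```

The same two snapshots work for the linux-headers install: whatever appears in the after-list and not the before-list is exactly what dpkg --purge needs later.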
Finally it is time to install the ssh daemon. To install sshd type:
sudo apt-get install ssh
You will be prompted to install the following packages:
Press "Y" to finish installing the ssh daemon.
I have mentioned this before, but it is very important so I will mention it again. Prior to installing the ssh daemon the server was completely secure because there were no ports open, but now, after installing the ssh daemon, the server is listening on port 22 (the ssh daemon port) for incoming connections. If you did not take your server off the network prior to beginning this guide, try typing the following command:
sudo tail -f /var/log/auth.log
Is the terminal scrolling? If so, this is because some machine on your network (or the internet) is unintentionally, or maliciously, hammering away at your machine with ssh attacks. The auth.log file is where you will see ssh logon attempts. To stop tailing the log file type CTRL-C.
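Watching auth.log scroll is a good first look, but a summary tells you more. This shell example is added here and is not from the original article: it reads sshd's syslog lines, counts failed password attempts per source address so repeat offenders stand out, and lists the accepted logons so you can confirm every one of them is yours. The log lines below are constructed samples in sshd's format, using documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: summarise SSH logon
# attempts from /var/log/auth.log by source address.

# failed_ssh_by_ip LOGFILE -> "count ip" lines, most frequent source first
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# accepted_ssh LOGFILE -> "user ip" for each successful logon
accepted_ssh() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
             for (i = 1; i <= NF; i++) if ($i == "from") { print user, $(i+1); break }
         }' "$1"
}

# Constructed sample of auth.log lines (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 10 02:11:03 vms02 sshd[4012]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan 10 02:11:07 vms02 sshd[4014]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jan 10 02:11:09 vms02 sshd[4016]: Failed password for invalid user test from 192.0.2.10 port 40141 ssh2
Jan 10 02:13:55 vms02 sshd[4020]: Failed password for akutz from 198.51.100.7 port 51120 ssh2
Jan 10 02:14:02 vms02 sshd[4020]: Accepted password for akutz from 198.51.100.7 port 51120 ssh2
EOF

echo "failed attempts by source:"
failed_ssh_by_ip "$sample_log"     # 3 192.0.2.10 / 1 198.51.100.7
echo "accepted logons:"
accepted_ssh "$sample_log"         # akutz 198.51.100.7

# On the real server: failed_ssh_by_ip /var/log/auth.log (run with sudo, the log is root-readable)
```

One typo from the administrator's own address is normal; dozens of attempts for "root" or for accounts that do not exist, from an address you do not recognise, is the scrolling the text describes and is the signal to restrict who may reach port 22.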
Finally, we must install various packages that VMware Server will complain about if it cannot find them. To install these type:
sudo apt-get install libx11-6 libxtst6 libice-dev libsm-dev libxrender-dev libxi-dev
Press "Y" to install all the packages. For the record, the following packages were installed by the above command:
libx11-6 libx11-data libxau6 libxdmcp6 libxext6 libxtst6 libice6 libsm6 libxt6 libice-dev x11proto-core-dev libsm-dev libx11-dev libxau-dev libxdmcp-dev libxext-dev libxrender-dev libxrender1 x11proto-input-dev x11proto-kb-dev x11proto-render-dev x11proto-xext-dev xtrans-dev libxi-dev libxi6
Now that we have installed all necessary components, we can proceed with configuring and securing this Ubuntu installation.
About the author: Andrew Kutz is deeply embedded in the dark, dangerous world of virtualization. Andrew is an avid fan of .NET, open source, Terminal Services, coding and comics. He is a Microsoft Certified Solutions Developer (MCSD) and a SANS/GIAC Certified Windows Security Administrator (GCWN). Andrew graduated from the University of Texas at Austin with a BA in Ancient History and Classical Civilization and currently lives in Austin, TX with his wife Mandy and their two puppies, Lucy and CJ.