From 96d264d15fb4f5ff60040aa27fa2ab3f10207ab0 Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Thu, 11 Jan 2024 19:38:27 +0100 Subject: [PATCH] Update setup configuration --- virtweb_docs/SETUP_PROD.md | 84 ++++---------------------------------- 1 file changed, 7 insertions(+), 77 deletions(-) diff --git a/virtweb_docs/SETUP_PROD.md b/virtweb_docs/SETUP_PROD.md index 1cf2d15..76d6fa4 100644 --- a/virtweb_docs/SETUP_PROD.md +++ b/virtweb_docs/SETUP_PROD.md @@ -102,7 +102,8 @@ sudo systemctl start virtweb You should now be able to create VMs! -### Manual port forwarding without a LibVirt HOOK + +## Configure port forwarding * Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: ``` 
@@ -115,85 +116,14 @@ net.ipv4.ip_forward=1 sudo sysctl -p /etc/sysctl.conf ``` -* Create the following IPTables rules: +* Configure apparmore service. Create or update a file named `/etc/apparmor.d/local/usr.sbin.libvirtd` with the following content: ``` -UP_DEV=$(ip a | grep "192.168.1." -B 2 | head -n 1 | cut -d ':' -f 2 | - tr -d ' ') -LOCAL_DEV=$(ip a | grep "192.168.25." -B 2 | head -n 1 | cut -d ':' -f 2 | tr -d ' ') -echo "$UP_DEV -> $LOCAL_DEV" - -GUEST_IP=192.168.25.189 -HOST_PORT=8085 -GUEST_PORT=8085 - -# connections from outside -sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT -sudo iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT +/usr/local/bin/virtweb_backend ux, ``` -* Theses rules can be persisted using `iptables-save` then, or using a libvirt hook. - - -### Manual port forwarding with a LibVirt HOOK -* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: - -``` -net.ipv4.ip_forward=1 -``` - -* To reload `sysctl` without reboot: - -``` -sudo sysctl -p /etc/sysctl.conf -``` - -* Get the following information, using the web ui or `virsh`: - * The name of the target guest - * The IP and port of the guest who will receive the connection - * The port of the host that will be forwarded to the guest - -* Stop the guest if its running, either using `virsh` or from the web ui - -* Create or append the following content to the file `/etc/libvirt/hooks/qemu`: +* Update Apparmor configuration: ```bash -#!/bin/bash - -# IMPORTANT: Change the "VM NAME" string to match your actual VM Name. -# In order to create rules to other VMs, just duplicate the below block and configure -# it accordingly. 
-if [ "${1}" = "VM NAME" ]; then - - # Update the following variables to fit your setup - GUEST_IP= - GUEST_PORT= - HOST_PORT= - - if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then - /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT - /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT - fi - if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then - /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT - /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT - fi -fi -``` - -* Make the hook executable: - -```bash -sudo chmod +x /etc/libvirt/hooks/qemu -``` - -* Restart the `libvirtd` service: - -```bash -sudo systemctl restart libvirtd.service -``` - -* Start the guest - - -> Note: this guide is based on https://wiki.libvirt.org/Networking.html \ No newline at end of file +sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd +``` \ No newline at end of file
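Review bot: In the first hunk the new heading `## Configure port forwarding` no longer matches what follows it, because the second hunk removes every iptables forwarding rule and replaces them with an AppArmor profile change; after this patch the only forwarding-related step left under that heading is the `net.ipv4.ip_forward=1` sysctl. Either keep a short pointer to how the host's DNAT/FORWARD rules are expected to be set up now (the page previously mentioned `iptables-save` or a libvirt hook for persistence), or rename the heading to cover both the sysctl and the AppArmor step, e.g. `## Configure the host for VirtWeb port forwarding`. The level jump from `###` to `##` also changes the section nesting relative to the surrounding `SETUP_PROD.md` headings, so check it is intentional.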
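Review bot: In the second hunk the added AppArmor rule `/usr/local/bin/virtweb_backend ux,` grants libvirtd unconfined execution of the backend with the environment passed through unchanged (`ux`); the capitalised `Ux` variant at least scrubs the environment, and a dedicated child profile with `px`/`Px` would keep the backend confined, so the doc should say why unconfined is required or use the more restrictive form. The same hunk also drops the whole "Manual port forwarding with a LibVirt HOOK" section, including the `/etc/libvirt/hooks/qemu` script, the `chmod +x` step and the `systemctl restart libvirtd.service` step, without any replacement instruction, so readers following the guide no longer learn how a host port reaches a guest. Two smaller points: "apparmore service" should read "AppArmor service" (and "Update Apparmor configuration" should use the same casing), and since the file is created under `/etc/apparmor.d/local/`, it is worth stating that `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd` reloads the parent profile that includes the local override, which is why that path (not the `local/` file) is passed to the parser.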