From cd55e6867eb4705f234fe2d36117b1b472b674bc Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Wed, 20 Dec 2023 09:44:54 +0100 Subject: [PATCH] Add deploy prod instructions --- README.md | 121 +---------------------- virtweb_docs/SETUP_DEV.md | 23 +++++ virtweb_docs/SETUP_PROD.md | 193 +++++++++++++++++++++++++++++++++++++ 3 files changed, 219 insertions(+), 118 deletions(-) create mode 100644 virtweb_docs/SETUP_DEV.md create mode 100644 virtweb_docs/SETUP_PROD.md diff --git a/README.md b/README.md index d162259..9edf992 100644 --- a/README.md +++ b/README.md 
@@ -1,123 +1,8 @@ # VirtWEB WIP project -## Development requirements -1. The `libvirt-dev` package must be installed: - -```bash -sudo apt install libvirt-dev -``` - -2. Libvirt must also be installed: -```bash -sudo apt install qemu-kvm libvirt-daemon-system -``` - -3. Allow the current user to manage VMs: -``` -sudo adduser $USER libvirt -sudo adduser $USER kvm -``` - -> Note: You will need to login again for this change to take effect. - +## Setup for dev +Please refer to this guide: [virtweb_docs/SETUP_DEV.md](virtweb_docs/SETUP_DEV.md) ## Production requirements -### TODO -TODO - -### Manual port forwarding without a LibVirt HOOK -* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: - -``` -net.ipv4.ip_forward=1 -``` - -* To reload `sysctl` without reboot: - -``` -sudo sysctl -p /etc/sysctl.conf -``` - -* Create the following IPTables rules: - -``` -UP_DEV=$(ip a | grep "192.168.1." -B 2 | head -n 1 | cut -d ':' -f 2 | - tr -d ' ') -LOCAL_DEV=$(ip a | grep "192.168.25." -B 2 | head -n 1 | cut -d ':' -f 2 | tr -d ' ') -echo "$UP_DEV -> $LOCAL_DEV" - -GUEST_IP=192.168.25.189 -HOST_PORT=8085 -GUEST_PORT=8085 - -# connections from outside -sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT -sudo iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT -``` - -* Theses rules can be persisted using `iptables-save` then, or using a libvirt hook. 
- - -### Manual port forwarding with a LibVirt HOOK -* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: - -``` -net.ipv4.ip_forward=1 -``` - -* To reload `sysctl` without reboot: - -``` -sudo sysctl -p /etc/sysctl.conf -``` - -* Get the following information, using the web ui or `virsh`: - * The name of the target guest - * The IP and port of the guest who will receive the connection - * The port of the host that will be forwarded to the guest - -* Stop the guest if its running, either using `virsh` or from the web ui - -* Create or append the following content to the file `/etc/libvirt/hooks/qemu`: - -```bash -#!/bin/bash - -# IMPORTANT: Change the "VM NAME" string to match your actual VM Name. -# In order to create rules to other VMs, just duplicate the below block and configure -# it accordingly. -if [ "${1}" = "VM NAME" ]; then - - # Update the following variables to fit your setup - GUEST_IP= - GUEST_PORT= - HOST_PORT= - - if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then - /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT - /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT - fi - if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then - /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT - /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT - fi -fi -``` - -* Make the hook executable: - -```bash -sudo chmod +x /etc/libvirt/hooks/qemu -``` - -* Restart the `libvirtd` service: - -```bash -sudo systemctl restart libvirtd.service -``` - -* Start the guest - - -> Note: this guide is based on https://wiki.libvirt.org/Networking.html \ No newline at end of file +Please refer to this guide: [virtweb_docs/SETUP_PROD.md](virtweb_docs/SETUP_PROD.md) \ No newline at end of file 
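Review bot: the kept heading `## Production requirements` no longer matches its sibling, which this hunk renames to `## Setup for dev`, nor the title of the guide it now points to (`virtweb_docs/SETUP_PROD.md` is titled "Setup for prod"); rename it to `## Setup for prod` so the two README headings and the two guides line up. The last `+` line also leaves README.md without a trailing newline (`\ No newline at end of file`), which will show up as noise on every later diff of this file; add the newline.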
diff --git a/virtweb_docs/SETUP_DEV.md b/virtweb_docs/SETUP_DEV.md new file mode 100644 index 0000000..5e1edc6 --- /dev/null +++ b/virtweb_docs/SETUP_DEV.md @@ -0,0 +1,23 @@ +# Setup for developpment +1. The `libvirt-dev` package must be installed: + +```bash +sudo apt install libvirt-dev +``` + +2. Libvirt must also be installed: +```bash +sudo apt install qemu-kvm libvirt-daemon-system +``` + +3. Allow the current user to manage VMs: +``` +sudo adduser $USER libvirt +sudo adduser $USER kvm +``` + +> Note: You will need to login again for this change to take effect. + +4. Install required developpment tools: +* Rust: https://www.rust-lang.org/learn/get-started +* NodeJS: https://nodejs.org/en/download/current \ No newline at end of file diff --git a/virtweb_docs/SETUP_PROD.md b/virtweb_docs/SETUP_PROD.md new file mode 100644 index 0000000..328281b --- /dev/null +++ b/virtweb_docs/SETUP_PROD.md 
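Review bot: `developpment` is misspelled in both the title `# Setup for developpment` and in step 4 `Install required developpment tools`; use `development`. Step 3's code block is an untagged fence while steps 1 and 2 use a `bash`-tagged fence; tag it the same way so all three render consistently. The file is also added without a trailing newline.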
@@ -0,0 +1,193 @@ +# Setup for prod + +## Build VirtWeb for production +Open a terminal in the root directory of the VirtWeb project, and run the following command: + +```bash +make +``` + +The release file will be available in `virtweb_backend/target/release/virtweb_backend`. + +This is the only artifcat that must be copied to the server. It is recommended to copy it to the `/usr/local/bin` directory. + +## Install requirements +In order to work properly, VirtWeb relies on `libvirt`, `qemu` and `kvm`: + +```bash +sudo apt install qemu-kvm libvirt-daemon-system libvirt0 libvirt-clients libvirt-daemon bridge-utils +``` + +## Dedicated user +It is recommended to have a dedicated non-root user to run LibVirt: + +```bash +sudo adduser --disabled-login virtweb +sudo adduser virtweb libvirt +sudo adduser virtweb kvm +``` + +When executing this command as this user, it is possible to use the following command:; + +```bash +sudo -u virtweb bash +``` + +## Create Virtweb configuration & storage directory +Inside the newly created user, create an environment file that will contain the configuration of the VirtWeb software: + +```bash +sudo touch /home/virtweb/virtweb-env +sudo chmod 600 /home/virtweb/virtweb-env +sudo chown virtweb:virtweb /home/virtweb/virtweb-env + +sudo mkdir /home/virtweb/storage +sudo chown virtweb:kvm /home/virtweb/storage +``` + +Edit the configuration content: + +```conf +LISTEN_ADDRESS=0.0.0.0:8000 +WEBSITE_ORIGIN=http://localhost:8000 +SECRET= +AUTH_USERNAME=user +AUTH_PASSWORD=changeme +DISABLE_OIDC=true +STORAGE=/home/virtweb/storage +``` + +## Register Virtweb service +Before registering service, check that the configuration works correctly: + +```bash +sudo -u virtweb virtweb_backend -c /home/virtweb/virtweb-env +``` + +Create now a service in the file `/etc/systemd/system/virtweb.service`: + +```conf +[Unit] +Description=VirtWeb +After=syslog.target +After=network.target + +[Service] +RestartSec=2s +Type=simple +User=virtweb +Group=virtweb 
+WorkingDirectory=/home/virtweb +ExecStart=/usr/local/bin/virtweb_backend -c /home/virtweb/virtweb-env +Restart=always +Environment=USER=virtweb +HOME=/home/virtweb + +[Install] +WantedBy=multi-user.target +``` + +Enable and start the created service: + +```bash +sudo systemctl enable virtweb +sudo systemctl start virtweb +``` + +You should now be able to create VMs! + +### Manual port forwarding without a LibVirt HOOK +* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: + +``` +net.ipv4.ip_forward=1 +``` + +* To reload `sysctl` without reboot: + +``` +sudo sysctl -p /etc/sysctl.conf +``` + +* Create the following IPTables rules: + +``` +UP_DEV=$(ip a | grep "192.168.1." -B 2 | head -n 1 | cut -d ':' -f 2 | + tr -d ' ') +LOCAL_DEV=$(ip a | grep "192.168.25." -B 2 | head -n 1 | cut -d ':' -f 2 | tr -d ' ') +echo "$UP_DEV -> $LOCAL_DEV" + +GUEST_IP=192.168.25.189 +HOST_PORT=8085 +GUEST_PORT=8085 + +# connections from outside +sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT +sudo iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT +``` + +* Theses rules can be persisted using `iptables-save` then, or using a libvirt hook. + + +### Manual port forwarding with a LibVirt HOOK +* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line: + +``` +net.ipv4.ip_forward=1 +``` + +* To reload `sysctl` without reboot: + +``` +sudo sysctl -p /etc/sysctl.conf +``` + +* Get the following information, using the web ui or `virsh`: + * The name of the target guest + * The IP and port of the guest who will receive the connection + * The port of the host that will be forwarded to the guest + +* Stop the guest if its running, either using `virsh` or from the web ui + +* Create or append the following content to the file `/etc/libvirt/hooks/qemu`: + +```bash +#!/bin/bash + +# IMPORTANT: Change the "VM NAME" string to match your actual VM Name. 
+# In order to create rules to other VMs, just duplicate the below block and configure +# it accordingly. +if [ "${1}" = "VM NAME" ]; then + + # Update the following variables to fit your setup + GUEST_IP= + GUEST_PORT= + HOST_PORT= + + if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then + /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT + /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT + fi + if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then + /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT + /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT + fi +fi +``` + +* Make the hook executable: + +```bash +sudo chmod +x /etc/libvirt/hooks/qemu +``` + +* Restart the `libvirtd` service: + +```bash +sudo systemctl restart libvirtd.service +``` + +* Start the guest + + +> Note: this guide is based on https://wiki.libvirt.org/Networking.html \ No newline at end of file
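Review bot: in the `[Service]` section of the unit file, the bare line `HOME=/home/virtweb` following `Environment=USER=virtweb` is not a valid systemd directive; systemd logs an unknown-key warning and ignores it, so the process starts without `$HOME`. Write it as `Environment=USER=virtweb HOME=/home/virtweb` (or a second `Environment=` line); `After=syslog.target` is obsolete and can be dropped, and the pre-flight check `sudo -u virtweb virtweb_backend -c ...` should use the full `/usr/local/bin/virtweb_backend` path that `ExecStart=` uses, since `/usr/local/bin` need not be on that user's PATH. The sample `virtweb-env` is shipped with `SECRET=` empty, `AUTH_USERNAME=user` / `AUTH_PASSWORD=changeme`, `LISTEN_ADDRESS=0.0.0.0:8000` and a plain `http://localhost:8000` origin; because the `virtweb` user is added to the `libvirt` and `kvm` groups, anyone who passes the web login can manage every VM on the host, so the guide should tell the reader to generate the secret (for example `openssl rand -hex 32`), replace the placeholder credentials before `systemctl enable`, and either bind to `127.0.0.1` behind a TLS-terminating reverse proxy or set `WEBSITE_ORIGIN` to the real public origin rather than `localhost`. In the "without a LibVirt HOOK" section, `UP_DEV` is computed but never used, the `grep "192.168.1."` / `"192.168.25."` addresses are site-specific and should be called out as values to change, and `sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT` lacks the `-p tcp --dport $GUEST_PORT` match the hook version has, so it opens every forwarded port to the guest; add the match. The hook section says "Create or append" but the block begins with `#!/bin/bash`, so appending to an existing hook inserts a second shebang mid-file; separate the create and append cases. Wording: "This is the only artifcat" (artifact), "When executing this command as this user, it is possible to use the following command:;" (should read "To run commands as this user:"), "Theses rules" (These), "if its running" (it's), "the guest who will receive" (that will receive); and the two `### Manual port forwarding ...` sub-headings sit under `## Register Virtweb service` though they are unrelated to it, so promote them to `##`.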