Cryptocracy

A blog

A Dedicated Server

We’ve been building out a new development environment at work – virtualised using KVM, and managed with Chef and MCollective. It has made it so easy to try out new things that I found myself wishing I had the same facilities for my own projects.

An article on Hacker News had me taking another look at Hetzner, which was followed a few days later by an order for a dedicated server with a quad-core i7, 32GB memory, and a pair of 3TB SATA disks. Hetzner gets mixed reviews, but the negatives weren’t enough to put me off – the prices are good, and I’m not planning to host any critical services. I’ll try not to complain when I get what I pay for.

The rest of this post describes the initial configuration of the server for use as a KVM host.

Initial (Re)Installation

Hetzner’s default partitioning is a little questionable – with mirrored 3TB disks, I was given a system with a 1TB root and 1.7TB /home. Fortunately, this is easy to customise using installimage after booting into the Hetzner rescue image.

The following installimage configuration allocates most of the space to LVM, and creates a 10GB volume for the root filesystem. Ubuntu 11.10 is the most recent version currently supported by Hetzner.

installimage configuration
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME illuminati.cryptocracy.com
PART /boot ext3 512M
PART lvm vg0 all
LV vg0   root   /        ext4         10G
LV vg0   swap   swap     swap          4G
IMAGE /root/.oldroot/nfs/install/../images/Ubuntu-1110-oneiric-64-minimal.tar.gz

Upon booting into the newly provisioned machine, I found that the firewall wasn’t enabled. That is easily fixed:

# ufw allow ssh
# ufw enable

I then used do-release-upgrade to bring the system up to 12.04.

Creating a NAT network

Although libvirt can be used to manage a NAT network for guests (and does this out of the box), its simplicity comes at a cost. I want to create a VPN that gives my workstation an address on the same network as the guests, and that requires custom iptables rules. I couldn’t figure out a clean way of doing this with libvirt managing the interface, so I set it up manually instead.

Define a detached bridge by appending to /etc/network/interfaces:

# detached bridge for VMs and VPN
auto nat0
iface nat0 inet static
 address 192.168.42.1
 netmask 255.255.255.0
 pre-up brctl addbr nat0
 post-down brctl delbr nat0

Install bridge-utils, which provides brctl, and bring the bridge up.

# apt-get install bridge-utils
# ifup nat0
# brctl show
bridge name   bridge id           STP enabled     interfaces
nat0          8000.fe5400f3c41d   no

Enabling IP masquerading (NAT)

To complete the setup of our new network, we need to enable IP forwarding and configure the firewall. I followed the instructions in the Ubuntu firewall documentation and they worked as written.
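
The script below is an added example, not part of the original post or the Ubuntu documentation. It audits the three ufw files that procedure edits and confirms that masquerading is limited to the nat0 guest subnet. The function names, the constructed sample files and eth0 as the public interface are assumptions.

```shell
# check_nat DEFAULTS SYSCTL RULES SUBNET: print findings, return 0 only if all pass.
# On the host the files are /etc/default/ufw, /etc/ufw/sysctl.conf, /etc/ufw/before.rules.
check_nat() {
    defaults=$1 sysctl=$2 rules=$3 subnet=$4 rc=0

    # Forwarded packets are dropped unless ufw's forward policy is ACCEPT.
    grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?' "$defaults" ||
        { echo "FAIL: DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }

    # ufw loads its own sysctl file; the line must be present and uncommented.
    grep -Eq '^net[/.]ipv4[/.]ip_forward=1' "$sysctl" ||
        { echo "FAIL: net/ipv4/ip_forward=1 not set"; rc=1; }

    # Every MASQUERADE rule must be restricted to the guest subnet with -s.
    masq=$(grep -E '^-A POSTROUTING .*-j MASQUERADE' "$rules" || true)
    if [ -z "$masq" ]; then
        echo "FAIL: no MASQUERADE rule in nat table"; rc=1
    elif echo "$masq" | grep -Fqv -- "-s $subnet "; then
        echo "FAIL: MASQUERADE rule not scoped to $subnet"; rc=1
    fi

    # The *nat table is only loaded if it ends with its own COMMIT line.
    awk '/^\*nat/{n=1; next} n&&/^\*/{exit} n&&/^COMMIT/{ok=1; exit} END{exit !ok}' "$rules" ||
        { echo "FAIL: *nat table missing COMMIT"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: NAT for $subnet configured"
    return "$rc"
}

# Constructed sample files laid out as the Ubuntu firewall documentation describes.
# eth0 as the public interface is an assumption.
write_sample() {
    dir=$1
    echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$dir/ufw"
    echo 'net/ipv4/ip_forward=1' > "$dir/sysctl.conf"
    cat > "$dir/before.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
check_nat "$tmp/ufw" "$tmp/sysctl.conf" "$tmp/before.rules" 192.168.42.0/24
```

The check reads the files only, so it can be run against copies before `ufw disable && ufw enable` reloads the rules.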

Conclusion

At this point, we have Ubuntu 12.04 installed under LVM, with a manually created network ready for use by our VMs and VPN. In the next post, we’ll configure a VPN and confirm that the nat0 network works as intended.
