
XenServer (XCP-NG)

XenServer Setup & Lockdown (XCP-NG, Citrix XenServer).

Securing Xenserver

Basic steps to harden an out-of-the-box installation of XenServer. Required.

Console non-root User Setup

Create a non-root user account with sudo access, so that day-to-day work (and the SSH access below) does not use root.

Add a non-root account and give it sudo.
useradd {USER}
passwd {USER}
visudo
Line to add in visudo.
{USER}  ALL=(ALL)  ALL
Confirm sudo works as the new user before logging out of root.
sudo su -

SSHD Linux setup to secure SSH with key-only logins.

Explicitly allow access only for named users (AllowUsers), rather than a whole group. AllowUsers restricts who may log in; it does not by itself disable password logins for the allowed user, which is a separate sshd_config setting (PasswordAuthentication no).

0644 root root /etc/ssh/sshd_config
AllowUsers {USER}
Restart SSHD to apply changes. Keep the current session open and confirm a fresh login as {USER} succeeds before closing it, so a mistake cannot lock you out.
service sshd restart
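
The following is an added example, not part of the original page or of XCP-ng: a small set of bash functions that set sshd_config directives idempotently, check that the file really enforces key-only logins (including the keyboard-interactive path that PAM leaves open when only PasswordAuthentication is turned off), and syntax-check the file with sshd before restarting. It assumes GNU sed and grep as found on XCP-ng dom0; the user name "ops" and the sample config in the comments are placeholders and not from the page.

```bash
#!/bin/bash
# Added example, not from the original page: idempotently set sshd_config
# directives for key-only logins and validate the file before restarting sshd.
# Assumptions (not from the page): GNU sed/grep as on XCP-ng dom0; the user
# name "ops" and any config path other than /etc/ssh/sshd_config are
# placeholders for the example.

# sshd_set FILE KEYWORD VALUE
# Deletes every active or commented-out KEYWORD line in the global section
# (everything before the first "Match" block) and inserts "KEYWORD VALUE" as
# line 1. Inserting at the top rather than appending matters: a directive
# appended after a Match block silently belongs to that block instead of
# applying to every login.
sshd_set() {
    local file=$1 key=$2 value=$3
    sed -E -i "1,/^[[:space:]]*Match[[:space:]]/I{/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)/Id}" "$file"
    if [ -s "$file" ]; then
        sed -i "1i ${key} ${value}" "$file"
    else
        printf '%s %s\n' "$key" "$value" > "$file"
    fi
}

# sshd_get FILE KEYWORD
# Prints the effective global value: the first active occurrence before any
# Match block wins, which is how sshd resolves duplicates. Prints nothing if
# the keyword is unset (sshd then uses its built-in default).
sshd_get() {
    local file=$1 key=$2
    sed -E -n "1,/^[[:space:]]*Match[[:space:]]/I{s/^[[:space:]]*${key}[[:space:]]+(.*[^[:space:]])[[:space:]]*$/\1/Ip}" "$file" \
        | head -n 1
}

# sshd_keyonly_check FILE [USER]
# Returns 0 only when FILE enforces what this section is after: no password
# logins, no keyboard-interactive (PAM) password logins either, no direct root
# login, public keys still allowed, and (if USER is given) AllowUsers
# restricted to exactly USER. AllowUsers on its own does not stop password
# guessing against the allowed account, hence the other checks.
sshd_keyonly_check() {
    local file=$1 user=${2:-}
    [ "$(sshd_get "$file" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_get "$file" ChallengeResponseAuthentication)" = "no" ] || return 1
    [ "$(sshd_get "$file" PermitRootLogin)" = "no" ] || return 1
    [ "$(sshd_get "$file" PubkeyAuthentication)" != "no" ] || return 1
    if [ -n "$user" ]; then
        [ "$(sshd_get "$file" AllowUsers)" = "$user" ] || return 1
    fi
    return 0
}

# sshd_apply [FILE]
# Syntax-checks the file with sshd itself and only then restarts the daemon,
# so a typo cannot leave the host without SSH. Needs root on dom0; not run by
# the test harness. Keep your current session open and confirm a fresh login
# as the allowed user works before you close it.
sshd_apply() {
    local file=${1:-/etc/ssh/sshd_config}
    /usr/sbin/sshd -t -f "$file" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    service sshd restart
}

# Typical use on the host (as root, after the user's public key is already in
# that user's ~/.ssh/authorized_keys, otherwise you lock yourself out):
#   sshd_set /etc/ssh/sshd_config AllowUsers ops
#   sshd_set /etc/ssh/sshd_config PasswordAuthentication no
#   sshd_set /etc/ssh/sshd_config ChallengeResponseAuthentication no
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd_keyonly_check /etc/ssh/sshd_config ops && sshd_apply
```

The functions only touch the global section of the file: anything under a Match block is left alone, which is also why sshd_get mirrors sshd's "first active line wins" rule rather than the last line.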

Disable Utils Webpage

Back up the original index.html, then replace it with an empty file.
cp /opt/xensource/www/XCP-ng-index.html /home/{USER}/original-index.html
echo '' > /opt/xensource/www/XCP-ng-index.html

Note

Citrix-index.html is used for XenServer.

Restrict XAPI to Pre-defined Hosts

Only allow explicit hosts access to the API, via TCP wrappers: deny everything, then allow the listed addresses (every pool member plus the management workstations). Test from a host that is not listed that the API now refuses the connection, and from a listed one that it still works, before you end your session.

0644 root root /etc/hosts.deny
xapi:ALL
0644 root root /etc/hosts.allow
xapi:{IP} {IP}

Disable TLS Versions Below 1.2 for SSL Connections

Disable TLS < 1.2 via the CLI. Any client that cannot negotiate TLS 1.2 (older XenCenter or xe clients) will no longer be able to connect afterwards.
xe pool-disable-ssl-legacy

Note

This can also be done in the XenCenter GUI via XenPool › Properties › Security › TLS 1.2 only.

Only Keep 2 Days of Logs

Keep 2 log rotations instead of the default (31 on this install). Two days is very little history for an incident investigation, so forward logs to a remote syslog host first if you shorten retention. Note that this global setting only applies to logs whose own file under /etc/logrotate.d does not set its own rotate value.

0644 root root /etc/logrotate.conf
rotate 2

Creating A Local ISO Repository

This will allow ISOs stored on dom0 to be used during VM creation. From an SSH session, create a directory and create a Storage Repository on top of it; the directory you create and the location given to sr-create must be the same path.

Create Local ISO repository (sr-create prints the new SR's UUID).
mkdir -p /var/opt/xen/isos
xe sr-create name-label=LocalISO type=iso device-config:location=/var/opt/xen/isos device-config:legacy_mode=true content-type=iso
Refresh ISO library contents after copying ISOs into the directory.
xe sr-list
xe sr-scan uuid={UUID OF ISO REPOSITORY}

Convert VM to a Template

  • Clear shell history for root and the non-root user, so nothing typed on the command line (passwords, keys) ships inside the template.

  • Shut down cleanly.

  • VM: set vCPU priority to lowest (if reasonable).

  • VM: set Memory to dynamic, 512-1024MB (if reasonable).

  • VM: {RMB} › Convert to Template.

  • Template: Custom Fields: add custom fields as needed.

Modifying a VM Template

  • Copy the template's UUID from XenCenter (General › Properties › UUID).

  • SSH to the XenServer and change to root.

  • Convert template to VM and start it.

    Start a Template VM.
    xe vm-param-set uuid={UUID} is-a-template=false
    xe vm-start uuid={UUID}
    
  • After changes, convert back to a template in the GUI.

Manually Creating New VM from Template

Determine the template name, create a new VM from that template, and start it. xe vm-install prints the UUID of the new VM; use that UUID to start it.

Create a new VM from Template.
xe template-list
xe vm-install template="{TEMPLATE NAME}" new-name-label="{NEW VM}"
xe vm-start uuid={UUID PRINTED BY vm-install}

Copy VM to New Storage Repository

Warning

MAC addresses are not copied; update VM with existing MAC address if needed.

Warning

Snapshots must be individually copied or exported to a template on the new repository.

PCI Passthrough for Direct Hardware Access

Used where a VM needs the raw device, e.g. disks for ZFS or a GPU for Plex. The guest gets direct (DMA-capable) access to the hardware, so only do this on a host with the IOMMU (VT-d / AMD-Vi) enabled, and note that a VM with a passed-through device can no longer be live-migrated.

Find Device IDs

On XenServer as root, list PCI devices and note the IDs of the devices you want. They are in the format B:D.f at the beginning of each line (lspci -D also shows the PCI domain, 0000 on a single-domain host). You can see which drives are currently attached through those PCI devices by listing the system block devices.

List PCI devices, then block devices.
lspci
ls -a /sys/block

Prevent dom0 Driver Binding

This stops dom0's own driver from claiming the device at boot, which it must not do if the device is to be handed to a guest instead of being presented through dom0's storage or graphics layer.

Prevent dom0 from binding to specific PCI hardware.
/opt/xensource/libexec/xen-cmdline --set-dom0 "xen-pciback.hide=(04:00.0)"

Note

For multiple devices, list each address in its own parentheses.
/opt/xensource/libexec/xen-cmdline --set-dom0 "xen-pciback.hide=(04:00.0)(00:02.0)"

Reboot XenServer for the change to take effect.

Add PCI Device Passthrough

With the target VM off, determine the UUID of the VM with xe vm-list, then pass the PCI devices through. You only have to do this once; the setting persists on the VM.

Add PCI device passthrough to a specific VM.
xe vm-param-set other-config:pci=0/0000:{B:D.f} uuid={VM UUID}

Note

For multiple devices, comma-separate the entries.
xe vm-param-set other-config:pci=0/0000:{B:D.f},0/0000:{B:D.f} uuid={VM UUID}
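
The following is an added example, not part of the original page or of XCP-ng, covering the three steps above (find the device, hide it from dom0, attach it to the VM). It builds the xen-pciback.hide value and the other-config:pci value from PCI addresses, rejecting anything that is not a well-formed B:D.f so a typo never reaches the dom0 kernel command line, picks addresses out of lspci output by description, and reports which dom0 driver currently owns a device so the reboot can be verified. It assumes every device is in PCI domain 0000 (which is what the page's "0/0000:" prefix encodes); the lspci lines in the comments and test are constructed.

```bash
#!/bin/bash
# Added example, not from the original page: build the xen-pciback.hide and
# other-config:pci values from PCI addresses, validating the B:D.f form first
# so a typo never reaches the dom0 kernel command line, and check which driver
# owns a device after the reboot. Assumptions (not from the page): every device
# sits in PCI domain 0000, which is what the page's "0/0000:" prefix encodes;
# the lspci lines used in the comments and test are constructed.

# pci_valid ADDR -> 0 if ADDR is BB:DD.F in hex (function 0-7), with or
# without a leading 0000: domain as printed by "lspci -D".
pci_valid() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7]) return 0 ;;
        0000:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7]) return 0 ;;
    esac
    return 1
}

# pci_bdf ADDR -> BB:DD.F in lower case with any 0000: domain stripped
pci_bdf() {
    printf '%s\n' "${1#0000:}" | tr 'A-F' 'a-f'
}

# pciback_hide ADDR... -> "xen-pciback.hide=(04:00.0)(00:02.0)", the argument
# the page passes to xen-cmdline --set-dom0. Fails on a malformed address.
pciback_hide() {
    local out="xen-pciback.hide=" a
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        pci_valid "$a" || { echo "bad PCI address: $a" >&2; return 1; }
        out="${out}($(pci_bdf "$a"))"
    done
    printf '%s\n' "$out"
}

# xe_pci_value ADDR... -> "0/0000:04:00.0,0/0000:00:02.0", the value for
# xe vm-param-set other-config:pci=... (comma-separated for several devices).
xe_pci_value() {
    local out="" a
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        pci_valid "$a" || { echo "bad PCI address: $a" >&2; return 1; }
        out="${out:+$out,}0/0000:$(pci_bdf "$a")"
    done
    printf '%s\n' "$out"
}

# lspci_select LSPCI_OUTPUT PATTERN -> the addresses of lspci lines whose
# description matches PATTERN (e.g. SATA, VGA), one per line.
lspci_select() {
    printf '%s\n' "$1" | grep -i -- "$2" | awk '{print $1}'
}

# pci_driver ADDR -> the dom0 driver currently bound to the device, or "none".
# After the reboot the page calls for, a hidden device should report the
# pciback driver; any other name means dom0 still owns it and the guest will
# not get it.
pci_driver() {
    local link="/sys/bus/pci/devices/0000:$(pci_bdf "$1")/driver"
    if [ -L "$link" ]; then basename "$(readlink "$link")"; else echo none; fi
}

# Typical use on dom0 (as root), e.g. passing the SATA controller through:
#   devs=$(lspci_select "$(lspci)" SATA)
#   /opt/xensource/libexec/xen-cmdline --set-dom0 "$(pciback_hide $devs)"
#   (reboot)  pci_driver 00:1f.2        # expect: pciback
#   xe vm-param-set other-config:pci="$(xe_pci_value $devs)" uuid={VM UUID}
```

Addresses are validated against the B:D.f form (two hex digits, two hex digits, function 0 to 7) because xen-pciback.hide is parsed on the dom0 kernel command line at boot: a malformed entry there is far more painful to fix than a rejected shell command.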

Fix / Upgrade Missing OS Templates

If OS templates are missing when creating a VM, it generally means that the create-guest-templates script has not been run. Running it manually as root on the server adds or updates all OS templates and populates the dropdown.

Re-create guest templates.
/usr/bin/create-guest-templates
Newer guest VM templates can be pulled from the xcp-ng-testing repository. These are pre-release packages; prefer the release repository unless you need a template it does not yet carry.
yum update guest-templates* --enablerepo=xcp-ng-testing

Auto Start VM on Boot

Start VM when Hypervisor is booted.

Both the pool that the VM is in and the VM itself need auto_poweron enabled; the pool flag is set with pool-param-set, the VM flag with vm-param-set.
xe pool-list
xe pool-param-set uuid={POOL} other-config:auto_poweron=true
xe vm-list
xe vm-param-set uuid={VM} other-config:auto_poweron=true

USB Local Storage

Useful for migrations and for cases where the local storage repository needs to be fully rebuilt. Note that sr-create with type=lvm initialises the device: anything already on the USB disk is lost.

Determine USB block device and ID mapping.
fdisk -l
ls -l /dev/disk/by-id
Determine host UUID.
cat /etc/xensource-inventory | grep -i installation_uuid
Add USB device as new Storage Repository.
xe sr-create type=lvm content-type=user device-config:device=/dev/disk/by-id/{USB BY-ID} name-label='USB Storage' host-uuid={HOST UUID} shared=false
Detach the USB Storage Repository when done: find its UUID and PBD, unplug the PBD, then forget the SR before removing the disk.
xe sr-list name-label='USB Storage'
xe pbd-list sr-uuid={UUID USB SR}
xe pbd-unplug uuid={PBD UUID}
xe sr-forget uuid={UUID USB SR}

Exporting VM Disks

Disks can be exported in standard formats for other hypervisor consumption.

Export VM disk to file.
xe vdi-list
xe vdi-export uuid={UUID} filename={FILE}.raw format=raw

Note

format=vhd can be used as well.
