  1. Prepare a Xen VM with a minimal install of CentOS/RHEL 5 (64-bit or 32-bit).
    1. Make sure you have set your host name and IP Addressing etc. The VM should have internet access (obviously).
  2. Install HyperVM following these instructions.
    1. Be sure to append [--virtualization-type=openvz] (omit the square brackets) to the install command.
  3. At the end of the installer, don’t reboot!
    1. The default OpenVZ kernel installed by the HyperVM installer won’t work inside of a Xen VM (it will work on a normal bare metal server). Download the proper kernel for your architecture: 32bit (i686) or 64bit (x86_64). At the time of writing, the current OpenVZ kernel was 2.6.18-384.4.1.
    2. You are specifically looking to download and install the kernel whose package name starts with ‘ovzkernel-xen’; anything else will likely install, but will not boot!
    3. Install using this command [# rpm -ivh ovzkernel-xen-*.rpm]. Don’t use [# rpm -Uvh]: that would upgrade (replace) the installed kernel instead, and you would lose the ability to roll back to a known working kernel should things go wrong.
    4. Open your /boot/grub/grub.conf file (in vi or nano) and make sure you are able to differentiate between the existing kernel and the ovzkernel-xen kernel. Perhaps append something to the title line, like ‘OpenVZ-Xen’. I saw three kernels in mine: the original CentOS 5 kernel, the OpenVZ kernel (installed by the HyperVM installer) and the OpenVZ-Xen kernel.
  4. Now it’s time to reboot. How you perform this step will be dependent on a couple of things.
    1. If you have console access to your VM (it may be via an alternate SSH connection or an applet if your hosting provider has one), I suggest not editing your grub.conf file just yet. Connect to the console and reboot the VM. You can then catch the grub boot loader and choose the OpenVZ-Xen kernel (not to be confused with the similarly named OpenVZ kernel). If all goes well, you can edit the grub.conf file later and set grub to boot from the OpenVZ-Xen kernel by default. If things break, you’ll either be able to reboot and choose a different ‘known working’ kernel, or your VM won’t boot at all. In this case you’ll have to ask your hosting provider to switch your default kernel back to the original kernel. If you have Dom0 access (you’ll know what this is if you do) you can edit grub.conf via pyGrub and try again.
    2. If you don’t have console access, you’ll need to edit the grub.conf file first, set the OpenVZ-Xen kernel as the default kernel and reboot, hoping all goes well. As above, if all does go well, you’ll be able to log in via SSH and also to the HyperVM control panel. If things break and you lose access to your VM, you’ll have to contact your hosting provider and have them investigate for you. You can assist them by asking them to configure grub to boot from the standard CentOS kernel again. Afterwards, when you have access, you can try again 😉
  5. By default, HyperVM wants to use the ‘Xen driver’ as the virtualisation method. This won’t work: you can’t run Xen VMs inside of a Xen VM. Why Xen is the default ‘driver’ when you chose OpenVZ at the very beginning, I have no idea.
    1. Use the following commands to switch the system from Xen to OpenVZ: [# cd /scripts/directory] [# lphp.exe ../bin/common/setdriver.php --server=localhost --class=vps --driver=openvz] (omit the square brackets of course). There are two commands: the first changes the current working directory, the second changes the virtualisation driver.
    2. After a few moments, you’ll see a confirmation message.
  6. You’re done! You can now login to the HyperVM control panel, add IP Addresses and create VMs!
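Steps 3 and 4 above come down to one safe edit of grub.conf: make the OpenVZ-Xen entry the default while leaving the other kernels in place as a fallback. The script below is an added example (not from the original post, and not HyperVM's or OpenVZ's own tooling) that does exactly that. It assumes a grub 0.97 style grub.conf as on CentOS 5, with entries introduced by ‘title’ lines, and relies on the ‘OpenVZ-Xen’ tag suggested for the new entry's title. The grub.conf it writes is a constructed sample with made-up kernel version strings; the only value taken from the post is 2.6.18-384.4.1.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a grub 0.97 style
# grub.conf (the CentOS 5 layout, kernel entries introduced by "title" lines)
# and relies on the 'OpenVZ-Xen' tag the post suggests adding to the new
# entry's title. The grub.conf written below is a constructed sample: the
# three stanzas the post describes, with made-up kernel version strings.

# grub_title_index FILE PATTERN
# Print the zero-based position of the first "title" line matching PATTERN,
# which is what grub's "default=" counts. Prints nothing, status 1, if none.
grub_title_index() {
    awk -v pat="$2" '
        /^[[:space:]]*title/ { n++; if ($0 ~ pat) { print n - 1; found = 1; exit } }
        END { if (!found) exit 1 }
    ' "$1"
}

# grub_default FILE: print the current "default=" value.
grub_default() {
    sed -n 's/^default=//p' "$1"
}

# set_grub_default FILE PATTERN
# Point "default=" at the first title matching PATTERN. Nothing else in the
# file changes and a timestamped backup is kept, so the original CentOS kernel
# and the plain OpenVZ kernel stay selectable from the boot menu (or can be
# restored by the hosting provider) if the new kernel does not come up.
set_grub_default() {
    file=$1
    idx=$(grub_title_index "$file" "$2") || { echo "no title matches '$2'" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$file.tmp.$$"
    sed "s/^default=.*/default=$idx/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# write_sample_grub FILE: constructed grub.conf, first entry currently default.
write_sample_grub() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title CentOS (2.6.18-308.el5xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.el5xen ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-308.el5xen.img
title OpenVZ (2.6.18-384.4.1.el5.028stab)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-384.4.1.el5.028stab ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-384.4.1.el5.028stab.img
title OpenVZ-Xen (2.6.18-384.4.1.el5.028stab.xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-384.4.1.el5.028stab.xen ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-384.4.1.el5.028stab.xen.img
EOF
}

# demo_grub_default PATTERN
# Run the change against a throwaway copy of the sample and print the
# resulting "default=" value; status 1 when PATTERN matches no title.
demo_grub_default() {
    f=$(mktemp) || return 1
    write_sample_grub "$f"
    rc=0
    set_grub_default "$f" "$1" >/dev/null 2>&1 && grub_default "$f" || rc=1
    rm -f "$f" "$f".bak.*
    return $rc
}

# "OpenVZ" alone would select the similarly named plain OpenVZ entry (index 1);
# the tag from the post selects the right one, index 2.
demo_grub_default OpenVZ-Xen
# On the real box: set_grub_default /boot/grub/grub.conf OpenVZ-Xen
```

The pattern is matched against title lines only, so the tag added in step 3.4 is what disambiguates the two OpenVZ entries; matching ‘OpenVZ’ alone would silently pick the kernel that does not boot under Xen. Because the install used rpm -ivh, the earlier stanzas are still there and the backup plus the unchanged entries are what a hosting provider can fall back to from Dom0.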

Comments, Suggestions, Requests, all welcome 😉

After installing ConfigServer Security and Firewall, many of us try to achieve as many ‘green’ results as possible. The one (or two) options that are often tricky to achieve are mounting /tmp and /var/tmp as ‘separate’ file systems. On a bare metal Linux installation (no virtualisation) this is easy to achieve by creating a file system (partition or pseudo file system) and mounting it accordingly. Under virtualisation (OpenVZ, Virtuozzo etc.) this is not so easy; in fact, it’s not actually supported at all. However, there are two things you can try.

  1. Nothing. Just leave it. After all, the message at the bottom of the check security page says ‘This scoring does not necessarily reflect the security of your server or the relative merits of each check’. In other words, getting all green doesn’t necessarily mean your server is secure.
  2. You can set up pretend mount points (this works on bare metal installations as well). Delete the /var/tmp directory and symlink it to /tmp (ln -s /tmp /var/tmp). Next, edit your /etc/fstab file and add the following line: /tmp /tmp ext3 defaults,usrquota,bind,noauto,noexec,nosuid 0 0 Finally, be sure to change the permissions to 1777 (chmod -R 1777).

The second option above doesn’t really achieve anything except the green ‘OK’ from CSF. Traditionally, the /tmp and /var/tmp directories have been located on a separate file system, due to the volatile nature of the files and content that are temporarily stored there. If the server was compromised via this directory, it could be easy to stop the compromise by unmounting the file system. Better still, if the file system itself was hacked or damaged, only /tmp and /var/tmp would be damaged, both of which are easily replaced and can be deleted, removed and recreated while the system is still running, not to mention that no important data is ever stored in these directories either.
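The difference between the green tick in option 2 and a /tmp that is actually protected is visible in the kernel's own mount table. The script below is an added example (not part of the original post and not CSF's own check) that reads a table in /proc/mounts format and reports whether /tmp and /var/tmp are really separate mounts carrying noexec and nosuid, and that flags an fstab entry marked noauto like the one above, which is never mounted at boot on its own. The two mount tables it constructs (a bare metal host with a hardened /tmp, and an OpenVZ container where /tmp is just a directory on the simfs root) and the fstab line in the usage note are samples made up for this demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of CSF. It reads a mount
# table in /proc/mounts format and reports whether /tmp and /var/tmp are
# really separate mounts carrying noexec and nosuid, i.e. whether the kernel
# is enforcing them, which an fstab entry alone does not prove. Both mount
# tables below are constructed samples.

# mount_opts MOUNTS_FILE MOUNTPOINT
# Print the option list of MOUNTPOINT; nothing and status 1 if it is not a
# mount point of its own (a plain directory on the root file system).
mount_opts() {
    awk -v mp="$2" '
        $2 == mp { print $4; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# mount_has_opts MOUNTS_FILE MOUNTPOINT OPT...
# Succeed only when MOUNTPOINT is a separate mount carrying every OPT; one
# line of output says what is missing so a report shows what is unenforced.
mount_has_opts() {
    mounts=$1 mp=$2
    shift 2
    opts=$(mount_opts "$mounts" "$mp") || { echo "$mp: not a separate mount"; return 1; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] || { echo "$mp: missing$missing"; return 1; }
    echo "$mp: ok ($opts)"
}

# tmp_report MOUNTS_FILE
# Check both directories CSF scores; return the number of failures.
tmp_report() {
    fails=0
    for mp in /tmp /var/tmp; do
        mount_has_opts "$1" "$mp" noexec nosuid || fails=$((fails + 1))
    done
    return $fails
}

# fstab_noauto FSTAB_FILE MOUNTPOINT
# Status 0 when the fstab entry for MOUNTPOINT carries noauto, as the line in
# the post does: such an entry is never mounted at boot unless something runs
# "mount MOUNTPOINT" by hand, so its noexec/nosuid are not in effect.
fstab_noauto() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)noauto(,|$)/ { f = 1; exit }
        END { exit !f }
    ' "$1"
}

# write_sample_mounts KIND FILE: KIND is "metal" (bare metal with a real,
# hardened /tmp bind-mounted onto /var/tmp) or "container" (an OpenVZ
# container where /tmp is just a directory on the simfs root).
write_sample_mounts() {
    if [ "$1" = metal ]; then
        cat > "$2" <<'EOF'
/dev/sda2 / ext3 rw,relatime 0 0
proc /proc proc rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
    else
        cat > "$2" <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
proc /proc proc rw 0 0
none /dev/pts devpts rw 0 0
EOF
    fi
}

# demo KIND: run the report over one sample table; return its failure count.
demo() {
    f=$(mktemp) || return 1
    write_sample_mounts "$1" "$f"
    rc=0
    tmp_report "$f" || rc=$?
    rm -f "$f"
    return $rc
}

echo "bare metal:"; demo metal
echo "openvz container:"; demo container
# On a live system: tmp_report /proc/mounts; fstab_noauto /etc/fstab /tmp
```

On the bare metal sample both directories report ‘ok’; on the container sample both report ‘not a separate mount’, which is the honest answer for an OpenVZ guest regardless of what /etc/fstab says. Running fstab_noauto /etc/fstab /tmp against a constructed copy of the fstab line from option 2 returns success, confirming that the entry exists only to be found by a scanner and is not applied at boot.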