Server Assignment
- SuperMicro #: 31 (super31)
- IPMI (temporary): ...
IPMI
- IPMI address: ...
- Username: ADMIN
- Password: ...
ESXi
- Hostname: super31.cyber.local
- Static IP: 192.168.7.44
- Gateway: 192.168.7.250
- DNS (Cyber): 192.168.4.4, 192.168.4.5
ESXi Installation
IPMI Access
IPMI was accessed through a web browser, and a remote console was opened via Remote Control → iKVM/HTML5. In this iKVM window, the server can be restarted with Power Control → Set Power Reset. The BMC gives full control of the hardware beneath the hypervisor, so it belongs on a management network that the lab networks cannot reach, and the default ADMIN password should be replaced with a unique one.
Upon boot, press F11 with either the physical or virtual keyboard to enter the one-time boot menu, and select the removable ESXi drive.
ESXi Install
Follow the prompts in the ESXi installer to install. My server (super31) only has one drive, so ESXi was installed there. After the installation is complete and the root password has been set, reboot into ESXi.
Note
ESXi needs its management LAN connection on a separate physical interface from the one used for IPMI.
After booting into ESXi, setup can be entered with F2 and the network settings changed there. In this instance, the “production” LAN interface is vmnic1, not the first NIC vmnic0. The following settings were configured for this milestone:
- Hostname: super31
- Static IP: 192.168.7.44
- Gateway: 192.168.7.250
- DNS: 192.168.4.4, 192.168.4.5
- DNS domain: cyber.local
Once configuration of the management network is complete, apply the settings and restart the management network. The ESXi interface can then be accessed at https://<server IP>. The browser will warn about the host's self-signed certificate on first connection; the SSL thumbprint shown in the DCUI under View Support Information can be compared with the one the browser presents before accepting it.
ESXi Configuration
Enabling SSH
To access the server through SSH, it may be enabled in the ESXi client under Actions → Services → Enable Secure Shell (SSH). Once access is no longer required, it may be disabled in the same menu.
Datastores
Renaming
After logging into the ESXi interface with the root password created earlier, the default datastore can be renamed to something more descriptive. For this milestone, the format datastoreX-super31 was used.
Creating Additional
If a second drive is installed in the server, an additional datastore can be created using this drive. In the case of my server, there is not currently a second drive, though this may change at a later date.
To create a datastore, select Storage → New datastore. Create a new VMFS datastore, configure the name and drive to use, and preserve the default options for the rest of the dialog.
Adding Files (ISOs)
To create directories and upload files, select the desired datastore under the Storage menu in ESXi, then select Datastore browser. Here, directories can be created.
At this point, if file upload is desired, enable SSH on ESXi and connect to the host via SSH. Each datastore is accessible on the host at /vmfs/volumes/<datastore>, a symlink to the datastore's directory named by UUID. Files can then be downloaded straight into the datastore using wget.
For this milestone, a folder isos was created on datastore1 (the only datastore currently present, as only one drive is installed). VyOS and Xubuntu ISOs were then downloaded to this folder via wget from Devin's HTTP ISO server. Because that transfer is plain HTTP, compare each ISO's sha256sum on the host against the checksum published for that release before booting anything from it; an image that could be altered in transit becomes the trust base for every VM built on it.
Virtual Networks
Virtual Switches
Under the Networking menu in ESXi, within the Virtual switches tab, virtual switches can be created to manage virtual networks.
For this milestone, the 480-WAN virtual switch was created and its uplink removed. As the VyOS VM will handle routing for this virtual network, an uplink to a physical NIC is unnecessary; without one, nothing on 480-WAN can reach the physical LAN except through the firewall VM.
Port Groups
Port groups allow policies to be applied and VMs to be assigned within a virtual switch. As the virtual switch just created has no port groups, a new group must be created from the Port groups tab within the Networking menu.
For this milestone, the port group was named 480-WAN and associated with the 480-WAN virtual switch created previously. Set the port group's security policy (Promiscuous mode, MAC address changes, Forged transmits) to Reject unless a VM on it specifically needs one of them; a guest that can sniff or spoof on the switch undermines the isolation the virtual network is meant to provide.
Firewall Creation
At this point, a VyOS virtual machine can be created and configured to route traffic out of the virtual network created previously.
VM Creation
Under the Virtual Machines menu, Create / Register VM allows us to create new VMs on the ESXi host.
For this milestone, the following settings were used in the Create / Register VM dialog:
- Creation type: Create a new virtual machine
- Select a name and guest OS
  - Name: 480-fw
  - Compatibility: ESXi 7.0 virtual machine (in a larger environment, this is the setting that keeps the VM compatible with hypervisors running previous versions)
  - Guest OS: Linux / Debian 10 (64-bit)
- Select storage: ideally a datastore/drive separate from the one running ESXi itself; in this instance datastore1, as only one drive is installed
- Customize settings
  - Add network adapter (a second adapter is added here; its network is assigned below)
  - Memory: 1024 MB
  - Hard disk 1:
    - Size: 8 GB
    - Disk provisioning: Thin provisioned (only consumes the storage it actually uses, so size on disk will likely be less than the assigned disk size; thick provisioning reserves all assigned space even when it is not in use)
  - Network Adapter 1: VM Network
  - New Network Adapter: VM Network (kept generic so the VM can act as a base image that can be exported and reused, e.g. in vCenter, in the future)
  - CD/DVD Drive 1: Datastore ISO file (navigate to the ISO on the datastore and select VyOS)
VyOS Installation
The default VyOS credentials are vyos:vyos. At the shell prompt, type install image to install VyOS. The default configuration options can be used. After installation is complete, reboot.
VyOS Configuration
Once the VM above has been created, power it on and connect to the browser console.
Removing Hardware IDs
Warning
VyOS records each interface's MAC address as hw-id in the configuration on first boot. A clone of the VM gets fresh MAC addresses from ESXi but carries the old hw-id values with it, so its interfaces no longer match the saved configuration; the hw-id entries must be removed before the VM is used as a base image.
Once logged into VyOS, use configure to enter configuration mode. show interfaces will reveal that hw-id is set for each interface; these must be removed if we wish to use this as a base image and clone it in the future. For each interface, enter delete interfaces ethernet <interface> hw-id in configure mode. Finally, commit; save to save the configuration changes. The full command flow may look as follows:
configure
delete interfaces ethernet eth0 hw-id
delete interfaces ethernet eth1 hw-id
commit; save
Eth0 DHCP Addressing
While in configure mode, use the following command to enable DHCP on an interface:
set interfaces ethernet <interface> address dhcp
For this milestone, the first available interface is used, eth0.
Enable SSH
While in configure mode, use the following command to make VyOS listen for SSH connections on all interfaces:
set service ssh listen-address 0.0.0.0
Note that this includes eth1 once it is attached to the 480-WAN network, so the workstation side can reach the router's SSH service as well as the cyber.local side. At this point, commit; save, exit configuration mode, and shut down the VM, using e.g. poweroff.
ESXi Post Configuration
Remove attached ISO
As installation has completed, Right click → Edit settings on the VM, and set the ‘CD/DVD Drive 1’ to Host device. This detaches the ISO that was previously attached to this drive.
Snapshot Creation
Finally, select Actions → Snapshots → Take snapshot. This will be the base state of our VM, which can be used to create clones in the future.
For this milestone, the snapshot name Base was used. It would be beneficial to keep this name consistent across VMs, as it can be referenced e.g. in code without needing a unique name for each template.
Environment-Specific Configuration
At this point a base state has been saved, and the VM can be further configured specific to this environment. From the VM settings, change the second network adapter to use the 480-WAN network, then power the VM on.
This time, it may be accessed via SSH instead of the browser console if desired, as a result of two steps above: allowing eth0 to obtain an address via DHCP, and configuring SSH to listen on all interfaces. The current IP can be viewed with show interfaces from the console.
(Optional) Add SSH Key
To add SSH key authentication to a VyOS user, the public key must first be copied to (or be reachable, e.g. via scp, by) the VyOS machine. Only the public key is copied; the private key stays on the client. A public key can be copied to VyOS with the following command on a host that holds the key (the /home/vyos/.ssh directory must already exist on the VyOS side):
scp path/to/key.pub vyos@<IP Address>:/home/vyos/.ssh
Then, the commands needed to add the key can be generated in op mode (not configure mode) with the following command:
generate public-key-command user vyos path ~/.ssh/key.pub
Run all commands provided by the output of the above generate command, at which point key-based authentication for the vyos user will be functional.
Change Password
The password for this VM may be changed from the default used in the snapshot with the command below. It must be run from configure mode; VyOS hashes the value on commit and stores only the hash in the configuration, but the plaintext remains in the config shell's command history:
set system login user vyos authentication plaintext-password <password>
Eth0 Configuration
Static IP Address
Although DHCP was useful for initial access, we now wish to set eth0 to the static IP provided in the course network assignments. To do this, we will first delete the DHCP assignment, then set the static IP, as shown below:
configure
delete interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 address <IP Address>/<CIDR>
For this milestone, the IP address is set to 192.168.7.71/24.
(Optional) Description
For readability, a description may be added to an interface:
set interfaces ethernet eth0 description <description>
Eth1 Configuration
Set the IP address for eth1, the 480-WAN default gateway, to 10.0.17.2/24, using the same command form as for eth0:
set interfaces ethernet eth1 address 10.0.17.2/24
Static Route
Additionally, set the static route to Joyce’s default gateway:
set protocols static route 0.0.0.0/0 next-hop 192.168.7.250
Nameservers
The nameservers can be set to cyber.local’s with the following commands (one for each DNS server):
set system name-server 192.168.4.4
set system name-server 192.168.4.5
DNS Forwarding
DNS forwarding for the 480-WAN network can be configured as follows. These commands first set the address on which the forwarder listens, then restrict which source addresses may use it, and finally point it at the system name servers configured above:
set service dns forwarding listen-address 10.0.17.2
set service dns forwarding allow-from 10.0.17.0/24
set service dns forwarding system
NAT
NAT forwarding for the 480-WAN network can be configured as shown below. Note that 10 is simply the rule ID.
set nat source rule 10 source address 10.0.17.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
Hostname
The hostname can be changed as follows:
set system host-name 480-fw
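As configured above, 480-fw forwards and translates traffic but filters nothing, and SSH listens on every interface, including eth1 facing the 480-WAN workstations. The hardening pass below is an added example and not part of the original milestone: it binds SSH to the eth0 static address, turns off password login once the key from the optional step works, and attaches default-drop stateful rule sets to eth0 (transit traffic and traffic addressed to the router) and to eth1 (traffic addressed to the router). It uses VyOS 1.3 syntax, matching the Debian 10 guest OS chosen for the VM; the rule-set names OUTSIDE-IN, OUTSIDE-LOCAL and INSIDE-LOCAL are arbitrary.

```vyos
configure

# SSH: listen only on the eth0 address from the course assignment, and once the public
# key from the optional step has been verified to work, refuse password authentication.
delete service ssh listen-address 0.0.0.0
set service ssh listen-address 192.168.7.71
set service ssh disable-password-authentication

# Transit traffic arriving on eth0 (the cyber.local side): with source NAT in place, the
# only legitimate inbound packets are replies to connections that 480-WAN hosts opened.
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 description 'Replies to outbound connections'
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable

# Traffic addressed to the router itself on eth0: replies (answers from the 192.168.4.4/5
# name servers arrive this way), SSH from the management network only, and ICMP.
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set firewall name OUTSIDE-LOCAL rule 20 description 'SSH from cyber.local management network'
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 protocol tcp
set firewall name OUTSIDE-LOCAL rule 20 destination port 22
set firewall name OUTSIDE-LOCAL rule 20 source address 192.168.7.0/24
set firewall name OUTSIDE-LOCAL rule 30 action accept
set firewall name OUTSIDE-LOCAL rule 30 protocol icmp

# Traffic addressed to the router from the 480-WAN side: only the DNS forwarder on
# 10.0.17.2 and ICMP. listen-address limits the address SSH binds to, not the ingress
# interface, so without this rule set a 480-WAN host could still reach 192.168.7.71:22.
set firewall name INSIDE-LOCAL default-action drop
set firewall name INSIDE-LOCAL rule 10 action accept
set firewall name INSIDE-LOCAL rule 10 state established enable
set firewall name INSIDE-LOCAL rule 10 state related enable
set firewall name INSIDE-LOCAL rule 20 description 'DNS to the forwarder'
set firewall name INSIDE-LOCAL rule 20 action accept
set firewall name INSIDE-LOCAL rule 20 protocol tcp_udp
set firewall name INSIDE-LOCAL rule 20 destination address 10.0.17.2
set firewall name INSIDE-LOCAL rule 20 destination port 53
set firewall name INSIDE-LOCAL rule 30 action accept
set firewall name INSIDE-LOCAL rule 30 protocol icmp

set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
set interfaces ethernet eth1 firewall local name INSIDE-LOCAL

commit; save
exit
```

Commit this from the ESXi browser console rather than over SSH the first time, so a mistake in OUTSIDE-LOCAL cannot lock you out, and only add disable-password-authentication after a key login has succeeded. In op mode, show firewall name OUTSIDE-LOCAL lists the rules with their hit counters, which is the quickest way to confirm that SSH from the management network is matching rule 20 and everything else is landing on the default drop. eth1's transit (in) direction is left unfiltered here because the workstations are meant to reach the outside freely; add a rule set there if the 480-WAN hosts need to be constrained.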
Xubuntu Workstation Creation
Once VyOS is configured properly, we can continue with the next video, which details creation and setup of an Xubuntu workstation VM.
VM Creation
Any VM settings changed from the defaults are listed below. For a more detailed breakdown of setting locations, see VM Creation.
- Name: xubuntu-wan
- Compatibility: ESXi 7.0 virtual machine
- Guest OS: Linux / Ubuntu Linux (64-bit)
- CPU: 2
- Memory: 3 GB
- Hard disk: 30 GB, thin provisioned
- Network adapter: VM Network (temporary, to give the VM WAN access for updating the system)
- CD/DVD Drive: Datastore ISO (Xubuntu ISO)
Xubuntu Installation
Start the VM, and proceed through the standard Xubuntu installation steps. Select the Minimal installation. Be sure to create a generic user (e.g. champuser) for the base snapshot.
Xubuntu Configuration
Once installation is complete, log in as the generic user account and perform the following configuration steps.
Post-Install Script
Download or copy and run the following post-install script on the machine, as root. This script prepares the VM for linked cloning by installing some helpful tools, removing extraneous files, and modifying the machine ID to prevent duplicate IP assignments using DHCP.
#!/bin/sh
# Script to prepare an Ubuntu desktop VM for linked cloning. Run as root.
set -e
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
# Chrome and Chrome Remote Desktop. Both .debs are fetched over HTTPS from Google;
# installing them also registers Google's apt repository on the system.
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
apt install --assume-yes ./google-chrome-stable_current_amd64.deb
wget https://dl.google.com/linux/direct/chrome-remote-desktop_current_amd64.deb
apt install --assume-yes ./chrome-remote-desktop_current_amd64.deb
# VMware guest tools and the OpenSSH server
apt-get install -y open-vm-tools-desktop openssh-server
# Clear login records, temporary files and root's shell history so clones start clean
cat /dev/null > /var/log/wtmp
cat /dev/null > /var/log/lastlog
rm -rf /tmp/* /var/tmp/*
rm -f /root/.bash_history
# Remove the SSH host keys (every clone must get its own) and stale udev NIC naming rules
rm -f /etc/ssh/ssh_host*
rm -f /etc/udev/rules.d/70-persistent-net.rules
# Regenerate missing host keys on the first boot of a clone. dpkg-reconfigure only
# creates keys that are absent. The ed25519 key is used as the marker because modern
# OpenSSH no longer generates a DSA key, so testing for ssh_host_dsa_key would re-run
# the reconfigure on every boot.
cat > /etc/rc.local <<'EOL'
#!/bin/sh -e
test -f /etc/ssh/ssh_host_ed25519_key || dpkg-reconfigure openssh-server
exit 0
EOL
chmod +x /etc/rc.local
echo xubuntu > /etc/hostname
apt-get clean
# Disable unattended apt runs so a batch of clones does not all start upgrading at once.
# Re-enable these (or run updates manually) on any clone that stays in service.
systemctl stop apt-daily-upgrade.timer
systemctl disable apt-daily-upgrade.timer
systemctl stop apt-daily.timer
systemctl disable apt-daily.timer
apt autoremove -y
# Empty (do not delete) the machine ID; systemd generates a fresh one on the next boot.
# DHCP client identifiers are derived from it, so clones sharing an ID can be handed the same lease.
truncate -s 0 /etc/machine-id
It is also available for download at this link, which can be retrieved directly using curl/etc.
Once the script execution is complete, remove the two .deb files, and the script itself, from the working directory.
ESXi Post Configuration
Once the script has finished running and the resultant files have been removed, power off the VM. Edit its settings in ESXi and detach the ISO (set CD/DVD Drive 1 to Host device, as for the VyOS VM). Then create a Base snapshot for xubuntu-wan.
Environment-Specific Configuration
Once the base snapshot has been created, configuration of xubuntu-wan for the current milestone’s environment can begin.
Network Adapter
Edit the VM settings, and change the Network adapter to 480-WAN.
User Creation
Create a new user, e.g. user, with a unique password. This user is added to the sudo group and is then used to delete the generic champuser account. The commands for performing these operations are as follows:
sudo adduser user
sudo usermod -aG sudo user
Log out of champuser, log in as user, and delete the champuser account (add --remove-home to delete its home directory as well, so nothing of the generic account is left on the clone):
sudo deluser champuser
deluser may refuse if champuser still owns a running process, in which case the machine can be restarted or the process killed with kill -9 <PID>.
Network Configuration
As the machine is now connected to 480-WAN, which doesn't currently have a DHCP server, a static network configuration must be set through NetworkManager, nmtui, or whatever network configuration tool is preferred. The following settings were used for this milestone:
- IP Address: 10.0.17.100 (in the 10.0.17.0/24 network of the VyOS eth1 address)
- Gateway: 10.0.17.2
- DNS: 10.0.17.2
- Search domains: 480.local