Tuesday, May 27, 2014

Install and run a fully functional VMware ESX Hypervisor within a KVM virtual machine

This post is about how to set up and configure a VMware ESX Hypervisor within a KVM virtual machine. The resulting ESX host is fully functional: you can create (nested) virtual machines on it with a working network connection.

Some (funny) facts:

  • Running VMware ESX within a KVM virtual machine allows memory over-commitment. That means even if your KVM host system only has 2 GB of memory you can assign e.g. 4 GB of memory to the ESX host VM.
  • KVM provides the hardware ESX expects even if ESX does not support the KVM host's real hardware. This allows you to install and run VMware ESX on almost any desktop hardware that ESX would normally refuse, e.g. because of an unsupported network card model.

 Steps to set up VMware ESX within a KVM VM

  • Install Linux on a physical system (I used the latest Ubuntu 14.04)
  • Install the qemu/kvm package
                            apt-get install qemu-kvm
  • Edit /etc/modprobe.d/kvm-intel.conf (or kvm-amd.conf for AMD CPUs; modprobe only reads files ending in .conf) and add

                            options kvm ignore_msrs=1
                            options kvm-intel nested=y ept=y

    For AMD the second line becomes "options kvm-amd nested=1". ignore_msrs=1 makes KVM ignore accesses to MSRs it does not emulate instead of faulting the guest, and nested=y allows the ESX guest to use the VMX instructions itself. Reload the kvm and kvm_intel (or kvm_amd) modules, or reboot, so the options take effect; /sys/module/kvm_intel/parameters/nested should then read Y.
  • Download the qemu 2.0.0 source. In hw/i386/pc_piix.c (and in hw/i386/pc_q35.c if you intend to use the q35 machine type) change the line

                            pc_basic_device_init(isa_bus, gsi, &rtc_state, &floppy, xen_enabled(),

    to

                            pc_basic_device_init(isa_bus, gsi, &rtc_state, &floppy, TRUE,

    The fifth argument is no_vmport: passing TRUE disables the emulated VMware backdoor I/O port, which the ESXi installer otherwise probes and then believes it is running under a VMware hypervisor. (qemu 2.2 and later expose the same switch as -machine pc,vmport=off, so the source change is only needed for 2.0.)

  • Configure the qemu 2.0.0 source with the following command, then build and install it (make && make install). With the default prefix the binaries land under /usr/local, which is where the commands below expect them:
./configure --enable-kvm --target-list=x86_64-linux-user,x86_64-softmmu
  • Create /usr/local/etc/qemu/bridge.conf
                     allow all
    bridge.conf is the ACL of qemu-bridge-helper, which normally runs setuid root. "allow all" lets every user who can execute the helper attach a tap device to any bridge on the host; on a shared machine restrict it to the one bridge used here with "allow br0" instead.
  • Install the bridge-utils package
                    apt-get install bridge-utils
  • Configure a network bridge in /etc/network/interfaces as follows:
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_hello 2
bridge_maxage 12
bridge_stp off

 The address, netmask and gateway lines of the br0 stanza are omitted above because your IP configuration will differ; add your own.
  • Choose a directory for the KVM virtual machine and create the virtual machine harddisk with the following qemu-img command:
                     qemu-img create -f raw esxi00.img 16G
  • Download VMware ESX Hypervisor 5.5 from the VMware website and put the installer ISO (VMware-VMvisor-Installer-5.5.0.update01-1623387.x86_64.iso) into the directory where the disk image was created in the previous step
  • Start the KVM virtual machine with:
/usr/local/bin/qemu-system-x86_64 -enable-kvm -cpu host -m 4096 -smp 2 -cdrom VMware-VMvisor-Installer-5.5.0.update01-1623387.x86_64.iso -netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hostnet0 -device vmxnet3,netdev=hostnet0,id=net0 -hda esxi00.img

Please notice the "vmxnet3" virtual network device type: ESXi ships a driver for vmxnet3 (and for e1000) but none for virtio-net, so with the virtio model the ESX host would have no network at all.
  • Go through the (normal) VMware ESX installation procedure
  • After the installation enable the SSH service on the ESX host that is now running inside the KVM VM. Then ssh into the ESX host and set the following parameter in /etc/vmware/config:
                      vhv.allow = "TRUE"

Now please reboot the ESX Host system to activate the new configuration!
  • When creating a virtual machine on the (nested virtualized) ESX Host please make sure to add the following two parameters to the VM's vmx configuration file:

                       vhv.enable = "TRUE"
                       vmx.allowNested = "TRUE"


You have successfully virtualized a VMware ESX Hypervisor with KVM!

I hope you now enjoy your fully functional VMware ESX Host

Additional information on the VMware parameters used in this howto
  • vhv.allow = "TRUE" does nothing on ESX 5.1 and later
  • vhv.enable = "TRUE" is only going to be useful if you want to run VMs under the VMs running under ESXi running under kvm
  • You can add vmx.allowNested = "TRUE" to /etc/vmware/config in the ESXi VM to avoid having to put it in every nested VM's configuration file.
This quick howto was created with information from https://communities.vmware.com/thread/451412
Special thanks to jmattson for the additional details on the VMware parameters
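Before launching the qemu command above it pays to check that the host actually meets the prerequisites, because a missing kvm option only shows up as an ESXi installer that hangs, and a wrong bridge.conf only as the bridge helper refusing the tap device. The preflight script below is an added example written for this post, not code from the original article, from qemu or from VMware. The function names and the SYSFS and BRIDGE_CONF variables are mine; the defaults assume the paths used above (/usr/local/etc/qemu/bridge.conf, bridge br0).

```sh
#!/bin/sh
# esxi-kvm-preflight.sh: sanity checks before starting the ESXi guest.
# Added example, not part of the original post. SYSFS and BRIDGE_CONF
# default to the real locations and can be overridden for testing.

SYSFS=${SYSFS:-/sys}
BRIDGE_CONF=${BRIDGE_CONF:-/usr/local/etc/qemu/bridge.conf}

# kvm_param_on FILE: 0 if a kvm module parameter file reads Y or 1.
# Used for $SYSFS/module/kvm_intel/parameters/nested (nested=y) and
# $SYSFS/module/kvm/parameters/ignore_msrs (ignore_msrs=1).
kvm_param_on() {
    [ -r "$1" ] || return 1
    case "$(cat "$1")" in
        Y|y|1) return 0 ;;
        *)     return 1 ;;
    esac
}

# bridge_exists NAME: 0 if NAME is a Linux bridge (has a bridge/ sysfs dir).
bridge_exists() {
    [ -d "$SYSFS/class/net/$1/bridge" ]
}

# bridge_acl NAME: qemu-bridge-helper ACL check.
#   0 -> "allow NAME" present (least privilege, preferred)
#   2 -> only "allow all" present (works, but every helper user gets every bridge)
#   1 -> no matching allow rule; the helper will refuse the tap device
bridge_acl() {
    [ -r "$BRIDGE_CONF" ] || return 1
    if grep -Eq "^[[:space:]]*allow[[:space:]]+$1[[:space:]]*$" "$BRIDGE_CONF"; then
        return 0
    elif grep -Eq "^[[:space:]]*allow[[:space:]]+all[[:space:]]*$" "$BRIDGE_CONF"; then
        return 2
    fi
    return 1
}

# preflight BRIDGE: run all checks, print one line per check, return 0 only
# if every hard requirement holds ("allow all" is a warning, not a failure).
preflight() {
    br=${1:-br0}; rc=0
    if kvm_param_on "$SYSFS/module/kvm_intel/parameters/nested" \
       || kvm_param_on "$SYSFS/module/kvm_amd/parameters/nested"; then
        echo "ok   nested virtualisation enabled"
    else
        echo "FAIL nested=y missing (check /etc/modprobe.d and reload kvm_intel/kvm_amd)"; rc=1
    fi
    if kvm_param_on "$SYSFS/module/kvm/parameters/ignore_msrs"; then
        echo "ok   ignore_msrs=1"
    else
        echo "FAIL ignore_msrs=1 missing (ESXi touches MSRs that KVM does not emulate)"; rc=1
    fi
    if bridge_exists "$br"; then
        echo "ok   bridge $br exists"
    else
        echo "FAIL bridge $br not found (check /etc/network/interfaces)"; rc=1
    fi
    bridge_acl "$br" && acl=0 || acl=$?
    case $acl in
        0) echo "ok   $BRIDGE_CONF allows $br" ;;
        2) echo "WARN $BRIDGE_CONF uses 'allow all'; prefer 'allow $br'" ;;
        *) echo "FAIL $BRIDGE_CONF does not allow $br"; rc=1 ;;
    esac
    return $rc
}

# Run the checks only when invoked as: sh esxi-kvm-preflight.sh run [bridge]
if [ "${1-}" = run ]; then
    preflight "${2:-br0}"
fi
```

Run it as "sh esxi-kvm-preflight.sh run br0" on the KVM host before the qemu-system-x86_64 command. It prints one line per check and exits non-zero on any hard failure; a bridge.conf that only says "allow all" gets a warning because the setup works with it, it just hands every user of the helper every bridge on the host.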

Friday, April 4, 2014

A working OpenStack configuration for a single network card

 After quite some trouble getting OpenStack to run on a system that has just one network card, I found a proper solution.

Here it is:

  • Install a fresh Ubuntu 12.04 LTS
  • Install bridge-utils and configure a br100 bridge on your single network card eth0
    • Here is the br100 section of /etc/network/interfaces
# Internal Network
auto br100
iface br100 inet static
bridge_ports eth0
bridge_fd 0
bridge_hello 2
bridge_maxage 12
bridge_stp off
  • Create a VLAN network interface on eth0 using VLAN ID 0
    • Run:
modprobe 8021q
vconfig add eth0 0
ifconfig eth0.0:1 netmask up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    • This creates an eth0.0 device with the IP address given on the ifconfig line (the address and netmask are omitted above; fill in your own). Note that none of this is persistent: the two sysctl values and the MASQUERADE rule are gone after a reboot. Also, the rule as written NATs every forwarded packet that leaves eth0; once you know the fixed-IP range of your instances, add -s <range> so only instance traffic is masqueraded.
  • Check that the new eth0.0 device got created with "ifconfig -a"
  • Now follow the regular Devstack instructions
    • Add a stack user with sudo permissions
    • Check out OpenStack with git
    • Create /home/stack/devstack/localrc with your settings
  • Now run stack.sh
su - stack
cd devstack
./stack.sh

Shortly after that OpenStack will be up and running and you can connect to the OpenStack Horizon dashboard on the controller's IP address.

With this network configuration the setup lets you launch OpenStack instances that are reachable from the controller.

Devstack is a documented shell script to build complete OpenStack development environments. More about Devstack at: http://devstack.org

Sunday, February 23, 2014

Ultra secure remote access to a home network with a Raspberry Pi

This post is about setting up ultra secure remote access to a home (or corporate) network with a Raspberry Pi.

We have all heard of the security holes in many DSL routers. Because of that it is important to keep the firmware up to date. Still, I personally do not really trust the "remote access" capabilities and the built-in VPN functionality of those DSL boxes.
Nevertheless I would like to have remote access to e.g. my home network. The idea is to use a Raspberry Pi as a secure bridge into the remote network.

Sure, we could set up a VPN on the Raspberry Pi, but most Raspberry Pi related VPN howtos require a "logmein" account for an easy VPN setup. I prefer to use standard utilities without having to create an account on a commercial site that routes all my traffic through it. Also, for me pure "ssh" access is completely sufficient: it gives me remote port forwarding through ssh, which is all I need.

But any "port forwarding" on the DSL router would require at least one open TCP port, how bad!
... but wait, here is the "better" idea:

We can use an "active port forwarder" (such as apf-server/apf-client) to forward the ssh port of the Raspberry Pi to a remote server (reachable on the internet) through an outgoing connection.

Here is how this basically works:
Please see also http://gray-world.net/images/af.gif

The Raspberry Pi creates an outgoing connection (allowed through the firewall) to the remote server using "afclient". On the remote server "afserver" picks up this connection and uses it to actively forward the ssh port of the Raspberry Pi to a port on the remote server.

-> This setup does not require a single open port on the DSL router!

How to configure the Raspberry Pi for "Ultra secure remote access":

  1. Set up a Raspberry Pi with the standard Raspbian OS image.
  2. Install "apf-client"
  3. Start the apf-client (afclient is the binary name) automatically at boot.
Add the following line to /etc/rc.local

                         afclient --ignorepkeys -m 50001 --pass [secure-password] -n [remote-public-server] -p 22 --ar-start --ar-quit

I am using port 50001 for the af communication in this example.
This connects to an "afserver" on [remote-public-server] via port 50001 over an SSL-encrypted connection secured by [secure-password].

Please notice:
The "--ar-start --ar-quit" parameters allow the afclient to start even when the afserver on the remote server is not reachable or not started yet. In case the network the Raspberry Pi is located in does not allow direct internet access, afclient/afserver also support tunneling the af connection through a standard http/https proxy server. For more options please check http://manpages.ubuntu.com/manpages/precise/man1/afserver.1.html
Two caveats: /etc/rc.local is normally world-readable and the command line is visible to every local user in the process list, so [secure-password] is no secret from anyone with a shell on the Pi; if other people log in to it, keep the command in a root-only (mode 0700) script, bearing in mind that --pass still shows the password in the process list while afclient runs. And "--ignorepkeys" makes afclient accept any server key, so the af connection itself is not protected against a man-in-the-middle; the ssh session carried inside it still authenticates the Raspberry Pi by its host key, so verify that key on the first login through the tunnel.

Now the setup on the remote (publicly accessible) server:

  1. Install "apf-server" (afserver is the binary name)
  2. Start "afserver" to accept and pick up the connection from the client

                         afserver -m 50001 --pass [secure-password] -l 40001


This picks up the afclient on port 50001 and forwards the ssh port of the Raspberry Pi to port 40001 on the remote (publicly accessible) server, using the same password as given to the afclient.

-> You can now ssh to port 40001 on the remote (publicly accessible) server, which logs you in to the Raspberry Pi!

From there you can e.g. use "wakeonlan" to power on systems in the remote network.

More security for this setup:

  • install "fail2ban" on the Raspberry Pi to harden the ssh login - http://www.fail2ban.org/
  • disable "root" ssh access to the Raspberry Pi and only permit ssh keys (not passwords), i.e. PermitRootLogin no and PasswordAuthentication no in /etc/ssh/sshd_config
  • use "iptables" to secure the forwarded ssh port on the remote (publicly accessible) server.
e.g. when you start the "afserver" on the remote server, run the following two lines to only allow your current IP address to connect to the forwarded ssh port. Order matters: the ACCEPT rule has to come before the DROP rule, and since both are appended (-A) to INPUT, an earlier blanket ACCEPT rule in that chain would still let everyone in.

/sbin/iptables -A INPUT -p tcp -m tcp -s [the-IP-address-from-where-you-come-from] --dport 40001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 40001 -j DROP

  • only start the "afserver" when you need it. When it is not started, the forwarded ssh port of the Raspberry Pi won't be picked up, so it won't be accessible.
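The hardening bullets above can be scripted. What follows is an added example, not code from the original post or from the af project: sshd_hardened() checks the Raspberry Pi's sshd_config for the two settings the way sshd reads it (the first occurrence of a keyword wins), and on the public server run_afserver() opens port 40001 only for one validated source address, starts afserver in the foreground with the shared secret read from a root-only file, and removes the firewall rules again when afserver exits or the script is interrupted, which is the "only start the afserver when you need it" bullet in script form. The function names, the IPTABLES/FWD_PORT/MGMT_PORT variables and the password-file convention are my assumptions; the afserver options are the ones used above.

```sh
#!/bin/sh
# af-guard.sh: helpers for the hardening steps above. Added example, not
# from the original post or the af project. Function and variable names
# are my own; afserver's own options are as used in the post.

IPTABLES=${IPTABLES:-/sbin/iptables}
FWD_PORT=${FWD_PORT:-40001}     # port afserver forwards the Pi's ssh to
MGMT_PORT=${MGMT_PORT:-50001}   # af management port the afclient dials

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
# Anything else (including shell metacharacters) is rejected before it
# can reach an iptables command line.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# sshd_hardened FILE: 0 if sshd_config has "PermitRootLogin no" and
# "PasswordAuthentication no" as the effective (first) setting; a missing
# keyword counts as not hardened because sshd's defaults are permissive.
sshd_hardened() {
    conf=$1
    [ -r "$conf" ] || return 1
    root=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$conf")
    pass=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$conf")
    [ "$root" = no ] && [ "$pass" = no ]
}

# open_forwarded_port ADDR: allow only ADDR to reach FWD_PORT, drop the rest.
# The rules are inserted at the top of INPUT (-I INPUT 1) so an earlier
# blanket ACCEPT cannot bypass them; DROP goes in first so that the ACCEPT
# inserted afterwards ends up above it.
open_forwarded_port() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    $IPTABLES -I INPUT 1 -p tcp --dport "$FWD_PORT" -j DROP &&
    $IPTABLES -I INPUT 1 -p tcp --dport "$FWD_PORT" -s "$1" -j ACCEPT
}

# close_forwarded_port ADDR: remove exactly the two rules added above.
close_forwarded_port() {
    $IPTABLES -D INPUT -p tcp --dport "$FWD_PORT" -s "$1" -j ACCEPT
    $IPTABLES -D INPUT -p tcp --dport "$FWD_PORT" -j DROP
}

# run_afserver ADDR PASSFILE: open the port for ADDR, run afserver in the
# foreground with the shared secret from PASSFILE (keep it mode 0600; with
# --pass it is still visible in the process list while afserver runs), and
# close the port again when afserver exits or the script is interrupted.
run_afserver() {
    addr=$1; passfile=$2
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 1; }
    open_forwarded_port "$addr" || return 1
    trap 'close_forwarded_port "$addr"' EXIT INT TERM
    afserver -m "$MGMT_PORT" --pass "$(cat "$passfile")" -l "$FWD_PORT"
}

# Usage on the public server (as root): sh af-guard.sh <your-ip> /root/af.pass
if [ "$#" -eq 2 ]; then
    run_afserver "$1" "$2"
fi
```

On the Raspberry Pi, "sh af-guard.sh" followed by "sshd_hardened /etc/ssh/sshd_config && echo ok" (after sourcing the file) tells you whether the two sshd settings are in effect. On the public server the script replaces the manual iptables lines: the port is reachable from one address only, and only for as long as afserver is running.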
Links: apf-server homepage and download - http://gray-world.net/pr_af.shtml

Hope it's useful for you! Security IS important!

Wednesday, January 22, 2014

What a MP3 player and Cloud Computing have in common

When thinking of IaaS cloud computing, most of the time it is like an MP3 player. You can easily let users create, start, stop and destroy their own VMs and ... not really much more.

If this is not enough for you


If you like the cloud but would still like to deploy your systems (VMs and "bare-metal") in a regular (non-AMI) way


If you are looking for 100% IT service automation including automatic high availability, automatic monitoring, automatic backup and restore, automatic IT documentation, automatic DNS/network/DHCP/VLAN management, automatic out-of-band management (including Green IT), automatic application deployment and configuration etc.

... then you should take a look at the openQRM Enterprise datacenter infrastructure and IaaS Cloud Computing solution!

Compared to the MP3 player, you can think of openQRM as a full-featured music studio application. It can play all kinds of music files (not just MP3s), it lets you record, cut, paste and rearrange different tracks and song parts, it gives you full control and lets you adjust every bit and pinch of the songs you play, and it provides you with "superhero power" for your complete music collection.

openQRM Enterprise Datacenter Infrastructure is the "magic potion" for system administrators. It provides a generic server deployment workflow that integrates and combines common and custom system administration tools into a single powerful management console for your complete IT service infrastructure, from "A" as in Ansible to "Z" as in Zabbix.

On top of that, openQRM Enterprise IaaS Cloud Automation turns your existing openQRM Enterprise Datacenter Infrastructure into a flexible and 100% automated private, public and hybrid cloud computing environment including a user-friendly "VM and Bare-Metal Server" self-service, no matter which virtualization, storage or network technologies you use.

More information at http://www.openqrm-enterprise.com/

Monday, January 20, 2014

What an MP3 player and cloud computing have in common

IaaS cloud computing is often like an MP3 player. You can simply let users create, start/stop and delete their own VMs ... and not really much more.

If that is not enough for you


If you are looking for a cloud solution that deploys your systems (VMs and "bare-metal") in a conventional way (not based on AMI images).


If you are after a 100% automated IT service environment that offers automatic high availability, automatic system and service monitoring, automatic backup/restore, automatic IT documentation, automatic DNS / network / DHCP / VLAN management, automatic out-of-band management (including Green IT) and automatic application deployment and configuration

... then you should take a look at the openQRM Enterprise datacenter infrastructure and IaaS cloud computing solution!

Compared to the MP3 player, you can think of openQRM as a fully equipped studio music application that can play all kinds of music files and lets you record, cut and remix. It gives you full control over every bit, every beat and every note of your songs and makes you the "superhero" of your complete music collection.

openQRM Enterprise datacenter infrastructure is the "magic potion" for system administrators. It provides a generic server deployment workflow that fully supports physical systems ("bare-metal") independently of the virtualization technology. In addition, openQRM Enterprise datacenter infrastructure integrates standard system administration tools, which are combined with your own tools in a powerful management console for your complete IT service infrastructure, from "A" as in Ansible to "Z" as in Zabbix.

As an add-on to openQRM Enterprise datacenter infrastructure, openQRM Enterprise IaaS Cloud Datacenter Automation turns your IT environment into a flexible, 100% automated self-service portal for VM and "bare-metal" systems, regardless of which virtualization or storage technology you use.

More information at http://www.openqrm-enterprise.com/

(clip art from http://openclipart.org)