8.1. KVM Hypervisor Host Installation

8.1.1. System Requirements for KVM Hypervisor Hosts

KVM is included with a variety of Linux-based operating systems. Although you are not required to run these distributions, the following are recommended:

CentOS / RHEL: 6.3
Ubuntu: 12.04(.1)

The main requirement for KVM hypervisors is the libvirt and Qemu version. No matter what Linux distribution you are using, make sure the following requirements are met:

libvirt: 0.9.4 or higher
Qemu/KVM: 1.0 or higher

In addition, the following hardware requirements apply:

Within a single cluster, the hosts must be of the same distribution version.
All hosts within a cluster must be homogenous. The CPUs must be of the same type, count, and feature flags.
Must support HVM (Intel-VT or AMD-V enabled)
64-bit x86 CPU (more cores results in better performance)
4 GB of memory
At least 1 NIC
When you deploy CloudStack, the hypervisor host must not have any VMs already running

8.1.2. KVM Installation Overview

If you want to use the Linux Kernel Virtual Machine (KVM) hypervisor to run guest virtual machines, install KVM on the host(s) in your cloud. The material in this section doesn't duplicate KVM installation docs. It provides the CloudStack-specific steps that are needed to prepare a KVM host to work with CloudStack.

Warning

Before continuing, make sure that you have applied the latest updates to your host.

Warning

It is NOT recommended to run services on this host not controlled by CloudStack.

The procedure for installing a KVM Hypervisor Host is:

Prepare the Operating System
Install and configure libvirt
Configure Security Policies (AppArmor and SELinux)
Install and configure the Agent

8.1.3. Prepare the Operating System

The OS of the Host must be prepared to host the CloudStack Agent and run KVM instances.

Log in to your OS as root.
Check for a fully qualified hostname.
```
$ hostname --fqdn
```
This should return a fully qualified hostname such as "kvm1.lab.example.org". If it does not, edit /etc/hosts so that it does.
Make sure that the machine can reach the Internet.
```
$ ping www.cloudstack.org
```
Turn on NTP for time synchronization.
Note
NTP is required to synchronize the clocks of the servers in your cloud. Unsynchronized clocks can cause unexpected problems.
1. Install NTP
```
$ yum install ntp
```
```
$ apt-get install openntpd
```
Repeat all of these steps on every hypervisor host.

8.1.4. Install and configure the Agent

To manage KVM instances on the host CloudStack uses a Agent. This Agent communicates with the Management server and controls all the instances on the host.

First we start by installing the agent:

In RHEL or CentOS:

$ yum install cloud-agent

In Ubuntu:

$ apt-get install cloud-agent

The host is now ready to be added to a cluster. This is covered in a later section, see Section 6.5, “Adding a Host”. It is recommended that you continue to read the documentation before adding the host!

8.1.5. Install and Configure libvirt

CloudStack uses libvirt for managing virtual machines. Therefore it is vital that libvirt is configured correctly. Libvirt is a dependency of cloud-agent and should already be installed.

In order to have live migration working libvirt has to listen for unsecured TCP connections. We also need to turn off libvirts attempt to use Multicast DNS advertising. Both of these settings are in /etc/libvirt/libvirtd.conf
Set the following paramaters:
```
listen_tls = 0
```
```
listen_tcp = 1
```
```
tcp_port = 16059
```
```
auth_tcp = "none"
```
```
mdns_adv = 0
```
Turning on "listen_tcp" in libvirtd.conf is not enough, we have to change the parameters as well:
On RHEL or CentOS modify /etc/sysconfig/libvirtd:
Uncomment the following line:
```
#LIBVIRTD_ARGS="--listen"
```
On Ubuntu: modify /etc/init/libvirt-bin.conf
Change the following line (at the end of the file):
```
exec /usr/sbin/libvirtd -d
```
to (just add -l)
```
exec /usr/sbin/libvirtd -d -l
```

Restart libvirt

In RHEL or CentOS:

$ service libvirtd restart

In Ubuntu:

$ service libvirt-bin restart

8.1.6. Configure the Security Policies

CloudStack does various things which can be blocked by security mechanisms like AppArmor and SELinux. These have to be disabled to ensure the Agent has all the required permissions.

Configure SELinux (RHEL and CentOS)
1. Check to see whether SELinux is installed on your machine. If not, you can skip this section.
  In RHEL or CentOS, SELinux is installed and enabled by default. You can verify this with:
```
$ rpm -qa | grep selinux
```
2. Set the SELINUX variable in /etc/selinux/config to "permissive". This ensures that the permissive setting will be maintained after a system reboot.
  In RHEL or CentOS:
```
vi /etc/selinux/config
```
  Change the following line
```
SELINUX=enforcing
```
  to this
```
SELINUX=permissive
```
3. Then set SELinux to permissive starting immediately, without requiring a system reboot.
```
$ setenforce permissive
```

Configure Apparmor (Ubuntu)

Check to see whether AppArmor is installed on your machine. If not, you can skip this section.
In Ubuntu AppArmor is installed and enabled by default. You can verify this with:
```
$ dpkg --list 'apparmor'
```

Disable the AppArmor profiles for libvirt

$ ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/

$ ln -s /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/disable/

$ apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd

$ apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

8.1.7. Configure the network bridges

Warning

This is a very important section, please make sure you read this thoroughly.

In order to forward traffic to your instances you will need at least two bridges: public and private.

By default these bridges are called cloudbr0 and cloudbr1, but you do have to make sure they are available on each hypervisor.

The most important factor is that you keep the configuration consistent on all your hypervisors.

8.1.7.1. Network example

There are many ways to configure your network. In the Basic networking mode you should have two (V)LAN's, one for your private network and one for the public network.

We assume that the hypervisor has one NIC (eth0) with three tagged VLAN's:

VLAN 100 for management of the hypervisor
VLAN 200 for public network of the instances (cloudbr0)
VLAN 300 for private network of the instances (cloudbr1)

On VLAN 100 we give the Hypervisor the IP-Address 192.168.42.11/24 with the gateway 192.168.42.1

Note

The Hypervisor and Management server don't have to be in the same subnet!

8.1.7.2. Configuring the network bridges

It depends on the distribution you are using how to configure these, below you'll find examples for RHEL/CentOS and Ubuntu.

Note

The goal is to have two bridges called 'cloudbr0' and 'cloudbr1' after this section. This should be used as a guideline only. The exact configuration will depend on your network layout.

8.1.7.2.1. Configure in RHEL or CentOS

The required packages were installed when libvirt was installed, we can proceed to configuring the network.

First we configure eth0

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Make sure it looks similair to:

DEVICE=eth0
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet

We now have to configure the three VLAN interfaces:

vi /etc/sysconfig/network-scripts/ifcfg-eth0.100

DEVICE=eth0.100
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
IPADDR=192.168.42.11
GATEWAY=192.168.42.1
NETMASK=255.255.255.0

vi /etc/sysconfig/network-scripts/ifcfg-eth0.200

DEVICE=eth0.200
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=cloudbr0

vi /etc/sysconfig/network-scripts/ifcfg-eth0.300

DEVICE=eth0.300
HWADDR=00:04:xx:xx:xx:xx
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
TYPE=Ethernet
VLAN=yes
BRIDGE=cloudbr1

Now we have the VLAN interfaces configured we can add the bridges on top of them.

vi /etc/sysconfig/network-scripts/ifcfg-cloudbr0

Now we just configure it is a plain bridge without an IP-Adress

DEVICE=cloudbr0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes

We do the same for cloudbr1

vi /etc/sysconfig/network-scripts/ifcfg-cloudbr1

DEVICE=cloudbr1
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes

With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.

Warning

Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!

8.1.7.2.2. Configure in Ubuntu

All the required packages were installed when you installed libvirt, so we only have to configure the network.

vi /etc/network/interfaces

Modify the interfaces file to look like this:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0.100
iface eth0.100 inet static
    address 192.168.42.11
    netmask 255.255.255.240
    gateway 192.168.42.1
    dns-nameservers 8.8.8.8 8.8.4.4
    dns-domain lab.example.org

# Public network
auto cloudbr0
iface cloudbr0 inet manual
    bridge_ports eth0.200
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

# Private network
auto cloudbr1
iface cloudbr1 inet manual
    bridge_ports eth0.300
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.

Warning

Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!

8.1.8. Configuring the firewall

The hypervisor needs to be able to communicate with other hypervisors and the management server needs to be able to reach the hypervisor.

In order to do so we have to open the following TCP ports (if you are using a firewall):

22 (SSH)
1798
16509 (libvirt)
5900 - 6100 (VNC consoles)
49152 - 49216 (libvirt live migration)

It depends on the firewall you are using how to open these ports. Below you'll find examples how to open these ports in RHEL/CentOS and Ubuntu.

8.1.8.1. Open ports in RHEL/CentOS

RHEL and CentOS use iptables for firewalling the system, you can open extra ports by executing the following iptable commands:

$ iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

$ iptables -I INPUT -p tcp -m tcp --dport 1798 -j ACCEPT

$ iptables -I INPUT -p tcp -m tcp --dport 16509 -j ACCEPT

$ iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT

$ iptables -I INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT

These iptable settings are not persistent accross reboots, we have to save them first.

$ iptables-save > /etc/sysconfig/iptables

8.1.8.2. Open ports in Ubuntu

The default firewall under Ubuntu is UFW (Uncomplicated FireWall), which is a Python wrapper around iptables.

To open the required ports, execute the following commands:

$ ufw allow proto tcp from any to any port 22

$ ufw allow proto tcp from any to any port 1798

$ ufw allow proto tcp from any to any port 16509

$ ufw allow proto tcp from any to any port 5900:6100

$ ufw allow proto tcp from any to any port 49152:49216

Note

By default UFW is not enabled on Ubuntu. Executing these commands with the firewall disabled does not enable the firewall.