Server setup for AfNOG SS-E virtualisation

Install Ubuntu Desktop (not Server) 16.04 AMD64, then:

sudo apt install vim

Create /etc/network/iptables with the following contents:

# Generated by iptables-save v1.6.0 on Fri May 27 17:09:25 2016
*filter
:INPUT DROP [3:152]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [256:31110]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -p udp -m udp --dport 53 -m comment --comment "Allow local dnsmasq" -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 196.200.208.0/20 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Apache"
-A INPUT -s 196.200.208.0/20 -p tcp -m tcp --dport 3142 -j ACCEPT -m comment --comment "apt-cacher-ng"
-A INPUT -s 196.200.208.0/20 -p tcp -m tcp --dport 3141 -j ACCEPT -m comment --comment "devpi-server"
-A INPUT -d 255.255.255.255/32 -m comment --comment "Drop multicast without logging" -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Rejected INPUT: "
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 196.200.219.0/24 -j MASQUERADE
COMMIT
*mangle
-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri May 27 17:09:25 2016
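Before installing a ruleset with iptables-restore it is worth checking a few properties of the saved file offline. The following is an added example, not part of the original setup notes: a POSIX shell function that greps an iptables-save file for the properties the ruleset above relies on (INPUT policy DROP, the ESTABLISHED accept rule, SSH still reachable, the rate-limited LOG rule as the last INPUT rule, and a COMMIT for every table). It runs without root and without iptables installed; the sample ruleset it writes is a constructed, cut-down copy of the one above.

```shell
#!/bin/sh
# Added example (not from the original notes): offline sanity checks on an
# iptables-save file before it is loaded with iptables-restore.

# audit_ruleset FILE: return 0 if the saved filter table passes all checks,
# non-zero (with a message on stderr) at the first failed check.
audit_ruleset() {
    f="$1"
    # 1. Default INPUT policy must be DROP: anything not explicitly allowed is dropped.
    grep -q '^:INPUT DROP' "$f" \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    # 2. Return traffic for connections the host opened must be accepted,
    #    otherwise replies to outbound connections never get in.
    grep -q '^-A INPUT -m state --state ESTABLISHED -j ACCEPT' "$f" \
        || { echo "no ESTABLISHED accept rule" >&2; return 1; }
    # 3. Remote management over ssh must stay possible.
    grep -q '^-A INPUT .*--dport 22 -j ACCEPT' "$f" \
        || { echo "ssh (tcp/22) not allowed" >&2; return 1; }
    # 4. The rate-limited LOG rule must be the last INPUT rule, so every packet
    #    that falls through to the DROP policy is logged (at most 5/min).
    last=$(grep '^-A INPUT' "$f" | tail -n 1)
    case "$last" in
        *"-m limit"*"-j LOG"*) ;;
        *) echo "last INPUT rule is not the rate-limited LOG rule" >&2; return 1 ;;
    esac
    # 5. Every table opened with *name must be closed with COMMIT.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -eq "$commits" ] \
        || { echo "table/COMMIT mismatch ($tables tables, $commits COMMITs)" >&2; return 1; }
    return 0
}

# write_sample FILE: constructed sample, a cut-down copy of the ruleset in the notes.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Rejected INPUT: "
COMMIT
*nat
-A POSTROUTING -s 196.200.219.0/24 -j MASQUERADE
COMMIT
EOF
}

# Usage on the real file:
#   audit_ruleset /etc/network/iptables && sudo iptables-restore /etc/network/iptables
```

The checks are deliberately textual (no iptables-restore --test), so they can run on the workstation where the file is prepared; they catch the common mistakes of a forgotten COMMIT, an accidentally relaxed default policy, or a rule appended after the LOG rule that would never be logged when dropped.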

Add the following lines to /etc/rc.local before the line exit 0:

echo cfq > /sys/block/sda/queue/scheduler
# Mac Mini only: power on automatically after a power failure
setpci -s 0:1f.0 0xa4.w=0:1
/sbin/iptables-restore /etc/network/iptables

And execute /etc/rc.local.

Set up a local APT cache:

sudo apt install apt-cacher-ng

Following https://help.ubuntu.com/lts/serverguide/lxc.html, but modified for VLAN bridging:

sudo apt install bridge-utils vlan

Edit /etc/network/interfaces and make it look like this, to enable bridging for LXC containers:

# https://help.ubuntu.com/lts/serverguide/network-configuration.html#bridging

auto lo
iface lo inet loopback

auto enp1s0f0
iface enp1s0f0 inet static
	# Please check the following values are appropriate for your network:
	address 196.200.223.144
	netmask 255.255.255.0
	gateway 196.200.223.1

auto br0
iface br0 inet static
	# Please check the following values are appropriate for your network:
	address 196.200.219.2
	netmask 255.255.255.0
	bridge_ports enp1s0f0.219
	bridge_fd 0
	bridge_hello 2
	bridge_maxage 12
	bridge_stp off

auto enp1s0f0.219
iface enp1s0f0.219 inet static
	address 0.0.0.0
	vlan-raw-device enp1s0f0

Then bring the interface down and up again:

sudo ifdown enp1s0f0
sudo ifup br0

Check that you can access the Internet, and then reboot the box and check that it comes up OK.

Enable IP forwarding, but only if you expect the server to be used as a router for the virtual machines or containers, e.g. if they will need to be NATted to access the Internet during setup week.

echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
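The rc.local step above is a manual edit, and the sysctl step appends with tee -a, so running the notes a second time either needs care or leaves duplicate lines. The following is an added example, not part of the original notes: two POSIX shell helpers that make both edits idempotent. Each takes the target file as its first argument so it can be exercised on a temporary copy before touching /etc; the file contents in the usage comment are the lines from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): idempotent helpers for the
# rc.local and sysctl.conf edits. Safe to re-run; they take the target file as
# an argument so they can be tried on a temporary copy first.

# insert_before_exit FILE LINE: add LINE before the first "exit 0" of an
# rc.local-style script, unless an identical line is already present.
insert_before_exit() {
    file="$1"; line="$2"
    if grep -qxF -- "$line" "$file"; then
        return 0        # already present, nothing to do
    fi
    tmp=$(mktemp)
    # Emit the new line just before "exit 0"; if there is no "exit 0", append it.
    awk -v new="$line" '
        !done && $0 == "exit 0" { print new; done = 1 }
        { print }
        END { if (!done) print new }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the original inode and mode
}

# set_sysctl FILE KEY VALUE: set KEY = VALUE in a sysctl.conf-style file,
# replacing an existing setting rather than appending a second one.
set_sysctl() {
    file="$1"; key="$2"; value="$3"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# count_matches FILE PATTERN: number of lines matching PATTERN
# (used to verify that re-running the helpers adds nothing).
count_matches() {
    grep -c -- "$2" "$1" || true
}

# Usage on the real system (as root):
#   insert_before_exit /etc/rc.local 'echo cfq > /sys/block/sda/queue/scheduler'
#   insert_before_exit /etc/rc.local '/sbin/iptables-restore /etc/network/iptables'
#   set_sysctl /etc/sysctl.conf net.ipv4.ip_forward 1 && sysctl -p /etc/sysctl.conf
```

Writing through `cat "$tmp" > "$file"` rather than `mv` keeps the existing permissions of /etc/rc.local (which must stay executable) and avoids replacing a file that may be a symlink.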

To stop NetworkManager from overwriting /etc/resolv.conf, edit /etc/NetworkManager/NetworkManager.conf, set dns=none in the [main] section, and restart NetworkManager. Then edit /var/run/resolvconf/interface/custom, add your own DNS settings, and run resolvconf -u to install them.

Set up a pip caching server for the Ganeti Web Manager installation:

sudo apt install virtualenv
virtualenv devpi
devpi/bin/pip install devpi-server
nohup devpi/bin/devpi-server --host 0.0.0.0 &