unix:virtualization:xen:shutdownnonstandard
Revision 2020/02/19 14:39 (current): page moved from unix:linux:xen:shutdownnonstandard to unix:virtualization:xen:shutdownnonstandard by rodolico
====== Gracefully Shut down non-standard virtuals ======
I like Xen. A lot. For me it is the best virtualization software out there. There is one pesky thing, however: if you don't have the right tools installed, Xen cannot shut down your virtual (DOMU) nicely. Instead, it ends up doing a "

I call these my "

However, there is usually a way for the underlying DOM0 to shut down a running machine. With a Unix-style virtual, you can ssh to it and run the halt command. With a Windows virtual, you can use RPC to issue a remote shutdown command.

So, how to get it to work. Note: this is based on Debian and its successor in the server world, [[https://

My first attempt was to create a script that shut down the virtual first, then called shutdown (or reboot) for the DOM0. However, I wanted something more seamless, so I began investigating adding something to the init.d script for Xen, /

===== Modify xen shutdown script =====

First, edit the script /

<code bash>
do_stop_shutdown()
{
    # add following code: run the helper script if it exists and is executable
    if [ -x /
    then
        /
    fi
    # end of modification
    while read id name rest; do
</code>
This basically says //"if the file /

**Warning**:

===== Create script to manage shut down =====

Now, create the file /

<code bash shutdown_nonstandard_domains>
mkdir -p /
chmod 700 /
chown root:root /
echo '#
echo "echo Shutting Down Nonstandard DOMUs" >> /
chmod 700 /
chown root:root /
</code>

At this point, you have a null script that will be executed (but doesn'

===== Add shutdown scripts as needed =====

I have some auxiliary scripts you can put in here. I'd suggest simply having shutdown_nonstandard_domains call them, so if you were using the IPFire version, you would modify your shutdown_nonstandard_domains to look like this:

<code bash>
#!/usr/bin/env bash
echo Shutting Down Nonstandard DOMUs
/
</code>

That way, you can test each script in turn for your machine, and add/remove whatever you need. For example, if you want to test the windows_down script, copy it to the /

===== Sample scripts =====

Following are a couple of sample scripts. I am definitely not the best bash coder, so laughing is not allowed. But they work. They all have some serious security breaches, in that root/

==== IPFire Shutdown Script ====
Here is a sample script for IPFire.

<code bash ipfire_down>
#!/usr/bin/env bash

# safe shutdown of IPFire as a Xen DOMU
# this also works for opnSense/
# '
# Author: R. W. Rodolico

# Copyright: 20151021 Daily Data, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# script will call an IPFire installation and request it shut
# itself down. It will then wait until the router is shut down
# then terminate the DOM0 itself

# assumes root on DOM0 has ssh access to IPFire via public key
# and assumes private key has no password. To do this:
# ssh-keygen -t rsa -b 4096
# then, when it asks for a passphrase, just hit enter.
# copy /
# as root from DOM0, then ssh to IPFire IP address and you should get in with no passphrase.
# IPFire must be configured to allow ssh access via public key

# WARNING: this decreases security on your IPFire install. Anyone who gains root access to your DOM0
# has root access to your firewall. Protect your scripts and at the first sign of a problem
# kill your passphrase-less ssh access
# WARNING: I did not write a timeout for this script. It just checks every 5 seconds to see if the
# virtual shut down, from now until eternity.


# modify the following three variables for your installation
# must be the IP of your IPFire firewall
IPFIRE_IP=ip.of.router.here
# the name of the IPFire domain as shown by the xl list command on your DOM0
DOMU_NAME=ipfire
# the port your IPFire virtual listens on for ssh. 222 is the default
IPFIRE_PORT=222


# checks whether IPFire is still running by looking for $DOMU_NAME in xl list
# (note: this is a substring match, so pick a name no other domain contains)
check_shutdown ()
{
    xl list | grep -q "$DOMU_NAME" || return 1
}

echo "
# if the domain is not running, simply exit
if check_shutdown
then
    # send halt command to virtual
    ssh -p "$IPFIRE_PORT" "$IPFIRE_IP" '
    # Check every 5 seconds to see if it has gone away
    while check_shutdown
    do
        echo -n '. '
        sleep 5
    done
fi
echo
echo "
</code>

As it says in the comments, you need to do some legwork. The basic idea for this is to create an ssh key without a passphrase, then tell IPFire to accept it coming from root. **This is bad stuff security-wise**: if your DOM0 gets cracked, the attacker has full root access to your router. So, secure the fire out of the DOM0.

The important part is the line which reads

<

The rest of it is just something that waits until the domain actually stops (possibly waiting forever, which is a deficiency in the script). Matter of fact, I may decide to rewrite the primary one a little differently,

==== Windows Shutdown Script ====

To modify the script to shut down Windows machines, you add variables named USERNAME and PASSWORD, then change the ssh line above to use samba'

<

<code bash windows_down>
#!/usr/bin/env bash

# remote shutdown of windows machine
# Author: R. W. Rodolico
#
# Copyright: 20151021 Daily Data, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# see http://
# Requires samba. Under Debian
# apt-get install samba-common
# see notes at bottom about how to set up the Windows machine

# modify the following for your installation
# ip of windows machine
IPADDRESS=ip.of.windows.server
# this user must have remote shutdown permission, generally a member of the Administrators group
USERNAME=username_of_admin_on_server
# the password for that user. This is a serious breach of security, so think safe
PASSWORD=password_of_USERNAME
# the name of the Windows domain as shown by the xl list command on your DOM0
DOMU_NAME=my-windows-server

# checks whether the virtual is still running by looking for $DOMU_NAME in xl list
# (note: this is a substring match, so pick a name no other domain contains)
check_shutdown ()
{
    xl list | grep -q "$DOMU_NAME" || return 1
}

echo "
# if the domain is not running, simply exit
if check_shutdown
then
    # send halt command to virtual
    net rpc shutdown -f -I "$IPADDRESS" -U "$USERNAME%$PASSWORD"
    # Check every 5 seconds to see if it has gone away
    while check_shutdown
    do
        echo -n '. '
        sleep 5
    done
fi
echo
echo "

# For Windows 7, it doesn'
# http://
# http://
# A. shut down the firewall
# B. Add
#    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#    LocalAccountTokenFilterPolicy

</code>

Again, see the attached script windows_down below for this. It has links to how I figured out how to do it and some caveats for Windows XP/Vista/7. Again, you have PASSWORD defined in the script, so anyone gaining access to this script then knows an administrator's password on the server.
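Both ipfire_down and windows_down share the same "ask the guest to halt, then poll xl list until it disappears" loop, and both inherit the two weaknesses noted above: grep matches substrings (a domain called ipfire would also be "found" while ipfire2 is running), and the loop has no timeout, so a DOM0 shutdown can hang forever. The following is an added example, not code from the original page: the same loop rewritten with exact-name matching and a deadline, so the caller can decide what to do with a guest that ignored the request. The halt command is passed in as arguments rather than hard-coded, and the XL_LIST_CMD variable is an assumption introduced here only so the logic can be exercised offline against constructed xl list output; in production leave it unset.

```bash
#!/usr/bin/env bash
# Added example (not the page's own script): graceful DomU shutdown with
# exact-name matching against `xl list` and a timeout on the wait loop.
#
# XL_LIST_CMD is an assumption made here so the functions can be tested
# offline against constructed output; by default it is the real `xl list`.
XL_LIST_CMD=${XL_LIST_CMD:-"xl list"}

# domain_running NAME: succeed only if NAME is exactly the Name column of
# some row of `xl list` (row 1 is the header and is skipped).
domain_running() {
    # shellcheck disable=SC2086  # word splitting of "xl list" is intended
    $XL_LIST_CMD | awk -v n="$1" 'NR > 1 && $1 == n { found = 1 } END { exit !found }'
}

# wait_for_shutdown NAME TIMEOUT_SECS [INTERVAL_SECS]
# Polls until the domain is gone (returns 0) or TIMEOUT_SECS have elapsed
# (returns 1). This is the bounded replacement for the page's endless loop.
wait_for_shutdown() {
    local name=$1 timeout=$2 interval=${3:-5} waited=0
    while domain_running "$name"; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# graceful_shutdown NAME TIMEOUT_SECS INTERVAL_SECS HALT_COMMAND...
# HALT_COMMAND is whatever reaches the guest (the page's ssh line or its
# `net rpc shutdown` line); it is passed in rather than hard-coded.
# Returns 0 when the domain is gone, 2 when it is still running at the
# deadline, so the caller can fall back to xl shutdown / xl destroy itself.
graceful_shutdown() {
    local name=$1 timeout=$2 interval=$3
    shift 3
    [ "$#" -ge 1 ] || { echo "graceful_shutdown: missing halt command" >&2; return 64; }
    if ! domain_running "$name"; then
        echo "$name is not running"
        return 0
    fi
    echo "asking $name to halt"
    "$@" || echo "halt command for $name failed (status $?), still waiting" >&2
    if wait_for_shutdown "$name" "$timeout" "$interval"; then
        echo "$name has shut down"
        return 0
    fi
    echo "$name still running after ${timeout}s" >&2
    return 2
}

# Stand-alone use; address and halt command are placeholders for your setup:
#   ./graceful_shutdown.sh ipfire 120 5 ssh -p 222 root@ip.of.router.here halt
if [ "$#" -ge 4 ]; then
    graceful_shutdown "$@"
fi
```

Called from shutdown_nonstandard_domains, the return code of 2 is the point where the helper hands a stubborn guest back to Xen's normal shutdown path instead of blocking the DOM0 forever. On the IPFire side, the passphrase-less key the page describes can be confined with a forced command in authorized_keys (`command="halt"` in front of the key, an OpenSSH feature) so that a compromised DOM0 can only halt the firewall, not log in to it.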
unix/virtualization/xen/shutdownnonstandard.txt · Last modified: 2020/02/19 14:39 by rodolico