saturday 11 august 2007
Running Xen HVM guests on Etch
At work I had to set up a Windows 2003 VPS on a Debian Etch server running Xen. I had performance and stability problems both with Xen 3.0.3 and 3.0.4, but 3.1.0 seems to be working fine so far. It’s not yet available in Debian, but fortunately there’s an unofficial repository:
deb http://packages.debianbase.de/etch/i386/xen3.1 ./
In addition to the Xen hypervisor and utils, you also need to install the xen-ioemu package.
Here’s a sample config I use:
    builder = "hvm"
    kernel = "/usr/lib/xen-3.1.0-1/boot/hvmloader"
    device_model = "/usr/lib/xen-3.1.0-1/bin/qemu-dm"
    name = "foobar"
    vcpus = 2
    memory = 1024
    vif = [ "type=ioemu, bridge=xenbr0" ]
    disk = [ "phy:/dev/vserver/foobar-disk,hda,w", "phy:/dev/hda,hdb:cdrom,r" ]
    boot = "c"
    usbdevice = "tablet"
    vnc = 1
    sdl = 0
Because there’s still very little documentation on HVM guests, and the Xen logfiles suck, I encountered lots of problems:
- all tutorials I’ve seen said you need to add an ioemu: prefix in the disk specification (before hda), but it only works if I leave it out.
- the cdrom = "/dev/whatever" option doesn’t seem to work anymore in 3.1, you need to add it as an additional disk device with a :cdrom suffix.
- boot can be a, c or d, for booting from floppy, disk and CD-ROM, respectively.
- the vcpus option doesn’t seem to work yet, the guest always has one CPU. It works now, I don’t know what the problem was…
- when using VNC, the guest cursor isn’t synchronized correctly with the client cursor. The usbdevice = "tablet" option solves this by providing a virtual USB tablet device, which Windows picks up without problems.
- you don’t need to install a VNC server, the xen-ioemu uses a modified QEMU which includes its own and seems to get confused by an existing VNC installation. If the VNC server is running correctly, there should be a qemu-dm process listening on port 5900 or higher.
- for SDL, you need to create the domain inside an X11 session, or configure SDL to use another output mode (such as DirectFB, svgalib etc.).
- network performance is slow. The official Xen versions include special drivers for Windows which are supposed to solve this, but I can’t get them running with the Open Source version. See this post if you want to try it yourself.
friday 15 june 2007
press C in aptitude to display the changelog of a package
thursday 7 june 2007
Ruby-Gnome2 0.16 is finally available in Debian
monday 16 april 2007
add this to ~/.aptitude/config to display the archive name for all packages, and the size change for selected packages:
aptitude::UI::Package-Display-Format "%c%a%M%S %p %Z %v%V %t";
saturday 14 april 2007
woah, etch was released 6 days ago!
friday 13 april 2007
the next Ubuntu release will be called Gutsy Gibbon
tuesday 8 august 2006
Setting up SSL for Apache2 on Debian
There are a lot of howtos for this on the net, but most of them are far too in-depth, and left me just more confused. So here’s my version:
- Install the openssl package.
- Run the following command to generate a self-signed certificate which will expire in about 10 years:

      openssl req -new -x509 -days 3650 -nodes \
        -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

- Fill in the fields as you like, just make sure the server name (“Common Name”) matches your actual domain.
- The certificate will be saved in /etc/apache2/ssl/apache.pem. You can rename it if you want, and also delete the symlink. Just make sure the file is only readable by root.
- Enable the SSL module with a2enmod ssl.
- Add the line Listen 443 to /etc/apache2/ports.conf if it isn’t already there.
- Now here’s where I got stuck at first. There are two things you have to keep in mind:
  - You can only have one SSL-enabled virtual host per IP address. This is a limitation of SSL itself.
  - You need to have a separate vhost for the SSL-enabled site.
- If you’re like me, you just want everything to be also available through SSL, but don’t want to maintain two separate configurations. Fortunately you can move all settings into a separate file and Include them inside the virtual host:
  - Create a new file in /etc/apache2/sites-available with all your current settings (without the enclosing <VirtualHost> tag).
  - Replace your default site configuration with something like this (make sure to change the Include lines and the path to your certificate):

        NameVirtualHost *:80
        <VirtualHost *:80>
            Include /etc/apache2/sites-available/snafu-base
        </VirtualHost>

        NameVirtualHost *:443
        <VirtualHost *:443>
            SSLEngine On
            SSLCertificateFile /etc/apache2/ssl/snafu.selfip.org.pem
            Include /etc/apache2/sites-available/snafu-base
        </VirtualHost>

- Restart Apache with invoke-rc.d apache2 restart.
Now you should be able to access your site over HTTPS. Your browser will probably display a warning because the certificate is self-signed.
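The openssl command above writes the private key and the certificate into the same file, and -nodes leaves the key unencrypted, so the "only readable by root" step is the key's only protection. The following check for that step is an added example, not part of the original post; the function name audit_pem and its optional expected-uid argument are made up here, and it assumes GNU stat.

```shell
#!/bin/sh
# Audit a combined key+certificate PEM file such as /etc/apache2/ssl/apache.pem.
# Usage: audit_pem FILE [EXPECTED_UID]   (EXPECTED_UID defaults to 0, i.e. root)
# Assumes GNU stat (Linux coreutils). Returns 0 when nothing is reported.
audit_pem() {
    file=$1
    want_uid=${2:-0}
    findings=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist or is not a regular file"
        return 2
    fi

    # Without a private key block the file holds only public material.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "NOTE: no private key block in $file, nothing secret to protect"
        return 0
    fi

    # -L follows a symlink, so the real file is inspected, not the link.
    uid=$(stat -L -c '%u' "$file")
    mode=$(stat -L -c '%a' "$file")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        findings=$((findings + 1))
    fi

    # The last two octal digits are the group and other permission bits.
    case $mode in
        0|*00) ;;
        *)  echo "FAIL: mode $mode lets group or others access the key (want 600 or 400)"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ] && echo "OK: $file (uid $uid, mode $mode)"
    return "$findings"
}

# Run the audit when a path is given on the command line.
[ "$#" -eq 0 ] || audit_pem "$@"
```

Run it as root against the certificate path used in SSLCertificateFile; a FAIL on the mode is fixed with chmod 600 on that file.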