This article describes how to prepare your commodity server for use with the Corsa Security hypervisor, a "type 2" hypervisor running KVM installed on top of the Ubuntu Server operating system.
These steps must be completed prior to setting up the hypervisor (Hypervisors > Hypervisor Actions > Setup Hypervisor...).
Step 1 - Install Ubuntu Server 20.04.4 LTS
This article does not describe how to install Ubuntu Server, as this is a well-documented process. However, it is important to ensure that the following tasks are completed during the Ubuntu installation.
Networking
Your server will require at least one network interface that it can use to reach an appropriate management network. This management network must provide connectivity to the Corsa Security Orchestrator (CSO) as well as to other services for your server's software and security updates.
At a minimum, Corsa Security recommends that this interface be a 1 Gbps interface. This task can be completed during the Ubuntu Server installation as part of configuring your server networking.
Install and enable OpenSSH
The Corsa Security Orchestrator (CSO) requires the ability to log in to your server using Secure Shell (SSH). Therefore, OpenSSH must be installed and enabled.
In step 3 below you will create a user for the CSO to use.
Create a \vm disk partition
A disk partition named \vm must be created to store VM data. This task should be completed during the Ubuntu Server installation as part of configuring storage on your server. Corsa Security recommends that this disk partition be created on a dedicated physical disk and ideally be physically redundant (RAID).
Be sure to plan ahead for the physical disk requirements of your virtual machines.
Step 2 - Server Resource Allocation
After Ubuntu Server is installed there are a few steps to follow.
CPU Allocation
Some of the virtual CPUs (CPUs) offered by your server must remain available to the operating system and to the Corsa Security hypervisor. In other words, these CPUs must remain available to the kernel scheduler.
Corsa Security requires that 8 CPUs (0-7) be reserved for the Corsa Security hypervisor. CPUs 0-7 remain available to the kernel scheduler while the remaining CPUs (8-n) will be isolated for use by VMs.
Example
For instance, if your server offers 48 CPUs (0-47) we require that you reserve 8 CPUs (0-7) for the operating system as well as the Corsa Security hypervisor. In this example, CPUs 0-7 remain available to the kernel scheduler while the remaining CPUs (8-47) will be isolated for use by VMs.
This is accomplished by identifying the isolated CPU list for your server and assigning that CPU list to the following parameters. These parameters isolate the CPUs from the kernel scheduler and activate performance-related features on those CPUs.
isolcpus=8-47
nohz_full=8-47
rcu_nocbs=8-47
This configuration will be applied below.
Memory Allocation
Hugepages are required when deploying VMs to ensure that appropriate I/O accelerators can be used or to generally achieve optimal performance.
Corsa Security recommends reserving approximately 75% of your server's total memory for 1G hugepages. To determine how many 1G hugepages that is, use the formula illustrated below.
Example
# Hugepagesize is 1G which equals 1048576 kB
user@myserver:~$ echo "1024 * 1024" | bc
1048576
# MemTotal is 230357612 kB
user@myserver:~$ cat /proc/meminfo | grep MemTotal
MemTotal: 230357612 kB
# HugePages_Total = (MemTotal * 0.75) / Hugepagesize
user@myserver:~$ echo "(230357612 * 0.75) / 1048576" | bc
164
This value will be applied to the HugePages_Total in step 2c.
Apply Configuration
# The commands below require a root login shell
sudo su -
# The following command prepares Ubuntu bootloader settings specific to the
# Corsa Security hypervisor
# The values in bold require input from the operator
#
echo 'GRUB_CMDLINE_LINUX_DEFAULT="${GRUB_CMDLINE_LINUX_DEFAULT} \
intel_iommu=on \
iommu=on \
iommu=pt \
vfio.enable_unsafe_noiommu_mode=1 \
intremap=no_x2apic_optout \
isolcpus=8-47 \
nohz=on \
nohz_full=8-47 \
rcu_nocbs=8-47 \
default_hugepagesz=1G \
hugepagesz=2M hugepages=1048 \
hugepagesz=1G hugepages=164 \
"' > /etc/default/grub.d/70_corsa-virt-opts.cfg
# The following command generates Ubuntu bootloader configuration based on the
# settings above, a reboot is required to apply the configuration
grub-mkconfig -o /boot/grub/grub.cfg
reboot
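The CPU list and 1G hugepage count from Step 2 can be derived for any server size and then checked against /proc/cmdline after the reboot. The script below is an added example, not part of the original article or Corsa Security's tooling; the function names are hypothetical and the sample values are the article's own example server.

```shell
#!/bin/sh
# Added example: derive the Step 2 values and verify them after reboot.
RESERVED=8            # CPUs 0-7 stay with the kernel scheduler (per the article)
HUGEPAGE_KB=1048576   # one 1G hugepage expressed in kB

# isolated_cpus <total CPUs> -> list for isolcpus / nohz_full / rcu_nocbs
isolated_cpus() {
    [ "$1" -gt "$RESERVED" ] || { echo "need more than $RESERVED CPUs" >&2; return 1; }
    echo "$RESERVED-$(( $1 - 1 ))"
}

# hugepages_1g <MemTotal in kB> -> 75% of memory in whole 1G pages, rounded down
hugepages_1g() { echo $(( $1 * 3 / 4 / HUGEPAGE_KB )); }

# check_cmdline <kernel cmdline> <cpu list> <1G pages>
# Prints the expected parameters that are absent; returns 0 only if none are.
check_cmdline() {
    missing=""
    for want in "isolcpus=$2" "nohz_full=$2" "rcu_nocbs=$2" \
                "default_hugepagesz=1G" "hugepagesz=1G hugepages=$3"; do
        case " $1 " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# On the server itself, feed the functions from the running system:
#   isolated_cpus "$(nproc --all)"
#   hugepages_1g "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
#   check_cmdline "$(cat /proc/cmdline)" 8-47 164
# Demo with the article's example server (48 CPUs, MemTotal 230357612 kB):
echo "isolcpus=$(isolated_cpus 48) hugepages=$(hugepages_1g 230357612)"
```

After the reboot, /sys/devices/system/cpu/isolated and the HugePages_Total line in /proc/meminfo should agree with the same values.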
Step 3 - Add a CSO user to the server
The Corsa Security Orchestrator requires the ability to log in to the server using Secure Shell (SSH). Corsa Security recommends adding a new user for the CSO.
sudo adduser cso
In addition, the new CSO user must be able to run sudo commands without being asked for a password. This article does not describe how to provide the CSO user with this type of sudo privilege, but ultimately the following line must appear in the /etc/sudoers file.
cso ALL=(ALL) NOPASSWD: ALL
Example
An example of
sudo su -
echo "test ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
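Appending to /etc/sudoers with >> skips the syntax check that visudo performs, and a malformed file disables sudo for every user. The sketch below is an added example, not from the original article: it appends the rule to a temporary copy, validates the copy with visudo -c, and installs it only if validation passes. The function names are hypothetical and it must be run as root.

```shell
#!/bin/sh
# Added example: add the passwordless-sudo rule only after visudo accepts it.

# sudoers_rule <user> -> the exact line the article requires
sudoers_rule() { printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"; }

# has_rule <sudoers file> <user>: true if that exact line is already present
has_rule() { grep -qxF -- "$(sudoers_rule "$2")" "$1"; }

# add_rule <sudoers file> <user>: idempotent, validated append
add_rule() {
    file=$1; user=$2
    if has_rule "$file" "$user"; then return 0; fi
    tmp=$(mktemp) || return 1
    { cat "$file"; sudoers_rule "$user"; } > "$tmp"
    if visudo -c -q -f "$tmp"; then
        # 0440 root:root is the ownership and mode sudo expects for this file
        install -m 0440 -o root -g root "$tmp" "$file"; rc=$?
    else
        echo "sudoers validation failed; $file left unchanged" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage, from a root shell:
#   add_rule /etc/sudoers cso
```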