Friday, November 20, 2015

Installing ESXi in a QEMU-KVM virtual machine, under libvirt / virt-manager

For a test setup, it may be useful to install VMware ESXi in a QEMU-KVM guest. If, like me, you're using libvirt (using virt-manager) to manage your VMs, here's some information to get this set up. I'm using Fedora 22, and ESXi 5.5.0.

There are other posts explaining how to set this up, but I wanted to share my experience, which is specific to virt-manager, and the newer QEMU.

Here's a step-by-step procedure for getting this working.

Add required KVM kernel module parameters:

  1. Edit (or create) /etc/modprobe.d/kvm-intel.conf to look like this:
    options kvm ignore_msrs=1
    options kvm-intel nested=y ept=y
  2. Remove the KVM module and re-load it with the new parameters:
    # modprobe -r kvm-intel kvm; modprobe kvm kvm-intel

Setup ESXi VM guest configuration:

  1. Create your ESXi VM using virt-manager.
  2. Change the NIC to vmxnet3. You'll have to manually type this in; it won't be in the drop-down.
  3. You'll need at least 2 GiB of RAM. (During install it actually came back with:
    <MEMORY_SIZE ERROR: This host has 2.00 GiB of RAM. 3.97 GiB are needed>
  4. Edit the config for this VM (named "esxi-test" here):
    # virsh -c 'qemu:///system' edit esxi-test
  5. Edit the first line of the XML file to be:
    <domain type='kvm' xmlns:qemu=''>
  6. Change the CPU type:
    <cpu mode='host-passthrough'/>
  7. Add this block anywhere inside of <domain>...</domain>:
        <qemu:arg value='-machine'/>
        <qemu:arg value='vmport=off'/>
  8. Save and quit
Boot into the ESXi installer, and enjoy!

In dmesg, I see kvm spewing these messages, which probably have to do with ignroe_msrs:

kvm [3864]: vcpu0 ignored rdmsr: 0x34
kvm [3864]: vcpu0 ignored rdmsr: 0x34

ESXi 6.0.0 Notes:

I tried to use ESXi 6.0.0, but it didn't seem to find a network card, even though I specified vmnet3. These notes apply to 6.0.0:

  • Note that the installer appears to hang at "user loaded successfully." for about 110 seconds. "Running nfcd start" also takes a while. I have no idea why.


Thursday, July 9, 2015


Every geek has his/her favorite set of tools for accomplishing various tasks. Here are mine.

I tend to split my time between Linux and Windows so where possible there will be solutions for both. Preference is of course given to cross-platform FOSS projects.

This will be updated as I run across new tools or inventory the ones I use.

Wednesday, January 28, 2015

"Installing" Zotero

I've been playing with a new research tool called Zotero, which helps you keep track of research papers, etc. as you come across them.

I'm using their standalone version, which Chrome can push to via an extension. So far it seems really nice.

Zotero doesn't come with an installer on Linux, and I wanted to put it somewhere more permanent than my Downloads directory. So I did the following which makes Zotero feel very at home on my Centos 7 machine.

  1. Download the Linux tar.bz2 file
  2. Switch to root, and move the tar.bz2 file to /opt and extract it. Then rename the output directory:
    $ sudo su -
    # mv Zotero- /opt
    # cd /opt
    # tar xf Zotero-
    # rm Zotero-
    # mv Zotero_linux-x86_64 zotero
  3. Retrieve the Zotero icon and add it to the icons/ directory:
    # wget -O zotero/icons/zotero-new-z-48px.png
  4. Now as your user, create the desktop shortcut, using this .desktop file I put together:
    # exit
    $ wget -O ~/.local/share/applications/zotero.desktop
Note that the standalone version of Zotero keeps its local data in ~/.zotero. That's it! Enjoy!

Sunday, January 25, 2015

Installing rdesktop on Centos 7

I'll briefly summarize this blog post on installing rdesktop on Centos 7.

First, we'll set up the RPM build environment (as your local user):

$ sudo yum install rpm-build make gcc
$ mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
$ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros

Now, fetch and install the source package:

$ wget
$ rpm -i rdesktop-1.8.2-0.1.rfx.src.rpm

Install devel dependencies and build:

$ sudo yum install openssl-devel libXt-devel libsamplerate-devel pcsc-lite-devel
$ rpmbuild -ba ~/rpmbuild/SPECS/rdesktop.spec 
$ sudo yum localinstall ~rpmbuild/RPMS/x86_64/rdesktop-1.8.2-0.1.el7.centos.x86_64.rpm

Saturday, January 24, 2015

Connecting to a Cisco ASA VPN with DoD CAC on CentOS 7

Update: I've created scripts to automate much of this process. You can find them on GitHub.

I often need to connect to a VPN with a Cisco ASA box at the head-end, using a DoD CAC (smart card) for authentication.

On Windows, this is often accomplished using Cisco's AnyConnect VPN client software. On Linux however, that option would never work for me. I tried to download it from the VPN https site, but it wouldn't load.

On Linux, we have an open-source alternative, called openconnect. The difficult part is getting it to use our smart card, and present the correct certificate to the VPN.

I found the following pages very useful in trying to get this all to work:

openconnect uses p11-kit to interact with PKCS #11 modules. (PKCS #11 is the standard for interfacing with cryptographic tokens, like smart cards.) The first thing we need to do is tell p11-kit to use the libcoolkey pkcs11 module. Do this by creating a new file named /etc/pkcs11/modules/libcoolkey.module, and adding the following line to it:


Next, we'll use p11tool --list-tokens to list all of the tokens on our system. You should see your smart card in this list. Mine showed up like this (along with others):

$ p11tool --list-tokens
Token 6:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxxxx

Now, we want to look at all of the certificates available on our smart card. We'll use p11tool --list-all-certs [url], where [url] is the URL of our smart card token from the previous step:

$ p11tool --list-all-certs pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxx
Object 0:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%01;object=CAC%20ID%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC ID Certificate
 ID: 00:01

Object 1:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC Email Signature Certificate
 ID: 00:02

Object 2:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC Email Encryption Certificate
 ID: 00:03
So we can see the three certificates available on our smart card.

The Windows AnyConnect software will pop-up a dialog asking you to select the certificate for authentication when the server asks for a client certificate. openconnect currently has no such functionality, so we need to explicitly tell openconnect which certificate to use. In my case, I already knew it was the certificate with ID: 00:02, the "CAC Email Signature Certificate". So I pass the -c option, with the minimal URL to unambiguously refer to that certificate:

$ sudo openconnect -c 'pkcs11:token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02'

Note that I had to use sudo because openconnect will invoke some scripts to set up the tun device and routing.

At this point, openconnect should ask for your PIN, and then successfully connect to the VPN! If not, you may need to try the other certificates, by changing the id= part of the certificate URL.

Finally, there are still a few outstanding warnings that occur during this process:

  • Certificate from VPN server "" failed verification. Reason: signer not found - I need to determine which certificate this is exactly, and how to add it to my trusted certificate store.

Note: I've had to install various packages and make various changes in playing with my smart card, so if something isn't working for you, or I've skipped a step, please leave a comment so I can make this post more accurate. Thanks!

Update: Additional steps - I'll work these in above at some point:

  • yum install coolkey
  • service pcscd start (on Fedora 21)

Adding storage to Proxmox VE

The 1 TB drives for my HP server came today. Scott at All Computer Parts was very helpful and quick to reply. I quickly went to hot-plugging them into my server running Proxmox VE.

After the drives spun-up, I logged into the HP System Management Homepage (download) and opened the HP Array Configuration Utility. From there, I selected 3 of the unassigned drives and created an array. I then crated a RAID 5 logical drive using all of the space available on the array (1.8 TB). Finally, I added the remaining drive as a hot-spare, by selecting the array, and clicking "Spare Management". This way, if one drive goes offline, the hot-spare will immediate take its place, and the array will be rebuilt.

The logical disk is immediately detected by the Linux kernel, evidenced by /var/log/messages:

Jan 23 22:38:40 dragster kernel: hpsa 0000:04:00.0: Direct-Access     device c0b0t0l1 added.
Jan 23 22:38:40 dragster kernel: scsi 0:0:0:1: Direct-Access     HP       LOGICAL VOLUME   6.40 PQ: 0 ANSI: 5
Jan 23 22:38:40 dragster kernel: sd 0:0:0:1: Attached scsi generic sg3 type 0
Jan 23 22:38:40 dragster kernel: sd 0:0:0:1: [sdb] 3906918832 512-byte logical blocks: (2.00 TB/1.81 TiB)
Jan 23 22:38:40 dragster kernel: sd 0:0:0:1: [sdb] Write Protect is off
Jan 23 22:38:40 dragster kernel: sd 0:0:0:1: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Jan 23 22:38:40 dragster kernel: sdb: unknown partition table
Jan 23 22:38:40 dragster kernel: sd 0:0:0:1: [sdb] Attached SCSI disk

Proxmox works well with LVM. It actually works directly with LVM volume groups, creating logical volumes on-the-fly for new VMs, etc. You can find detailed information on the Proxmox wiki, but the procedure was quite simple:

  1. Create the LVM physical volume on the physical disk: (In this case, the "physical disk" was a RAID logical disk)
    # pvcreate /dev/sdb
    Physical volume "/dev/sdb" successfully created

    Note that I created the physical volume directly on the block device, without partitioning the drive. LVM does not require a partition table, and I'm not booting to the disk, so there was no need.
  2. Create a LVM volume group from that single physical volume:
    # vgcreate raid5vg /dev/sdb
      Volume group "raid5vg" successfully created

And we're ready to go! List the LVM volume groups with the vgs command:

# vgs
  VG      #PV #LV #SN Attr   VSize  VFree
  pve       1   3   0 wz--n- 67.83g 8.50g
  raid5vg   1   1   0 wz--n-  1.82t 1.80t

Now it's time to tell Proxmox about the new storage. Log into the Proxmox web UI, and select the "Datacenter" node in the tree. On the Storage tab, select Add > LVM. On that dialog, we select the new volume group and given it a name (I made it the same as the vg).

And your storage is made available to Proxmox!

I went ahead and moved the couple VMs I had from the old main storage to the new array. You can do this by highlighting the Hard Disk on the VM's Hardware tab, and clicking "Move disk".

Saturday, January 10, 2015

Add Suspend and Hibernate to GNOME 3 shell status menu in CentOS 7

I spent days searching for the Suspend option in my new CentOS 7 installation.

Well, I finally found it, but it wasn't as easy as you'd expect.

First you need to install the gnome-shell-extension-alternative-status-menu extension, as well as gnome-tweak-tool:

    $ sudo yum install gnome-shell-extension-alternative-status-menu gnome-tweak-tool

Next, log-out and log back in.

Then, use gnome-tweak-tool to enable the fancy new extension:

And there you have it; a menu that Windows has had by default for a decade.

Saturday, January 3, 2015

Dual Booting with GRUB2 (CentOS 7) and Windows 7

TL;DR:You need to install the ntfs-3g package, in order for os-prober to detect Windows installations. This allows grub2-mkconfig to automatically generate an entry for dual-booting into Windows.

Doing a lot more hardware hacking these days, I've felt constrained running Linux in a VM all the time. I was especially disappointed that VirtualBox doesn't expose nested Intel VT-x features to its guests. So I've decided to try dual-booting again, going with the very stable CentOS 7.

Not willing to sacrifice any space on my Windows SSD, I put another Crucial SSD in my machine - this time the 256 GB version of their newer MX100 series. Downloading the NetInstall ISO and pointing at a relatively close mirror gave a very satisfying install experience. Having the whole drive made things quite easy as well - except for the actual Dual-Booting part.

I wasn't terribly surprised that the setup process didn't automatically add a GRUB 2 entry for booting to my Windows 7 drive. Everything I read indicated that simply running grub2-mkconfig should set up the GRUB config script to include Windows. Yet, it wasn't working for me. Supposedly GRUB 2 uses os-prober to automatically detect other OSes and generate boot entries for them. However, running os-prober showed no Windows install, even though my drive was clearly visible.

After stumbling across this post on, it turns out that the NTFS-3g package (for mounting NTFS volumes) isn't installed by default, and os-prober needs this the mount the drive and detect the installed OS. After installing ntfs-3g (from the EPEL repository), I was able to run grub2-mkconfig -o /boot/grub2/grub.cfg and successfully add an entry for Windows 7.