Authenticating Against Active Directory
Following on from last week’s post on authenticating the QVD against LDAP, this week we turn to Active Directory, another common single sign-on authentication service provided by companies. Since AD makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, the process is pretty similar.
Testing Your Active Directory Server
As with LDAP, it’s probably a good idea to make sure you can connect to your AD server from the command line of your QVD node before you begin any configuration changes. This will narrow the scope of your troubleshooting should you run into problems down the line. To do you will need to have the ldap-utils (Ubuntu) or the openldap2-client (SLES) package installed as it provides a series of useful tools for communicating with an LDAP instance. That done, run the following command from your QVD node command line:
ldapsearch -LLL -H ldap://example.com:389 -b ‘dc=example,dc=com’ -D ‘EXAMPLE\jdoe’ -w ‘password’ ‘(sAMAccountName=jdoe)’
Of course, point the host (after the -H flag) to your own LDAP server (and change ldap to ldaps if you have a secure setup) and alter the search base (-b) and account name as is appropriate for your setup. This should return something similar to the following:
dn: CN=John Doe,CN=Users,DC=example,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: John Doe sn: Doe givenName: John distinguishedName: CN=John Doe,CN=Users,DC=example,DC=com instanceType: 4 whenCreated: 20130417152557.0Z whenChanged: 20130417152612.0Z displayName: John Doe uSNCreated: 20553 memberOf: CN=Users,CN=Builtin,DC=example,DC=com uSNChanged: 20563 name: John Doe objectGUID:: r7URCgubR0GGxTnxDQkdTg== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130106859571806640 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAbhS4Tz7BzIZCZsndUgQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: jdoe sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com dSCorePropagationData: 20130417152557.0Z dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 130106859725400390
So once you have successfully logged into the AD server and retrieved the account information for a user on your domain you are ready to continue.
Basic Active Directory Configuration
As with the LDAP configuration, you will need to install the LDAP Authentication Plugin on your node server to connect to Active Directory. For Ubuntu, that will mean installing perl-qvd-l7r-authenticator-plugin-ldap, and for SLES 11 perl-QVD-L7R-Authenticator-Plugin-Ldap. These should be available through your package manager since you installed the node server.
That done, you will need to configure your QVD node to authenticate against Active Directory. Use the administration tool qa for each of these settings and remember to enclose all values inside single quotes to prevent any shell expansion issues with brackets and the other special characters.
qa config set l7r.auth.mode='ldap'qa config set auth.ldap.host='ldap://example.com:389'
qa config set auth.ldap.base='OU=People,DC=example,DC=com'
qa config set auth.ldap.scope='sub'
qa config set auth.ldap.binddn='CN=Administrator,CN=Users,DC=example,DC=com'
qa config set auth.ldap.bindpass='password'
qa config set auth.ldap.filter='(sAMAccountName=%u)'
l7r.auth.mode simply tells QVD that you wish to authenticate against an LDAP server (Active Directory in this case), whilst will point to your LDAP server. You may wish to use ldaps if you are using SSL.
The LDAP base tells QVD where in the directory tree to begin searching and setting the scope to sub tells it to look anywhere below the base. The Bind DN will be a user on the AD server permitted to search the directory within the defined search base, in this instance the Administrative user. You may well opt to add another user for this purpose to increase security. The bindpass key is then used to authenticate this user.
Finally you tell QVD to match the user’s name against sAMAccountName 
which, as you can see in the above example, is the logon name for Windows user. If AD finds a match against this user, it will authenticate the user to access the QVD.
Once you have configured your LDAP settings, restart the l7r service (service qvd-l7r restart) and QVD is ready to start authenticating against Active Directory.
Auto Provisioning of Desktops
Whilst the above setup will allow you to authenticate users against Active Directory, you will still need to create a machine for each user in the directory. So QVD comes with an automatic user provisioning plugin that creates desktops for your users on the fly when they authenticate successfully against LDAP or Active Directory.
You’ll need to install the plugin, again with your package manager. It’s called perl-qvd-l7r-authenticator-plugin-auto for Ubuntu, for SLES, install perl-QVD-L7R-Authenticator-Plugin-Auto. Make the necessary changes with the qa tool:
qa config set l7r.auth.plugins='auto,ldap'qa config set auth.auto.osf_id=1
The plugins setting tells your QVD installation that you wish to provide auto provisioning (along with LDAP), whilst 
will configure your install to use OSF id 1 which you should adjust accordingly. Restart the l7r service and the next time a user successfully authenticates against your LDAP server, QVD will create a VM for them using the OSF you have set, and and serve it to them seamlessly.
Restrictions of QVD and Active Directory
It’s important to note, as with the LDAP configuration, that QVD’s Active Directory support is read-only. QVD is not able to make changes to your Active Directory, so once you’ve enabled AD support, all user and password management must take place therein. With the notable exception of the QVD WAT admin user, changes or additions to user accounts and passwords in the QVD database will be ignored by the system. This is by design, we couldn’t take the risk that the QVD would interfere with an existing Active Directory setup tools that you already have in place.
Troubleshooting
If you run into trouble, ensure that you can authenticate against your Active Directory server directly from the command line in your QVD node, as described above. Also take a look at the log file /var/log/qvd/qvd.log – it will contain any authentication errors that have happened.
For a man page style list of all available AD and LDAP configuration settings, please refer to the perldoc of the QVD LDAP plugin as follows:
/usr/lib/qvd/bin/perldoc QVD::L7R::Authenticator::Plugin::Ldap
Also refer to our administration guide for additional information and feel free to contact us if you need any assistance.
Authenticating Against LDAP
QVD comes with user management built into the database, and adding them through the Web Administration Tool is really simple. However, for larger organisations, the chances are you’ll already have some kind of central authentication in place, commonly LDAP or Active Directory. In the first of a two part series, let’s look at getting your system authenticating against an LDAP server first, and next week we will look at AD.
Testing Your LDAP Server
The first thing you will need to do is ensure that the your node server can successfully connect to your LDAP server from the command line. Doing this first will ensure that you don’t run into problems that may be hard to identify later. Make sure you have the ldap-utils (Ubuntu) or the openldap2-client (SLES) package installed as it provides a series of useful tools for communicating with an LDAP instance.
ldapsearch -xLLL -H ldap://example.com -b "dc=example,dc=com" cn=admin cn
Of course, point the host (after the -H flag) to your own LDAP server (and change ldap to ldaps if you have a secure setup) and alter the search base (-b) as is appropriate for your setup. This should return something similar to the following:
dn: cn=admin,dc=example,dc=com cn: admin
At this point you should be satisfied that read access to your LDAP server is possible from your QVD node and you are ready to continue.
Basic LDAP Configuration
Next you will need to install the LDAP Authentication Plugin on your node server. For Ubuntu, that will mean installing perl-qvd-l7r-authenticator-plugin-ldap, and for SLES 11 perl-QVD-L7R-Authenticator-Plugin-Ldap, so go ahead and install that using apt-get or zypper.
That done, you will need to configure your QVD node to authenticate against LDAP. Use the administration tool qa for each of these settings as the QVD database takes precedence over /etc/qvd/node.conf file and will ensure that all nodes will see the changes. Enclose settings in single quotes to save yourself the trouble of having to escape all those brackets and other special characters that an LDAP schema throws up.
qa config set l7r.auth.mode='ldap'
Let’s walk through some of those options. simply tells QVD that you wish to authenticate against LDAP, whilst points it to your LDAP server. Next you want to tell QVD where the base of the Directory Information Tree, or DIT is, and that is exactly what you do with step does. Next you tell QVD how you would like to filter against the database, in this instance by inetOrgPerson (your users) and using their common name, assuming that this is their username. Finally you instruct QVD to use the LDAP scope of sub which permits it to look down the subtree until it finds the cn.
That done, restart the l7r service (service qvd-l7r restart) and QVD is ready to start authenticating against LDAP, it’s that simple.
Auto Provisioning of Desktops
However, this method is not quite the full picture and perhaps a little simplistic for a real world example, as you will still need to create each machine for each user and it’s unlikely that this is desirable. So QVD comes with an automatic user provisioning plugin that creates desktops for your users on the fly when they authenticate successfully against LDAP.
You’ll need to install the plugin, again with your package manager. It’s called perl-qvd-l7r-authenticator-plugin-auto for Ubuntu, for SLES, install perl-QVD-L7R-Authenticator-Plugin-Auto. Again with the administrative tool, make the following changes:
qa config set l7r.auth.plugins='auto,ldap'
tells your QVD installation that you with to provide auto provisioning (along with LDAP), whilst will configure your install to use OSF id 1 which you should adjust accordingly. Restart the l7r service and the next time a user successfully authenticates against your LDAP server, QVD will create a VM for them using the OSF you have set, and and serve it to them seamlessly.
Restrictions of QVD and LDAP
QVD’s LDAP implementation provides an extremely powerful tool for enterprises to roll out desktops to their users quickly and painlessly, particularly in the event that you already have an LDAP server up and running and populated with your user data. However, we were very careful to make sure that we don’t have any negative effects on your existing systems, so the QVD software is not able to make any write access to your data store. This means that the user management inside QVD Web Administration Tool becomes read only, and adding and changing credentials therein will have no effect. Data will be stored inside the QVD database but since it is configured to authenticate against LDAP, that data is effectively ignored by the system. This is absolutely by design, we couldn’t take the risk that the QVD would interfere with existing LDAP tools that you already use, and it is to these you will now need to turn to manage your users.
Troubleshooting
If you run into trouble, ensure that you can authenticate against your LDAP server directly from the command line in your QVD node, as described above. Also take a look at the log file /var/log/qvd/qvd.log – it will contain any authentication errors that have happened.
For a man page style list of all available AD and LDAP configuration settings, please refer to the perldoc of the QVD LDAP plugin as follows:
/usr/lib/qvd/bin/perldoc QVD::L7R::Authenticator::Plugin::Ldap
Active Directory
Next time we will take a look at Active Directory. AD is of course a very common directory service amongst enterprises the QVD offers full support for it along with LDAP. Inspired by LDAP, configuration is somewhat similar and, like the QVD LDAP setup, it’s easy when you know how.
For further information including a full list of all the LDAP options, please refer to our administration guide or get in touch.
Documentation Update: Creating Disk Images for QVD
Creating a disk image for the QVD is incredibly simple and customizing each image for your users similarly so. We’ve updated our documentation section to include new sections on this important task for a QVD administrator with dedicated sections for disk image creation for SLES and 0penSUSE (pdf) and Ubuntu ((pdf):
- QVD Disk Image Creation (SLES 11 SP2) (html) (pdf)
- QVD Disk Image Creation (Ubuntu 12.04) (html) (pdf)
The guides will walk you through installing a base system using KVM and then either customizing that system for use as a Virtual Desktop, or going on to use that base system to build an LXC container for the same. We’ve used the Lightweight X11 Desktop Environment or LXDE as it provides a stable and intuitive environment with a low memory footprint and thus makes an excellent base for your customized environment.
As you will see, customizing a disk image is very simple. Before you roll it out to your users, you will be running each image locally and from there your imagination is the limit. All the software and
customizations you make to each image will be rolled out to every user who makes used of that image. So you can install the things that are important to your users once, and rest assured that they will have that software available immediately you deploy the image.
Once your image is ready, deploying it is a simple matter of unzipping it into QVD’s staging folder and rolling it out using the Web Administration Tool we provide.
We finish up the guides with a few tips and tricks – remote logging of your desktops with syslog and installing a couple of commonly used apps as well as optimizing the image by removing unnecessary services. Again, nothing that anyone with a modicum of Linux experience would find challenging, the whole process is painless and easy.
QVD Desktop Shortcuts
QVD’s VDI uses the excellent NX protocol to deliver desktops to users. It provides fast delivery of remote desktops, even over the slowest of network connections, and is each connection is fully secured over SSL. QVD benefits from NX in another way, as the QVD client inherits the NX desktop shortcuts, providing a few simple but powerful shortcuts your users to interact with their desktop.
The shortcuts allow users to toggle between full screen and windowed modes, terminate sessions, and offers encoding featues amongst others, along with more advanced debugging options for administrators. Let’s look at some of them:
Fullscreen mode
To minimize a full screen session you can click on the “magic pixel” of the upper right corner.
- Ctrl + Alt + F to toggle fullscreen/windowed on all monitors
- Ctrl + Alt + Shift + F to toggle fullscreen/windowed on active monitor
- Ctrl + Alt + M to minimize or maximize a fullscreen window
In full screen mode, the client will automatically catch keyboard shortcuts like Alt + Tab, allowing the user to readily move between applications within the QVD desktop. In full screen mode, the client will automatically catch keyboard shortcuts like Alt + Tab, allowing the user to readily move between applications within the QVD desktop.
Viewport mode
In auto-resize mode (default) the desktop can be resized by resizing the window. In “viewport” mode the visible part of the desktop can be scrolled.
- Ctrl + Alt + R to toggle “auto-resize/viewport” mode.
- Ctrl + Alt + arrow keys to viewport navigation
- Ctrl + Alt + keypad arrow keys to viewport navigation
Terminating or suspending
- CTRL+Alt+Shift+Esc to get rid of a session that is not responding
- Ctrl + Alt + T to terminate a session
- Alt + F4 suspend or terminate a session (when a window manager is present)
Toggling options
- Ctrl + Alt + K toggle catching of Alt+Tab and Print Screen keys (Windows only)
- Ctrl + Alt + E toggle the lazy encoding (enables defer mode)
- Ctrl + Alt + J force a drawable’s synchronization, to fix a visualization problem (sets the internal nxagentForceSynchronization variable to 1)
The following can be used if nxagent has been compiled with options/macros*:
- Ctrl + Alt + Q doDebugTree (if compiled with DEBUG_TREE)
- Ctrl + Alt + A nxAgentRegionsOnScreen (if compiled with DUMP)
- Ctrl + Alt + X toggle nxagentDebugInputDevices (if compiled with NX_DEBUG_INPUT)
- Ctrl + Alt + Y deactivate input device grab (if compiled with NX_DEBUG_INPUT)
* Note that the QVD packages are not compiled with debugging support by default so these options will only be available if you compile yourself and set the relevant compiler directives.
Configuring a High Availabilty Database with QVD
The PostgreSQL database is a core component of the QVD system. Postgres provides a robust and flexible base and the QVD-DB is the glue that binds the VDI together, keeping track of both configuration and runtime information. As such, it’s essential to keep the QVD-DB operable at all times, preferably with automatic failover. Combined with the sturdy core of the QVD system, a rock solid database will give you a dependable VDI that you and your users can rely upon.
Configuring a High Availability Database with QVD (html) (pdf) is a new addition to our documentation page with this in mind. It’s a guide to configuring QVD with a High Availability Postgres cluster using Pacemaker with Corosync and DRBD.
The system will be set up for automatic failover, meaning that a passive server will take over the operation of the database in the event of a failure on the active node.
The cluster HOWTO was written and tested on SUSE Linux Enterprise Server 11 SP2 but should be readily adaptable to Ubuntu, our other supported platform, with a little care and consideration.
The cluster uses DRBD which provides something similar to a network based RAID 1, mirroring a disk or partition containing the database data and configuration across the network. Due to the critical nature of this syncing, and to avoid the so called “split-brain” scenario whereby each node thinks itself the primary resource of the data, we strongly recommend using a crossover cable for this network, to take potential network and switch failures out of the equation.
Pacemaker provides resource management across the nodes, starting and stopping services and, equally importantly, making sure that the services are only running on the active node to prevent data corruption. To do that, it uses Corosync, which acts as a messaging layer between the nodes, something akin to a network dbus. The cluster also uses STONITH to ensure that any node that is not responding properly is shut down immediately, avoiding data corruption.
The setup itself can be fairly convoluted but is easy enough to understand once the role of each component is fully understood. We have used a wealth of documentation to compile our own guide and you are encouraged to read the articles in the resources section for a better understanding of this important topic.
QVD OS X Client (Beta) Released
One of the great benefits of VDI is the ability to ensure a consistent user experience across multiple devices and QVD is no different in this respect. To add to our Windows, Linux and Android clients, we’ve just released our first (beta*) OS X client. It’s available immediately from our download page or directly using this link: QVD OS X Client (Beta)
Once downloaded, simply run the downloaded package and click through the simple install process. When this is done, you will have the QVD Client available in the Applications. You may of course wish to copy it to the dock or desktop if you anticipate regular use.
To use the application, simply start it up and enter your credentials for your QVD server, as supplied by your administrator or, if using the demo, as per the confirmation email from QVD.
Once you have successfully logged in, the QVD client will initiate a connection with your QVD desktop which will be displayed within the client, for use as with other clients of the QVD.
* As the client is currently in Beta and undergoing further please note that it may be a little rough around the edges. We have a couple of known issues that we intend to fix in future versions:
- At this time only Mac OS X Lion (10.7) and above are supported but we are working to make it available for users of Snow Leopard (10.6)
- Sound is not currently working
Nonetheless, the client should be suitable for everyday use minus these two issues, so please try it out email us if you would like assistance or if you would like to make any suggestions. Bugs can be reported on our GitHub issue tracker as usual.
QVD 3.2 with BTRFS Support
QVD 3.2 has been released, featuring support for the BTRFS file system. This is something we have been working on in earnest since the release of 3.1, and it’s something we are pretty excited about as it brings considerable performance gains to larger QVD deployments.
ADVANTAGES OF BTRFS
With BTRFS support, we further underpin the infrastructure savings of a VDI deployment by spreading the IOPS across the shared storage and the local storage of each node reducing load on the shared storage by up to 75%.
By moving the overlay (usually non persistent data such as logs and temporary files) to local storage, the system reduces the load on the shared storage by some magnitude. This means potential savings on NFS hardware which will be able to cope better and with greater demands than previously.
As well as reducing the load on the shared storage, QVD performance is enhanced by reducing network overhead. Using fuse-unionfs or aufs in order to provide a private Read-Write copy of the base image to the LXC containers over the network can become a performance bottleneck and BTRFS provides a simple and cost effective solution by keeping some of that data local.
Additionally, VM creation now leverages the powerful Copy-on-Write (CoW) technology of BTRFS to create snapshots of existing VMs in near real time delivering a further performance boost.
WHAT IS BTRFS?
BTRFS is a relative newcomer to the world of Linux file systems that offers excellent performance through its specialised Copy-on-Write snapshotting features. For QVD this means a major gain in the speed of deployment of each new VM alongside the ability to significantly offset disk operations across the nodes in a QVD install.
BTRFS also provides other convenient features, such as the ability to resize a live filesystem, as well as excellent built-in storage pool capabilities, allowing you to quickly and easily administer and add space to your nodes should this be necessary.
QVD 3.2 BTRFS support was written with a goal of having the system use some of the performance enhancing features of the file system without you having to get your hands dirty managing the sub volumes of the file system. To all intents and purposes, it should function just like any other QVD install, albeit with greatly enhanced performance if deployed as intended. That’s not to say you shouldn’t do some reading up on BTRFS before you attempt to use the feature.
HOW IT WORKS
Let’s start with a whistle-stop tour of the QVD storage directories in a typical LXC install. Each QVD Disk Image that is uploaded is extracted out of the staging directory into the images directory, which may well be shared remotely via NFS between multiple nodes and should be considered read-only to ensure the integrity of the images. From here the node extracts this shared image (really, just a Linux root file system) the first time it is used by a new VM to create the base file system from which the VM is run. This extraction is into basefs, which is also treated as a read-only filesystem by QVD.
For components of the system such as log data, runtime PIDs, lock files and temporary files that by their very nature can not to be read-only, we need to create an overlay, typically stored in overlayfs. Each virtual machine has its own overlay directory inside overlayfs, and this is named by combining the name of the Disk Image and the id of the VM.
The homefs directory stores all the user’s home data (assuming this is persistent) and should be stored remotely and accessed over NFS for anything other than the smallest deployments of QVD.
With all the directories present and correct, the QVD House Keeping Daemon (HKD) will perform a union mount, using either the fuse-unionfs or the aufs module, of the image in the basefs folder with the automatically generated overlay file system and home file system. This mount is performed inside the rootfs folder in the shared storage. The HKD will then load the newly mounted image into an LXC container.
With BTRFS configured, this differs in subtle ways. Every image is unpacked into its own subvolume in basefs which will be reused by each VM that uses this disk. When a container is started, the overlayfs is also created inside its own btrfs subvolume. For each subsequent VM using this disk image, QVD creates a snaphot of this subvolume and the snapshot is used as the container root file system. Given BTRFS’ remarkable ability to create Copy-on-Write (CoW) snapshots and subvolumes cheaply with little overhead this is almost instant.
The BTRFS snapshots can be seen as directories using the normal coreutils tools such as ls. They can also be listed using the btrfs-tools command btrfs, as follows:
# btrfs sub list /var/lib/qvd/storage/ ID 256 top level 5 path basefs/2-2-openSUSE-12.2-desktop.i386.tar.gz ID 258 top level 5 path overlayfs/2-3-overlayfs ID 259 top level 5 path overlayfs/2-5-overlayfs
Here we can see the basefs subvolume, along with two additional subvolumes for two VMs that have been created and run using the same basefs.
LIMITATIONS
Because BTRFS is a local file system unlike NFS, the overlay and rootfs data is visible only to the local node. This means this data cannot be perisistent across the nodes, so if a VM changes nodes, changes to this data are lost. (Note that making overlay data is optional in QVD, so this may not matter at all). So, too, the overlay and rootfs data will be lost a new default disk image is created for the same Operating System Flavor.
A concern you may have about BTRFS is that it is still marked as experimental. This is not viewed as a particular concern as we have deployed it in QVD in a manner that only transient, non-important data, should ever be stored on BTRFS. Your home data, and your images, should still be stored on NFS using a more mature file system. QVD has been designed to recover gracefully from any BTRFS hiccups, indeed, simply recreating a BTRFS file system on your designated storage should be sufficient should be sufficient.
Finally, please note that only SUSE Linux Enterprise Server 11 SP2 is officially supported at this time. SUSE have historically been a strong supporter of BTRFS and their OS has specific BTRFS patches that are unavailable in the stock Ubuntu 12.04 kernel. Happily, those patches have made it into later kernels, so getting QVD 3.2 BTRFS to work under Ubuntu 12.04 is simply a matter of upgrading the kernel to at least 3.5 (or use a later version of Ubuntu such as 12.10). We cannot provide official support for Ubuntu at this time, however feel free to contact us with any questions if you do run into trouble.
HOW TO SET IT UP
To take advantage of the new BTRFS features in QVD 3.2 you’ll need either a fresh install or you will need to upgrade an existing (LXC only) installation using the 3.2 repositories. For a guide to installing an LXC instance, please refer to the QVD Administration Manual. The 3.2 repo for SLES 11 SP2 is available here:
http://download.opensuse.org/repositories/home:/qvd:/qvd-3.2.0/SLE_11_SP2/
The Ubuntu PPA is here:
https://launchpad.net/~qvd-qindel/+archive/qvd-3.2.0
Both overlayfs and rootfs need to be stored on a BTRFS volume. One way to achieve this would be to mount the entire QVD storage folder (by default /var/lib/qvd/storage) on a BTRFS volume. If you are upgrading a previous install, you could of course convert your file system from Ext3/4, exercising due caution and ensuring you have backups of everything before you commence. The images and homefs directories should not be on the relatively unstable BTRFS and so may be mounted on top of this directory, either to local disk or using an NFS attached network disk. The setup in this instance is trivial:
# qa config set path.storage.btrfs.root = ${path.storage.root}
# qa config set path.storage.overlayfs = ${path.storage.btrfs.root}/overlayfs
# qa config set path.storage.rootfs = ${path.storage.btrfs.root}/rootfs
Alternatively, offload the overlayfs and rootfs onto a local BTRFS volume within the node and amend the above settings to point QVD to the locations for these folders.
Next, you will need to configure QVD to use BTRFS, which can be done with the following command:
# qa config set vm.lxc.unionfs.type=btrfs
If this is an upgrade of a previous install, you will need to restart the QVD House Keeping Daemon:
# service qvd-hkd restart
From here you are ready to add new VMs to your QVD install. Please note that previous VMs on an upgrade install will not be able to run without manual intervention, both to the filesystems and to the QVD database, so we wouldn’t advise upgrading unless you are happy to lose these or prepared to spend some time recovering them manually.
QVD Demo
The QVD demo allows you to try out the software with nothing more than a copy of one of the various clients we provide. As well as experiencing the use of a Virtual Desktop through the client, the latest demo enables you to administer a separate instance of the QVD demo and experience the Web Administration tool. So you can get a feel for creating disk images of your own, and and adding users and virtual machines. This way you get to experience QVD administration with very little in the way of setup overhead.
To try the demo, you’ll need to head over to the registration page and sign up for an account which should take no more than a minute or two. We will send your account details to the email address, so check that in due course. Once you have your user name and password, start up the QVD client of your choosing. We will use the Linux client for this tutorial, but the Windows client experience is almost identical. Enter the host demo.theqvd.com, the email address you used, and the password that we have sent you.
Click Connect and welcome to your new VDI desktop environment! You should now have is a fully functional Linux desktop running LXDE. This is an example of the type of desktop that you could provide to your users using our software, with your own customisation and branding (indeed, desktop environment) of course.
If we go one step further, on the desktop you will find two icons, WAT and QVD Client. WAT provides you a link to the QVD Web Administration tool that we have set up for your evaluation of the administration of the QVD software. To do so, double click the WAT icon which will open up the Chromium browser and direct it straight to the login screen of our Web Administration demo.
Log in using admin as both the user name and password which will place you at the WAT welcome page. This will give you an overview of the QVD installation, telling you how many nodes you are running (one for the purposes of this demo), how many virtual machines you have running, along with other useful figures such as the number of users you have, how many sessions are running, and so on. Note that as others may have been using the demonstration, it may already contain other users, images and virtual machines that they have created. The nested demonstration is automatically reset every morning around 6AM CET so changes are not persistent.
The demo QVD server will have one server by default, as well as an OSF and Disk Image. You will find one node in the Nodes tab. There’s no point in adding any to this instance as they won’t work, but this is where you would scale up your install by adding additional nodes to serve desktops in a real world situation. However, the point of this nested demonstration is to go further than that and show you how to add your own user, disk image, user and virtual machine, so let’s dive right in.
Go to the OSF tab, and click the New link. Give your OSF a name (let’s say demo), and allocate RAM and disk space. Moving on to the Disk Images tab, create a new disk image by selecting the appropriate link and choosing your new OSF and the provided image file which will create a new disk image. Select the Create button and give it a few seconds.
Once that is done, take a look at the Users tab. Here you can add a new user using the provided link, and choose a password for the user in the next screen. Now you are ready to create a virtual machine for your user, so select the magnifying glass next to your desired user’s ID and, alongside any other virtual machines that user may have, select New Virtual Machine. Choose a name, and the disk image you have created and QVD will create the virtual machine.
Start up the QVD client on the desktop. It will be pointing towards the correct QVD server, so concern yourself only with the username and password. Enter the credentials for any user that you have created and provisioned with a VM. Click Connect and within a few seconds you will be inside the new VM that you have created.
Feel free to explore the demo Web Administration Tool and create disk images, users, and virtual machines. You will find that in a configured QVD environment that this is very simple, and note how each user can have multiple VMs for different use cases.
If you’d like to explore further, you can take a look at the QVD Appliance in the downloads section, or install the software for yourself and browse the administration manual. If you have any questions or need help, don’t hesitate to get in touch.
Creating LXC Images for QVD
Following on from our tutorial creating KVM images for QVD, we now move on to creating an LXC image for QVD. LXC is a lightweight virtualisation technology that enables the sharing of the host machine’s kernel with guest operating system. This provides a boost in performance over traditional technologies, as well as being less resource intensive. For VDI technology, that means greater density, or the ability to server more desktop environments per server core, and subsequent reductions in hardware that that suggests. All in all it’s pretty exciting technology that’s new to QVD 3.1 and one that we expect to go from strength to strength.
You will need at least 5GB of disk space to install the virtual machine that will used to create the LXC image. An internet connection is also needed to download the iso and also for the LXC userspace tools to fetch the core packages for the system. The process can be broken down into a few distinctive steps:
- Create an LXC container
- Add the QVD repositories and install the Virtual Machine Agent (VMA)
- Tailor the desktop to your requirements and add an administraive user
- Shut down and tar the image
- Ensure your QVD environment is set up for LXC
- Load the image in QVD
To create our LXC container, we will use a clean install of the Lubuntu Desktop to ensure our base environment is uncontaminated by configuration changes that may be problematic down the line. We will use Lubuntu 12.04 as it provides the excellent Lightweight X11 Desktop Environment (LXDE), and to ensure compatibility with the Ubuntu Ubuntu 12.04 LTS release which makes an ideal node server and for which we release QVD packages. As we will be sharing the kernel with the host machine, it is of course strongly advisable to ensure that our hosts and our guests are identical or near identical systems so using a different distro to the host machine is all but out of the question.
The Lubuntu iso can be found on the Lucuntu Precise Alternate download page , or using this direct link. Once downloaded, check the md5sum of the iso which should match a277a7d3b8a6fc1dd98e65adb5262493, and proceed with a basic install. You may of course do this inside the freely available KVM or Virtualbox, that is beyond the scope of this guide. Let’s just assume that you have a fresh install of Lubuntu 12.04 , and the means to access it via the command line.
Log in to your fresh install and the LXC userspace tools. We will assume you are root throughout the course of this tutorial, so sudo -s before you start out.
# apt-get install lxc
That done, create a file called lxc.conf somewhere convenient, and populate it with the following network settings:
lxc.network.type=veth lxc.network.link=lxcbr0 lxc.network.flags=up
The first line will tell lxc that we wish to use a virtual ethernet device which is an ethernet-like device that can be used inside a container. The second line gives lxc the name of the network bridge that we want the container to utilise to connect to the network. Finally, we set the network as up.
Now let’s create a new Linux container:
# lxc-create -n qvd-vm -t ubuntu -f lxc.conf
This will download and cache the Ubuntu core packages into /var/cache/lxc/precise/rootfs-amd64 (assuming 64 bit). The first time you do this it will take a little extra time compared to subsequent builds as it will pull down the core packages from the Ubuntu servers to install inside the container. The next time you create a container using the same template (in this case ubuntu), these packages will be reused so it will be quite a bit quicker.
Once downloaded, lxc-create will install the packages into /var/lib/lxc/qvd-vm/rootfs which is effectively the root folder of the container. Above that folder, in /var/lib/lxc/qvd-vm you will find the file config which will contain the conf settings you created, lxc.conf, should you need to change anything.
When the install is complete, start the container:
# lxc-start -n qvd-vm
Log in using ubuntu as both username and password. This account has sudo rights, so go ahead and sudo -s to continue as root. Next you need to add the QVD 3.1 PPA so that you can install the QVD Virtual Machine Agent which enables each desktop to communicate with the client via the QVD node.
# apt-get install python-software-properties # apt-add-repository ppa:qvd-qindel/qvd-3.1 # apt-get update # apt-get install perl-qvd-vma
| Note | To add the PPA as per the previous step you will need to install python-software-properties. This will however add this will add about 27MB to the install, so if space is an concern, rather add the following to /etc/apt/sources.list.d/qvd-qindel-qvd-3_1-precise.list
deb http://ppa.launchpad.net/qvd-qindel/qvd-3.1/ubuntu precise main deb-src http://ppa.launchpad.net/qvd-qindel/qvd-3.1/ubuntu precise main |
It is essential that the Virtual Machine Agent starts on boot or the desktop will not be accessible. To do that, we add a symlink to runlevel 2:
# ln -s /etc/init.d/qvd-vma /etc/rc2.d/S99qvd-vma
Although LXC has copied the rudimentary system over to the container, the template does not allow for a desktop environment, so we will need to install that.
# apt-get install lubuntu-desktop
This would also be a good time to install any additional desktop software that our users may need, so go ahead and install any office software, graphics software and so on using apt as above. That done, it’s time to configure the Virtual Machine Agent. Create the qvd directory:
# mkdir /etc/qvd
And then create the file /etc/qvd/vma.conf and populate it with the following options:
vma.audio.enable: 1 vma.printing.enable: 1 command.x-session: /usr/bin/startlubuntu
This will share the node’s printers with the desktops and enable audio. Finally, command.x-session uses the startlubuntu xsession script. This defaults to /etc/X11/Xsession for regular editions of Ubuntu and SUSE.
| Important | We have discovered that startlubuntu does not honour the /etc/default/locale settings, so if our locale needs to be changed from the default, we create the wrapper script /usr/local/bin/startlubuntu. In there, we source the /etc/default/locale variables, export them, only then invoking startlubuntu:
#!/bin/bash [ -r /etc/default/locale ] && . /etc/default/locale export LANG LANGUAGE LC_MESSAGES LC_ALL /usr/bin/startlubuntu |
Before we log out, we will need to add a user other than the default ubuntu user on the container, and give that user sudo permissions for maintenance:
# adduser qvd # usermod -aG sudo qvd
Now we log out and back in with our new user and (as root) remove the default user and home directory:
# deluser ubuntu # rm -rf /home/ubuntu
| Note | At this point we could delete the user with the –remove-home switch but this requires the perl-modules package which brings, along with dependencies, another 32MB to the install. It’s up to to the use case and space constraints of course. |
Branding and customisation of the desktop environment is beyond the scope of this guide, but there is a list of resources at the end to assist with this.
Once you have desktop that you want for your users, you can close down the container in preparation for zipping up the image.
# poweroff
Back in your host machine we zip up (as root) the root file system of the container for deployment in QVD:
# tar czf ubuntu-12-04.tar.gz -C /var/lib/lxc/qvd-vm/rootfs .
We now have the our gzipped and tarred image. Upload it to your node server if you have built it on another machine, and then copy the file over to the directory /var/lib/qvd/storage/staging which it will be available as an image file in the QVD Web Administration Tool, ready for deployment as a Disk Image. You should also ensure that your QVD installation is set up for LXC virtualisation as it’s a binary decison, you cannot serve both KVM and LXC desktops at the same time. This can be achieved by invoking the QVD admin tool as follows:
# qa config set vm.hypervisor=lxc
And that concludes our creation of an LXC disk image for QVD. As you can see, it’s a really quick and easy process and allows for almost endless customisation of the desktop you wish to provide your end user. Another of the many benefits of choosing the QVD as your VDI solution.
Resources:
To make your customisation and branding global, rather than use the home directory for your user account (which is really just your administrative account for the image), changes need to be made in the /etc/skel directory, which acts as a template for new users’ home directories when new users are added. QVD conforms to this practice, so each new Virtual Machine will create a home directory based on this folder in the Disk Image. For the PCManFM use /etc/skel/.config/pcmanfm/lubuntu/pcmanfm.conf and for LXPanel use /etc/skel/.config/lxpanel/Lubuntu/panels/panel. What follows are a couple of links to resources on configuring these components.
Guide to LXPanel on the LXDE:
http://wiki.lxde.org/en/LXPanel
Guide to PCManFM (the LXDE file manager but also used for wallpaper settings and other customisations) on the Arch Wiki
https://wiki.archlinux.org/index.php/PCManFM
:)
QVD Comes To GitHub
One of our major goals after the release of QVD 3.1 was to make the source code of the QVD more easily accessible to the wider world. GitHub has seen a meteoric (and much deserved) rise as the destination for open source coders over the last few years and, as such, we have decided to make the QVD trunk available in its own GitHub repository.
The repository will replicate nightly from our internal VCS, and thus will contain an up to date snapshot of trunk. Lead development will still take place on our internal systems, so by all means check out the code base and hack away but we will not at this time be accepting pull requests in GitHub itself. If you’d like to contribute to the project, please see our How to Contribute page.
The project itself is coded almost exclusively in Perl, and relies on several other open source projects to bind it together. If you have any questions about the project or getting started with the code, please see our Community page.
Along with the QVD, we hope to publish any other interesting open source side projects and offshoots of our daily work within the QVD GitHub account. One project that we are particularly excited about, Xvnc Pro X/X11 Server (our implementation of X for Android) which will be available in the next few days.
With this move the issue tracking for non-customers of the QVD moves away from our Trac system and into the GitHub Issue Tracker for our project. If you come across any bugs, or have suggestions, please file them there – all contributions gratefully received.