One of the real beauties of hosting your own Proxmox server is the flexibility it gives you to create and load a wide variety of virtual machines that each appear to users to be dedicated servers. This could include a dozen Asterisk servers, or it might be a mix of a dedicated Apache server, a Windows Server, an Asterisk server or two, as well as Joomla, Drupal, Zimbra, and many others from this list. The other obvious advantage is cost. Individual Asterisk servers can be had for $300 or less to host a small branch office. But a Proxmox server such as Dell's current offerings can host a dozen dedicated systems for about $50 per server.
Today we have two really terrific OpenVZ templates for PBX in a Flash to introduce. One features CentOS 5.5, and the other includes the just released CentOS 5.7. The choice is yours! Both allow you to create unlimited PIAF virtual machines in exactly 1 minute per server! And you can boot your new virtual machines in less than 90 seconds apiece. These new PIAF-OpenVZ templates include the usual PBX in a Flash Feature Set with some extra bells and whistles: Asterisk 184.108.40.206, FreePBX 2.8, Google Voice for free calling in the U.S. and Canada, Tom King's latest Apache, PHP, PHPMyAdmin security updates, Andrew Nagy's EndPoint Manager and CallerID Superfecta, as well as AsteriDex, Telephone Reminders, and Hotel WakeUp Call modules for FreePBX.
If you haven't heard of OpenVZ templates before, you've missed one of the real technological breakthroughs of the last decade. Rather than wading through the usual 30-60 minute ISO installation drill, with an OpenVZ template, all of the work is done for you. And it's quick. You can build a dozen PIAF-Purple systems using an OpenVZ template in the time it takes to bake a pan of slice-and-bake cookies. And it's incredibly easy to then tie all of these systems together using either SIP or IAX trunks. Just follow our previous tutorial. For resellers and developers that want to try various Asterisk configurations before implementation and for trainers and others that want to host dedicated Asterisk systems for customers, the OpenVZ platform is a perfect fit.
We'll start with the bad news before we get to the really exciting new Asterisk platform we're introducing today. All of the current Proxmox server software that supports OpenVZ virtual machines has a serious security flaw. For that reason, you would only want to run Proxmox behind a hardware-based firewall with no Internet port exposure. If you fail to heed this warning, you run the very real risk of having not only your Proxmox server compromised but also all of the virtual machines running on it. The good news is that this security flaw does not appear to affect the PBX in a Flash virtual machines which we are introducing today. Since no direct Internet access is required to have a perfectly functioning PIAF server, we still strongly recommend never exposing any server to direct Internet access. MORAL: No Internet port exposure for any of your servers means you can sleep like a baby. We recommend Proxmox 1.8 which is a free download from the Proxmox VE web site. To get optimum use from a Proxmox server, you'll also want a processor that supports Kernel-based Virtual Machines (KVMs). This full virtualization solution requires an x86 processor containing virtualization extensions (Intel VT [1] or AMD-V CPU [2] is needed). HINT: Most of Dell's servers are not a problem. Regardless of the server you choose, make certain that you check the CPU specs before you buy. Also be aware that, in addition to Proxmox, there are many other OpenVZ platforms from which to choose.
Installing Proxmox. If you go the Dell route, you'll need an external USB CD or DVD drive to install Proxmox. Dell's optical drives aren't supported in the Proxmox boot image. So begin by downloading the Proxmox VE 1.8 ISO image and create your CD. Then boot your new server from the CD (by pressing F11 for the boot selection screen and choosing your USB external drive on Dell servers). Press Return to begin the install, agree to the license agreement, and click Next on the installer screen to begin. Choose your country, time zone, and keyboard layout. Next choose a secure password and provide a valid email address which is used to send you critical alerts from your Proxmox server. Finally, choose a hostname, specify a fixed IP address, netmask, gateway, and DNS servers and then press Next. Three minutes later, you'll have a new Proxmox server. Log in to your server as root and create a directory for your backups: mkdir /backup.
Enabling IPtables Firewall. IPtables works a little differently in the OpenVZ environment. It actually runs on the Proxmox host. There are just two steps to get it working. First, shut down every running VM on your Proxmox server using the web interface. When you're sure they're all stopped and while logged into your Proxmox server as root carefully enter the following two commands. Note that, because of the length, the sed command stretches to several lines which should be unraveled into a single line for the command to execute properly! Using a block-copy from a desktop machine to your SSH session is the safest method.
sed -i 's|ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length|ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp|' /etc/vz/vz.conf
Don't forget to set the system time on your server: dpkg-reconfigure tzdata
You're finished on the CLI at this point. Now you'll be able to configure IPtables within each of your OpenVZ virtual machines as explained below.
OpenVZ vs. ISO Images. One of the beauties of Proxmox is that it supports two different types of images to create virtual machines. An OpenVZ template is akin to a snapshot of an existing system while an ISO image is identical to the installer you normally would burn onto a CD in order to install a software application on your server. In short, you still have to go through the installation scenario when you create a virtual machine (KVM) from an ISO image. A virtual machine created from an OpenVZ image is ready for use the moment it is created. If you remember when instant-on televisions first were introduced, you'll also appreciate the difference in boot times between OpenVZ and KVM machines which boot an application installed from an ISO in much the same manner as you would experience on a standalone machine.
As with life, there's a dark cloud lurking behind every silver lining, and this is especially true in the Asterisk environment. OpenVZ containers rely upon a shared kernel, the one that actually boots the Proxmox server. KVM containers created from ISO images are self-contained with their own complete operating system and kernel. Thus, zaptel or dahdi cannot be loaded directly from an OpenVZ container. Instead one must rely upon a shared version of zaptel or dahdi loaded on the Proxmox server itself. As it turns out, this is no small feat and certainly not a task for mere mortals. Bottom Line: If you need conferencing or otherwise need a timing source for your Asterisk deployment, you will not want to use the OpenVZ approach at least for now. If you want to try it later, here is the message thread on the PBX in a Flash Forum. On the other hand, if you have more traditional VoIP requirements for your PBX, then the ease of installation and use of the OpenVZ image makes perfect sense. So let's start there assuming you understand the limitations.
Installing PIAF-OpenVZ Template. Using a web browser, download one of the new PIAF-OpenVZ images to your Desktop. Once you have the OpenVZ image in hand, point your web browser to your Proxmox server: https://ipaddress. Accept the default certificate and login as root. You'll get a Welcome screen that looks something like what's shown above. Click on the Appliance Template option. In the Upload File section, choose the PIAF-OpenVZ image on your Desktop and click Upload. Be patient. It's a big file. So go have a cup of coffee. You'll get a prompt when it's completed. You can also do this directly within the Proxmox server by logging in as root and issuing the following commands to install the latest CentOS 5.7 PIAF-OpenVZ template:
To install the CentOS 5.5 PIAF-OpenVZ template, here are the commands:
Creating OpenVZ Virtual Machines. Once installed, you can build Asterisk 220.127.116.11 virtual machines to your heart's content... in about a minute apiece. Just choose Virtual Machine, Create to create a new virtual machine using the OpenVZ template you just uploaded. In the Configuration section, choose OpenVZ for the Type and pick your new OpenVZ template from the pulldown list. Fill in a Host Name, Disk Space maximum (in GB), and a very secure (root) Password. The other defaults should be fine. In the Network section of the form, change to the Bridged Ethernet (veth) option which means the VM will obtain its IP address from your DHCP server. Make sure your DNS settings are correct for your LAN. Here's how a typical OpenVZ creation form will look. Just click on the image to enlarge.
Once the image is created, start up the virtual machine, wait about 90 seconds for the system to load, and then click on Open VNC Console. Asterisk will be loaded and running. You can verify this on the status display. You can safely ignore the status messages pertaining to IPtables assuming iptables -nL shows that IPtables is functioning properly. You now have a PIAF-Purple base platform running Asterisk 18.104.22.168 and FreePBX 2.8.1. REMINDER: Be sure you always run both Proxmox AND your virtual machines behind a hardware-based firewall with no port exposure to the Internet!
The FreePBX login credentials are username: maint and password: password11. This is anything but secure. Before you do anything else, log into your virtual machine using SSH and run passwd-master to secure the passwords for FreePBX GUI access to your system. Also be sure to set the correct time zone on your virtual machine: system-config-date. [3] Don't forget!
Once you have secured your passwords, you're ready to set up Asterisk to make and receive calls. For the complete 5-minute tutorial, see this Nerd Vittles article. The steps are identical with Asterisk 22.214.171.124 and Asterisk 10. REMINDER: Once you have set up a Google Voice account, created an extension with a secure password, and created an inbound route for your incoming calls, don't forget to reload Asterisk from the CLI or Google Voice calling will fail: amportal restart.
Asterisk CLI Change. Finally, just a heads up that (once again) the Asterisk Dev Team appears to have changed the default behavior of the Asterisk CLI. With Asterisk 1.8, if you make outbound calls after loading the CLI, you will notice that call progress no longer appears in the CLI. To restore the standard behavior (since Moses), issue the following command: core set verbose 3. 🙄
Securing IPtables with a WhiteList. If you're running your virtual machines behind a hardware-based firewall with no Internet port exposure AND all of those on your private LAN are trusted, you can quit here. Otherwise, you need to lock down the IPtables firewall on your virtual machines to only permit access from trusted IP addresses. As delivered, all private IP addresses are authorized and a number of dangerous Internet services also are accessible. Here's how to fix it. Log into each VM and edit /etc/sysconfig/iptables (nano -w /etc/sysconfig/iptables). Change the section of entries that look like the following by inserting a # at the beginning of each entry. Once you've added the # characters, your entries should look like this:
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
#-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
#-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
Now scroll down a bit in the file and find the entries that look like the following:
-A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A INPUT -s 172.16.0.0/255.240.0.0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
Immediately below these private network entries, enter the actual IP addresses that are needed to administer your virtual machine. Also include the IP addresses of any remote telephones that are not covered by the private LAN entries above. Each entry should look like the following using the actual IP addresses needed:
-A INPUT -s 126.96.36.199 -j ACCEPT
IMPORTANT: Make sure you've included an entry for the IP address from which you currently are accessing your server, or you will lock yourself out of your server. Then restart IPtables: service iptables restart. Verify that the entries are the way you expect: iptables -nL. Now, with a browser, attempt to access the IP address of your virtual machine from an untrusted IP address, e.g. your cellphone. Then repeat from a trusted IP address. If all is well, you're done.
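The whitelist edit above, scripted with the lockout guard the IMPORTANT note calls for, as an added example that is not from the Nerd Vittles post or the PIAF project; the function names, the ADMIN_IP variable and the sample rules file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Nerd Vittles post or PIAF: apply the whitelist
# edits the article describes to an iptables rules file, and roll back if the result
# would lock out the address you administer from. Function names, ADMIN_IP and the
# sample rules are assumptions made here.
# Constructed sample in the /etc/sysconfig/iptables layout the article shows.
make_sample_rules() {
    cat > "$1" <<'EOF'
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
# 0 if $1 is a dotted-quad IPv4 address; keeps stray text out of the rules file.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do [ "$octet" -le 255 ] || return 1; done
}
# Comment out the broad per-port ACCEPT rules (22, 80, 443, 5038, ...) in INPUT.
disable_port_rules() {
    sed -E 's,^-A INPUT -p (tcp|udp) -m (tcp|udp) --dport [0-9:]+ -j ACCEPT$,#&,' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}
# Add "-A INPUT -s <ip> -j ACCEPT" for each trusted host directly below the
# 127.0.0.0 private-network entry, where the article says the entries belong.
add_whitelist() {
    file=$1; shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "refusing '$ip': not an IPv4 address" >&2; return 1; }
        awk -v ip="$ip" '{ print }
            /^-A INPUT -s 127\.0\.0\.0\/255\.0\.0\.0 -j ACCEPT$/ { print "-A INPUT -s " ip " -j ACCEPT" }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}
# 0 if the address you are connected from (ADMIN_IP, else SSH_CLIENT) is still
# allowed: listed explicitly, or inside one of the private ranges kept above.
admin_still_allowed() {
    admin=${ADMIN_IP:-${SSH_CLIENT%% *}}
    [ -n "$admin" ] || { echo "set ADMIN_IP to the address you administer from" >&2; return 1; }
    echo "$admin" | grep -Eq '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)' && return 0
    grep -Fxq -e "-A INPUT -s $admin -j ACCEPT" "$1"
}
# The whole procedure with a safety net: back up first, roll back on lockout.
harden_rules() {
    file=$1; shift
    cp "$file" "$file.bak"
    disable_port_rules "$file" && add_whitelist "$file" "$@" && admin_still_allowed "$file" && return 0
    echo "rolling back: $file would lock you out or an address was invalid" >&2
    mv "$file.bak" "$file"; return 1
}
```

Run it on a copy first (make_sample_rules /tmp/iptables; ADMIN_IP=your.address harden_rules /tmp/iptables your.address phone.address), compare with diff against the original, and only then apply it to /etc/sysconfig/iptables and restart the service as described above.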
Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 188.8.131.52 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. There are similar settings in gtalk.conf that can be activated although we've never had to use them. In fact, we've never had to use any of these settings. After making these changes, save the file(s) and restart Asterisk: amportal restart.
Quirks, Gotchas, and Updates. The only quirk you will notice in the current virtual machines is that the status display incorrectly shows IPtables is not running. This is because it actually is hosted on the Proxmox host. For the latest breaking news and updates about PIAF-OpenVZ, visit this thread on the PIAF Forum. Enjoy!
Originally published: Tuesday, September 20, 2011
Breaking News. Google Plus is now available to everyone. Sign up here and join us. And wait 'til you read the Google Hangouts News. Now it's easy to view the Asterisk feed or PBX in a Flash feed on Google+.
Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.
If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won't get the special pricing! Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.
[1] Be very careful choosing Intel processors. Even some high-end processors do not support Intel Virtualization Technology. Here's the official list.
[2] And here is a useful reference for AMD-compatible processors. The AMD WIKI provides the following list of AMD-V compatible processors: "AMD's x86 virtualization extension to the 64-bit x86 architecture is named AMD Virtualization, also known by the abbreviation AMD-V, and is sometimes referred to by the code name 'Pacifica'. AMD processors using Socket AM2, Socket S1, and Socket F include AMD Virtualization support. AMD Virtualization is also supported by release two (8200, 2200 and 1200 series) of the Opteron processors. The third generation (8300 and 2300 series of Opteron processors) will see an update in virtualization technology..."
[3] Getting the correct time in your VMs can be problematic with Proxmox. If you continually see the wrong time when you issue the date command after starting up your VMs, try this. Log into the Proxmox host and issue the following commands using the correct container number and your local time zone city for your virtual machine:
vzctl stop 108
vzctl set 108 --capability sys_time:on --save
vzctl start 108
vzctl enter 108
mv /etc/localtime /etc/localtime.old
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime