Recommended First Steps

These steps guide you through the configuration that Aventurin{e} 6110R needs before you can use Incus:

"Preflight Checklist":

Before you start using the "Manage Incus" GUI pages in your BlueOnyx 5211R to create Instances, you should take a look around. Let's start with the "Settings" menu entry:

You can see that "Enable Incus" is already ticked, which means Incus is running and available for use. However, as you can see here, there are two red notices. One informs you that this is the Demo Version of Aventurin{e} 6110R. This notice will be prominently shown for as long as you don't have the purchasable "AventurineLicense" PKG from the BlueOnyx Shop linked to and installed on your BlueOnyx 5211R.

The second red notice might inform you that this BlueOnyx 5211R has the Bind 9 DNS server enabled and that this conflicts with the "dnsmasq" service of Incus. So if you are serious about testing or using Incus, you might want to disable the built-in BlueOnyx 5211R DNS server. You can do so under "Server Management" / "Network Services" / "DNS":

Once that is done, there are also some security considerations:

Security Considerations:

Incus has three built-in management methods:

  • From the command line via the "incus" command.
  • API port on 0.0.0.0:8443 or 127.0.0.1:8443.
  • Linux Socket under /home/incus/unix.socket

Using the shell command "/usr/bin/incus" requires not only local shell access but also sufficient privileges, or that the user in question has been allowed to use the command, for example by being assigned to the "incus-admin" or "incus" Linux group(s). So this is fairly safe.

The Incus API running on port 8443 requires authentication, either via a valid SSL certificate that has been made known to Incus beforehand or via an authentication token that has been created beforehand. So this is also fairly secure, even if you run the Incus API on 0.0.0.0:8443: the Firewalld service is running by default on BlueOnyx 5211R and it does not have port 8443/TCP open by default.

What's not so secure is the unavoidable Unix socket under /home/incus/unix.socket. In theory any local user or application could access the Unix socket and "talk" to Incus. Therefore, if you have untrusted user accounts directly on your BlueOnyx 5211R virtualization node and/or Vsites with PHP or other script functions enabled, you should not be using Aventurin{e} 6110R and Incus in this fashion.

Instead, put the untrusted users and Vsites inside Incus instances and run only essential and trustworthy services on the virtualization node itself.

Anything else should be inside virtualized Incus instances to isolate it from the host system that runs Incus.
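
To check how the three management paths above are actually exposed on a given node, the following read-only audit script can be used. It is an added example, not part of Aventurin{e} or BlueOnyx; it assumes the socket path and group names given on this page, GNU "stat", and that the API address is stored in the Incus server setting "core.https_address".

```shell
#!/bin/sh
# Added example: read-only audit of the three Incus management paths.
# Socket path and group names are the ones named on this page.
SOCK="${INCUS_SOCK:-/home/incus/unix.socket}"

# Classify a core.https_address value by how widely the API listens.
classify_api_addr() {
    case "$1" in
        "")                         echo "disabled" ;;
        127.*|localhost:*|"[::1]"*) echo "loopback" ;;
        0.0.0.0*|"[::]"*|:*)        echo "all-interfaces" ;;
        *)                          echo "specific-address" ;;
    esac
}

# True when an octal mode (e.g. 666) grants write to "other". On Linux,
# connecting to a Unix socket requires write permission on the socket.
socket_world_writable() {
    case "$1" in *[2367]) return 0 ;; *) return 1 ;; esac
}

# Print the members from one "getent group" line (name:x:gid:a,b,c).
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' '
}

# True when port/proto (e.g. 8443/tcp) appears in "firewall-cmd --list-ports" output.
port_listed() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

audit() {
    if command -v incus >/dev/null 2>&1; then
        addr=$(incus config get core.https_address 2>/dev/null)
        echo "API listener: $(classify_api_addr "$addr") ${addr:+($addr)}"
    fi
    if [ -S "$SOCK" ]; then
        mode=$(stat -c '%a' "$SOCK")
        echo "Socket $SOCK: mode $mode, owner $(stat -c '%U:%G' "$SOCK")"
        socket_world_writable "$mode" && echo "  WARNING: any local user can connect"
    fi
    for g in incus-admin incus; do
        line=$(getent group "$g") && echo "Group $g members: $(group_members "$line")"
    done
    if command -v firewall-cmd >/dev/null 2>&1; then
        ports=$(firewall-cmd --list-ports 2>/dev/null)
        port_listed 8443/tcp "$ports" && echo "WARNING: 8443/tcp open in firewalld default zone"
    fi
    return 0
}

# Live checks run only on request: save the script and call it with "audit".
if [ "${1:-}" = "audit" ]; then audit; fi
```

Run it as "root" on the virtualization node. The firewall check only looks at ports listed for the default zone, so ports opened through a Firewalld service definition or in another zone need a separate look.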

Network Preparation:

The most common use case for Aventurin{e} 6110R will probably be the hosting of virtual servers that you want to make externally available, such as hosting one or more (virtualized) BlueOnyx instances with Incus, or the occasional Debian or Ubuntu instance or what not. In order to make these directly available from outside of your virtualization node, you must switch the primary network interface of your BlueOnyx 5211R virtualization node to "bridged networking".

You can do so either by running the script /root/network_settings.sh (as "root") from the shell:

Or you can do so via the BlueOnyx 5211R GUI interface under "Server Management" / "System Settings" / "TCP/IP":

Once you have enabled "Bridged Networking", your primary network interface will become a "slave" of the bridge device "br0", and "br0" will have the network configuration that your primary network interface had before (IP and Netmask).

In Incus Management under "Network" you can then see the new setup, too:

There you should see three network interfaces:

  • br0
  • eth0 (name of your physical primary network interface)
  • incusbr0

If you want to make Incus instances publicly available, you will need to bind them to "br0" during Instance creation and/or configuration. If you just want the Incus instance to be available internally from within your BlueOnyx 5211R itself, bind it to "incusbr0" instead. The "incusbr0" network also has a DHCP server running and an automatically assigned private IP address range. You can use the edit button to modify the "incusbr0" network, and you can likewise modify any network that you create through the "Network" management pages of the Incus Management. However, you cannot use these GUI pages to change the network settings of "br0", "eth0" or any other network interface that is NOT managed by Incus, but is managed by the OS instead. Just keep that in mind.

Now you are ready to use Aventurin{e} 6110R and Incus! Enjoy!

You might want to continue to the next manual page, which explains Instance creation.