XenServer

Manage your hosts

This article describes some of the actions that you can take to manage your individual XenServer hosts.

To manage actions related to resource pools, see Manage your pools.

Disable SSH access

If you want to disable SSH access to your XenServer host, you can do this action in xsconsole.

  1. From XenCenter, open the host console and log in as root.
  2. Type xsconsole.
  3. In xsconsole, go to Remote Service Configuration > Enable/Disable Remote Shell.

    The console displays whether the remote shell is enabled.

  4. To change whether the remote shell is enabled or disabled, press Enter.

Install a TLS certificate on your host

The XenServer host comes installed with a default TLS certificate. However, to use HTTPS to secure communication between XenServer and Citrix Virtual Apps and Desktops, install a certificate provided by a trusted certificate authority.

This section describes how to install certificates by using the xe CLI. For information about working with certificates by using XenCenter, see the XenCenter documentation.

Ensure that your TLS certificate and its key meet the following requirements:

  • The certificate and key pair are an RSA key.
  • The key matches the certificate.
  • The key is provided in a separate file to the certificate.
  • The certificate is provided in a separate file to any intermediate certificates.
  • The key file must be one of the following types: .pem or .key.
  • Any certificate files must be one of the following types: .pem, .cer, or .crt.
  • The key is greater than or equal to 2048 bits and less than or equal to 4096 bits in length.
  • The key is an unencrypted PKCS #8 key and does not have a passkey.
  • The key and certificate are in base-64 encoded ‘PEM’ format.
  • The certificate is valid and has not expired.
  • The signature algorithm is SHA-2 (SHA256).

The xe CLI warns you when the certificate and key you choose do not meet these requirements.
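
A pre-flight check for the requirements listed above, as an added example that is not part of the XenServer documentation or tooling. The function name check_xs_cert and its variable names are assumptions, and it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate/key pair against the
# requirements listed above. check_xs_cert is a hypothetical helper name.
# Usage: check_xs_cert <certificate_file> <private_key_file>
check_xs_cert() {
    xs_cert=$1; xs_key=$2; xs_rc=0
    xs_fail() { echo "FAIL: $*" >&2; xs_rc=1; }

    # Allowed file types: .pem/.key for the key; .pem/.cer/.crt for certificates.
    case $xs_key in *.pem|*.key) ;; *) xs_fail "key file must be .pem or .key" ;; esac
    case $xs_cert in *.pem|*.cer|*.crt) ;; *) xs_fail "certificate must be .pem, .cer, or .crt" ;; esac

    # Unencrypted PKCS #8 PEM starts with exactly "BEGIN PRIVATE KEY".
    # "BEGIN RSA PRIVATE KEY" is PKCS #1; "BEGIN ENCRYPTED PRIVATE KEY" has a pass phrase.
    head -n 1 "$xs_key" | grep -qx -- '-----BEGIN PRIVATE KEY-----' ||
        xs_fail "key is not an unencrypted PKCS #8 PEM key"

    # The certificate file holds one certificate; intermediates go in their own file.
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$xs_cert")" = 1 ] ||
        xs_fail "certificate file must contain exactly one PEM certificate"

    # RSA key of 2048 to 4096 bits (openssl rsa fails on non-RSA or encrypted keys).
    xs_bits=$(openssl rsa -in "$xs_key" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ -z "$xs_bits" ] || [ "$xs_bits" -lt 2048 ] || [ "$xs_bits" -gt 4096 ]; then
        xs_fail "key must be RSA, 2048 to 4096 bits (found: ${xs_bits:-unreadable})"
    fi

    # The key matches the certificate: both must yield the same public key.
    xs_pub=$(openssl x509 -in "$xs_cert" -noout -pubkey 2>/dev/null)
    if [ -z "$xs_pub" ] ||
       [ "$xs_pub" != "$(openssl pkey -in "$xs_key" -passin pass: -pubout 2>/dev/null)" ]; then
        xs_fail "key does not match certificate"
    fi

    # Not expired, and signed with SHA-256.
    openssl x509 -in "$xs_cert" -noout -checkend 0 >/dev/null 2>&1 ||
        xs_fail "certificate has expired"
    openssl x509 -in "$xs_cert" -noout -text 2>/dev/null |
        grep -q 'Signature Algorithm: sha256' || xs_fail "signature algorithm is not SHA-256"

    return "$xs_rc"
}

# Run the check when called with two file arguments.
if [ "$#" -eq 2 ]; then check_xs_cert "$1" "$2"; fi
```

A non-zero exit status means at least one of the listed requirements is not met; each failed requirement is reported on standard error.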

Where do I get a TLS certificate?

1. Generate a certificate signing request

First, generate a private key and certificate signing request. On the XenServer host, complete the following steps:

  1. To create a private key file, run the following command:

    openssl genrsa -des3 -out privatekey.pem 2048
    

    You are prompted for a pass phrase. This pass phrase is removed in a following step.

  2. Remove the pass phrase from the key:

    openssl rsa -in privatekey.pem -out privatekey.nop.pem
    
  3. Create the certificate signing request by using the private key:

    openssl req -new -key privatekey.nop.pem -out csr
    
  4. Follow the prompts to provide the information necessary to generate the certificate signing request.

    • Country Name. Enter the TLS certificate country code for your country. For example, CA for Canada or JM for Jamaica. You can find a list of TLS certificate country codes on the web.
    • State or Province Name (full name). Enter the state or province where the pool is located. For example, Massachusetts or Alberta.
    • Locality Name. The name of the city where the pool is located.
    • Organization Name. The name of your company or organization.
    • Organizational Unit Name. Enter the department name. This field is optional.
    • Common Name. Enter the FQDN of your XenServer host. We recommend specifying either an FQDN or an IP address that does not expire.
    • Email Address. This email address is included in the certificate when you generate it.

    The certificate signing request is saved in the current directory and is named csr.

  5. Display the certificate signing request in the console window by running the following command:

    cat csr
    
  6. Copy the entire certificate signing request and use this information to request the certificate from the certificate authority.

    Example certificate signing request:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIDBDCCAewCAQAwgYsxCzAJBgNVBAYTAlVLMRcwFQYDVQQIDA5DYW1icmlkZ2Vz
    aGlyZTESMBAGA1UEBwwJQ2FtYnJpZGdlMRIwEAYDVQQKDAlYZW5TZXJ2ZXIxFTAT
    ...
    SdYCkFdo+85z8hBULFzSH6jgSP0UGQU0PcfIy7KPKyI4jnFQqeCDvLdWyhtAx9gq
    Fu40qMSm1dNCFfnACRwYQkQgqCt/RHeUtl8srxyZC+odbunnV+ZyQdmLwLuQySUk
    ZL8naumG3yU=
    -----END CERTIFICATE REQUEST-----
    

2. Send the certificate signing request to a certificate authority

Now that you have generated the certificate signing request, you can submit the request to your organization’s preferred certificate authority.

A certificate authority (CA) is a service that provides digital certificates. You might have a CA available within your organization or, alternatively, you can use a trusted third party. Some certificate authorities require the certificates to be hosted on a system that is accessible from the internet. We recommend not using a certificate authority with this requirement.

The certificate authority responds to your signing request and provides the following files:

  • the signed certificate
  • if applicable, an intermediate certificate

You can now install all these files on your XenServer host.

3. Install the signed certificate on your XenServer host

After the certificate authority responds to the certificate signing request, complete the following steps to install the certificate on your XenServer host:

  1. Get the signed certificate and, if the certificate authority has one, the intermediate certificate from the certificate authority.
  2. Copy the key and certificates to the XenServer host.
  3. Run the following command on the host:

    xe host-server-certificate-install certificate=<path_to_certificate_file> private-key=<path_to_private_key> certificate-chain=<path_to_chain_file>
    

    The certificate-chain parameter is optional.

For extra security, you can delete the private key file after the certificate is installed.

Manage the administrator password

When you first install a XenServer host, you set an administrator or root password. You use this password to connect XenCenter to your host or (with user name root) to log into xsconsole, the system configuration console.

If you join a host to a pool, the administrator password for the host is automatically changed to match the administrator password of the pool coordinator.

Note:

XenServer administrator passwords must contain only printable ASCII characters.

Change the password

You can use XenCenter, the xe CLI, or xsconsole to change the administrator password.

XenCenter

To change the administrator password for a pool or standalone host by using XenCenter, complete the following steps:

  1. In the Resources pane, select the pool or any host in the pool.
  2. On the Pool menu or on the Server menu, select Change Server Password.

To change the root password of a standalone host, select the host in the Resources pane, and click Password and then Change from the Server menu.

If XenCenter is configured to save your host login credentials between sessions, the new password is remembered. For more information, see Store your host connection state.

After changing the administrator password, rotate the pool secret. For more information, see Rotate the pool secret.

xe CLI

To change the administrator password by using the xe CLI, run the following command on a host in the pool:

  xe user-password-change new=<new_password>

Note:

Ensure that you prefix the command with a space to avoid storing the plaintext password in the command history.

After changing the administrator password, rotate the pool secret. For more information, see Rotate the pool secret.

xsconsole

To change the administrator password for a pool or a standalone host by using xsconsole, complete the following steps:

  1. On the pool coordinator, go to the console.
  2. Log in as root.
  3. Type xsconsole. Press Enter. The xsconsole is displayed.
  4. In xsconsole, use the arrow keys to navigate to the Authentication option. Press Enter.
  5. Navigate to Change Password. Press Enter.
  6. Authenticate with the administrator password.
  7. In the Change Password dialog:
    1. Enter your current password.
    2. Enter a new password.
    3. Enter the new password again to confirm it.

    The Password Change Successful screen is displayed. Press Enter to dismiss.

If the host is the pool coordinator, this updated password is now propagated to the other hosts in the pool.

After changing the administrator password, rotate the pool secret. For more information, see Rotate the pool secret.

Reset a lost root password

If you lose the administrator (root) password for your XenServer host, you can reset the password by accessing the host directly.

  1. Reboot the XenServer host.

  2. When the GRUB menu shows, press e to edit the boot menu entry.

  3. Add init=/sysroot/bin/sh to the line that starts with module2.

  4. Press Ctrl-X to boot into a root shell.

  5. At the command shell, run the following commands:

    chroot /sysroot
    passwd
    
    (type the new password twice)
    
    sync
    /sbin/reboot -f
    

If the host is the pool coordinator, this updated password is now propagated to the other hosts in the pool.

After changing the administrator password, rotate the pool secret. For more information, see Rotate the pool secret.

Change the NTP configuration on a server

You can update the NTP configuration for your server from xsconsole.

  1. In the host console, type xsconsole.
  2. In xsconsole, go to Network and Management Interfaces > Network Time (NTP).
  3. Enter your password to proceed.
  4. From the Configure Network Time menu, choose the option you want to configure.

Prepare a pool of XenServer hosts for maintenance

Before performing maintenance operations on a host that is part of a resource pool, you must disable it. Disabling the host prevents any VMs from being started on it. You must then migrate its VMs to another XenServer host in the pool. You can do this by placing the XenServer host into maintenance mode by using XenCenter. For more information, see Run in maintenance mode in the XenCenter documentation.

Backup synchronization occurs every 24 hrs. Placing the pool coordinator in maintenance mode results in the loss of the last 24 hrs of RRD updates for offline VMs.

Warning:

We highly recommend rebooting all XenServer hosts before installing an update and then verifying their configuration. Some configuration changes only take effect when the XenServer host is rebooted, so the reboot might uncover configuration problems that can cause the update to fail.

To prepare a host in a pool for maintenance operations by using the CLI

  1. Run the following commands:

    xe host-disable uuid=XenServer_host_uuid
    xe host-evacuate uuid=XenServer_host_uuid

    These commands disable the XenServer host and then migrate any running VMs to other XenServer hosts in the pool.

  2. Perform the desired maintenance operation.

  3. Enable the XenServer host when the maintenance operation is complete:

    xe host-enable
    
  4. Restart any halted VMs and resume any suspended VMs.

Configure host power-on

Powering on hosts remotely

You can use the XenServer host Power On feature to turn a host on and off remotely, either from XenCenter or by using the CLI.

To enable host power, the host must have one of the following power-control solutions:

  • Wake on LAN enabled network card.

  • Intelligent Platform Management Interface (IPMI).

  • A custom script based on the management API that enables you to turn the power on and off through XenServer. For more information, see Configuring a custom script for the Host Power On feature in the following section.

Using the Host Power On feature requires two tasks:

  1. Ensure the hosts in the pool support controlling the power remotely. For example, they have Wake on LAN functionality or support IPMI, or you have created a custom script.

  2. Enable the Host Power On functionality using the CLI or XenCenter.

Use the CLI to manage host power-on

You can manage the Host Power On feature using either the CLI or XenCenter. This section provides information about managing it with the CLI.

Host Power On is enabled at the host level (that is, on each XenServer).

After you enable Host Power On, you can turn on hosts using either the CLI or XenCenter.

To enable host power-on by using the CLI

Run the command:

xe host-set-power-on-mode host=<host uuid> \
    power-on-mode=("" , "wake-on-lan", "IPMI","custom") \
    power-on-config=key:value

To turn on hosts remotely by using the CLI

Run the command:

xe host-power-on host=<host uuid>

Configure a custom script for the Host Power On feature

If your host’s remote-power solution uses a protocol that is not supported by default (such as Wake-On-Ring or Intel Active Management Technology), you can create a custom Linux Python 3 script to turn on your XenServer computers remotely. However, you can also create custom scripts for IPMI and Wake on LAN remote-power solutions.

This section provides information about configuring a custom script for Host Power On using the key-value pairs associated with the XenServer API call host.power_on.

When you create a custom script, run it from the command line each time you want to control power remotely on a XenServer host. Alternatively, you can specify it in XenCenter and use the XenCenter UI features to interact with it.

The XenServer API is documented in the XenServer Management API.

Warning:

Do not change the scripts provided by default in the /etc/xapi.d/plugins/ directory. You can include new scripts in this directory, but you must never change the scripts contained in that directory after installation.

Key-value pairs

To use Host Power On, configure the host.power_on_mode and host.power_on_config keys. See the following section for information about the values.

There is also an API call that lets you set these fields simultaneously:

void host.set_host_power_on_mode(string mode, Dictionary<string,string> config)

host.power_on_mode
  • Definition: Contains key-value pairs to specify the type of remote-power solution.

  • Possible values:

    • An empty string, representing power-control disabled.

    • “IPMI”: Lets you specify Intelligent Platform Management Interface.

    • “wake-on-lan”: Lets you specify Wake on LAN.

    • Any other name (used to specify a custom power-on script). This option is used to specify a custom script for power management.

  • Type: string

host.power_on_config
  • Definition: Contains key-value pairs for mode configuration. Provides additional information for IPMI.

  • Possible values:

    • If you configured IPMI as the type of remote-power solution, you must also specify one of the following keys:

      • “power_on_ip”: The IP address that you configured to communicate with the power-control card.

      • “power_on_user”: The IPMI user name associated with the management processor, which you might have changed from its factory default settings.

      • “power_on_password_secret”: Specifies using the secrets feature to secure your password.

    • To use the secrets feature to store your password, specify the key “power_on_password_secret”. For more information, see Secrets.

  • Type: Map (string, string)

Sample script

The sample script imports the XenServer API, defines itself as a custom script, and then passes parameters specific to the host you want to control remotely. You must define the session parameter in all custom scripts.

The result appears when the script is unsuccessful.

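import XenAPI

# Custom power-on entry point. power_on_config holds the key-value
# pairs configured in host.power_on_config for the remote host.
def custom(session, remote_host, power_on_config):
    result = "Power On Not Successful"
    # Append each configuration key-value pair to the returned message.
    for key in power_on_config.keys():
        result = result + " key=" + key + " value=" + power_on_config[key]
    return result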

Note:

After creating the script, save it in /etc/xapi.d/plugins with a .py extension.
