# Production Setup

Complete guide for deploying Noid in production environments with high availability and security.
## Prerequisites

### Hardware Requirements

Minimum:

- CPU: 4 cores with KVM support
- RAM: 16GB
- Storage: 100GB SSD
- Network: 1Gbps

Recommended:

- CPU: 8+ cores with KVM support
- RAM: 32GB+
- Storage: 500GB+ NVMe SSD (btrfs)
- Network: 10Gbps

### Software Requirements

- Ubuntu 22.04 LTS or newer
- Linux kernel 5.10+
- KVM enabled
- systemd
## Installation

### 1. Install Dependencies

```bash
# Update system
sudo apt-get update && sudo apt-get upgrade -y

# Install required packages
sudo apt-get install -y \
    build-essential \
    curl \
    git \
    btrfs-progs \
    qemu-kvm \
    libvirt-daemon-system \
    bridge-utils

# Verify KVM
lsmod | grep kvm
```

### 2. Install Firecracker

```bash
# Download Firecracker
ARCH="$(uname -m)"
VERSION="v1.6.0"
curl -L https://github.com/firecracker-microvm/firecracker/releases/download/${VERSION}/firecracker-${VERSION}-${ARCH}.tgz \
    -o firecracker.tgz

# Extract and install
tar -xzf firecracker.tgz
sudo mv release-${VERSION}-${ARCH}/firecracker-${VERSION}-${ARCH} /usr/local/bin/firecracker
sudo chmod +x /usr/local/bin/firecracker

# Verify installation
firecracker --version
```

### 3. Install Noid Server

```bash
# Download Noid server binary
curl -L https://github.com/noid-one/noid/releases/latest/download/noid-server-linux-amd64 \
    -o noid-server

# Install
sudo mv noid-server /usr/local/bin/
sudo chmod +x /usr/local/bin/noid-server

# Verify
noid-server --version
```
## Configuration

### 1. Storage Setup

Create a btrfs filesystem for fast snapshots:

```bash
# Format partition with btrfs (destroys any existing data on the device;
# /dev/nvme0n1p1 is an example, substitute your own partition)
sudo mkfs.btrfs /dev/nvme0n1p1

# Mount
sudo mkdir -p /var/lib/noid
sudo mount /dev/nvme0n1p1 /var/lib/noid

# Add to /etc/fstab for persistence
echo "/dev/nvme0n1p1 /var/lib/noid btrfs defaults 0 0" | sudo tee -a /etc/fstab
```
### 2. Server Configuration

Create `/etc/noid/config.toml`:

```toml
[server]
host = "0.0.0.0"
port = 7654
tls_cert = "/etc/noid/certs/cert.pem"
tls_key = "/etc/noid/certs/key.pem"

[storage]
base_path = "/var/lib/noid"
base_rootfs = "/var/lib/noid/base/rootfs.ext4"

[limits]
max_vms = 100
max_vcpus_per_vm = 8
max_memory_per_vm = 16384 # MB
max_vms_per_user = 10

[network]
bridge_name = "noid0"
subnet = "172.16.0.0/16"
ip_pool_start = "172.16.0.10"
ip_pool_end = "172.16.255.254"

[logging]
level = "info"
file = "/var/log/noid/server.log"
audit = true
audit_file = "/var/log/noid/audit.log"

[auth]
token_length = 64
```
### 3. TLS Certificate Setup

Using Let's Encrypt:

```bash
# Install certbot
sudo apt-get install -y certbot

# Get certificate (the standalone challenge needs inbound TCP port 80 to reach this host)
sudo certbot certonly --standalone -d noid.example.com

# Link certificates
sudo mkdir -p /etc/noid/certs
sudo ln -s /etc/letsencrypt/live/noid.example.com/fullchain.pem \
    /etc/noid/certs/cert.pem
sudo ln -s /etc/letsencrypt/live/noid.example.com/privkey.pem \
    /etc/noid/certs/key.pem

# Auto-renewal
sudo crontab -e
# Add: 0 3 * * * certbot renew --quiet && systemctl restart noid-server
```

Certbot keeps the real files under `/etc/letsencrypt/live` and `/etc/letsencrypt/archive`, which are readable by root only, so the `noid` service user created in the Systemd Service section cannot read `key.pem` through the symlink. Grant that user read access (for example with `setfacl`) or copy the files into `/etc/noid/certs` from a certbot deploy hook and `chown` them to `noid`. Renewal also needs port 80 reachable at renewal time; the firewall rules in the Security Hardening section open only 7654 and 22.
### 4. Network Configuration

```bash
# Create bridge network (these ip commands do not survive a reboot;
# recreate the bridge at boot via netplan or systemd-networkd)
sudo ip link add noid0 type bridge
sudo ip addr add 172.16.0.1/16 dev noid0
sudo ip link set noid0 up

# Enable NAT for VM internet access
sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -o noid0 -j MASQUERADE
# Keep guests off the management network (10.0.1.0/24 is the HA/NFS subnet used later in this guide)
sudo iptables -A FORWARD -i noid0 -d 10.0.1.0/24 -j DROP
sudo iptables -A FORWARD -i noid0 -j ACCEPT
# Allow replies back to the guests when the FORWARD policy is DROP
sudo iptables -A FORWARD -o noid0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Save iptables rules (iptables-persistent creates /etc/iptables and reloads the rules at boot)
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4

# Enable IP forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
## Systemd Service

Create `/etc/systemd/system/noid-server.service`:

```ini
[Unit]
Description=Noid MicroVM Server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=noid
Group=noid
ExecStart=/usr/local/bin/noid-server --config /etc/noid/config.toml
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/noid /var/log/noid

# Resource limits
LimitNOFILE=65536
LimitNPROC=32768

[Install]
WantedBy=multi-user.target
```

Create the service user:

```bash
sudo useradd -r -s /bin/false noid
# /dev/kvm is owned by group kvm on Ubuntu; the service needs it to launch microVMs
sudo usermod -aG kvm noid
sudo mkdir -p /var/lib/noid /var/log/noid
sudo chown -R noid:noid /var/lib/noid /var/log/noid
```

Enable and start the service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable noid-server
sudo systemctl start noid-server
sudo systemctl status noid-server
```
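Hardening directives in a unit file are easy to lose during a later edit, and `systemctl status` will not tell you. The check below is an added example, not part of the Noid project: it parses a unit file and reports any deviation from the hardening set shown above (non-root `User`, `NoNewPrivileges`, `PrivateTmp`, `ProtectSystem=strict`, `ProtectHome`, and a `ReadWritePaths` that stays inside the service's own directories). The unit texts embedded in it are constructed samples; the first is the unit from this guide, the second a deliberately weakened one.

```python
"""Audit a noid-server.service unit for the hardening this guide expects (added example)."""
import configparser

# Constructed sample: the unit from this guide.
HARDENED_UNIT = """
[Unit]
Description=Noid MicroVM Server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=noid
Group=noid
ExecStart=/usr/local/bin/noid-server --config /etc/noid/config.toml
Restart=always
RestartSec=5
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/noid /var/log/noid

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: no User (runs as root), weaker ProtectSystem, writable /.
WEAK_UNIT = """
[Unit]
Description=Noid MicroVM Server

[Service]
ExecStart=/usr/local/bin/noid-server --config /etc/noid/config.toml
ProtectSystem=full
ReadWritePaths=/

[Install]
WantedBy=multi-user.target
"""

# Directive values this guide's unit sets.
REQUIRED = {
    "NoNewPrivileges": "true",
    "PrivateTmp": "true",
    "ProtectSystem": "strict",
    "ProtectHome": "true",
}

# Paths the service legitimately writes to (from the guide's config).
ALLOWED_RW = {"/var/lib/noid", "/var/log/noid"}


def audit_unit(text: str) -> list[str]:
    """Return a list of findings; empty means the unit matches the hardening baseline."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # systemd directive names are case-sensitive
    parser.read_string(text)
    findings: list[str] = []

    if not parser.has_section("Service"):
        return ["unit has no [Service] section"]
    svc = parser["Service"]

    # systemd runs the service as root when User= is absent.
    if svc.get("User", "root") == "root":
        findings.append("service runs as root; set User=noid")

    for directive, expected in REQUIRED.items():
        actual = svc.get(directive)
        if actual != expected:
            findings.append(f"{directive}={actual or '<unset>'}, expected {expected}")

    for path in svc.get("ReadWritePaths", "").split():
        if path not in ALLOWED_RW:
            findings.append(f"ReadWritePaths grants write access outside the service dirs: {path}")

    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/systemd/system/noid-server.service"
    with open(path, encoding="utf-8") as fh:
        for finding in audit_unit(fh.read()):
            print("FINDING:", finding)
```

Pair it with `systemd-analyze security noid-server`, which scores the running unit's sandboxing; this script is the cheaper pre-deploy gate that keeps the baseline from drifting in version control.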
## Base Image Preparation

Create an optimized base rootfs:

```bash
# Create base directory
sudo mkdir -p /var/lib/noid/base

# Download Ubuntu cloud image
curl -L https://cloud-images.ubuntu.com/minimal/releases/jammy/release/ubuntu-22.04-minimal-cloudimg-amd64.img \
    -o /tmp/ubuntu.img

# Convert qcow2 to a raw disk image (still partitioned, not a bare filesystem)
sudo qemu-img convert -f qcow2 -O raw /tmp/ubuntu.img /tmp/ubuntu.raw

# Extract the root partition (the first partition) as a bare ext4 image;
# Firecracker boots a filesystem image, not a partition table
LOOP=$(sudo losetup -fP --show /tmp/ubuntu.raw)
sudo dd if="${LOOP}p1" of=/tmp/rootfs.img bs=4M status=progress
sudo losetup -d "${LOOP}"

# Grow the filesystem to 10G (resize2fs requires a clean fsck first)
sudo e2fsck -fy /tmp/rootfs.img
sudo resize2fs /tmp/rootfs.img 10G

# Move to base location
sudo mv /tmp/rootfs.img /var/lib/noid/base/rootfs.ext4
sudo chown noid:noid /var/lib/noid/base/rootfs.ext4
```
## High Availability Setup

### Load Balancer

Using HAProxy:

```
# /etc/haproxy/haproxy.cfg
frontend noid_frontend
    bind *:7654 ssl crt /etc/haproxy/certs/noid.pem
    default_backend noid_servers

backend noid_servers
    balance roundrobin
    option httpchk GET /health
    # "verify none" skips backend certificate checks; on an untrusted network
    # use "verify required ca-file <path>" instead
    server noid1 10.0.1.10:7654 check ssl verify none
    server noid2 10.0.1.11:7654 check ssl verify none
    server noid3 10.0.1.12:7654 check ssl verify none
```

### Shared Storage

Using NFS for checkpoint sharing:

```bash
# NFS server setup
sudo apt-get install -y nfs-kernel-server
echo "/var/lib/noid/checkpoints 10.0.1.0/24(rw,sync,no_subtree_check)" \
    | sudo tee -a /etc/exports
sudo exportfs -ra

# NFS client setup (on Noid servers)
sudo apt-get install -y nfs-common
sudo mount -t nfs nfs-server:/var/lib/noid/checkpoints \
    /var/lib/noid/checkpoints
```
## Security Hardening

### Firewall Configuration

```bash
# Allow only necessary ports
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 7654/tcp  # Noid server
sudo ufw allow 22/tcp    # SSH
sudo ufw enable
```

### Token Management

```bash
# Token files are secrets: keep the directory and files private
sudo install -d -m 0700 /etc/noid/tokens

# Generate admin token
noid-server token create --name admin --role admin \
    | sudo tee /etc/noid/tokens/admin.token > /dev/null

# Generate user tokens
noid-server token create --name user1 --role user \
    | sudo tee /etc/noid/tokens/user1.token > /dev/null
sudo chmod 600 /etc/noid/tokens/*.token

# Rotate tokens quarterly
noid-server token rotate --name admin
```

### SELinux/AppArmor

AppArmor profile for Firecracker:

```bash
# Create profile (the redirect must run as root, so write the file with tee)
sudo tee /etc/apparmor.d/firecracker > /dev/null << 'EOF'
/usr/local/bin/firecracker {
  # Allow Firecracker binary
  /usr/local/bin/firecracker mr,

  # Allow VM resources
  /var/lib/noid/** rw,

  # Network access
  network inet stream,
  network inet dgram,

  # KVM device
  /dev/kvm rw,

  # TAP device attachment for guest networking
  /dev/net/tun rw,
}
EOF

# Load profile
sudo apparmor_parser -r /etc/apparmor.d/firecracker
```
## Monitoring Setup

### Metrics Collection

```bash
# Install Prometheus node exporter
curl -LO https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz
tar xvf node_exporter-1.7.0.linux-amd64.tar.gz
sudo mv node_exporter-1.7.0.linux-amd64/node_exporter /usr/local/bin/
```

See the Monitoring Guide for the complete setup.
## Backup Strategy

### Automated Backups

```bash
#!/bin/bash
# /usr/local/bin/backup-noid.sh
set -euo pipefail

BACKUP_DIR="/backup/noid"
DATE=$(date +%Y%m%d-%H%M%S)

# Backups contain API tokens and the TLS key: keep them root-only
umask 077
mkdir -p "${BACKUP_DIR}"

# Backup checkpoints
rsync -av /var/lib/noid/checkpoints/ \
    "${BACKUP_DIR}/checkpoints-${DATE}/"

# Backup configuration (preserve ownership and modes)
cp -a /etc/noid "${BACKUP_DIR}/config-${DATE}"

# Cleanup old backups (keep 7 days). Prune whole top-level backup directories by
# their own age: rsync -a preserves file mtimes, so matching individual files
# would delete old checkpoints out of a freshly made backup.
find "${BACKUP_DIR}" -mindepth 1 -maxdepth 1 -mtime +7 -exec rm -rf {} +
```

Cron schedule:

```
0 2 * * * /usr/local/bin/backup-noid.sh
```
## Troubleshooting

### Check Service Status

```bash
sudo systemctl status noid-server
sudo journalctl -u noid-server -f
```

### Verify Network

```bash
# Check bridge
ip addr show noid0

# Test connectivity (-k skips certificate verification; fine for a local check only)
curl -k https://localhost:7654/health
```

### Resource Usage

```bash
# Memory usage
free -h

# Disk usage
df -h /var/lib/noid

# Running VMs (pgrep avoids matching the grep process itself)
pgrep -a firecracker
```

## Next Steps

- Monitoring - Set up monitoring
- Security - Security best practices
- CLI Reference - Using the Noid CLI