Install OSCAR

Open Source Clinical Applications & Resources

Step 4: Install OSCAR deb

Now that you have installed a bare Linux server with Ubuntu Server in a virtual machine, you can follow Peter HC's instructions and install the latest OSCAR deb.

Download the latest OSCAR deb to the OSCAR virtual machine, and install OSCAR via his instructions:

Instructions on installing OSCAR 19

 

 

Installing a Virtual Machine

How to install a Linux KVM virtual machine in preparation for OSCAR

Prerequisites:

You have prepared your clinic for self-hosting a Local Server.

Read: Hypervisor Host Server if you have not completed the following Prerequisites:

  • You have a server installed with Linux KVM.
  • You are using Virtual Machine Manager (virt-manager) to create and manage your Virtual Machines (you can also use the command line, but it's a lot harder)
  • You have bridge networking enabled on your server
  • You have downloaded the ISO file for Linux - Ubuntu Server and copied to your host server.
Step 1: Manage your Hypervisor Server

If you followed the previous instructions on setting up a bare metal hypervisor server with Linux KVM, you can now access your host server and create guest Virtual Machines (VMs), of which OSCAR can be one.

You have different options on accessing your host server:

Option A: Directly on the server

If you have a monitor, keyboard and mouse directly attached to the server, you can log in to the server by typing in your username and password.

Then enter the XFCE graphical user interface:

$ startx &

or

$ sudo xfce4-session &

 

Start the Virtual Machine Manager by accessing it in the Menu -> System Tools -> Virtual Machine Manager

or by starting a terminal session and typing:

$ virt-manager &

 

Option B: SSH to your server

SSH is a protocol for securely accessing the server through an encrypted channel. It allows you to connect to the server from another computer or location.

Use your favourite SSH program and ssh to the server IP. You can consider downloading and using SmarTTY.

Run the program and click on "Setup a new SSH Connection..."

Create a new connection profile:

 

Change the IP Host Name and server User name to what applies to your situation. Click "Connect". You should be connected to your server now. You can run Linux command lines or start the Virtual Machine Manager:

$ virt-manager &

Note: The "&" backgrounds the command (it runs the command in the background and lets you continue to work at the command line).

Copy the latest Ubuntu Server ISO to the host server

Download the latest Linux Ubuntu Server and copy it to your host server home directory ~/ such as "/home/administrator".

If you are using SmarTTY, you can go to menu "SCP -> Upload a file".

Upload a File with SCP

Local file name: find the ISO file that you downloaded on your computer

Remote directory: /home/administrator        (* Or whatever your administrator username is)

 

Click Upload.

* If you run into problems and get error messages, it means you are trying to upload to a directory that your username does not have permission to access. Please check that you are uploading to your home directory.

Step 2: Create a virtual disk

Once you have Virtual Machine Manager running, start by creating a virtual disk on which you will install the Linux server and then OSCAR.

Edit menu -> Connection Details -> Storage tab

Click on "New Volume".

Name the virtual disk file whatever you want, for example "oscar-server.img".

Choose Format: qcow2

Max Capacity: 50 GB (or any size you want)

Allocation: 50 GB

Click "Finish"

Step 3: Create a virtual machine

Inside Virtual Machine Manager, click on the icon "New".

Give a name to your virtual machine, ie. "OSCAR"

Choose "Local install media (ISO image or CDROM)".

Click Forward.

Choose "Use ISO image" and browse to find the ISO image of Linux Ubuntu Server.

Choose OS Type "Linux" (Find the closest version that matches, otherwise choose the highest Ubuntu version shown)

Click Forward.

Enter an amount of Memory: 2000 MB (or more if you like)

Enter how many CPU you want to assign to this VM: 2

Click Forward.

Select "Select managed or other existing storage", click Browse and select your previously created virtual disk "oscar-server.img", click "Choose Volume"

Click Forward.

You may adjust the settings before booting up the virtual machine by ticking the checkbox "Customize configuration before install".

Click the "Advanced Options" arrow to choose the ethernet device to use. Choose the bridge network that you created previously, or use "Specify shared device name" and type in the name of the bridge network that you created previously, ie. Bridge name: br0

* Write down the MAC address of this virtual network interface. You should create a fixed IP address attached to this MAC address on your router, so you can know where to access your OSCAR server later.

Click Finish.

If you selected "Customize configuration before install", you can make some final changes and then click the icon "Install".

The virtual machine server should show a window and start the Linux Ubuntu install process. Go through the same process (as explained in a previous post on installing Linux) and install a basic Linux server.

Some considerations when installing this Linux server for OSCAR:

  • Consider using full disk encryption using LVM-LUKS. This protects your OSCAR virtual disk data in case someone steals the server.
  • However, if you choose to encrypt the whole disk, you will need to be able to access the server console directly (or via SSH and the graphical Xming server) to type in the administrator password before you can boot up the OSCAR server. This may be an issue, if you experience power outages and the server restarts. Or if you shut down the server on purpose for maintenance, you will need to remember to check if OSCAR virtual machine is running and if the administrator password was typed in to continue the boot up sequence.
  • It will also be complicated if you run out of space and you want to expand the qcow2 disk that holds the encrypted LVM-LUKS system. If you used just a simple qcow2 disk, it is easier to expand the virtual disk, if you run out of space.
Next Steps:

Now that you have installed a bare Linux server with Ubuntu server in a virtual machine, you can now install other Linux packages.

Read Next: Instructions on installing OSCAR 19

Read Next: Preparation for Jitsi Meet

Hypervisor Host Server

Setting up host Linux KVM virtualization server

Before you start installing OSCAR or any other server applications, consider using a virtualization platform. Virtualization uses a host server that manages various guest servers. There are many options out there to choose from, such as VMware, Windows Hyper-V, Oracle VM VirtualBox, Proxmox VE, Linux KVM, or even Mac Parallels. Consider using an open source virtualization platform such as Proxmox VE and Linux KVM.

Virtualization allows you to save time, money and hardware. It allows for easier hardware management, without the need to reinstall the server software each time you want to upgrade hardware. Instead of installing one server application on one hardware server, you can set up one main server that acts as the hypervisor, on which you can install individual guest servers as virtual machines that run within the host hypervisor. For example, if you set up OSCAR as a virtual machine, the entire OSCAR can be encapsulated in a single image/container file. You can start up or shut down the OSCAR image without ever having to physically turn off your actual server hardware. If you packed your physical host server with lots of CPU, hard drives, and RAM to start, you can then divvy up how much of these resources go to OSCAR and how much go to another server (ie. Windows Server, email server, webserver etc). You can reassign and reallocate CPU cores, RAM, and other hardware resources at will. If you need to move to another more powerful server, it is as simple as copying over the virtualized image/container file. You can also make copies of the server and test out any changes for practice, before you commit to any actual changes on the live server.

Examples of other virtual servers running on the hypervisor server:
  • pfSense (virtual firewall appliance)
  • Windows Server: Active Directory, File Server, Remote Desktop environment
  • OSCAR electronic medical record system
  • Hylafax (fax server)
  • Owncloud/Nextcloud (private Dropbox/Google Drive like file server)
  • Asterisk/FreePBX (VoIP PBX system)
  • LDAP server
  • MySQL server
  • ZoneMinder (security system DVR)
  • OpenVPN (VPN server)
  • Zimbra (email server)
  • UCS Univention Corporate Server
  • Xibo (digital signage)
  • Wordpress/Joomla/Drupal (web page server)
  • Any test copies of servers

Linux KVM Virtualization Host Server

Setting up the Linux bare metal (Type 1 hypervisor) host server

Before you set up the server, you need to buy a physical server. There are a lot to choose from and, depending on your needs, they can range from a few hundred dollars to several thousand dollars. Once you have bought a server that fits your current needs (you can always upgrade to a better server later, and easily, since with virtualization you can just move the image/container file), come back to this article on setting up the virtualization server. Read Choosing Server Hardware

There are three main server operating systems: Windows, Mac OS or Linux. The majority of the Internet runs on some form of Linux. There are many flavours of Linux, some are commercial, some are open source. The most popular Linux server distributions are: Ubuntu, Red Hat, SUSE, CentOS, Debian, and Oracle Linux. Choose a Linux distribution that works for you. Many big companies also use Red Hat or CentOS. We find Ubuntu Linux the easiest to use.

If you decide to use Proxmox VE as the baremetal hypervisor, then you can skip this section on Linux KVM Virtualization Host Server.

However, here is an example of how to set up Linux KVM on an Ubuntu Server. We install from scratch because it allows you to minimize the host server's resource use (limiting waste and reserving more resources for the guest servers), and also to reduce the attack surface for vulnerabilities and insecurities.

Step 1: Download Ubuntu Server LTS (Long Term Support)

Go to Canonical's Ubuntu website and download the latest ISO image.

Burn the ISO to a DVD or make a bootable USB stick with a utility like BalenaEtcher.

Step 2: Enable Virtualization hardware in the BIOS of the server.

If you bought a CPU with VT-x or AMD-V, then you can run virtual servers on one machine. Determine the key to press in order to enter the BIOS screen for the motherboard by Googling the manufacturer name and "BIOS". Turn on the computer and press the key to enter the BIOS (usually Esc or one of the Function keys). Find the option that says "Intel VT-x" or "Intel Virtualization Technology" or "AMD-V" or "Virtualization Extensions" and enable it. This option may be in a submenu under Processor, Chipset, Advanced CPU Configuration or Northbridge. Once you have enabled the option, choose "Save the settings to CMOS and Exit the BIOS".

Step 3: Install the server with the Ubuntu DVD or bootable USB stick.

You may need to enter the BIOS again and enable the "Boot Order" so the server computer can boot with the DVD drive or a USB. Otherwise, the BIOS may only allow booting from the hard drives (security feature). You can disable this after you finish installing the server.

There are many great online tutorials on how to install Ubuntu Server. Follow these tutorials and customize your installation with the following considerations:

Customization Considerations:

  • Install the bare metal hypervisor server on to a separate SSD (you can hardware RAID that if you are extra careful) that is different from your main RAID hard drives that will store your virtual machines and other files. This way, if you need to replace the much used hard drives, you don't need to reinstall the bare metal server.
  • Partition your installation with separate root, boot, mount, and swap partitions:
    • /boot =  1 GB (ext4 file system)
    • swap = 2 GB (if you have lots of RAM, you don't need much swapfile space)
    • /mnt = 100 MB (ext4 file system) * This prevents backup scripts from filling up the root partition if copying to improperly mounted network drives
    • / = leftover space on the disk (ext4 file system)
  • If you use whole disk encryption at this stage, you run the risk of needing to be physically present to manually type in your root password every time the server restarts or reboots after a power outage.
  • If you encrypt the "Home" directory, you run the risk of some things stored in your "Home" directory not running until you log in as the user. So don't store scripts or virtual machine images in your Home directory if you choose to encrypt.
  • Allow Ubuntu to "install important security updates automatically".
  • If you have the option of running tasksel during the installation phase, consider installing these at this point (if not, we will show you how later):
    • Virtual Machines KVM
    • OpenSSH server

Various Tutorials and Resources on installing Ubuntu Server

Canonical

LinuxTechi

FossLinux

Step 4: Perform some initial housekeeping items

Once the server is installed, you can remove the installation media and boot in to the server. Using the administrator username and password you created when you installed the server, log in to the server.

Update and upgrade the server:

$ sudo apt-get update && sudo apt-get upgrade

 

Allow the server to automatically remove unused dependencies (to keep the /boot from filling up). Edit the config file with nano:

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find the line that looks like the following and remove the "//" characters in the beginning of the line (uncomment), and change the parameter to "true":

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Press Ctrl-O to save, Ctrl-X to exit.

Lower the wait time "Raising networking interfaces...." when booting the server, in case you have multiple network interfaces and not all are connected to a network with DHCP:

$ sudo nano /etc/dhcp/dhclient.conf

Edit the timeout to be 15 seconds:

timeout 15;

 

Step 5: (Optional) Install a lightweight graphical user interface

Sometimes, navigating and operating a server with the command line only is difficult. If you prefer a graphical user interface (and you installed the Ubuntu Server edition, and not the Desktop edition), you can install the lightweight XFCE desktop GUI.

$ sudo apt-get update

$ sudo apt-get install xfce4

Whenever you want to start the GUI, type the command:

$ startx &

or

$ sudo xfce4-session &

Now you can use the graphical desktop to load a Terminal window and continue working on your installations.

Step 6: Install OpenSSH Server

If you did not install this originally with Tasksel, then install and configure it now.

$ sudo apt-get update

$ sudo apt-get install openssh-server

$ sudo systemctl enable ssh

Edit the configuration file:

$ sudo nano /etc/ssh/sshd_config

Modify the settings with the following:

PermitRootLogin prohibit-password
MaxAuthTries 10
PasswordAuthentication yes

(Choose "no" for PasswordAuthentication if you plan on using SSH keys only for SSH login.)

Press Ctrl-O to save, Ctrl-X to exit.
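
A check for the three settings above, as an added example that is not part of the original page: it reads an sshd_config file the way sshd does (first value wins, keywords are case-insensitive, commented lines are ignored) and reports what is actually in effect. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the three sshd_config
# keywords set in Step 6. Handles the whitespace-separated "Keyword value" form.

# Print the effective value of keyword $2 in file $1 (empty if unset).
# sshd keeps the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and '#' lines are comments. Parsing stops at the first
# Match block because settings below it apply only conditionally.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/          { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { print tolower($2); exit }
    ' "$1"
}

# Print one line per keyword; return 1 if any line is a WARN.
sshd_audit() {
    f=$1; rc=0
    root=$(sshd_effective "$f" PermitRootLogin)
    tries=$(sshd_effective "$f" MaxAuthTries)
    pass=$(sshd_effective "$f" PasswordAuthentication)
    # OpenSSH defaults apply when a keyword is absent.
    root=${root:-prohibit-password}; tries=${tries:-6}; pass=${pass:-yes}

    case $root in
        no|prohibit-password|without-password|forced-commands-only)
            echo "OK   PermitRootLogin $root" ;;
        *)  echo "WARN PermitRootLogin $root (root password login is not ruled out)"; rc=1 ;;
    esac
    case $tries in
        *[!0-9]*) echo "WARN MaxAuthTries $tries (not a number)"; rc=1 ;;
        *)  if [ "$tries" -gt 6 ]; then
                echo "NOTE MaxAuthTries $tries (above the OpenSSH default of 6)"
            else
                echo "OK   MaxAuthTries $tries"
            fi ;;
    esac
    if [ "$pass" = no ]; then
        echo "OK   PasswordAuthentication no (key-based logins only)"
    else
        echo "NOTE PasswordAuthentication $pass (passwords can be guessed; consider keys or fail2ban)"
    fi
    return $rc
}

# Constructed sample file, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin prohibit-password
MaxAuthTries 10
passwordauthentication yes
PasswordAuthentication no
EOF
sshd_audit "$sample" || echo "Fix the WARN lines before restarting sshd."
```

On a live host, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective settings, including defaults and any included files.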

Step 7: Install Linux KVM

Install the virtual machine server, virtual machine manager, bridge networking and dependencies:

$ sudo apt-get update

$ sudo apt-get install qemu-kvm-spice libvirt-bin bridge-utils virt-manager

You can run the GUI Virtual Machine Manager from the "System Tool" menu or with the command:

$ virt-manager &

 

Step 8: Set Up Bridge Networking

Bridge networking allows you to connect your virtual machine servers to access the same network connection of the host server (the baremetal hypervisor) and also see each other on the same network.

Examine all the available network interfaces you have and their names and MAC address:

$ sudo ifconfig -a

The names of the network interfaces may be something like: eth0 or ens0 for one network NIC; eth1 or ens1 for a second network NIC

Install dependencies for bridge networking:

$ sudo apt-get install bridge-utils

 

Configure Bridge Networking (Ubuntu 16 LTS and earlier):

$ sudo nano /etc/network/interfaces

 

Edit the file to look something like this with your preferred options:

auto lo
iface lo inet loopback

# Primary network interface
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    post-up ip link set br0 address 00:50:79:f0:ab:a8

# Secondary network interface
# If you have other network interfaces, you can add them below and follow the template above,
# but change the interface and bridge names (ie. eth1 and br1) and the corresponding MAC address
# as shown by the "ifconfig -a" command
# Here is an example of a static IP configuration
auto eth1
iface eth1 inet manual

auto br1
iface br1 inet static
    address 192.168.2.10
    netmask 255.255.255.0
    gateway 192.168.2.1
    bridge_ports eth1
    bridge_stp off
    bridge_maxwait 0
    post-up ip link set br1 address 00:50:79:f0:ab:a7

Press Ctrl-O to save, Ctrl-X to exit.

Restart the networking service with the command:

$ sudo systemctl restart networking

* You may need to restart the server if the above step doesn't work

 

Configure Bridge Networking (Ubuntu 18 LTS and later):
Note: Read these instructions for bridge networking on Ubuntu 18 LTS and later.

$ sudo ls /etc/netplan/

$ sudo nano /etc/netplan/*.yaml

 

Edit the Netplan YAML file. Indentation is significant: use spaces instead of tabs and keep the indentation consistent, or else the YAML file won't load.

network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            dhcp4-overrides:
                route-metric: 10
            interfaces:
                - eth0
            parameters:
                stp: false
                forward-delay: 0

Press Ctrl-O to save, Ctrl-X to exit.
* Note: stp should be false and forward-delay should be 0 for some services like OpenVPN to work.
 

Load the netplan yaml file changes:

$ sudo netplan generate

$ sudo netplan apply

* If netplan fails to generate, check your yaml file for proper indentation and formatting.
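
A pre-check for the indentation failure described above, as an added example that is not part of the original page: it lists, by line number, tabs in the indentation and indents that do not fit the file's indent step. The function name and sample files are constructed, and the multiple-of-first-indent rule is a heuristic assumed here, stricter than YAML itself.

```shell
#!/bin/sh
# Added example (not from the original page): heuristic indentation pre-check
# for a Netplan YAML file before running "netplan generate".

# Prints one line per problem and returns 1 if any were found:
#  - a tab anywhere in the leading whitespace (YAML forbids tabs for indentation)
#  - an indent that is not a multiple of the first indent step used in the file
#    (a consistency heuristic, stricter than YAML itself)
netplan_indent_check() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            match($0, /^[ \t]*/)
            lead = substr($0, 1, RLENGTH)
            if (index(lead, "\t") > 0) {
                printf "line %d: tab in indentation\n", NR; bad = 1; next
            }
            n = length(lead)
            if (n > 0 && unit == 0) unit = n     # first indented line sets the step
            if (unit > 0 && n % unit != 0) {
                printf "line %d: indent of %d is not a multiple of %d\n", NR, n, unit
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples: a bridge config in the style of this page, and a damaged one.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
network:
    version: 2
    renderer: networkd
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            interfaces:
                - eth0
            parameters:
                stp: false
                forward-delay: 0
EOF
# Damaged file: a tab before "ethernets:" and a 7-space indent on "eth0:".
printf 'network:\n    version: 2\n\tethernets:\n       eth0:\n            dhcp4: no\n' > "$bad"

netplan_indent_check "$good" && echo "good file: indentation is consistent"
netplan_indent_check "$bad"  || echo "bad file: fix the lines listed above"
```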

Now you can start creating guest Virtual Machines (VMs) and install OSCAR!

Read Install OSCAR

 
Other Commands:

 

Logging out:

$ exit

 

Shutting down the server:

$ sudo shutdown -P now

 

Restarting the server:
$ sudo shutdown -r now

 

Show network route (including metric):

$ sudo route -n

 

Read Next: Install Virtual Machine
 
Other Optional Installation:
  • terminator
  • fail2ban
  • google-chrome-stable
  • gnome-system-monitor
  • gedit
  • ifmetric

 

 

Choosing Server Hardware

Server specifications for electronic medical record system

This is a difficult topic to write about when giving you advice on what kind of server you will need to get without knowing your specific current needs and future needs. It also depends on your risk tolerance for failure and how much you want to spend. However, here are some points for discussion.

If you are thinking of running other server applications (such as Windows Server, firewall appliances, virtual desktop environments etc), consider getting a bigger server with more CPU and RAM, and then use virtualization (read Hypervisor Server) to save yourself from buying a separate hardware server for each type of server.

There are people who have installed OSCAR on a $50 Raspberry Pi computer (although we would not recommend this). There is a physician who runs his 2-doctor clinic on a re-purposed Mac Mini (running Parallels). Some physicians may try to install OSCAR on a Windows OS or on an Ubuntu Desktop computer and keep that running all the time. You can even use a good quality desktop computer (with a CPU that supports virtualization) to run a server. All this is possible, however, it may not fit your specific circumstance.

Some examples for server hardware:
Server for OSCAR EMR with 40 providers:
  • Dell PowerEdge Server
  • Dual CPU Xeon processors
  • iDRAC SSD PERC RAID controller for hard drives
  • 72 GB ECC (error-correcting) RAM
  • Dual power supply
  • Dual NIC (network interfaces)
Server for 10 providers:
  • HP Proliant Server
  • Single CPU Xeon processor
  • HPE Dynamic Smart Array B120i RAID controller for hard drives
  • 32 GB ECC RAM
  • Single power supply (but a spare one on hand in case it needs to be replaced quickly)
  • Dual NIC
Server for 2 providers:
  • Mac Mini

Some General Advice on Picking a Server

  • Choose a CPU that has Virtualization hardware features (Intel VT-X or AMD-V)
  • Use error-correcting memory (ECC RAM). Get as much RAM as you can afford and need.
  • Use a RAID controller (hardware is preferable, but you can also use Linux software RAID)
  • Buy at least 2 hard drives and RAID them to protect against data loss from hard drive failure. Consider using enterprise grade hard drives such as SAS drives (instead of regular SATA drives). Besides the traditional mechanical drives (SAS or SATA), consider using SSDs if you want even faster server performance.
  • Have a backup power supply unit (either built-in redundant power supply or a spare one on hand you can install quickly)
  • Dual ethernet NIC (or you can buy a separate network card or a multi-NIC network card to install in the expansion slots)

* Keep in mind that OSCAR will run decently on a regular desktop computer (any CPU) with 2-4 GB of RAM, and 50 GB of hard drive space.

Read Next: Hypervisor Host Server

Firewall Setup

Setting up the network firewall

The network firewall is the most important piece of your router. It acts as a gateway to protect your clinic from outside bad actors that try to infiltrate your network infrastructure and do damage. Although the firewall is not the only thing that protects you, it is an important piece of the overall security practice. The firewall essentially blocks outside requests to enter the office network, and only allows "authorized connections". However, anything inside the network can request to access something outside the network (ie. a webpage), and then that connection can be considered an "authorized connection". Even with the best firewall, social engineering techniques can trick you and your staff into allowing malware to infiltrate your system. Therefore, safe security practices not only include hardware and software, but also policies & procedures that are adhered to, and adequate training of all your computer users.

Depending on what kind of firewall you use (whether built into the router, or a separate appliance), it can go from simple to very complicated to set up and manage. There are probably manuals written on how to set up a firewall. Ask your IT person, computer-savvy friend, or Google for how to do it properly.

Here are some settings you should consider configuring:
  • Turn on Stateful Packet Inspection (SPI)
  • Disable external SSH management of the router
  • Disable external web management of the router
  • Disable external telnet management of the router
  • Disable WPS
  • Disable UPnP
  • Block anonymous WAN requests (ping)
  • Block WAN SNMP access
  • Block all ports (by default) from accessing the network from the outside, and only enable the ones that you want and know should be allowed to enter without being requested from inside the network. Only open the ports when you need them, for specific applications within your clinic.
  • "Open ports" and use "port forwarding" to redirect external access requests to the internal IP address of your device/server application:
    • 80: if you have a webserver that serves web pages
    • 443: if you have an SSL encrypted webserver
    • 8443 (or whatever port you want): if you plan on using this for your OSCAR server
    • 1194: OpenVPN server
    • 25, 143, 587, 993, 995: if you have an email server
  • You do NOT need to open ports if all you want to do is surf the web.

Read Next: Choosing Server Hardware