[opensuse] Re: linux virtualisation
jdd wrote:
Another solution is vserver (http://linux-vserver.org/Welcome_to_Linux-VServer.org). I know this works very well on high-end HW (I use it as a client; it was not configured by me).
But this has to run on remotely hosted HW, with openSUSE 11 or any other Linux/BSD that can be managed (and installed) remotely.
Does somebody here have *practical* experience of such a thing? I have no need of a graphical interface; most hosts will use some sort of wiki or SPIP CMS. I will have only one IP.
I have 6 vservers running on a Celeron 2.6 GHz w/ 1 GB main memory, without any performance problems. The host system provides no public services at all, just iptables, ntpd, and a heavily restricted ssh. The vservers are used to encapsulate a Web server, a mail server, a DNS server, and a VPN gateway, all of them Internet-facing, and two vservers with internal backend functionality (PostgreSQL and an application server) that are used by the other vservers.

The installation works like a charm and is very low-maintenance. The system is headless and managed purely via ssh.

A tip: it is very important to put upfront thought into update and patch management; that's independent of any virtualization solution.

The problematic point with vservers is IMHO that there's a lot of documentation -- but no good documentation ... one has to experiment a lot when setting the stuff up. Oh yeah, and there are no vserver packages for openSUSE, AFAIK. (My setup uses Debian, both for available packages and also for its much longer release cycle.)

HTH,
Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod    Email: jschrod@acm.org
Roedermark, Germany

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Joachim Schrod wrote:
I have 6 vservers running on a Celeron 2.6 GHz w/ 1 GB main memory, without any performance problems. The host system provides no public services at all, just iptables, ntpd, and a heavily restricted ssh. The vservers are used to encapsulate a Web server, a mail server, a DNS server, and a VPN gateway;
I'm curious, Joachim - why did you opt for individual vservers for these services? Admin? Security? I've got one or two boxes that are overdue for replacement, and they currently run mail+DNS+Web+other, but all as one server. I was just wondering what the advantage of each of them running in its own virtual server would be?

/Per

--
Per Jessen, Zürich (1.6°C)
Hi,

Per Jessen wrote:
I have 6 vservers running on a Celeron 2.6 GHz w/ 1 GB main memory, without any performance problems. The host system provides no public services at all, just iptables, ntpd, and a heavily restricted ssh. The vservers are used to encapsulate a Web server, a mail server, a DNS server, and a VPN gateway;
I'm curious Joachim - why did you opt for individual vservers for these services? Admin? Security?
Security is the only reason. With that setup I'm able to associate a lower risk with local exploits than with remotely exploitable vulnerabilities. If I ran the services on one single (logical) host, a remote exploit for one service would be able to use the local exploits of other services to gain full admin access. With my setup, I can confine that risk to one vserver. Still bad, but not as bad as the alternative. Of course, it takes some shielding of the vservers against each other; that's also the reason why the backend services (database and (non-Java :-) app server) run in their own vservers again: to separate remote and local vulnerabilities in my risk management.

But: Your question about administration gives me a nice opportunity for a rant: Virtualization is often sold as an _easy_ way to have a flexible way to handle one's services. E.g., being able to move them from one physical host to another, back them up completely, maybe having snapshots (VMware), etc. Well, the term _easy_ is garbage here -- in general, separating services into virtualized systems means *more* admin work. One has to set up more systems, one has to back them up, update them, monitor them, check their log files, keep their configuration consistent. After all, each virtualized host is a fully installed host in its own right that needs almost all the administration.

Therefore, if one goes along that road, one should have an infrastructure that supports that work. E.g., something like cfengine to keep configurations of all systems consistent and up to date. Automatic log collection and survey systems (logwatch is a pain to set up properly, though) -- please note that this can partly be done more securely without syslog on the virtual hosts. Monitoring (e.g., with Nagios) where the configuration is not written by hand but generated somehow, to be able to easily add yet another host to monitoring. etc.pp. (I refrain from naming the proprietary alternatives for system management... ;-))

It is a pity that one has to create this kind of environment oneself and that most of our open source management tools are not sufficiently ready to approach this task. Thus, for many small shops, who don't have the necessary skills, server virtualization is a double-edged sword where the sharp side is often overlooked.

Joachim

PS: My company makes virtualization concepts / data center consolidation for big companies for a living; that's why I have the infrastructure ready for my own small 6-person shop as well...

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod    Email: jschrod@acm.org
Roedermark, Germany
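The "shielding of the vservers against each other" that Joachim mentions, and jdd's single-IP constraint, are what the following script is about. It is an added example, not code from the thread or from the Linux-VServer project: a generator for an iptables policy on a host with one public address, where each Internet-facing service lives in its own guest on a private subnet routed through the host, public ports are DNATed into the guest that serves them, and guests may only open connections to each other along declared backend dependencies (web to app and database, mail and web to DNS). Every address, interface name, port and dependency is a constructed assumption. It also assumes the guests sit behind the host's FORWARD chain (bridged or network-namespaced guests); Linux-VServer guests that share the host's network stack as IP aliases would need the same policy expressed on the INPUT and OUTPUT chains instead. The script only prints iptables commands, so it can be reviewed before being piped into a shell.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables policy for a
# single-public-IP host whose Internet-facing services each run in their
# own guest on a private subnet routed through the host. All addresses,
# ports and dependencies below are constructed assumptions.
#
# Policy: the host exposes nothing but ssh from an admin network; public
# ports are DNATed into the guest that serves them; guests may open
# connections to each other only along declared backend dependencies, so a
# compromised front end reaches its own database but not the mail guest.

PUBLIC_IP="203.0.113.10"     # assumed public address (documentation range)
PUBLIC_IF="eth0"             # assumed external interface
GUEST_NET="10.0.0.0/24"      # assumed private guest subnet
ADMIN_NET="198.51.100.0/24"  # assumed network allowed to ssh to the host

# Constructed guest table: name, address, published proto/port list ("-" = internal only)
GUESTS="
web   10.0.0.11 tcp/80,tcp/443
mail  10.0.0.12 tcp/25,tcp/587,tcp/993
dns   10.0.0.13 udp/53,tcp/53
vpn   10.0.0.14 udp/1194
pgsql 10.0.0.21 -
app   10.0.0.22 -
"

# Constructed dependency table: client guest, server guest, proto, port
DEPS="
web  app   tcp 8080
web  pgsql tcp 5432
app  pgsql tcp 5432
web  dns   udp 53
mail dns   udp 53
"

guest_ip() {  # guest name -> private address (empty if unknown)
  printf '%s\n' "$GUESTS" | awk -v n="$1" '$1 == n { print $2 }'
}

# The host itself: no public services, ssh only from ADMIN_NET.
gen_host_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $PUBLIC_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# NAT: publish each guest's ports on the single public address; SNAT guest egress.
gen_nat_rules() {
  printf '%s\n' "$GUESTS" | awk -v pub="$PUBLIC_IP" -v ifc="$PUBLIC_IF" '
    NF == 3 && $3 != "-" {
      n = split($3, svc, ",")
      for (i = 1; i <= n; i++) {
        split(svc[i], pp, "/")   # pp[1] = proto, pp[2] = port
        printf "iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", ifc, pub, pp[1], pp[2], $2, pp[2]
      }
    }'
  echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $PUBLIC_IF -j SNAT --to-source $PUBLIC_IP"
}

# Forwarding policy: outside -> published ports, guest -> guest only per DEPS,
# every other guest-to-guest connection dropped, guest egress to the outside allowed.
gen_forward_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # 1. new connections from the outside to the guest that publishes the port
  printf '%s\n' "$GUESTS" | awk -v ifc="$PUBLIC_IF" '
    NF == 3 && $3 != "-" {
      n = split($3, svc, ",")
      for (i = 1; i <= n; i++) {
        split(svc[i], pp, "/")
        printf "iptables -A FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n", ifc, $2, pp[1], pp[2]
      }
    }'
  # 2. declared backend dependencies, with guest names resolved to addresses
  printf '%s\n' "$DEPS" | awk -v g="$GUESTS" '
    BEGIN { n = split(g, line, "\n"); for (i = 1; i <= n; i++) if (split(line[i], f, " ") == 3) ip[f[1]] = f[2] }
    NF == 4 { printf "iptables -A FORWARD -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n", ip[$1], ip[$2], $3, $4 }'
  # 3. anything else between guests is dropped; egress to the Internet is allowed
  echo "iptables -A FORWARD -s $GUEST_NET -d $GUEST_NET -j DROP"
  echo "iptables -A FORWARD -s $GUEST_NET -o $PUBLIC_IF -m state --state NEW -j ACCEPT"
}

gen_host_rules
gen_nat_rules
gen_forward_rules
```

Run it as `sh gen-rules.sh` to review the output, then `sh gen-rules.sh | sh` on the host once it looks right. The point of keeping the guest and dependency tables declarative is the one Joachim makes about generated monitoring configuration: adding a seventh guest is one more line in each table, and the "default drop between guests" rule never has to be rewritten by hand.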
Joachim Schrod wrote:
for a rant: Virtualization is often sold as an _easy_ way to have a flexible way to handle one's services. E.g., being able to move them from one physical host to another, backup them completely,
I understand this versus having each service on different HW, not versus having everything on the same box :-)

jdd

--
http://www.dodin.net
http://valerie.dodin.org
http://www.youtube.com/watch?v=t-eic8MSSfM
http://www.facebook.com/profile.php?id=1412160445