[opensuse-factory] updating virtual host
Hello,
It's a bit of a theoretical question, because I don't manage virtual machines at the moment, but I just noticed one of my host vendors does provide several IPs for cheap servers, and this may be very handy to have virtual machines (http://www.soyoustart.com/fr/offres/e3-sat-1.xml).
I see these days a lot of kernel updates. For what I know, updating kernel needs rebooting.
but rebooting a *host* means switching off then on any virtual machine, isn't it?
at the same time, I see some servers with uptime of one year and more. https://en.wikipedia.org/wiki/Uptime
so my question: how do you manage the security of servers acting as host for, say, 10 virtual machines.
any pointer to answer on the web welcome :-)
thanks
jdd
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
jdd wrote:
Hello,
It's a bit of a theoretical question, because I don't manage virtual machines at the moment, but I just noticed one of my host vendors does provide several IPs for cheap servers, and this may be very handy to have virtual machines (http://www.soyoustart.com/fr/offres/e3-sat-1.xml).
I see these days a lot of kernel updates. For what I know, updating kernel needs rebooting.
but rebooting a *host* means switching off then on any virtual machine, isn't it?
Yes.
at the same time, I see some servers with uptime of one year and more.
per@kzinti:~> uptime
 08:13 up 1168 days 23:42, 1 user, load average: 0.00, 0.04, 0.10
so my question: how do you manage the security of servers acting as host for, say, 10 virtual machines.
Surely not a topic for opensuse-factory? Anyway, my xen hosts simply have no external connectivity. Second, when a xen host needs maintenance, we migrate the DomUs off to another host.
any pointer to answer on the web welcome :-)
http://wiki.xenproject.org/wiki/Migration
--
Per Jessen, Zürich (7.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/02/2016 08:20, Per Jessen wrote:
jdd wrote:
so my question: how do you manage the security of servers acting as host for, say, 10 virtual machines.
Surely not a topic for opensuse-factory? Anyway, my xen hosts simply have no external connectivity.
oh, yes. My servers are hosted, so I have to keep a minimal one
Second, when a xen host needs maintenance, we migrate the DomUs off to another host.
great, I will study that
thanks
jdd wrote:
On 09/02/2016 08:20, Per Jessen wrote:
jdd wrote:
so my question: how do you manage the security of servers acting as host for, say, 10 virtual machines.
Surely not a topic for opensuse-factory? Anyway, my xen hosts simply have no external connectivity.
oh, yes. My servers are hosted, so I have to keep a minimal one
Second, when a xen host needs maintenance, we migrate the DomUs off to another host.
great, I will study that
It is incredibly easy. Take two xen hosts, "paris" et "lyon". Create a xen guest on paris, "g1". Once it's running, you can move g1 from paris to lyon with this:
xl migrate g1 lyon.
Take a few seconds on GigE.
--
Per Jessen, Zürich (7.5°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/02/2016 10:17, Per Jessen wrote:
It is incredibly easy. Take two xen hosts, "paris" et "lyon". Create a xen guest on paris, "g1". Once it's running, you can move g1 from paris to lyon with this:
xl migrate g1 lyon.
Take a few seconds on GigE.
without losing network?
thanks. I know virtualbox, but not xen - I just try it now
jdd
jdd wrote:
On 09/02/2016 10:17, Per Jessen wrote:
It is incredibly easy. Take two xen hosts, "paris" et "lyon". Create a xen guest on paris, "g1". Once it's running, you can move g1 from paris to lyon with this:
xl migrate g1 lyon.
Take a few seconds on GigE.
without losing network?
Yes, the virtual host doesn't even know it's been moved. Of course, your two xen hosts have to be on the same network. Oh, and very important - you need shared disk.
--
Per Jessen, Zürich (6.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
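An added example, not part of the original thread: a dry-run plan for emptying a Xen host before its kernel update, built on the `xl migrate` command Per gives. The host "lyon" and guest "g1" come from the thread; guests "g2" and "g3", the `drain_plan` function and the `XL_LIST_FILE` variable are assumptions, and the sample is constructed text in the layout printed by `xl list`.

```shell
#!/bin/sh
# Added example, not from the thread. It only prints commands and never calls xl.
# SAMPLE_XL_LIST is constructed; save real `xl list` output to a file and point
# XL_LIST_FILE at it to plan for an actual host.
SAMPLE_XL_LIST='Name                                        ID   Mem VCPUs State   Time(s)
Domain-0                                     0  2048     2     r-----    5021.7
g1                                           1  1024     1     -b----      88.4
g2                                           2  4096     2     r-----     912.0
g3                                           3   512     1     --p---       3.1'

# drain_plan TARGET -> one "xl migrate" line per live guest.
# Domain-0 never moves. Guests that are paused, shut down, crashed or dying
# (p, s, c, d in the State column) are listed as comments for a manual decision.
# The preconditions from the thread (same network, shared disk) are not checked.
drain_plan() {
    target=$1
    if [ -n "${XL_LIST_FILE:-}" ]; then
        cat "$XL_LIST_FILE"
    else
        printf '%s\n' "$SAMPLE_XL_LIST"
    fi | awk -v t="$target" '
        NR == 1 || $1 == "Domain-0" { next }
        $5 ~ /[pscd]/ { print "# " $1 ": state " $5 ", handle by hand"; next }
        { print "xl migrate " $1 " " t }'
}

drain_plan lyon
```

Once the printed commands have run and `xl list` on the source host shows only Domain-0, the host can be updated and rebooted without stopping a guest.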
On 09.02.2016 at 10:17, Per Jessen wrote:
It is incredibly easy. Take two xen hosts, "paris" et "lyon". Create a xen guest on paris, "g1". Once it's running, you can move g1 from paris to lyon with this:
xl migrate g1 lyon.
Take a few seconds on GigE.
Depends on the size of the domU and its activity. Mine will take hours to days :-P
Where do you store your VM images? Locally on your xen hosts?
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On 14/02/2016 12:37, Stefan Seyfried wrote:
Where do you store your VM images? Locally on your xen hosts?
Probably, but I could use two servers. Is 100Mb/s enough as network bandwidth to do so?
I didn't even imagine to do so :-))
anyway it's almost the same, one has to update the disk server, or do you speak about having on a local network one host for disk space without internet access?
all my servers are hosted on the web, so...
brainstorming :-)
jdd
On 14.02.2016 at 12:49, jdd wrote:
On 14/02/2016 12:37, Stefan Seyfried wrote:
Where do you store your VM images? Locally on your xen hosts?
I was asking Per, because in practice it is not as easy as he is making you believe. You need your disk images stored on a third server / storage host, exported by NFS or iSCSI or whatever. Only then is migration easy. If you are storing the VM images on your virtualization host (does not really matter if it is KVM or Xen), then you need to employ an additional, rather complicated setup to allow them to migrate over to the other host.
Probably, but I could use two servers. Is 100Mb/s enough as network bandwidth to do so?
if your vm's are not too big, that should be enough. And if it is acceptable if they are stopped for a short amount of time (not down, just paused), then network bandwidth is even less of a concern. But if you need real live migration without any network outage for busy big VMs (> 256GB RAM), then it gets really hard to achieve.
I didn't even imagine to do so :-))
anyway it's almost the same, one has to update the disk server, or do you speak about having on a local network one host for disk space without internet access?
Well yes, probably that's the easiest setup:
VM host1 -----+ eth0 -> access lan -> internet
              + eth1 -> storage lan
VM host2 -----+ eth0 -> access lan -> internet
              + eth1 -> storage lan
Storage host -+ eth0 -> storage lan, serving the images to vm host1/2
              + eth1 -> access lan, for maintenance stuff
With such a setup, migration is rather easy. If the virtual machines are not too big. And not too busy.
all my servers are hosted on the web, so...
whatever this means :-)
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On 14/02/2016 12:59, Stefan Seyfried wrote:
Well yes, probably that's the easiest setup:
(...) yes, I get it
all my servers are hosted on the web, so...
whatever this means :-)
they are on http://www.kimsufi.com/fr/index.xml, somewhere in a data center. I probably could have a gigabit link between them, but not at a reasonable price (for me :-), and the standard link is 100Mb.
I noticed recently that this provider gives 10 IPs for some pretty cheap servers, and this could be a good way to manage virtual servers. I tried a similar thing not so long ago and stopped because of the update headache...
we have these days pretty often kernel updates and I don't like to reboot my main server too often, on all services do restart gracefully each time, but it's 13.1, so I have to plan update this year
thanks
jdd
On 14.02.2016 at 14:26, jdd wrote:
we have these days pretty often kernel updates and I don't like to reboot my main server too often, on all services do restart gracefully each time, but it's 13.1, so I have to plan update this year
Well, you could of course just judge if the fixes in the kernel update are affecting your setup at all. If there is a security bug in some obscure driver you are not even using at all -- just remove the module and make sure it is not yet loaded. If there is some local privilege escalation, but you do not have any local users, then that update might not be as important to your setup (but beware of unsafe webapps where a user might escape to exploit local privilege escalation bugs).
The really urgent security updates for kernels are fortunately not happening that often.
And in general: 13.2 has had 5 kernel updates since its release. Does not look that frequent to me... Leap has received two updates.
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On 14/02/2016 14:41, Stefan Seyfried wrote:
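An added example, not part of the original thread: a sketch of the triage Stefan describes, checking whether a module named in a kernel advisory is loaded and, if it is not, printing the modprobe.d line that keeps it from being loaded later. The module names, the `MODULES_FILE` variable and the function names are assumptions; the sample is constructed text in `/proc/modules` format.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_MODULES is constructed text in
# /proc/modules format; set MODULES_FILE=/proc/modules to check a real host.
SAMPLE_MODULES='nfsd 339968 13 - Live 0xffffffffa0500000
xen_netback 49152 0 - Live 0xffffffffa0400000
ext4 589824 2 - Live 0xffffffffa0100000'

# module_state NAME -> prints "loaded" or "absent".
# Only loadable modules are covered: a driver compiled into the kernel image
# never appears in /proc/modules and cannot be removed this way.
module_state() {
    name=$(printf '%s' "$1" | sed 's/-/_/g')   # the kernel lists dashes as underscores
    if [ -n "${MODULES_FILE:-}" ]; then
        data=$(cat "$MODULES_FILE")
    else
        data=$SAMPLE_MODULES
    fi
    if printf '%s\n' "$data" | awk -v m="$name" '$1 == m { f = 1 } END { exit !f }'; then
        echo loaded
    else
        echo absent
    fi
}

# triage NAME... -> one line per module named in a (hypothetical) advisory.
triage() {
    for mod in "$@"; do
        case $(module_state "$mod") in
            loaded) echo "$mod: loaded, plan the kernel update and reboot" ;;
            absent) echo "$mod: not loaded, add to /etc/modprobe.d: install $mod /bin/false" ;;
        esac
    done
}

triage floppy xen-netback
```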
And in general: 13.2 has had 5 kernel updates since its release. Does not look that frequent to me... Leap has received two updates.
13.1 had one just now. I'm not experienced enough to know if it's important
jdd
On 14.02.2016 at 14:44, jdd wrote:
On 14/02/2016 14:41, Stefan Seyfried wrote:
And in general: 13.2 has had 5 kernel updates since its release. Does not look that frequent to me... Leap has received two updates.
13.1 had one just now. I'm not experienced enough to know if it's important
I have no 13.1 to check back, but I do not think that it only got one kernel update since its release. You must be doing something seriously wrong.
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On 14/02/2016 14:46, Stefan Seyfried wrote:
I have no 13.1 to check back, but I do not think that it only got one kernel update since its release. You must be doing something seriously wrong.
I didn't say it received only one, but there was one very recently
jdd
participants (3): jdd, Per Jessen, Stefan Seyfried