| View previous topic :: View next topic |
| Author |
Message |
gerni
Tux's lil' helper
Joined: 14 Jul 2002
Posts: 107
Location: Austria
|
 Posted: Wed Aug 06, 2008 10:07 pm Post subject: HomeServer + KVM - does this setup make sense or am i crazy? |
 |
|
I want to assemble a new homeserver and thought about using KVM with some dedicated VMs.
In comparison to my traditional server where every service runs on the same system i want to gain:
- security
- flexibility
Please tell me if this make sense or is it better to do this another way.
I've also have to say that i'm a bit paranoid and i like playing with linux *g*
As host system i'd like to use a very minimal gentoo system. This system should simply forward all traffic to my first guest system where i want to run an IPCop-Firewall. I Like IPCop because ist's so easy and powerfull. The guestsystem also should manage my RAID+LVM setup. The IPCop host routes the traffic to the corresponding other hosts and the other way.
I thought about a virtual machine that only serves scalix (the Groupware Software), another dedicated VM that serves my personal data and other sensitive things where i am the only one that has access to the host, and one VM where "insecure" services can run (like teamspeak, some httpd, ftp...)
Illustrated:
| Code: |
--------> VM: insensitive Data, untrusted services and users
|
WAN+LAN --> HOST --> VM: IPCop ---> VM: personal Data, trusted services and users
|
--------> VM: some Groupeware Software (openSBS or Scalix)
|
does this setup make sense for you? Do you have suggestions for a possibly better setup? |
|
| Back to top |
|
 |
poly_poly-man
Advocate
Joined: 06 Dec 2006
Posts: 2477
Location: RIT, NY, US
|
| Posted: Thu Aug 07, 2008 1:12 am Post subject: |
|
|
If you are going the virtualization route, I must suggest XEN - apparently, that can get nearly 100% performance with one client and no host software running.
If you're alright with a slight performance loss and a huge load of setup, it's a good idea - think about what happens if one crashes!
Leave ssh open to the host, tho.
poly-p man
_________________
iVBORw0KGgoAAAANSUhEUgAAA
avatar: new version of logo - see topic 838248. Potentially still a WiP. |
|
| Back to top |
|
|
gerni
Tux's lil' helper
Joined: 14 Jul 2002
Posts: 107
Location: Austria
|
| Posted: Thu Aug 07, 2008 8:15 am Post subject: |
|
|
| Quote: | | If you are going the virtualization route, I must suggest XEN - apparently, that can get nearly 100% performance with one client and no host software running. |
According to some recent benchmarks i should also get nearly 100% performance with kvm (at least CPU-Power):
http://www.phoronix.com/scan.php?page=article&item=ubuntu_virt_benchmarks&num=2
So the host should only cost a very little performance. Or is there something i didn't consider?
Could it be that KVM is the more promising technology!? Maybe i'm wrong - i'm very new to virtualzation, but after readine lots of articles i got this impression. Another reason why i've chosen kvm is because it seems to be easier to setup.
Correct me if i'm wrong.
Thank you! |
|
| Back to top |
|
|
poly_poly-man
Advocate
Joined: 06 Dec 2006
Posts: 2477
Location: RIT, NY, US
|
| Posted: Thu Aug 07, 2008 2:40 pm Post subject: |
|
|
By kvm, you do mean qemu with KVM, right?
KVM, kernel virtual machine, is simply an interface between userspace, the kernel, and ultimately to the virtualization extensions in the cpu. The most common system to use with this is qemu (the kvm command on the command-line starts qemu with kvm extensions), however things like virtualbox and vmware (AFAIK) support kvm.
First off, what processor are you planning to run on this server? If it has no virtualization extensions, I must highly recommend XEN instead... if it does, as long as you get decent performance and can set it up like you want, go for a kvm system.
But above all I must recommend leaving ssh open to the host OS - Keep in mind, if one VM crashes, you should be able to remotely restart it; also, from the host box, you can ssh into the other VM's and do direct maintenance there.
poly-p man
_________________
iVBORw0KGgoAAAANSUhEUgAAA
avatar: new version of logo - see topic 838248. Potentially still a WiP. |
|
| Back to top |
|
|
gerni
Tux's lil' helper
Joined: 14 Jul 2002
Posts: 107
Location: Austria
|
| Posted: Tue Aug 19, 2008 1:08 pm Post subject: |
|
|
| poly_poly-man wrote: |
By kvm, you do mean qemu with KVM, right?
|
Yes, you are right.
| poly_poly-man wrote: |
First off, what processor are you planning to run on this server? If it has no virtualization extensions, I must highly recommend XEN instead... if it does, as long as you get decent performance and can set it up like you want, go for a kvm system.
|
I've an Intel Core 2 Duo 8400 which supports "intel-VT"
I've done some performance tests with KVM - At first i thougt i can forget my plans because of the bad I/O Performance (bad ping times, very bad HDD performance compared to the native System).
But after some investigation i tried the "virtio" driver for my block devices (HDD) and network devices. Instead of "user networking" i switched to a bridged configuration. With this configuration performance increased significantly!
I only did some basic tests:
bridged networking increased network ping-times from ~25ms to ~1ms
hdd read performance increased from ~25MB/s to ~80MB/s - nearly as good as native << i mean WOW, not bad! (is simply did "hdparm -tT") (I'll do more detailed benchmarks if the whole server is running.)
Now i'm trying to setup my system step by step.
First i want to setup ipcop, but i think my chosen network configuration is not the best.
Here i've put a picture of my current config: http://www.gernot-klingler.net/my_files/server_qemu_ipcop.pdf
I've a "lan bridge" which connects my lan nic (eth1) and my tunneling device tap_lan.
tap_lan is connected to the trusted (green) interface of the ipcop running in qemu.
tap_wan is connected to the untrusted (red) interface of the ipcop running in qemu.
What works for now:
- redirecting lan traffic through ipcop works
Problem:
- Processes on the host system are using tap_wan for connecting to the internet directly.
Ok, this can be solved by setting an other default gateway.
BUT: Host services like ssh which are running on the host gentoo system are reachable from the WAN side because of the bridged wan_interface.
How can i avoid reaching the host system from the wan/internet directly? From outside only the ipcop system should be reachable.
Can you give me an advice how to solve this problem?
thanks! |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Other Things Gentoo
