Author Topic: Pros and cons of running zentyal as KVM host or as KVM guest  (Read 6587 times)

chuzzy

Pros and cons of running zentyal as KVM host or as KVM guest
« on: November 27, 2013, 01:42:04 pm »
I was a ClearOS user, drawn by the greater features zentyal seems to have ..

I have a question on the best way to deploy zentyal as a soho server, especially as I need to use virtualization to maximize the use of the hardware I am setting up as a gateway. 

I hope this is not a duplicate topic but I have searched the forum and seen questions relating to KVM, but none addressing usage scenario and best practices.

Basically, I would like to use Zentyal as a gateway and general fileserver, and my gut instincts suggest having Zentyal as guest and using bridged networking to expose the VM to both networks.  However, given my understanding of how bridging works, I am concerned that I may not have easy network access to the host if Zentyal is installed as a guest.  I would really appreciate feedback from anyone who has tried this ..

Additionally, I see Zentyal now integrates KVM, but the only docs I found about using KVM in this way were for version 3.0 of Zentyal, and the docs seem rather for basic host creation with no mention of the more advanced things one could attempt with KVM .. which prompts the following questions:
-- Is KVM still integrated in the current Zentyal 3.2?
-- Are the more advanced features of KVM (including command line management via virsh) still possible having zentyal as host?

Apologies for the lengthy post .. just thought I might save myself some time by sounding out folks on the subject.

All comments and responses very much appreciated ..

innocenti_jr

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #1 on: November 27, 2013, 04:00:17 pm »
Personally, I'd set up something like Proxmox on the host and install two VMs to keep things separated. One as the file server and the other one as the gateway (be it Zentyal or something more lightweight like Zeroshell or IpCop).

To answer your questions:
* KVM is not supported anymore in Zentyal 3.2
* Yes, it should be possible to use KVM via command line on a Zentyal host

Cheers - Oliver
« Last Edit: November 27, 2013, 06:23:00 pm by innocenti_jr »
"The problem with quotes on the Internet is that it is hard to verify their authenticity." - Abraham Lincoln

chuzzy

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #2 on: November 27, 2013, 05:20:25 pm »

Million thanks for the response .. and the really helpful information ..

I have used proxmox a long time ago, and I must say I was impressed with its simplicity and versatility .. and being able to do kvm means I can still do kvm even while using containers for other things .. So, I am sold on this as a solution.  Thanks for suggesting it ..

I am just fishing for greater insight with the following questions ..

In your opinion, what is the particular reason why proxmox (presumably using containers) may hold some advantage over a full virtualization solution like kvm?   Perhaps, it is easier to segregate the networking?  ..

Also, in relation to networking zentyal for fileserver and gateway functions in different containers/VMs, what is the high level overview of how to configure the networking of the gateway system in this containerized proxmox setup ? 

Thanks in advance for responding ..

chuzzy

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #3 on: November 27, 2013, 05:24:07 pm »
forgot to add, in terms of lightweight systems focused on routing/gateway features, pfsense is my preferred solution .. But I would also like to test out zentyal gateway features first before moving onto pfsense as gateway if I still feel a need to replace zentyal gateway features

innocenti_jr

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #4 on: November 27, 2013, 06:31:16 pm »
Quote
In your opinion, what is the particular reason why proxmox (presumably using containers) may hold some advantage over a full virtualization solution like kvm?   Perhaps, it is easier to segregate the networking?

No, I meant to install KVM-VMs with Proxmox (it supports both: KVM and OpenVZ containers). KVM is the way to go as Zentyal doesn't like to be installed inside a container.

Quote
what is the high level overview of how to configure the networking of the gateway system in this containerized proxmox setup ?

Dunno, this depends on your concrete network setup. Usually a gateway has two (virtual) NICs, one for the intranet/LAN and the other for internet access.

PS: This topic might be interesting for you:
http://forum.zentyal.org/index.php?topic=18270.0
« Last Edit: November 27, 2013, 06:34:58 pm by innocenti_jr »

half_life

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #5 on: November 28, 2013, 01:01:44 am »
I am with innocenti_jr.  I run two Proxmox clusters.  One at work and one at home.  Zentyal is the gateway tool for both.  My recommended setup is to set up bridges as you suggested already.  Unless you have more than 1 public IP address only connect the WAN side bridge to Zentyal. I run my home system with 1 public IP and an asterisk server behind Zentyal.  Feel free to fire off questions as you go along.  I have been perfecting my setups for several years now.

chuzzy

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #6 on: November 30, 2013, 12:16:40 am »
Million thanks half_life and innocenti_jr .. that is mighty useful info.  Been tied up, but will have a good go at this tomorrow .. Will be back with some feedback one way or another.

I have two NICs, and was planning on tying the zentyal VM to a bridge atop each physical interface, and thus even having the host route wan bound traffic via the internal bridge and out via the external bridge.

That is the logical idea .. not sure how challenging this would be to implement .. fingers crossed ..

half_life

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #7 on: November 30, 2013, 01:11:48 am »
Precisely.  2 physical NICs.

One hooked to the cable modem (WAN) or whatever serves as your internet uplink.

The other nic hooks into your local network (switch) etc. 

Machines that need direct WAN access are connected to the WAN side bridge.

Machines that need access to local side are connected to the local bridge. 

Proxmox itself only has an address on the local side (unless you have more than 1 public IP and you want to take on the additional exposure) 

This is exactly how I am configured at home.  I am configured the same at work with the exception that each Node has a public IP that is accessible even if Zentyal is down.

chuzzy

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #8 on: December 04, 2013, 02:01:26 am »
Finally got round to installing zentyal and replacing an existing gateway .. and yes, on proxmox VE .. and it went fairly smoothly and straight-forward .. It's now managing dns, dhcp, and other gateway functions ..

Half_life, thanks for the encouragement and tips ..

I have one puzzling challenge though about configuring its DNS .. The only interfaces I see relating to DNS all revolve around configuring the name server.  I have been looking for how to add A and PTR and CNAME  entries, and there seems no way to do this on the GUI.  Must I do this from the CLI?

I am experienced with bind, so this is not an issue if that is the intention.  Just seeking clarification here.  Perhaps I am missing something?

half_life

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #9 on: December 04, 2013, 03:28:26 am »
I assume that you have looked at the dns module but did you click into hostnames on your domain?  I can't help you with PTR records though.

chuzzy

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #10 on: December 04, 2013, 12:33:41 pm »
Yeah, finally worked out how they intend it to work .. not very intuitive though.  You first create a hostname, and then you can add IP address(es) and alias(es) ..


kart

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #11 on: December 23, 2013, 01:52:33 am »
Hi,

I have a similar question to the original post by chuzzy.

I'm setting up a server for my small business. The server has 2 NICs. My goal is to run Alfresco, an ERP system, a mail server and a webserver hosting the company website. Security is my first priority followed by quick recovery time in case of disaster and then ease of maintenance.  I'm running Ubuntu 12.04 server on the server. I would prefer running Alfresco, ERP and webserver all in dedicated KVM VMs.

I'm new to Zentyal, I read the documentation and installed an instance in a KVM VM to learn more and put in practice what I read in the doc. I will probably use the following services from Zentyal: DHCP, DNS, VPN, Firewall, IPS, openLDAP, email, groupware, printer sharing, log files monitoring, UPS. I might use the backup module but I have to test it first. 

I'm wondering what the best practices are for achieving my goals (security, quick recovery, ease of maintenance). Should I install some services on the KVM host and the remaining in VM(s)? I was thinking of perhaps installing the gateway, firewall, DHCP, DNS and VPN directly on the KVM host then creating a VM for the emails, groupware, openLDAP and the rest. Where will the webserver install fit best?

I will appreciate any comments or suggestions you may have. Does it make sense running some Zentyal directly on the KVM host or could everything be run in VMs with the same security level? Does it make sense to separate the services in two or more VMs?

Thank you

half_life

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #12 on: December 23, 2013, 02:58:05 am »
I am going to answer this a little out of order.  First, if you run services directly on the machine providing hypervisor (compute services in cloud speak), it becomes less of a commodity server and more customized, complicating your disaster recovery and maintenance activities.  Being able to isolate services is also a strong argument for running virtualized.

Think about this scenario:
Your CMS solution that you run your website from has a flaw discovered and before you can patch it,  it is exploited on your deployed system.  If that service is deployed directly on your hypervisor machine, you now have a malicious attacker with a foothold on your local network.  If that CMS system is on a VM that only has a virtual NIC attached to the WAN side of the network, the attacker has not gained a foothold and only operates until he is discovered.  A quick restore from backup and patch before exposure to the outside world and you are back in business.

How about this scenario:
Your building is struck by a tornado and your data center is a total loss.  You have your offsite backup (you do have these RIGHT?) and a credit card to buy replacement hardware with.  You buy a replacement machine and re-install your Server OS of choice and set about reloading your backed up virtual machines.  The virtual machines are happy because they are abstracted from the physical hardware so minor changes in the physical server aren't an issue.  The real server however, is going to be a little touchy (possibly) about you laying down a copy of your backup of the host machine over top of your brand new install.  This will introduce complexity that doesn't need to be.

As I discussed earlier, connect virtual machines to the WAN that NEED connectivity to the WAN bridge.  Connect VMs that NEED connectivity to the LAN bridge.  The only machine that should probably be attached to both is the Gateway machine (Zentyal VM).  Separating email etc from the Zentyal machine probably doesn't serve a purpose unless you are using some other solution besides the Zentyal provided one.

I would like to plug Proxmox as a good solution and complementary to a Zentyal install.  It is a KVM openVZ hybrid with a very good web interface.  Its features work very well for the small to medium datacenter needs.

If your web hosting needs get complicated I would suggest a dedicated tool like Cherokee web server but if your needs are smaller then configuring apache or nginx as a reverse proxy would work as well.

The last suggestion I would make is to do image level backups on a regular basis.  My nightly backup disk then becomes my offsite backup and is "ready to use" as it is completely self sufficient.  All I need is a working copy of my hypervisor (Proxmox) which I can get off of the internet and a machine (or many small machines) to run my VMs on.

This is my opinion of best practices based on several years designing/testing/running these systems for commercial use.  I might change some of my opinions as time goes forward being as that I am going to work for a very large cloud hosting company working in their hybrid group but I doubt that it will be a significant change.
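
The bridge layout recommended in Replies #7 and #12, written as a check (an added example, not code from any poster in this thread): it reads a Debian-style interfaces file and per-guest NIC lines, then reports a host address on the WAN bridge or any guest other than the gateway attached to both bridges. The bridge names, guest names, addresses and MACs are constructed, and the host-address rule reflects the single-public-IP case described above.

```python
import re

# Constructed sample data (assumed names): vmbr0 = LAN bridge, vmbr1 = WAN bridge.
INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    address 192.168.10.2
    bridge_ports eth0
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
"""
# Hypothetical guests; NIC lines use the Proxmox "netN: model=MAC,bridge=..." form.
VM_CONFIGS = {
    "zentyal-gw": "net0: virtio=52:54:00:00:00:01,bridge=vmbr0\nnet1: virtio=52:54:00:00:00:02,bridge=vmbr1\n",
    "fileserver": "net0: virtio=52:54:00:00:00:03,bridge=vmbr0\n",
    "webserver": "net0: virtio=52:54:00:00:00:04,bridge=vmbr1\nnet1: virtio=52:54:00:00:00:05,bridge=vmbr0\n",
}

def host_addresses(interfaces_text):
    """Map each 'iface' stanza to the host address set in it (None if none)."""
    addrs, current = {}, None
    for line in interfaces_text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            current = words[1]
            addrs[current] = None
        elif words[0] == "address" and current:
            addrs[current] = words[1]
    return addrs

def vm_bridges(config_text):
    # Set of bridges that a guest's netN lines attach to.
    return set(re.findall(r"^net\d+:.*?\bbridge=(\w+)", config_text, re.M))

def audit(interfaces_text, vm_configs, wan, lan, gateway_vm):
    """List departures from: no host address on WAN, only the gateway dual-homed."""
    findings = []
    addr = host_addresses(interfaces_text).get(wan)
    if addr:
        findings.append(f"host has address {addr} on WAN bridge {wan}")
    for name in sorted(vm_configs):
        if name != gateway_vm and {wan, lan} <= vm_bridges(vm_configs[name]):
            findings.append(f"{name} is attached to both {wan} and {lan}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(INTERFACES, VM_CONFIGS, "vmbr1", "vmbr0", "zentyal-gw")))
```

With the sample data, the only finding is the dual-homed web server, which is the case the CMS scenario above warns about.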

ChrisZ

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #13 on: December 23, 2013, 04:26:39 am »
I've been running Proxmox for a couple of years now but have been having issues with certain VMs (running Zentyal or Debian Wheezy) suddenly going to 100%+ CPU usage (at least once per week) and having to reset the VMs because they're inaccessible. I've been testing with Citrix Xenserver for a month or so now and haven't had any trouble whatsoever.

Chris

half_life

Re: Pros and cons of running zentyal as KVM host or as KVM guest
« Reply #14 on: December 23, 2013, 04:46:25 am »
You have been running the same VM for a couple of years?  You wouldn't happen to be running Zarafa, would you?  I would have to say that it is more complicated than Proxmox+Zentyal causing problems because I run them here and have for multiple years.