Topic: Virtualizing the Server

miko-edv

Re: Virtualizing the Server
« Reply #15 on: July 26, 2011, 02:22:42 pm »
Hi,

pardon me jumping in.

I have also become a great fan of virtualization, and so I try to have as little as possible of any installation at my customers' sites on "real" machines, if only for the interchangeability in case of host hardware damage.

As I read your plan, one question immediately comes to mind: if the Samba server is on the host, how can it participate in the user/group management, which will only be available after the VMs are up?

I do understand your concerns regarding the RAID.
On my larger hosts, I have vendor-supplied hardware RAID (Dell, 3ware), which is configured in its BIOS and seen as one disk by ESXi.
On the other, more PC-like servers, the built-in "pseudo-RAIDs" are switched off to give me separate disks, which I use for internal copying/mirroring on a "semi-manual" basis. These machines do not run ESXi either, but VMware Server on Linux or Windows, and also VirtualBox. That makes the mentioned semi-manual tasks easier to perform, and performance is not really an issue there either.

Greets and Good Luck with your project
Michael


christian

Re: Virtualizing the Server
« Reply #16 on: July 26, 2011, 02:55:14 pm »
I'm not sure I understand exactly what you are targeting and why, but you should pay attention to various limitations that may still exist because of modules either conflicting with each other or needing to run on the same Zentyal server.

Look carefully at LDAP, Samba and mail before spreading modules over different Zentyal servers (virtualized or not; the debate is, to me, the same).

As an example, and as far as I understand, you must run the MDA and MTA on the same server that also runs the LDAP master.

This said, if you have only one piece of hardware, what does it bring to run it in a virtualized mode (except if you also need this host to run a beta or other instance)?

I share Sam's statement and also Milo's view in large deployments, but can't see this fitting with SMB: virtualization fully makes sense, to me, if you store data on secure (from a disk standpoint) NAS or SAN on which you can store virtual server images. In such a case, when facing hardware failure, you can easily relaunch your services because the server image is stored somewhere else. If everything is local, what is the real added value of a virtual server here? Of course, I do not dispute the capability to have multiple servers in parallel on the same hardware, but with this specific need in mind, I don't think Zentyal is really designed for such a purpose. I definitely need to think a bit more about this.

Last but not least, virtualization will bring some security by segregating services onto multiple isolated servers, even if running on the same hardware. OK, fine, but is it worth the cost in terms of performance impact, complexity, management overhead...? Keep in mind that every Zentyal instance will run its own Apache and database. With Cherokee, Nginx or Lighttpd the impact would be lighter, although still present, but with Apache ???

vshaulsk

Re: Virtualizing the Server
« Reply #17 on: July 26, 2011, 04:09:31 pm »
Thank you for the feedback!!! This is exactly the kind of information and thoughts I was looking for. I am new to Linux and, in general, to complete server/infrastructure management.

The Zentyal system I currently have running is all on one physical machine with all the services enabled (except VoIP and Jabber). The system runs well and really takes up few resources on my machine. Basically, the 6-core CPU is idle and I don't see the system using much over 2 GB of RAM (I have 8).

I guess I originally started thinking of virtualizing some of the components after I read an article about security, something along the lines that a mail and web server should be split from the intranet systems (since they are components accessed from outside). This got me thinking about virtualizing certain pieces of Zentyal in order to make them completely separate systems. Maybe this is not really needed in a small business or home environment??? Maybe the security risks are not really that great when it is such a small layout. What do you guys think from a pure security standpoint?? Full business infrastructure layout???

Another thing I wanted was to have an intranet-based website and also an external website. Currently, from what I understand, Zentyal is really made to be an intranet-type infrastructure system and you would VPN into the system in order to get on the intranet. However, if I install something like Alfresco, shouldn't I have that open to the outside world the same way I currently have Subsonic access or the Zarafa webaccess???

I welcome all viewpoints... suggestions... thoughts... anything!!! I am learning and trying new things, and I don't mind reinstalling my system a hundred times if it means I learn all that I can and have a secure, well-functioning infrastructure!!




Sam Graf

Re: Virtualizing the Server
« Reply #18 on: July 26, 2011, 04:44:57 pm »
This actually touches indirectly on a discussion or two we've had here about what Zentyal should look like: focusing on "infrastructure" or trying to be a "kitchen sink" solution.

I have yet to play with 2.2rc (downloaded for testing, but not installed :'( ), so I don't know what it brings to the discussion (I'm thinking of the VM management features). But IMHO, out of the box, Zentyal is best at providing a pretty robust network environment. It's been less strong, IMHO, at being a "kitchen sink" solution. I don't think of Zentyal when I want to set up a LAMP server, for example. So it may be that at least some SMB/SOHO systems relying on Zentyal will have at least two physical servers: one for "infrastructure," and one for the "kitchen sink."

From an SMB or SOHO security standpoint, I would consider anything I'm at all willing to run on Zentyal as being secure on one physical server. In a small network environment, surely the connections that tie everything together form a vulnerability chain. Compromise from the inside is still a possibility in a virtual environment. And Christian's point about complexity seems to me to be valid. At some point the system's complexity and robustness stop paying dividends, and in SMB and SOHO environments that happens way sooner than later, I think.
« Last Edit: July 26, 2011, 04:46:31 pm by Sam Graf »

christian

Re: Virtualizing the Server
« Reply #19 on: July 26, 2011, 04:49:39 pm »
hehe, you're maybe new to infrastructure management, but you are raising, from my standpoint, the right question 8)
"How to provide secure services for SMB?", meaning without deploying complex, heavy-to-manage infrastructure.

Virtualization doesn't make it lighter, by the way. To me it's even the opposite: for someone who really understands what each component provides, virtualization might help. If you don't, it only makes everything confusing, adding on top of that the extra overhead of the virtualization environment :-\

Yes, in an ideal world, internet, intranet and extranet should be kept "isolated", with a firewall in the middle plus some services in a DMZ to control flows at the application level (e.g. mail relay, HTTP proxy), but this results in a rather complex design that often does not fit the SMB scope (too complex and therefore expensive). This is why the Zentyal approach is very appealing.

Still, with such a target in mind, is Zentyal the right solution?

I don't have the absolute answer, but I feel that we will quickly try to achieve something complex with something designed to be easy and simple first.

Let's take 2 examples that will show why, to me, Zentyal doesn't aim at providing such a design:
- LDAP server: services running in the DMZ should rely on an internal LDAP server so that the LDAP server containing internal accounts is not exposed to the internet. The Zentyal design doesn't really expose LDAP to the internet (LDAP ports are blocked at the firewall level), but the LDAP service runs on Zentyal and there is no way you can split it easily.
- mail gateway: a secure design supposes running the mail gateway (MTA) in the DMZ along with anti-virus and spam filtering, and then delivering mail to mailboxes hosted internally. This can't be achieved (again, as far as I know) with Zentyal. The best you can do is to forward the mail port (e.g. 25) to the internal server, which is not as secure.

Does it mean that Zentyal out of the box is not secure?
Not at all! I'm using it, even though I'm an IT architect focusing on infrastructure design 8), but I use it at home and also for small domains where I feel it fits perfectly. I would not use it for a company for which security is worth the extra cost compared to ease of use. The motto is SMB. It says it all. Then, the border being fuzzy, some questions make sense, but the ideal "state of the art" secure design doesn't.

Well, my own view only ;) :-X I'd like to get the Zentyal staff's view too...

One additional point: VPN is not the only way to provide access to internal services: a reverse proxy is very useful and secure when it comes to accessing, from outside, web-based services running internally. I even promote this rather than VPN. Here again, it depends on your constraints in terms of security...

I'm reading Sam's reply now... fully in line, as usual :-)
« Last Edit: July 26, 2011, 04:51:51 pm by christian »

vshaulsk

Re: Virtualizing the Server
« Reply #20 on: July 26, 2011, 05:46:48 pm »
Very interesting, and gives me a lot to think about!!! Thank you!!!

Let me ask you directly, Christian, Sam, and others: how would you set up Zentyal given this small home office environment?

I have 2 computers, a PS3 and a TV wired directly to a gigabit switch. I have a wireless access point to which my laptop and phone connect. Anyone else who comes over also connects to the wireless access point. The switch then connects to one of the NICs on the server (running Zentyal). The second NIC of the server connects to the modem provided by my ISP. All devices connected internally stream media from the server. I use DynDNS to have a name from the outside.

The Zentyal OS is installed on a software RAID 1 (/swap, /home, /root)... under /mnt I have a software RAID 6 mounted for storage.
I have every service running except instant messaging and VoIP. I set my domain to HOME.lan and have roaming profiles enabled. I also use Zarafa for email and groupware since it has Z-Push to sync with my sisters', girlfriend's, brother's (lives in England), parents' and my phones. My entire immediate family, which is scattered across the US and the world, has an account on the system and VPN access. I have also installed Subsonic and given all of them access to that (opened port 4040 and created a service). From the outside, currently each user can access the standard FTP site and also each user's H: drive through FTP.

SSH, HTTPS and HTTP are not accessible from outside the LAN. You have to VPN in order to access them. I have the transparent proxy turned on with filtering. Everything works correctly except maybe the DNS module (I don't think I have my DNS host names set up correctly, or maybe the DNS lookup... actually I feel just lost when it comes to DNS).

I would like to have an external webpage plus an extranet. Also I would like to install Alfresco or Joomla (which would give me an extranet, correct????).
My question is: would you keep this setup and just simply add some features to it, or would you create a virtual machine running a LAMP server, or some other setup?????????

Sam Graf

Re: Virtualizing the Server
« Reply #21 on: July 28, 2011, 06:48:51 pm »
I'm not sure I'm smart enough to answer your question properly. Also, I tend to take a different approach than you have, and my approach isn't necessarily a good one.

Zentyal's web server is great for static pages, but obviously your CMS preferences mean a full LAMP server. That would be a cool place to try out Zentyal 2.2's VM tools, I'm thinking. That would be my preference over installing an unmanaged LAMP server on my Zentyal machine. Of course, that requires the right hardware (I think) to support KVM.

Since you have a family full of VPN users, I would also play with Zentyal's Jabber service. We use it (with Pidgin) on our site-to-site VPN as an internal chat (no external connection) and it works very well for us.

vshaulsk

Re: Virtualizing the Server
« Reply #22 on: July 28, 2011, 07:48:09 pm »
Thank you!!! I actually sort of came to your conclusion as well. After drawing up multiple scenarios and going over how everything works today, I think setting up a virtual machine to run a LAMP server is probably the way to go.

I think this will let me use the Zentyal server itself for everything it does now, plus some of the new features of the 2.2 release. I will set up my intranet, which will have static webpage content, on Zentyal... I will create a VM which will run the LAMP server and install Alfresco on it.

The only question I have is how I would configure the ports?? I know that Alfresco upon installation tries to bind itself to certain ports which I think Zentyal currently uses... like port 21 for the FTP service and port 8080. Also I have no idea how I would set up Alfresco in this scenario to use the Zentyal LDAP. Questions... Questions... Questions... hahahaha!!

half_life

Re: Virtualizing the Server
« Reply #23 on: July 29, 2011, 01:57:00 am »
Somebody pipe in here to correct me, but if I am recalling correctly, the Zentyal staff selected Convirt to handle their VM management. It is a good tool.

To answer your question about adding a LAMP server to your setup via a VM: it might help you to think of the virtual machine as a real machine. How would you go about setting up a real machine to do that? I would use a reverse proxy to allow access to my web-based services, as another poster has mentioned.

Actually, I already use virtualisation both at home and at work. For my needs it made the most sense to install the host OS and hypervisor on the metal (Ubuntu Server 10.10, with KVM as the hypervisor). I bridged my internal and external LAN connections to simplify connecting the VMs to the needed LAN resources. I did not configure the external LAN interface on the host machine at home, for security reasons (I only have one external IP at home anyway). I installed Zentyal in a VM and gave it access to the outside and inside LANs so that it could act as the gateway. I need more features than the stock VoIP module in Zentyal provides, so I installed Elastix in another VM and utilised port forwarding to get SIP connectivity inside my LAN. VPN is my tool of choice to give elevated access to the local network. I have a copy of XP virtualised on one of the local machines to give me something to RDP into from work. I also installed X2Go on the hypervisor system to give me GUI access to the machine.

At work the setup is slightly more complex, since I use two hypervisor machines that form a high-availability cluster. I use DRBD to keep all the virtual machine drives in sync, so that if one goes down it is started on the other physical machine. I do not provide any services on the two physical machines apart from SSH, to allow X2Go to function. Again, I use Zentyal for the gateway to the local network. I use Elastix for phone service at work, but have a separate static IP for the phone system, the Zentyal gateway, and each of the physical servers.

I would suggest that you think about whether it makes sense to have Zentyal on the metal and also acting as the hypervisor, or whether it would make sense to separate them. Hardware resources and what your needs actually are will determine how you set up your system. The home system is a 2.6 GHz quad-core processor with 8 GB of RAM and 3 TB on a software RAID 5 arrangement, with each VM using an LVM volume as its hard disk (vs. an image file) for speed; 2 CPUs and 3 GB of RAM are assigned to Zentyal, and 1 CPU and 1 GB of RAM are assigned to the phone system. The work servers are monsters, weighing in with 16 cores (2 GHz) and 48 GB of RAM. They also have 3 TB of drive space on a hardware (fast) RAID controller set up for RAID 5.
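An added example in POSIX shell, not code from this thread or from Zentyal, tying half_life's "treat the VM as a real machine" and reverse-proxy/port-forwarding advice to vshaulsk's question about Alfresco's ports. The point it shows: a guest has its own port space, so Alfresco binding 8080 inside the LAMP VM does not collide with Zentyal's 8080 on the host; what has to be unique is the public port the gateway forwards. The script reads `ss -Hltn`-style output (a constructed sample here, not captured from a real gateway), refuses a forward whose public port is already bound on the host or whose target lies outside the guest bridge subnet, and emits an iptables-restore fragment for the rest. The interface name eth0, the 10.10.10.0/24 "DMZ" bridge subnet, the guest addresses and the listener sample are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread; not Zentyal's own code.
# Assumed topology (constructed): eth0 is the external interface of the
# gateway, guest VMs sit on bridge subnet 10.10.10.0/24 ("DMZ").
# A forward spec is  PUBLIC_PORT:PROTO:VM_IP:VM_PORT

DMZ_NET='10.10.10.0/24'
DMZ_GLOB='10.10.10.*'

# Constructed stand-in for `ss -Hltn` run on the gateway itself:
# sshd, the Zentyal web UI on 443/8080 and its MTA on 25 are listening.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 128 0.0.0.0:443   0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080  0.0.0.0:*
LISTEN 0 128 [::]:25       [::]:*'

# Print every local port the host listens on, one per line, numerically sorted.
# The port is the last colon-separated field of column 4 (works for [::]:25 too).
listen_ports() {
    printf '%s\n' "$1" | awk '{ n = split($4, f, ":"); print f[n] }' | sort -un
}

# Exit 0 when PORT ($1) already has a listener in the ss output ($2).
port_in_use() {
    listen_ports "$2" | grep -qx "$1"
}

# Split a spec into the globals pub, proto, ip, port.
split_spec() {
    pub=${1%%:*};     rest=${1#*:}
    proto=${rest%%:*}; rest=${rest#*:}
    ip=${rest%%:*};    port=${rest#*:}
}

# Validate one spec against the host's listeners; print "ok" or the reason
# it is rejected, and return 1 on rejection.
check_forward() {
    split_spec "$1"
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto"; return 1 ;; esac
    case $pub in ''|*[!0-9]*) echo "bad public port: $pub"; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad guest port: $port"; return 1 ;; esac
    # Only forward into the guest subnet; never DNAT straight into the LAN.
    case $ip in $DMZ_GLOB) ;; *) echo "target $ip outside DMZ $DMZ_NET"; return 1 ;; esac
    # The public port must be free on the gateway; the guest's port is its own.
    if port_in_use "$pub" "$2"; then
        echo "public port $pub already bound on host"; return 1
    fi
    echo ok
}

# Emit an iptables-restore fragment (nat DNAT + matching FORWARD accept) for
# every accepted spec. Rejected specs become trailing comment lines and make
# the function return 1, so a caller can refuse to load a partial set.
build_rules() {
    ss_out=$1; shift
    nat=''; fwd=''; skipped=''
    for spec in "$@"; do
        if msg=$(check_forward "$spec" "$ss_out"); then
            split_spec "$spec"
            nat="$nat-A PREROUTING -i eth0 -p $proto --dport $pub -j DNAT --to-destination $ip:$port
"
            fwd="$fwd-A FORWARD -i eth0 -d $ip -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
        else
            skipped="$skipped# skipped $spec: $msg
"
        fi
    done
    printf '*nat\n%sCOMMIT\n*filter\n-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n%sCOMMIT\n%s' \
        "$nat" "$fwd" "$skipped"
    [ -z "$skipped" ]
}

# Stand-alone demonstration: 8443 -> Alfresco's 8080 inside the guest is fine,
# 8080 on the gateway is taken by Zentyal, and 2121 -> a LAN box is refused.
build_rules "$SS_SAMPLE" \
    8443:tcp:10.10.10.5:8080 \
    8080:tcp:10.10.10.5:8080 \
    2121:tcp:192.168.1.20:21 || echo '# at least one forward was rejected' >&2
```

The fragment only adds forwards; the gateway's own INPUT policy is untouched, so an LDAP port that Zentyal already blocks on the external interface (christian's point above) stays blocked. Load the output with `iptables-restore -n` only after reviewing it, and remember the same check applies to a reverse proxy: the proxy's listener on the gateway is one more public port that must not collide with what the host already binds.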

OlegRa

Re: Virtualizing the Server
« Reply #24 on: August 10, 2011, 02:47:30 pm »
Hi.

To Christophe.

...
4 VMs:
1 Zentyal gateway with: proxy; VPN; mail server; slave LDAP
1 Zentyal LDAP master: just the LDAP master
1 Zentyal DHCP and PDC: DHCP; slave LDAP, file and printer sharing, and Webmin to manage files
1 Ubuntu Server 10.04: LAMP; BIND and Webmin to manage BIND.
...

Having read your post, I have come to the same decision.
This is how I do it now. I use a Proxmox server, with Zentyal as the guest.
1 - LDAP master, DNS: set up, works well
2 - LDAP slave, proxy, firewall, mail, webmail: also set up,
3 - LDAP slave, Samba PDC: here there were problems.

LDAP master <-> LDAP slave synchronization works OK.
But I cannot create file shares for new users; it is interrupted with an error.
If the user was created before setting up the Samba PDC, file shares open, but if after (a new user), it is interrupted with an error.
Do you have error reports or not? How did you install and configure the LDAP slave + Samba?

OlegRa

miquel

Re: Virtualizing the Server
« Reply #25 on: August 10, 2011, 05:51:50 pm »
In my scenario, VMware ESXi is a problem rather than a solution: I need to purchase at least three new boxes to run ESXi: production, backup and a Windows box to manage ESXi.

From the UPS (SAI) point of view too, this means at least two connected boxes (ESXi server + workstation) during an outage, shortening battery duration by 50%.

On the other hand, KVM or VirtualBox can run on top of a Linux box, which is more effective in some situations.

By the way, I would appreciate ideas about which services must be dropped from the main/physical server for security reasons.

Thanks.
Miquel



Christophe

Re: Virtualizing the Server
« Reply #26 on: August 23, 2011, 02:04:30 pm »
Hi OlegRa,

Quote
LDAP master <-> LDAP slave synchronization works OK.
But I cannot create file shares for new users; it is interrupted with an error.
If the user was created before setting up the Samba PDC, file shares open, but if after (a new user), it is interrupted with an error.
Do you have error reports or not? How did you install and configure the LDAP slave + Samba?

I have never had any issue to report with my configuration.

Are you sure you have set up your DNS correctly to resolve its hostname?
DELL PowerEDGE R210 - ESXi 4.1 - 4 VM Zentyal

ichat

Re: Virtualizing the Server
« Reply #27 on: August 23, 2011, 05:20:16 pm »
For a quick hint... don't ever run a file server as a virtual machine unless it's connected to a really beefy file cluster, SAN, or iSCSI target...

Not if performance matters, that is...

In your case I could settle for 1 Zentyal to rule them all, only running a mini Linux LAMP stack for your extranet (www) service...

nicolasdiogo

Re: Virtualizing the Server
« Reply #28 on: August 24, 2011, 12:03:47 pm »
Have you looked into Proxmox? Quite a reliable system for managing KVM (that is my experience).

But there are other alternatives: if you are looking to deploy it en masse, have a look at OpenNebula.

I have had Proxmox working on two machines really well.

Hope it helps.