Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: vshaulsk on July 15, 2011, 03:03:53 pm

Title: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 03:03:53 pm
I am looking into virtualizing different components of my test Zentyal server (beta 2.1 version). However, I am not sure which functions I should virtualize.
I know that creating a VM web server that hosts content for the outside world is a good idea for security. I would assume making your file server virtual will also be a good idea.
However, I do not know if I should split up other server functions.

When I look at Zentyal I see that it is split up into five categories: gateway, UTM, infrastructure, file server, communications server. Should I install one of them on the physical machine and virtualize the rest, or only virtualize some of them?
What do you guys think?
Title: Re: Virtualizing the Server
Post by: Christophe on July 15, 2011, 06:44:07 pm
Hi,

VMware ESXi 4.1 is now free.

You could install ESXi on your physical server and virtualize Zentyal as you want.

I have 3 Zentyal servers and 1 Ubuntu server for my DMZ. Each one is a VM.

Title: Re: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 07:10:19 pm
OK, on your Zentyal servers, which modules do you have running on each one? I am trying to figure out the best way to split it up.

For instance, should I run one server with the gateway, UTM, and DHCP functions, a second server as Zentyal Samba, and another one as the mail or web server?

I guess that is really at the heart of my questions. To have a well-functioning machine which is secure, how should I split up the functions of Zentyal?

Thank you!
Title: Re: Virtualizing the Server
Post by: Christophe on July 15, 2011, 07:18:41 pm
I don't know if it is the best choice:
1 physical server: ESXi 4.1

4 VMs:
1 Zentyal gateway with: proxy; VPN; mail server; slave LDAP
1 Zentyal LDAP master: just the LDAP master
1 Zentyal DHCP and PDC: DHCP; slave LDAP; file and printer sharing; and Webmin to manage files
1 Ubuntu Server 10.04: LAMP; BIND; and Webmin to manage BIND

If you have a better idea, share it.

Title: Re: Virtualizing the Server
Post by: Sam Graf on July 15, 2011, 07:33:42 pm
I think different people have different ideas about these things, making an "ideal" setup hard to quantify. For example, I prefer to keep gateway- and infrastructure-type services on physical machines. I don't see any benefit to virtualizing small business network infrastructure and some benefit to not having everything on one server (though having multiple facilities influences me there). Virtualizing the desktop, mail servers, web servers--the stuff I think of as user-facing network services--makes sense to me, just as keeping the backbone of the network on physical servers makes sense to me. But of course, that's just how I think.

The only real practical limitation, it seems to me, is the server hardware. What can the server effectively virtualize? At least some of the rest of the deployment decisions are about administration philosophy and preference.

Just for what it's worth.
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 07:51:53 pm
OK, thank you for your input and information!

This is what I was looking for.

For my personal use, I have had no problem just installing all the functions of Zentyal on the physical machine along with Subsonic + TrueCrypt + Webmin. Everything works, and since it is not critical if the machine goes down, it is the one server in my house.

However, I have been helping my friend out by setting up an office server for his chiropractor/physical therapy office (before this they had nothing set up, and found out later that one of their employees gave herself remote access to the systems and was stealing from them). They basically have 4 full-time people and another 6 part-time people.

They are using a system very close to mine. Just basic desktop components: AMD 1090T hexacore CPU + 8 GB of RAM. They have 4 disk drives, basically split into two software RAID 1 arrays. They use one for the OS and the second for storing files. They also have an external drive that they use for backup. The server has a UPS as well.

With the next version of Zentyal having a VM module, I was thinking of splitting up their server for better function and security (first I will learn on my own system). This is why I am trying to figure out the best way of performing this task. I am not sure that for so few people there will be any advantages, but what do you think?
Title: Re: Virtualizing the Server
Post by: Christophe on July 15, 2011, 09:01:24 pm
I don't know how the VM module in Zentyal works. I installed it one day, and just saw an option to start VMs automatically after boot. Now I use the stable release.
I don't know if you need VirtualBox.

I can't help you use this module. But I could help if you want to use VMware ESXi.
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 09:50:37 pm
I was thinking of using ESXi since you can install it directly on the bare-metal components.

However, I think I might run into a problem because I am just using desktop components and ESXi does not seem to be compatible with them. Maybe I will give it a try and see what happens :)
Title: Re: Virtualizing the Server
Post by: Christophe on July 15, 2011, 09:57:56 pm
I'm not sure I understand what you mean by "desktop component". I'm French.
In fact you just need to install ESXi on your physical server. You set a static local IP. After the install you never need a keyboard, mouse or screen; you can unplug everything.

On your client PC: install vSphere Hypervisor 4.1 (also free) and connect it to the ESXi server.

Now you can manage your server and your VMs from your Windows desktop.

It's really easy. A game for children!
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 10:17:21 pm
When I say desktop components I mean that my server uses regular hardware you would buy for a desktop PC. I am using a regular AMD 1090T processor on an MSI desktop motherboard with 8 GB of DDR3-1600 RAM. I have one 160 GB drive, two 500 GB drives, and seven 2 TB drives.
When I look at the website for ESXi I don't see my hardware on the compatibility list...

Also, what about the RAID setup? Currently my seven 2 TB disks are set up in a software RAID 6, and my two 500 GB disks are also set up in a software RAID 1 for the OS and /home directory. How is RAID implemented under ESXi?
Title: Re: Virtualizing the Server
Post by: Christophe on July 15, 2011, 10:22:16 pm
I understand your question. I can't help you with RAID; I don't use it. I just know virtual disks are limited to 256 GB maximum.
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 15, 2011, 11:14:27 pm
That is a problem. Maybe I can't even create a system, at least for myself, using my current functions.

At the very least I was hoping that I could create a virtual file server and mount my software RAID 6 under /mnt (not as a virtual disk)... maybe this is not possible. I really don't have any experience with VMs.
Title: Re: Virtualizing the Server
Post by: half_life on July 19, 2011, 05:57:28 am
Most of the other hypervisors allow you to use LVM partitions for the virtual machine instead of container files. I have production systems that use the KVM hypervisor (Ubuntu Server) and a Xen hypervisor (CentOS server) at home. Both play well when using LVM. Did I mention it is much faster this way compared to a container file? On both setups, Zentyal (2.0) with almost all services installed is virtualised. LVM and fast hardware RAID are very important to running Zentyal well virtualised. Also, just a note: if virtualising Zentyal it is important to give it enough RAM to avoid using swap. My production systems are using 4 processors and 6 GB of RAM to support a 27-seat office. I do not use Zentyal's VoIP solution and instead have Elastix installed alongside in another VM (one CPU and one GB of RAM). I haven't had a look at Zentyal's 2.2 beta yet, but plan on looking into it this week.
Title: Re: Virtualizing the Server
Post by: robb on July 24, 2011, 10:05:10 pm
ESXi 4.1 is quite picky about hardware. You had better check the VMware ESXi 4.x whitebox HCL (http://www.vm-help.com/esx40i/esx40_whitebox_HCL.php).

But creating an ESXi 4.x compatible server shouldn't cost too much money. For about 300 euro you should be able to buy the server case, power supply, motherboard, CPU and memory. If you already have the disk drives, you have a decent ESXi 4.1 server.
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 25, 2011, 03:02:09 pm
Unfortunately for me, creating a new server is not an option. I will have to go with the hardware I already have... I checked and it is not compatible with VMware ESXi.
I will have to stick with either VirtualBox or KVM.

After some searching and reading the replies to this post, I think I will try the following setup.

On the physical machine I will install the Samba PDC and print server, since I already have a software RAID 6 made of physical disks which is used just for data (I could not find a way to mount a physical array on a virtual machine... very possibly it is just from inexperience). On that same machine I will install my UPS management interface and the VM module (Zentyal 2.2).

I will create a VM which just runs LDAP as a master,
another VM running gateway, DNS, DHCP, and VPN,
and I will try to create a 3rd VM for a mail server and a 4th for a web server.

I do however have some questions.
1) Does this sound possible, and is this an alright setup?
2) Would I install the firewall and IDS modules on all the servers or just the one which contains the gateway?
3) Would I install the Zarafa module on the mail server or one of the other ones?
4) I also currently run Subsonic and would like to retain that function... any idea which server I would install it under? Would it be the web server or would it be the Samba server?
5) Also I was thinking of installing something like Alfresco or Joomla (I have never used anything like these programs before, but would like to see what they are about)... from what I understand I would install them on the web server?

Thank you for any and all feedback and help!
Title: Re: Virtualizing the Server
Post by: miko-edv on July 26, 2011, 02:22:42 pm
Hi,

pardon me jumping in.

I have also become a great fan of virtualization, and so I try to have as little as possible of any installation at my customers' sites on "real" machines, if only for the interchangeability in case of host hardware damage.

As I read your planning, one question immediately comes to mind: if the Samba server is on the host, how can it participate in the user/group management which will only be available after the VMs are up?

I do understand your concerns regarding the RAID.
On my larger hosts, I have vendor-supplied hardware RAID (Dell, 3Ware), which is configured in its BIOS and seen as one disk by ESXi.
On the other, more PC-like servers, the built-in "pseudo-RAIDs" are switched off to give me separate disks, which I use for internal copying/mirroring on a "semi-manual" basis. These machines do not run ESXi either, but VMware Server on Linux or Windows, and also VirtualBox. That makes the mentioned semi-manual tasks easier to perform, and performance is not really an issue there either.

Greets and Good Luck with your project
Michael

Title: Re: Virtualizing the Server
Post by: christian on July 26, 2011, 02:55:14 pm
I'm not sure I understand exactly what you are targeting and why, but you should pay attention to various limitations that may still exist because of modules either conflicting or requiring to run on the same Zentyal server.

Look carefully at LDAP, Samba and mail before spreading modules over different Zentyal servers (virtualized or not; the debate is, to me, the same).

As an example, and as far as I understand, you must run the MDA and MTA on the same server that also runs the LDAP master.

This said, if you have only one piece of hardware, what does running it in a virtualized mode bring (except if you also need this host to run a beta or other instance)?

I share Sam's statement and also Milo's view in large deployments, but can't see this fitting with SMB: virtualization fully makes sense, to me, if you store data on a secure (from a disk standpoint) NAS or SAN on which you can store virtual server images. In such a case, when facing hardware failure, you can easily relaunch your services because the server image is stored somewhere else. If everything is local, what is the real added value of a virtual server here? Of course, I do not dispute the capability to have multiple servers in parallel on the same hardware, but having this specific need in mind, I don't think Zentyal is really designed for such a purpose. I definitely need to think a bit more about this.

Last but not least, virtualization will bring some security by segregating services on multiple isolated servers, even if running on the same hardware. OK, fine, but is it worth the cost in terms of performance impact, complexity, management overhead...? Keep in mind that every Zentyal instance will run its own Apache and database. With Cherokee, Nginx or Lighttpd the impact would be lighter, although still present, but with Apache...?
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 26, 2011, 04:09:31 pm
Thank you for the feedback! This is exactly the kind of information and thoughts I was looking for. I am new to Linux and to server/infrastructure management in general.

The Zentyal system I currently have running is all on one physical machine with all the services enabled (except VoIP and Jabber)... the system runs well and really takes up no resources on my machine. Basically the 6-core CPU is idle and I don't see the system using much over 2 GB of RAM (I have 8).

I guess I originally started thinking of virtualizing some of the components after I read an article about security. Something along the lines that a mail and web server should be split from the intranet systems (since they are components accessed from outside). This got me thinking about virtualizing certain pieces of Zentyal in order to make them completely separate systems. Maybe this is not really needed in a small business or home environment? Maybe the security risks are not really that great when it is such a small layout. What do you guys think from a pure security standpoint? Full business infrastructure layout?

Another thing I wanted was to have an intranet-based website and also an external website... currently, from what I understand, Zentyal is really made to be an intranet-type infrastructure system and you would VPN into the system in order to get on the intranet. However, if I install something like Alfresco, shouldn't I have that open to the outside world the same way I currently have Subsonic access or the Zarafa WebAccess?

I welcome all viewpoints... suggestions... thoughts... anything! I am learning and trying new things, and I don't mind reinstalling my system a hundred times if it means I learn all that I can and have a secure, well-functioning infrastructure!
Title: Re: Virtualizing the Server
Post by: Sam Graf on July 26, 2011, 04:44:57 pm
This actually touches indirectly on a discussion or two we've had here about what Zentyal should look like--focusing on "infrastructure" or trying to be a "kitchen sink" solution.

I have yet to play with 2.2rc (downloaded for testing, but not installed :'( ), so I don't know what it brings to the discussion (I'm thinking of the VM management features). But IMHO, out-of-the-box, Zentyal is best at providing a pretty robust network environment. It's been less strong, IMHO, at being a "kitchen sink" solution. I don't think of Zentyal when I want to set up a LAMP server, for example. So it may be that at least some SMB/SOHO systems relying on Zentyal will have at least two physical servers--one for "infrastructure," and one for the "kitchen sink."

From an SMB or SOHO security standpoint, I would consider anything I'm at all willing to run on Zentyal as being secure on one physical server. In a small network environment, surely the connections that tie everything together form a vulnerability chain. Compromise from the inside is still a possibility in a virtual environment. And Christian's point about complexity seems to me to be valid. At some point the system's complexity and robustness stops paying dividends, and in SMB and SOHO environments, that happens way sooner than later, I think.
Title: Re: Virtualizing the Server
Post by: christian on July 26, 2011, 04:49:39 pm
Hehe, you may be new to infrastructure management, but you are raising, from my standpoint, the right question 8)
"How to provide secure services for SMB?", meaning not deploying a complex and heavy-to-manage infrastructure.

Virtualization doesn't make it lighter, by the way. To me it's even the opposite: for someone who really understands what each component provides, virtualization might help. If you don't, it only makes everything confusing, adding on top of that the extra overhead of the virtualization environment :-\

Yes, in an ideal world, internet, intranet and extranet should be kept "isolated", with a firewall in the middle plus some services in a DMZ to control flows at the application level (e.g. mail relay, HTTP proxy), but this results in a rather complex design that often does not fit the SMB scope (too complex and therefore expensive). This is why the Zentyal approach is very appealing.

Still, with such a target in mind, is Zentyal the right solution?

I don't have the absolute answer, but feel that we will quickly try to achieve something complex with something designed to be easy and simple first.

Let's take 2 examples that will show why, to me, Zentyal doesn't aim at providing such a design:
- LDAP server: services running in the DMZ should rely on an internal LDAP server so that the LDAP server containing internal accounts is not exposed on the internet. Zentyal's design doesn't really expose LDAP on the internet (LDAP ports are blocked at the firewall level), but the LDAP service runs on Zentyal and there is no way you can split it easily.
- mail gateway: a secure design supposes running the mail gateway (MTA) in the DMZ along with anti-virus and spam filtering, and then delivering mail to mailboxes hosted internally. This can't be achieved (again, as far as I know) with Zentyal. The best you can do is forward the mail port (e.g. 25) to the internal server, which is not as secure.

Does it mean that Zentyal out-of-the-box is not secure?
Not at all! I'm using it, while I'm an IT architect focusing on infrastructure design 8), but I use it at home and also for small domains where I feel it fits perfectly. I would not use it for a company for which security is worth the extra cost compared to ease of use. The motto is SMB. It says it all. Then, the border being fuzzy, some questions make sense but the ideal "state of the art" secure design doesn't.

Well, my own view only ;) :-X I'd like to get the Zentyal staff's view too...

One additional point: VPN is not the only way to provide access to internal services. A reverse proxy is very useful and secure when it comes to accessing, from outside, web-based services running internally. I even promote this rather than VPN. Here again, it depends on your constraints in terms of security...

I'm reading Sam's reply now... fully in line as usual :-)
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 26, 2011, 05:46:48 pm
Very interesting, and it gives me a lot to think about! Thank you!

Let me ask you directly, Christian, Sam, and others: how would you set up Zentyal given this small home office environment?

I have 2 computers, a PS3 and a TV wired directly to a gigabit switch. I have a wireless access point to which my laptop and phone connect. Anyone else who comes over also connects to the wireless access point. The switch then connects to one of the NICs on the server (running Zentyal). The second NIC of the server connects to the modem provided by my ISP. All devices connected internally stream media from the server. I use DynDNS to have a name from the outside.

The Zentyal OS is installed on a software RAID 1 (/swap, /home, /root)... under /mnt I have a software RAID 6 mounted for storage.
I have every service running except instant messaging and VoIP. I set my domain to HOME.lan and have roaming profiles enabled. I also use Zarafa for email and groupware since it has Z-Push to sync with my sisters', girlfriend's, brother's (lives in England), parents' and my phone. My entire immediate family, which is scattered across the US and the world, has an account on the system and VPN access. I have also installed Subsonic and given all of them access to that (opened port 4040 and created a service). From the outside, currently each user can access the standard FTP site and also each user's H: drive through FTP.

SSH, HTTPS and HTTP are not accessible from outside the LAN. You have to VPN in order to access them. I have the transparent proxy turned on with filtering. Everything works correctly except maybe the DNS module (I don't think I have my DNS host names set up correctly, or maybe the DNS lookup... actually I feel just lost when it comes to DNS).

I would like to have an external webpage plus an extranet. Also I would like to install Alfresco or Joomla (which would give me an extranet, correct?).
My question is: would you keep this setup and just simply add some features to it, or would you create a virtual machine running a LAMP server or some other setup?
Title: Re: Virtualizing the Server
Post by: Sam Graf on July 28, 2011, 06:48:51 pm
I'm not sure I'm smart enough to answer your question properly. Also, I tend to take a different approach than you have, and my approach isn't necessarily a good approach.

Zentyal's Web server is great for static pages, but obviously your CMS preferences mean a full LAMP server. That would be a cool place to try out Zentyal 2.2's VM tools, I'm thinking. That would be my preference over installing an unmanaged LAMP server on my Zentyal machine. Of course, that requires the right hardware (I think) to support KVM.

Since you have a family full of VPN users, I would also play with Zentyal's Jabber service. We use it (with Pidgin) on our site-to-site VPN as an internal chat (no external connection) and it works very well for us.
Title: Re: Virtualizing the Server
Post by: vshaulsk on July 28, 2011, 07:48:09 pm
Thank you! I actually sort of came to your conclusion as well. After drawing up multiple scenarios and going over how everything works today, I think setting up a virtual machine to run a LAMP server is probably the way to go.

I think this will let me use the Zentyal server itself for everything it does now, plus some of the new features of the 2.2 release. I will set up my intranet, which will have static webpage content, on Zentyal... I will create a VM which will run the LAMP server and install Alfresco on it.

The only question I have is how I would configure the ports. I know that Alfresco upon installation tries to bind itself to certain ports which I think Zentyal currently uses... like port 21 for the FTP service and port 8080. Also I have no idea how I would set up Alfresco in this scenario to use the Zentyal LDAP. Questions... questions... questions... hahahaha!
Title: Re: Virtualizing the Server
Post by: half_life on July 29, 2011, 01:57:00 am
Somebody pipe in here to correct me but, if I am recalling correctly, the Zentyal staff selected ConVirt to handle their VM management. It is a good tool. To answer your question about adding a LAMP server to your setup via a VM, it might help you to think of the virtual machine as a real machine. How would you go about setting up a real machine to do that? I would use a reverse proxy to allow access to my web-based services, as another poster has mentioned.

Actually, I already use virtualisation both at home and at work. For my needs it made the most sense to install the host OS and hypervisor on the metal (Ubuntu Server 10.10 and KVM for the hypervisor). I bridged my internal and external LAN connections to simplify connecting the VMs to the needed LAN resources. I did not configure the external LAN interface on the host machine at home, for security reasons (I only have one external IP at home anyway). I installed Zentyal in a VM and gave it access to the outside and the inside LANs so that it could act as the gateway. I need more features than the stock VoIP module in Zentyal provides, so I installed Elastix in another VM and utilised port forwarding to get SIP connectivity inside my LAN. VPN is my tool of choice to give elevated access to the local network. I have a copy of XP virtualised on one of the local machines to give me something to RDP into from work. I also installed X2Go on the hypervisor system to give me GUI access to the machine.

At work the setup is slightly more complex, since I use two hypervisor machines that create a high-availability cluster. I use DRBD to keep all the virtual machine drives in sync so that if one goes down it is started on the other physical machine. I do not provide any services on the two physical machines outside of SSH to allow X2Go to function. Again, I use Zentyal for the gateway to the local network.
I use Elastix for phone service at work but have a separate static IP for the phone system, the Zentyal gateway, and each of the physical servers. I would suggest that you think about whether it makes sense to have Zentyal on the metal and also acting as the hypervisor, or if it would make sense to separate them. Hardware resources and what your needs actually are will dictate how you set up your system. The home system is a 2.6 GHz quad-core processor with 8 GB of RAM and 3 TB on a software RAID 5 arrangement, with each VM using an LVM volume as its hard disk (vs an image file) for speed. 2 CPUs are assigned to Zentyal with 3 GB of RAM, and 1 CPU and 1 GB of RAM are assigned to the phone system. The work servers are monsters, weighing in with 16 cores (2 GHz) and 48 GB of RAM. They also have 3 TB of drive space on a (fast) hardware RAID controller set up for RAID 5.
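The layout half_life describes (LVM volume as the guest's disk, bridged inside/outside NICs, the host keeping no address on the external side) and the earlier question about handing a host software RAID array to a guest, written out as a libvirt/KVM domain definition. This is an added example, not configuration from the thread or from Zentyal; the volume group `vg0`, logical volume `zentyal-root`, md device `/dev/md0` and bridges `br-lan`/`br-wan` are all assumed names.

```xml
<!-- Constructed example: a Zentyal gateway guest on a KVM host.
     Assumed names: vg0/zentyal-root (LVM root), /dev/md0 (host software RAID
     used only for data), br-lan (internal bridge), br-wan (external bridge). -->
<domain type='kvm'>
  <name>zentyal-gw</name>
  <!-- Enough RAM that the guest does not touch swap, per half_life's note. -->
  <memory unit='GiB'>3</memory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features><acpi/><apic/></features>
  <devices>
    <!-- Root disk: an LVM logical volume used directly as a block device,
         instead of a container file (qcow2/VMDK) on the host filesystem. -->
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/vg0/zentyal-root'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <!-- Data array: the host's md device passed to the guest whole. The guest
         formats and mounts it (e.g. under /mnt); the host must never mount it
         at the same time, or both sides corrupt the filesystem. -->
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/md0'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <!-- Internal LAN: the host keeps its management address on br-lan. -->
    <interface type='bridge'>
      <source bridge='br-lan'/>
      <model type='virtio'/>
    </interface>
    <!-- External side: br-wan carries the ISP link but the host has no IP on
         it, so only the Zentyal guest (firewall, VPN) is reachable from outside. -->
    <interface type='bridge'>
      <source bridge='br-wan'/>
      <model type='virtio'/>
    </interface>
    <serial type='pty'><target port='0'/></serial>
    <console type='pty'><target type='serial' port='0'/></console>
  </devices>
</domain>
```

Register it with `virsh define zentyal-gw.xml` and start it with `virsh start zentyal-gw`; the two bridges must already exist on the host (e.g. via /etc/network/interfaces on Ubuntu Server 10.10).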
Title: Re: Virtualizing the Server
Post by: OlegRa on August 10, 2011, 02:47:30 pm
Hi.

To Christophe.

...
4 VMs:
1 Zentyal gateway with: proxy; VPN; mail server; slave LDAP
1 Zentyal LDAP master: just the LDAP master
1 Zentyal DHCP and PDC: DHCP; slave LDAP; file and printer sharing; and Webmin to manage files
1 Ubuntu Server 10.04: LAMP; BIND; and Webmin to manage BIND
...

I have read your post, and I have come to the same decision.
Here is what I do now. I use a Proxmox server, and the guest is Zentyal.
1 - LDAP master, DNS: configured, works well
2 - LDAP slave, proxy, firewall, mail, webmail: also configured,
3 - LDAP slave, Samba PDC: here there were problems.

Synchronization LDAP master <-> LDAP slave works OK.
But I cannot create file shares for new users; it is interrupted with an error.
If the user is created before setting up the Samba PDC, the file resources open, but if after (a new user), it is interrupted with an error.
Do you have error reports or not? How did you install and configure LDAP slave + Samba?

OlegRa
Title: Re: Virtualizing the Server
Post by: miquel on August 10, 2011, 05:51:50 pm
In my scenario, VMware ESXi is a problem rather than a solution: I would need to purchase at least three new boxes to run ESXi: production, backup and a Windows box to manage ESXi.

From the SAI (UPS) point of view too, this means at least two connected boxes (ESXi server + workstation) during an outage, shortening battery duration to 50%.

On the other hand, KVM or VirtualBox can run on top of a Linux box, which is more effective in some situations.

By the way, I appreciate ideas about which services must be dropped from the main/physical server for security reasons.

Thanks.
Miquel


Title: Re: Virtualizing the Server
Post by: Christophe on August 23, 2011, 02:04:30 pm
Hi OlegRa,

Quote
Synchronization LDAP master <-> LDAP slave works OK.
But I cannot create file shares for new users; it is interrupted with an error.
If the user is created before setting up the Samba PDC, the file resources open, but if after (a new user), it is interrupted with an error.
Do you have error reports or not? How did you install and configure LDAP slave + Samba?

I never reported any issue with my configuration.

Are you sure you have set up your DNS correctly to resolve its hostname?
Title: Re: Virtualizing the Server
Post by: ichat on August 23, 2011, 05:20:16 pm
For a quick hint... don't ever run a file server as a virtual machine unless it's connected to a really beefy file cluster, SAN, or iSCSI target...

Not if performance matters, that is...

In your case I could settle for 1 Zentyal to rule them all, only running a mini Linux LAMP stack for your extranet (www) service...
Title: Re: Virtualizing the Server
Post by: nicolasdiogo on August 24, 2011, 12:03:47 pm
Have you looked into Proxmox? Quite a reliable system to manage KVM (that is my experience).

But there are other alternatives; if you are looking to deploy it en masse, have a look at OpenNebula.

I have had Proxmox working on two machines really well.

Hope it helps.