Some Linux questions

etienne_marais

3 to be exact:

1) Is it feasible to run a virtual image (say 64GB RAM, half of the cores using KVM) on a dedicated server (128GB RAM) simply for the sake of added security? My understanding is that the knock on performance is not all that significant when using virtualization when the host does not run under heavy load; the virtual image will run the main intended task of the dedicated server and account for most of the strain on the server. There are 5 static public IPs and I intend to open the 1st to the dedicated server itself (only), and the second to the virtual image instance using a bridge (only), with only the relevant port of the daemon running on the virtual image open.

2) If so, which Linux distribution is suggested for the virtual image? It does not need X/GUI but does need gcc and common development libraries. Host is Ubuntu 16.04 LTS.

3) If you have a volume mounted (ignore virtualization for now), say on /datadir, and the daemon which stores its data there cannot be stopped or reconfigured and is intensely and constantly writing and reading to /datadir, is it possible to extend the capacity of /datadir when a new hard disk is added to the server? As the service cannot be reconfigured/restarted etc., and subdirectories of /datadir won't be a solution, neither is unmounting and remounting (in a conventional manner at least), is there any way to add to the capacity of /datadir? My guess is no, but curious if something like this can be done...
 
1) I've never heard of anyone adding a VM for the sake of "added security", as there is no benefit to security, at least to my knowledge, from running something in a virtual environment as opposed to directly on the tin. Security is security, and if you think you get additional security by running a VM, then your current security specialist needs to be fired because they don't know what they're talking about.

2) This is almost like asking if white girls are better than black or asian girls. It's all up to your preference and what suits your business (or personal) requirements. gcc can run on any Linux environment, so you have to have a chat with yourself or your sysadmin to ask the question: which Linux OS will give you the best bang for buck on your current hardware? Personally I would go for Debian, but again, just because I prefer chicks with average sized boobs, doesn't mean you do, so ... yea...

3) I would love to know what application/service is constantly writing to drives, but this is where your sysadmin can step in and help with some advice. You have TONS of solutions that you can go for. GlusterFS for example allows you to scale the way you want and add more capacity, but I'm unsure if any addition would need a restart of the service or not; you could possibly research that. Another would be a LUN setup (SAN) where your datadir is on an array that could scale; again, if this is dynamic or not, I'm not sure, and up to you to decide. Again, it's up to you to decide what/how you would like to scale, especially considering the scenario you placed where you can't afford downtime, always have the disk busy and can't unmount/remount it for any reason whatsoever.

With 128GB RAM, I'm surprised that the daemon stores the data on disk and reads/writes to it constantly, and does not use the RAM (which is way faster) and then just have periodic writes to the disk, which could afford you to expand it later on.

Either way, I would google for some suggestions regarding this. I know you asked on the forum, but there are way more qualified articles and setup guides out there discussing these types of things, and since you didn't go into specifics, neither can I.
 
1) Is it feasible to run a virtual image (say 64GB RAM, half of the cores using KVM) on a dedicated server (128GB RAM) simply for the sake of added security?
Yes it is feasible, virtual machines where you are not trying to emulate a foreign CPU architecture are pretty fast.
If your VM gets hosed, you can quickly restore from a backup.
2) If so, which Linux distribution is suggested for the virtual image? It does not need X/GUI but does need gcc and common development libraries. Host is Ubuntu 16.04 LTS.
Including GCC in the virtual image is a security risk. Why do you think you need this?

Have you looked at containers? They may work better for you than a VM.
https://www.ubuntu.com/containers
 
Yes it is feasible, virtual machines where you are not trying to emulate a foreign CPU architecture are pretty fast.
If your VM gets hosed, you can quickly restore from a backup.

Including GCC in the virtual image is a security risk. Why do you think you need this?

Thanks, actually just needed in initial phases, or I can build binaries elsewhere so can skip gcc.

Have you looked at containers? They may work better for you than a VM.
https://www.ubuntu.com/containers

Ah yes, recently, and briefly came across containers. Very interesting and relatively easy from what I understand.
 
1) I've never heard of anyone adding a VM for the sake of "added security", as there is no benefit to security, at least to my knowledge, from running something in a virtual environment as opposed to directly on the tin. Security is security, and if you think you get additional security by running a VM, then your current security specialist needs to be fired because they don't know what they're talking about.

Thanks, I'm obviously not the guru, nor intend to become one. I was thinking around the concept that on the host there will be a variety of open ports, including ssh. On the guest there will be a bridged IP which can't be used to access any services on the host, and only one port open on the guest, with no direct network access except via the host. I would think this cuts out amateur port-scanning haxors that may not even realize the two different static IPs relate to the same physical machine. A person who gains root access on the host may inspect the image file of the guest of course, but will have to spend more time figuring out what is going on there and breaching it.

2) This is almost like asking if white girls are better than black or asian girls. It's all up to your preference and what suits your business (or personal) requirements. gcc can run on any Linux environment, so you have to have a chat with yourself or your sysadmin to ask the question: which Linux OS will give you the best bang for buck on your current hardware? Personally I would go for Debian, but again, just because I prefer chicks with average sized boobs, doesn't mean you do, so ... yea...

Seems I should not have asked; seems a bit of a standard response. I was hoping for added insight regarding effective image size, viability and even possibly performance, or just general suggestions or discussion.

3) I would love to know what application/service is constantly writing to drives, but this is where your sysadmin can step in and help with some advice. You have TONS of solutions that you can go for. GlusterFS for example allows you to scale the way you want and add more capacity, but I'm unsure if any addition would need a restart of the service or not; you could possibly research that. Another would be a LUN setup (SAN) where your datadir is on an array that could scale; again, if this is dynamic or not, I'm not sure, and up to you to decide. Again, it's up to you to decide what/how you would like to scale, especially considering the scenario you placed where you can't afford downtime, always have the disk busy and can't unmount/remount it for any reason whatsoever.

Thanks for the suggestions.

With 128GB RAM, I'm surprised that the daemon stores the data on disk and reads/writes to it constantly, and does not use the RAM (which is way faster) and then just have periodic writes to the disk, which could afford you to expand it later on.

This is of course what happens. I was rather trying to enforce a conceptual scenario so as to get to the point of whether it is theoretically possible or not, and from what I gather (thanks to you) there may be a chance.

Either way, I would google for some suggestions regarding this. I know you asked on the forum, but there are way more qualified articles and setup guides out there discussing these types of things, and since you didn't go into specifics, neither can I.

At times google is not my friend, nor time on my side.
 
Thanks, I'm obviously not the guru, nor intend to become one. I was thinking around the concept that on the host there will be a variety of open ports, including ssh. On the guest there will be a bridged IP which can't be used to access any services on the host, and only one port open on the guest, with no direct network access except via the host. I would think this cuts out amateur port-scanning haxors that may not even realize the two different static IPs relate to the same physical machine. A person who gains root access on the host may inspect the image file of the guest of course, but will have to spend more time figuring out what is going on there and breaching it.

I get what you're saying: make SSH to the VM inaccessible, except from the host, I think. But you could achieve the same thing with some firewall rules and/or a VPN without the overhead of a hosted VM? The VM would be good for DR, but for security it maybe just complicates things unnecessarily? A common config is to only allow ssh access to your servers from a VPN IP.
 
I get what you're saying: make SSH to the VM inaccessible, except from the host, I think. But you could achieve the same thing with some firewall rules and/or a VPN without the overhead of a hosted VM? The VM would be good for DR, but for security it maybe just complicates things unnecessarily? A common config is to only allow ssh access to your servers from a VPN IP.

Thanks garp, I think I'm going to test a couple of different approaches and scenarios. I'm not in enmity with the initial response by envo, I just lack the insight on what does and what does not constitute security and good practice.
 
I get what you're saying: make SSH to the VM inaccessible, except from the host, I think. But you could achieve the same thing with some firewall rules and/or a VPN without the overhead of a hosted VM? The VM would be good for DR, but for security it maybe just complicates things unnecessarily? A common config is to only allow ssh access to your servers from a VPN IP.

+1

But I do understand what you were after in security now.

Do you only have 1 server with 128GB RAM? Because you would have 1 point of failure, possibly bringing down your entire service regardless of how many VMs you're running.

I usually have 3 separate servers (or at least 3 separate VMs on 3 separate tins). For any VM that is only accessible on the local network, I use firewall rules to block all traffic except incoming traffic from whatever other VM I say is okay to access it.

SSH goes to a random 4 digit port instead of port 22. I also use private/public keys and disable the root user (create another user as root), and I disable password login (forcing the private/public keys, so without them, someone can't login).

This enables me to add SSH to all servers for direct access if I want to, or I just keep 1 open with SSH and make sure the other VMs accept local-network-only SSH requests.
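The sshd settings envo lists and the source-restricted firewall garp and envo describe, as an added example that is not from the thread. Assumptions: a non-root admin user "deploy" with sudo, a made-up port 2222, the bridge network 192.168.134.0/24 as the only trusted source, and iptables on an Ubuntu 16.04 host; DRY_RUN=1 (the default) only prints the firewall commands.

```shell
#!/bin/sh
# Added example, not the thread's own config: key-only, non-root sshd plus a firewall
# that lets only the local (bridge) network reach the sshd port.
set -eu

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Write the hardened sshd settings to $1 (on the real host: /etc/ssh/sshd_config,
# then validate with "sshd -t" before reloading the service).
write_sshd_hardening() {
    file=$1; port=$2; user=$3
    cat > "$file" <<EOF
Port $port
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $user
EOF
}

# Confirm the file really carries the three settings that matter most.
check_sshd_hardening() {
    file=$1
    grep -qx 'PermitRootLogin no' "$file" &&
    grep -qx 'PasswordAuthentication no' "$file" &&
    grep -qx 'PubkeyAuthentication yes' "$file"
}

# Only the trusted network may open connections to the sshd port; everything
# else to that port is dropped. The ESTABLISHED rule comes first so the
# session you are typing these commands in is not cut off.
restrict_ssh_source() {
    port=$1; net=$2
    run iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$port" -j DROP
}

# Usage: print the firewall plan (constructed values); rerun with DRY_RUN=0 to apply.
restrict_ssh_source 2222 192.168.134.0/24
```

The iptables rules are not persistent across reboots on their own; on Ubuntu 16.04 save them with iptables-persistent or express the same three rules in ufw.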
 
3 to be exact:

1) Is it feasible to run a virtual image (say 64GB RAM, half of the cores using KVM) on a dedicated server (128GB RAM) simply for the sake of added security? My understanding is that the knock on performance is not all that significant when using virtualization when the host does not run under heavy load; the virtual image will run the main intended task of the dedicated server and account for most of the strain on the server. There are 5 static public IPs and I intend to open the 1st to the dedicated server itself (only), and the second to the virtual image instance using a bridge (only), with only the relevant port of the daemon running on the virtual image open.

2) If so, which Linux distribution is suggested for the virtual image? It does not need X/GUI but does need gcc and common development libraries. Host is Ubuntu 16.04 LTS.

3) If you have a volume mounted (ignore virtualization for now), say on /datadir, and the daemon which stores its data there cannot be stopped or reconfigured and is intensely and constantly writing and reading to /datadir, is it possible to extend the capacity of /datadir when a new hard disk is added to the server? As the service cannot be reconfigured/restarted etc., and subdirectories of /datadir won't be a solution, neither is unmounting and remounting (in a conventional manner at least), is there any way to add to the capacity of /datadir? My guess is no, but curious if something like this can be done...

1.) Sure - why not - having it virtualized has some perks (cheaper licensing for some things, easier to backup, restore etc.)
2.) Whatever Linux distribution you want to use (the ones with the biggest support base (and ease of use) being Debian / Ubuntu / CentOS)
3.) LVM - you can just extend the existing LVM partition and add a new disk on the fly.
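The on-the-fly LVM extension suggested for question 3, as an added example that is not from the thread. Assumptions: /datadir is already mounted from a logical volume "datadir" in volume group "data" (made-up names), the new disk is /dev/sdb, and the filesystem is ext4 or XFS, both of which grow while mounted; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not the thread's own procedure: grow a busy, mounted /datadir
# without stopping the daemon that writes to it.
set -eu

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The trick only works if the mount point already sits on an LVM logical
# volume. A plain partition cannot be grown in place like this, so refuse early.
check_lvm_mount() {
    mnt=$1
    src=$(findmnt -n -o SOURCE "$mnt")
    if [ "$(lsblk -no TYPE "$src")" != lvm ]; then
        echo "$mnt is backed by $src, which is not an LVM logical volume" >&2
        return 1
    fi
}

# Label the new disk, add it to the volume group, then grow the logical volume
# and (with -r) resize the filesystem online. The daemon keeps reading and
# writing throughout; no unmount or restart is needed.
extend_datadir() {
    dev=$1; vg=$2; lv=$3
    run pvcreate "$dev"
    run vgextend "$vg" "$dev"
    run lvextend -l +100%FREE -r "/dev/$vg/$lv"
}

# Usage: review the plan (constructed names), then rerun with DRY_RUN=0 after
# check_lvm_mount /datadir has passed on the real host.
extend_datadir /dev/sdb data datadir
```

Note that this adds a single disk to the volume group without redundancy; if the original volume is on a RAID set, the new disk should be too, or the whole of /datadir becomes dependent on that one drive.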
 
+1

But I do understand what you were after in security now.

Do you only have 1 server with 128GB RAM? Because you would have 1 point of failure, possibly bringing down your entire service regardless of how many VMs you're running.

I usually have 3 separate servers (or at least 3 separate VMs on 3 separate tins). For any VM that is only accessible on the local network, I use firewall rules to block all traffic except incoming traffic from whatever other VM I say is okay to access it.

SSH goes to a random 4 digit port instead of port 22. I also use private/public keys and disable the root user (create another user as root), and I disable password login (forcing the private/public keys, so without them, someone can't login).

This enables me to add SSH to all servers for direct access if I want to, or I just keep 1 open with SSH and make sure the other VMs accept local-network-only SSH requests.

The server I am currently busy with will eventually be one of two (on different premises); the fallback server will be lower spec but will be a hot-swap failover.

Could somebody help me assign a public IP to a virtual machine? I was somehow hoping that I would figure it out once I got there, but no go.

IPs changed to random values:

main server public IP: 41.180.30.18
public IP I wish to assign to the virtual machine and only the virtual machine (currently also live on the main server): 41.180.30.19

bridge adapter/IP: 192.168.134.1

virbr0 Link encap:Ethernet HWaddr 77:77:00:CC:e5:ee
inet addr:192.168.134.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2424 (2.4 KB) TX bytes:2602 (2.6 KB)


IP on virtual machine instance: 192.168.134.192

So what I would like is to have all incoming/outgoing traffic for virtual machine 192.168.134.192 routed via public IP 41.180.30.19.

My current routing table looks like this (IPs randomly changed), edited only by using the route command:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 41.180.30.17 0.0.0.0 UG 0 0 0 eno1
41.180.30.16 * 255.255.255.248 U 0 0 0 eno1
41.180.30.19 192.168.134.192 255.255.255.255 UGH 0 0 0 virbr0
192.168.134.0 192.168.134.1 255.255.255.255 UGH 0 0 0 virbr0
192.168.134.0 * 255.255.255.0 U 0 0 0 virbr0
192.168.134.192 192.168.134.1 255.255.255.255 UGH 0 0 0 virbr0

If you gather that I don't really know what I am doing, you are completely right :P

When on the 'main'/host server, the routing works using IP 192.168.134.192 (I tested using a temp. ssh daemon running on the virtual machine); connecting using the public IP 41.180.30.19 does not work from outside nor from on the host server.
 
1.) Sure - why not - having it virtualized has some perks (cheaper licensing for some things, easier to backup, restore etc.)
2.) Whatever Linux distribution you want to use (the ones with the biggest support base (and ease of use) being Debian / Ubuntu / CentOS)
3.) LVM - you can just extend the existing LVM partition and add a new disk on the fly.

Thanks for the info, I think having snapshots of a VM is a major plus.
 