How-to : 3 virtual machines on a server

Hi everybody!

I am a complete noob in this area, so bear with me guys. :wink:

As an introduction, let me explain what I must do. I only have one IP adress to access the server. But the server will host 3 web sites and I want them to be hosted in a vm. So, I want to setup 3 virtual machines to do it and use apache reverse proxy and vhosts to redirect the domain requested to the right vm.

Now. I understand the concept, but I am not an expert at setting that up… :shame:

I have an openSUSE 11.3 server. So, I have to set a virtual machine server, is that right? I have been told that I cannot do it with VMware server in oS 11.3.

Can I use virtualbox for this? I only have to install virtual box? Is there a special version to install?

Once the virtual machine server is installed, is it trivial to create 3 VMs?

So, I want to know which steps I have to take to set that up.

Thanks in advance for helping me with this.

I'll ask the other questions about the reverse proxy on another thread. :slight_smile:

VirtualBox will do what you want but it is not the only virtualisation technology. It's quite a heavyweight approach.

At one site we use Linux vserver to partition the kernel into multiple spaces. OpenVZ also does something similar. This shares the kernel amongst the guests, leading to efficient use of memory.

You might also ask yourself why you want each vhost to be in a vm.

And yes, the reverse proxy thing is very doable.

Hi ken_yap,

Ok, which one is the best and the least complex to deploy and to create VMs with?

You might also ask yourself why you want each vhost to be in a vm.

For security reasons of each project. Everyone has sensitive data and I don't want to bear the responsibilities if something happens. So, if something happens (a breach or else), the sysadmin of each VM will be responsible, not me.

On 2010-12-11 02:06, DaaX wrote:

>> You might also ask yourself why you want each vhost to be in a vm.
> For security reasons of each project. Everyone has sensitive data and I
> don't want to bear the responsibilities if something happens. So, if
> something happens (a breach or else), the sysadmin of each VM will be
> responsible, not me.

Ja! - as admin of the host system, you can actually read and write inside
any of the guests virtual machines.

>;-)

In Linux, root is all-powerful. Users may be set up so as not to be able to
read one another's folders, data, email. But root can. You would need to have
no root…

--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)

Of course, I know that.

In Linux, root is all-powerful. Users may be set up so as not to be able to
read one another's folders, data, email. But root can. You would need to have
no root…

If there's no root on the host machine, how can you administer it, that is, installing new stuff, updating for security patches, etc.? You gave those permissions to a useradmin, kind of?

On 2010-12-11 04:36, DaaX wrote:
>
> robin_listas;2264625 Wrote:

>> You would need to have no root…

> If there's no root on the host machine, how can you administer it, that
> is, installing new stuff, updating for security patches, etc.? You gave
> those permissions to a useradmin, kind of?

I simply donā€™t know. It was left as a kind of question.

One way would be to set up sudo to do all operations, but using a user
password (a "privileged" user), not root's password. If that works, then a
super-administrator changes the root password and tells no one. It can be
kept in a safe or a sealed envelope, in case of need. The envelope is in
the care of the security staff of the building, and they log the handing over of
the envelope and you sign for it.

Something like that :slight_smile:

(I heard of a setup with rotating daily passwords, but never saw such a beast)

However, those users having access to sudo can do anything, same as root
(unless you restrict what operations each one can do, which is a very
complicated, tedious thing, unless somebody else has done it already). But
what they do is logged, which is a safeguard.

However, again, they can also delete the log. So the next paranoid step is
to send a copy of syslog to another machine controlled by a different admin.

Or two machines on different rooms, with alarmed, hardened steel cable ducts.

However… :stuck_out_tongue:

No, I will not go on. I'm kidding, but I'm sure some more faults can be found.

But I have worked on machines with similar lines of work, but which were
already designed to work this way. There was no access to the shell, only
to a very complex command and control interface, and each person had access
to different groups of commands. Each command was logged, and by whom and on
which terminal, on a separate log. One of the permissions was the changing
of users, passwords, and groups (I was one). Another was the access to the
unix shell - once there, tracks could disappear, so the person needed to be
trusted.

It is possible that setups as I described are implemented somewhere,
perhaps commercially.

--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
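The sudo-instead-of-root scheme described above (per-user privileges, sudo logging, and a copy of the logs on a machine run by a different admin), written out as an added configuration example that is not from this thread. File paths, the account names, the command paths and the log host are assumptions for an openSUSE 11.x host; edit the sudoers fragment only through `visudo -f`.

```text
# /etc/sudoers.d/siteadmins  (assumed path; create with: visudo -f /etc/sudoers.d/siteadmins)
# sudo asks each admin for THEIR OWN password; root's password is never handed out.
Defaults        timestamp_timeout=5
Defaults        logfile=/var/log/sudo.log        # local record of every sudo command
Defaults        syslog=authpriv                  # also sent to syslog, see rsyslog below

# Allow-list only the operations each site admin really needs.
# (A deny-list such as !/bin/bash is easy to bypass and is deliberately not used.)
Cmnd_Alias      APACHE_CTL       = /usr/sbin/rcapache2 configtest, \
                                   /usr/sbin/rcapache2 reload, \
                                   /usr/sbin/rcapache2 restart
Cmnd_Alias      SECURITY_UPDATES = /usr/bin/zypper patch

User_Alias      SITE_ADMINS = alice, bob, carol   # constructed example accounts
SITE_ADMINS     ALL = (root) APACHE_CTL, SECURITY_UPDATES

# /etc/rsyslog.d/remote.conf  (assumed path; rsyslog legacy syntax)
# Forward authentication and sudo records over TCP to a log host owned by a
# different admin, so deleting /var/log/sudo.log locally does not erase the trail.
authpriv.*      @@loghost.example.internal:514
```

The local admins can still read their own actions in `/var/log/sudo.log`, but the copy on `loghost` is the one that survives a local clean-up.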

On Fri December 10 2010 10:17 pm, Carlos E. R. wrote:

> On 2010-12-11 04:36, DaaX wrote:
>>
>> robin_listas;2264625 Wrote:
>
>>> You would need to have no root…
>
>> If there's no root on the host machine, how can you administer it, that
>> is, installing new stuff, updating for security patches, etc.? You gave
>> those permissions to a useradmin, kind of?
>
> I simply donā€™t know. It was left as a kind of question.
>
> One way would be to set up sudo to do all operations, but using a user
> password (a "privileged" user), not root's password. If that works, then a
> super-administrator changes the root password and tells no one. It can be
> kept in a safe or a sealed envelope, in case of need. The envelope is in
> the care of the security staff of the building, and they log the handing over of
> the envelope and you sign for it.
>
> Something like that :slight_smile:
>
> (I heard of a setup with rotating daily passwords, but never saw such a beast)
>
>
> However, those users having access to sudo can do anything, same as root
> (unless you restrict what operations each one can do, which is a very
> complicated, tedious thing, unless somebody else has done it already). But
> what they do is logged, which is a safeguard.
>
> However, again, they can also delete the log. So the next paranoid step is
> to send a copy of syslog to another machine controlled by a different admin.
>
> Or two machines on different rooms, with alarmed, hardened steel cable ducts.
>
> However… :stuck_out_tongue:
>
> No, I will not go on. I'm kidding, but I'm sure some more faults can be found.
>
>
> But I have worked on machines with similar lines of work, but which were
> already designed to work this way. There was no access to the shell, only
> to a very complex command and control interface, and each person had access
> to different groups of commands. Each command was logged, and by whom and on
> which terminal, on a separate log. One of the permissions was the changing
> of users, passwords, and groups (I was one). Another was the access to the
> unix shell - once there, tracks could disappear, so the person needed to be
> trusted.
>
> It is possible that setups as I described are implemented somewhere,
> perhaps commercially.
>
Of course, whoever creates the password will know what it is. su and its
variants just mean "Set User" or "Substitute User". You cannot sudo or su
without a user 0 (AKA root). Well, not quite correct, you could "su JDoe" but
then you only have the same rights as JDoe. See:
http://en.wikipedia.org/wiki/Su_(Unix)
and "info su"

--
P. V.
"We're all in this together, I'm pulling for you." Red Green

Just set up a normal Apache with 3 vhosts and give each admin ownership of their website directories as a normal account but nothing else. You run Apache for them but they manage their own site.

Giving them root of a VM is more problematic because they can do silly things like have weak passwords. And a VM Linux is just as dangerous as a real one if rootkitted.

Yeah, I could do that. But I want to give my clients the opportunity to install whatever distribution they like, the services they want and the apps they prefer. That is why I want to set up a scheme like that.

I am not worried about my clients, they know what they are doing. :wink:

So, vmlinux or openVZ?

Is openVZ available for openSUSE? Linux V-server?

Is the solution integrated in openSUSE good, that is, the hypervisor and Xen thing???

In OpenVZ and vserver, there isn't a separate kernel. The guest shares the same kernel as the host, but has a separate process space. This leads to very efficient memory use. So they can't install their own kernel. Also you need a specially patched kernel. You may have to compile it yourself.

Ouch!

OK, is there an easier solution? I am not sure I want to compile another kernel…

Probably vbox or vmware. Maybe xen, I don't have much experience of it.

I heard that since openSUSE 11.3, vmware cannot be used to do this. I'll have to check xen…

Hi
Why not look at ESXi?

--
Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.24-0.2-default
up 3:20, 2 users, load average: 0.21, 0.08, 0.02
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.21

Hi malcolmlewis,

From your experience, is it hard to set up and manage?

Hi
I've never run it, no VT hardware here… just use vmware workstation.
From what I have read from other users using it, they have no issues.

--
Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.24-0.2-default
up 14:26, 2 users, load average: 0.05, 0.05, 0.01
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.21

Hi everyone,

I am back from holidays.

So, I chose to use the integrated solution in openSUSE, that is, the Xen hypervisor.

It is installed so far, but I am not sure I understand how it works.

Anyway, it'll be the subject of another thread. :wink: