I’m running openSUSE 11.1 as my host and I also have an openSUSE guest. I only want to expose the guest to the internet, through my Dynex router with only ports 80 and 443 open and forwarded to my guest VM.
This guest VM is my production Drupal configured as a multisite, and is the only VM that will receive incoming connections from the internet. I have other guest VMs serving different purposes on the same host.
Now, I want all VMs and the host on the same Workgroup using Samba, but my question is: do I need more security besides my Dynex and SuSE firewall to protect my Drupal VM?
I’m just a small company, with only me for now, so I want to start securing my system now before my company grows to where I have multiple users.
I would like to start with securing my internet access to this single VM and then work on proxies, AppArmor and so forth.
There are a few ways you could do this; here’s how I do it.
In the VirtualBox config for the guest, set the networking mode to “Bridged Adapter.”
When you start the guest, run Yast inside the guest and configure the network to have a static IP address suitable for your local network. For example, if the host has IP address 200.200.200.10 with a netmask of 255.255.255.0, give the guest 200.200.200.11. It should be an IP that’s different from that of the host.
Now, when the guest is running, you can directly access it at that IP address. Use your DSL router/modem (assuming that’s what you use) to NAT the appropriate ports to the guest.
If you have the host connected directly to the Internet, you can easily NAT ports 80 and 443 into the guest. In that case, configure guest networking for NAT and read the documentation for VirtualBox. I tried this when I first started using VirtualBox, but found the bridged approach with static IP addresses to be a lot more flexible. I can’t remember how to do it, but I know it’s fairly easy. The documentation covers it in detail.
Best of all, learn to use the “VBoxHeadless” command and you can run the guest unattended, in the background. The command line I use is something like
VBoxHeadless -startvm "Name_Of_VM" &
The “&” at the end, of course, runs it in the background so that you can get your prompt back. By default, this starts an RDP server on port 3389. You can then do
rdesktop localhost
On the host machine and watch the guest boot normally. To kill it, I use
VBoxManage controlvm "Name_Of_VM" savestate
You can put all of these things in a standard /etc/init.d script and have your guest automatically start/stop at boot and shutdown. VirtualBox is pretty cool … especially considering that it’s a free package!
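An init script of the kind the post above describes, added here as an example (it is not the poster’s own script). It wraps the same three commands the post gives (VBoxHeadless -startvm, VBoxManage controlvm … savestate, rdesktop on the host) in start/stop/status functions. Assumptions: the VM name Name_Of_VM is a placeholder; the script runs as the unprivileged user who owns the VM, so a real /etc/init.d file would call it through su; and the flag that binds the built-in RDP console to loopback is spelled --vrdpaddress on VirtualBox 3.x (renamed --vrdeaddress in 4.x). The binding matters because, as the post notes, VBoxHeadless starts an RDP server on 3389, and by default it listens on every interface, which on a bridged host means the whole LAN can reach the guest console.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/vbox-drupal: run one VirtualBox guest headless.
# VM_NAME and RDP_BIND are placeholders; VBoxHeadless/VBoxManage are the real
# VirtualBox commands, referenced through variables so they can be stubbed.
VM_NAME="${VM_NAME:-Name_Of_VM}"
RDP_BIND="${RDP_BIND:-127.0.0.1}"     # only "rdesktop localhost" on the host may connect
VBOXHEADLESS="${VBOXHEADLESS:-VBoxHeadless}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# "VBoxManage list runningvms" prints one line per running guest: "Name" {uuid}
vm_running() {
    "$VBOXMANAGE" list runningvms | grep -q "^\"$VM_NAME\" "
}

vm_start() {
    if vm_running; then
        echo "$VM_NAME is already running"
        return 0
    fi
    # Bind the RDP console to loopback before powering on (VirtualBox 3.x
    # spelling, assumed; 4.x and later use --vrdeaddress).
    "$VBOXMANAGE" modifyvm "$VM_NAME" --vrdpaddress "$RDP_BIND" || return 1
    # VBoxHeadless blocks for the life of the guest, so background it.
    "$VBOXHEADLESS" -startvm "$VM_NAME" >/dev/null 2>&1 &
    echo "$VM_NAME started (console on $RDP_BIND:3389)"
}

vm_stop() {
    if ! vm_running; then
        echo "$VM_NAME is not running"
        return 0
    fi
    # savestate freezes the guest to disk; "acpipowerbutton" would instead ask
    # the guest for a clean shutdown.
    "$VBOXMANAGE" controlvm "$VM_NAME" savestate || return 1
    # controlvm returns before the guest leaves the running list; wait for it.
    i=0
    while vm_running && [ "$i" -lt 60 ]; do
        sleep 1
        i=$((i + 1))
    done
    vm_running && return 1
    echo "$VM_NAME saved"
}

vm_status() {
    if vm_running; then
        echo "running"
        return 0
    else
        echo "stopped"
        return 3        # LSB status code for "not running"
    fi
}

case "$1" in
    start)   vm_start ;;
    stop)    vm_stop ;;
    restart) vm_stop && vm_start ;;
    status)  vm_status ;;
    "")      ;;         # no argument: just define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/vbox-drupal and wired in with the usual runlevel links, it starts the guest at boot and saves it at shutdown; with the console bound to 127.0.0.1 the only path into the guest from the LAN is whatever the guest’s own firewall allows.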
Hey, that’s pretty cool! Yeah, I’m very impressed with VB, because I came over from testing Windows 2008 Data Center for the last several months, and didn’t have the extra money to accomplish my goals, so I’m here with openSuSE.
I had SuSE Enterprise 7.0 years back and decided to re-research what’s going on in the SuSE world and found this OS. Now I can accomplish my goals because everything I wanted to do in Windows Server I can do here.
Now I’m a happy camper! And I’m slowly getting my Linux skills back. Thanks for imparting to me some of your skills! I will use them!
> I had SuSE Enterprise 7.0 years back … Now I can accomplish my goals
> because everything I wanted to do in Windows Server I can do here.
one thing to think about is the way SuSE has changed and how openSUSE
is not like the SuSE Enterprise of years past…and, that is openSUSE
has a MUCH shorter life span…
openSUSE 11.2 will be on the streets next week and will die in about
18 months…if you are gonna run a business on openSUSE you will be
either installing new software every year, OR running without
updates…see: http://en.opensuse.org/SUSE_Linux_Lifetime
before you sink a lot of effort into getting 11.1 just as you want it
you might back up and do the math, and check out the other side…my
guess is that unless you work for free (your time is worth nothing)
you save money by purchasing the longer living SUSE Linux Enterprise
Desktop/Server…but, that is for you to decide…(i just didn’t wanna
see you back here moaning this time next year because your ability to
patch 11.1 ends with 2010…there are folks right now crying that the
repos for 10.3 are history…)
VirtualBox is going to revolutionize this. Because it’s an excellent VM manager for free, lots and LOTS of people are moving to virtualization. Yes, there are and have been other free VM managers, but frankly, they’re not nearly as easy to use – requiring special kernels and other hoops through which one must jump. On the other side of the aisle, the pay-to-play versions tend to be prohibitively expensive for smaller businesses.
As a result, what plenty of us are doing, as a cost-saving measure, is using the long-term-supported Enterprise version as the host, and then just installing community/free software in “VirtualBoxes.” When it comes time to upgrade, you only need to down that one VM for about an hour or two. Do it at night or on a weekend and it’s minimal downtime with maximum return on limited dollars.
How this is going to affect the Enterprise Linux marketplace, I can’t say. Microsoft has been keeping a beady (read: “worried”) eye on virtualization for some time, and for good reason. No longer do you need a separate mail server, Web server, NAS server, etc., etc. – each with its own ($$$) enterprise operating system. You just buy one killer, maxed-out PC (we use Dell PowerEdges with dual quad cores, several NICs, RAID and a truckload of RAM) and put all servers on that one machine.
Yes, the argument could be made that if that one PC fails, ALL servers are down, but (a), that doesn’t happen very often if you carefully choose your host machine and (b), it’s a moot point, anyway. For the small enterprise, losing the DSL or T1 line is far more likely (speaking from experience), at which point you lose the server “farm” anyway.
thank you for that info, but if you have 20 (or 200/2000) VMs running
11.1 won’t you still have to do 20/200/2000 new installs a year?
and, (still i have no idea, and haven’t looked) wouldn’t Novell like
to sell 2000 SLESs to you at something a LOT less than what one copy
would cost me?
i have to guess they would, and at some point administrative cost will
far exceed software cost…but, truth is i have not looked for an
envelope back to figure on…
mmmmmmmmmmmm! have you found http://susestudio.com/ yet, where you can
custom build an iso, and go…but, still you have to do that every year…
I was speaking of smaller enterprises. In our case, we have three.
But even if it was 20, it would still be cheaper. I doubt if the quantity discount would make up the difference, too.
> mmmmmmmmmmmm! have you found http://susestudio.com/ yet, where you can
> custom build an iso, and go…but, still you have to do that every year…
And again, it all comes down to the math. I have the time to spare to maintain 10 VMs. Even if everything goes wonky and I have to spend a full day upgrading each one, every two years, I come out WAY ahead. We did the math, and that’s what we concluded.
Also again, it’s not just me who’s worried about this. I mentioned Microsoft for a reason. They’ve run the numbers and are genuinely worried. Their empire depends on new licenses sold with new machines – if people start virtualizing and/or running their software “on the cloud,” that directly impacts their bottom line …
smpoole7 wrote:
> Even if everything goes wonky and I have to spend a
> full day upgrading each one, every two years
with a new release every 8 months, and each release aging out in 18
months you can’t plan to upgrade every two years…unless you plan to
run unpatched for six months…
just saying, not trying to sell anything, or change your mind…
Thanks for the info on OS lifetime. I lost my SuSE Enterprise on my last relocation. So, that is why I ended up with openSuSE as my host and guests.
I’m not concerned about downtime due to upgrades to any varying degree. Just happy I can accomplish my goals without the big expense of going with Windows Server.
I will, however, look into getting SuSE Enterprise as my host, but not anytime soon. If anything, first get everything running to production quality with openSuSE.
There are efforts being made to improve zypper, so as to be able to update to new openSUSE versions without having to do a clean re-install.
In fact, that is possible now, albeit probably only something for the more advanced openSUSE Linux users who do not have a lot of 3rd-party packages.
I suspect, though, there will be teething problems with the improved zypper capabilities for updating from one openSUSE to another, and eventually a set of guidelines, tips, tricks, etc … will evolve to make it more possible to successfully conduct such updates.
For the guest, you start the VM, use “rdesktop localhost” on the host, as mentioned above, then log into your openSUSE desktop. Assuming you have the new-style SUSE menu, click on the KMenu button (the “start” button at the lower left, by default). Select Computer -> Administrator Settings -> Network Devices -> Network Settings.
I don’t recommend KNetworkManager for something that will become a server. If it were me, I’d click the “traditional method with ifup” checkbox on the window that pops up. Then you can enter the IP address, netmask and other information manually.
As for the host machine, you set that network up the way you normally would – if it’s Windows, with Control Panel -> Networking -> etc., etc.
If you have problems, post back and someone will help you.
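What the YaST steps above produce on disk, plus the firewall policy the original question is really asking about, as an added example (not from any poster on this thread). The “traditional method with ifup” writes /etc/sysconfig/network/ifcfg-eth0; the guest’s SuSEfirewall2 is configured in /etc/sysconfig/SuSEfirewall2. On a bridged guest the single NIC faces the LAN and, through the router’s port forwarding, the Internet, so the policy below opens only 80 and 443 to everyone and restricts Samba and ssh to the LAN. Assumptions: the addresses follow the earlier post (200.200.200.0/24, which is a public range; a real LAN should use an RFC 1918 block), the SuSEfirewall2 variable names are those of openSUSE 11.x, and ROOT lets the script write into a scratch directory instead of the live guest’s /etc.

```shell
#!/bin/sh
# Added example: static LAN address and a least-exposure SuSEfirewall2 policy
# for the bridged Drupal guest. Hypothetical values; 200.200.200.x is the
# address range used earlier in the thread, not a recommended one.
GUEST_IP="${GUEST_IP:-200.200.200.11}"
LAN_NET="${LAN_NET:-200.200.200.0/24}"
IFACE="${IFACE:-eth0}"

# $1 = root directory ("/" on the guest, a scratch dir when testing)
write_ifcfg() {
    mkdir -p "$1/etc/sysconfig/network"
    cat > "$1/etc/sysconfig/network/ifcfg-$IFACE" <<EOF
BOOTPROTO='static'
IPADDR='$GUEST_IP/24'
STARTMODE='auto'
EOF
}

write_firewall() {
    mkdir -p "$1/etc/sysconfig"
    cat > "$1/etc/sysconfig/SuSEfirewall2" <<EOF
# The bridged NIC is the external zone: it sees the LAN and, via the router's
# port forwarding, the Internet. No internal or DMZ interfaces.
FW_DEV_EXT="$IFACE"
FW_DEV_INT=""
FW_DEV_DMZ=""
# Only the web server is reachable from anywhere.
FW_SERVICES_EXT_TCP="80 443"
FW_SERVICES_EXT_UDP=""
# Samba (137/138 UDP, 139/445 TCP) and ssh only from the LAN: net,proto,port
FW_TRUSTED_NETS="$LAN_NET,tcp,22 $LAN_NET,tcp,139 $LAN_NET,tcp,445 $LAN_NET,udp,137 $LAN_NET,udp,138"
# Log dropped packets to privileged ports so port-forwarding mistakes show up.
FW_LOG_DROP_CRIT="yes"
EOF
}

# Guard: refuse any policy that opens more than 80/443 to the world.
check_firewall() {
    ext=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p' "$1/etc/sysconfig/SuSEfirewall2")
    [ "$ext" = "80 443" ]
}
```

After writing the files on the guest, restart the network (rcnetwork restart) and the firewall (rcSuSEfirewall2 restart), then confirm from another LAN host that only 80 and 443 answer. The router’s forwarding rule is a second, independent layer: even if it is widened by mistake, the guest still only accepts the web ports.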