
Re: [Debian-User] Xen Dom0 and DomU



On Sat, Feb 17, 2007 at 05:06:46PM -0700, Archive wrote:
> I put your text below mine.  Yes, it does sound neat.  Did you do a 
> special compile for the RAID so it was built into the kernel or do you 
> have a hardware raid controller, or what?

I use the in-kernel software RAID and mdadm, bog standard linux RAID.

> 
> Perhaps I am wrong but I think Dom0 should contain (but not with the 
> purpose of executing) all applications that the DomU virtualizations 
> execute. This is one reason why software RAID implementations should be 
> avoided with respect to Dom0 -- the primary Xen system. 

I'm not sure I follow this. Why not use software RAID in Dom0? The
partitions in a DomU get mounted into the DomU just as they would in
Dom0 or a regular system (so far as I know). There is no trouble
running software RAID for a regular system, I don't see why it's a
problem with Xen.

> That way Dom0 
> (which is the basic Xen virtualization) can be used to check out 
> integrity issues with a flaky DomU.  This means that these applications 
> need to initially be tested on Dom0.  Often the DomU virtualization will 
> be heavily modified or at least tuned whereas Dom0 can demonstrate that 
> the application out of the box works even if the virtualization doesn't 
> or has stopped working properly.  This is important when doing any kind 
> of development where the development effort extends from the basic 
> package resident on Dom0. 

Sure. If you're doing dev work, then it makes sense to keep pristine
packages in Dom0 where you can easily get them, but for running a
simple mailserver and firewall as I'm doing? Seems overly redundant to
me. I'm using standard Debian packages for all the services running on
the DomU servers with security updates, cron-apt, tiger etc, so I
sleep well at night. There is nothing "custom" about what I'm doing in
the DomUs other than getting discrete operating environments for my
more publicly accessible machines. It's essentially a security hack. If
someone hacks into my mail server, all they've got is a barebones
machine with nothing on it but some mail. The firewall prevents any
traffic out of the mailserver into the rest of my system. If someone
kills one of my DomUs, big deal. I keep a back-up image of the DomU,
I can kill the infected one and restart the back-up at will and my main
server remains unfazed by all this.

> Personally, I think DomU (the secondary 
> systems) virtualizations exist only for the purpose of dedicated servers 
> and applications operating on a minimal code base. 

yes.

> The rule is one 
> application per virtualization. 

Well, how about one general purpose per DomU? But yes.


> Whereas, I see Dom0 inflated and fat 
> like an overfed pig serving not only as the Xen base architecture but 
> also upgradeable  (where this does not have to be the case with the DomU 
> -- secondary virtualizations).

Hmm... I think the DomUs in my situation are definitely upgradable
for security reasons.

> 
> There are of course those that would disagree but debate on these issues 
> will clarify these issues over time.
> 
> Thanks for your virtualization details -- have fun!!! Yes, it is all 
> yours!

:)

A

> 
> Thanks, Ted -- hope there were no typos because a typo on this subject 
> can be the opposite of what is intended when U is accidentally used for 
> 0. That's why I keep sticking in comments regarding the primary versus 
> the secondary systems.
> 
> Here is what you said:
> 
> "I now have the following setup:
> 
> Dom0 P4-based server with approx 450 gigs of RAID-5 storage in one big
> lvm volume-group alongside .5gig RAID-10 swap and RAID-1 / partitions
> (spread over 4 disks). I know it's a monster for a home server, but
> hey, it's mine-all-mine, baby!
> 
> Okay, Dom0 is on the LAN and serves up music, video, photos and pulls
> backups (rdiff-backup with password-less login) from the other
> machines on my LAN. 
> 
> I have two DomUs. DomU1 is my firewall running a standard 3 interface
> shorewall installation and dhcp/dns for the LAN. My net interface is
> brought up directly in the DomU by hiding it from Dom0
> (pciback-hide). It gets ip from my cable modem. My loc interface is
> bridged with eth0 in Dom0 to put the server (bigmomma) and my local
> machine all on the same subnet (192.168.1.0). My DMZ interface is a
> "phantom" bridge connecting DomU1 (firewall) to DomU2 (mail). That's
> the hard part, getting that bridge configured. DomU2 is my mail server
> and uses fetchmail to pull mail from various accounts, processes it
> through clamav, and spamassassin finally dumping it to individual
> users procmail recipes for storage in maildirs and served up by
> dovecot imap. "

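The "phantom" DMZ bridge described in the quoted setup, the bridge that connects only DomU1 (firewall) and DomU2 (mail) and has no physical port, is the piece the poster calls the hard part. Below is an added worked example, not code from the mail or from the poster: it creates such a bridge in dom0, prints the Debian ifupdown stanza that recreates it at boot, emits the matching Xen 3 "xm" config lines for both guests, and, the check a practitioner wants, verifies from sysfs that the bridge carries nothing but Xen vifs (no NIC, no dom0 interface), since any non-vif port would give the mail DomU a path around the firewall. The bridge name xenbr-dmz, the LAN bridge name xenbr0 and the PCI address 01:00.0 for the hidden NIC are assumptions, as is the use of brctl/ip in dom0; run with DRYRUN=1 to see the commands without root.

```shell
#!/bin/sh
# Added example (not from the original mail): build and check a "phantom"
# DMZ bridge on a Xen dom0, i.e. a Linux bridge with no physical port that
# only ever carries the vifs of the firewall DomU and the mail DomU.
# Assumptions: bridge name xenbr-dmz, LAN bridge xenbr0, brctl/ip present in
# dom0, Xen 3 "xm" config syntax. Set DRYRUN=1 to print commands instead of
# running them.

BRIDGE=${BRIDGE:-xenbr-dmz}
SYSNET=${SYSNET:-/sys/class/net}

run() {
    if [ -n "$DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the bridge with STP off and no enslaved interface. dom0 gets no
# address on it, so the only way off this segment is through the firewall DomU.
make_phantom_bridge() {
    br=$1
    run brctl addbr "$br"
    run brctl stp "$br" off
    run ip link set "$br" up
}

# Debian ifupdown stanza that recreates the same bridge at boot;
# 'bridge_ports none' is what makes it a port-less bridge.
phantom_bridge_stanza() {
    cat <<EOF
auto $1
iface $1 inet manual
    bridge_ports none
    bridge_stp off
EOF
}

# Return 0 only if every port enslaved to the bridge is a Xen vif (vifN.M).
# A NIC or a dom0 interface on this bridge would bypass the firewall DomU.
# $2 (default /sys/class/net) lets the check run against a constructed tree.
bridge_is_phantom() {
    br=$1; sysnet=${2:-$SYSNET}
    [ -d "$sysnet/$br/brif" ] || return 1
    for port in "$sysnet/$br/brif"/*; do
        [ -e "$port" ] || continue          # empty bridge: glob did not expand
        case $(basename "$port") in
            vif*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# xm config lines that hang the two guests on the bridge. The firewall DomU
# also gets the hidden NIC (pciback) and the LAN bridge; the mail DomU gets
# the DMZ bridge only.
domu_vif_lines() {
    case $1 in
        firewall)
            echo "pci = [ '01:00.0' ]"      # assumed BDF; take it from lspci
            echo "vif = [ 'bridge=xenbr0', 'bridge=$BRIDGE' ]" ;;
        mail)
            echo "vif = [ 'bridge=$BRIDGE' ]" ;;
        *) return 1 ;;
    esac
}

# Only acts when invoked directly as phantom_bridge.sh (as root in dom0).
if [ "${0##*/}" = "phantom_bridge.sh" ]; then
    make_phantom_bridge "$BRIDGE"
    phantom_bridge_stanza "$BRIDGE"
    domu_vif_lines firewall
    domu_vif_lines mail
    bridge_is_phantom "$BRIDGE" && echo "$BRIDGE carries vifs only"
fi
```

After both guests are up, `bridge_is_phantom xenbr-dmz` should see exactly two vif ports; if it fails, something other than the two DomUs has been enslaved to the DMZ bridge and the "traffic must pass the firewall" assumption no longer holds.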