Re: Which virtualization is the best for Debian?
On Thu Jan 14, 2010 at 19:32:16 +0700, Sthu Deus wrote:
> I want to separate diver services and make NAT to them - so that
> it be more secure in case if one of them will be hacked - I still
Right so you want a host which has a public IP (or more than one)
and each guest will have private IPs on separate ranges, such that
they cannot talk to each other?
That sounds like a good setup.
If you're going to assume that a machine will be hacked, and then
assume a kernel bug will come into play on one of the guests that
strongly suggests you want to ensure that they aren't sharing a
single kernel - ie. Don't choose vserver.
> I know that KVM offers much less respond comparing w/
> vserver. How about Xen? Can I turn the guests on/off on the fly?
Both Xen and KVM will let you start/stop guests independently of
each other.
KVM works as a process, so you just stop it.
Xen has a lot of magic behind the scenes, but ultimately you can
do things like list the running guests with "xm list", start one
that is stopped with "xm create blah.cfg" and stop a running one
with "xm shutdown blah".
> I want them to use for email, web, and do not know if proxy
> is any worth of to put in separate guest? - Nothing special.
Probably not worth the overhead I'd have thought; historically the
common squid proxy has had a good security record.
> Ok, what is the best here (relating for my tasks)? - If any
> had experience w/ several of them?
Best is still going to be a personal preference. I'd choose KVM,
then Xen, then vmware then vserver.
> Why nobody says about packaging problem in Debian, net
> interfaces at guests turning off?!
If you use something like Xen/vmware/kvm you'd not concern yourself
with the interfaces. Instead you'd shut down a guest if you wanted it
to be unreachable and disabled.
Leaving it running but dropping the traffic would work, but it would
be an odd thing to do. (e.g. it would still run cronjobs and try to
send email, etc.)
> I guess that KVM takes a lot of overload comparing w/ vserver -
> for example spam filtering, virus scanning.
It will take overhead, yes. But not a lot.
Certainly a virtual KVM guest can handle spam filtering just fine,
assuming your setup is sane. (ie. Make lightweight tests before the
heavier ones.)
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/