On 09/16/2011 11:11 AM, Ed Heron wrote:
> On Fri, 2011-09-16 at 10:46 -0700, Eric Shubert wrote:
>> ...
>> Now, take all of your ideal logical servers (and the networking which
>> ties them all together), and make them VMs on your host. I've done this,
>> and these are the VMs I presently have (the list is still evolving):
>> .) net (IPCop distro, provides network services, WAN/DMZ/LAN)
>> .) web (DMZ/STOR)
>> .) ftp (DMZ/STOR)
>> .) mail (DMZ/STOR)
>> .) domain control (LAN/STOR)
>> .) storage (LAN/STOR)
>>
>> One aspect that we haven't touched on is network topology. I have 2 NICs
>> in the host, one for WAN and one for LAN. These are both bridged to the
>> appropriate subnet. I also have host-only subnets for DMZ and STORage.
>> The DMZ is used with IPCop port forwarding giving access to services
>> from the internet. The STOR subnet is sort of a backplane, used by
>> servers to access the storage VM, which provides access to user data via
>> SMB, NFS, AFP, and SQL. All user data is accessed via this storage VM,
>> which has access to raw (non-virtual) storage.
>> ...
>
> If I'm understanding you, if you split this out to multiple physical
> hosts, you would need to convert DMZ and STOR from virtual to physical
> segments, increasing the number of required network interfaces in each
> host to 4.

Correct. I have done this with DMZ to provide wireless access (putting a
wireless router on the DMZ).

> Are you concerned that your hosts are connected to WAN without a
> firewall?

I am not concerned. The only machine connected/accessible to WAN is the
IPCop VM. Everything from/to the WAN goes through IPCop.

> I assume you bridge the interface without assigning IP
> address?

Right, there is no IP address (169.254.x.x or 0.0.0.0) on the WAN
interface of the host. The WAN interface on the host is not accessible,
only bridged to IPCop red/wan interface.

> What software do you use for storage? I'd think having the host
> handle integrated storage would be simpler, but, of course, that doesn't
> scale to multiple hosts...

I simply use a Linux host, with NFS, Samba, netatalk and MySQL. Whatever
you prefer would do. Although the host handles the physical I/O, I still
like having a separate storage VM. I think it simplifies things a bit
when it comes to monitoring and tuning, and it's better security-wise
too. I don't think it's a good idea to have any more services than needed
running on the host.

Thanks for the questions. I'm sure I left out a few things. ;)

--
-Eric 'shubes'
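Added example (not part of the thread above, and not Eric's or IPCop's own tooling): a small POSIX shell check for the property Eric relies on, namely that the host's WAN bridge carries no routable IPv4 address, so the only thing reachable from the WAN is the IPCop VM's red interface. The interface names (br-wan, br-lan, virbr-dmz, virbr-stor) and the `ip -o -4 addr show` output are constructed sample data; on a real host replace SAMPLE_ADDRS with the live output of that command.

```shell
#!/bin/sh
# Constructed sample of `ip -o -4 addr show` output for a hypothetical
# virtualization host laid out like the one in the thread: bridged WAN and
# LAN NICs plus host-only DMZ and STOR subnets. Interface names are assumed.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: br-wan    inet 169.254.7.12/16 brd 169.254.255.255 scope link br-wan
3: br-lan    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
4: virbr-dmz    inet 192.168.50.1/24 brd 192.168.50.255 scope global virbr-dmz
5: virbr-stor    inet 192.168.60.1/24 brd 192.168.60.255 scope global virbr-stor'

# Return 0 if interface $1 has no routable IPv4 address in the address
# listing $2 (nothing at all, 0.0.0.0, or only a 169.254.0.0/16 link-local
# address), 1 if it carries anything else. This is the "bridged without an
# IP address" condition for the host's WAN-facing interface.
wan_has_no_ip() {
    iface="$1"
    addrs="$2"
    printf '%s\n' "$addrs" \
        | awk -v ifc="$iface" '$2 == ifc && $3 == "inet" { print $4 }' \
        | sed 's#/.*##' \
        | grep -v -E '^(0\.0\.0\.0$|169\.254\.)' \
        | grep -q . && return 1
    return 0
}

# Print, space-separated, every interface that has a global-scope IPv4
# address, i.e. where the host itself is reachable. On this layout that
# should be LAN plus the host-only gateway addresses, never the WAN bridge.
routable_ifaces() {
    printf '%s\n' "$1" \
        | awk '$3 == "inet" && /scope global/ { print $2 }' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Stand-alone usage: report on the sample data (or on live output when
# SAMPLE_ADDRS is replaced by `ip -o -4 addr show`).
if wan_has_no_ip br-wan "$SAMPLE_ADDRS"; then
    echo "OK: br-wan is bridged with no routable address"
else
    echo "WARNING: br-wan has a routable address; host is exposed to WAN"
fi
echo "Host reachable on: $(routable_ifaces "$SAMPLE_ADDRS")"
```

The link-local 169.254.x.x address is tolerated because some distributions assign one automatically to an interface that is up without static or DHCP configuration; what matters is that no global-scope address exists on the WAN side.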