[CentOS-virt] xen setup documentation for centos?

Mon Jun 2 17:01:45 UTC 2014
lee <lee at yun.yagibdah.de>

Nico Kadel-Garcia <nkadel at gmail.com> writes:

> On Sun, Jun 1, 2014 at 8:45 PM, lee <lee at yun.yagibdah.de> wrote:
>> Hi,
>>
>> what is the proposed way to create domU guests on centos 6.5?  At first
> [...]
>>
>> Then I followed redhat documentation which suggests to use virt-manager
>> --- which doesn`t work because servers don`t have GUIs.  So I finally
>> managed to create a guest with virt-install.  I can start and stop the
>> guest (which is also running centos), though I don`t think this is the
>> right way to create one.
>>
>> So how exactly are you supposed to create guests?
>
>
> Servers *can* have GUI's. Even if you don't want to install the full
> Gnome/KDE/display manager toolkits, it's possible to set up enough to
> run X based applications form another host.

Yes, they /can/, and IMO a server shouldn`t have and shouldn`t need one.

> And virt-manager can be run from a client, with authenticated access
> to the libvirt server, though I've generally not done that.

Yes, I tried that and it didn`t work.

> If you don't want to bother with that, you'll need to learn 'virsh',
> which is the actual tool that libvirt uses to do almost everything.

That`s what I`m using now.  Is virsh what centos users are supposed to
use?  The documentation on the xen project wiki seems to indicate that
xen users are supposed to use xl.

> [...]
>> Do I have to set up shorewall (or the like) on dom0 to be able to handle
>> network access for guests?  Would I need to create a bridge for every
>> guest to be able to handle them separately for firewalling purposes
>> because otherwise packets circumvent firewall rules by directly going
>> over the bridge?  If so, why are bridges needed?
>
> You need to pick. One approach is to set up a bridged connection with
> one VM, with a second localized VLAN connection,

How do you make such a localised connection?

In this case, the VM with the firewall needs to have access to an
ethernet interface to do pppoe, a second interface to the LAN and to a
third one for a DMZ.  The VM with the firewall will be on the same
physical host as the VMs in the DMZ.  There will also be VMs in the LAN
on the same physical host.

This seems to require three bridges, and the firewall VM would need
access to all of them, unless the dom0 is doing some of the routing.
How do you enable access to several bridges for a VM?

ATM, I`m trying to understand how this networking stuff with bridges
basically works.

> and run shorewall or other firewalls on that VM to manage connections
> to the rest of the VM's. This leaves your bandwidth trapped at the
> capacity of that firewall VM, but it's not an uncommon soluiton,
> especially when running complex firewalls and/or proxies in small
> environments.

Hm, I never thought of that.  What kind of limit do I have to imagine?
For external connections, the highest bandwidth is 1GB LAN.  So a
limiting factor for internal connections is probably much more
important, like a VM accessing a database running in another VM.  The
database will probably be so small that it can be kept mostly in memory,
so disk access won`t slow things down much.

How much information does the host system have available about the VMs
for scheduling purposes?  Like when there is a VM for
firewalling/routing, a VM with a database and another VM with an
application accessing the database, all three VMs need resources.  Delay
any of them or give them resources at the wrong moment, and in the end
performance will be diminished.

Suppose each of the three VMs has one CPU assigned, and more CPUs are
physically available while other VMs happen to be idle.  So three CPUs
are busy and another five CPUs remain idle so that they are available
just in case one of the idle VMs needs to do something?  Or will they be
used to speed up the running VMs?

Are there situations in which overcommitment of CPUs is advisable?  Like
when I have 8 CPUs and 4 VMs, I could assign 2 CPUs to each VM.  But
when I can expect that 95% or so of the time 2 VMs will be idle when 2
others are running, won`t I be better off to assign 4 CPUs to each VM?
Or is this done automatically, and the number of CPUs specified for a VM
is only a minimum?

> Whether you need bridges then depends on where your firewall is. If it
> lives on another host on your network, yes, your guests need bridges.
> If it's on a VM with two connections, as I described above, it's
> potentially much easier to set up on a single firewall VM. But
> migrating the firewall among multiple VM servers means establishing,
> and maintaining, a multiple VM server internal network, and if doing
> that, *THOSE* might mandate bridges.

Moving is another thing I haven`t thought about yet.  It`s not a
requirement in this case, though it would be a good option to have.

How do you deal with memory overcommitment?  Suppose I set up a VM that
does the firewalling and routing.  Memory requirements for this are low.

I also want to use squid (2.7), with a fairly large cache and url
rewriting (which hasn`t been ported to 3.x yet).  That requires memory
(and file I/O).

I also need a file server.

So what do I do?  Use one VM for firewall, one for squid, one for a file
server that also provides squid with its cache?  Or run the file server
directly on the host?  Or run firewall and squid in the same VM and give
this VM some more memory?  Or don`t use the file server to supply squid
and keep the cache in the same VM squid runs in, perhaps giving it even
more memory?

I could also have the firewall in it`s own VM (which might be a good
idea due to security) and use another VM for the routing and to run
squid, an MTA and other basic services which are accessible from the LAN
only.  Hm, this actually makes the most sense to me.  But then, what do
I do with the web server?

What is good practise?

>> I would understand doing things like adding those guests that are
>> visible to the LAN only to the same bridge to have them all reachable
>> likewise.  When doing that, it would seem to make sense to use a
>> different subnet for guests in the DMZ.
>
> It Depends(tm).

Depends on? ;)

>> All the documentation tells you many different things, none of them work
>> and it`s totally confusing.  Is there any /good/ documentation
>> somewhere?
>
> I suggest what you need to accomplish first. Do you have, or want to
> build, firewalls? Are you isolating DMZ hosts or public facing
> webservers that need heightened isolation and security?

Well, I don`t really want to build firewalls; having one is merely a
requirement, and being able to do some traffic shaping can be nice.  I`m
running a web server which is reachable from the outside (on a
non-default port, so it`s not exactly public) and needs to be isolated,
and I`m running an MTA.  I`m thinking about adding IMAPs so clients can
get their mail through that.

How isolated does a web server need to be?  I`m thinking of adding some
game servers in their own VM later on, too.  But CPU and memory are
limited resources ...

Since I need to start somewhere, what needs to be accomplished is
probably something like this:


dom0
        use that as file server directly, or use a VM as file server?

dom1
        pppoe, firewall

dom2
        dns, router, squid, MTA, IMAPs, perhaps DHCP

dom3
        webserver
        game server(s)
        mumble server

dom4
        internal use (like distcc, a multi-user X server for clients to
                connect to, experimentation ...)
        mysql server


The server has 2x4 CPUs and 8GB of RAM.  Unless something speaks
against it, I`d prefer to use dom0 as file server because it seems
easier to set up, with direct access to the storage volume.

As to resources:

|------+------------------------------+-----------+------------|
| dom  | RAM                          | CPUs      | scheduling |
|------+------------------------------+-----------+------------|
| dom0 | how do I assign memory here? |           | ++         |
| dom1 | 512--768 MB                  | 1 CPU     | -          |
| dom2 | 2GB?                         | 1 CPUs    | -          |
| dom3 | 2GB?                         | 1--3 CPUs | =          |
| dom4 | 4GB?                         | 3--5 CPUs | =          |
|------+------------------------------+-----------+------------|
| 5    | 9GB                          | 8 CPUs    | ==         |
|------+------------------------------+-----------+------------|

The file server would run on dom0.  What should I set for dom0_mem?
1--4GB?

Dom4 doesn`t need to be up all the time.  From what I`ve been reading,
you can overcommit memory and it`s a bad idea to overcommit CPUs.

It it better to give VMs less memory (to some point) and let them use
their swap files, or is it better to give them a bit more and
overcommit in total (to some point) so that dom0 may swap?

It also seems that scheduling means that VMs /can/ get more time when
they need it and don`t get it when not.  How does that interfere with
CPU assignments?

The VMs only need to sustain a very low minimum throughput because
usage will be more like short-term spikes on one or another.  Would it
make sense to overcommit CPUs in this szenario?

Does this make sense or should I do things differently?


-- 
Knowledge is volatile and fluid.  Software is power.