On 2/23/06, Michael Best <mbest at pendragon.org> wrote: > > > I documented the experiences I had with Xen-unstable (pre-3.x) at: > http://www.pendragon.org/mywiki/Xen > > It's mostly the same for Xen 3.x > > There is also this page where we did a bit of work and recompiled glibc > for Centos 4.2. > > http://www.karan.org/blog/index.php/2005/12/06/xen3_on_centos4 Thanks, will study these and get back. Feel free to ask me any questions, I will try to answer what I know. > My query to the Xen List was: I have a small network with an IPtables firewall with a DMZ and a Lan Server subnets. There are four servers on Lan & one on the DMZ. DMZ uses centos 4.2, PIII 550 MHz, 256 MB RAM, no X/GUI, is connected to a 512 kbps adsl broadband & provides name based apache, mail server based on qmailtoaster.com, djbdns server, yum for upgrading, php, perl, mysql & postgresql etc. The DMZ server is having a private ip address and services are port-forwarded/natted from the main iptables firewall. It has a single 40 GB HDD using LVM2. What I want to do is to virtualise each of the services into a seperate Xen OS instance, with iptables firewalling of its own. Two outcomes are wanted...1. in case of a compromise of a server through any of the services, the penetration is limited to that instance of the OS/Service and 2. I want to put another server on the same subnet in the DMZ and want to implement an expeditious failover using rsync (not instantaneous...as I don't think I have the either the budget or the expertise to do that...or maybe I am just plain scared to attempt it). Later, I want to do the same to services on the LAN. My questions are: Most Important: Is Xen ready for Production deployments? Availability of many Xen hostings seem to be positive but nerthless...what's the situation? Pros/Cons? Would that require a very experienced Sysadmin who can patch & test kernel umpteen times? 1. Is Xen virtualization good from the point of security, if I do not expose any services except for ssh and that too from the internal network, on the host OS. The guest OS will again be firewalled and will expose only one service which it is providing, in addition to ssh for management. In some cases apache may be needed for management, in that case the apache access will be restricted from one or two management computers. What are the issues I need to study? Various Pros & Cons? 2. If I get Xen hosting from a hosting provider on a fast network, can I simply migrate my guestOS (domU...I think you guys call it?) to them...this can relieve me of management every time I implement changes/upgrades? Any issues in this? 3. My needs are secure small biz intranet/extranet/mail/dns/ftp server & database usage, all in seperate Xen Guest OS & firewalled from even each other, except for web-server, which would require one port to access the database Any issues on this? Would PIII 550 MHz with 256 or 512 MB Ram be enough? 4. What are pen-tester's views of Xen? Tried to search but could not find much in first few minutes. Maybe Xen is too new or I need to search better & I intend doing so. 5. My readings conflict about one issue...Xen Host kernel needs to be patched. What about the guest kernel. One post I read suggested it need not be patched because of some code borrowed from qemu and improved upon thereafter...some seem to say guest kernel needs to be patched. 6. I plan on exclusively using Centos...both as a host OS & a guest OS, but I don't want to go in for custom kernal compilation, every time Xen updates or CentOS kernel updates. Any packaged rpms available anywhere? that I can simply use with yum from my local yum repository? Any other issues I need to look into, given my above use-case scenario? Budget: Shoe String/ Expertise: Medium..can compile softwares if instructions are there but no programming/patch creation capability. Understand technical issues and administer my own linuses though am a business person. Please help...criticism, advise, warnings from pros & oracles wanted/welcome ;-) With best regards. Sanjay. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20060223/05d681c1/attachment-0002.html>