[CentOS] How to organize your VMs

Tue Apr 13 17:15:33 UTC 2021
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On 4/13/21 11:48 AM, Roberto Ragusa wrote:
> On 4/10/21 6:13 PM, Nicolas Kovacs wrote:
>> I'd be curious to have your input, since I'm fairly new to this sort 
>> of approach.
> I would only separate things that for some reasons are "dirty", e.g.
> require non-packaged installation.
> All the rest (like bind, postfix, dovecot) can happily live in the same
> machine.
> Splitting things too much will increase the maintenance effort, every
> stupid detail like new kernel installation, clock syncing, log rotation,
> security patching, etc. gets duplicated. Not to mention the need to now
> maintain a network connecting the pieces.

This is where what I do in jails on FreeBSD is different from what you 
describe. All jails in FreeBSD have the same base system. Thus, no extra 
overhead for the base system: it is updated for all jails in a single go.

Separate jails have only what is necessary for the particular jail. 
Therefore, I only put in the same jail "inseparable" things (e.g. mailman 
has to have a web interface and postfix or sendmail, so this is the minimal 
sufficient bundle that has to be together). Services that do not have to 
live in the same jail run in different jails. The separation of services 
into different jails brings a lot of convenience:

1. If service "a" has to be worked on, only other services living in the 
same jail may potentially be affected, nothing else.

2. If service "a" and service "b" need incompatible dependencies, there 
is no problem when they run in different jails.

3. If you do an upgrade (as in an upgrade of the base system), you can 
upgrade one jail at a time, hence it is a much smaller set of things that 
has to be dealt with as a result of the upgrade; the latter helps to 
diminish the downtime of every service caused by the upgrade.

4. Suppose you have a compromise (no one is guaranteed against that) that 
came through some service; then only that jail is affected, and there is 
no mess the bad guys can do to other services.

5. And one more important thing: the base system in a jail is mounted 
read-only: any mess due to a compromise does not affect the base system of 
the jail (or of any of the jails).

And the list can continue.

I hope experts in Linux virtualization will chime in and outline how 
something similar (a read-only base common to all virtual systems, etc.) 
can be done with one of the Linux virtualization solutions, because I'm 
certain it must be possible. And I for one would love to learn about that.

I hope this helps.

> Same considerations when using containers instead of VMs, you only gain
> some performance by not dragging entire kernels for each service.
> Start by isolating the service that is giving you most troubles.
> Then with a bit of experience, you can evaluate if proceeding along that
> road.
> Best regards.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
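The shared read-only base that Valeri describes above can be expressed in FreeBSD's jail.conf(5). The following is an added example written for this page, not configuration posted by anyone in the thread; it assumes the base system was installed once under /jails/base, that each jail's writable directories live under /jails/skel/<name> and are reached through a "skeleton" mountpoint plus symlinks prepared in the base, and that the interface and addresses are placeholders.

```conf
# Added example (not from the thread). Assumed layout:
#   /jails/base        - one base system, updated once for all jails
#   /jails/skel/<name> - per-jail writable etc, usr/local, var, root, tmp;
#                        the base carries symlinks such as etc -> skeleton/etc
#   /jails/<name>      - mountpoint that becomes each jail's root

# Defaults inherited by every jail below
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

path = "/jails/$name";
host.hostname = "$name.example.org";   # placeholder domain
interface = "em0";                     # placeholder interface

# 1. Shared base, read-only: patching /jails/base on the host updates every
#    jail in one go, and a compromised service cannot alter the base.
mount += "/jails/base $path nullfs ro 0 0";

# 2. Per-jail state, read-write, over the skeleton mountpoint the base
#    provides: this is the only part a service running in the jail can change.
mount += "/jails/skel/$name $path/skeleton nullfs rw 0 0";

# One jail per service (or per "inseparable" bundle); addresses are placeholders
mail { ip4.addr = 192.0.2.10; }   # postfix + mailman web interface together
web  { ip4.addr = 192.0.2.11; }
dns  { ip4.addr = 192.0.2.12; }
```

Because the base mount is read-only, a check such as `jexec mail touch /bin/x` is expected to fail, while writes under /etc or /var land in /jails/skel/mail on the host, which is where any post-compromise clean-up is confined.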