Saturday 9 October 2010

Virtualizing my Internet server

I'm about to start work on a new non-profit website using a content management system so that other people can help to edit the content.  I'm hoping that a VMware-type approach will make this easier...

The basic problem is that an Internet-facing server always brings maintenance hassles:
  • If you don't apply security updates promptly, then sooner or later either the CMS or the OS will be compromised and the site defaced.
  • If you do apply security updates promptly, then sooner or later an update breaks something.
  • If you harden the box, you may get it wrong and lock yourself out.
  • In any case, eventual compromise and defacement is a risk with any CMS, especially when semi-trusted users have accounts on the system (or when trusted users log in from compromised home PCs). For my application, the use of a CMS can't be avoided.
  • If the hardware fails, you're faced with reinstalling everything, not just restoring data from a backup.
What's needed is a quick way to recover the whole server to a known good state, so that the system can easily be rolled back after a failed upgrade, a hardware failure, or a security compromise of the OS or the CMS. So it seems to me that some sort of VM system is the way to go.

Desirable features of a VM system :-
  • Must allow the live VM to be checkpointed, then backed up to a remote server (may be in a cron job). 
  • Must be cheap for my non-profit site.
  • Should allow the live VM to be cloned and used for development (although avoiding an IP address clash with the live VM might be a problem, unless we have enough access to boot the cloned VM into single-user mode and edit one or two config files).
  • Must not expose management services to the network (except perhaps in a limited way, for example SSH with key authentication on a random TCP port) because my server is in a remote datacentre, directly exposed to the Internet.
  • The host & guest OSes need to be easily updated with security patches when necessary.
VMware ESXi looks nice in theory, but it lacks a firewall, and I seem to recall the free version doesn't offer many tools for managing the VM guests.  Another option is VMware Server + Ubuntu LTS server, but VMware Server isn't officially supported on Ubuntu Server 10.04 LTS, only on 8.04. It seems that VMware Server hasn't been updated for a while now.

Other options include Citrix XenServer, Oracle VirtualBox, KVM, Proxmox VE and Parallels Virtuozzo. The first four are free (Proxmox VE is open source, with support subscriptions sold separately); Virtuozzo costs money. I decided to investigate Citrix XenServer.

XenServer seems similar to VMware ESXi - it's a virtualisation appliance - but unlike ESXi, XenServer lets you use the iptables firewall in dom0 to protect the management services. Initial setup of XenServer was quick and painless using the hosting company's automated server deployment tool (see www.kimsufi.co.uk for affordable dedicated servers). Then:
  • Log in as root over SSH, using the password allocated by the Kimsufi installer.
  • Run "netstat -tlnp" (and "netstat -ulnp" for UDP) to see which ports are listening on the Internet-facing address and which process owns each one.
  • Point a web browser at the host's HTTP interface and download/install the management GUI client (Windows only).
  • Check you can log into the management GUI with the root password.
  • Edit the firewall ruleset ("vi /etc/sysconfig/iptables") and block all inbound access except from your authorised management client IP ranges. Keep the SSH session you are editing from open until the new rules are proven, so that a mistake doesn't lock you out.
  • Reload the firewall ruleset: "/etc/init.d/iptables restart".
  • Run nmap port-scans against the box from an authorised and an unauthorised IP address to confirm that the management ports are open to the first and filtered from the second.
So far the box doesn't have an IPv6 address; once it does, /etc/sysconfig/ip6tables needs the same treatment (reloaded with "/etc/init.d/ip6tables restart"), because the IPv4 rules don't cover IPv6 at all.
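The firewall step above, worked through as an added shell example (this is not code from the original post or from Citrix): it generates an iptables-restore ruleset for the dom0 that admits the management services only from named management networks, and audits a ruleset for the two mistakes that matter here, a default-ACCEPT INPUT policy and an ACCEPT for new connections with no source restriction. The port list (SSH on tcp/22, the XAPI/XenCenter interface on tcp/80 and tcp/443) and the documentation-range addresses are assumptions, not taken from the page; check the ports against your own netstat output.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and audits an
# /etc/sysconfig/iptables ruleset for a XenServer dom0 so that management
# services answer only to named management networks.
#
# Assumptions (not from the page): the management services are SSH (tcp/22)
# and the XAPI/XenCenter HTTP(S) interface (tcp/80, tcp/443). Adjust
# MGMT_PORTS to match what "netstat -tlnp" shows listening on your host.

MGMT_PORTS="22 80 443"

# gen_ruleset CIDR... : print an iptables-restore(8) ruleset that drops all
# inbound traffic except replies, ping, and the management ports from the CIDRs.
gen_ruleset() {
    if [ $# -lt 1 ]; then
        echo "usage: gen_ruleset CIDR [CIDR...]" >&2
        return 1
    fi
    # FORWARD is left ACCEPT on purpose: guest traffic crosses the Xen bridges
    # and, where bridge netfilter is enabled, would otherwise be dropped here.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for cidr in "$@"; do
        for port in $MGMT_PORTS; do
            printf '%s\n' "-A INPUT -s $cidr -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Log what the DROP policy discards, so a lock-out is diagnosable from the console.
    cat <<'EOF'
-A INPUT -j LOG --log-prefix "dom0-drop: " --log-level 4
COMMIT
EOF
}

# audit_ruleset : read a ruleset on stdin; succeed only if INPUT defaults to
# DROP and every rule that ACCEPTs new connections carries a -s restriction.
audit_ruleset() {
    rules=$(cat)
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "audit: INPUT policy is not DROP" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -- '--state NEW' | grep -- '-j ACCEPT' | grep -qv -- ' -s '; then
        echo "audit: ACCEPT for new connections without a source restriction" >&2
        return 1
    fi
    return 0
}

# probe_mgmt_ports HOST : the nmap check from the procedure above. Run it once
# from an authorised address (ports should be open) and once from anywhere
# else (ports should be filtered). Not called below; it needs network access.
probe_mgmt_ports() {
    nmap -Pn -sT -p "$(echo $MGMT_PORTS | tr ' ' ',')" "$1"
}

# Stand-alone demonstration with constructed (documentation-range) addresses.
gen_ruleset 203.0.113.0/24 198.51.100.7 | audit_ruleset && echo "generated ruleset passes audit"
```

Install it with `gen_ruleset <your CIDRs> > /etc/sysconfig/iptables` followed by `/etc/init.d/iptables restart`, but keep the SSH session you are working in open and confirm from a second session (and with `probe_mgmt_ports` from both an authorised and an unauthorised address) before closing it: a ruleset that passes the audit can still omit the address you are actually connecting from. The audit says nothing about IPv6; once the host has an IPv6 address, /etc/sysconfig/ip6tables needs an equivalent ruleset.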

It would be nicer to route management traffic through a VPN, but restricting access by IP address is probably good enough to be going on with. But I will just run Wireshark tomorrow to check that the Windows management GUI client doesn't pass traffic in the clear.

OK, so now the VM host management services are hidden from the public internet. Tomorrow I'll try using the GUI to build a VM guest.

Update: it turns out that the free XenServer license expires after 12 months, after which it needs to be renewed; otherwise my VMs won't come back up if the host server reboots for any reason. So in effect, XenServer's free edition has an automatic 12-monthly denial-of-service feature. Furthermore, if Citrix ever decided to discontinue license renewals, then my VMs would be dead in the water. Commercial licenses for XenServer cost $1,000 for the first year alone, so that's not an option for our non-profit site. So, no point wasting any more time with Citrix products: I'll look elsewhere.
