Hi all,

My idea is to build a server with one of the following approaches:

 ---------------------
| Dom0 (fw, dns, ntp) |
 ---------------------
| Dom1 (smtp)         |
 ---------------------
| Dom2 (http)         |
 ---------------------

or

 ---------------------
| Dom0                |
 ---------------------
| Dom1 (fw)           |
 ---------------------
| Dom2 (dns, ntp)     |
 ---------------------
| Dom3 (smtp)         |
 ---------------------
| Dom4 (http)         |
 ---------------------

My question is:

Is it recommended to create a separate VPS for the services I want to build in Dom0 (firewall, dns and ntp) and leave Dom0 for xen management purposes? So... what approach is recommended, the first or the second? Why?

I have two NICs in the physical box, and my idea is to use one of them for the services (DMZ) and another one for management purposes only (LAN).

--
Thanks,
Jordi Espasa Clofent

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
It makes sense to run *nothing* other than sshd in Dom0, IMHO.

--
-- Tom Mornini, CTO
-- Engine Yard, Ruby on Rails Hosting
-- Support, Scalability, Reliability
-- (866) 518-YARD (9273)

On Jun 14, 2007, at 2:02 AM, Jordi Espasa Clofent wrote:

> Hi all,
>
> My idea is to build a server with one of the following approaches:
>
>  ---------------------
> | Dom0 (fw, dns, ntp) |
>  ---------------------
> | Dom1 (smtp)         |
>  ---------------------
> | Dom2 (http)         |
>  ---------------------
>
> or
>
>  ---------------------
> | Dom0                |
>  ---------------------
> | Dom1 (fw)           |
>  ---------------------
> | Dom2 (dns, ntp)     |
>  ---------------------
> | Dom3 (smtp)         |
>  ---------------------
> | Dom4 (http)         |
>  ---------------------
>
> My question is:
>
> Is it recommended to create a separate VPS for the services I want to
> build in Dom0 (firewall, dns and ntp) and leave Dom0 for xen
> management purposes? So... what approach is recommended, the first
> or the second? Why?
>
> I have two NICs in the physical box, and my idea is to use one of them
> for the services (DMZ) and another one for management purposes only
> (LAN).
>
> --
> Thanks,
> Jordi Espasa Clofent
Jordi Espasa Clofent
2007-Jun-14 17:00 UTC
Re: [Xen-users] Recommended multi-server approach
> It makes sense to run *nothing* other than sshd in Dom0, IMHO.

Ok. But why?

--
Thanks,
Jordi Espasa Clofent
Jordi Espasa Clofent
2007-Jun-14 17:03 UTC
Re: [Xen-users] Recommended multi-server approach
>> It makes sense to run *nothing* other than sshd in Dom0, IMHO.
>
> I agree with you.
>
> What about the memory for each DomU?

Depends on the service and how loaded it is. I think that services like ntp or dns require a little bit of RAM, but http or database services will need more.

--
Thanks,
Jordi Espasa Clofent
On Jun 14, 2007, at 10:00 AM, Jordi Espasa Clofent wrote:

>> It makes sense to run *nothing* other than sshd in Dom0, IMHO.
>
> Ok. But why?

Because you don't need to. :-)

Better to keep it pristine. Upgrade and such will be easier.

And, if there are ever any *issues* with the services, those issues will have zero effect on everything else.

--
-- Tom Mornini, CTO
-- Engine Yard, Ruby on Rails Hosting
-- Support, Scalability, Reliability
-- (866) 518-YARD (9273)
On Thu, 14 Jun 2007, Tom Mornini wrote:

> On Jun 14, 2007, at 10:00 AM, Jordi Espasa Clofent wrote:
>
>> > It makes sense to run *nothing* other than sshd in Dom0, IMHO.
>>
>> Ok. But why?
>
> Because you don't need to. :-)
>
> Better to keep it pristine. Upgrade and such will be easier.
>
> And, if there are ever any *issues* with the services, those issues will have
> zero effect on everything else.

which is one of the two arguments in my head. Stability and security.

By moving as much as you can into the domUs, you theoretically keep dom0 more stable... and since crashing dom0 crashes everything, you want dom0 to be rock solid.

The same argument applies to security. If there are no applications in dom0, then there are fewer possible security holes (reduced footprint). In theory it's difficult to break into dom0 from a domU, but simpler to compromise a domU from dom0.

There may be situations where performance runs counter to these arguments (drbd?).

-Tom
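
[Added example, not part of any poster's message.] One way to check a dom0 against the advice in this thread (nothing but sshd in dom0, reachable only on the management NIC) is to audit its listening sockets. The function names, the use of iproute2 `ss`, the management address 192.0.2.10 and the sample lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Policy from the thread: dom0 runs only sshd. Assumed here: sshd should be
# bound to the management NIC only (MGMT_ADDR is a documentation address).
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10}"
ALLOWED_PROC="${ALLOWED_PROC:-sshd}"

# audit_listeners: read `ss -H -tulpn` output on stdin, print one finding per
# socket that violates the policy. Exit status 0 = clean, 1 = findings.
audit_listeners() {
    awk -v mgmt="$MGMT_ADDR" -v ok="$ALLOWED_PROC" '
    {
        # Field 5 is the local endpoint; split at the last colon so that
        # IPv6 addresses such as [::]:22 are handled.
        port = $5; sub(/.*:/, "", port)
        addr = $5; sub(/:[^:]*$/, "", addr)
        # Process name is the first quoted string in users:(("name",pid=..)).
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        if (proc != ok) {
            printf "UNEXPECTED %s %s:%s (%s)\n", $1, addr, port, proc
            bad = 1
        } else if (addr != mgmt) {
            printf "EXPOSED %s %s:%s (%s not limited to %s)\n", $1, addr, port, proc, mgmt
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: a dom0 that also hosts dns and ntp (the first layout
# in the original question), with sshd listening on every interface.
sample_ss_output() {
cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("named",pid=640,fd=512))
tcp LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=640,fd=21))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=700,fd=16))
EOF
}

# Live use on a real dom0 (root is needed for ss to show process names):
#   ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -H -tulpn | audit_listeners
fi
```
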
Jordi Espasa Clofent wrote:

>>> It makes sense to run *nothing* other than sshd in Dom0, IMHO.
>>
>> I agree with you.
>>
>> What about the memory for each DomU?
>
> Depends on the service and how loaded it is. I think that services
> like ntp or dns require a little bit of RAM, but http or database services
> will need more.
>

Backup operations: LVM imaging of DomU allows backups to occur against the LVM snapshot, and vastly improves backup performance.