A little background... A while back, a FreeBSD server (running 7 domains) I had running for 3 years (without reboot) got hacked into over Christmas break. They wiped everything, including most of the logs. I was able to determine that they got in from one of the user accounts. As you could probably tell, no reboot also means being a bit behind on the security patches as well...

Anyways, so the plan with the new server is keeping each domain completely isolated. The plan is a base Solaris install, ZFS on the data drives (utilizing regular snapshots to roll back in case of being hacked), and running each domain as a Xen domU. In order to ensure that each OS gets the benefits of ZFS, I plan on sharing (NFS with ACL) a directory for each OS, and then letting the domUs do NFS-based install (still local machine).

Ideally, the entire OS would be running on ZFS so that I can maintain a minimum amount of downtime with any problems as well as keep administration time to a minimum. IE: regular snapshots, self-healing, etc... However, from what I understand, the dump device can't be on ZFS (I think that is the only one at this point, right?). As such, I was looking at doing a mirrored root for the OS and then ZFS for the data... but, looking online, it seems that not only is this not the most convenient install, but somewhat problematic when issues arise... On top of that, I lose the ability to do the snapshots (etc) for the OS.

I would like some opinions on how best to do this. I am planning on building this machine this week. Here's a basic list of what I am working with:

Asus L1N64-SLI
dual AMD FX-70
4GB memory
2x Addonics AE5RCS35NSA (to assist with downtime)
7x Hitachi Deskstar T7K500 250GB (SATA II)

The plan had been 2x Hitachi for the mirrored root and 5x for raidz2 (planning on expanding as space is needed). I am always busy, so minimal maintenance is priority, with easy (n00b to Solaris administration) install being secondary.
Thanks, Malachi
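As an added example (not from Malachi's post or any reply on the list) of the snapshot-and-rollback routine his plan relies on: a POSIX shell helper that takes dated recursive snapshots of each domain's dataset, prunes old ones, and rolls a domain back to a known-good snapshot. Dataset names such as tank/www/example.org are constructed; set ZFS=echo to dry-run without touching a pool.

```shell
#!/bin/sh
# Snapshot rotation for per-domain ZFS datasets held in dom0.
# Added example, not code from the list thread; dataset and snapshot
# names are constructed. ZFS=echo turns every zfs call into a dry run.
ZFS=${ZFS:-zfs}

# Take a recursive, date-stamped snapshot of one domain's dataset.
# The snapshots live in the dom0 pool, outside the domU's reach, which is
# what makes rolling back after a compromise of that domU possible.
take_snapshot() {
  ds="$1"; stamp="${2:-$(date +%Y-%m-%d)}"
  "$ZFS" snapshot -r "${ds}@${stamp}"
}

# Read snapshot names on stdin (oldest first, as
# `zfs list -H -t snapshot -o name -s creation` prints them) and print
# those belonging to dataset $1 that fall outside the newest $2.
prune_list() {
  ds="$1"; keep="$2"
  grep "^${ds}@" | awk -v keep="$keep" '
    { s[NR] = $0 }
    END { for (i = 1; i <= NR - keep; i++) print s[i] }'
}

# Destroy everything prune_list selects for dataset $1, keeping $2.
prune() {
  "$ZFS" list -H -t snapshot -o name -s creation | prune_list "$1" "$2" |
    while read -r snap; do "$ZFS" destroy "$snap"; done
}

# Roll one domain back to a known-good snapshot. -r also discards the
# snapshots taken after it, i.e. the ones that may carry the intruder's
# changes; pick the snapshot after checking what changed, not blindly.
rollback_domain() {
  "$ZFS" rollback -r "$1@$2"
}
```

Run `take_snapshot tank/www/example.org` from cron for the "regular snapshots" part of the plan, and `prune tank/www/example.org 14` to keep the last two weeks.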
> A little background... A while back, a FreeBSD server (running 7 domains) I had running for 3 years (without reboot) got hacked into over Christmas break. They wiped everything, including most of the logs. I was able to determine that they got in from one of the user accounts. As you could probably tell, no reboot also means being a bit behind on the security patches as well...
>
> Anyways, so the plan with the new server is keeping each domain completely isolated. The plan is a base Solaris install, ZFS on the data drives (utilizing regular snapshots to roll back in case of being hacked), and running each domain as a Xen domU. In order to ensure that each OS gets the benefits of ZFS, I plan on sharing (NFS with ACL) a directory for each OS, and then letting the domUs do NFS-based install (still local machine).

Have you considered using Zones (N1 Grid Containers) instead of Xen?

- Alexander Kolbasov
I had thought about it, but from what I understand that limits the other VMs to Solaris. I have a few different administrators that are going to be running their own OSes (FreeBSD, Linux, possibly Windows), as well as some development ones (like JNode). From what I was able to find, that means that I need to run Xen with the newer AMD-V feature set; thus the reason for the new board and CPUs.

Malachi

On 3/13/07, Alexander Kolbasov <akolb at eng.sun.com> wrote:
> > A little background... A while back, a FreeBSD server (running 7 domains) I had running for 3 years (without reboot) got hacked into over Christmas break. They wiped everything, including most of the logs. I was able to determine that they got in from one of the user accounts. As you could probably tell, no reboot also means being a bit behind on the security patches as well...
> >
> > Anyways, so the plan with the new server is keeping each domain completely isolated. The plan is a base Solaris install, ZFS on the data drives (utilizing regular snapshots to roll back in case of being hacked), and running each domain as a Xen domU. In order to ensure that each OS gets the benefits of ZFS, I plan on sharing (NFS with ACL) a directory for each OS, and then letting the domUs do NFS-based install (still local machine).
>
> Have you considered using Zones (N1 Grid Containers) instead of Xen?
>
> - Alexander Kolbasov
I don't think Solaris dom0 does Pacifica (AMD-V) yet. That would rule out Windows for now.

You can run CentOS zones on SXCR.

That just leaves FreeBSD (which hasn't got fantastic Xen support either, despite Kip Macy's excellent work).

Unless you've got an app that needs that, zones sound like a much saner bet to me.

On 13/03/07, Malachi de Ælfweald <malachid at gmail.com> wrote:
> I had thought about it, but from what I understand that limits the other VMs to Solaris. I have a few different administrators that are going to be running their own OSes (FreeBSD, Linux, possibly Windows), as well as some development ones (like JNode). From what I was able to find, that means that I need to run Xen with the newer AMD-V feature set; thus the reason for the new board and CPUs.

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
On Thu, Mar 15, 2007 at 09:40:27PM +0000, Dick Davies wrote:
> I don't think Solaris dom0 does Pacifica (AMD-V) yet.

Not in any public release. It works in the internal bits.

dme.
Just saw a message on xen-discuss that HVM is in the next version (b60-ish).

On 15/03/07, Dick Davies <rasputnik at gmail.com> wrote:
> I don't think Solaris dom0 does Pacifica (AMD-V) yet. That would rule out Windows for now.
>
> You can run CentOS zones on SXCR.
>
> That just leaves FreeBSD (which hasn't got fantastic Xen support either, despite Kip Macy's excellent work).
>
> Unless you've got an app that needs that, zones sound like a much saner bet to me.
>
> On 13/03/07, Malachi de Ælfweald <malachid at gmail.com> wrote:
> > I had thought about it, but from what I understand that limits the other VMs to Solaris. I have a few different administrators that are going to be running their own OSes (FreeBSD, Linux, possibly Windows), as well as some development ones (like JNode). From what I was able to find, that means that I need to run Xen with the newer AMD-V feature set; thus the reason for the new board and CPUs.
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns
> http://number9.hellooperator.net/

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/