
Thread: KVM Architecture

  1. #11
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: KVM Architecture

    what kind of power (CPU) do you intend to use/think you will need?

    I was thinking of setting up something similar. I see FreeNAS has jails while many use vbox to add these virtual servers. though I am a bit worried that kind of setup will be outside my price range

    even though it doesn't seem to be too demanding to run these specialised servers (bitnami stack, turnkey Linux) etc. on lower end hardware. they actually run quite well on my low end desktops... I never put them under any serious load though.
    Read the easy to understand, lots of pics Ubuntu manual.
    Do i need antivirus/firewall in linux?
    Full disk backup (newer kernel -> suitable for newer PC): Clonezilla
    User friendly full disk backup: Rescuezilla

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: KVM Architecture

    Quote Originally Posted by Marty_Grove View Post
    Thanks again, Fu. Good blog article. One more question though (if I may)....

    You mentioned in your last message to "not allow any internet facing services on the hostOS". I'd like some more info on how to harden the host OS when running VM's, but I'm particularly curious why the host OS is especially vulnerable to malicious activity. Is the host OS more vulnerable when running VM's (e.g. via KVM) than, say, running a single Ubuntu Server instance without KVM installed? Maybe the need for some type of DMZ is required for externally-facing ports to the Internet?

    If you have any recommended reading on the security issues of the host OS, please share a link or two. I'd appreciate it.

    Thanks again,
    Marty
    Thanks. I write and present about virtualization a bunch. You might find a step-by-step presentation I did for beginning KVM + libvirt + virt-manager - I'd have to google to find it myself.

    No, the hostOS is not more vulnerable - it is just that if they hack that, then every guestOS is "owned" too. Security experts have learned over the years that placing non-complementary services on the same host leads to extra complexity. Extra complexity leads to mistakes. It is generally accepted to
    * put 1 service on every VM
    * don't have ANY public facing services available to the internet - actually, it is best to have the hostOS on a different LAN than where the internet access is provided to guests.
    * only allow services that absolutely must be on the internet access from the internet. Best to force a VPN whenever possible, especially for any hard-to-secure services (like anything written in PHP).

    So - if we put 1 service on a host - then KVM is that service for the hostOS. Done. Move on to others and put them inside a VM. A case can be made that storage (AoE, iSCSI, NFS) are special, so allowed. Just be certain they are not accessible on the public facing network if you must put them on the KVM hostOS.

    As to security hardening - there are thousands of tiny things to be done on every host after creating a secure network first. DMZ? Not for a home user. It is just a bad idea, since home users tend to put an entire open machine there, which is always a bad idea. Use router filters, port forwards to open pin-pricks into the non-secure side of a network.

    For reading, I like Bob Toxen's book and the Practical UNIX and Internet Security by Garfinkel.
    I'll include my signature which has links for more security stuff. Lots of good options online.
    Don't forget about joining your local DefCon and OWASP groups too. We eat, sleep, dream, about security.

    Security is hard. Get a process, follow it, improve it, and automate as much of it as you can. I like Ansible for that aspect. I'm constantly improving the playbooks here for bringing up new servers. http://blog.jdpfu.com/2014/02/28/1st...es-on-a-server

    Oh and don't forget to have a little fun too.
    Last edited by TheFu; August 28th, 2014 at 03:15 PM.
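An added example, not part of the post above or of any project it mentions: one way to check the "no public facing services on the hostOS" rule is to audit the host's listening TCP sockets from `ss -H -tlnp` output. The sample output, the trusted network ranges and the function names are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tlnp` output from a hypothetical KVM host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1410,fd=6))
LISTEN 0 64 10.20.0.5:2049 0.0.0.0:*
LISTEN 0 511 203.0.113.10:80 0.0.0.0:* users:(("apache2",pid=2001,fd=4))
LISTEN 0 128 127.0.0.1:5900 0.0.0.0:* users:(("qemu-system-x86",pid=3050,fd=12))
LISTEN 0 128 [::]:16509 [::]:* users:(("libvirtd",pid=900,fd=11))
"""

# Assumption: the only networks the host may serve on are a private
# management/storage LAN and the libvirt NAT bridge.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.20.0.0/24", "192.168.122.0/24")]


def split_addr(local):
    """Split ss 'Local Address:Port' into (ip string, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host == "*":                        # ss shows dual-stack wildcard as '*'
        host = "0.0.0.0"
    return host, int(port)


def audit(ss_output, trusted=TRUSTED_NETS):
    """Return (port, process, reason) for listeners outside the trusted nets."""
    findings = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "LISTEN":
            continue
        host, port = split_addr(f[3])
        proc = f[5].split('"')[1] if len(f) > 5 and '"' in f[5] else "?"
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            continue  # not reachable from any network
        if ip.is_unspecified:
            findings.append((port, proc, "wildcard bind, reachable on every interface"))
        elif not any(ip in net for net in trusted):
            findings.append((port, proc, f"bound to {ip}, outside the trusted networks"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS):
        print(f"tcp/{port:<6} {proc:<10} {reason}")
```

On a real host, feed it the output of `ss -H -tlnp` run as root and set `TRUSTED_NETS` to the LAN the hostOS actually lives on; storage listeners such as NFS pass only when bound to that LAN.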

  3. #13
    Join Date
    Aug 2014
    Beans
    8

    Re: KVM Architecture

    Quote Originally Posted by mastablasta View Post
    what kind of power (CPU) do you intend to use/think you will need?
    I'm planning on going with the configuration I've been discussing with Fu (Ubuntu Host OS and a single VM running under KVM) on to an 8-core box that I have. For starters I was looking at dedicating 4 cores to the host OS and 4 cores to the VM. Over time I may need to add additional VM's, and I'll divvy up the cores appropriately. Memory on this machine is at 16GB; I'll most likely increase that in the near future. My current file server is running fine with 4GB memory, so I would expect it to continue merrily along with 8GB on the new machine.

    Marty

  4. #14
    Join Date
    Aug 2014
    Beans
    8

    Re: KVM Architecture

    Again, excellent post Fu.

    I'm planning on getting a start on this new box with the KVM configuration this weekend. And if any more questions come up, I'll know who to send a message off to! Thanks for all the help/pointers/suggestions/etc. It's cleared up a lot of my curiosities.

    Marty

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: KVM Architecture

    1 core for a VM, please. Until it is proven that 2 is needed. I think you'll be surprised. No need to waste so many CPUs.
    If the hostOS is a pure VM server, 1 core is fine there too. That means you should be able to have excellent performance (RAM/CPU-wise) for 7 VMs. Disk I/O and network performance are different issues.

    DO NOT OVER ALLOCATE CPU OR RAM for VMs. None of my VMs have more than 1.8G of RAM allocated.

  6. #16
    Join Date
    Aug 2014
    Beans
    8

    Re: KVM Architecture

    Quote Originally Posted by TheFu View Post
    1 core for a VM, please. Until it is proven that 2 is needed. I think you'll be surprised. No need to waste so many CPUs.
    I agree, but since I have 8 cores and will only be installing one VM (I might go ahead and create 2 VM's while I'm at it), I suppose all the remaining cores will be utilized by the host OS.

    I'll create the first one (or two) VM's with one core apiece when I build the system.

    As always, thanks.

    Marty

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: KVM Architecture

    For Linux, more is NOT always better. There are many examples where performance slows with more vCPUs.
    Adding 1 more vCPU to a VM is just a shutdown, change the setting, restart effort for Linux. Trivial. Start with 1.

  8. #18
    Join Date
    Aug 2014
    Beans
    8

    Re: KVM Architecture

    Thought I'd add a few updates from my experiences with KVM.

    My first (few) installation attempts went well, but I wasn't getting the performance I would like to see. It appears to be mostly due to the X11 protocol; very slow screen refreshes. I see Spice is supported but I haven't configured it yet. Might give it a shot in the next few days.

    But for setting up KVM/libvirtd/QEMU, it was all pretty straightforward. Seemed pretty stable.

    I'll try to get another update out in a few days after I've had a VM cooking for a while.

    Marty

  9. #19
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: KVM Architecture

    You are trying to virtualize desktops? Which apps? I use x2go for remote desktops and it works really well, securely from anywhere in the world. Clearly, it doesn't handle video, but that is an issue for every free remote desktop offering available. The only solution for that I know is using Xen and their paid remote desktop solution.

    For servers - X11 performance doesn't matter, obviously. Plus NOT having any X11 dependencies is smart for servers.

  10. #20
    Join Date
    Aug 2014
    Beans
    8

    Re: KVM Architecture

    Quote Originally Posted by TheFu View Post
    You are trying to virtualize desktops? Which apps?
    Only to experiment with the installation and performance of KVM. Long-term I doubt I'll have any need for a desktop installation of any VM. Over the weekend I experimented with the installation of the following VM's:


    • Ubuntu 64 minimal install
    • Ubuntu 64 Desktop
    • Fedora 64
    • CentOS 7 minimal install
    • CentOS 7 KDE desktop


    All the VM's installed fine. I played around with VNC for a bit on the installs that had desktops installed, and noticed that the graphical interface was pretty poor... really unusable for the most part. But again, these tests were only to experiment with VM installations since I've never worked with KVM before. Overall I am very satisfied with the performance of the VM's. I have two minimal installs running now: Ubuntu and CentOS 7. Both seem to be performing very well as minimal installs. If I need a GUI of some app... say gparted... I can always run it in an X-window session from the minimal installs.

    Marty
