Re: How to organize your VMs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





On 4/13/21 11:48 AM, Roberto Ragusa wrote:
On 4/10/21 6:13 PM, Nicolas Kovacs wrote:

I'd be curious to have your input, since I'm fairly new to this sort of approach.

I would only separate things that for some reasons are "dirty", e.g. require non packaged
installation.

All the rest (like bind, postfix, dovecot) can happily live in the same machine.

Splitting things too much will increase the maintenance effort, every stupid detail like new kernel installation, clock syncing, log rotation, security patching, etc. gets duplicated. Not to mention the need to now maintain a network connecting the pieces.

This is where what I do in jails on FreeBSD is different from what you describe. All jails in FreeBSD have same base system. Thus, no extra overhead for base system: it is updated for all jails in a single go.

Separate jails have only what is necessary for particular jail. Therefore, I only put in the same jail "inseparable things (e.g. mailman has to have web interface and postfix or sendmail, so this is minimal sufficient bundle that has to be together). Services that do not have to live in the same jail run in different jails. The separation of services into different jails brings a lot of convenience:

1. If service "a" has to be worked on, only other services living in the same jail may potentially be affected, nothing else

2. If service "a" and service "b" need incompatible dependencies, there is no problem when they run in different jails

3. If you do upgrade (as in upgrade of base system), you can upgrade one jail at a time, hence it is much smaller set of things that has to be dealt with as a result of upgrade; the last helps to diminish downtime of every service caused by upgrade

4. Suppose you have compromise (no one is guaranteed from that), that came through some service, but then only that jail is affected, no mess bad guys can do to other services.

5. And one more important thing: base system in jail is mounted read-only: any mess due to compromise does not affect base system of jail (any one of jails)

And the list can continue.

I hope, experts in Linux virtualization will chime in and outline how similar (common for all virtual systems read-only base, etc) can be done with one of Linux virtualization solutions, because I'm certain in must be possible. And I for one would love to learn about that.

I hope, this helps.

Valeri

Same considerations when using containers instead of VMs, you only gain some performance
by not dragging entire kernels for each service.

Start by isolating the service that is giving you most troubles.
Then with a bit of experience, you can evaluate if proceeding along that road.

Best regards.


--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux