Jani Tiainen wrote:
> David Brown kirjoitti:
>> For those of you who feel it is hard getting trac (or any other 
>> software) running, may I give a brief recommendation of the way I did it 
>> (at least, for those starting from scratch)?
> 
> Very good advice...
> 
>> Pick a virtual server system.  I use openvz, which gives strong 
>> separation with minimal overhead (the virtual servers share the main 
>> kernel) - alternatives include linux-vservers (slightly lighter), kvm 
>> (heavier, as the kernels are separate), xen (even the "host" is a 
>> virtual machine), and various commercial choices.
> 
> vmware does a pretty good job for server virtualization these days. Very 
> good pick.
> 

It depends on your requirements - vmware (in my limited experience) is 
relatively heavy.  Each virtual machine has its own separate 
installation of an operating system.  That means setting up a new server 
is similar to a standard installation (although I suppose you can 
install a base, then copy it for new machines?).  Changes such as giving 
the virtual server more or less resources (memory, disk space, etc.) are 
akin to doing the changes physically, and require the same sorts of 
service such as reboots to see the extra memory.

Openvz, on the other hand, is much easier.  It is somewhat akin to an 
enhanced chroot jail - its file system is a branch of the host's file 
system, and its processes run on the host's kernel.  But extra levels 
of security and accounting allow finer control of the virtual servers, 
so that you can control maximums and guaranteed minimums for memory, cpu 
time, network buffers, disk space, etc., and you cannot break out of the 
virtual machine using known chroot methods (I'm not claiming it can't be 
broken, of course).

Sometimes you want to run a different kernel on your virtual machine, or 
use more virtualised devices (other than disks and networks), and then 
need a more complete virtualisation system (like vmware, kvm, or xen). 
But for my use (with virtual servers for email, databases, an ftp 
server, two experimental crm systems, svn/trac, freenx, and probably a 
few others I've forgotten at the moment), openvz is a better way to go. 
(SWsoft also has a commercial version called Virtuozzo, if you want 
paid support, extra management tools, etc.)

>> Many people will tell you about the benefits of virtual servers in terms 
>> of security, or the ability to use fewer physical servers, or the 
>> ability to migrate virtual servers between physical servers as you need 
>> more power or space.  All of that is true, but the big benefit I see is 
>> the separation of tasks so that you can avoid any questions of 
>> conflicts, and the freedom to have different balances between version 
>> stability and frequent updates for different services.
> 
> 
> Well for security things it might actually give less security...
> 

A collection of virtual machines on one physical machine will, all other 
things being equal, be less secure than a corresponding collection of 
physical machines.  And a lightweight virtualisation system like openvz 
will be slightly less secure than a more heavyweight solution.  But my 
belief (I've nothing but experience and common sense to back this up - 
no statistics or reports) is that separate virtual machines for 
different tasks are more secure than the traditional method of one server 
providing a range of services.

Attack vectors often exploit combinations of software for security 
breaches - one service's faults might allow the attacker to run a 
script, while another service's faults might allow for privilege 
escalation to root.  When these two services are on separate virtual 
servers, this connection is broken, and damage is much more limited. 
For additional security, none of the openvz virtual machines have any 
valid logins (you can enter a virtual machine shell from the host).  Of 
course, if anyone breaks out to the host from one of the virtual 
machines, and gets root access, everything is lost on all the virtual 
servers - but that applies whenever someone gets root access.


> But the good thing is that you can separate tasks - you don't need to bloat 
> the server with all kinds of unneeded stuff, and if something fails while 
> setting up you can start over. If you bloat a single server that is pretty 
> much impossible.
> 

Absolutely.  It makes setup easy, and it makes it easy to see what is 
happening and what is important on a given virtual server.  It also 
makes updates faster and smoother (again, a web cache makes these much 
faster for common files).

> Another good thing is that some virtual servers allow you to make copies, and 
> then you can play around with the copy without having to destroy your 
> running environment.
> 

That's easy too on openvz, as is backup or comparison between virtual 
machines (to see why one setup works and not another).

mvh.,

David

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to trac-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---