<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.openvz.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Josh-A</id>
	<title>OpenVZ Virtuozzo Containers Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.openvz.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Josh-A"/>
	<link rel="alternate" type="text/html" href="https://wiki.openvz.org/Special:Contributions/Josh-A"/>
	<updated>2026-05-15T17:46:53Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.1</generator>
	<entry>
		<id>https://wiki.openvz.org/index.php?title=Virtual_Environment&amp;diff=3781</id>
		<title>Virtual Environment</title>
		<link rel="alternate" type="text/html" href="https://wiki.openvz.org/index.php?title=Virtual_Environment&amp;diff=3781"/>
		<updated>2007-12-20T11:33:52Z</updated>

		<summary type="html">&lt;p&gt;Josh-A: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;A Virtual Environment (VE, also known as a Virtual Private Server, or VPS) is one of the main concepts of OpenVZ.&lt;br /&gt;
&lt;br /&gt;
A VE is an isolated entity that performs and executes exactly like a stand-alone server. A VE can be rebooted independently and has its own root access, users/groups, IP address(es), memory, processes, files, applications, system libraries and configuration files.&lt;br /&gt;
&lt;br /&gt;
OpenVZ allows you to have multiple VEs (up to as many as several hundred) on a single [[Hardware Node]].&lt;br /&gt;
&lt;br /&gt;
Learn more about [http://www.webhosting.uk.com/web-hosting/faq/what-is-vps-technology/ VPS] Technology&lt;br /&gt;
&lt;br /&gt;
[[Category: Definitions]]&lt;/div&gt;</summary>
		<author><name>Josh-A</name></author>
		
	</entry>
	<entry>
		<id>https://wiki.openvz.org/index.php?title=VPS_vs_Dedicated&amp;diff=3485</id>
		<title>VPS vs Dedicated</title>
		<link rel="alternate" type="text/html" href="https://wiki.openvz.org/index.php?title=VPS_vs_Dedicated&amp;diff=3485"/>
		<updated>2007-10-05T09:45:11Z</updated>

		<summary type="html">&lt;p&gt;Josh-A: /* Advantages of VPS */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Although I am somewhat of a new user to the VPS world I thought I'd write a short article giving an overview of why use VPS instead of dedicated servers for those of you who are involved in the hosting business or people thinking about leasing a VPS server. Here I will address misconceptions I had about VPS and talk about how my perspective on VPS is changing.&lt;br /&gt;
&lt;br /&gt;
Who am I? This article was originally written by [http://www.perkel.com Marc Perkel] - a new VPS user - expressing my overview of OpenVZ from my perspective as a new user talking to other new users about my experience in learning this new environment. I am not an OpenVZ expert and I want to write this while I'm still new to OpenVZ so I can express my view from a new user's perspective. If you are just reading about VPS for the first time I am not that far ahead of you. This article is an attempt by me to give back a little to those who created this free software and give you new people an overview of the big picture as I learn this myself.&lt;br /&gt;
&lt;br /&gt;
= Why use Virtual Private Servers instead of Dedicated Servers =&lt;br /&gt;
&lt;br /&gt;
Like many of you when I first heard of the idea of VPS I pictured it as some small lame server that is sold to 12 year olds trying to start hosting companies on the cheap. It had never quite caught my attention until I decided I needed a remote name server and all I needed was enough of a server to run bind, but didn't want to buy a dedicated box just to do that. So I got a VPS based on Virtuozzo for $80/year and it worked great.&lt;br /&gt;
&lt;br /&gt;
In the process however I started understanding the VPS concept and it became apparent that this is more than just a tool to create little servers. The way I see it VPS can replace dedicated servers in many situations in a data center and do a better job than dedicated. You can actually give the customer more horsepower and better hosting than selling them a small dedicated box. (Of course big customers will still need their own server.)&lt;br /&gt;
&lt;br /&gt;
I don't own a data center business myself but I have a friend who does and I colo several servers there. He has several racks of some old Celeron boxes with 512 megs of ram and one or two 80 gig drives depending on if the customer has any concept of backups, which most of them don't. I'm looking at the racks of Celerons and P4s thinking that each rack could be consolidated into a single modern server and that the customers would actually have a better server than the one they are on now. And the cost saving is tremendous.&lt;br /&gt;
&lt;br /&gt;
= Advantages of VPS =&lt;br /&gt;
&lt;br /&gt;
Most small dedicated servers are a waste of resources. People buy bigger servers than they need and the excess capacity is wasted. These servers take both space and power which is expensive in a data center and you have hardware costs associated with each server that you have to recoup. People often don't do any backups so after several years the hard drive fails and they lose everything. And it's your fault for not backing them up in the first place.&lt;br /&gt;
&lt;br /&gt;
Imagine a rack of 16 Celeron boxes with 80 gig drives being replaced by a Dual Core Athlon X2 with 8 gigs of ram and 4 500gb SATA 2 drives running in a raid 10 configuration. (Writing this in Feb of 2007 for future historians who will read this and laugh at the old days when computers had just gigabytes.) The above server would cost about $2000 to build and only take 2U of space and use far less power than the 16 machines that are being replaced.&lt;br /&gt;
&lt;br /&gt;
Note that I'm suggesting in this example only a 16 to 1 consolidation. Everyone has the same amount of ram. In reality the consolidation is many times higher because most of those using the Celerons are not using all the memory. Many are using only 1/5 of what they have and a lot of that is used by the individual kernels running. In OpenVZ there is one kernel for everyone.&lt;br /&gt;
&lt;br /&gt;
Note also that many of these servers have idle time where the processor is doing nothing and they have lots of extra hard drive space that isn't being used. By consolidating these systems the free resources are combined allowing you to run many more logical servers that each have more resources than the individual servers.&lt;br /&gt;
&lt;br /&gt;
On a dedicated computer the user is stuck with an old slow 32 bit processor, a limited amount of ram, and an old slow hard drive with no backups. In a VPS that same user is running on a shared dual core 64 bit CPU sharing 8 gigs of ram with fast modern large hard drives with raid backup. That is a significant improvement over having their own dedicated box. So this is a better deal for the customer. [http://www.webhosting.uk.com/knowledgebase/advantages-of-a-vps/ VPS Hosting Advantage]&lt;br /&gt;
&lt;br /&gt;
== Administration Advantages ==&lt;br /&gt;
&lt;br /&gt;
If a customer needs you to fix something on their dedicated server you have to either know the root password or take the server down and boot from a rescue CD to get in and fix it. You also can't access the customer's files without logging in to their server as root. In a VPS you as host can enter their server at any time without a password. (Keeping the host environment very secure of course.) That allows you to do maintenance without having to look up the person's root password.&lt;br /&gt;
&lt;br /&gt;
== Ease of Setup ==&lt;br /&gt;
&lt;br /&gt;
Setup couldn't be easier as compared to building a dedicated server. All you have to do is type a few commands and the new virtual server is ready to go. You can have the customer running while you are still on the phone taking the order. A dedicated box requires setup, installation, and often has to be scheduled. This involves cost and time. VPS is ready instantly and easily. Any distro you want with all the latest updates installed. When a customer places an order they want it now. With VPS you can deliver it now.&lt;br /&gt;
&lt;br /&gt;
== Backup Advantages ==&lt;br /&gt;
&lt;br /&gt;
Additionally you can access the customer's files directly from the host environment. This allows you to run rsync scripts to back up all the virtual servers to external storage or backup servers without the customer being aware that you are doing sophisticated backups. Then when the customer calls you up in a panic and says, &amp;quot;I totally screwed up my server and deleted a bunch of files by accident. Can you get it back?&amp;quot; You can magically restore their lost data and you are forever their hero.&lt;br /&gt;
&lt;br /&gt;
== IP Allocation Advantages ==&lt;br /&gt;
&lt;br /&gt;
Tired of allocating 4 IP addresses just to give the customer 1 usable? Or giving them 8 so they have 5 usable and most of them only use one? How inefficient is that? With OpenVZ you can allocate IP addresses individually so that if a customer only needs one IP then they get only 1 IP. But if they need 9 IP addresses you can give them exactly 9 of them. They can call you up and say I need one more IP and you can give it to them in seconds. On a dedicated server if you gave them a /29 vlan and they are using all 5 IPs and they need another one - that is a huge hassle.&lt;br /&gt;
&lt;br /&gt;
== Disk Space Allocation ==&lt;br /&gt;
&lt;br /&gt;
On dedicated servers you have to install a big hard drive that is mostly wasted. If the customer wants backups then it's two hard drives. In OpenVZ you just allocate space in the raid array based on what the customer actually needs and they only use the space that they use rather than what's allocated. The &amp;quot;allocation&amp;quot; is really just a software limit and that is a line in a text file that you can instantly change the moment the customer needs more space. On a dedicated box if the customer needs a bigger drive then it's a trip to the data center with a new drive and a few hours time to copy everything over and replace the drive, not to mention the down time.&lt;br /&gt;
&lt;br /&gt;
== Memory Upgrades ==&lt;br /&gt;
&lt;br /&gt;
Memory upgrades are as easy as hard drive upgrades. Just one command, then the user has more ram. But what if the server is full and you don't have any more ram? No problem. Just copy the user's VE (virtual environment) over to another physical server with rsync and start them up there. In only a few minutes you've migrated them to a new box and they are up and running.&lt;br /&gt;
&lt;br /&gt;
== Migration ==&lt;br /&gt;
&lt;br /&gt;
Suppose a customer just needs a bigger server. Migration is easy in the VPS environment because the VE is consistent between servers. You just copy over the files and start it up. You don't have to build a new server, install an OS, copy it all over, and then mess with it for an hour getting everything to work.&lt;br /&gt;
&lt;br /&gt;
== Emergency Procedures ==&lt;br /&gt;
&lt;br /&gt;
Let's say that a server fries. With VPS and good backups you have more options. You can copy the backup of the VPS onto another server and restore it as of the last (nightly) backup. (I'm a backup freak - but it pays.) That gets the customers up instantly if they need that while a tech can go down there and fix the server with less pressure. This gives you more options when bad things happen.&lt;br /&gt;
&lt;br /&gt;
== Load Balancing ==&lt;br /&gt;
&lt;br /&gt;
OpenVZ allows you to migrate servers live from one physical server to another. I haven't yet done that but I have done a shutdown, copy, and restart of the VE on another server and it's so easy to do that. So suppose you have a server that's a little crowded and some user starts hogging some resources. No problem. You just move a few users to another box and problem solved. This could probably be done automatically with some well configured cluster and I would love it if someone wrote a wiki page telling us how to do it.&lt;br /&gt;
&lt;br /&gt;
== Protecting your Customers ==&lt;br /&gt;
&lt;br /&gt;
Since you are managing the host system you can create IP filters and port blocking policies that help keep users from exploiting you or keep hackers from exploiting your users. Instead of a separate box that is all theirs you have them in a more managed shell allowing you to keep the inexperienced out of trouble. This provides them with a service that is watched more closely, allowing them to do their own thing, but keeping you close by to keep them out of trouble.&lt;br /&gt;
&lt;br /&gt;
= Cost =&lt;br /&gt;
&lt;br /&gt;
The cost savings are rather obvious. An entire rack compressed into one or two computers. Picture the space and power savings. The greenhouse gas not being generated by the power you're not using. The number of computers that you are not buying. The hours you are saving in setup time and administrative time. When it comes to saving money this is definitely a winner. You can take that extra money and pass some on to customers and keep some extra for yourself.&lt;br /&gt;
&lt;br /&gt;
= The Down Side =&lt;br /&gt;
&lt;br /&gt;
Any time you add another layer then you have another layer of things that can go wrong. It takes some learning to understand the process and there is the possibility that one person can screw up the system for everyone. As virtualization develops it will get better. OpenVZ is very stable in that it is far less intrusive than other virtualization methods. It is limited to Linux only so BSD and Windows users will have to do something else.&lt;br /&gt;
&lt;br /&gt;
= Conclusion =&lt;br /&gt;
&lt;br /&gt;
I believe that VPS represents the future of computing. The space, power, and cost savings are too great to ignore. I see data centers that are massive clusters running tens of thousands of logical servers that transparently migrate around the physical resources and are up 100% of the time. Customers no longer will have to deal with issues of backups the way they have to now, and it will simplify the hosting process. I think that every data center should be looking into virtualization technology now with the idea that you are going to be doing this and it's time to at least start thinking about it and exploring it with an eye towards the future.&lt;br /&gt;
&lt;br /&gt;
I have to say that my view of VPS has radically changed and that I now see this as a solution not just for people wanting little servers but for most everyone who is looking for dedicated service. VPS is a different way of looking at the computing world and it takes some significant mental adjustment and education to grasp the big picture.&lt;br /&gt;
&lt;br /&gt;
[[Category: Technology]]&lt;br /&gt;
[[Category: Concepts]]&lt;/div&gt;</summary>
		<author><name>Josh-A</name></author>
		
	</entry>
	<entry>
		<id>https://wiki.openvz.org/index.php?title=Setting_up_an_iptables_firewall&amp;diff=3484</id>
		<title>Setting up an iptables firewall</title>
		<link rel="alternate" type="text/html" href="https://wiki.openvz.org/index.php?title=Setting_up_an_iptables_firewall&amp;diff=3484"/>
		<updated>2007-10-05T09:39:25Z</updated>

		<summary type="html">&lt;p&gt;Josh-A: /* See also */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This document consists of two parts. The first is setting up a firewall (using iptables) on the HN, which will restrict traffic to the VEs. The effect would emulate, as far as the VEs and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the HN itself but still allows traffic to the VEs, thus allowing individual VEs to define their own iptables.&lt;br /&gt;
&lt;br /&gt;
While the firewalls shown here can be accomplished using iptables manually (or using Fedora Core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ VEs and a lot of other things to be doing...&lt;br /&gt;
&lt;br /&gt;
The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== A little background ==&lt;br /&gt;
&lt;br /&gt;
On our systems, we use the HN to provide privileged services which are not appropriate for access by the VEs. For example, the HN acts as a backup server, runs Nagios for health monitoring, has a webserver for managing the 3ware RAID controller, etc. The VEs are leased to customers, who can't entirely be trusted, especially if they get hacked. As such, our scenario is one in which the HN must be protected from all access (even from the VEs) except for a few trusted hosts (e.g. my home-office).&lt;br /&gt;
&lt;br /&gt;
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our VEs and also to host DNS for a few customer domains.&lt;br /&gt;
&lt;br /&gt;
== Setting up a HN-based firewall ==&lt;br /&gt;
&lt;br /&gt;
This setup emulates (to the VEs anyway) an external hardware firewall. It protects the HN from any access and then defines what services and ports are allowed/banned for individual VEs. This leaves the firewall controlled by the site administrator, not by individual VEs and the hackers who've gotten into them. ;)&lt;br /&gt;
&lt;br /&gt;
First off, let's disable Fedora's existing &amp;lt;code&amp;gt;iptables&amp;lt;/code&amp;gt; service:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service iptables stop&lt;br /&gt;
chkconfig iptables off&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Now create the new &amp;lt;code&amp;gt;firewall&amp;lt;/code&amp;gt; service. Save this code as &amp;lt;code&amp;gt;/etc/init.d/firewall&amp;lt;/code&amp;gt; and then chmod it to 755.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#!/bin/sh&lt;br /&gt;
# firewall      Start iptables firewall&lt;br /&gt;
# chkconfig: 2345 08 92&lt;br /&gt;
# description:  Starts, stops and saves iptables firewall&lt;br /&gt;
# This script sets up the firewall for the INPUT chain (which is for the HN itself)&lt;br /&gt;
# and then processes the config files under /etc/firewall.d to set up additional rules&lt;br /&gt;
# in the FORWARD chain to allow access to VEs' services.&lt;br /&gt;
&lt;br /&gt;
. /etc/init.d/functions&lt;br /&gt;
&lt;br /&gt;
# the IP block allocated to this server&lt;br /&gt;
SEGMENT=&amp;quot;192.168.0.0/24&amp;quot;&lt;br /&gt;
# the IP used by the hosting server itself&lt;br /&gt;
THISHOST=&amp;quot;192.168.0.1&amp;quot;&lt;br /&gt;
# services that should be allowed to the HN; services for VEs are configured in /etc/firewall.d/*&lt;br /&gt;
OKPORTS=&amp;quot;53&amp;quot;&lt;br /&gt;
# hosts allowed full access through the firewall, to all VEs and to this server&lt;br /&gt;
DMZS=&amp;quot;12.34.56.78 90.123.45.67&amp;quot;&lt;br /&gt;
&lt;br /&gt;
purge() {&lt;br /&gt;
  echo -n &amp;quot;Firewall: Purging and allowing all traffic&amp;quot;&lt;br /&gt;
  iptables -P OUTPUT ACCEPT&lt;br /&gt;
  iptables -P FORWARD ACCEPT&lt;br /&gt;
  iptables -P INPUT ACCEPT&lt;br /&gt;
  iptables -F&lt;br /&gt;
  success ; echo&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
setup() {&lt;br /&gt;
  echo -n &amp;quot;Firewall: Setting default policies to DROP&amp;quot;&lt;br /&gt;
  iptables -P INPUT DROP&lt;br /&gt;
  iptables -P FORWARD DROP&lt;br /&gt;
  iptables -I INPUT   -j ACCEPT -m state --state ESTABLISHED,RELATED&lt;br /&gt;
  iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED&lt;br /&gt;
  iptables -I INPUT -j ACCEPT -i lo&lt;br /&gt;
  iptables -I FORWARD -j ACCEPT --source $SEGMENT&lt;br /&gt;
  success ; echo&lt;br /&gt;
&lt;br /&gt;
  echo &amp;quot;Firewall: Allowing access to HN&amp;quot;&lt;br /&gt;
  for port in $OKPORTS ; do&lt;br /&gt;
    echo -n &amp;quot;          port $port&amp;quot;&lt;br /&gt;
    iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol tcp --destination-port $port&lt;br /&gt;
    iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol udp --destination-port $port&lt;br /&gt;
    success ; echo&lt;br /&gt;
  done&lt;br /&gt;
  for ip in $DMZS ; do&lt;br /&gt;
    echo -n &amp;quot;          DMZ $ip&amp;quot;&lt;br /&gt;
    iptables -I INPUT   -i eth0 -j ACCEPT -s $ip&lt;br /&gt;
    iptables -I FORWARD -i eth0 -j ACCEPT -s $ip&lt;br /&gt;
    success ; echo&lt;br /&gt;
  done&lt;br /&gt;
&lt;br /&gt;
  VESETUPS=`echo /etc/firewall.d/*`&lt;br /&gt;
  if [ &amp;quot;$VESETUPS&amp;quot; != &amp;quot;/etc/firewall.d/*&amp;quot; ] ; then&lt;br /&gt;
  echo &amp;quot;Firewall: Setting up VE firewalls&amp;quot;&lt;br /&gt;
  for i in $VESETUPS ; do&lt;br /&gt;
    # clear the per-VE settings so a file that omits one does not inherit the previous VE's value&lt;br /&gt;
    unset VEID VENAME VEIP OPENPORTS DMZS BANNED&lt;br /&gt;
    . $i&lt;br /&gt;
    echo -n &amp;quot;          $VENAME VE$VEID&amp;quot;&lt;br /&gt;
    # iptables -I inserts at the top of the chain, so the rules added last are matched first;&lt;br /&gt;
    # BANNED is therefore added last so that its DROP rules take precedence over the ACCEPT rules&lt;br /&gt;
    if [ -n &amp;quot;$OPENPORTS&amp;quot; ]; then&lt;br /&gt;
      for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP --destination-port $port ; done&lt;br /&gt;
      for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP --destination-port $port ; done&lt;br /&gt;
    fi&lt;br /&gt;
    if [ -n &amp;quot;$DMZS&amp;quot; ]; then&lt;br /&gt;
      for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP --source $source ; done&lt;br /&gt;
      for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP --source $source ; done&lt;br /&gt;
    fi&lt;br /&gt;
    if [ -n &amp;quot;$BANNED&amp;quot; ]; then&lt;br /&gt;
      for source in $BANNED ;  do iptables -I FORWARD -j DROP --destination $VEIP --source $source ; done&lt;br /&gt;
    fi&lt;br /&gt;
    [ $? -eq 0 ] &amp;amp;&amp;amp; success || failure&lt;br /&gt;
    echo&lt;br /&gt;
  done&lt;br /&gt;
  fi&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
case &amp;quot;$1&amp;quot; in&lt;br /&gt;
  start)&lt;br /&gt;
    echo &amp;quot;Starting firewall...&amp;quot;&lt;br /&gt;
    purge&lt;br /&gt;
    setup&lt;br /&gt;
    ;;&lt;br /&gt;
  stop)&lt;br /&gt;
    echo &amp;quot;Stopping firewall...&amp;quot;&lt;br /&gt;
    purge&lt;br /&gt;
    ;;&lt;br /&gt;
  restart)&lt;br /&gt;
    $0 stop&lt;br /&gt;
    $0 start&lt;br /&gt;
    ;;&lt;br /&gt;
  status)&lt;br /&gt;
    iptables -n -L&lt;br /&gt;
    ;;&lt;br /&gt;
  *)&lt;br /&gt;
    echo &amp;quot;Usage: $0 &amp;lt;start|stop|restart|status&amp;gt;&amp;quot;&lt;br /&gt;
    ;;&lt;br /&gt;
esac&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above script can be called like this:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service firewall start&lt;br /&gt;
service firewall stop&lt;br /&gt;
service firewall restart&lt;br /&gt;
service firewall status&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
It will set up the firewall for the HN according to the parameters you specified for OKPORTS, DMZS, etc. and then it will call each file under /etc/firewall.d and process its configuration.&lt;br /&gt;
&lt;br /&gt;
So create a file under /etc/firewall.d. The exact filename isn't important, as long as it's meaningful to you, e.g. &amp;lt;code&amp;gt;ExampleCompany&amp;lt;/code&amp;gt; or &amp;lt;code&amp;gt;ve12&amp;lt;/code&amp;gt;, and give it content like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# This file is processed by /etc/init.d/firewall&lt;br /&gt;
VEID=&amp;quot;1&amp;quot;                      # the VE's ID#&lt;br /&gt;
VENAME=&amp;quot;Customer1&amp;quot;            # A human-friendly label for the VE&lt;br /&gt;
VEIP=&amp;quot;192.168.1.34&amp;quot;           # the IP address for this VE&lt;br /&gt;
OPENPORTS=&amp;quot;80 443&amp;quot;            # ports that should be universally opened to the entire Internet&lt;br /&gt;
DMZS=&amp;quot;1.2.3.0/24 5.6.7.8/32&amp;quot;  # IPs and blocks that should have full access to the VE's services&lt;br /&gt;
BANNED=&amp;quot;&amp;quot;                     # IPs and blocks that should be entirely blocked from the VE's services&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And there you go. Go ahead and start the firewall and check its status:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
service firewall restart&lt;br /&gt;
service firewall status&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
As you can see, you can now add and edit the configurations for individual VEs very easily. This method proves a lot easier to manage than Fedora's iptables-config mechanism!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Setting up a firewall that allows per-VE configuration ==&lt;br /&gt;
&lt;br /&gt;
This setup configures iptables on the HN to disallow access to all hosts, including the VEs. However, it allows all traffic into the VEs so they may define their own iptables rules and therefore manage their own firewall.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;This content is missing. You are invited to fill it in, if you get to it before I do. :)&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
&lt;br /&gt;
* [[Traffic accounting with iptables]]&lt;br /&gt;
* [http://blog.webhosting.uk.com/2006/06/08/some-thing-about-iptables/ More info on iptables]&lt;br /&gt;
&lt;br /&gt;
[[ Category: Networking ]]&lt;br /&gt;
[[ Category: Firewalls ]]&lt;/div&gt;</summary>
		<author><name>Josh-A</name></author>
		
	</entry>
	<entry>
		<id>https://wiki.openvz.org/index.php?title=Control_panels&amp;diff=3470</id>
		<title>Control panels</title>
		<link rel="alternate" type="text/html" href="https://wiki.openvz.org/index.php?title=Control_panels&amp;diff=3470"/>
		<updated>2007-09-28T11:44:48Z</updated>

		<summary type="html">&lt;p&gt;Josh-A: /* Free software */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This page contains links to different control panels for OpenVZ, written by third parties. If you know of a project that's missing here, please add it.&lt;br /&gt;
&lt;br /&gt;
== Free software ==&lt;br /&gt;
* EasyVZ: [http://easyvz.sourceforge.net/ screenshots] | [http://sourceforge.net/projects/easyvz sf.net project page]&lt;br /&gt;
* Webmin: [http://www.webmin.com/index8.html homepage] | [http://webadminmodules.sourceforge.net/?page=Search&amp;amp;action=search OpenVZ plugin] (search for OpenVZ)&lt;br /&gt;
* Webhosting.UK.com: [http://www.webhosting.uk.com/forums/showthread.php?t=77 List of free and paid hosting control panels]&lt;br /&gt;
&lt;br /&gt;
== Non-free ==&lt;br /&gt;
* VZ-Manager: [http://vzmanager.de/ homepage (German)]&lt;br /&gt;
* HyperVM: [http://lxlabs.com/software/hypervm/ homepage]&lt;br /&gt;
* vzAdmin: [http://www.vzAdmin.info/ homepage (German)]&lt;br /&gt;
&lt;br /&gt;
== Unknown license ==&lt;br /&gt;
* OpenVZ Control panel for Windows(r): {{forum|1491}} | [http://downloads.qmailrocks.ru/vz/ downloads] ''unknown license''&lt;br /&gt;
&lt;br /&gt;
== Frozen projects ==&lt;br /&gt;
* VZAdmin: [http://www.ronny-goerner.de/ homepage] ''seems not available now''&lt;br /&gt;
* WVZ: [http://homaly.dunanet.hu/wvz/ homepage] ''seems frozen''&lt;br /&gt;
* New OpenVZ Web Based Control Panel by rsailor: {{forum|230}} ''seems not available now''&lt;/div&gt;</summary>
		<author><name>Josh-A</name></author>
		
	</entry>
</feed>