I’m experimenting with service separation by having each service run in its own operating system, all of the sharing hardware though. Why ? Separation seems to be the only secure approach to running any software. Check Joanna’s blog out. I went with VirtualBox on Debian 7 host, with, well, Debian 7 guests. First I’ve prepared template VM by creating a new VM and just proceeding with install. Then I tried spawning some clones of that, but having it done manually takes quite some time and is error prone. Did somebody say automation ? Yes ! First, clone a VM, regenerating MAC addresses and making sure the resource caps are good:
vmrunner@storage:~$ cat prepare_vm #!/bin/bash set -e if [ $# -ne 2 ] ; then echo "usage: $0 vm_name vm_number" exit 0 fi VM_NAME="$1" RAM_AMOUNT="128" DISK_SIZE="2000" VM_NUMBER="$2" RDP_PORT=$(($2+3389)) EXECUTION_CAP="50" VBoxManage clonevm fresh.cyplo.net --name $VM_NAME --mode machine --register VBoxManage modifyvm $VM_NAME --vrde on echo "setting RDP listening port to $RDP_PORT" VBoxManage modifyvm $VM_NAME --memory $RAM_AMOUNT VBoxManage modifyvm $VM_NAME --vrdeport $RDP_PORT VBoxManage modifyvm $VM_NAME --nic1 bridged --bridgeadapter1 eth0 VBoxManage modifyvm $VM_NAME --pae on VBoxManage modifyvm $VM_NAME --cpuexecutioncap $EXECUTION_CAP VBoxManage modifyvm $VM_NAME --hpet on VBoxManage modifyvm $VM_NAME --hwvirtex on VBoxManage modifyvm $VM_NAME --pagefusion on VBoxManage modifyvm $VM_NAME --dvd none VBoxManage modifyvm $VM_NAME --autostart-enabled on VBoxManage modifyvm $VM_NAME --macaddress1 auto VBoxManage modifyvm $VM_NAME --macaddress2 auto echo "vm set up, listing all VMs:" VBoxManage list vms
Then run the VM and change it into Debian service host with new name and some software:
vmrunner@storage:~$ cat kickstart_debian #/bin/bash set -e if [ $# -ne 2 ] ; then echo "usage: $0 new_hostname new_domainname" exit 0 fi NEW_HOSTNAME="$1" NEW_DOMAINNAME="$2" NEW_FQDN="$NEW_HOSTNAME.$NEW_DOMAINNAME" aptitude update aptitude dist-upgrade -y aptitude install vim atop sudo -y hostname ifconfig set -v echo "$NEW_FQDN" > /etc/mailname echo "$NEW_HOSTNAME" > /etc/hostname sed -i "s/dc_other_hostnames\='.*'/dc_other_hostnames='$NEW_FQDN'/g" /etc/exim4/update-exim4.conf.conf sed -i "s/127\.0\.1\.1.*/127.0.1.1 $NEW_FQDN $NEW_HOSTNAME/g" /etc/hosts rm /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server reboot
The script above needs to be run on guest, I’m using scp with known ssh keys to upload it and then run via ssh. This step is to be automated in the future. Points to improve:
- updating all the guests at once [Chef?]
- monitoring all guests at once [Nagios?]
Summarizing, I’m now running a Tor node, file server, caldav, carddav and some other services on my home server. All of them in separate VMs. And it’s running quite well with 2GB of RAM. For more info on my home server build check its hardware and basic software.