LinuxDevCenter.com


Consolidating Servers Under Linux

Consolidating services under Linux: Part two

Another way to consolidate servers if you can't run all of your applications under Linux (if you're tied to Windows for Workgroups, for example) is to downsize your server count through hardware emulation.



The emulation of computer systems, more popularly known as "virtual machines," has been around for a long time. IBM pioneered virtual machine technology back in the 1960s as a way to allow its customers to retain their investment in software by allowing emulation of entire computer systems to run on their latest hardware. On a smaller scale, virtual machines have been used for years in everything from UCSD Pascal to Java, allowing programmers to write software for one set of APIs that has the capability to run on multiple hardware platforms. For our uses, we're interested in figuring out how to use one or more virtual machines to run a number of different operating systems on one physical box.

Most people have heard of VMWare and its virtual machine for emulation of desktop systems, VMWare Desktop. It's a great boon if you run a Linux laptop or desktop system but still need to run applications such as Visio or Microsoft Office. VMWare is a versatile performer. It allows you to run not only Windows (3.1 all the way up through XP), but you can also run Net/Open BSD or even another Linux virtual machine -- you can even run all of these at the same time.

One drawback, until recently, was that VMWare was a good desktop/laptop solution but it didn't scale to the enterprise. There are issues such as CPU performance and I/O bandwidth if you are trying to force a desktop machine (and VMWare Desktop) into server-level duty. Recently VMWare released new versions of its virtual machine software that can be used to run large-scale servers. The new enterprise versions of VMWare, called VMWare ESX and VMWare GSX, allow VMWare to be used for data center consolidation or departmental consolidation respectively.

The ESX version actually runs its own kernel and can host 4 to 20 Linux, Windows, or BSD virtual machines and supports 1Gb per second of network bandwidth. This is really an industrial-strength solution to support database machines and streaming content for those who want to cut down the number of physical servers they support in a data center while maintaining a single management interface.

The GSX version of VMWare is meant for departmental servers and runs on top of Linux (or Windows) and supports four to eight virtual machines. This is the perfect solution for businesses or departments that either have too many machines and not enough support staff, or have seen their IT budgets slashed and need to support more applications on disparate operating systems.

One of the nice features of VMWare's enterprise solutions is their web-based interface that allows a system administrator to build and control all of the virtual machines from a single unified interface. This means that you can dispense with KVM switches and manage virtual machines right from your desktop.

Screen shot. (Image courtesy VMWare, Inc.)

VMWare's solutions are not cheap -- a VMWare enterprise license can run $2,500 -- but given the number of machines they can replace and the value they add in terms of being able to support more applications on your existing hardware they're quite a bargain.

Resources

  • The Linux RAID How-To
  • VMWare, Inc.

David HM Spector is President & CEO of Really Fast Systems, LLC, an infrastructure consulting and product development company based in New York.




Have you run into any services that just don't work well on the same box?

  • FreeBSD's Jail / chroot
    2001-09-26 12:34:58  nate@nutopia.org

    One thing overlooked in this article is "chroot." The chroot command exists in Linux and the BSDs and allows you to prevent an application (like your web or mail server) from accessing parts of your server's drive(s) it's not supposed to - even if the app is hacked, the kernel will not allow it to write outside the directory it has been chrooted to. Bind has built-in support for this.

    FreeBSD (and it's at least planned for the other BSDs) has a jail command that goes a step farther and controls what syscalls it can make, the IP/ports it can bind to, the protocols it can bind to, etc... (I believe there was an article about using it on daemonnews recently)

    Both of these methods allow for greater security on boxes with multiple services running on them and don't require the overhead / expense of VMware. I personally keep most services chrooted on my OpenBSD server and am considering chrooting all user logins for a little extra paranoia :)
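
One way to check, on a Linux host, that services meant to run chrooted (as the comment above describes) really are inside their jails. This is an added example, not part of the original comment or article; the function names and the `expected_jails` policy are assumptions made for illustration.

```python
import os

def chroot_report(proc_dir="/proc"):
    """Map each PID under proc_dir to (command name, root directory).

    On Linux, /proc/<pid>/root is a symlink to the process's root directory:
    "/" when unconfined, the jail path when chrooted. Root is None when the
    link cannot be read (insufficient privilege, or the process has exited).
    """
    report = {}
    for entry in os.listdir(proc_dir):
        if not entry.isdigit():      # skip non-process entries
            continue
        base = os.path.join(proc_dir, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            name = "?"
        try:
            root = os.readlink(os.path.join(base, "root"))
        except OSError:
            root = None
        report[int(entry)] = (name, root)
    return report


def unconfined(report, expected_jails):
    """List (pid, name, observed root) for services outside their jail.

    expected_jails maps a command name to the directory it should be
    chrooted to; it is a site policy supplied by the caller (assumed here).
    """
    findings = []
    for pid, (name, root) in sorted(report.items()):
        jail = expected_jails.get(name)
        if jail is None:
            continue                  # not a service the policy covers
        if root is None:
            findings.append((pid, name, "root unreadable"))
        elif os.path.normpath(root) != os.path.normpath(jail):
            findings.append((pid, name, root))
    return findings


if __name__ == "__main__":
    policy = {"named": "/var/named"}   # constructed policy; adjust per host
    for pid, name, root in unconfined(chroot_report(), policy):
        print(f"{name} (pid {pid}) is not in its expected jail: {root}")
```

Run it as root so that the root links of processes owned by other users are readable; otherwise those services are reported as "root unreadable" rather than silently passed.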
  • Security issues overlooked
    2001-08-31 02:08:37  mbruce

    Server applications have been separated onto different physical machines for 2 reasons: load and security. The security aspect has been completely overlooked in this article.

    Let's say you have your company mail server and your database of customer details (including credit card numbers, if you want an obvious warning bell that even non-techies can hear) running on the same server "because you want to consolidate your hardware" and save a few bucks. Then Joe Cracker comes along and roots your all-in-one server using an exploit in Sendmail (because the admin was too busy/lazy/hungover to ensure it was running the latest "known good" patchlevel).

    Bye bye credit card numbers, hello lawsuit, bye bye company.

    I've only just covered the Confidentiality aspect.

    What about Integrity? Modification of data, ordering with a bent credit card and erasing the transaction, etc.

    And what about Availability? The underlying virtual server app goes down (presumably via an attack on the admin port - everyone wants ease of management, don't they?) and every virtual machine on this all-in-one server goes down.

    What does the business impact assessment classify downtime criticalities to be? (You HAVE done a BIA, haven't you?) Will it take the resident ubergeek a day to rebuild it? Will that day of lost productivity cost you more than you can recover in a month or year?

    While I applaud the technology, and think it may have some real uses, I really do have concerns about putting it into a production environment based on the fact this article writer has completely glossed over such a critical subject.
  • Win4Lin can actually give >100% emulation efficiency
    2001-08-23 00:00:05  leonbrooks

    I've played with a Win4Lin installation that has Windows 95/98 apps running *faster* in Win4Lin than natively. Also, running multiple instances of a Windows program seems to use less memory than doing so natively. Win4Lin will only allow you to run x86 Win9[58] programs on an X86 Linux box, but it does this one thing really, really well. It's possible to set thin clients up so that there is no obvious sign (other than a 2-second "reboot" and fewer crashes to start with) that they aren't running Windows, or so that Windows apps are just another Linux desktop icon.
  • ..And let's not forget IBM..
    2001-08-19 13:21:00  Laen

    An S390 mainframe is capable of running many thousand virtual machines and makes a lot of sense for people who either want to stick with the "one service per machine" philosophy, or have applications that shouldn't be sharing memory and disk space for security reasons.

    Of course, if you're balking at the $2,500 cost of a VMWare enterprise license, the $500,000 price tag on an S390 will probably kill you. :)

