On Thu Jan 14, 2010 at 19:32:16 +0700, Sthu Deus wrote:

> I want to separate diver services and make NAT to them - so that
> it be more secure in case if one of them will be hacked - I still

  Right, so you want a host which has a public IP (or more than one)
 and each guest will have private IPs on separate ranges, such that
 they cannot talk to each other?

  That sounds like a good setup.

  If you're going to assume that a machine will be hacked, and then
 assume a kernel bug will come into play on one of the guests, that
 strongly suggests you want to ensure that they aren't sharing a
 single kernel - i.e. don't choose vserver.

> I know that KVM offers much less respond comparing w/
> vserver. How about Xen? Can I turn the guests on/off on the fly?

  Both Xen and KVM will let you start/stop guests independently of
 each other.

  KVM works as a process, so you just stop it.

  Xen has a lot of magic behind the scenes, but ultimately you can
 do things like list the running guests with "xm list", start one
 that is stopped with "xm create blah.cfg" and stop a running one
 with "xm shutdown blah".

> I want them to use for email, web, and do not know if proxy
> is any worth of to put in separate guest? - Nothing special.

  Probably not worth the overhead I'd have thought; historically the
 common squid proxy has had a good security record.

> Ok, what is the best here (relating for my tasks)? - If any
> had experience w/ several of them?

  Best is still going to be a personal preference.  I'd choose KVM,
 then Xen, then vmware then vserver.

> Why nobody says about packaging problem in Debian, net
> interfaces at guests turning off?!

  If you use something like Xen/vmware/kvm you'd not concern yourself
 with the interfaces.  Instead you'd shut down a guest if you wanted it
 to be unreachable and disabled.

  Leaving it running but dropping the traffic would work, but it would
 be an odd thing to do.  (e.g. it would still run cronjobs and try to
 send email, etc.)

> I guess that KVM takes a lot of overload comparing w/ vserver -
> for example spam filtering, virus scanning.

  It will take overhead, yes.  But not a lot.

  Certainly a virtual KVM guest can handle spam filtering just fine,
 assuming your setup is sane.  (i.e. make lightweight tests before the
 heavier ones.)

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/

