[OOTB-infra] Live showcase

Heiko Robert heiko.orderofthebee.info at ecm4u.de
Thu Oct 16 12:22:54 BST 2014


Martin,

please read inline:
> <M^tt> no reason not to go esxi really, for me i was trying to be 
> cheap and save public v4 ip's
> <M^tt> esxi doesnt give me the same virtual networking flexibility 
> that linux does
> <M^tt> that was my reason for linux/kvm
> <M^tt> also security
> <M^tt> esxi best practice is mgmt interface not publically available
> <M^tt> no way to do that with hetzner
> <M^tt> afaik
> <M^tt> no firewall infront
> <M^tt> unless you routed your mgmt access through a vm on the host
> <M^tt> risky if it goes down
> <M^tt> another reason i went linux, as i iptables everything but ssh 
> to the host
> <M^tt> then ssh tunnel to get vnc consoles to guest
> <M^tt> if needed
> <marsbard> right so you mean I would need to run a vm for the firewall?
> <marsbard> and also what do you mean about saving 4 ips? is that if 
> you run 4 vms without a firewall?
> <M^tt> if you wanted to firewall the mgmt interface, i think there is 
> some sort of internal firewall in esxi anyway
> <M^tt> i can should i wish forward ports destined for the hosts ip to 
> a guest on a private network
> <M^tt> couldnt do that on esxi
> <M^tt> effectively gives me use of an otherwise tied up address
>
ESXi has a built-in firewall. Best practice is to close _all_ ports 
except SSH and to secure SSH (we limit access to our fixed IPs, disable 
password authentication and authenticate with public keys).
To access the vSphere Client you can use SSH port forwards from the 
allowed IPs, or a VPN. We have simple SSH scripts for forwarding all 
management ports to internal/private IPs. Additionally we make the 
management ports available to the private network behind pfSense, so 
it's very convenient and secure to connect using VPN or IPsec to have 
full access to all VMs and to the ESXi management.

> <marsbard> ok. I guess though that the comment about being able to 
> share vms with others might trump these concerns...

Thanks to pfSense this would be easy. Besides VPN we could forward SSH 
ports on the public (second) IP, and we use Apache or nginx to route all 
applications from one IP using virtual hosts.

> <M^tt> so only saves one address, but for me thats important
> <M^tt> vendor tie in. yey
> <M^tt> install of esxi will require a bit more time, as you will have 
> to request a proper net based kvm console to do the install

That's not true. If you order ESXi you will get the server readily 
installed, but you have to mention that in the order (and you should ask 
for 5.1 instead of 5.5). They have an image for that. If you really want 
to install it yourself you get access to a KVM console to reach the 
physical console through VNC. Additional IPs cost 1€.

> <M^tt> and hardware support is a question, depending on what you get
> <M^tt> but if you dont mind spending the 15eur for the flexipack and 
> then what ever for a subnet
> <M^tt> then just go esxi
> <M^tt> for me i wanted to avoid paying effectively 30eur pcm extra for 
> a subnet and just use the 4 provided public addresses
>
Why do you need a public (paid) subnet? This should be installed in a 
private subnet behind pfSense. The subnet only makes sense if you run 
multiple boxes, to make management easier. All VMs are NATed and access 
is controlled by port forwards and/or Apache/nginx. If direct access is 
required, OpenVPN/IPsec is the choice.
The Flexipack is only required if you insist on ESX 5.5, since after 5.1 
VMware removed the drivers for the Realtek network cards which are 
built into the EX4 boxes. To run ESX 5.5 you need to install a supported 
Intel network card.
If you complain about VMware support/certification for the hardware: 
there is no hardware certification for KVM at all. It's running or not.

The main reason for us to decide against KVM was that you can't reuse 
generic images/distros and the runtime is not the same as on the 
customer side. You spend a lot of time solving just other problems.
KVM is nice for hosters because it's open source, but it requires some 
extra work and knowledge if you don't want to install everything from 
scratch.
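
The SSH-only management setup described in this reply (ESXi firewall 
restricted to fixed source IPs, key-only SSH, management ports reached 
through SSH port forwards), as an added example that is not part of the 
original message or of any ecm4u script. The hostname esxi.example.org, 
the management address 10.0.0.2 and the source addresses used in the 
comments are assumptions for illustration; the vSphere Client ports 
443 (vSphere API/HTTPS) and 902 (VM console) are the standard ones. The 
esxcli lines use the ESXi 5.x firewall syntax and are only printed, not 
executed.

```shell
#!/bin/sh
# Added example (not from the original post): forward the vSphere
# management ports of an ESXi host to localhost over a key-only SSH
# session from an allowed IP, and print the esxcli commands that pin
# the host's sshServer firewall ruleset to those source addresses.
# Assumed values (not in the original post): host esxi.example.org,
# private management address 10.0.0.2, ports 443 and 902.

ESXI_HOST="${ESXI_HOST:-esxi.example.org}"   # assumed public name of the host
ESXI_USER="${ESXI_USER:-root}"
MGMT_IP="${MGMT_IP:-10.0.0.2}"               # assumed private management address
MGMT_PORTS="${MGMT_PORTS:-443:443 902:902}"  # localport:remoteport pairs

# build_forward_args: turn "443:443 902:902" plus a target address into
# "-L 127.0.0.1:443:10.0.0.2:443 -L 127.0.0.1:902:10.0.0.2:902".
# Binding to 127.0.0.1 keeps the tunnel off the workstation's network.
build_forward_args() {
  pairs=$1; target=$2; out=""
  for p in $pairs; do
    lport=${p%%:*}
    rport=${p#*:}
    out="$out -L 127.0.0.1:$lport:$target:$rport"
  done
  printf '%s' "${out# }"
}

# lockdown_commands: print the esxcli lines (ESXi 5.x syntax) that allow
# SSH only from the given source addresses instead of from everywhere.
# Run them once on the host; this script only prints them.
lockdown_commands() {
  for ip in "$@"; do
    echo "esxcli network firewall ruleset allowedip add --ruleset-id=sshServer --ip-address=$ip"
  done
  echo "esxcli network firewall ruleset set --ruleset-id=sshServer --allowed-all=false"
}

# open_tunnel: no remote shell, public-key authentication only, and exit
# rather than run without the forwards if a local port is already taken.
open_tunnel() {
  fwd=$(build_forward_args "$MGMT_PORTS" "$MGMT_IP")
  # $fwd is intentionally word-split into separate -L arguments
  exec ssh -N \
    -o PreferredAuthentications=publickey \
    -o PasswordAuthentication=no \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    $fwd "$ESXI_USER@$ESXI_HOST"
}

case "${1:-}" in
  tunnel)   open_tunnel ;;
  lockdown) shift; lockdown_commands "$@" ;;
  *) ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Usage: "sh esxi-tunnel.sh lockdown 203.0.113.5 198.51.100.7" prints the 
esxcli lines to run on the host, "sh esxi-tunnel.sh tunnel" opens the 
forwards, after which the vSphere Client is pointed at 127.0.0.1. 
Disabling password authentication on the host side (PasswordAuthentication 
no in the ESXi sshd_config) is still required; the client-side options 
only refuse to fall back to a password.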
More information about the OOTB-infra mailing list