[OOTB-infra] Live showcase
Heiko Robert
heiko.orderofthebee.info at ecm4u.de
Thu Oct 16 12:22:54 BST 2014
Martin,
please read inline:
> <M^tt> no reason not to go esxi really, for me i was trying to be
> cheap and save public v4 ip's
> <M^tt> esxi doesn't give me the same virtual networking flexibility
> that linux does
> <M^tt> that was my reason for linux/kvm
> <M^tt> also security
> <M^tt> esxi best practice is mgmt interface not publicly available
> <M^tt> no way to do that with hetzner
> <M^tt> afaik
> <M^tt> no firewall in front
> <M^tt> unless you routed your mgmt access through a vm on the host
> <M^tt> risky if it goes down
> <M^tt> another reason i went linux, as i iptables everything but ssh
> to the host
> <M^tt> then ssh tunnel to get vnc consoles to guest
> <M^tt> if needed
> <marsbard> right so you mean I would need to run a vm for the firewall?
> <marsbard> and also what do you mean about saving 4 ips? is that if
> you run 4 vms without a firewall?
> <M^tt> if you wanted to firewall the mgmt interface, i think there is
> some sort of internal firewall in esxi anyway
> <M^tt> i can, should i wish, forward ports destined for the hosts ip to
> a guest on a private network
> <M^tt> couldn't do that on esxi
> <M^tt> effectively gives me use of an otherwise tied up address
>
ESXi has a built-in firewall. Best practice is to close _all_ ports
except ssh and to secure ssh (we limit access to our fixed IPs and disable
password authentication / authenticate over public key).
To access the vSphere Client you can use ssh port forwards from the
allowed IPs or VPN. We have simple ssh scripts for forwarding all
management ports to internal/private IPs. Additionally we make the
management ports available to the private network behind pfSense. So
it's very convenient and secure to connect using VPN or IPsec to have
full access to all VMs and to the ESXi management.
> <marsbard> ok. I guess though that the comment about being able to
> share vms with others might trump these concerns...
Thanks to pfSense this would be easy. Besides VPN we could forward ssh
ports on the public (second) IP, and we use Apache or nginx to route all
applications from one IP using virtual hosts.
> <M^tt> so only saves one address, but for me that's important
> <M^tt> vendor tie in. yey
> <M^tt> install of esxi will require a bit more time, as you will have
> to request a proper net based kvm console to do the install
That's not true. If you order ESXi you will get the server pre-installed,
but you have to mention that in the order (and you should ask for
5.1 instead of 5.5). They have an image for that. If you really want to
install it yourself you get access to a KVM console to reach the
physical console through VNC. Additional IPs cost 1€.
> <M^tt> and hardware support is a question, depending on what you get
> <M^tt> but if you don't mind spending the 15eur for the flexipack and
> then what ever for a subnet
> <M^tt> then just go esxi
> <M^tt> for me i wanted to avoid paying effectively 30eur pcm extra for
> a subnet and just use the 4 provided public addresses
>
Why do you need a public (paid) subnet? This should be installed in a
private subnet behind pfSense. The subnet only makes sense if you run
multiple boxes, to make management easier. All VMs are NATed and access is
controlled by port forwards and/or Apache/nginx. If direct access is
required, OpenVPN/IPsec is the choice.
The flexipack is only required if you insist on ESX 5.5, since after 5.1
VMware removed the drivers for the Realtek network cards which are
built into the EX4 boxes. To run ESX 5.5 you need to install a supported
Intel network card.
If you complain about VMware support/certification for the hardware:
there is no hardware certification for KVM at all. It's running or not.
The main reason for us to decide against KVM was that you can't reuse
generic images/distros and the runtime is not the same as on the customer
side. You spend a lot of time solving just other problems.
KVM is nice for hosters because it's open source, but it requires some
extra work and knowledge if you don't want to install everything from
scratch.
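A minimal version of the ssh forwarding script mentioned above, added here as an example and not a script from the list or from ecm4u: it binds the ESXi management ports to the workstation's loopback only and refuses to fall back to password authentication. The host names, IPs and the port list (443 and 902, the vSphere Client and remote console ports on ESXi 5.x) are assumed values, not from the thread.

```shell
# Added example: build (and optionally run) the ssh local-forward command
# that tunnels the ESXi management ports through the one allowed ssh port.
# Hosts, IPs and ports below are assumed placeholders, not thread values.

# vSphere Client ports on ESXi 5.x (assumed): 443 HTTPS API/UI, 902 remote console.
MGMT_PORTS="443 902"

# Print the ssh command forwarding each management port from 127.0.0.1
# on the workstation to the ESXi host's private management address.
#   $1 = ssh-reachable jump address (the ESXi host itself or a pfSense/bastion box)
#   $2 = private management IP the forwards should target
vsphere_forward_cmd() {
    jump="$1"
    mgmt_ip="$2"
    fwd=""
    for p in $MGMT_PORTS; do
        # Bind to loopback only, so nothing else on the LAN can reuse the tunnel.
        fwd="$fwd -L 127.0.0.1:$p:$mgmt_ip:$p"
    done
    # -N: no remote shell; public key only, never fall back to a password prompt.
    printf 'ssh -N -o PreferredAuthentications=publickey -o PasswordAuthentication=no%s %s\n' \
        "$fwd" "$jump"
}

# Only start the tunnel when explicitly asked; otherwise just define the function.
#   usage: sh vsphere-tunnel.sh connect root@esxi.example.net 10.0.0.2
if [ "${1:-}" = "connect" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    cmd=$(vsphere_forward_cmd "$2" "$3")
    # Intentional word splitting: the built command is a plain argument list.
    exec $cmd
fi
```

After the tunnel is up, point the vSphere Client at https://127.0.0.1 instead of the public IP; nothing on the ESXi firewall beyond the restricted ssh ruleset needs to be opened.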