Hi,
I would like a bit of advice please on the best way of setting up my virtual machines/containers for my work's development machine (software engineering development team).
Some of the machines (say 10) will be publicly accessible (bug tracker, continuous integration (CI) server, git source repository, file server, blog etc.) and some of them will be private (LDAP, CI slaves, backup server). All of these are Linux based. At the moment they are all KVM virtual machines with at least one network card connected to the internal network. All of the publicly accessible machines have another network card with their external IP address on.
I also have a group of (say 6) machines running Windows which are demonstrators for our (web based) applications. Again, these are KVM machines with two NICs, one internal, one public.
All of these (KVM) machines (both Linux and Windows) run on a single Dell PE2950 (16RAM, 8 core), but I am considering moving to another provider and choosing a less powerful machine(s).
I was thinking of having all the Linux machines as OpenVZ containers as they are lighter than fully virtualised KVM machines, but I have no experience with containers. I understand the Windows machines need to remain KVM machines.
So, a few questions:
[Isolation]
How isolated are these containers? Is there anything you *can't* do in them that I (average Joe Blogg) might want to do? I understand they have their own resources, their own application space, can even be different kernels but as I say I only know what I have read in "marketing".
[Network]
Do I need to assign two NICs to each container in order for them to be able to communicate with each other without going out into the real world? So ldap might be 192.168... but files might be 79.31... and files needs to authenticate against the ldap machine. Does the ldap machine need two NICs, one for 192.168.. and one for 79.31...?
[Firewall]
Alternatively, should I assign all the containers/KVM machines internal (192.168..) IP addresses and use port forwarding on the host to manage the external IP addresses (i.e. port forward anything from this external IP to 192.168..1, but that external IP to 192.168..2)? If so, any recommendations for a good firewall? In fact, what is the recommended firewall for Proxmox?
For the Linux machines I am considering a single Xeon (4 cores @ 2.8GHz) with 8G RAM. If this is too little then I might choose a dual Xeon (8 cores @ 2.0GHz, 16 RAM). Same again for the Windows machines (either single Xeon or dual Xeon).
Thoughts and comments are graciously welcome. (And pretty soon I might actually be in a position to contribute to this forum instead of just leeching.)
Thanks,
Col