General question : how to organize your VMs

microlinux

New Member
Mar 30, 2021
Hi,

Up until now my main production server is a "bare metal" installation of Oracle Linux 7.9 (a RHEL clone like CentOS) hosting a variety of stuff.
  • DNS server with BIND for eight domains
  • IMAP mail server with Postfix and Dovecot for these domains, with about two dozen mail accounts
  • Webmail with Roundcube for all the mail accounts
  • Various WordPress-based websites and blogs
  • Several instances of the management software Dolibarr
  • The learning platform GEPI for our local school
  • One instance of OwnCloud for half a dozen users
The hardware has no problem dealing with all that performance-wise. But managing all this in one big bulk has become a bit of a problem, since the LAMP-based PHP applications (WordPress, Dolibarr, GEPI, OwnCloud) increasingly cultivate their idiosyncrasies, so this feels more and more like herding cats.

So my main goal in migrating all this stuff to a series of neat Oracle Linux VMs hosted on Proxmox VE (and backed up by PBS) is clarity and ease of maintenance.

Now I wonder what could be a smart subdivision of all these VMs. After a bit of brainstorming, here's what I can come up with.

1. It would make sense to regroup all the applications, e.g. one VM for all the Dolibarr hostings, and then a different VM for WordPress, and a third VM for OwnCloud.

2. It's tempting to have a lot of small VMs for clarity's sake. On the other hand, it's maybe better to have one single VM for all the mail stuff.

3. Should I put all the Roundcube instances in a separate VM? Or does that go with the Postfix/Dovecot mail VM?

4. DNS is a bit of a special case, a bit of a catch-22. I would be tempted to set up an extra (bare-metal) machine for just handling this. Since BIND provides the DNS information about the hypervisor and the backup server themselves, this becomes a bit of a chicken-and-egg situation.

5. Even if it's tempting to multiply VMs, let's not forget that I have to keep an eye on hardware resources, not to mention that I have to pay for every extra IPv4 address.

I'd be curious to have your input on this.

Cheers,

Niki
 
I suppose people suggest solutions they are familiar with. You may get better answers from more experienced admins, but here is my solution:

Get a server-grade host, install Proxmox 6. If you can afford it, get two machines so you can cluster two Proxmox hosts and gain some redundancy. If your current host can handle the load, something in the same class performance-wise should suffice. Now you can create virtual machines and install your preferred OS.
If you can use Debian GNU/Linux or Ubuntu, ISPConfig (https://www.ispconfig.org/) would help to manage the several servers you run. I believe ISPConfig does not support Oracle Linux. It does support CentOS, though.
If the services are provided to the public Internet, an IP address is needed for each virtual machine.
 
In many cases you don't need your own public IPv4 for every VM. For all web/FTP/mail stuff you can use reverse proxies so one public IP can point to different VMs based on the domain used to access it.
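The reverse-proxy layout the reply above describes, as an added example that is not part of the original post or of Proxmox: one nginx "edge" (on the host or a small VM) owns the single public IPv4 and hands HTTP(S) to a per-application VM by hostname. Everything concrete here is assumed for illustration: the names under example.org, the 10.10.0.0/24 addresses on an internal bridge such as vmbr1, the Let's Encrypt certificate paths, and the choice to give Roundcube its own VM. The file is meant to be dropped into /etc/nginx/conf.d/, which nginx includes from its http {} block.

```nginx
# Added example (not from the thread): nginx edge proxy routing by name.
# Hostnames, addresses and certificate paths are constructed placeholders.

# One backend per VM. Adding a VM means one upstream plus one server block.
upstream wordpress_vm { server 10.10.0.11:80; }
upstream dolibarr_vm  { server 10.10.0.12:80; }
upstream owncloud_vm  { server 10.10.0.13:80; }
upstream roundcube_vm { server 10.10.0.14:80; }

# Headers every backend needs; set once here (http context) rather than in
# each server block. X-Forwarded-Proto keeps WordPress/ownCloud from
# redirect-looping when they see a plain-HTTP connection from the proxy.
proxy_http_version 1.1;
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Catch-all: requests for an unknown name (bare-IP scans, stale DNS records)
# are closed without a response instead of landing on whichever vhost comes
# first in the file. ssl_reject_handshake (nginx >= 1.19.4) refuses TLS for
# unknown SNI without needing a certificate on this block.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    ssl_reject_handshake on;
    return 444;
}

# Plain HTTP exists only to redirect to HTTPS.
server {
    listen 80;
    server_name blog.example.org erp.example.org cloud.example.org webmail.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.example.org;
    ssl_certificate     /etc/letsencrypt/live/blog.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.example.org/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / { proxy_pass http://wordpress_vm; }
}

server {
    listen 443 ssl;
    server_name erp.example.org;
    ssl_certificate     /etc/letsencrypt/live/erp.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/erp.example.org/privkey.pem;
    location / { proxy_pass http://dolibarr_vm; }
}

server {
    listen 443 ssl;
    server_name cloud.example.org;
    ssl_certificate     /etc/letsencrypt/live/cloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;
    client_max_body_size 0;   # ownCloud uploads; nginx's default 1m limit would break them
    location / { proxy_pass http://owncloud_vm; }
}

server {
    listen 443 ssl;
    server_name webmail.example.org;
    ssl_certificate     /etc/letsencrypt/live/webmail.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webmail.example.org/privkey.pem;
    location / { proxy_pass http://roundcube_vm; }
}
```

Two checks go with this. First, the VMs now see the proxy's address as the client unless Apache on each VM is told to trust it (mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy set to the proxy's internal address); without that, logs, fail2ban and WordPress login throttling all see 10.10.0.1 for everyone. Second, use the Proxmox firewall to allow port 80 on each VM only from the proxy, so the web stacks are not reachable on the bridge from a compromised neighbour. The scheme covers HTTP(S) only: SMTP on port 25 offers nothing to route on before the TLS handshake, so the Postfix/Dovecot VM either keeps its own address or gets ports 25/465/587/993 forwarded to it from the host.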
 
1. It would make sense to regroup all the applications, e.g. one VM for all the Dolibarr hostings, and then a different VM for WordPress, and a third VM for OwnCloud.

2. It's tempting to have a lot of small VMs for clarity's sake. On the other hand, it's maybe better to have one single VM for all the mail stuff.
I like to separate stuff using VMs. If a service is reachable/attackable from the internet I want that service in its own VM. For example, if there is a WordPress security vulnerability and a WordPress site gets hacked, I want that WordPress blog to be isolated so the attacker can't get access to other services running in other VMs.
And there is another benefit.
If there is a WordPress bug that crashes the LAMP stack, I can simply take that WordPress VM offline and fix the bugs while other services with their own LAMP stack can continue running without downtime.
4. DNS is a bit of a special case, a bit of a catch-22. I would be tempted to set up an extra (bare-metal) machine for just handling this. Since BIND provides the DNS information about the hypervisor and the backup server themselves, this becomes a bit of a chicken-and-egg situation.
For that case my homelab uses OPNsense in a high availability configuration on 2 different servers. If one router (including DNS/NTP/DHCP/VPN/firewall/proxy services) goes down, the second virtual router will take its place within seconds. So the critical services are always running as long as one of the two servers is online.
5. Even if it's tempting to multiply VMs, let's not forget that I have to keep an eye on hardware resources, not to mention that I have to pay for every extra IPv4 address.
I totally get your point. But as long as you are using Linux/Unix that isn't that much overhead. Let's say 200-300 MB RAM more for each Linux VM. I think the increased security and fewer dependencies are worth that. Only Windows VMs really waste RAM, where I would think twice about running each service in its own VM. Or if your service needs stuff like GPU hardware acceleration and you can't use SR-IOV to pass the same physical device through to different VMs in parallel.
 
