rock solid

typical debian server--

i logged in, connected to an old, neglected SCREEN session, and this
was still on the screen:

# uptime
20:30:17 up 15 days, 6:11, 2 users, load average: 0.76, 0.24, 0.08
will@tp2fi:/etc
Fri Jan 05 20:30:17

and then just for symmetry i added:

# uptime
15:42:12 up 190 days, 23:42, 2 users, load average: 1.05, 1.05, 1.00
will@tp2fi:/etc
Sat Jun 30 15:42:12
#

ho hum, serves files, backs up, yada yada, all in a year's work.

--
will trillich
"Gratitude is riches. Complaint is poverty." -- Doris Von Kappelhoff

--


rock solid

On Sat, Jun 30, 2007 at 02:17:55PM -0500, will trillich wrote:
> typical debian server--
>
> i logged in, connected to an old, neglected SCREEN session, and this
> was still on the screen:
>
> # uptime
> 20:30:17 up 15 days, 6:11, 2 users, load average: 0.76, 0.24, 0.08
> will@tp2fi:/etc
> Fri Jan 05 20:30:17
>
> and then just for symmetry i added:
>
> # uptime
> 15:42:12 up 190 days, 23:42, 2 users, load average: 1.05, 1.05, 1.00
> will@tp2fi:/etc
> Sat Jun 30 15:42:12
> #
>
> ho hum, serves files, backs up, yada yada, all in a year's work.

it's almost boring...

A

rock solid

Andrew Sackville-West wrote:

>
> it's almost boring...
>
May be true for stable; nevertheless Sid makes it all interesting!

raju

--

rock solid

On Mon, Jul 02, 2007 at 02:11:18PM -0400, Kamaraju S Kusumanchi wrote:
> Andrew Sackville-West wrote:
>
> >
> > it's almost boring...
> >
> May be true for stable; nevertheless Sid makes it all interesting!

my home server here runs etch with xen and 3 vm's (at the moment). I
find myself looking for reasons to work on the darn thing because if
can't make up reasons, then there's nothing to do...

right now, the single most exciting thing that happens (other than the
very rare package updates) is a nightly problem with my mail
server. It's memory-bound and I don't any spare sticks lying around at
the moment. So when it's running cron-jobs late at night, it will
sometimes time-out while trying to swap in either clamd or spamd and
throw an error into /var/log/exim4/paniclog. I diligently check every
day to see that it's the same thing... yawn.

A

rock solid

> right now, the single most exciting thing that happens (other than the
> very rare package updates) is a nightly problem with my mail
> server. Its memory-bound and I don't any spare sticks lying around at

Is that why there is a missing word? After all it's only 4 bytes and you
might need it for stack or something :).

Seriously, I believe there's a setting you can tweak to reduce / minimize
the number of simultaneous spamd's you have spawned at any one time.


rock solid

On Mon, Jul 02, 2007 at 07:06:48PM -0700, David Fox wrote:
> >right now, the single most exciting thing that happens (other than the
> >very rare package updates) is a nightly problem with my mail
> >server. Its memory-bound and I don't any spare sticks lying around at
>
>
> Is that why there is a missing word? After all it's only 4 bytes and you
> might need it for stack or something :).

? I'm looking and looking but see no missing word. I'm assuming it's a
case of

joke
-----whoosh
me

>
> Seriously, I believe there's a setting you can tweak to reduce / minimize
> the number of simultaneous spamd's you have spawned at any one time.

yes. I think I'm pre-forking
... yup 5 children. I could surely pare that down. Don't know why I
haven't thought of that.

A

rock solid

Andrew Sackville-West said:
> Its memory-bound and I don't any spare...
^
have

Cybe R. Wizard
--
When Windows are opened the bugs come in.
Winduhs

--

rock solid

On Tue, Jul 03, 2007 at 01:25:07PM -0500, Cybe R. Wizard wrote:
> Andrew Sackville-West said:
> > Its memory-bound and I don't any spare...
> ^
> have

gah. how many times did I read that! I am a victim of my own brain.

A

Purpose of a hypervisor (was rock solid)

On 07/02/07 15:06, Andrew Sackville-West wrote:
> On Mon, Jul 02, 2007 at 02:11:18PM -0400, Kamaraju S Kusumanchi wrote:
>> Andrew Sackville-West wrote:
>>
>>> it's almost boring...
>>>
>> May be true for stable; nevertheless Sid makes it all interesting!
>
> my home server here runs etch with xen and 3 vm's (at the moment). I

Why? Can't Linux's scheduler handle the load?

> find myself looking for reasons to work on the darn thing because if
> can't make up reasons, then there's nothing to do...

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

--

Purpose of a hypervisor (was rock solid)

On Mon, Jul 02, 2007 at 09:46:06PM -0500, Ron Johnson wrote:
> On 07/02/07 15:06, Andrew Sackville-West wrote:
> >On Mon, Jul 02, 2007 at 02:11:18PM -0400, Kamaraju S Kusumanchi wrote:
> >>Andrew Sackville-West wrote:
> >>
> >>>it's almost boring...
> >>>
> >>May be true for stable; nevertheless Sid makes it all interesting!
> >
> >my home server here runs etch with xen and 3 vm's (at the moment). I
>
> Why? Can't Linux's scheduler handle the load?

'cuz I can ;)

seriously though, here's what I've got:

Dom0: local file server (video, music, local backups)

DomU1: firewall
DomU2: dmz mail/imaps server
DomU3: dmz apache server

the primary reason is as a testbed for me to learn stuff. It has the
nice feature of segmenting functionality without more machines
running.

And the chicks dig it!

I'm happy to learn the pros and cons of such a setup, but it's hard to
beat the last one...

A

Purpose of a hypervisor (was rock solid)

On 07/03/07 13:25, Andrew Sackville-West wrote:
> On Mon, Jul 02, 2007 at 09:46:06PM -0500, Ron Johnson wrote:
>> On 07/02/07 15:06, Andrew Sackville-West wrote:
>>> On Mon, Jul 02, 2007 at 02:11:18PM -0400, Kamaraju S Kusumanchi wrote:
>>>> Andrew Sackville-West wrote:
>>>>
>>>>> it's almost boring...
>>>>>
>>>> May be true for stable; nevertheless Sid makes it all interesting!
>>> my home server here runs etch with xen and 3 vm's (at the moment). I
>> Why? Can't Linux's scheduler handle the load?
>
> 'cuz I can ;)
>
> seriously though, here's what I've got:
>
> Dom0: local file server (video, music, local backups)
>
> DomU1: firewall

I understand the need for a small, "separate" firewall.

> DomU2: dmz mail/imaps server
> DomU3: dmz apache server
>
> the primary reason is as a testbed for me to learn stuff. It has the
> nice feature of segmenting functionality without more machines
> running.

But then you are trying to statically do (allocate CPU and RAM) what
the kernel can do so much better.

> And the chicks dig it!
>
> I'm happy to learn the pros and cons of such a setup, but it's hard to
> beat the last one...

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

--

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> On 07/03/07 13:25, Andrew Sackville-West wrote:
> >On Mon, Jul 02, 2007 at 09:46:06PM -0500, Ron Johnson wrote:
> >>On 07/02/07 15:06, Andrew Sackville-West wrote:

> >>>my home server here runs etch with xen and 3 vm's (at the moment). I

> >>Why? Can't Linux's scheduler handle the load?
> >
> >'cuz I can ;)
> >
> >seriously though, here's what I've got:
> >
> >Dom0: local file server (video, music, local backups)
> >
> > DomU1: firewall
>
> I understand the need for a small, "separate" firewall.
>
> > DomU2: dmz mail/imaps server
> > DomU3: dmz apache server
> >
> >the primary reason is as a testbed for me to learn stuff. It has the
> >nice feature of segmenting functionality without more machines
> >running.
>
> But then you are trying to statically do (allocate CPU and RAM) what
> the kernel can do so much better.

true and I'm sure it could be done better without my help. It did sort
of organically grow that way (never a good justification for
anything).

So I maintain that it's good to keep our local file server isolated by
operating the DMZ in a xen vm. But I will agree that it's not necessary
to run separate DomU's for mail and apache. And with multiple vm's
running their cron jobs over night at roughly the same time, dropping
one vm would lessen the load significantly (in this case, 25%).

A

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 05:35:14PM -0700, Andrew Sackville-West wrote:

> So I maintain that it's good to keep our local file server isolated by
> operating the DMZ in a xen vm. But I will agree that it's not necessary
> to run separate DomU's for mail and apache. And with multiple vm's
> running their cron jobs over night at roughly the same time, dropping
> one vm would lessen the load significantly (in this case, 25%).

Why not change the crontab on each so that they run at different times?

Doug.

--

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 10:01:40PM -0400, Douglas Allan Tutty wrote:
> On Tue, Jul 03, 2007 at 05:35:14PM -0700, Andrew Sackville-West wrote:
>
> > So I maintain that it's good to keep our local file server isolated by
> > operating the DMZ in a xen vm. But I will agree that it's not necessary
> > to run separate DomU's for mail and apache. And with multiple vm's
> > running their cron jobs over night at roughly the same time, dropping
> > one vm would lessen the load significantly (in this case, 25%).
>
> Why not change the crontab on each so that they run at different times?

Because I'm inherently lazy? ;)

I did look into this and got distracted. I'll take it up again.

A

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> On 07/03/07 13:25, Andrew Sackville-West wrote:
> >
> >Dom0: local file server (video, music, local backups)
> >
> > DomU1: firewall
>
> I understand the need for a small, "separate" firewall.
>
> > DomU2: dmz mail/imaps server
> > DomU3: dmz apache server
> >
> >the primary reason is as a testbed for me to learn stuff. It has the
> >nice feature of segmenting functionality without more machines
> >running.
>
> But then you are trying to statically do (allocate CPU and RAM) what
> the kernel can do so much better.
>
What about that if his webserver gets hacked, then his mail server is
safe and vice versa?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Purpose of a hypervisor (was rock solid)

On 07/03/07 20:53, Roberto C. Sánchez wrote:
> On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
>> On 07/03/07 13:25, Andrew Sackville-West wrote:
>>> Dom0: local file server (video, music, local backups)
>>>
>>> DomU1: firewall
>> I understand the need for a small, "separate" firewall.
>>
>>> DomU2: dmz mail/imaps server
>>> DomU3: dmz apache server
>>>
>>> the primary reason is as a testbed for me to learn stuff. It has the
>>> nice feature of segmenting functionality without more machines
>>> running.
>> But then you are trying to statically do (allocate CPU and RAM) what
>> the kernel can do so much better.
>>
> What about that if his webserver gets hacked, then his mail server is
> safe and vice versa?

If you own the web server, it's likely to be "easy" to crack other
machines on the network.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

--

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 09:09:02PM -0500, Ron Johnson wrote:
> On 07/03/07 20:53, Roberto C. Sánchez wrote:
> >On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> >>On 07/03/07 13:25, Andrew Sackville-West wrote:
> >>>Dom0: local file server (video, music, local backups)
> >>>
> >>> DomU1: firewall
> >>I understand the need for a small, "separate" firewall.
> >>
> >>> DomU2: dmz mail/imaps server
> >>> DomU3: dmz apache server
> >>>
> >>>the primary reason is as a testbed for me to learn stuff. It has the
> >>>nice feature of segmenting functionality without more machines
> >>>running.
> >>But then you are trying to statically do (allocate CPU and RAM) what
> >>the kernel can do so much better.
> >>
> >What about that if his webserver gets hacked, then his mail server is
> >safe and vice versa?
>
> If you own the web server, it's likely to be "easy" to crack other
> machines on the network.
>

except to get to the other machines, there are only certain allowed
ways. For example, assume, from Roberto's comment, that my webserver
gets hacked. Which machines are now easier to hack?

Certainly nothing on my local (non-DMZ) LAN as those machines are
subject to the same firewall rules as they were before. The rules from
the net to local are the same as the rules from the DMZ to local.

Maybe the mail server is easier (how?) because you are into the DMZ,
but the mail server has the same ports open as it always did: 25 and
993. So what's different.

I'm not asking to refute your claims, but to learn.

A
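Andrew's question above ("which machines are now easier to hack?"), worked as an added example that is not part of the thread: a small Python model of the net/DMZ/local layout he describes, which diffs what a compromised DMZ web server can reach against what the internet could already reach, so a compromise that adds nothing shows up as an empty set, and a stray DMZ-to-LAN rule shows up as the pivot it creates. Host names, the web port (80) and the file-server port (2049) are constructed assumptions.

```python
# Added example, not code from the thread. Models the three-zone layout
# discussed (net / dmz / local, firewall in its own DomU) and asks what
# exposure a DMZ web-server compromise adds over plain internet access.
# Hosts, ports and rules are constructed; port 80 and 2049 are assumptions.

def _match(policy, src_zone, dst_zone, port):
    """First-match firewall lookup; no matching rule means drop."""
    for s, d, p, action in policy:
        if s == src_zone and d == dst_zone and p in (None, port):
            return action == "accept"
    return False

def allowed(src, dst, port, hosts, listens, policy):
    """Can src open a TCP connection to dst:port?  Cross-zone traffic
    crosses the firewall DomU; traffic inside one zone does not, so there
    only the listening socket matters (Andrew's "same ports as always")."""
    if src == dst or port not in listens.get(dst, ()):
        return False
    sz, dz = hosts[src], hosts[dst]
    return True if sz == dz else _match(policy, sz, dz, port)

def reachable(src, hosts, listens, policy):
    """All (host, port) pairs src can connect to."""
    return {(h, p) for h, ports in listens.items() for p in ports
            if allowed(src, h, p, hosts, listens, policy)}

def newly_reachable(compromised, hosts, listens, policy, attacker="internet"):
    """Exposure added by a compromise: what the attacker gains over what
    they could already reach from the net."""
    return (reachable(compromised, hosts, listens, policy)
            - reachable(attacker, hosts, listens, policy))

# Constructed topology: host -> zone, and host -> listening ports.
HOSTS = {"internet": "net", "web": "dmz", "mail": "dmz",
         "fileserver": "local", "desktop": "local"}
LISTENS = {"web": {80}, "mail": {25, 993}, "fileserver": {2049}, "desktop": set()}

# (src_zone, dst_zone, port or None=any, action). There is no dmz->local
# rule, so the DMZ has exactly the access to "local" that the net has: none.
POLICY = [("net", "dmz", 25, "accept"), ("net", "dmz", 993, "accept"),
          ("net", "dmz", 80, "accept"),
          ("local", "dmz", None, "accept"), ("local", "net", None, "accept"),
          ("dmz", "net", 25, "accept")]

# The caveat: one convenience rule (DMZ hosts backing up to the file server)
# is what turns a web-server compromise into a path onto the LAN.
LEAKY_POLICY = POLICY + [("dmz", "local", 2049, "accept")]

if __name__ == "__main__":
    print(newly_reachable("web", HOSTS, LISTENS, POLICY))        # set()
    print(newly_reachable("web", HOSTS, LISTENS, LEAKY_POLICY))  # {('fileserver', 2049)}
```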

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> On 07/03/07 13:25, Andrew Sackville-West wrote:
>
> >Dom0: local file server (video, music, local backups)
> >
> > DomU1: firewall
>
> I understand the need for a small, "separate" firewall.
>

Does this really give any more security than running the firewall as a
regular part of the main box? Is it as secure as a separate old
computer? These three (plus I suppose a commercial hardware firewall)
seem to be the choices. How do they compare for security?

Doug.

--

Purpose of a hypervisor (was rock solid)

On Tue, Jul 03, 2007 at 10:00:35PM -0400, Douglas Allan Tutty wrote:
> On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> > On 07/03/07 13:25, Andrew Sackville-West wrote:
> >
> > >Dom0: local file server (video, music, local backups)
> > >
> > > DomU1: firewall
> >
> > I understand the need for a small, "separate" firewall.
> >
>
> Does this really give any more security than running the firewall as a
> regular part of the main box? Is it as secure as a separate old
> computer? These three (plus I suppose a commercial hardware firewall)
> seem to be the choices. How do they compare for security?

I don't really know, but the following things occur to me:

1. it's separate and distinct, serves only one purpose, and thus is
less likely to have vulnerabilities. A separate firewall machine has
so few packages installed, that it is more secure just because it has
fewer possible vulnerabilities.

2. the separate machine, if it falls to some attack, is a separate
machine. That means there is one more step to be taken to get to some
damaging location. Granted, once you're past the firewall, it's a
pretty simple step. This assumes that it's the firewall that gets
cracked and not some other machine behind the firewall that gets
cracked.

I don't think there is anything wrong with a debian machine on the net
with its local firewall as the only thing protecting it. But I think
if you want anything more sophisticated, some sort of separate device
is the way to go.

A

Purpose of a hypervisor (was rock solid)

On Thu, Jul 05, 2007 at 08:43:34AM -0700, Andrew Sackville-West wrote:
> On Tue, Jul 03, 2007 at 10:00:35PM -0400, Douglas Allan Tutty wrote:
> > On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> > > On 07/03/07 13:25, Andrew Sackville-West wrote:
> > >
> > > >Dom0: local file server (video, music, local backups)
> > > > DomU1: firewall
> > > I understand the need for a small, "separate" firewall.
> >
> > Does this really give any more security than running the firewall as a
> > regular part of the main box? Is it as secure as a separate old
> > computer? These three (plus I suppose a commercial hardware firewall)
> > seem to be the choices. How do they compare for security?
>

> I don't think there is anything wrong with a debian machine on the net
> with its local firewall as the only thing protecting it. But I think
> if you want anything more sophisticated, some sort of separate device
> is the way to go.
>

So what about a virtual box as a firewall? That virtual box may have
less on it but it exists in the same physical box as everything else.
Doesn't the virtualization mean that there is one more thing that could
have a vulnerability?

In general, I agree with you and with old boxes being free it makes
sense that once one has more than a couple of boxes to have a spare box
as a firewall.

Doug.

--

Purpose of a hypervisor (was rock solid)

On Thu, Jul 05, 2007 at 07:25:15PM -0400, Douglas Allan Tutty wrote:
> On Thu, Jul 05, 2007 at 08:43:34AM -0700, Andrew Sackville-West wrote:
> > On Tue, Jul 03, 2007 at 10:00:35PM -0400, Douglas Allan Tutty wrote:
> > > On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> > > > On 07/03/07 13:25, Andrew Sackville-West wrote:
> > > >
> > > > >Dom0: local file server (video, music, local backups)
> > > > > DomU1: firewall
> > > > I understand the need for a small, "separate" firewall.
> > >
> > > Does this really give any more security than running the firewall as a
> > > regular part of the main box? Is it as secure as a separate old
> > > computer? These three (plus I suppose a commercial hardware firewall)
> > > seem to be the choices. How do they compare for security?
> >
>
> > I don't think there is anything wrong with a debian machine on the net
> > with its local firewall as the only thing protecting it. But I think
> > if you want anything more sophisticated, some sort of separate device
> > is the way to go.
> >
>
> So what about a virtual box as a firewall? That virtual box may have
> less on it but it exists in the same physical box as everything else.
> Doesn't the virtualization mean that there is one more thing that could
> have a vulnerability?

sure. I view it as one additional vulnerability versus the many
potential vulnerabilities of a full system. But I am no security
expert by any stretch of the imagination.

>
> In general, I agree with you and with old boxes being free it makes
> sense that once one has more than a couple of boxes to have a spare box
> as a firewall.

I'm all for the old boxes, but at some point the power becomes an
issue... much better to have one box running at high capacity than
lots of boxes sitting around spinning fans...

.02

A
