Proxmox

nobizzle Member

Hi,

I've been running quite a few servers now for personal use. As a matter of fact I actually always did everything manually. Installing VMs via console and managing everything via VM consoles and stuff.

I just ordered a new dedi and I'm curious to know what your suggestions would be. Keep doing everything manually or just install Proxmox? What are the main advantages, disadvantages? Recommended to get a different VPS to run Proxmox? I'm not quite into that by now..

Thanks!

Comments

  • Proxmox has, as far as I know, no bad sides.
    You need to learn how it works.

    But Proxmox is a good panel.

  • agoldenberg Member, Host Rep

    The latest version of Proxmox swaps out OpenVZ for LXC, something to keep in mind if you want OVZ.

  • akhfa Member

    Go with Proxmox. Use LXC for all non-kernel-related tasks for quick installation and easy management from the panel.

  • Thanks for your answers. One more question.. I'm always encrypting my HDDs on dedicated servers. Is it better to encrypt the server itself or the running VMs during installation? Any difference in performance?

  • @nobizzle said:
    Thanks for your answers. One more question.. I'm always encrypting my HDDs on dedicated servers. Is it better to encrypt the server itself or the running VMs during installation? Any difference in performance?

    If you don't have anything important on the host node, then I think it would be good to encrypt each virtual machine disk only.

  • hostfav Member, Host Rep

    Encryption is another layer of software and it will slow things down as expected. It depends on your CPU power.

  • @nobizzle said:
    Thanks for your answers. One more question.. I'm always encrypting my HDDs on dedicated servers. Is it better to encrypt the server itself or the running VMs during installation? Any difference in performance?

    IMHO, if you have the skill, it is ultimately better to encrypt the host node; it makes it simple to just install "regular" (unencrypted) VM's.

    Also, the passphrase for encrypted VM's could be found by going after the host node anyway; it would be a bit harder to do the same against the host node itself (assuming you set up busybox/dropbear on the host node to provide the passphrase securely via SSH at boot time).

    From a performance perspective it is "6 of one, and half a dozen of the other" -- i.e., hard to differentiate "encrypted host node + unencrypted VM" vs "unencrypted host node + encrypted VM"

    I have done it both ways and now I exclusively do encrypted Proxmox (RAID1 or RAID10) with unencrypted VM's and the performance is satisfactory for my purposes.

    Hope that helps. Good luck.

    Thanked by 3: nobizzle, Yura, hanoi
  • Thanks.. my machine is an Intel Xeon E3 1220 which should be powerful enough for my machine going to idle most of the time :D I'll go the same way as always and encrypt the host as mentioned by @geekalot.

    thank you!

  • Yura Member

    +1 geekalot

  • geekalot Member
    edited June 2017

    @nobizzle said:
    Thanks.. my machine is an Intel Xeon E3 1220 which should be powerful enough for my machine going to idle most of the time :D I'll go the same way as always and encrypt the host as mentioned by @geekalot.

    thank you!

    That hardware should be just fine; I have literally done this with all types of hardware without any major issues (even the kidéchire from Online.net -- though that was not running Proxmox) with uptime of 900+ days and more.

    I have had production VM's running on encrypted host nodes using Atom C2750, E3-1220, E3-1231v3, E3-1240, E3-1245v2, L3426, X3450, L5640, 2xL5520, etc etc etc and no issues.

    Even a G530 with only 4GB RAM is running 2 production VM's like a champ.

    BTW, one last thing I suggest you do: please do yourself a favor and run a firewall on the host node .... it will make your life that much easier as well.

    Cheers

  • @geekalot said:
    BTW, one last thing I suggest you do: please do yourself a favor and run a firewall on the host node .... it will make your life that much easier as well.

    Cheers

    Thank you, can you get into more detail on that one? Why? Which firewall?

  • @nobizzle said:

    @geekalot said:
    BTW, one last thing I suggest you do: please do yourself a favor and run a firewall on the host node .... it will make your life that much easier as well.

    Cheers

    Thank you, can you get into more detail on that one? Why? Which firewall?

    If you are using Proxmox, then the Proxmox one.

    Just remember to put an allow in for your own IP before turning it on...

    It's quite nice as it passes the VM network traffic through the firewall on the host node, allowing you to firewall the VM on the hypervisor itself; also, the interface isn't bad either.
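
The "put an allow in for your own IP before turning it on" advice above, as an added example that is not part of the thread: a Python pre-flight check over text in the Proxmox `cluster.fw` rule syntax. The sample rules and function names are constructed for illustration; the check reads only explicit `[RULES]` lines and does not resolve aliases/ipsets or model rule order.

```python
import ipaddress
# Constructed sample in the /etc/pve/firewall/cluster.fw rule syntax (not from the thread).
SAMPLE_CLUSTER_FW = """\
[OPTIONS]
enable: 0
[RULES]
IN ACCEPT -source 203.0.113.0/28 -p tcp -dport 8006 # web GUI from office range
|IN SSH(ACCEPT) -source 203.0.113.5 # leading '|' marks a disabled rule
IN SSH(ACCEPT) -source 198.51.100.20-198.51.100.30
"""

def source_covers(spec, ip):
    """True if a -source value (IP, CIDR, a-b range, comma list) contains ip."""
    addr = ipaddress.ip_address(ip)
    for part in spec.split(","):
        try:
            if "-" in part:
                lo, hi = (ipaddress.ip_address(p) for p in part.split("-", 1))
                if lo <= addr <= hi:
                    return True
            elif addr in ipaddress.ip_network(part, strict=False):
                return True
        except (ValueError, TypeError):
            continue  # alias or +ipset name: not resolvable here, treated as no match
    return False

def allowed_ports(fw_text, admin_ip):
    """Management ports (22, 8006) that enabled IN ACCEPT rules open for admin_ip."""
    ports, in_rules = set(), False
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_rules = line.upper() == "[RULES]"
            continue
        tok = line.split()
        if not in_rules or len(tok) < 2 or tok[0] != "IN":
            continue  # skips blanks, OUT rules and '|IN' (disabled) rules
        opts = dict(zip(tok[2::2], tok[3::2]))
        if "-source" in opts and not source_covers(opts["-source"], admin_ip):
            continue
        if tok[1] == "SSH(ACCEPT)":
            ports.add(22)
        elif tok[1] == "ACCEPT" and opts.get("-p") == "tcp":
            ports |= {int(p) for p in opts.get("-dport", "").split(",") if p in ("22", "8006")}
    return ports

def safe_to_enable(fw_text, admin_ip):
    """True only if both SSH and the web GUI stay reachable from admin_ip."""
    return allowed_ports(fw_text, admin_ip) >= {22, 8006}
```

With the sample rules, 203.0.113.5 keeps the web GUI but loses SSH because its SSH rule is disabled, so the check fails until an enabled SSH rule for that address is added.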

  • akhfa Member

    @geekalot said:

    @nobizzle said:
    Thanks.. my machine is an Intel Xeon E3 1220 which should be powerful enough for my machine going to idle most of the time :D I'll go the same way as always and encrypt the host as mentioned by @geekalot.

    thank you!

    That hardware should be just fine; I have literally done this with all types of hardware without any major issues (even the kidéchire from Online.net -- though that was not running Proxmox) with uptime of 900+ days and more.

    I have had production VM's running on encrypted host nodes using Atom C2750, E3-1220, E3-1231v3, E3-1240, E3-1245v2, L3426, X3450, L5640, 2xL5520, etc etc etc and no issues.

    Even a G530 with only 4GB RAM is running 2 production VM's like a champ.

    BTW, one last thing I suggest you do: please do yourself a favor and run a firewall on the host node .... it will make your life that much easier as well.

    Cheers

    How do you encrypt the host?

    • dmcrypt the partition used for the VMs and boot from smaller one (single disk/HW RAID)

    or

    • RAID1 2 small partitions for boot, dmcrypt 2 large ones for VM storage, mount after boot in OS and mdadm assemble it

    or

    • use network file system with integrated encryption (CEPH, ZFS on not Linux)
    Thanked by 1: akhfa
  • akhfa Member

    @William said:

    • dmcrypt the partition used for the VMs and boot from smaller one (single disk/HW RAID)

    or

    • RAID1 2 small partitions for boot, dmcrypt 2 large ones for VM storage, mount after boot in OS and mdadm assemble it

    or

    • use network file system with integrated encryption (CEPH, ZFS on not Linux)

    Have you tried using an encrypted filesystem inside a file? Do you know how much performance decreases with this method?

  • @dragon2611 said:

    @nobizzle said:

    @geekalot said:
    BTW, one last thing I suggest you do: please do yourself a favor and run a firewall on the host node .... it will make your life that much easier as well.

    Cheers

    Thank you, can you get into more detail on that one? Why? Which firewall?

    If you are using Proxmox, then the Proxmox one.

    Just remember to put an allow in for your own IP before turning it on...

    It's quite nice as it passes the VM network traffic through the firewall on the host node, allowing you to firewall the VM on the hypervisor itself; also, the interface isn't bad either.

    @akhfa said:
    How do you encrypt the host?

    @nobizzle: I use a firewall running on the OS (Shorewall), but @dragon2611 makes a good suggestion of using the builtin Proxmox firewall

    @dragon2611: Actually good point, I haven't used the builtin Proxmox firewall

    @akhfa: You can use LUKS/dm-crypt

  • Wow.. That was tough. Finally got it. The biggest problem was actually to realize I have to use IE to connect to the remote console. Is unlocking LUKS via iLO a security issue?

    Proxmox so far seems to be great. It will be some additional work to move all KVM VMs to Proxmox.

    @geekalot Can you help me to set Firewall correctly?

  • @nobizzle said:
    Wow.. That was tough. Finally got it. The biggest problem was actually to realize I have to use IE to connect to the remote console. Is unlocking LUKS via iLO a security issue?

    Proxmox so far seems to be great. It will be some additional work to move all KVM VMs to Proxmox.

    @geekalot Can you help me to set Firewall correctly?

    @nobizzle, I have not used the builtin firewall in Proxmox ... it appears that @dragon2611 may know. And, check out the doc here: https://pve.proxmox.com/wiki/Firewall

    I also did a quick search and found this

  • Jarry Member

    I would not recommend using PVE-firewall for anything else except for PVE-host filtering. In case of using global PVE-firewall, any mistake could have negative impact and/or compromise security of the whole PVE-host (including all of its VMs). Filtering of VM-traffic should be done inside of VM...

  • akhfa Member

    I have tried the Proxmox firewall, but it isn't related to Debian's iptables. Which is better: using the Proxmox firewall or iptables on the host, or both?

  • @Jarry said:
    I would not recommend using PVE-firewall for anything else except for PVE-host filtering. In case of using global PVE-firewall, any mistake could have negative impact and/or compromise security of the whole PVE-host (including all of its VMs). Filtering of VM-traffic should be done inside of VM...

    Firewall config is per VM, and either way it's moot: get into the host and you could get console access to the VMs and hijack them anyway.

  • To be honest.. what is the use of a firewall in this scenario? Shouldn't unneeded ports be closed anyway? And those that are opened are probably needed for incoming traffic? Please don't punch me in my face for asking this question :D

  • Jarry Member

    @nobizzle said:
    To be honest.. what is the use of a firewall in this scenario? Shouldn't unneeded ports be closed anyway? And those that are opened are probably needed for incoming traffic? Please don't punch me in my face for asking this question :D

    Even those opened are not opened for all kinds of traffic (i.e. malformed packets not fulfilling the 3-way TCP handshake). Or maybe you want to block Tor exit nodes from spamming your forum? Or things like connection/response rate-limiting? Maybe you do not want your website being visited by script-kiddies from some country? You might want to block every IP that tried to guess your SSH password 10 times or contacted your server on 10 different ports in the last minute? Or you might want to use port-knocking as a secret key to open a port just for you? There are a lot of things you can do with a firewall...

  • As @jarry is suggesting, there are lots of reasons you may wish to firewall, including that you might want a service accessible but only from certain IP ranges.
