Comments
@jcaleb I recommend you think about who you are most concerned about and prioritize. If you trust the provider's staff enough, but you are more concerned about other tenants (aka local users) on the same node, avoid OpenVZ. It takes one kernel bug/exploit and a tenant can see/modify your stuff. With KVM, it depends on which part of KVM has an exploitable weakness whether it's 1 or 2 bugs (and corresponding exploits) needed for a tenant to get to your stuff. If your finance data meets the requirements for PCI and you're not using an approved 3rd party gateway to handle all PCI related data/processing, the first decision you need to make is which PCI approved provider to go with.
"it is generally not advisable to modify/access the guest file systems while the guest virtual machine is running."
So unless the provider is willing to shut down your VPS every time they want to snoop, I can't see this being much of a problem. You could always encrypt your FS too.
And on topic @jcaleb, we host our corporate DNS/Web/FTP/MySQL on an OpenVZ/SSD VPS with uncle sal.
I can only give personal preference, and I would prefer KVM. I feel like, if something like credit card information were a factor (I'm not entirely sure), I wouldn't feel secure enough to be storing credit card numbers on any VPS personally; the way I would set it up would probably be plenty secure by most people's standards, but it's more a matter of accountability and "what if" from a legal standpoint.
I mainly mention credit cards, because what else would be that sensitive that you would be hosting, especially in regards to an LEB provider which 99.99999% of the time won't take responsibility for loss or compromise of customer's data in the TOS itself?
But as far as the whole provider/customer trust thing earlier: if we take that out of the equation with regards to OpenVZ/KVM, OpenVZ would be less secure than KVM in the case of an exploit of the root node (or just simply easier/faster to compromise).
Though the original question was "production", meaning actively out there in the wild ready-for-business, did not specifically address a certain level of security/sensitivity involved, and to the original question, I would say both OpenVz and KVM are production ready and it's a matter of your personal choice and specific needs for the system.
@jcaleb 1 KVM and 1 OpenVZ
Yes, I was simply pointing out that KVM isn't enough to say "it's safe".
I think that the only thing that matters is if you trust the provider or not.
Yup
KVM volumes can be mounted read only without downing the VM, or the volume simply grepped, so if it's not encrypted it's fair game...
I think that the only thing that matters is if you trust the provider or not.
I'm curious if there's such a thing like TrueCrypt that exists for FreeBSD or Linux to mount a virtual volume at boot up, and make that the storage point of, say, the database, so that if the KVM volume were shut down/copied it's still encrypted (since it's only unencrypted in memory when files need to be read/accessed).
I know for something like that to work on OpenVz the provider has to enable the fuse module for the kernel on the host node.
OpenVZ will work fine.
Ok this did get derailed in a pretty typical fashion:
OVZ or KVM?
I pick OVZ because I can adjust resources on the fly without rebooting...
All my production cPanel servers run this. If I need to throw 2GB more RAM without rebooting, OVZ is the way I decided to go.
I'll leave all the theory to our virtualization theorists while I talk about a real world scenario.
Don't you mind the lack of CloudLinux support?
Eh, you can also do that with Xen but I digress. If it were me I'd choose KVM simply because it is without a shadow of a doubt pretty much the most isolated you can get.
I don't run CloudLinux
Ford vs Chevy discussion... the radical jihadists on both sides are here ready to defend their virtualization lifestyle through any means possible.
I'll leave all the theory to our virtualization theorists while I talk about a real world scenario.
And just like clockwork, @bamn turns up to another thread - add a relevant comment, then trolololololol....
I know. You can't. That's why I asked whether you mind the lack of CloudLinux support or not.
Talking about a real world scenario; I would never consider running a cPanel server without CloudLinux.
I really wish we could be friends but I don't really go for guys who mancrush on me so when I try to be friends with you, it ends up being awkward.
I mentioned what I said about memory because nobody else mentioned it. Please, get off my genitalia.
You do not consider that I have about 100 local shared web hosting customers, where the biggest disk user of the 10GB disk I provide uses about 2GB, and 20GB of transfer per month is a "busy month", while the cash coming in covers the rent at my place.
My real world scenario and your in theory thing, again, two different things.
@bamn chillax, I got the safety on
LMFAO
@kbeezie said:
check out LUKS (Linux Unified Key Setup), it works well when used as an encrypted partition (I have used it with LVM and with Software RAID)
I have not used it to encrypt a file to be then used as a block device or object store (one of the nice features of TrueCrypt); I suspect that is what you might have to do to run encryption within your VM container.
BTW, TrueCrypt does support Linux and "DragonFly BSD"
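Added example (not code from the thread or from any poster): the file-backed LUKS container suggested above, which is also the Linux answer to the earlier question about a TrueCrypt-style volume that holds the database and stays encrypted on disk if the VM's volume is copied. It uses cryptsetup with a regular file as the backing device. The container path, mapping name, mount point and size are assumptions; the script needs root and cryptsetup/mkfs.ext4 for real runs, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: file-backed LUKS volume inside a VPS for a database directory.
# Assumptions (not from the thread): paths, names and size below are placeholders.
set -eu

CONTAINER="${CONTAINER:-/var/lib/secure.img}"       # assumed path of the container file
MAPPER="${MAPPER:-securedb}"                        # assumed dm-crypt mapping name
MOUNTPOINT="${MOUNTPOINT:-/var/lib/mysql-secure}"   # assumed directory the DB will use
SIZE_MB="${SIZE_MB:-512}"                           # assumed container size
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print commands instead of running

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One-time setup: allocate the file, format it as LUKS2 (AES-XTS, 512-bit key),
# open it, put ext4 on the mapped device, close it again.
# luksFormat asks for a passphrase interactively; pass --key-file for unattended use.
luks_create() {
  run fallocate -l "${SIZE_MB}M" "$CONTAINER"
  run chmod 600 "$CONTAINER"
  run cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$CONTAINER"
  run cryptsetup open "$CONTAINER" "$MAPPER"
  run mkfs.ext4 -q "/dev/mapper/$MAPPER"
  run cryptsetup close "$MAPPER"
}

# At boot (or before starting the DB): unlock and mount. The key lives only in
# guest memory while the mapping is open; on disk the container stays ciphertext.
luks_mount() {
  run cryptsetup open "$CONTAINER" "$MAPPER"
  run mkdir -p "$MOUNTPOINT"
  run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

# Before shutdown: unmount and drop the mapping so the key leaves memory.
luks_umount() {
  run umount "$MOUNTPOINT"
  run cryptsetup close "$MAPPER"
}

# Sanity check that needs no root: a LUKS container starts with the magic "LUKS".
# Returns 0 if the file looks like a LUKS header, 1 otherwise.
luks_is_container() {
  [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

# Usage (as root): luks_create once, then luks_mount at boot and luks_umount at shutdown.
```

The container protects data at rest, which covers the "volume copied or mounted read-only from the host" case. It does not protect against a host operator who dumps the guest's memory while the mapping is open, so it narrows the trust placed in the provider rather than removing it.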
Don't even know what "DragonFly BSD" is, I imagine it's something like PC-BSD or another desktop spin off of free/open/net-bsd (seems odd it would support that, but not one of the three common ones).
It does not seem to support BSD at all:
http://www.truecrypt.org/docs/?s=supported-operating-systems
TrueCrypt currently supports the following operating systems:
Windows 7 (32-bit and 64-bit)
Windows Vista
Windows Vista x64 (64-bit) Edition
Windows XP
Windows XP x64 (64-bit) Edition
Windows Server 2008 R2 (64-bit)
Windows Server 2008
Windows Server 2008 x64 (64-bit)
Windows Server 2003
Windows Server 2003 x64 (64-bit)
Windows 2000 SP4
Mac OS X 10.7 Lion (64-bit and 32-bit)
Mac OS X 10.6 Snow Leopard (32-bit)
Mac OS X 10.5 Leopard
Mac OS X 10.4 Tiger
Linux (32-bit and 64-bit versions, kernel 2.6 or compatible)
EDIT: it is however listed in ports.
Path: /usr/ports/security/truecrypt
Info: Free open-source disk encryption software
I will suggest KVM, since it will save you the hassle of ending up on a node that is already overloaded, where a real abuser can harm your PROD setup. However, even on top of that I will suggest you host with XEN OnApp high availability setups like StyleXNetworks, or some pure XEN like databasebydesignLLC. These guys will be better for that.
It's a FreeBSD 4.x spinoff, optimized for SMP
Oh... OSX was a FreeBSD 4.x spin-off too :P
Thank you guys for all your inputs, appreciate it much
Yeah (and OS X also has some things from NetBSD), but without a BSD kernel.