Production Webserver, OVZ or KVM?

jcaleb Member
edited December 2012 in General

If you will run an important website, will you host it on OVZ, or will you only trust KVM? Assuming the website just needs PHP and a MySQL database.


Comments

  • Infinity Member, Host Rep

    Why would you not trust OVZ? It's not a trust issue.

  • kbeezie Member
    edited December 2012

    Define Important... as in important enough you want to keep the provider and their staff out of it?

    (considering that the administrator on OpenVz needs only type vzctl enter ### to enter your VPS as a root user without any password).

    I'm on KVM right now because obviously OpenVz doesn't support FreeBSD guests (and OpenVz wouldn't quite as easily support an IPv6 tunnel setup solely in the container).

  • @Infinity said: Why would you not trust OVZ? It's not a trust issue.

    It's somehow also a psychological question.

    @kbeezie said: Define Important..

    Important means it's critical for your business. It might also store sensitive information, e.g. financial and customer information.

  • RobertClarke Member, Host Rep

    VZ will suit your needs just fine.

  • gubbyte Member
    edited December 2012

    But nobody here has or will have an "important" site. It's 100% narcissistic personality disorder (source: LET's users' signatures).

  • KuJoe Member, Host Rep

    I host my important websites on mostly OpenVZ. For my critical website, I have it hosted on 2 KVM and 6 OpenVZ servers.

  • How about provider's website? I read before some of them host with Uncle. But I don't know if they purchased KVM or OVZ.

  • @KuJoe said: I host my important websites on mostly OpenVZ. For my critical website, I have it hosted on 2 KVM and 6 OpenVZ servers.

    Thanks, so I guess OVZ is okay.

  • KuJoe Member, Host Rep

    @jcaleb said: How about provider's website?

    Our primary website (SD.net, the critical one I mentioned above) is hosted with BuyVM (x2), Hostigation, and RAMNode (including 4 of our own OpenVZ VPSs).

  • @KuJoe said: Our primary website (SD.net, the critical one I mentioned above) is hosted with BuyVM (x2), Hostigation, and RAMNode (including 4 of our own OpenVZ VPSs).

    Your buyvm is ovz?

  • Steve81 Member
    edited December 2012

    @kbeezie said: (considering that the administrator on OpenVz needs only type vzctl enter ### to enter your VPS as a root user without any password).

    The node admin can access anything even with KVM, without too many problems: http://equivocation.org/node/107

  • running debian6+nginx+php5-fpm+mysql on openvz...

    no problem at this time

  • @jcaleb said: Thanks, so I guess OVZ is okay.

    Hell you could run OpenVz inside of a KVM node :D hehe.

  • See no problem with OpenVZ if you are ok with the limitations - Linux only, no kernel modifications etc...

  • I don't think this is something about virtualization, I think how stable the VPS provider could be is the most important.

  • I am okay with limitations. I just feel paranoid too as many people prefer KVM. I thought it was better for production application

  • @jcaleb said: I am okay with limitations. I just feel paranoid too as many people prefer KVM. I thought it was better for production application

    Not sure the importance is really relevant to the virtualization type as it's more about what do you need exactly for the server? OpenVz generally offers better performance overall if you don't need to be using your own kernel, or tun/tap, vpn, or creating your own network device etc. Xen-PV is more like OpenVz but with the ability to bootstrap your own kernel, Xen-HVM I guess was mainly useful for virtualizing stuff other than Linux (Windows, BSD, etc), then of course you got KVM which seems to be putting the likes of Xen-HVM to shame and performing better.

    Personally I went with KVM simply because it was the best choice out of the virtualizations I've found to run FreeBSD on without needing a host that was already running FreeBSD.

    But for most people, OpenVz is going to be perfectly fine for even production use.

  • edited December 2012

    @Steve81 said: With KVM can also access to anything without too much problems: http://equivocation.org/node/107

    This is for file based KVM disk images. SolusVM uses LVM for Xen and KVM.
    (not that it's a problem to access a VM's LVM from the main node if it's partition based)

    But, with KVM, the guest partition can also be an encrypted LVM, so this way the node admin (i.e. provider) can't access your data.

    @AstroProfundis said: I don't think this is something about virtualization, I think how stable the VPS provider could be is the most important.

    +1

  • kbeezie Member
    edited December 2012

    @George_Fusioned said: But, with KVM, the guest partition can also be an encrypted LVM, so this way the node admin (i.e. provider) can't access your data.

    Most people won't encrypt it though (or I should say not set to encrypt by default when set up). Also... don't you have to take the node offline to be able to mount and browse the logical volume?

    The better question is, if you're concerned about your provider spying on your content and just having a field day with it... why are you hosted with them?

  • @kbeezie said: The better question is, if you're concerned about your provider spying on your content and just having a field day with it... why are you hosted with them?

    That's very true. But @jcaleb mentioned he "might also store sensitive information. E.g. financial and customer information" so I was just pointing out the options.

    @kbeezie said: Also... don't you have to take the node offline to be able to mount and browse the logical volume?

    Correct

  • kbeezie Member
    edited December 2012

    @George_Fusioned said: That's very true. But @jcaleb mentioned he "might also store sensitive information. E.g. financial and customer information" so I was just pointing out the options.

    In stuff like credit card numbers etc, safest bet is to stick with PCI Compliance (which may include requiring the provider is PCI Compliant in the machine they provision you with). WHMCS for example is not, storing CC numbers and even the encryption hash on the same physical server.

    Most smart people if they're dealing with financial/etc information they use a 3rd party to handle credit card processing and such, in which they run/lease their own servers and have their own quarterly audits.

  • @kbeezie you are applying the same argument peeps use for "why do you encrypt if you have nothing to hide". Can we dump this binary thinking and get real? There are a ton of reasons why peeps go with a provider and trust is shades of grey...

  • @George_Fusioned said: But, with KVM, the guest partition can also be an encrypted LVM, so this way the node admin (i.e. provider) can't access your data.

    I suppose that the KVM should know the key to access the partition; so I suppose that the node admin can find it. Or is manual user intervention necessary to boot up the VPS?

  • kbeezie Member
    edited December 2012

    @craigb said: @kbeezie you are applying the same argument peeps use for "why do you encrypt if you have nothing to hide". Can we dump this binary thinking and get real? There are a ton of reasons why peeps go with a provider and trust is shades of grey...

    Actually I'm not, I'm simply saying OpenVz is fine if it suits your need, when did I say otherwise? I'm mainly saying if you have a credible reason to believe that the host will look at your information without your consent, why host with them?

    If you're that concerned, get a physical server and lock it down. Choice is good... make the choice that suits you.

  • @kbeezie said: If you're that concerned, get a physical server and lock it down. Choice is good... make the choice that suits you.

    Won't you then be concerned that the data center would look at your data? And then once you own the data center, won't you be concerned that the staff you hire will look at your data?

  • kbeezie Member
    edited December 2012

    @concerto49 said: Won't you then be concerned that the data center would look at your data? And then once you own the data center, won't you be concerned that the staff you hire will look at your data?

    AGAIN I am not in the "if you have nothing to hide..." camp. You guys are forcing those words into my mouth. I'm saying make the choice YOU want/need based on what YOU want/need. If YOU do not NEED/WANT an encrypted volume on a virtual private server, then YOU can just go with OpenVZ if YOU WANT/NEED it.

    As I said before CHOICE is good.

  • If say provider is trustworthy. Is it possible for other clients on same node to snoop your data?

  • kbeezie Member
    edited December 2012

    @jcaleb said: If say provider is trustworthy. Is it possible for other clients on same node to snoop your data?

    As in physical server, it's "possible" if the provider did not secure it well, ie: if root were compromised on the node, there's a good number of things that could be done even if the disk volume were encrypted (ie: traffic in/out/etc). So naturally if your data requires that level of sensitivity/security then not only should the container be set up accordingly, should be leasing from a provider that holds a certain level of accountability for security, kinda like those do in medical/financial hosting/services.

    There is no one-single-correct answer to your vague original post.

  • thank you

  • @kbeezie said: In stuff like credit card numbers etc, safest bet is to stick with PCI Compliance

    Also correct, but the question here was OpenVZ or KVM :D

    @Steve81 said: Or is manual user intervention necessary to boot up the VPS?

    If the keys necessary to decrypt the volume would need to be on the system somewhere accessible during boot then there would be no reason to use an encrypted LVM in the first place. The passphrase should be entered manually (e.g. via VNC) after every reboot of the system.
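
The last reply's point, that a key available on the system at boot defeats the encrypted volume, can be checked on a guest by reading `/etc/crypttab`. The script below is an added example and not part of the thread; the mapping names, devices and key paths in the sample are constructed, and `keyscript=` is the Debian-style crypttab option.

```sh
#!/bin/sh
# Added example: report where each /etc/crypttab mapping gets its key.

# Constructed sample; names, devices and key paths are made up.
sample_crypttab() {
    cat <<'EOF'
# <name>      <device>          <key>           <options>
data_crypt    /dev/vg0/data     none            luks
db_crypt      /dev/vg0/db       /root/db.key    luks
backup_crypt  /dev/vg0/backup   none            luks,keyscript=/usr/local/sbin/getkey
swap_crypt    /dev/vg0/swap     /dev/urandom    swap
EOF
}

# audit_crypttab: reads crypttab text on stdin, prints one line per mapping:
#   "<name> prompt"          passphrase is typed at boot (console/VNC)
#   "<name> ephemeral"       random key per boot (swap), nothing to recover
#   "<name> stored:<source>" key file or keyscript unlocks it unattended
# Exit status is 1 if any mapping is "stored", 0 otherwise.
audit_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        {
            name = $1; key = $3; src = ""
            if (key ~ /^\/dev\/u?random$/) { print name, "ephemeral"; next }
            if (key != "" && key != "none" && key != "-") src = key
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^keyscript=/) src = opt[i]
            if (src == "") print name, "prompt"
            else { print name, "stored:" src; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Demo on the sample; on a real guest: audit_crypttab < /etc/crypttab
sample_crypttab | audit_crypttab ||
    echo "WARNING: at least one volume unlocks without a typed passphrase"
```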
