Hello,
I have been running a home server for the past while, and one thing I wanted to do was give myself a bit of insulation from internet-borne threats, as well as partition some of my system's net-facing services. My first main attempt at this looked like so:
- bare metal Arch, running SSH configured to accept only local LAN connections
- VirtualBox running in Arch; VM1 runs a web server and can only see a specific sandboxed directory on the real HDD; VM2 runs a file storage server and can only access specific media folders on the real HDD
- basically, no internet-borne network traffic interacts with the real OS directly; only the local LAN can talk to the actual bare-metal services (in principle). (The VMs each had their own distinct IPs via VirtualBox's network stack, and all relevant web traffic was directed to them.)
This is all running on an Intel i3 CPU with 16GB of RAM, with a relatively decent SSD for the OS, and HDDs for storage.
This all seemed to work pretty well, giving me a bit more protection from a potential remote intruder (hopefully) and easing management of distinct services on my system in a modular way. Unfortunately, VirtualBox kept inevitably choking on itself if left to run for a sufficiently long time (apparently around 250 days or so on average). At that point the system would lock up pretty hard, and I'd be forced to hard-reboot it, risking data loss (and eventually I did lose my active virtual machine instances at the time) (I know about REISUB, even that barely worked in this scenario). VirtualBox is also a bit unwieldy to work with if you want to configure more than two or three VMs to specific specifications.
I'm now looking to replicate a similar setup in another virtualization system which is hopefully more reliable and scalable than VirtualBox has been. My questions, as such, are:
- Can anyone recommend to me a hypervisor which is appropriate for my hardware and usage case? I am doing my own reading on this, but I have little experience beyond VirtualBox and would appreciate advice from those with more experience.
- Can anyone suggest improvements or offer constructive criticism on the setup I've described? I'd be interested to know if there are any serious flaws in my approach to network security, or if there are ways I could engineer this approach to be better.
Thanks in advance.
Last edited by skyeyemachine (2018-08-24 20:52:50)
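One way to check the host side of the claim above (that only the LAN can reach the bare-metal services) is to audit what the host actually listens on. This is an added example, not code from the original post: it parses `ss -ltn` output and flags any listener bound to a wildcard or globally routable address rather than a LAN, loopback or link-local one. The sample output is constructed; in use, feed it the real `ss -ltn` output.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (no header line), not taken from the thread.
SAMPLE_SS = """\
LISTEN 0 128 192.168.1.10:22   0.0.0.0:*
LISTEN 0 128 127.0.0.1:631     0.0.0.0:*
LISTEN 0 511 0.0.0.0:80        0.0.0.0:*
LISTEN 0 128 [::]:445          [::]:*
LISTEN 0 128 *:8080            *:*
"""

def parse_local(endpoint):
    """Split an ss 'Local Address:Port' field into (address, port).
    Handles bracketed IPv6 and the '*' wildcard printed by older ss versions."""
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    if addr == "*":
        addr = "0.0.0.0"
    return addr, int(port)

def is_lan_only(addr):
    """True if a socket bound to addr is reachable only from LAN/loopback,
    i.e. it is neither a wildcard bind nor a globally routable address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    if ip.is_unspecified:  # 0.0.0.0 / :: accept on every interface
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_private

def exposed_listeners(ss_output):
    """Return sorted (address, port) pairs for listeners not restricted to LAN/loopback.
    The header line (if present) is skipped because its first field is not LISTEN."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local(fields[3])
        if not is_lan_only(addr):
            exposed.add((addr, port))
    return sorted(exposed)

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed beyond LAN: {addr}:{port}")
```

A clean result only shows the host binds sensibly; port forwarding on the router and the host firewall rules still decide what the internet can actually reach.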
Quasi-relatedly, has anyone used Qubes for any sort of server, and how difficult is that to achieve if so? I am aware that it is primarily intended for use as a desktop client by a single user, but its security features are attractive and I am wondering whether it's worth trying to use in a server role.
Last edited by skyeyemachine (2018-08-25 07:07:03)
UPDATE: After looking around some more I am of the impression that Xen or QEMU are probably the main options I am looking for, but I'm still interested in further suggestions or advice. I am currently reading more about how those work in the meantime.
Last edited by skyeyemachine (2018-08-25 07:09:09)
Have you thought about the possibility of running the services in a container, instead of a full-blown virtualized OS?
For example:
https://wiki.archlinux.org/index.php/Docker
https://wiki.archlinux.org/index.php/Systemd-nspawn
https://wiki.archlinux.org/index.php/LXC
Containers are probably more performant when compared to running a full virtualized OS for every service, but I guess containers can also be more susceptible to attacks.
Though some say containers are better security-wise than VMs. I don't know enough to actually say which is safer.
On the enterprise level some companies are running containers inside VMs, but that's a bit paranoid for a home network IMO.
Last edited by jaergenoth (2018-08-25 09:43:07)
I recommend Linux containers. I have one running Pi-hole and another running OpenVPN. I also ran one for ownCloud, but we just stopped using the services it provided. I also wrote some services to manage LXC via its native snapshot feature. See: https://github.com/graysky2/lxc-snapshots
Last edited by graysky (2018-08-25 11:15:21)
Thanks for the suggestions; I was checking into Qubes 4.0, but unfortunately that won't work in my case due to hardware limitations.
I will check out Linux containers; they seem like they could work well in the interim.