#1 2007-05-25 19:14:48

jasonc221
Member
Registered: 2007-05-25
Posts: 4

Virtualization for a router?

I'd like to use arch as my base system and then have a virtual machine within with Smoothwall (http://www.smoothwall.org/) installed. I'll be running on an older machine that doesn't have the built-in virtualization features on the processor.

What are your suggestions on the virtual machine/hypervisor to use?

Offline

#2 2007-05-29 16:27:46

murffatksig
Member
From: Atl
Registered: 2004-05-17
Posts: 358

Re: Virtualization for a router?

I like both VMWare Server and VirtualBox, both are free, both work nicely.  However, how old of a machine are we talking?  No matter which VM software you use, you generally would like a beefy machine to handle the load.


"Oh, they have the internet on computers now."

Offline

#3 2007-05-29 17:44:52

jasonc221
Member
Registered: 2007-05-25
Posts: 4

Re: Virtualization for a router?

It's a 2GHz with 1GB ram. I should probably have mentioned that this is just for personal home use so the load shouldn't be that great.

It's actually a moot point now. I found smoothwall more difficult to use than I would have liked (didn't support my card among other things). What I'm planning on doing now is having an arch install configured to be a router and then using UML to host another install of arch to be my fileserver and whatnot.

Maybe someone could comment on the security risks/benefits of this setup? Is there a better way to utilize a single machine for a router/file/dev server? My main concerns were exposing services to the net that didn't need to be.

Offline

#4 2007-06-02 22:41:50

emphire
Member
From: Canada
Registered: 2007-03-21
Posts: 203

Re: Virtualization for a router?

You might want to check out OpenVZ too.  It has a little less overhead than UML.  UML would give you a bit more isolation though as it runs its own kernel.  If you're going to run a separate kernel, I think you may as well go for VMware, Virtualbox, xen, or qemu with kvm.  I haven't worked with UML, but it sounds like it's better suited to tasks like kernel debugging.

I'm thinking about doing something similar with my server.  I haven't gotten around to it yet though.  I was thinking of setting up a really stripped-down and secure OS as the host (maybe debian-stable) with as little as possible running on it.  Then I would set up a bunch of isolated virtual servers on it for different tasks.

If you're just wanting to run a firewall virtual server, I would so go for full-blown virtualization.  You shouldn't need to allocate much memory for a lean virtual firewall (I know someone who runs an OpenBSD firewall in VMWare Server with 32MB and he's really happy with it).

If you're wanting to run a lot of virtual servers, you might want to look to something lighter... especially if you only have 1 gig of ram on there.  OpenVZ is nice since it can give you a virtual network without the overhead of an extra kernel.

Keep in mind that if your Host OS is compromised, then your virtual firewall is no longer secure and any other machines on your network could be exposed.  That's why I'd opt for running several virtual machines on a stripped-down host.

I'm thinking of running a host with debian-stable and:
Firewall: OpenBSD in Virtualbox
Webserver (External): OpenBSD in Virtualbox
Webserver (Testing - External): OpenBSD in Virtualbox
DNS (External): OpenBSD in Virtualbox
Webserver (Internal): some linux in OpenVZ
DNS/DHCP (Internal): some linux in OpenVZ
LDAP: some linux in OpenVZ
NTP: some linux in OpenVZ

I would probably also have arch, gentoo, and maybe other linux's running in OpenVZ to play around with.  I might set up some extra virtual servers for individual projects (especially if I'm going to have other people using them).  I'd also likely set up a virtual server running FreeBSD via Virtualbox since I like FreeBSD a lot.  :-)

One thing to keep in mind is how easy it will be to maintain too.  In some ways, I find it easier to maintain a (virtual) server that only has a single purpose.  But when you have about 20 of them... things start to get a little redundant.  I'm not too worried about it as I'll probably just write up some scripts to help me out... but it's something to keep in mind.

Offline
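
Added example, not part of any post in this thread: one way to check the concern raised in #3 and #4, that the router host exposes services to the net that don't need to be, by auditing the output of `ss -H -tuln` on the host. The WAN address `203.0.113.7`, the WAN interface name `eth0`, the allowed-port set and the sample `ss` lines are all constructed assumptions.

```python
# Added example: audit which listening sockets on the router host the WAN can reach.
# Input is the text printed by `ss -H -tuln`; SAMPLE below is constructed, not real output.
WILDCARDS = {"0.0.0.0", "::", "*"}

SAMPLE = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     192.168.1.1:445    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.7:80     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0%eth1:67    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

def parse_local(field):
    """Split ss's 'Local Address:Port' column into (address, iface, port)."""
    host, _, port = field.rpartition(":")
    addr, _, iface = host.partition("%")   # a '%eth1' suffix means bound to that device
    return addr.strip("[]"), iface, port   # strip IPv6 brackets

def wan_exposed(ss_output, wan_addr, wan_iface, allowed=frozenset()):
    """Return sorted (proto, addr, port) for sockets bound to a wildcard or the
    WAN address, skipping device-bound sockets on other interfaces and any
    (proto, port) pair listed in `allowed`."""
    findings = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "udp"):
            continue                        # header, blank or unrelated line
        addr, iface, port = parse_local(cols[4])
        if not port.isdigit() or (iface and iface != wan_iface):
            continue
        key = (cols[0], int(port))
        if (addr in WILDCARDS or addr == wan_addr) and key not in allowed:
            findings.add((cols[0], addr, int(port)))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: SSH is the only service meant to be reachable from outside.
    for proto, addr, port in wan_exposed(SAMPLE, "203.0.113.7", "eth0", {("tcp", 22)}):
        print(f"{proto} {addr}:{port} is bound where the WAN side can reach it")
```

A finding means the socket is bound on an address the WAN interface serves; a packet filter may still drop the traffic, so read the result alongside the firewall rules.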
