Posted by mike Filed Under Virtual Server with Comments Off
Create a Virtual Server
Using the vzctl command you will be able to create a virtual server in less than 5 minutes. One of the steps that must be completed before you begin is to move the template you will use into the /vz/template/cache.
The first command uses a template and sets the configuration as a vps.basic. The 26 is a identifier for the vps. It makes sense to use the last octet of the IP Address for this identifier. Thus this is used for 192.168.4.26. In the example the centos template is used.
# vzctl create 26 – -ostemplate centos-4 –config vps.basic
Creating VE private area (centos-4-i386-default)
Performing postcreate actions
VE private area was created
This setting provides for the VE to start on boot. This is probably what you want. However, the default is not to start a VE on boot so if you do not use this setting it will remain off.
# vzctl set 26 – -onboot yes –save
# vzctl set 26 – -hostname admin26–save
# vzctl set 26 – -ipadd 192.168.4.26 –save
# vzctl set 26 – -nameserver 22.214.171.124 –save
# vzctl start 26
Starting VE …
VE is mounted
Adding IP address(es): 192.168.4.26
Setting CPU units: 1000
Set hostname: admin26
File resolv.conf was modified
VE start in progress…
# vzctl set 26 – -userpasswd root:bcrY67LD3 –save
Changing password for user root.
passwd: all authentication tokens updated successfully.
Saved parameters for VE 26
Now use vzlist to show which virtual servers are running.
# vzlist -a
VEID NPROC STATUS IP_ADDR HOSTNAME
26 16 running 192.168.4.26 admin26
Posted by mike Filed Under Virtual Server with 1 Comment
Virtualized Postfix Mail Server
This section will show you how to virtualize a mail server with OpenVZ. There are several advantages to virtualizing your mail server. One is the ability to backup the entire mail server by either using LVM snapshots, or by creating a compressed tar file. If nothing else this will give you peace of mind in knowing that you can drop the backup in place to have a working mail server in a very short period of time. Secondly, you will be able to place a host firewall in front of the mail server to provide an additional layer of security. You could even build a gateway mail server on the same machine. Third, OpenVZ will give you the ability to clone your mail server to create other mail servers within minutes. By cloning a mail server you can take it and drop it into another box and have a mail server running simply by changing IP, hostname and a few configurations in Postfix. Fourth, virtualization allows you modify the system resources on the fly so that you can increase required CPU, memory and disk space as is required by Postfix. This provides an opportunity to use the box for several other servers at the same time, thus saving you money.
Here is a description of OpenVZ and what it does from the website.
“OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated containers (otherwise known as VEs or VPSs) on a single physical server enabling better server utilization and ensuring that applications do not conflict. Each container performs and executes exactly like a stand-alone server; a container can be rebooted independently and have root access, users, IP addresses, memory, processes, files, applications, system libraries and configuration files.” http://wiki.openvz.org/Main_Page
Create the OpenVZ Host
The first task is to create the OpenVZ host which will hold the virtual servers that you create, including Postfix. The best option for an operating system for your host server is to use CentOS as OpenVZ is built upon Red hat Enterprise, but compatible with other distros.
Add OpenVZ to your yum repositories.
# cd /etc/yum.repos.d
# wget http://download.openvz.org/openvz.repo
# rpm –import http://download.openvz.org/RPM-GPG-Key-OpenVZ
Install the OpenVZ kernel. OpenVZ will only run if you install the kernel and boot to that kerne..
# yum install ovzkernel
Modify sysctl.conf so that it reflects these changes.
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Turn off SELinux.
Enable Conntracks for CTO
Enable conntracks for CT0, add the following line to /etc/modprobe.conf file:
options ip_conntrack ip_conntrack_enable_ve0=
Reboot the server and then add the tools needed for OpenVZ.
# yum install vzctl vzquota
# /sbin/service vz start
At this point you should have a working OpenVZ host. If you try to run OpenVZ commands and they do not work then it is probably because the OpenVZ kernel did not automatically boot. Specifically choose the OpenVZ kernel when you boot and it should be OK.
Once the OpenVZ host has been created it is imperative that you protect it from any form of attack because if the host is cracked the virtual servers will also be lost. There are several ways to minimize the access to the host server.
1. Use tcp_wrappers
2. Eliminate all unused services
3. Create a firewall that minimizes any access to the host
4. Only allow one SSH connection to the host
5. Use Port Scan Attack Detector