obsd as domU?


obsd as domU?

Arthur Bela
Can I run obsd as a xen guest?


Re: obsd as domU?

Michiel van Baak-2
On 08:59, Tue 12 Jan 10, Vadkan Jozsef wrote:
> Can I run obsd as a xen guest?

under 'full' virtualisation, yes.
under para-virtualisation, no.

--

Michiel van Baak
[hidden email]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: obsd as domU?

Bret S. Lambert-2
In reply to this post by Arthur Bela
On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef <[hidden email]> wrote:
> Can I run obsd as a xen guest?
>
>

http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

The internet: you're doing it wrong.


Re: obsd as domU?

Ciprian Dorin Craciun
On Tue, Jan 12, 2010 at 10:10 AM, Bret Lambert <[hidden email]> wrote:
> On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef <[hidden email]> wrote:
>> Can I run obsd as a xen guest?
>>
>>
>
> http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest
>
> The internet: you're doing it wrong.


    Hello all! (I'm a very new OpenBSD user (tested only on Qemu, but
would like to put OpenBSD in production).)

    And I just want to say that I had the same question a couple of
days ago: <<Is it really possible (as in tried in a quasi-production
environment) to run OpenBSD as a Xen domU? And if so are there some
guidelines, documentation, etc.? If not is there any disponibility to
implement such a feature?>>

    I've searched a little on the net and I've reached the
following two possibilities:
    * Yes but under Xen with HVM support, with the drawback of
(greater) CPU overhead and with some networking problems;
    * And also yes as direct DomU, but based on the work of
<<Christoph Egger>> but which is not available on the net anymore;
    * any other options??? (anyone???)

   So I bet that the initial poster expected an (authoritative) answer
that should have come in the form of advice based on experience or
at least something useful... (Not lmgtfy, which I'm sure he already
did, but did not find a good enough answer (as in authoritative)...)

    Sorry,
    Ciprian.


Re: obsd as domU?

Bret S. Lambert-2
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun
<[hidden email]> wrote:

[snipz0rz]

>   So I bet that the initial poster expected an (authoritative) answer
> that should have come in the form of advice based on experience or
> at least something useful... (Not lmgtfy, which I'm sure he already
> did, but did not find a good enough answer (as in authoritative)...)

When both of his questions were, verbatim:

OpenBSD as Dom0: Is it possible?

and

Can I run obsd as a xen guest?

it's unclear to me, since he's unwilling to document what he's
found in order to help others to help him, whether or not he's willing
to do the work required in finding those answers to begin with.


Re: obsd as domU?

J.C. Roberts-3
In reply to this post by Ciprian Dorin Craciun
On Tue, 12 Jan 2010 10:41:15 +0200 "Ciprian Dorin, Craciun"
<[hidden email]> wrote:

>    So I bet that the initial poster expected an (authoritative) answer
> that should have come in the form of advice based on experience or
> at least something useful... (Not lmgtfy, which I'm sure he already
> did, but did not find a good enough answer (as in authoritative)...)

You are missing the point. Virtualization has been discussed to death
for *YEARS* and all of it is in the misc@ list archives.

Here's the short version of those years of discussion:

1.) Since you can't trust the skill of most developers to write a
perfectly secure operating system, trusting them to write a perfectly
secure software emulation of hardware is insane.

2.) If systems and application software runs fine on real hardware, but
fails to run on emulated/virtualized hardware, then the problem is in
the virtualization software. --In other words, take questions and
complaints to the vendor of your virtualization software.

3.) Many of the benefits you gain by running a stable and secure
operating system like OpenBSD are lost when you run it as a "guest" on
top of some other insecure "host" operating system.

4.) Most Virtualization Software fails to emulate hardware perfectly.

5.) Most Virtualization Software expects the "host" operating system to
have specific features, and hence, it's not easily portable, or it is
not portable at all.

6.) Most Virtualization Software wants to use fancy hardware features
and/or have direct access to hardware. If your virtualization software
is by-passing the restrictions enforced by the "host" operating system,
then the "host" operating system is not able to do its job.


Virtualization can be very useful in certain situations, yet you not
only need to fully understand and accept the implications and risks of
virtualization, but *you* also need to test it in *your* environment to
determine if it meets *your* requirements. Anything less is irrelevant!

If you're too lazy to do the weeks or months of research work on your
own, then you really should not use virtualization. Unfortunately, most
people just believe the constant bullshit from the virtualization
vendors, or ask irrelevant questions on various mailing lists.


Lastly, Bret Lambert is one of the OpenBSD developers, so you can
consider his "lmgtfy" reply as "authoritative" --He's humorously telling
you to do your own work. There is no other way.


--
J.C. Roberts


Re: obsd as domU?

Ciprian Dorin Craciun
On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts <[hidden email]>
wrote:

> On Tue, 12 Jan 2010 10:41:15 +0200 "Ciprian Dorin, Craciun"
> <[hidden email]> wrote:
>
>>    So I bet that the initial poster expected an (authoritative) answer
>> that should have come in the form of advice based on experience or
>> at least something useful... (Not lmgtfy, which I'm sure he already
>> did, but did not find a good enough answer (as in authoritative)...)
>
> You are missing the point. Virtualization has been discussed to death
> for *YEARS* and all of it is in the misc@ list archives.

    Sorry, didn't know... (I should have checked the mailing list...)


> Here's the short version of those years of discussion:
>
> 1.) Since you can't trust the skill of most developers to write a
> perfectly secure operating system, trusting them to write a perfectly
> secure software emulation of hardware is insane.

    Sorry, but you guys from OpenBSD have proved that you <<can trust
the skills of **some** developers to write a __supposed__ perfectly
secure operating system>>, so why not trust other developers to write
a __supposed__ secure software emulation with the help of hardware.
(Let me say it more simply: we have trust in you, but why don't you
have the disposition to trust in others?)


> 2.) If systems and application software runs fine on real hardware, but
> fails to run on emulated/virtualized hardware, then the problem is in
> the virtualization software. --In other words, take questions and
> complaints to the vendor of your virtualization software.

    Agree. This is the same as with software: if software runs
perfectly on one version of OpenBSD, but not on another it does not
mean that it's the fault of the new version. (But Xen is not all about
emulation, it cooperates with the guest kernel, so in this case the
blame could be on both sides.)


> 3.) Many of the benefits you gain by running a stable and secure
> operating system like OpenBSD are lost when you run it as a "guest" on
> top of some other insecure "host" operating system.

    This is only true if either:
    * there is a security bug in the virtualization software (highly
improbable, and maybe easily fixed);
    * you let the host operating system front the Internet; (but you
could just filter out all the traffic from the exterior to the host,
and use one of the guests (OpenBSD) as a gateway);


> 4.) Most Virtualization Software fails to emulate hardware perfectly.

    (Again we are not speaking of emulation, we are speaking of
cooperation between the hypervisor and the guest kernel.)


> 5.) Most Virtualization Software expects the "host" operating system to
> have specific features, and hence, it's not easily portable, or it is
> not portable at all.
>
> 6.) Most Virtualization Software wants to use fancy hardware features
> and/or have direct access to hardware. If your virtualization software
> is by-passing the restrictions enforced by the "host" operating system,
> then the "host" operating system is not able to do its job.

    No, (in general) the requirement of virtualization is not to
bypass the restrictions imposed by OS to hardware.


> Virtualization can be very useful in certain situations, yet you not
> only need to fully understand and accept the implications and risks of
> virtualization, but *you* also need to test it in *your* environment to
> determine if it meets *your* requirements. Anything less is irrelevant!

    One important use of virtualization software (like Xen for
example), is to allow experimentation. For example I don't have 4
pieces of hardware to be able to also host a Linux server (for
personal stuff), experiment with OpenBSD or Plan9, and also give one
of my friends a small VPN and download host. So I use Xen and turn one
computer into many. (As you see it's not the security aspect I'm
interested but the consolidation aspect...) (Yes very lame I know, but
sometimes money does beat security...)


> If you're too lazy to do the weeks or months of research work on your
> own, then you really should not use virtualization. Unfortunately, most
> people just believe the constant bullshit from the virtualization
> vendors, or ask irrelevant questions on various mailing lists.

    (I hope I've touched this subject above.)


> Lastly, Bret Lambert is one of the OpenBSD developers, so you can
> consider his "lmgtfy" reply as "authoritative" --He's humorously telling
> you to do your own work. There is no other way.
> --
> J.C. Roberts


    Thanks for the time and the responses,
    Ciprian.


Re: obsd as domU?

Bret S. Lambert-2
How did "lazy internet denizen gets told he's lazy" turn into
anything worth spending this much time on?


Re: obsd as domU?

Ciprian Dorin Craciun
On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert <[hidden email]> wrote:
> How did "lazy internet denizen gets told he's lazy" turn into
> anything worth spending this much time on?

    I would like to personally apologize for criticizing you, Bret, of
"lmgtfy" the other guy (which I didn't know he also posted another
question about OpenBSD and dom0, and he was also responded).

    But I wouldn't say that the discussion has turned into something
"not-worth" discussing. I myself have learned a lot about the position
of the OpenBSD developers regarding the possibility of ever using
OpenBSD on top of virtualization (not emulation) platforms (like Xen).
(I had my hopes, but not any more... :) )

    Thanks again for all the time and effort spent,
    Ciprian.

    P.S.: Maybe an entry in the FAQ about this topic will cut down all
these questions about virtualization?


Re: obsd as domU?

Henning Brauer
In reply to this post by Ciprian Dorin Craciun
* Ciprian Dorin, Craciun <[hidden email]> [2010-01-13 07:37]:
>     This is only true if either:
>     * there is a security bug in the virtualization software (highly
> improbable, and maybe easily fixed);

i would pee my pants (or maybe bob's instead) laughing if it wasn't so
sad. it is this mindset that gets this industry in shit every other
day.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: obsd as domU?

Eric Furman-3
In reply to this post by Ciprian Dorin Craciun
On Wed, 13 Jan 2010 08:31 +0200, "Ciprian Dorin, Craciun"
<[hidden email]> wrote:

> On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts <[hidden email]>
> wrote:
> > On Tue, 12 Jan 2010 10:41:15 +0200 "Ciprian Dorin, Craciun"
> > <[hidden email]> wrote:
> >
> >>    So I bet that the initial poster expected an (authoritative) answer
> >> that should have come in the form of advice based on experience or
> >> at least something useful... (Not lmgtfy, which I'm sure he already
> >> did, but did not find a good enough answer (as in authoritative)...)
> >
> > You are missing the point. Virtualization has been discussed to death
> > for *YEARS* and all of it is in the misc@ list archives.
>
>     Sorry, didn't know... (I should have checked the mailing list...)
>
>
> > Here's the short version of those years of discussion:
> >
> > 1.) Since you can't trust the skill of most developers to write a
> > perfectly secure operating system, trusting them to write a perfectly
> > secure software emulation of hardware is insane.
>
>     Sorry, but you guys from OpenBSD have proved that you <<can trust
> the skills of **some** developers to write a __supposed__ perfectly
> secure operating system>>, so why not trust other developers to write
> a __supposed__ secure software emulation with the help of hardware.
> (Let me say it more simply: we have trust in you, but why don't you
> have the disposition to trust in others?)

Very few have demonstrated that they can be trusted.
BTW, *any* virtualization software written for i386 is always going
to have the potential for compromise because of the inherent flaws
in that architecture. It was *not* designed with virtualization in mind.

>
>
> > 2.) If systems and application software runs fine on real hardware, but
> > fails to run on emulated/virtualized hardware, then the problem is in
> > the virtualization software. --In other words, take questions and
> > complaints to the vendor of your virtualization software.
>
>     Agree. This is the same as with software: if software runs
> perfectly on one version of OpenBSD, but not on another it does not
> mean that it's the fault of the new version. (But Xen is not all about
> emulation, it cooperates with the guest kernel, so in this case the
> blame could be on both sides.)

Wrong. If it works on real hardware and fails in virtualization
the virtualization software is *always* to blame.

>
>
> > 3.) Many of the benefits you gain by running a stable and secure
> > operating system like OpenBSD are lost when you run it as a "guest" on
> > top of some other insecure "host" operating system.
>
>     This is only true if either:
>     * there is a security bug in the virtualization software (highly
> improbable, and maybe easily fixed);

BWAAAAHAHHAHAHAHAHH. Have you ever actually worked with any
virtualization software?
There have been many documented security bugs in every virtualization
software.
Try Securityfocus or your favorite search engine.

>     * you let the host operating system front the Internet; (but you
> could just filter out all the traffic from the exterior to the host,
> and use one of the guests (OpenBSD) as a gateway);
>
>
> > 4.) Most Virtualization Software fails to emulate hardware perfectly.
>
>     (Again we are not speaking of emulation, we are speaking of
> cooperation between the hypervisor and the guest kernel.)
>
>
> > 5.) Most Virtualization Software expects the "host" operating system to
> > have specific features, and hence, it's not easily portable, or it is
> > not portable at all.
> >
> > 6.) Most Virtualization Software wants to use fancy hardware features
> > and/or have direct access to hardware. If your virtualization software
> > is by-passing the restrictions enforced by the "host" operating system,
> > then the "host" operating system is not able to do its job.
>
>     No, (in general) the requirement of virtualization is not to
> bypass the restrictions imposed by OS to hardware.

BWAAAHAHAHAHAHAH! It *should* be a requirement, but rarely *is*.

>
>
> > Virtualization can be very useful in certain situations, yet you not
> > only need to fully understand and accept the implications and risks of
> > virtualization, but *you* also need to test it in *your* environment to
> > determine if it meets *your* requirements. Anything less is irrelevant!
>
>     One important use of virtualization software (like Xen for
> example), is to allow experimentation. For example I don't have 4
> pieces of hardware to be able to also host a Linux server (for
> personal stuff), experiment with OpenBSD or Plan9, and also give one
> of my friends a small VPN and download host. So I use Xen and turn one
> computer into many. (As you see it's not the security aspect I'm
> interested but the consolidation aspect...) (Yes very lame I know, but
> sometimes money does beat security...)

This is actually very true. But you need to be very aware of where
it does and where it doesn't.


Re: obsd as domU?

bofh-6
On Wed, Jan 13, 2010 at 2:08 AM, Eric Furman <[hidden email]> wrote:
> On Wed, 13 Jan 2010 08:31 +0200, "Ciprian Dorin, Craciun"
> <[hidden email]> wrote:

>>     Sorry, but you guys from OpenBSD have proved that you <<can trust
>> the skills of **some** developers to write a __supposed__ perfectly
>> secure operating system>>, so why not trust other developers to write
>> a __supposed__ secure software emulation with the help of hardware.
>> (Let me say it more simply: we have trust in you, but why don't you
>> have the disposition to trust in others?)

How did "you guys... have proved that you can trust the skills" turn
into "we can trust virtualization developers".  Since when have the
virtualization developers demonstrated that trust?

>> > 2.) If systems and application software runs fine on real hardware, but
>> > fails to run on emulated/virtualized hardware, then the problem is in
>> > the virtualization software. --In other words, take questions and
>> > complaints to the vendor of your virtualization software.
>>
>>     Agree. This is the same as with software: if software runs
>> perfectly on one version of OpenBSD, but not on another it does not
>> mean that it's the fault of the new version. (But Xen is not all about
>> emulation, it cooperates with the guest kernel, so in this case the
>> blame could be on both sides.)
>
> Wrong. If it works on real hardware and fails in virtualization
> the virtualization software is *always* to blame.

I think he's thinking of para virtualization, which open bsd doesn't do,
iirc.

>> > 3.) Many of the benefits you gain by running a stable and secure
>> > operating system like OpenBSD are lost when you run it as a "guest" on
>> > top of some other insecure "host" operating system.
>>
>>     This is only true if either:
>>     * there is a security bug in the virtualization software (highly
>> improbable, and maybe easily fixed);
>
> BWAAAAHAHHAHAHAHAHH. Have you ever actually worked with any
> virtualization software?
> There have been many documented security bugs in every virtualization
> software.
> Try Securityfocus or your favorite search engine.

I just finished sans 560 pen testing class.  We had some discussions
about day 0 exploits of guest->host bugs.  "Highly improbable" should
be changed to "it's out there"


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4


Re: obsd as domU?

William Boshuck
In reply to this post by Ciprian Dorin Craciun
On Wed, Jan 13, 2010 at 08:31:14AM +0200, Ciprian Dorin, Craciun wrote:

>  Sorry, but you guys from OpenBSD have proved that you <<can trust
> the skills of **some** developers

viz., precisely those developers that are telling you to not trust
the virtualization hype/crap.  So, why not trust those developers?

> .. we have trust in you, but why don't you  have the disposition
>  to trust in others?)

These developers have _earned_ (through careful hard work and
meticulously accurate documentation) the trust accorded them.
With respect to the others, this remains to be seen (and current
indications are not promising).


Re: obsd as domU?

Marco Peereboom
In reply to this post by Ciprian Dorin Craciun
On Wed, Jan 13, 2010 at 08:55:33AM +0200, Ciprian Dorin, Craciun wrote:

> On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert <[hidden email]> wrote:
> > How did "lazy internet denizen gets told he's lazy" turn into
> > anything worth spending this much time on?
>
>     I would like to personally apologize for criticizing you, Bret, of
> "lmgtfy" the other guy (which I didn't know he also posted another
> question about OpenBSD and dom0, and he was also responded).
>
>     But I wouldn't say that the discussion has turned into something
> "not-worth" discussing. I myself have learned a lot about the position
> of the OpenBSD developers regarding the possibility of ever using
> OpenBSD on top of virtualization (not emulation) platforms (like Xen).
> (I had my hopes, but not any more... :) )

Virtualization is a toy sold as an enterprise solution.  The argument
goes like this: you need a domain controller and sequel server so you
need 2 machines.  So instead of paying for 2 machines you virtualize
them!!!!! OMGZOMG!!!!11111ONe

What Mr. dingle berry insultant forgets to point out is that both tasks
will run like ass in a virtualized environment AND can be easily
combined on the same box.  Usually lost in the same conversation is
that you need both machines to be up at the same time too to be useful.

I have seen people virtualize a file server and domain controller on a
single machine.  Which is awesome because now you get free >30% loss of
IO performance. You know it keeps bandwidth use lower and latency
higher.  Exactly what lusers like.

Virtualization is great to develop kernel code and get an idea if it'd
work before moving on to real hardware (and fixing real bugs on real
hardware because virtualization failed to run right).

I like to play with old OS' as well so it's neat for that but usually
doesn't work.  This really is in the toy section though.

>     Thanks again for all the time and effort spent,
>     Ciprian.
>
>     P.S.: Maybe an entry in the FAQ about this topic will cut down all
> these questions about virtualization?

What's next?  Pokemon on OpenBSD FAQ entry?


Re: obsd as domU?

Peter Nicolai Mathias Hansteen
Marco Peereboom <[hidden email]> writes:

> I have seen people virtualize a file server and domain controller on a
> single machine.  Which is awesome because now you get free >30% loss of
> IO performance. You know it keeps bandwidth use lower and latency
> higher.  Exactly what lusers like.

Oh, try what a medium sized educational institution not too far from
here did: put several file servers on the same physical rig (sharing
one gigabit ethernet interface), then start whining when backups to
$elsewhere don't complete overnight.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: obsd as domU?

bofh-6
Of course it didn't!  What they should have done was put the backup
server on the same VM!!!  Problem solved!

On 1/13/10, Peter N. M. Hansteen <[hidden email]> wrote:

> Marco Peereboom <[hidden email]> writes:
>
>> I have seen people virtualize a file server and domain controller on a
>> single machine.  Which is awesome because now you get free >30% loss of
>> IO performance. You know it keeps bandwidth use lower and latency
>> higher.  Exactly what lusers like.
>
> Oh, try what a medium sized educational institution not too far from
> here did: put several file servers on the same physical rig (sharing
> one gigabit ethernet interface), then start whining when backups to
> $elsewhere don't complete overnight.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>

--
Sent from my mobile device

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4


Re: obsd as domU?

Christopher Dukes
In reply to this post by Ciprian Dorin Craciun
On Tue, Jan 12, 2010 at 10:41:15AM +0200, Ciprian Dorin, Craciun wrote:
>     * any other options??? (anyone???)

If you are looking at OpenBSD in a production environment as
a firewall, ssl accelerator, or for protection from OS privilege
escalation when someone else finds and uses an exploit in your apps,
run it on bare metal.

If you are looking at virtualization to maximize hardware utilization,
look at the operating systems officially supported by the virtualization
software you choose.

If you are looking at Xen for virtualization because paravirtualization
might give a lower impact on performance, I would suggest checking
the performance impact between paravirtualization and VT extension
assisted virtualization on real workloads.

But look on the bright side... odds are whatever you are trying to
do is probably so full of holes at the application layer even with
all of OpenBSD's protections you'll still get sufficiently maliciously
pwned through several application exploits.
--
Chris Dukes


Re: obsd as domU?

Christopher Dukes
In reply to this post by Marco Peereboom
On Wed, Jan 13, 2010 at 07:54:46AM -0600, Marco Peereboom wrote:

>
> Virtualization is a toy sold as an enterprise solution.  The argument
> goes like this: you need a domain controller and sequel server so you
> need 2 machines.  So instead of paying for 2 machines you virtualize
> them!!!!! OMGZOMG!!!!11111ONe
>
> What Mr. dingle berry insultant forgets to point out is that both tasks
> will run like ass in a virtualized environment AND can be easily
> combined on the same box.  Usually lost in the same conversation is
> that you need both machines to be up at the same time too to be useful.

Ah, but the dingle berry insultant was probably brought in because
management finally listened when they were told
1) The machines with the most compute power and memory are
nearly completely idle file and backup servers.
2) The key compute heavy apps are running on 7 year old hardware
for which replacement parts are becoming nearly nonexistent.
So the insultant picks the virtualization topology best suited
to bring a second insulting contract for performance detuning...
>
> I have seen people virtualize a file server and domain controller on a
> single machine.  Which is awesome because now you get free >30% loss of
> IO performance. You know it keeps bandwidth use lower and latency
> higher.  Exactly what lusers like.

We intentionally did this for an environment for application developers
so they would find the performance issues with their applications sooner.

>
> Virtualization is great to develop kernel code and get an idea if it'd
> work before moving on to real hardware (and fixing real bugs on real
> hardware because virtualization failed to run right).

It also works rather well as testlabs for software applications.
Faster reinstall turnarounds.  Smaller budget required for chairs and
displays and KVM switches and work surfaces.  Higher homicide rates as
5 app developers pile into a cube that isn't large enough for one
person all looking at one tiny display for a problem involving 6 different
virtual machines and start accusing each other loudly (Previously
they had enough space to run and scatter).
>
> I like to play with old OS' as well so it's neat for that but usually
> doesn't work.  This really is in the toy section though.

I find that it's useful for validating procedures before they are applied to production
and for working out a load balanced configuration.
--
Chris Dukes


Re: obsd as domU?

Diana Eichert
In reply to this post by Peter Nicolai Mathias Hansteen
Chuckle, try to troubleshoot a network issue when it is in a
virtual network.  Lots of fun, not.

diana


Re: obsd as domU?

Ted Unangst-2
In reply to this post by Ciprian Dorin Craciun
On Wed, Jan 13, 2010 at 1:31 AM, Ciprian Dorin, Craciun
<[hidden email]> wrote:
>    Sorry, but you guys from OpenBSD have proved that you <<can trust
> the skills of **some** developers to write a __supposed__ perfectly
> secure operating system>>, so why not trust other developers to write
> a __supposed__ secure software emulation with the help of hardware.
> (Let me say it more simply: we have trust in you, but why don't you
> have the disposition to trust in others?)

A lot of OpenBSD's security comes from a model of "bad things can and
will happen" and trying to mitigate the damage, ala privilege
separation.  We don't assume the code is perfect, we assume it's NOT.
Combining virtual servers onto a single physical machine is the exact
opposite of that philosophy.
