
About the organization of a network workspace in a small network at the level of virtual servers

Good day, Habr readers! In this article I describe the structure I arrived at while thinking through a virtual workspace for a network with a small number of users (a university department). Main tasks: hosting the department website (Drupal), our own repository and wiki, file sharing (or a network drive), and access to the network from outside the department's premises.

This work has two objectives:


The system used is Ubuntu 12.04 Server x64. Physical server configuration: second-generation i5, 8 GB RAM, 1 TB 5400 rpm HDD.

Tools


Drupal. Historically (tm), the site runs on the Drupal CMS. Drupal is written in PHP and lets you choose which database stores the content. Setting up Drupal with MySQL and nginx on Ubuntu 12.04 is described, for example, here.

RhodeCode. A web application for working with Git and Mercurial repositories. It has some problems in its internal structure (for example, attaching a hook to an event in RhodeCode is more complicated than in bare Mercurial). However, you will not encounter them until you look inside, and that may never be necessary. Setup instructions for Ubuntu 12.04 with nginx.

DokuWiki. A wiki system that uses no database but stores pages as files on disk. Moreover, when you add a file to the disk it appears in the wiki, and vice versa. This is very convenient if you want to write an application that works with the wiki and have neither the time nor the wish to deal with XML-RPC. Setup instructions for Ubuntu 12.04 with nginx.

ownCloud. Online file storage on your own server (a "Dropbox equivalent"). Lets you view PDFs and listen to audio files in the browser, and has clients for various platforms.

nginx. Nginx is used as the web server. This is less convenient when installing from repositories, since the Drupal package in the Ubuntu repositories pulls in Apache, so Drupal has to be installed by hand.

OpenLDAP. The analogue of a Windows domain: centralized management of user accounts. At the time I struggled with its configuration (I no longer remember why), so I offer two guides that definitely work: server and client.

VPN. A good guide to setting up a VPN is in the Ubuntu Server manual.

VirtualBox. The choice of virtualization technology does not matter much. In this work VirtualBox was chosen for the following reasons: I could not find any argument why using VirtualBox on a production server is bad, my uptime on it reaches two months (then a reboot to install updates), and I have not run into any glitches. I will not argue: as soon as I hit its shortcomings, I will convert the vdi to raw and switch to Xen.

Bittorrent Sync. Backups are implemented with Bittorrent Sync. Because its code is closed, hybrid asymmetric encryption is proposed for protecting the data. Asymmetric encryption is expensive, hence the hybrid scheme: a long key is generated and saved to a file; the large file is encrypted with that key, and the key file itself is then encrypted asymmetrically.

Network structure

[Network diagram from the original article is not reproduced here: the host server and the vmserver-web, vmserver-dev, vmserver-drive and vmserver-net virtual machines.]
In the simplest case, all virtual machines are located on the same physical server; this option is described below. It uses four virtual systems and one host (hostserver) installed directly on the hardware.

The virtual systems labelled vmserver-web, vmserver-dev and vmserver-drive in the diagram each host a single web application. The motivation for splitting them up is as follows: Drupal serves the main site, which changes little; DokuWiki and RhodeCode are in active use, and several similar virtual machines can be created for different purposes; ownCloud hung my home server a couple of times, so I wanted it isolated from the rest.

The vmserver-net virtual machine runs the configured LDAP and VPN servers. The network mode for all virtual machines is NAT, and all virtual machines are connected to each other via the VPN. For vmserver-net, the VPN and LDAP ports are forwarded from the host system.

For an http/https request, nginx on the host machine parses the request and, depending on the address, forwards it over the internal VPN to the correct virtual machine. Using the VPN keeps the network functional even if vmserver-web, vmserver-dev and vmserver-drive are physically located somewhere else. To add new virtual systems, only the nginx config needs to be modified.
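The host-side nginx configuration implied by the paragraph above, as an added example that is not the article's own config. The VPN addresses 10.8.0.11/12/13 and the host names are constructed assumptions; the article gives neither. The catch-all server closes connections for any Host header that does not match a known site, so nothing is forwarded into the VPN by accident.

```nginx
# Added example (not from the article). Assumed VPN addresses of the VMs:
# vmserver-web 10.8.0.11, vmserver-dev 10.8.0.12, vmserver-drive 10.8.0.13.
upstream vmserver_web   { server 10.8.0.11:80; }   # Drupal
upstream vmserver_dev   { server 10.8.0.12:80; }   # RhodeCode + DokuWiki
upstream vmserver_drive { server 10.8.0.13:80; }   # ownCloud

# Catch-all: unknown Host headers are dropped rather than proxied anywhere.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name www.dept.example.org;          # assumed name
    location / {
        proxy_pass http://vmserver_web;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name code.dept.example.org wiki.dept.example.org;   # assumed names
    location / {
        proxy_pass http://vmserver_dev;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name drive.dept.example.org;        # assumed name
    ssl_certificate     /etc/nginx/ssl/drive.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/drive.key;
    location / {
        proxy_pass http://vmserver_drive;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Moving a web application to another physical machine then means changing one `upstream` line to its new VPN address; the `server` blocks stay as they are. TLS terminates on the host here, which is why the VMs only need to listen on plain HTTP inside the VPN.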

Now a little about security: backup and encryption. SSH access to all machines is allowed by key only. Outside the VPN, only the host machine's SSH port is exposed; the virtual machines can be reached over SSH only from inside the VPN. A backup is the following sequence of operations on the host machine: pause the virtual machine, compress its image with gzip and hybrid-encrypt the resulting archive. The encrypted archive and the encrypted key file are placed in a folder synchronized via btsync between several physical machines. Based on a Stack Overflow answer, I offer convenient scripts: initialization (installs the necessary packages and generates a key pair with the given name), encryption and decryption. For encryption you specify the file to encrypt and the public key; the original file is deleted. For decryption you specify the file and the private key; the encrypted file is deleted. The name of the file holding the symmetric key is determined automatically.
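The sshd settings that enforce "key only, and only from inside the VPN" on a virtual machine, as an added example and not the article's config. The VPN address 10.8.0.12 and the group name vmadmins are constructed assumptions; the directive names are standard OpenSSH ones (Ubuntu 12.04 ships OpenSSH 5.9, where root-by-key-only is spelled `without-password`; newer releases also accept `prohibit-password`).

```conf
# /etc/ssh/sshd_config fragment for a VM (added example, not from the article)
# Bind only to the VM's VPN address (assumed value), so the NAT-side interface
# never answers SSH at all.
ListenAddress 10.8.0.12

# Keys only: no passwords, no keyboard-interactive fallback.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Root may log in with a key but never with a password.
PermitRootLogin without-password

# Only members of this (assumed) LDAP group get shell access.
AllowGroups vmadmins
```

After editing, `sshd -t` checks the file for syntax errors before a restart, and `ss -tlnp | grep sshd` (or `netstat -tlnp` on 12.04) confirms the daemon is bound to the VPN address only. On the host machine the same two authentication lines apply, but `ListenAddress` is the public interface, since that is the one SSH port the article deliberately leaves exposed.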

Backing up whole virtual machines carries a very large overhead, but restoring such a backup is very easy. And synchronizing about 3 GB per day within your own physical network seems insignificant (that is roughly the size of the four system archives at the moment).
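The hybrid scheme from the Bittorrent Sync section and the host-side backup sequence from the security section, written out as one POSIX shell script. This is an added example, not the author's scripts from the Stack Overflow answer: it assumes the OpenSSL 1.1.1 or newer CLI, names the key pair backup-key.pem / backup-key.pub, and leaves the plaintext input in place rather than deleting it (only the backup step removes the intermediate archive). The VM name and image path given to backup_vm are whatever your VirtualBox setup uses; roundtrip_check and its sample payload are constructed for the self-test.

```shell
#!/bin/sh
# Added example, not the author's scripts: hybrid encryption of a VM backup
# with the OpenSSL CLI (1.1.1 or newer assumed), plus the host-side backup
# step. Assumed names: the key pair backup-key.pem / backup-key.pub, and the
# VM name and image path passed to backup_vm. Only backup_vm needs VBoxManage.
set -eu
umask 077   # every file this script creates (keys, archives) is owner-only

# init_keys NAME: 2048-bit RSA pair NAME.pem (private) and NAME.pub (public).
# The private key belongs only on the machine that will restore backups.
init_keys() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$name.pem" 2>/dev/null
    openssl pkey -in "$name.pem" -pubout -out "$name.pub"
}

# encrypt_hybrid FILE PUBKEY: a fresh random 256-bit key encrypts FILE with
# AES-256-CBC (PBKDF2-stretched passphrase) into FILE.enc; the key file is then
# RSA-OAEP encrypted with PUBKEY into FILE.key.enc and the plaintext key removed.
# FILE itself is left in place (the author's script deletes it).
encrypt_hybrid() {
    file="$1"; pub="$2"
    keyfile="$file.key"
    openssl rand -hex 32 > "$keyfile"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" \
        -in "$file" -out "$file.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$keyfile" -out "$keyfile.enc"
    rm -f "$keyfile"
}

# decrypt_hybrid FILE.enc PRIVKEY: recovers the symmetric key from FILE.key.enc
# (the key file name is derived from the archive name, as in the article),
# writes FILE, and removes the recovered plaintext key again.
decrypt_hybrid() {
    enc="$1"; priv="$2"
    base="${enc%.enc}"
    keyfile="$base.key"
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$keyfile.enc" -out "$keyfile"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
        -in "$enc" -out "$base"
    rm -f "$keyfile"
}

# backup_vm VMNAME IMAGE PUBKEY DESTDIR: the article's host-side sequence,
# pause -> gzip -> hybrid encrypt. The VM is resumed even if gzip fails, and
# only the encrypted pair is left in DESTDIR (the btsync folder).
backup_vm() {
    vm="$1"; image="$2"; pub="$3"; dest="$4"
    archive="$dest/$vm-$(date +%Y%m%d-%H%M%S).vdi.gz"
    VBoxManage controlvm "$vm" pause
    status=0
    gzip -c "$image" > "$archive" || status=$?
    VBoxManage controlvm "$vm" resume
    [ "$status" -eq 0 ] || { rm -f "$archive"; return "$status"; }
    encrypt_hybrid "$archive" "$pub"
    rm -f "$archive"            # plaintext archive must not reach the sync folder
    echo "$archive.enc"
}

# roundtrip_check DIR: constructed self-test; returns 0 when decrypt(encrypt(x)) == x
# and no plaintext key file is left behind.
roundtrip_check() {
    dir="$1"
    printf 'constructed sample backup payload\n' > "$dir/sample.bin"
    init_keys "$dir/backup-key"
    encrypt_hybrid "$dir/sample.bin" "$dir/backup-key.pub"
    mv "$dir/sample.bin" "$dir/sample.orig"
    decrypt_hybrid "$dir/sample.bin.enc" "$dir/backup-key.pem"
    cmp -s "$dir/sample.orig" "$dir/sample.bin" && [ ! -e "$dir/sample.bin.key" ]
}

if [ "${1:-}" = "selftest" ]; then
    d=$(mktemp -d)
    roundtrip_check "$d" && echo "hybrid round trip OK in $d"
fi
```

Run `sh backup.sh selftest` to exercise the round trip on a scratch file. Two design points worth keeping when adapting this: RSA is used with OAEP padding rather than the PKCS#1 v1.5 default, and the symmetric key is never written anywhere except a 0600 file that is removed right after use, so the only artefacts that reach the synchronized folder are the `.enc` archive and the `.key.enc` key. A pause does not flush the guest's in-memory state to the image, so an image taken this way is consistent only to the extent the guest had already written its data to disk.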

Conclusion


The described approach, in my opinion, achieves modularity and security when organizing a virtual workspace. Keeping everything functional when any of the purple (in the diagram) virtual machines, vmserver-web, vmserver-dev or vmserver-drive, is moved to another physical machine provides scalability.

On the other hand, I would like to hear in the comments the community's opinion on this way of organizing virtual servers, the tools used, and the questions raised in the introduction.

Source: https://habr.com/ru/post/186022/
