We are testing a new line of SSD VPS + a little insider from the life of a hoster
A month ago, we at Unihost conducted a full upgrade of the KVM VPS structure from HDD to modern and high-speed SSD VPS. The nerves of the managers subsided, the admins have played enough with the settings, which means it's time to take stock and share the experience gained.
This article does not claim to be innovative or deeply technical. Rather the opposite. We are fully aware that we have been delayed with the upgrade of the year, that is, at least 3 times. Nevertheless, we hope that we will help determine the choice of those who are still considering the acquisition of a virtual server and will save hosting providers who have not yet passed our way from possible errors.
Below you will find insider information about our hosting company: what problems you encountered as an international provider; how we managed to eliminate spamming by 100% and see comparative testing of the minimum tariff plans of the old and the new KVM VPS lines.
A bit of history
Many operate on the principle of "Works - do not touch." If the client is satisfied with everything and he brings money every month, why change something? For a long time, and so we looked at our old VPS structure with HDD.
Until mid-March 2017, all KVM VPS worked on hardware with SATA 6Gb / s hard drives in RAID1, Xeon® E3-1231 v3 processors and 32 GB of RAM for each physical server. Virtual machines were not the fastest, but they did what was expected of them. If the client needed hosting faster, we offered a low-cost dedicated server. Everything is logical.
Sales went, servers filled, the company expanded and entered the European and Asian markets, and with it came new problems that weren't working purely in the CIS.
Having connected the international processing of cards and PayPal, the popular Bitcoin and other international payments, we came across the concepts of Anti-Fraud, AML (Anti Money Laundering) and Chargeback. In addition, it’s not that news, but surprised by the number of people willing to host malicious and fraudulent sites, spam mailings, bot nets and more on servers. This inevitably led to receiving abuses (complaints) and, as a result, blocking individual IP addresses and even completely subnets. Unable to withstand the influx of "bad" users, we had to abandon the instant activation and issuance of ordered VPS. We have implemented a difficult verification system, starting with the project description and the goals of the web resource owner, ending with voice confirmations of orders, verification of documents and payment cards on scans / photos.
Naturally, this led to a decrease in new orders and an increase in negativity on the part of bona fide users, who also fell victim to new verification policies. And the structure of the VPS itself has become obsolete and cannot withstand fierce competition in the market.
Therefore, we decided not to continue in the same spirit. Spent a brainstorm. Tried the method of Kipling and synectic. Arranged an independent vote and came to the following conclusions:
- You need to create a product that will meet modern requirements (HDD is old, SSD is new and popular);
- Provide the most seamless transition for current customers who are satisfied with the fact that there is and will not want to move to a new structure;
- Solve problems with old VPS:
- complex customer verification;
- problems due to spam and other bullying projects;
- infections by viruses, shell, backdoors and other client sites and the consequences of this.
“Just ship it” period
It all started with the selection of iron for the new VPS. The best in terms of price and performance for us are servers with two Xeon® E5-2630v3 CPUs, 128GB DDR4 ECC 2133 MHz RAM, 4x800GB SSD from Samsung and Mega Raid with Fast Path technology. The servers are located in the European data center and are connected to the network at a speed of 1 Gbit / s with no traffic restrictions.
Thanks to the new equipment, it was possible to update the tariff line with an increase in the resources provided by 1.5-2 times (not counting the amount of disk space) and a rise in prices by 1.5 times. In addition, together with the SSD VPS, ISPmanager 5 Lite control panel is now provided free of charge, which in retail costs up to 4 euro / month.
Simplify order verification
As mentioned above, verification before activating a VPS is needed not only to verify payments and prevent unwanted returns, but also to minimize the risks of unfair use of our services. Completely get rid of the verification of payments is difficult - the world arena dictates its tough conditions. Nevertheless, we returned the instant activation of the VPS, and now the client has 3 working days to complete the payment information verification. Here it is standard: when paying with a bank card or PayPal, we request a scan or photo of the document confirming the identity and photo of the payment card (we recommend hiding the series / number of the document, as well as part of the card number and cvv). We practice a simplified check by phone or a simple clarification of the subject of the project. Naturally, verification is not required for existing customers with repeated orders.
Pros:
- Each client receives the ordered VPS within a few seconds after receiving the payment;
- The percentage of fraudulent payments has been significantly reduced and, as a result, the undesirable use of our service has decreased.
Minuses:
- Time costs from our side, as well as from customers for payment verification;
- Reduced customer anonymity. In fact, this is not a minus, because we do not provide anonymous or bulletproof services.
Eliminate the likelihood of spam
Spam - the most common and undesirable type of activity on servers
Wiki: Spam (eng. Spam) - mass mailing of commercial and other advertising or similar commercial types of messages to persons who did not express the desire to receive them.
Spam should not be underestimated. The problem is global in nature and every hoster has encountered it without exception. Even the bulletproof providers, who are ready to host any projects and content on their servers, have one exception - spamming.
Why is spam mailing so dislike hosters? The answer is simple - IP addresses from which mass mailing is conducted and to which spam complaints come are blacklisted. As a result, servers with these addresses are no longer suitable for further use - even for sending legal mail. All popular mail services will automatically perceive mail from “blackened” IP as spam and block it without additional checks.
How do providers solve this problem?
- Call center or large cloud services use specialized and expensive equipment to filter traffic.
- Hosters at various levels simply block port 25, which opens only after checking the client's web resource.
The second option we shallow immediately, because our goal - the most convenient and simple service. The first method is used at the level of our data center in Europe, where we place server equipment. However, this does not provide the solution we need, since there is a blocking of the same 25 port on the server from which there is a mass mailing - not necessarily spam.
Decision
There is nothing secret or super-complex. The e-mail is sent through port 25 - specialized equipment filters exactly it. We will redirect all email traffic from VPS via port 2525 to a separate server - relay (relay) with installed software: eFa (email Filter application). This software adjusts outgoing mail filtering by specified algorithms, adds addresses to the white or black lists, and trains the program itself to work effectively.
Pros:
- Users do not have any problems sending their email - they don’t even need to change their email server settings. Everything happens automatically on our side;
- We have completely protected clients from spam mailings, which can be conducted from servers without their knowledge after hacking access or injections into the code;
- We stopped the attempts of fraudsters to use our servers for their own purposes.
Minuses:
- Unable to deploy bulk email service to multiple IP. But our VPS and are not designed for this. For such needs, we provide dedicated servers.
We automate anti-virus protection
Habr is a popular IT resource. Here it is hardly necessary to talk about the need to protect data, the use of complex passwords, software updates, etc. However, not every hosting client cares to prevent hacking attempts or infecting its site. In this case, the violation of the integrity of the code can be considered the most innocuous, because it can be cured by a simple recovery from backup.
Much worse when, after hacking the site, Trojans or botnets are poured onto it, which lead to undesirable consequences: the ill-fated spamming, phishing pages, participation in DDoS attacks, etc. This inevitably results in Abusa and the risk of being left without VPS.
To minimize such effects, we implemented automatic scanning on the shell, backdoor and other malicious scripts. As of March 2017, there are 500,000 known viruses and trojans in our database. Self scanning takes place without affecting the work of VPS with user projects.
With a given periodicity (once every 2 days), our script creates copies of the LVM volumes of the client VPS and prepares the appropriate sections for mounting on a separate dedicated server. After mounting, the entire file system is scanned. Having detected a malicious code, the script automatically finds the registration data of the VPS owner and a letter notification is sent to the contact email when a problem is detected. At the same time, in our ticket system, in the Abuse section, a reminder is created about the need to check the client’s actions on cleaning his VPS.
One may ask, why do we not automatically cure viruses? The answer is simple and lies in the principle of providing VPS. A virtual server is a copy of a dedicated server, with root access and isolated resources. This means that in order to make any changes, our employees must also have root access to the client’s server. And this is contrary to the security policy and our principle - no interventions in the client code without his knowledge (request or consent). In order to simplify the work on the removal of malicious scripts from the site, we provide complete information in our knowledge base. And of course, if the user desires, we assist in troubleshooting problems on the servers within the administration package.
Pros:
- Preventing malicious and unwanted activity before it becomes a problem for us or the customers;
- Fully automated scanning process and notifying users, without interfering with the work of the VPS.
Minuses: - Given the specifics of providing VPS, not detected.
Small retreat
We plan to write detailed articles on legal, technical and other aspects of the implementation of the three solutions: verification, anti-spam and anti-virus scanning. If you have questions or requests, write them in the comments below. We will try to answer in new articles.
Now let's move on to comparing the old and the new KVM VPS structures
We are testing
We decided not to reinvent the wheel and took testvps sample scripts. For comparison, we chose two minimum tariffs - the old KVM-384 (1 cpu 3.4 GHz, 768 MB DDR3, 30 GB HDD) and the new KVM-1 (2 cpu 2.4 GHz, 1500 MB DDR4 ECC, 15 GB SSD).
Disclaimer Testing indicators were conducted on servers that are under normal workload in a specific period of time. Indicators do not claim to be true, and may differ when re-testing.
Test Benchmark - overall processor unit performance
| Type | KVM-384 (old) | KVM-1 (new) |
|---|---|---|
| Dhrystone 2 using register variables | 3681.5 | 6501.6 |
| Double-Precision Whetstone | 700.1 | 1690.2 |
| Execl throughput | 1326.5 | 2203.4 |
| Pipe throughput | 2561.2 | 4191.4 |
| Pipe-based Context Switching | 913.2 | 1538.3 |
| Process Creation | 1082.2 | 1932.2 |
| Shell Scripts (1 concurrent) | 2432.5 | 4649.4 |
| Shell Scripts (8 concurrent) | 2250.6 | 4335.2 |
| System Benchmarks Index Score | 2076.9 | 2895.4 |
Pros:
- Overall assessment of system indicators increased by 40%
- The increase in most indicators, including the execution of shell scripts has increased almost 2 times.
Minuses:
- not found
Test Disk - the main performance indicators of the disk subsystem
| Type | KVM-384 | KVM-1 |
|---|---|---|
| 3221225472 bytes written in / seconds: | 50.91 | 6.94 |
| on speed: | 60.34 MiB / sec | 442.72 MiB / sec |
| File operations: | ||
| reads / s: | 170.15 | 5630.07 |
| writes / s: | 113.43 | 3753.05 |
| fsyncs / s: | 357.51 | 12005.27 |
| 8.6 GB, 8.0 GiB copied / s | 144,183 | 11.9649 |
| 8.6 GB, 8.0 GiB copied, Mb / s | 59.6 | 718 |
| Throughput: | ||
| Read, MiB / s: | 2.66 | 87.97 |
| written, MiB / s: | 1.77 | 58.64 |
Pros:
- The speed of writing many small files increased 7 times, and one large file 12 times.
- The read / write throughput increased about 33 times!
- We also came to the conclusion that the use of the hardware raid of the controller instead of the software positively affected the performance. Additionally, the read speed has increased: when a hardware raid is running, 4 bytes are read by 1 byte from each disk. And when a software raid is running, reading occurs 2 bytes only from the main pair.
Minuses:
- Using RAID 10 does not provide the maximum speed that RAID 0 would give. We chose the best data security in the event of equipment failure, and minimizing downtime.
How do you feel about the fact that some hosters offer exactly RAID 0 to increase the speed of the VPS, but at the same time allow it to be idle when recovering user data up to 12 hours or more? What is your priority?
Test the speed of CMS Wordpress without additional optimization
| Type | KVM-384 | KVM-1 |
|---|---|---|
| Load time ms | 1810 | 903.7 |
| Number of requests / min, | 1492 | 6331 |
| read speed mb | 80.14 | 337.23 |
| Requests / sec: | 24.62 | 105.41 |
| Transfer / sec: | 1.32 | 5.61 |
Pros:
- Almost all indicators increased 4 times
- Site loading time decreased by 2 times.
Minuses:
- not detected
Let's sum up the comparison
Got the result that was expected. The new structure by all indicators exceeds the old one at times, and the read / write performance of the disk subsystem on the SSD is 33 times higher than the HDD.
Transfer customers to new VPS
Launch a new line of VPS is one thing. The next stage seemed to be more difficult - the transfer of current customers.
To ensure a smooth move without unnecessary downtime and haste, we decided that we would support the old structure for another 3 months. This means that customers have enough time to decide whether to switch to a new SSD VPS or look for other accommodation options. If so, then we offer a dedicated server :).
We were worried that the new tariff plans had less disk space. At the minimum tariff, the difference was only 5 GB, and at the older tariffs, the difference was more than 2 times. We carried out a simple analysis and saw that no client used the space provided 100% on the old VPS. This means that there will be no problems with resizing volumes during transfer.
Marketers prepared a newsletter with the news and, fingers crossed, sent it to customers.
Surprisingly, our fears were not justified - users responded positively. Many of them have been waiting for the transition of VPS to SSD from us. Now servers are filled with virtual servers of both current clients and new ones. We managed to bring our plans to life.
Feedback matters
We create a service based on the needs of current and potential customers. Therefore, we will be glad to your questions, advice and comments.
In the coming months, we will update the current hosting structure and make the company site more pleasant and easier to use. About all the nuances of this work, we will certainly share with you. Stay tuned for blog updates!
')
Source: https://habr.com/ru/post/327588/
All Articles