Shorewall and Proxmox VE Cluster Configuration
This is a follow-up article describing how to use Proxmox VE and Shorewall together. This article focuses on using Shorewall within your Proxmox cluster. If you have not read the first article I recommend that you do so; it will aid your understanding of what is going on in this one.
Network Layout and Shorewall Configuration
We are going to be using a bridging configuration. This is what Proxmox VE uses by default. Bridging allows for easy migration of hosts without having to re-configure the firewall each time a machine is migrated.
Proxmox VE does not come with a firewall by default. There are several solutions to this problem, but the most flexible and robust is integrating the Shorewall firewall. This document assumes a basic knowledge of the Shorewall program and will not cover all of Shorewall's capabilities, but it will give you a good working model to get you started. For more advanced topics check out the Shorewall documentation.
Shorewall will have 3 zones: 1) the fw zone, which is the Proxmox host, 2) the net zone, which is the Internet, and 3) the dmz zone, which is where the virtual machines will reside. The hardware has just one network interface card; vmbr0 is just a bridge interface.
Proxmox VE version 1.1 does not ship with a firewall. This is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until that time, here is an easy script that you can put on your Proxmox VE box to protect it and, if you so choose, the virtual machines running on it. This is based on http://wiki.openvz.org/Setting_up_an_iptables_firewall but works with KVM machines and is tailored to a Proxmox install.
Installation and Usage
Proxmox VE is a “bare metal” ISO Linux distribution that serves as a virtual machine platform. It is geared towards enterprise users and designed to be installed on enterprise grade hardware. The Proxmox VE distribution combines two virtualization technologies, KVM and OpenVZ, as well as a web interface to manage everything. Proxmox VE also integrates into its web interface a way to manage multiple computers as a cluster. For the rest of the article Proxmox VE shall be referred to as PVE. This article is written about PVE 1.1, the latest stable release.
OpenVZ and KVM are Linux-based virtualization programs; both are part of the Proxmox VE distribution. The goal of this article is to provide some knowledge on moving physical machines to virtual containers (OpenVZ) or fully virtualized machines (KVM). This article is not specific to Proxmox VE, and the principles outlined and scripts provided should work on "stock" KVM or OpenVZ machines with a few minor changes to path settings.
Proxmox VE is an example of the end product being greater than the sum of its parts. None of the technologies used to build Proxmox VE is unique; however, putting them all together and adding a nice interface is. Overall I am very impressed with the ease of use and quality of the software. The flexibility that is provided by virtualization plus the ease of administration provided by Proxmox VE is a great combination for anybody looking to use virtualization.
Backups are generally ignored until they are needed. Having good backups will save you much time and headache, and maybe even money. Having had backups fail before and having to pay thousands of dollars to recover the data is an experience that I hope to never have again.
VirtualBox (http://www.virtualbox.org/) is a virtualization platform. I use it to test out new Linux distributions as well as to run some limited tests of new software for customers. It can run on Linux or Windows hosts and can run quite a few guest operating systems. Installation in Ubuntu is a snap. First enable the VirtualBox repo if you don't want to use the open source edition. Edit your /etc/apt/sources.list. I added this to mine for gutsy:
deb http://www.virtualbox.org/debian gutsy non-free
FreeNX is the free open source version of the nomachine.org NX software. It is a VNC-like program that tunnels over SSH and uses compression to run well, even at high resolutions, over slow internet links. This program has many advantages over the VNC protocol. The biggest is security: it is built into the program from the ground up. All connections are encrypted and tunneled over SSH by default with FreeNX. FreeNX is also faster than VNC by a huge factor, which is a real plus on slow connections.
As many of you know, Zap2it has stopped providing free scheduling information for MythTV users. The solution that the developers of MythTV came up with was to help start a company called Schedules Direct (http://www.schedulesdirect.com) to provide the data. According to the Schedules Direct website: