Re: OpenBSD ESXi VMware image on Soekris Net5501
* Michal mic...@sharescope.co.uk [2009-05-21 11:01]: Oh I didn't realise it was that under-powered... oh now I just feel stupid :( Well, we are all laughing at you, but only because too many of us get hit with this bullshit at work. http://a2.vox.com/6a00d09e512cfdbe2b00f30f5b193a0001-pi I mean everyone knows VMware makes everything run faster, use less power, more securely, gives blowjobs under the table, etc. And the great part about your only tool being a hammer is you sure spend less time deciding what to use so it's more efficient :)
Re: OpenBSD ESXi VMware image on Soekris Net5501
I know that VMware does all that, I even hear the next release makes you coffee while you use it and not just instant, as in proper Colombian brewed coffee...fantastic. But still yes, every once in a while a smart arse pops his head up and claims he has heard of this VMWARE blah blah blah. It's nice to know I can bring a little bit of laughter to people's lives though, it sure beats everyone moaning at me as they cannot read e-mails clearly marked IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK, then moaning when their email doesn't work. -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Bob Beck Sent: 26 May 2009 17:35 To: Michal Cc: misc@openbsd.org Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 * Michal mic...@sharescope.co.uk [2009-05-21 11:01]: Oh I didn't realise it was that under-powered... oh now I just feel stupid :( Well, we are all laughing at you, but only because too many of us get hit with this bullshit at work. http://a2.vox.com/6a00d09e512cfdbe2b00f30f5b193a0001-pi I mean everyone knows VMware makes everything run faster, use less power, more securely, gives blowjobs under the table, etc. And the great part about your only tool being a hammer is you sure spend less time deciding what to use so it's more efficient :)
Re: OpenBSD ESXi VMware image on Soekris Net5501
When you've got something to start with job it up on Sourceforge and pop us a message on this list. Maybe some of us have a use for the same application and will want to help. On Fri, May 22, 2009 at 8:05 PM, Obiozor Okeke obiozorok...@yahoo.com wrote: Thanks Ross/Ed, yes we're going to dump the custom Windows app and use an open source solution using Samba's file share capability (with Samba running on OBSD of course :). --- On Fri, 5/22/09, Ross Cameron abal...@gmail.com wrote: From: Ross Cameron abal...@gmail.com Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: Ed Ahlsen-Girard eagir...@cox.net Cc: misc@openbsd.org Date: Friday, May 22, 2009, 9:05 AM On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard eagir...@cox.net wrote: On 2009-05-22 Ross Cameron wrote: Certainly the hardware chosen isn't anywhere NEAR potent enough,... and u're leaving ure whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware? There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. True but then again I generally find that rewriting and targeting the code for portability and re-use is worth the efforts in the long run. Painting yourself into a corner with regards to coding standards/languages/host OS are generally just a headache waiting to happen in the years to come. -- Opportunity is most often missed by people because it is dressed in overalls and looks like work. Thomas Alva Edison Inventor of 1093 patents, including: The light bulb, phonogram and motion pictures.
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 6:53 PM, obiozorok...@yahoo.com wrote: Well I'm certainly no expert in all this and I'm happy to be corrected before I make any more mistakes with my configuration. Man am I glad I put this post out because I'm getting such great feedback! I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically it's just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? Certainly the hardware chosen isn't anywhere NEAR potent enough,... and u're leaving ure whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware?
Re: OpenBSD ESXi VMware image on Soekris Net5501
On 2009-05-22 Ross Cameron wrote: Certainly the hardware chosen isnt anywhere NEAR potent enough,... and u're leaving ure whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware? There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. -- Ed Ahlsen-Girard
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard eagir...@cox.net wrote: On 2009-05-22 Ross Cameron wrote: Certainly the hardware chosen isn't anywhere NEAR potent enough,... and u're leaving ure whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware? There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. True but then again I generally find that rewriting and targeting the code for portability and re-use is worth the efforts in the long run. Painting yourself into a corner with regards to coding standards/languages/host OS are generally just a headache waiting to happen in the years to come.
Re: OpenBSD ESXi VMware image on Soekris Net5501
Ross Cameron wrote: On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard eagir...@cox.net wrote: -(snip)- There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. True but then again I generally find that rewriting and targeting the code for portability and re-use is worth the efforts in the long run. Painting yourself into a corner with regards to coding standards/languages/host OS are generally just a headache waiting to happen in the years to come. I am sympathetic with that POV. It's part of why I decided to learn Perl instead of VB when I wanted to automate accounts on a Windows web server. When I had to clean up and migrate a Linux web server years later (without having meaningful Linux experience), I was very happy about my choice.
Re: OpenBSD ESXi VMware image on Soekris Net5501
Thanks Ross/Ed, yes we're going to dump the custom Windows app and use an open source solution using Samba's file share capability (with Samba running on OBSD of course :). --- On Fri, 5/22/09, Ross Cameron abal...@gmail.com wrote: From: Ross Cameron abal...@gmail.com Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: Ed Ahlsen-Girard eagir...@cox.net Cc: misc@openbsd.org Date: Friday, May 22, 2009, 9:05 AM On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard eagir...@cox.net wrote: On 2009-05-22 Ross Cameron wrote: Certainly the hardware chosen isn't anywhere NEAR potent enough,... and u're leaving ure whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware? There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. True but then again I generally find that rewriting and targeting the code for portability and re-use is worth the efforts in the long run. Painting yourself into a corner with regards to coding standards/languages/host OS are generally just a headache waiting to happen in the years to come.
Re: OpenBSD ESXi VMware image on Soekris Net5501
Hi, 2009/5/21 Obiozor Okeke obiozorok...@yahoo.com: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client Thanks again all. Even if this were feasible (given the hardware limitations of the 5501), you would still have to maintain ESX in a manner which requires console access. Wrapping OpenBSD up in ESX defeats the typical purpose of using OpenBSD. ESX and other x86 virtualization software introduces a whole new vulnerable layer of software which requires patching and rebooting. Take it from the horse's mouth... A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009853 A memory corruption condition might occur in the virtual machine hardware. A malicious request sent from the guest operating system to the virtual hardware might cause the virtual hardware to write to uncontrolled physical memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4917 to this issue. 
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007507 VMware addresses an in-guest privilege escalation on 64-bit guest operating systems. VMware products emulate hardware functions including CPU, memory, and I/O. A flaw in VMware's CPU hardware emulation could allow the virtual CPU to jump to an incorrect memory address. Exploitation of this issue on the guest operating system does not lead to a compromise of the host system, but could lead to a privilege escalation on guest operating systems. An attacker would need to have a user account on the guest operating system. Affected guest operating systems include 64-bit Windows, 64-bit FreeBSD, and possibly other 64-bit operating systems. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007090 This is just a small sample. All this will get you extra complexity and the doubt that a problem with the guest software is really with it or the host. Shane
Re: OpenBSD ESXi VMware image on Soekris Net5501
I ran OpenBSD on ESXi on a Dell 905 at my old job and it worked quite well. It wasn't really fast, but it didn't need to be. All it did was mail web forms. The security auditors didn't even mention it in their report. Ed Ahlsen-Girard
OFF TOPIC: Re: OpenBSD ESXi VMware image on Soekris Net5501
David - it looks like my mobile device did a horrendous job of displaying your email so I apologise for coming off a bit half-cocked in the last email (and despite it being so much more OT conversation on the list, I still wanted to do it publicly). 2009/5/20 David Talkington dt...@flyingjoke.org: Kevin Wilcox wrote: that practically necessitates IBM, Sun, HP or Dell hardware. No it doesn't. That was based on my last review of the .pdf we received from our VMWare rep that was, admittedly, some time ago. I just checked the ESXi HCL and I'm glad to see that support has grown *substantially*, particularly with them offering ESXi. So, my apologies for outdated information. Skip the virtualisation cruft and install natively. That isn't a helpful or enlightened answer (not that one should expect help with this topic here). Agreed. A better reply (though perhaps less relevant) would be, O.P. - I do not have experience with OBSD on VMWare ESXi on a Soekris. I do have quite a bit of experience with OpenBSD on VMWare ESX on officially supported hardware and the results vary depending on load and how much tweaking you may or may not have to do with your configuration. For certain storage backends we have to do some minor voodoo to the disk configuration before the VM is made aware of the disk - this has caused several of our OpenBSD VMs to panic, an issue that in no way, shape, form or fashion am I blaming on OpenBSD - that problem lies with VMWare. On the other hand, I have virtualised OpenBSD firewalls on plain configurations sitting in front of virtualised servers (yes, it works for our needs) that never hiccup. The latest I am using is 4.4 as I've been unable to take any of those machines down for upgrade since receiving the 4.5 cds. 
Because of the quirks that are introduced with running on top of VMWare, if you have the hardware and this is a single use machine, I can't stress highly enough that, if at all possible, you should skip the virtualisation cruft and install natively. Performance *will* be better, as will reliability and the chance of finding some form of community assistance. O.P., you should start here for detailed ESXi hardware support info: http://www.vm-help.com/ And the official VMWare HCL here should you ever decide to move to supported hardware: http://www.vmware.com/resources/compatibility/search.php?action=base&deviceCategory=server kmw -- To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client Thanks again all. --- On Wed, 5/20/09, Diana Eichert deich...@wrench.com wrote: From: Diana Eichert deich...@wrench.com Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: misc@openbsd.org Date: Wednesday, May 20, 2009, 7:16 PM On Wed, 20 May 2009, Obiozor Okeke wrote: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. Thanks in advance The better question is, What nut are you trying to crack? Why would you even consider running a virtualization system on what is effectively a 486? Okay, a 500MHz 586, but still, it's slow to start with. diana Past hissy-fits are not a predictor of future hissy-fits. Nick Holland(06 Dec 2005)
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 06:47:08AM -0700, Obiozor Okeke wrote: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client No offense, but that's a terrible design. Get yourself two inexpensive systems (5501's are ok) and run them in a failover configuration. You have redundancy and the flexibility to alternate between releases. Without the headache of middleware patches, an unsupported configuration, etc. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenBSD ESXi VMware image on Soekris Net5501
Wow!! Thanks guys for all your advice and the vm-help.com site! The OpenBSD community is fantastic!!! --- On Wed, 5/20/09, Kevin Wilcox ke...@tux.appstate.edu wrote: From: Kevin Wilcox ke...@tux.appstate.edu Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: David Talkington dt...@flyingjoke.org, misc@openbsd.org Date: Wednesday, May 20, 2009, 7:44 PM David, I'm currently mobile and unable to track down the HCL for ESX/i myself - thus my mentioning them to the original poster with what I could remember off the top of my head about supported machines. If that was an insufficient response then the OP is more than welcome to ignore it. On the other hand, the OP could always say, oh, ESXi HCL, I wonder... and google 'vmware esxi hardware compatibility'. kmw On 20/05/2009, David Talkington dt...@flyingjoke.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is way OT for this list, but: Kevin Wilcox wrote: My understanding is that it has a strict HCL, Yes it does. that practically necessitates IBM, Sun, HP or Dell hardware. No it doesn't. Skip the virtualisation cruft and install natively. That isn't a helpful or enlightened answer (not that one should expect help with this topic here). O.P., you should start here for detailed ESXi hardware support info: http://www.vm-help.com/ Cheers -d - -- David Talkington dt...@flyingjoke.org - -- PGP key: http://www.flyingjoke.org/keys/801E3976.asc (What's this? 
http://en.wikipedia.org/wiki/Digital_signature) -- Sent from my mobile device To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, 21 May 2009, Obiozor Okeke wrote: Wow!! Thanks guys for all your advice and the vm-help.com site! The OpenBSD community is fantastic!!! FWIW, I've run ESXi on run of the mill desktops, you just have to know the various boot options to get the ESXi kernel to boot. But to sound like a broken record, I hate running highly customized configurations for production systems. Just because you can do something doesn't mean you should do something. However it's ultimately up to you, try it out and let us know how it worked. g.day
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, 21 May 2009, Obiozor Okeke wrote: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client Thanks again all. If you want to stick with the Soekris you might want to consider basing your solution on flashboot, http://lists.mindrot.org/pipermail/flashboot/2009-May/000223.html . Using a CF with multiple partitions would allow you to upgrade remotely the flashboot kernel. Of course this would take some work to fine tune the upgrade procedure to minimize failure mechanisms. diana
Re: OpenBSD ESXi VMware image on Soekris Net5501
Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. --- On Thu, 5/21/09, Jason Dixon ja...@dixongroup.net wrote: From: Jason Dixon ja...@dixongroup.net Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: Obiozor Okeke obiozorok...@yahoo.com Cc: misc@openbsd.org, Diana Eichert deich...@wrench.com Date: Thursday, May 21, 2009, 7:19 AM On Thu, May 21, 2009 at 06:47:08AM -0700, Obiozor Okeke wrote: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client No offense, but that's a terrible design. Get yourself two inexpensive systems (5501's are ok) and run them in a failover configuration. You have redundancy and the flexibility to alternate between releases. Without the headache of middleware patches, an unsupported configuration, etc. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenBSD ESXi VMware image on Soekris Net5501
Jason Dixon wrote: On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. Er yes, you will not be able to get there from here. Re-think. Don't run vmware on your firewall. If you virtualize your entire DC in to a single box, still don't run your firewall as a vm.
Re: OpenBSD ESXi VMware image on Soekris Net5501
-Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Jason Dixon Sent: 21 May 2009 17:08 To: Obiozor Okeke Cc: misc@openbsd.org; Diana Eichert Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/ What a helpful e-mail that was. Thanks for helping the community with that one
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 11:35 PM, Michal mic...@sharescope.co.uk wrote: -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Jason Dixon Sent: 21 May 2009 17:08 To: Obiozor Okeke Cc: misc@openbsd.org; Diana Eichert Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/ What a helpful e-mail that was. Thanks for helping the community with that one just think, a system with 500mhz and 512MB ram running two VMs. One of them is Windows (nt4? 98? 3.1?) , no less -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: OpenBSD ESXi VMware image on Soekris Net5501
Oh I didn't realise it was that under-powered... oh now I just feel stupid :( -Original Message- From: Edho P Arief [mailto:edhopr...@gmail.com] Sent: 21 May 2009 17:54 To: Michal Cc: misc@openbsd.org Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 On Thu, May 21, 2009 at 11:35 PM, Michal mic...@sharescope.co.uk wrote: -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Jason Dixon Sent: 21 May 2009 17:08 To: Obiozor Okeke Cc: misc@openbsd.org; Diana Eichert Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/ What a helpful e-mail that was. Thanks for helping the community with that one just think, a system with 500mhz and 512MB ram running two VMs. One of them is Windows (nt4? 98? 3.1?) , no less -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, 21 May 2009, Michal wrote: Oh I didn't realise it was that under-powered... oh now I just feel stupid :( No need to feel stupid, you added to the entertainment value of this thread. ;-) diana
Re: OpenBSD ESXi VMware image on Soekris Net5501
Well I'm certainly no expert in all this and I'm happy to be corrected before I make any more mistakes with my configuration. Man am I glad I put this post out because I'm getting such great feedback! I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically its just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? --- On Thu, 5/21/09, Dag Richards dagricha...@speakeasy.net wrote: From: Dag Richards dagricha...@speakeasy.net Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: misc@openbsd.org Date: Thursday, May 21, 2009, 9:24 AM Jason Dixon wrote: On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. Er yes, you will not be able to get there from here. Re-think. Don't run vmware on your firewall. If you virtualize your entire DC in to a single box, still don't run your firewall as a vm.
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, 21 May 2009, obiozorok...@yahoo.com wrote: SNIP I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically its just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? Yes, you could do this (please NOT on a Soekris) but your system won't be any more secure than the weakest link. We haven't really seen the exploits for ESX, yet. Virtualization is really cool, you could own the virtual hardware and the O/S would never know. It takes the issue related to binary blobs to a whole new level. diana
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 11:06 AM, Diana Eichert deich...@wrench.com wrote: SNIP . Virtualization is really cool, you could own the virtual hardware and the O/S would never know. It takes the issue related to binary blobs to a whole new level. Entire machine as binary blob - never thought of it that way, but it's sort of true.
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Thu, May 21, 2009 at 09:53:16AM -0700, obiozorok...@yahoo.com wrote: Well I'm certainly no expert in all this and I'm happy to be corrected before I make any more mistakes with my configuration. Man am I glad I put this post out because I'm getting such great feedback! I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically its just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? No. The traffic doesn't hit your vm first; it hits the host os first. Any and all network stack issues there are still in play. --- On Thu, 5/21/09, Dag Richards dagricha...@speakeasy.net wrote: From: Dag Richards dagricha...@speakeasy.net Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: misc@openbsd.org Date: Thursday, May 21, 2009, 9:24 AM Jason Dixon wrote: On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. Er yes, you will not be able to get there from here. Re-think. Don't run vmware on your firewall. If you virtualize your entire DC in to a single box, still don't run your firewall as a vm.
Re: OpenBSD ESXi VMware image on Soekris Net5501
2009/5/21 obiozorok...@yahoo.com: I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically it's just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? There are some strategic issues with virtualising a firewall. What should be the simplest, most rock solid member of your network is now on the same hardware as foo virtual machines. If one of the application servers is compromised then it's *possible* that the VMWare server itself could be compromised, rendering the firewall VM under the control of The Bad Guys. If one of the VMs screws the pooch and takes down the server then you've not only lost the ability to communicate with those servers, you've lost the ability to communicate with your firewall. If one of the application VMs isn't configured with proper resource limits then performance on the firewall will drop under periods of heavy traffic. For that matter, you've already introduced overhead on throughput of the firewall by forcing traffic to be received by the VM OS before it's received by OpenBSD. If the VM server is compromised then the things that can be done to traffic without ever actually disrupting the firewall are almost certainly fun fun fun (in all fairness, I haven't tried mucking with traffic on ESX/i, this is based entirely in speculation). I'm sure there are obvious things that I'm missing but these are the ones that blast the loudest through my brain when I think about virtualising a firewall.
As I stated before, I have done it and there are a few that I maintain - and they do their job well - but that doesn't mean I condone the practice in general and it surely doesn't suggest that I think it's something that should be done on a whim or with a light attitude. It is dangerous and unsupported and you need to understand there is significant risk in doing so. kmw -- To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
Dag Richards wrote: Jason Dixon wrote: On Thu, May 21, 2009 at 08:05:52AM -0700, Obiozor Okeke wrote: Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA *whew* Thanks, I needed that. Er yes, you will not be able to get there from here. Re-think. Don't run vmware on your firewall. If you virtualize your entire DC in to a single box, still don't run your firewall as a vm. Run a firewall on *hardware* that is not doing anything else. The firewall is practically by definition the thing that is NOT protected by something else; have no additional holes in it or in what it relies on. Like VMWare, or a Windows application server. -- Ed Ahlsen-Girard Ft. Walton Beach FL
Re: OpenBSD ESXi VMware image on Soekris Net5501
Many, many thanks to all who responded! I now plan to run my OpenBSD firewall *stand-alone* directly on a Soekris box for sure (no VM) and isolate all else on a separate box running the ESXi that fully supports the ESXi HCL. Many thanks to all the developers and especially Theo for creating IMHO the world's greatest OS!! --- On Thu, 5/21/09, Kevin Wilcox ke...@tux.appstate.edu wrote: From: Kevin Wilcox ke...@tux.appstate.edu Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: obiozorok...@yahoo.com Cc: misc@openbsd.org Date: Thursday, May 21, 2009, 11:39 AM 2009/5/21 obiozorok...@yahoo.com: I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically it's just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? There are some strategic issues with virtualising a firewall. What should be the simplest, most rock solid member of your network is now on the same hardware as foo virtual machines. If one of the application servers is compromised then it's *possible* that the VMWare server itself could be compromised, rendering the firewall VM under the control of The Bad Guys. If one of the VMs screws the pooch and takes down the server then you've not only lost the ability to communicate with those servers, you've lost the ability to communicate with your firewall. If one of the application VMs isn't configured with proper resource limits then performance on the firewall will drop under periods of heavy traffic.
For that matter, you've already introduced overhead on throughput of the firewall by forcing traffic to be received by the VM OS before it's received by OpenBSD. If the VM server is compromised then the things that can be done to traffic without ever actually disrupting the firewall are almost certainly fun fun fun (in all fairness, I haven't tried mucking with traffic on ESX/i, this is based entirely in speculation). I'm sure there are obvious things that I'm missing but these are the ones that blast the loudest through my brain when I think about virtualising a firewall. As I stated before, I have done it and there are a few that I maintain - and they do their job well - but that doesn't mean I condone the practice in general and it surely doesn't suggest that I think it's something that should be done on a whim or with a light attitude. It is dangerous and unsupported and you need to understand there is significant risk in doing so. kmw -- To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
On 2009-05-21, Diana Eichert deich...@wrench.com wrote: On Thu, 21 May 2009, Obiozor Okeke wrote: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client Thanks again all. If you want to stick with the Soekris you might want to consider basing your solution on flashboot, http://lists.mindrot.org/pipermail/flashboot/2009-May/000223.html . Using a CF with multiple partitions would allow you to upgrade remotely the flashboot kernel. Of course this would take some work to fine tune the upgrade procedure to minimize failure mechanisms. with flashboot, it's reasonably ok on a single partition too, just point boot.conf at the right one after downloading. failure recovery would usually involve a serial port, resetting, and typing at the boot prompt, but if it's not too disastrous a failure you might get away with setting the bios to turn the reset button over to software control and having some daemon check the gpio pin and, when the button's detected, revert to a previous boot.conf.
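The button-triggered rollback described in the message above, as an added sketch that is not from the thread or from flashboot. The file locations, the `.prev`/`.failed` naming and the `read-reset-pin` helper (a hypothetical wrapper around gpioctl(8) that prints 1 while the button is pressed) are assumptions.

```shell
#!/bin/sh
# Added sketch: revert boot.conf when the reset button is held.
# Assumptions (not from the thread): paths, the .prev/.failed naming,
# and that PIN_CMD prints 1 while the button is pressed.
BOOT_CONF=${BOOT_CONF:-/etc/boot.conf}
PREV_CONF=${PREV_CONF:-/etc/boot.conf.prev}
PIN_CMD=${PIN_CMD:-/usr/local/sbin/read-reset-pin}  # hypothetical gpioctl(8) wrapper
HOLD_SAMPLES=${HOLD_SAMPLES:-3}   # consecutive "pressed" reads required
POLL_SECS=${POLL_SECS:-1}

# Return 0 only if the pin reads as pressed HOLD_SAMPLES times in a row,
# so a glitch or a brief touch does not trigger a rollback.
button_held() {
    n=0
    while [ "$n" -lt "$HOLD_SAMPLES" ]; do
        [ "$($PIN_CMD 2>/dev/null)" = "1" ] || return 1
        n=$((n + 1))
        [ "$n" -lt "$HOLD_SAMPLES" ] && sleep "$POLL_SECS"
    done
    return 0
}

# Put the previous boot.conf back. Returns 0 on success, 1 if there is
# nothing to revert to (missing, empty or identical), 2 if a copy failed.
revert_boot_conf() {
    [ -s "$PREV_CONF" ] || return 1
    cmp -s "$PREV_CONF" "$BOOT_CONF" && return 1    # already reverted
    tmp="$BOOT_CONF.new.$$"
    cp "$PREV_CONF" "$tmp" || { rm -f "$tmp"; return 2; }
    [ -f "$BOOT_CONF" ] && cp "$BOOT_CONF" "$BOOT_CONF.failed"
    # rename within one directory is atomic: never a half-written boot.conf
    mv "$tmp" "$BOOT_CONF" || { rm -f "$tmp"; return 2; }
    return 0
}

# Daemon loop: poll the pin; on a held button revert, log and reboot.
watch_button() {
    while :; do
        if button_held && revert_boot_conf; then
            logger -t bootrevert "reset button held, reverted $BOOT_CONF"
            ${REBOOT_CMD:-reboot}
            return 0
        fi
        sleep "$POLL_SECS"
    done
}

# Only loop when started with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then watch_button; fi
```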
OpenBSD ESXi VMware image on Soekris Net5501
Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. Thanks in advance
Re: OpenBSD ESXi VMware image on Soekris Net5501
* Obiozor Okeke obiozorok...@yahoo.com [090520 19:40]: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. Thanks in advance So in other words, you plan to run OpenBSD on top of ESXi. Moreover, you plan to run ESXi on a Soekris. This doesn't smell like a recipe for success. It may be possible, but the light weight nature of a Soekris would preclude ESXi and anything as a VM in my opinion. I don't know if you can even boot/run ESXi on a Soekris. Better to just install OpenBSD natively on the Soekris and skip VMWare altogether. HTH, Jim
Re: OpenBSD ESXi VMware image on Soekris Net5501
This is doomed to failure, mostly because I am *almost* certain that you'll never get ESXi to install on a Soekris. My understanding is that it has a strict HCL, very similar if not identical to the HCL for ESX, that practically necessitates IBM, Sun, HP or Dell hardware. Skip the virtualisation cruft and install natively. kmw On 20/05/2009, Obiozor Okeke obiozorok...@yahoo.com wrote: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. Thanks in advance -- Sent from my mobile device To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
On 2009-05-20, Obiozor Okeke obiozorok...@yahoo.com wrote: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. It's slow enough on a dual core xeon with VT enabled and sufficient ram. Even if this did work on a Geode (highly unlikely since the latest version doesn't even work on some HP ML servers properly) it would be so horribly painful you wouldn't want to do it anyway. What problem are you trying to solve?
Re: OpenBSD ESXi VMware image on Soekris Net5501
This is way OT for this list, but: Kevin Wilcox wrote: My understanding is that it has a strict HCL, Yes it does. that practically necessitates IBM, Sun, HP or Dell hardware. No it doesn't. Skip the virtualisation cruft and install natively. That isn't a helpful or enlightened answer (not that one should expect help with this topic here). O.P., you should start here for detailed ESXi hardware support info: http://www.vm-help.com/ Cheers -d -- David Talkington dt...@flyingjoke.org -- PGP key: http://www.flyingjoke.org/keys/801E3976.asc (What's this? http://en.wikipedia.org/wiki/Digital_signature)
Re: OpenBSD ESXi VMware image on Soekris Net5501
On Wed, 20 May 2009, Obiozor Okeke wrote: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments is appreciated. Thanks in advance The better question is, What nut are you trying to crack? Why would you even consider running a virtualization system on what is effectively a 486? Okay, a 500MHz 586, but still, it's slow to start with. diana Past hissy-fits are not a predictor of future hissy-fits. Nick Holland(06 Dec 2005)
Re: OpenBSD ESXi VMware image on Soekris Net5501
David, I'm currently mobile and unable to track down the HCL for ESX/i myself - thus my mentioning them to the original poster with what I could remember off the top of my head about supported machines. If that was an insufficient response then the OP is more than welcome to ignore it. On the other hand, the OP could always say, oh, ESXi HCL, I wonder... and google 'vmware esxi hardware compatibility'. kmw On 20/05/2009, David Talkington dt...@flyingjoke.org wrote: This is way OT for this list, but: Kevin Wilcox wrote: My understanding is that it has a strict HCL, Yes it does. that practically necessitates IBM, Sun, HP or Dell hardware. No it doesn't. Skip the virtualisation cruft and install natively. That isn't a helpful or enlightened answer (not that one should expect help with this topic here). O.P., you should start here for detailed ESXi hardware support info: http://www.vm-help.com/ Cheers -d -- David Talkington dt...@flyingjoke.org -- PGP key: http://www.flyingjoke.org/keys/801E3976.asc (What's this? http://en.wikipedia.org/wiki/Digital_signature) -- Sent from my mobile device To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'