[Discuss] Securing a VMware ESXi server at a colo site?

[jabr at blu.org (John Abreau)]

My backup solution is for each guest VM to back itself up. I already do
this for the old servers that I plan to replace with guest VMs: each server
runs a nightly cron job that backs itself up to Amazon S3 in a manner that
mimics rsnapshot.



On Tue, Mar 10, 2015 at 11:51 AM, Edward Ned Harvey (blu) <blu at nedharvey.com
> wrote:

> > From: John Abreau [mailto:abreauj at gmail.com]
> >
> > I did a bit of googling to see how to setup a vpn server on the ESXi
> host, and it
> > seems that's not possible. And managing the host through a vpn running
> on a
> > guest VM sounds unreliable; if you need to use the management console to
> > fix a problem that affects the vpn server guest, you have no access to
> the
> > management console until the problem is fixed.
> > So it seems I'll still need a separate physical server to provide the
> vpn.
>
> Correct(ish).
>
> You should not imagine ESXi as being a "normal" linux - although it runs a
> linux kernel, it has little to no semblance to any normal linux
> distribution that you're used to.  It is intended to be a bare metal black
> box, and it's generally best to let it be that way.  As I said before,
> there is some useful stuff you can do via ssh, but good reasons to avoid it.
>
> Presumably you have some other backup solution available, right?  Don't
> expect the host OS to do anything useful in terms of software raid or
> backups, or even hardware raid management.  HW raid management is a whole
> separate subject - Some things you can do, others you can't.
>
> The *best* solution is to have the ESXi host running VM's, which are
> network shared via iscsi from a storage server, which is *designed* to do
> storage and iscsi well (such as a ZFS server).  I like to run ESXi
> diskless, because they do crap for disk management.
>
> You *can* install a VPN server in a VM running on the ESXi host - and I
> have before - and it works fine - as long as nothing goes wrong with that
> guest VM.  Some time ago, I had to put in extra effort to make pfSense work
> in a VM, but I think the recent versions actually support it, or something
> - you can check with pfSense if you want.
>
> Of course, if anything goes wrong with your ESXi host, you'll be glad to
> have a separate hardware vpn, and remote access to the iLom or whatever.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6