Subject: Re: A Xen configuration
To: Julio M. Merino Vidal <jmmv84@gmail.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 09/08/2005 23:51:08
On Thu, Sep 08, 2005 at 02:52:22PM +0200, Julio M. Merino Vidal wrote:
> Hi all,
> 
> [ please CC me any replies ]
> 
> I've just upgraded my home server's hardware to a Pentium III
> 450MHz and 512MB of memory.  I'm planning to set up a KDC
> (and possibly a PDC for the Windows machines) but, as you
> know, these services should be as isolated as possible to
> avoid compromising the whole network in case of attack to
> other services (web, etc.).  I can't afford keeping more machines
> running, so maybe Xen is a good idea in this scenario.
> 
> Basically, what I have in mind is the following:
> - Have a domain 0 that does firewalling and NAT between the
>   Internet and my home network.  This also bridges between the
>   subdomains and the home network.
> - Have a subdomain that runs the KDC and related authentication
>   services.
> - Have a subdomain that runs any other servers, such as thttpd,
>   monotone, ssh, ntp and bind.
> 
> Do you think setting this up is worth the effort (WRT security) or
> should I just go and run everything as usual, in a single system?
> Will the machine be powerful enough to handle this?  (I'd expect
> it to need more memory.)

This machine should be powerful enough. I would guess that the
domain0 and KDC's domU won't need much memory, so allocating 64M for each
should be enough. Xen needs 32M, so this leaves 352M for the second domU.
It's up to you to see if it's enough or not :)

Also, keep in mind that in the current state, NetBSD/xen copies network
packets between dom0 and domUs. If you have lots of traffic to a domU this can
be a problem. 

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--