… And the new server is in.

Aug 17th
Posted by Michael Trausch as AllTray, GNU/Linux, computing, programming, site maintenance

The new server is now in. The whole trausch.us domain is now running from it, aside from one service (my email MX backup for my desktop machine). And even better, it’s being run in a Linux Container. The server now has the ability to (very efficiently) stand in for at least 10 servers, nicely compartmentalized from each other, and after I add a few firewall rules to finalize the containment between public services and network-local (LAN) services for our home network, the containers will have effective separation between them. The set of rules that I’ll be dropping in will:

  • Bar a container from SSH’ing into its host system,
  • Bar a container housing public services from SSH’ing into any of its sibling systems that are not also public (i.e., firewalling against the entire RFC1918 set of networks), and
  • Bar a container housing completely private services from communicating with any non-RFC1918 addressed machine.

This way, I can ensure that services that I absolutely want kept private (such as the database servers) are that way without chance of mistake. In situations where one of the private machines must have communication with the public Internet (for example, the database server needs to be able to replicate over the Internet to its sibling), a whitelist rule to permit exactly that communication will be dropped in, and all is well and good.
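As an added example (not code from this post), here is one way to express the three containment rules above, plus the replication whitelist, as iptables rules on the container host. The addresses, the bridge name br0, the replication peer 203.0.113.5 on port 5432, and the assumption that container veths sit on a host bridge with net.bridge.bridge-nf-call-iptables=1 (so bridged traffic traverses FORWARD) are all mine.

```shell
#!/bin/sh
# Container containment rules (added example). Every address and interface
# below is an assumption; adjust to the real layout before applying.
# Run with IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"
BRIDGE=br0                      # host bridge the container veths attach to
PUBLIC_CT=192.168.1.10          # container housing public services
PRIVATE_CT=192.168.1.20         # container housing private services (e.g. DB)
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Rule 1: no container may SSH into the host. Traffic terminating on the
# host itself is seen in INPUT, not FORWARD.
block_ssh_to_host() {
  $IPT -A INPUT -i "$BRIDGE" -p tcp --dport 22 -j DROP
}

# Rule 2: a public container may not SSH into private siblings, i.e. into
# anything in the RFC1918 ranges.
block_public_to_private_ssh() {
  for net in $RFC1918; do
    $IPT -A FORWARD -s "$PUBLIC_CT" -d "$net" -p tcp --dport 22 -j DROP
  done
}

# Rule 3: a private container talks only to RFC1918 addresses, except for an
# explicit whitelist entry (replication peer and port) that is inserted
# before the catch-all DROP so it wins.
restrict_private_container() {
  peer="$1"; port="$2"
  $IPT -A FORWARD -s "$PRIVATE_CT" -d "$peer" -p tcp --dport "$port" -j ACCEPT
  for net in $RFC1918; do
    $IPT -A FORWARD -s "$PRIVATE_CT" -d "$net" -j ACCEPT
  done
  $IPT -A FORWARD -s "$PRIVATE_CT" -j DROP
}

apply_all() {
  # Let replies to allowed connections through before the per-container rules.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  block_ssh_to_host
  block_public_to_private_ssh
  restrict_private_container 203.0.113.5 5432   # assumed replication peer
}

# Only apply when explicitly asked: `sh rules.sh apply` (or IPT=echo for a dry run).
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Rule ordering matters: the whitelist ACCEPT for the replication peer must precede the private container's catch-all DROP, which apply_all guarantees.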

My original plan was going to be to use KVM, and have the choice of running any operating system I wanted. This didn’t work well with the storage strategy that I wanted to employ, though, without writing a lot of custom scripts to manage it for me. Xen wouldn’t boot a Dom0 Linux kernel on my hardware (and NetBSD would not install successfully), and so I figured I had two reasonable choices left: FreeBSD jails and Linux Containers. I installed FreeBSD, at first, thinking back to when I ran it on servers as my first choice of operating system. The more I was thinking about the jobs that the server would be performing—along with the fact that the server was going to be performing many Linux-specific jobs, at least that is in the plans—I realized that jails under FreeBSD would probably not be the ideal solution. So I started tinkering with container support on Linux. So far, I am pleased with it. It’s very much like FreeBSD jails, in that you can have a separate namespace for processes, mounts, and networking. I think the mounts part is different from jails, since I don’t think you can mount new filesystems in a BSD jail (or at least, couldn’t at the time I used them, when they were very new; they may now have a tweakable or just support it outright). That said, it works nicely. It can be easily managed with default system configuration files and minor additions to the init scripts. (It can probably even be managed as an Upstart job, as I do with my DNS server, but I haven’t gotten there just yet.)

Currently, there are only two containers running on the server, though that will change very soon.  Containers/VMs were the very reason I needed to make this setup in the first place…

In Other News…

I am still stuck on AllTray.  I somehow still do not completely understand the code that I’m going to need to write to get the minimize-instead-of-close feature to work properly, nor how to elegantly handle various situations that it seems like will arise once it is written.  Once I “get it” (or someone else is able/willing to make it happen), the next release of AllTray will be made.  It looks as though that will definitely not be in time for inclusion in the forthcoming distribution releases for the latter half of the year, but I will try to build packages for then-current distributions and work to get the new AllTray into the next versions of distributions soon after that.  I’m not giving up; I’m just stuck at the moment.
