
I have one fairly powerful server running VMware ESXi to allow for multiple virtual machines to handle different purposes. Currently I have 7 set up:

  • PHP Development
  • PHP Staging
  • RoR Development
  • RoR Staging
  • ASP.Net Development
  • ASP.Net Staging
  • Core (Samba, OpenLDAP, DNS DHCP, git)

My questions are:

  1. Which functions should be run on their own server and why? For example, should I split up the Core server and add another virtual machine to run DNS only or DHCP and DNS, another vm to run git only?

  2. What are some common setups within a network and what major functions am I missing to run a proper development network... i.e. intrusion detection? I know this question is subjective to the work being done, but just any obvious ones that may be helpful to operation, maintenance, or security.

Note: If anyone can edit the tags to be more appropriate to the question that would be appreciated.

user29600

2 Answers


These days, with VMs being so cheap and easy, I tend to virtualise on a per-function basis. That makes for maximum flexibility (migration, upgrade, etc etc) and minimises the need for later rework ("oops, those functions aren't as combined as I thought they were").

womble
  • Additionally I tie the services to CNAMEs and load balancers whenever possible so I can do immediate cutovers. – Jodie C Jul 05 '11 at 14:50
  • Aye, service CNAMEs are freaking awesome, and should be used exclusively. Hostnames are for accessing the host itself, and nothing else. – womble Jul 05 '11 at 14:59
  • Did a bit of Googling on tying services to CNAMEs, couldn't find any articles... do you have one you could link me to? (Also please check out my question below your comment on LDAP) – user29600 Jul 05 '11 at 15:17
  • It's pretty trivial... instead of putting `fred.example.com` in the "SMTP server" field of everyone's mail client, you put `smtp.example.com` and make a `mail CNAME fred` DNS entry. Ditto for `imap`, `pop3`, `ldap`, `phpdev`, `www`, `rordev`, `git`, `samba`, etc etc etc etc. – womble Jul 05 '11 at 22:27
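The service-CNAME pattern from the comments above, as an added example that is not part of the original thread: a small Python checker over a constructed BIND-style zone fragment (the `example.com`/`fred` names are taken from the comment, `wilma` and `barney` are made up) that follows each service alias to the host backing it and flags aliases that dangle or loop, which is the check worth running before pointing clients at an alias.

```python
"""Audit the service-alias pattern: every service name (smtp, imap, ldap,
git, ...) is a CNAME that chases, within the zone, to a host with an A record."""
import re

# Constructed sample zone: hosts get A records, services get CNAMEs.
# 'wiki' is deliberately left pointing at a host that does not exist.
ZONE = """
$ORIGIN example.com.
fred    IN A     192.0.2.10
wilma   IN A     192.0.2.11
smtp    IN CNAME fred
imap    IN CNAME fred
ldap    IN CNAME wilma
git     IN CNAME wilma
www     IN CNAME smtp
wiki    IN CNAME barney
"""

def parse_zone(text):
    """Return {name: (rtype, rdata)}; reject a CNAME sharing a name with
    other data, which RFC 1034 forbids and resolvers handle inconsistently."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line or line.startswith("$"):       # skip $ORIGIN/$TTL directives
            continue
        name, _cls, rtype, rdata = re.split(r"\s+", line, maxsplit=3)
        if name in records and "CNAME" in (rtype, records[name][0]):
            raise ValueError(f"{name}: CNAME cannot coexist with other records")
        records[name] = (rtype, rdata)
    return records

def resolve_alias(records, name, max_hops=8):
    """Follow the CNAME chain inside the zone. Return the final host that
    owns an A record, or None if the chain dangles or loops."""
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            return None                            # dangling: target not in zone
        if rec[0] == "A":
            return name
        name = rec[1]                              # another CNAME hop
    return None                                    # loop or chain too long

def audit(text):
    """Map every service alias to its backing host; None flags an alias
    that must be fixed before any client is pointed at it."""
    records = parse_zone(text)
    return {n: resolve_alias(records, n) for n, (t, _) in records.items() if t == "CNAME"}
```

Aliases that point outside the zone are reported as dangling here because the check is purely offline; extend `resolve_alias` with a real lookup if you alias to external hosts.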

While I agree with Womble in general, the definition of "per-function" might be blurry. Unless you have a huge environment (from your description, you don't), I would absolutely keep DNS and DHCP on a single server. Unless you have strong reasons not to (like performance needs, or incompatible maintenance windows, etc), I would also keep Samba and LDAP on the same server.

For question 2 : you have no redundancy in your description. All of your core services should have some redundancy or failover. DNS is a biggie, LDAP is a biggie if it's part of your authentication, Samba is also a likely candidate. DHCP is good and easy to make highly available with split scopes. A lot (or all) of these core services should be on separate hardware; otherwise, you have an enormous single point of failure.

You also have no backup infrastructure listed : every IT shop that does anything should have backups. There are very few scenarios where you don't need any backups.

As far as other common major functions : it really depends on your environment and needs, which you haven't told us. Do you have to manage desktops? Are they Windows, or Linux, or Mac? Then you might want something that can manage those machines. Samba can do for Windows a lot of what Windows Server with AD and GPOs do, but not as easily (as I understand it.) Do you build a lot of machines? Then you might want a PXE/Kickstart/other sort of build infrastructure. Do you need to keep a log of what your users browse on the web? Might want a Squid proxy or something similar. IDS/IPS : maybe you need that, maybe you don't. How would we know?

mfinni
  • Nope, I say keep DNS and DHCP separate, and *definitely* LDAP and Samba. Hell, just throw LDAP down a deep hole and be three lengths ahead. – womble Jul 05 '11 at 15:00
  • Why do you say that about LDAP? When setting up Samba people kept saying to use LDAP to authenticate for Samba... – user29600 Jul 05 '11 at 15:15
  • Everything is backed up to an off site server nightly using bacula and then offloaded to the cloud. Yes, I'm managing desktops that are both Windows and Linux, no Macs. What is good for managing them? You wouldn't know exactly what I need, hence the reason why I said it's subjective, I was just asking for common functions people find useful... only if it was possible. Thanks for the help. – user29600 Jul 05 '11 at 15:20
  • LDAP is a pain in the arse... it was a small amount of hyperbole on my part, but I wish it'd die in a fire. To use Samba properly these days it's hard to get away from LDAP, unfortunately. – womble Jul 05 '11 at 22:24
  • @womble: Thanks, I guess I'll keep LDAP and Samba together and try to fight to get it to work. I have someone I might be able to bring in to help me with that one... – user29600 Jul 06 '11 at 15:04