Cheap, Easy Virtual Hosts for Web-Based Services
Richard L. Goerwitz III
01/13/05
Are you...
Flooded with requests for new web servers?
– E.g., blogs, wikis
– Internal test boxes
– Sandboxes for classes, projects
– Front ends for apps (e.g., webmail)
– Dynamic/DB-driven sites for research
– Cross-institutional, collaborative sites
How Are You Responding?
Buying lots and lots of hardware?
– 1U units
– Blades
– Re-purposed desktops
Setting up virtual HTTP hosts?
– Name-based (Apache) virtual hosts
– IP-based virtual hosts
Moving to virtual hardware?
– VMWare
– Other server virtualization solutions
Problems With These Responses
Buying lots and lots of hardware:
– Requires rack space, power, cooling
– Costs $$; requires hardware, OS licenses
– Means OS installs, more patching
Setting up virtual HTTP hosts:
– Creates two “single” points of failure
– Offers “accounts,” not true sandboxes
– Opens horrendous security holes
  – Break-in on one vhost compromises all vhosts
  – Users share single process space, database
More Problems
Moving to virtual (VMWare) hardware:
– Requires OS licenses, installs, patching, as with real servers
– Uses as much disk space as real servers
– Requires virtualization licenses and extra in-house expertise
– Adds some virtualization overhead
– (VMWare) performs poorly on fork/exec
What Have We Missed?
Aha! We've missed one solution. This solution requires:
– Little (or no) additional hardware
– Little additional disk space
– Few (or no) additional OS licenses
– No special virtualization software
– No manual patching
– No shared webservers or databases
Solution: Chrooted Hosts
Unix programs may be chrooted, i.e., run from an alternate root directory.
Whole sets of programs may be run together from such a root directory.
Coupled with a basic filesystem, this alternate root can be made to look like a distinct “chrooted” host:
– Has its own /home, logging, daemons
Chrooted Web Hosts
– Look/act mostly like full web servers
– Offer relative security and isolation
– Serve as terrific sandboxes
– Can run Apache, database instances
– Can take remote SFTP xfers (SSHd)
– Utilize 400 meg apiece as a baseline
– Cheap!
But, but...
Q: Don’t chrooted web hosts require a lot of time and skill to set up and maintain?
A: Yes, and no
– Setup mostly scripted at Carleton
– Patching can also be automated
– User credentials can be maintained centrally via LDAP
But, but... (2)
Q: Can't chrooted web hosts be “escaped,” compromising the parent host?
A: Yes, but
– Difficult (esp. with no /proc, suid stuff)
– Requires some skill, compiler tools
– Even so, unlikely—especially with strong monitoring and off-host logging
But, but... (3)
Q: Can't one out-of-control chrooted web host impact the performance of all the others?
A: Yes, and no
– Sure, this can happen
– But remember that daemons in chroots live in separate process space
– So, a small cron job can go and auto-lower priorities of excessively busy processes
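The priority-lowering cron job described above, as an added example that is not Carleton's own script: it reads each process's root from /proc on the base host (the chroots themselves have no /proc), selects processes that run under a non-"/" root and exceed a CPU threshold, and renices them. The threshold, nice value, script name and the use of procps `ps`, `renice` and `logger` are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Carleton's cron job): lower the priority of runaway
# processes that live inside a chroot, so one busy virtual host cannot
# starve the others. Assumes Linux /proc on the base host plus procps ps,
# renice and logger; threshold and nice value are arbitrary choices.

CPU_THRESHOLD=${CPU_THRESHOLD:-50}   # percent CPU above which we act
TARGET_NICE=${TARGET_NICE:-15}       # nice value to assign

# Read "pid pcpu root" lines on stdin and print the pids that are both
# above the CPU threshold and running under a root other than "/".
# Kept separate from process collection so the policy can be tested offline.
select_busy_chroot_procs() {
    threshold=$1
    awk -v t="$threshold" '
        NF >= 3 && $3 != "/" && ($2 + 0) > t { print $1 }
    '
}

# Build the "pid pcpu root" list for live processes. The root of a process
# is read from /proc/PID/root; processes we may not inspect are skipped.
list_procs_with_root() {
    ps -eo pid=,pcpu= | while read -r pid pcpu; do
        root=$(readlink "/proc/$pid/root" 2>/dev/null) || continue
        printf '%s %s %s\n' "$pid" "$pcpu" "$root"
    done
}

# Cron entry point: renice every qualifying process and log what was done.
lower_busy_chroot_procs() {
    list_procs_with_root | select_busy_chroot_procs "$CPU_THRESHOLD" |
    while read -r pid; do
        renice -n "$TARGET_NICE" -p "$pid" >/dev/null 2>&1 &&
            logger -t chroot-renice "reniced pid $pid to $TARGET_NICE"
    done
}

# Act only when run directly as chroot-renice.sh (e.g. from cron), not when
# the file is sourced to exercise select_busy_chroot_procs.
if [ "${0##*/}" = "chroot-renice.sh" ]; then
    lower_busy_chroot_procs
fi
```

Installed as /etc/cron.d entry running every few minutes, the log lines also give an off-host record of which chroot hosts keep misbehaving.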
How-To Part 1: Base Server Setup
– Install RedHat Enterprise Linux AS 2.1/3.x
– Add Apache, database, related modules
– Bind base server’s Apache, database, SSHd instances to base IP address
– Create virtual IP interfaces that chroots will later bind to (in a big batch)
– Create corresponding generic DNS names
– Set up LDAP authentication
How-To Part 2: Template Setup
(At Carleton this step is scripted)
Run make_chrootenv utility
– Reads list of software to go into chroots
– Constructs master chroot template
Check template to be sure it has all the desired software
– Add software, recreate template as needed
How-To Part 3: Host Setup
Invoke copy_chrootenv utility to set up a new host
– Bind to IP address set up earlier on
– IP address should have a corresponding generic DNS name like WebHost-1...edu
Create CNAME record for new host
Add user accounts, software
Verify SSHd, HTTPd, etc. startup
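Parts 2 and 3 above, as an added example that is not Carleton's make_chrootenv or copy_chrootenv: a template builder that reads a list of binaries, copies each one plus the shared libraries `ldd` reports into the template root, and a clone step that copies the template into a per-host root and records the virtual IP its daemons should bind to. The directory skeleton, the `hosts.conf` file name and the presence of `ldd` on the base host are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Carleton's make_chrootenv/copy_chrootenv: build a minimal
# chroot template from a list of binaries, then clone it into a per-host root.
# Assumes a Linux host with ldd; the skeleton and hosts.conf are our choices.

# Copy one file into ROOT at the same absolute path, creating parent dirs.
install_into_root() {
    root=$1; path=$2
    mkdir -p "$root$(dirname "$path")"
    cp -p "$path" "$root$path"
}

# build_chroot_template ROOT LISTFILE
# LISTFILE holds one absolute binary path per line (blank lines and # comments
# are ignored). Each binary and the shared libraries ldd reports are copied,
# so the chroot carries only what the listed software needs and nothing else.
build_chroot_template() {
    root=$1; listfile=$2
    # Skeleton a daemon expects: its own /home, /etc, log dir and tmp.
    for d in etc home tmp var/log var/run dev; do mkdir -p "$root/$d"; done
    chmod 1777 "$root/tmp"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$listfile" |
    while read -r bin; do
        [ -f "$bin" ] || { echo "skip missing $bin" >&2; continue; }
        install_into_root "$root" "$bin"
        # ldd prints "name => /path (addr)" or "/path (addr)" lines; static
        # binaries make it fail, which is fine (nothing to copy).
        ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                     $1 ~ /^\// { print $1 }' |
        while read -r lib; do
            [ -f "$root$lib" ] || install_into_root "$root" "$lib"
        done
    done
}

# clone_chroot_host TEMPLATE NEWROOT IPADDR
# Copies the template (ownership and modes preserved) and records the virtual
# IP that the new host's Apache/SSHd instances are to bind to.
clone_chroot_host() {
    template=$1; newroot=$2; ip=$3
    [ -d "$template" ] || return 1
    cp -a "$template" "$newroot"
    printf 'BIND_ADDR=%s\n' "$ip" > "$newroot/etc/hosts.conf"
}
```

Populating /dev and creating the per-host accounts (LDAP in Carleton's case) are left to a later step, since both need root and site-specific policy.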
Current Uses at Carleton
Current uses for chrooted web hosts at Carleton include:
– Blogs, wikis, webmail
– Faculty projects
  – Esternay
– Various other one-off sites
  – Caucus
  – GIS (only viewable at Carleton)
Future Uses at Carleton
Future uses of chrooted web hosts at Carleton may include:
– Sandboxes for classes, student projects
– More faculty projects
– Cross-institutional, collaborative projects
– On-demand hosts for anyone wanting a private dynamic and/or database-driven website
Way Out Ideas
– Build a web interface that allows (e.g., faculty) to create chrooted web hosts on demand
– Automate setup, archiving, teardown of chrooted web hosts for classes
– Build a general interface for creating, archiving, and tearing down all chrooted hosts
Conclusion
Chrooted web hosts are not only cool; they've been a life saver:
– Easy to set up, patch, maintain
– Use little/no disk/rack space
– Offer reasonable security
– Cost virtually nothing
– Help us greatly in meeting demand for web servers and web-based services