Koozali.org: home of the SME Server

Suggestion for a new project - 64 bit runtime environment for SME 7.3/8.0

Offline arne

I have an SME 7.3 gateway with a Vmware server plus diverse virtual installations. The only problem is that everything works. The installation is as user-friendly and stable as it can be, and there are no problems left at all :sad:.

So I thought it would be interesting to look into other well-working ways of doing this virtualization stuff.

Here is a suggestion for a project:

A standard 64 bit PC is used as the base for the project. Centos 5.1 and Vmware server are installed. An installation of SME 7.3 (and/or SME 8.0) is made, running in server-only mode and bridged over to the internal network card in this virtual environment.

Then, on the 64 bit host system, a firewalling system is developed that can support 2, 3 or 4 network adapters plus a wireless client or an integrated wireless access point, as required.

This setup could possibly solve almost all the firewalling questions and all the wireless networking questions that have been raised in this forum (??!!). I don't know if this really will help performance, but there will be a 64 bit Centos host system between the 32 bit SME server and the 64 bit processor. (I don't know how direct the hardware access is via the Vmware server.)

If this project is not against some "rules" or some "ideology" in this forum, possibly it could be done? (Like the rule: Do not make naughty things with the SME server firewall :grin:.)

Should the forum for this be only this thread, or somewhere else? Is there anyone interested in doing such a project?

The project will actually contain a number of sub-projects: how to do the firewalling thing, how to do the wireless client thing, how to do the wireless access point thing, and how to make it all work together in a reasonable way (while doing these things in the Centos 5.1 host operating system). As long as Vmware does the virtualization thing in a quite excellent and user-friendly way, and as long as the SME server does what it does, the remaining part of it should be just "standard Linux" related to the Centos host. (That might be developed further to work as some kind of automated runtime environment later on.)

The idea would in some way be a new version of the old idea "the box that does it all".
« Last Edit: February 02, 2008, 05:02:47 PM by arne »
......

Offline william_syd

  • Nothing to see here.
    • http://www.magicwilly.info
« Reply #1 on: February 02, 2008, 10:53:31 PM »
Why not install a SmoothWall firewall. Have vmware server run on that with SME as guest in server only mode.

Regards,
William

If I give advice.. It's only if it was me....

Offline arne

« Reply #2 on: February 02, 2008, 11:41:56 PM »
I was thinking the same thought and I was also searching their forum to see if there were any projects like this. I did not find one. I don't know if the Smoothwall has the basic design to carry a relatively heavy work load. I would believe not, even though I think it is based on Centos as well.

The Centos 5.1/64 is, I think, designed for carrying a workload and for all-round use.

I have now got the first test installation running. A Centos 5.1/64 gateway installation at the bottom of the installation does the job of firewall gateway and also the job of being the host system for the Vmware server. Then I have a SME 7.3 and a Windows 2000 as guest systems. The Centos 5.3 does only the firewalling plus the runtime environment for the Vmware server, and then all server functions including dhcp are carried out by the SME 7.3 and eventually other guest operating systems. The Windows 2000 installation is more or less just for testing.

There is no doubt it can be done, using a Centos 5.1 at the bottom like this, and it appears to perform quite nicely.

One interesting thing to see is whether it is possible to install a wireless network card and let it act as a wireless access point as well. I would guess that this can work. I used to have 5 boxes at my server place: 3 servers, one switch and one wireless access point. There are still 3 boxes left and it is interesting to see if it can be reduced to only one box that does it all.

By the way, it appears that I do not have full track of the Centos 5.1 installation procedure yet. The problem is knowing exactly which compilers, library files, etc. are needed. I end up every time installing far too many things before it will work, and that's no good from a security point of view. If anyone knew how to make a more "minimalistic" installation it would be great.

Here are some links I used:
http://www.cyberciti.biz/tips/vmware-on-centos5-rhel5-64-bit-version.html
http://www.mokonamodoki.com/vmware-server-on-centos-5
http://www.centos.org/modules/newbb/viewtopic.php?forum=5&topic_id=2071&viewmode=thread
http://communities.vmware.com/thread/119750
(But they did not prevent me from installing too much software.)
......

Offline arne

« Reply #3 on: February 03, 2008, 03:05:52 PM »
The "64 bit gateway" idea: it would be interesting to hear some comments or ideas about this. The idea of setting up a Centos 5.1 64 gateway as a host system and letting this do the firewalling and networking things, while the virtual SME 7.3 does the server things, seems to be working quite well. It is possible to move the firewall problems out of the server and down to the host operating system when the host operating system is Linux. The firewalling system of Linux seems to be working quite perfectly together with the Vmware server.

On the other hand I was not able to get full functionality from the Atheros 64 wireless driver, so I was not able to run the network adapter in "Master mode" (to act as an access point). I don't know if this would have worked if the driver had worked, but I guess it would.

I then also gave a Windows 2003 test installation a try, as I believed that the Windows operating system might have more easy support for the wireless adapter. What did work was to run the wireless adapter in Managed mode and just to use this as a network connection for the virtual SME 7.3. If anyone would like to connect a SME server to the net and there is no cable, it can be done by running it virtually on Windows and let the windows installation do the Wireless networking.

I then tried to set up the Windows 2003 as a gateway by enabling firewalling and forwarding. What then appeared to be the case was that all those nice little network configuration tools of the Vmware Windows installation stopped working. (Or was it just me?) It looks like the situation is that there is full firewalling/NAT routing compatibility between Linux and Vmware server and nothing of the same for a Windows host system.

The idea of letting a Centos 5.1/64 gateway do the firewalling and act as a host system for the virtualization does work, but my wireless network adapter doesn't in this environment, so I don't know how much further I will go on this project as a one-man show.

Running Centos 5.1/64 at the bottom might perform well, but it will anyhow appear like some kind of "hobby project" working "almost like it should" and with some loose ends, unless you put a lot of work into it.

The Centos 7.3 on the other hand does the Vmware virtualization as the host and as the guest, with the "the beauty of heaven" and with no loose ends or bugs at all.

If anyone else has some ideas or some other points of view about this subject it would be interesting to know.
« Last Edit: February 03, 2008, 03:07:59 PM by arne »
......

Offline arne

« Reply #4 on: February 04, 2008, 01:05:13 AM »
In the end, a reasonably clean installation of Centos 5.1 with vmware server, without a lot of extras:

<Basic Centos 5.1/64 installation>
yum update
<reboot, because there will be a new kernel !!>
<If no reboot there will be a lot of problems !!>
yum install gcc
yum install kernel-devel*
yum install libXtst-devel libXrender-devel
yum install xinetd
<download vmware server rpm>
 rpm -ivh VMware-server-1.0.4-56528.i386.rpm
vmware-config.pl

Question: Should these modules or some of them be removed again? (Or will this make it impossible to run the configuration script again ..) (Eventually: yum remove gcc .. etc) (Well, they could be installed again.)

Next: Download the Vmware console for Windows and do a remote login to the server. Insert the SME 7.3 CD into the server, and install as many virtual SME servers as required, only restricted by HD and RAM.

****
Some usable info:
http://www.centos.org/docs/5/
« Last Edit: February 05, 2008, 01:55:10 AM by arne »
......

Offline arne

« Reply #5 on: February 05, 2008, 02:21:29 AM »
I now have a SME 7.3 32 bit Vmware virtualization gateway, and a Centos 5.1/64 Vmware server on my network. Both work nicely and without a known issue. The native forwarding mechanism of the SME gateway can be used to forward to any virtual machine on the gateway or on the Centos server.

Open question 1:

The two old wireless network questions, now recirculated and in a new setting. It appeared that the Centos 64 kernel does not support my Atheros card. Installing a madwifi rpm did give the option of running the network card in Managed mode, but not in Master mode. Is there anyone in this forum who knows how to make Atheros/Madwifi fully work with Centos 5.1 64? (The idea was to let the underlying host operating system do the wireless communication and then in some way to connect this established data connection further on to the virtual SME server.) (This approach has been tested with Windows 2003 as host operating system and SME 7.3 as guest and it worked fine for Managed mode.)

Open question 2:

When doing a minimum Centos installation, this minimum actually includes a number of running processes. Would it be an idea to shut down a few of them? There is an easy Centos command "ntsysv" to control processes. There are also some easy tools to see what processes are running: "pstree" and "chkconfig --list". Is there anyone who knows which processes can or should be shut down to run Vmware server with maximum stability and performance? (Do I need bluetooth support and a mailserver?)

[root@pc-00249 ~]# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
NetworkManagerDispatcher        0:off   1:off   2:off   3:off   4:off   5:off  6:off
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
capi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
conman          0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
dhcdbd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
dund            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
hidd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
oddjobd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
pand            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
vmware          0:off   1:off   2:on    3:on    4:off   5:on    6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yum-updatesd    0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        eklogin:        off
        ekrb5-telnet:   off
        gssftp:         off
        klogin:         off
        krb5-telnet:    off
        kshell:         off
        rsync:          off
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off
        vmware-authd:   on


Note: If anyone uses the Putty client against the Centos 5.1 and gets ugly-looking layouts, change the character set of Putty to UTF-8. (Right-click the top blue bar and select settings.)

Some info:
http://nixcraft.com/web-servers/2172-useless-services-centos-vds-vps.html
(VDS: virtual dedicated server; the info might not apply completely to a server running on ordinary hardware.)

*****
Some notes:

Set up a wireless access point:

Installed rpms:

madwifi-hal-kmdl-2.6.18-53.1.6.el5-0.9.3.3-39.el5.x86_64.rpm

madwifi-kmdl-2.6.18-53.1.6.el5-0.9.3.3-39.el5.x86_64.rpm

Edited into the file

/etc/modprobe.conf

alias ath0 ath_pci
options ath_pci autocreate=ap

Then made this file

/etc/sysconfig/network-scripts/ifcfg-ath0

DEVICE=ath0
USERCTL=yes
TYPE=wireless
HWADDR=00:20:e0:ff:ea:54
BOOTPROTO=static
IPADDR=192.168.1.5
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
GATEWAY=192.168.1.1
ONBOOT=yes
MODE=Master
ESSID=Centosmaster

Running as master/access point but configuration not finished.


« Last Edit: February 06, 2008, 02:01:39 AM by arne »
......
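Open question 2 in the post above can be approached mechanically by diffing the services that are actually enabled against a written allowlist. The following is an added example, not part of the original posts: the function names and the allowlist contents are assumptions, and the sample listing is a shortened, constructed copy of the one posted.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output against an allowlist.
# On the host:  chkconfig --list | audit_services 3 /root/allow.txt

# enabled_services RUNLEVEL: reads the listing on stdin, prints SysV services
# that are "on" in RUNLEVEL and xinetd services that are "on" (as xinetd/NAME).
enabled_services() {
    awk -v rl="$1" '
        /^xinetd based services:/ { in_xinetd = 1; next }
        NF == 0 { next }
        in_xinetd {                      # e.g. "  vmware-authd:   on"
            name = $1; sub(/:$/, "", name)
            if ($2 == "on") print "xinetd/" name
            next
        }
        {                                # e.g. "sshd  0:off ... 3:on ..."
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on")) { print $1; break }
        }
    ' | LC_ALL=C sort -u
}

# audit_services RUNLEVEL ALLOWFILE: prints enabled services missing from
# ALLOWFILE (one name per line, "#" comments allowed).
# Returns 0 when nothing unexpected is enabled, 1 when there are findings.
audit_services() {
    _allow=$(mktemp) || return 2
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$2" |
        LC_ALL=C sort -u > "$_allow"
    _found=$(enabled_services "$1" | LC_ALL=C comm -23 - "$_allow")
    rm -f "$_allow"
    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}

# Constructed sample: a shortened copy of the listing in the post above.
sample_listing() {
    cat <<'EOF'
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
vmware          0:off   1:off   2:on    3:on    4:off   5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        vmware-authd:   on
EOF
}

# Assumed allowlist for a VMware host administered over SSH; not from the post.
sample_allowlist() {
    cat <<'EOF'
iptables
network
sshd
syslog
vmware
xinetd
xinetd/vmware-authd   # listed as "on" in the post
EOF
}
```

Keeping the allowlist in a file and re-running the audit after each `yum update` shows when a package has switched a service back on.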

Offline arne

« Reply #6 on: February 07, 2008, 12:48:49 AM »
Hopefully someone can use this information sooner or later.

It did work well to set up a wireless card managed by the host system, in such a way that it can be used as a common resource for all virtualized systems. There is actually no need to touch the configuration of the guest operating system at all.

Here is how I set up the host operating system based wireless access point:

1. Installed two network adapters. eth0 is used for Vmware bridging to virtual Vmware machines. eth1 is used for Linux bridging to the wireless adapter.

2. Installed an Atheros wireless adapter. Downloaded and installed Madwifi drivers (rpm's)

Then configured like this, and it was working:

 /etc/modprobe.conf

alias ath0 ath_pci
options ath_pci autocreate=ap

/etc/sysconfig/network-scripts/ifcfg-ath0

DEVICE=ath0
USERCTL=yes
TYPE=wireless
HWADDR=00:0F:EA:8D:B2:10
BOOTPROTO=static
IPADDR=10.0.0.12
NETMASK=255.255.255.0
BROADCAST=10.0.0.255
GATEWAY=10.0.0.1
ONBOOT=yes
MODE=Master
ESSID=HalloNetwork

/etc/sysconfig/network-scripts/ifcfg-eth0

# nVidia Corporation MCP55 Ethernet
DEVICE=eth0
HWADDR=00:16:17:93:8b:a8
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.0.11
GATEWAY=10.0.0.1
TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth1

# nVidia Corporation MCP55 Ethernet
DEVICE=eth1
HWADDR=00:16:17:93:ad:4d
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.0.13
GATEWAY=10.0.0.1
TYPE=Ethernet

/etc/rc.d/rc.local

ifconfig ath0 0.0.0.0 down
ifconfig eth1 0.0.0.0 down
brctl addbr br0
brctl addif br0 ath0
brctl addif br0 eth1
brctl stp br0 off
ifconfig br0 10.0.0.14
ifconfig ath0 up
ifconfig eth1 up


I think it will be enough with only one network adapter for ordinary managed mode (eth0 + ath0)

Still missing: Encryption and firewall.

Note: The Vmware server might (will) stop working after the reconfiguration. The trick is to run the configuration script again at the end of it all. Just selecting the default all the way will also work. (vmware-config.pl)

Temporary solution for encryption (wep):

/etc/sysconfig/network-scripts/ifcfg-ath0

KEY=xxxxxxxxx

Turn on/off radio:

iwconfig ath0 txpower off
iwconfig ath0 txpower on

About the experiment with reducing the number of running processes: when closing down some processes that were believed to be unnecessary, this gave a dramatic drop in performance. The configuration was reset back to its original settings as delivered by RedHat (ntsysv).

CORRECTION: I believe the last statement above is incorrect. The reason that the processor load increased might be that the number of virtual kernels was increased from one to two. Running with two virtual kernels seems to produce some overhead. On the other hand, there does not seem to be much to gain from reducing the number of running processes in a basic Centos installation.


If anyone has ideas, can see anything that could be better, etc., it would be nice to know.
« Last Edit: February 13, 2008, 03:37:53 PM by arne »
......

Offline arne

« Reply #7 on: February 13, 2008, 02:54:47 AM »
The Centos 5.1 / 64 - How it ended.

After xxx hours of testing/failures/trying it ended up like this:

1. Even though it can be done and even though it also works, I think I found out that the implementation of a wireless access point messes up the host system too much, so I ended up returning to my old Netgear box for the wireless AP part of the project.

2. Centos 5.1/64 was installed as host system with Vmware server.

3. The host system was set up with zero IP addresses. External IP, internal IPs and gateway IP addresses are applied to virtual machines only.

4. Smoothwall was installed as virtual nat firewall/gateway that receives the external ip.

5. SME server 7.3 was installed as virtual general Linux server.

6. Astlinux was installed as virtual Asterisk server.

7. Windows 2000 was installed as virtual Windows client for remote access.

8. The installation was tested with 2, 3 and 4 ordinary network adapters, each of them connected to the green, orange, purple, and red connection of the virtual Smoothwall firewall. As this conforms best with my needs, I reduced the number of network adapters to only two, configured as a red and green zone at the virtual Smoothwall firewall.

9. Diverse other servers can be installed as required. (And if you use more than two zones you can also connect them to the security zone you like.)


William_syd ->

Quote
Why not install a SmoothWall firewall. Have vmware server run on that with SME as guest in server only mode.

That's almost what I am doing. The only change is that the SmoothWall is not the host system, it is the virtual firewall running on top of a Centos 5.1/64 host system. Except for that, functionality is much the same as suggested.


It's almost unbelievable to see how all the properties and functions of Vmware Server + Smoothwall 3.0 + SME 7.3 + Astlinux + Windows 2000 can be combined into one server installation. The free Vmware server is really a great product .. (I think the same arrangement could also have been/can be set up with Xen, but with a bit more bugs and problems, so anyway it will be a good idea to prototype things with Vmware first.)

I will now give this "virtual firewall" arrangement some testing, but I will believe it will work.

By the way, I now have two alternative installations that can do the same, one with Sme 7.3 "at the bottom" as host system and one with Centos 5.1 as host system. Basically they can do the same, but the last one has also implemented the firewalling functions of Smoothwall, and it can work with 2, 3 and 4 network adapters (and a wireless zone) etc.


If anyone should be interested in some more details and information about this installation it's just to post some words:

« Last Edit: February 13, 2008, 03:05:29 AM by arne »
......