Thursday
Jul102014

Telus rebuttal

An interesting article from Telus, partially debunking an article by Michael Geist concerning an OECD report on cellular service in Canada. It’s a good mix of information, some of which is entirely pertinent, other bits less so which I’m going to try and add a little bit more context from the point of view of a Canadian who has lived in the US and France and travelled for work in England and western Europe.

We’re not about to argue that Canada has the cheapest wireless rates in the world – that would be no more factual than the oft-repeated mythology that our prices are the highest. The facts, however, prove Canadians pay very competitive rates for some of the best wireless technology in the world – backed by very high investment by TELUS and our competitors.

A nice mix of truth and semi-truthfulness here. Canada clearly does not have the cheapest wireless rates, nor the highest. Competitiveness is in the eye of the analyst and it’s true that Telus and other Canadian telcos do invest a lot. It’s also worth noting that current investments are higher than normal due to the ongoing transition from existing networks to next generation LTE networks though so the investment figures need to be taken with a grain of salt.

One key fact – Canadian pricing is better than the U.S. in 12 of the 15 wireless pricing categories the report looks at. The U.S. has similar geography and economic conditions (including incomes) as Canada, though 10 times the population, and therefore makes for a better comparison than countries with far denser – and therefore less expensive to serve – populations and far lower average incomes.

Overall, I have to agree here that the US is the closest natural comparison economically. However, the vast bulk of western Europe is comparable in terms of economic activity and average income, albeit with generally higher average population densities.

A second fact – when you look at Mr. Geist’s chart, note we are being compared to countries like Slovenia, Slovakia, and Turkey – hardly a legitimate comparison when you consider their markets and economies are vastly different from ours. Despite that, if you focus on the high-usage tiers for smartphone service, which are the most relevant for comparison because that’s where the average Canadian sits, we finish 21st and 22nd out of 34 countries. That’s about average. If you compare us to just the G7 countries, which have more comparable economies, we finish third and fourth out of seven – right in the middle. As mentioned above, we do even better when compared to the U.S. one-to-one.

In general I have to agree with these statements. Slovenia, Slovakia and Turkey are emerging economies working withing vastly different economic conditions and regulatory frameworks.

A third key fact – the OECD report’s methodology is limited. It is not a comprehensive report, but rather it takes a random sampling of one or two plans for each country in each category and does not take into account the different flavour of services in countries. Their reports often end up comparing apples to oranges as a result.

Here I have to agree as the report methodology is non-optimal for this kind of comparison.

The wireless data-only plans are a good example of this. At first glance it looks like Canadian prices are high for these plans – which are typically used on a laptop with a thumb-sized wireless modem. However, scratch the surface and you find that Canadian data-only plans offer customers far better speeds than plans in other OECD countries do. The OECD itself notes that in the 10GB basket, the plan representing Finland only delivers up to 400Kbps, Estonia 1 Mbps, and Canada 100 Mbps! They’re more expensive because they’re better plans, on better networks, and deliver vastly superior customer experience.

It’s true that data only plans are badly regrouped in the report. I would note that this is worth revisiting in a couple of years once LTE is the predominant standard. For example, Free.fr in France currently has 40% of their network running on LTE and there is no price differential between 3G and 4G access.

The OECD report also does not factor in the fact that most Canadian providers subsidize handsets for customers whereas that is uncommon or unknown in many OECD countries. Ignoring an upfront cost of $500 or more is not comparing apples to apples. It also does not factor in that typically Europeans pay for two or more wireless accounts because they frequently travel between countries or cannot get the all-in pricing North Americans take for granted – for example, one account for daytime calls, a second one for evening and weekend calls. That’s why you get penetration rates of 160 per cent in Norway – 1.6 wireless devices for every adult and child in the country.

This is actually untrue in western Europe. While there are many operators that offer unsubsidized plans, there is also a high mix of subsidized plans as well. However, I have yet to see significantly discounted plans in Canada for those people willing to pay up front for their terminal.

There is also the question of why many people have multiple devices in Europe. In many cases, employment legislation makes the use of “Bring Your Own Device” to the office non viable so employers furnish a telephone for work and people have their own personal devices. At the same time, à la carte offerings and no contract options make it possible for a higher percentage of people to have cellular plans for their iPads and Android tablets which bumps up the penetration rates.

The argument regarding all-in pricing is frankly bullshit. It’s worth noting that in most european countries, there is no notion of long distance calling, as price separation is set based on calls destined to land lines vs other cellular phones. To give the example, here is a resumé of the no-contract Free.fr offering : - unlimited calls to cell phones in continental France, French islands and territories, USA, Canada, Hawaii - unlimited calls to land lines in France and 41 countries (USA, Canada, Belgium, England, …) - unlimited SMS to continental France, French islands and territories - unlimited MMS to continental France - unlimited use of Wifi hotspots (automatic connection via EAP-SIM) - 3 Gb of data in continental France (bandwidth reduction over this limit)

All of this for 20€/month. Note clearly that the european standard is moving to reduce bandwidth rather than surcharges for overage situations.

Which raises a fourth fact. The report highlights, and Mr. Geist ignores, that Canadian carriers invest almost twice as much in technology and infrastructure per customer than the OECD average. The only country that invests more is Australia, and that’s because they are undertaking a massive tax-payer funded infrastructure project. Our investment is all private, at no cost to taxpayers.

This is undeniably true. Part of this addresses the geographic constraints imposed by Canada’s huge size, but also must be considered in the light of the current infrastructure upgrades to LTE which are not being pursued with equal vigor in all countries, notably due to the economic issues affecting countries like Italy and Spain.

Consider that world-leading level of private investment in the context of population density, and the challenges that come with serving a vast, sparsely populated landscape. Canada has only 12 subscribers per square km, compared to an average of 37 in the U.S. and 312 in the UK. If you factor out the unpopulated areas of Canada that don’t have wireless networks and only include the geography that does have wireless service, we are still serving the 200th least densely-populated landmass in the world. Despite this, 99 per cent of Canadians have access to cutting-edge wireless technology.

While this is certainly true, when you map actual coverage to population density, Canada is a lot more like Europe than telcos would have you believe. Cellular coverage is destined primarily to urban environments where there is sufficient population to justify the investments. Extracting the unpopulated areas gets us closer to a reasonable comparison, but note that the density figures are not quoted in this comparison.

That investment back into service for our customers comes out of the profits we earn, and is directly responsible for the quality of the networks we offer. TELUS alone has invested $100 billion in Canada since 2000. On the back of that investment Nokia Siemens, an international telecom technology firm, found TELUS has the best 4G LTE network in the world – best quality, least dropped calls. I’m very proud of that, and the work that made that remarkable achievement possible.

So that’s a little less than $10B per year which is a perfectly reasonably outlay for covering a country like Canada. For reference, the 2012 investments by operators in France came to 10B€ and around 8B€ in 2011 so it looks like these numbers are pretty much par for the course.

When you consider our enormous investment, challenging geography, sparse population and outstanding networks Canada really SHOULD be the most expensive country for wireless service in the OECD, but we’re not. That’s a great success story we should be celebrating.

Agreed that the investment is proportional to the challenge, but the pricing is still significantly higher for equivalent service. The closest I’ve found according to Telus for a smartphone with 3Gb of data comes to $95 vs 20€ not including free international calling. If I consider the fact that I’m using a cellular equipped iPad plus an iPhone, I get to $165 vs 40€ in order to have 6Gb total.

Don’t let the critics with a vested interest in a well-established, but ill-informed, position spin you on this one. Scratch the surface of their arguments and get to the facts.

Scratch further and you get more contextualized facts.

Wednesday
May072014

Whither the Mac Mini?

Whither the Mac Mini ?

I’ve been a fan of the Mac Mini for ages now and with the ability to run (albeit unsupported) VMware ESXi makes it a wonderfully useful method for hosting multiple virtual machines including OS X VMs. It is my favorite home lab machine. It consumes hardly any power (11W-85W), is tiny, requires no big external power brick, has only a discreet white LED.

The current issue is that it hasn’t evolved in ages with the last update dating back to October 2012 which has been keeping me from buying a new one for upgrading my home lab.

My wish list for the next generation Mac Mini is to see them split it into two streams for desktop and server use. The Mini is already sold in this manner with a “server” model that comes with the OS X Server licence. But since OS X Server has become a $20 app purchase, there’s little practical difference between the two types.

The desktop model can continue with the current lineage with a Haswell processor bump and perhaps a better graphics card for those people that want to use it as a desktop or media station.

On the server front, the following changes would be relatively easy to accomplish and even retain the same form factor :

ECC memory

This is a requirement for VMware certification and support. This would enable sales into companies that want a more robust method for hosting their OS X Server machines in VMs that can then be moved around dynamically and more easily integrated into disaster recovery and business continuity plans. OS X Server is a great small business platform, but lacks in areas of clustering and so on, which is where VMware shines.

Bump the max memory to at least 32 Gb

This is the first core limitation for running a lot of virtual machines. I’ve tested with both the Core i5 and the Core i7 models and at steady state, unless you have some truly processor intensive applications, you’ll run out of memory long before you saturate the CPU. Currently there’s no point in buying the i7 model for most standard server workloads (mail, Open Directory, DNS, file services, caching, messages, etc.). With 32 Gb, you can push the consolidation rate up enough to justify the Core i7.

Dual ethernet interfaces

Currently I end run this problem by using a Thunderbolt adaptor in order to get a second gigabit ethernet interface so that I can separate storage traffic from regular network traffic, but dual integrated ethernet would simplify things immensely. No extra adapter to buy and clutter things up and no driver issues. I’d really really love to see 10GBase-T, but since we saw the Mac Pro arrive without 10 GbE, I don’t think that’s a likely scenario.

Dreaming

These are terribly unlikely options, but ones that would be nice to see :

Expansion options

Thunderbolt is an extension of the PCIe bus and there are solutions out there from Sonnet, OWC and others that let you install regular PCIe cards in a Thunderbolt connected box. But they are all relatively big, expensive and clunky. Currently Apple is the only one that is producing Thunderbolt ports at sufficiently large scale to be able to take advantages of economies of scale so it would be nice if they took advantage and proposed a stackable Mini formatted box with a PCIe slot, even if it was limited to half-length cards.

Management interface

Another one that is exceedingly unlikely, but having a ILO/DRAC style remote management interface would go a long way to making it a truly serious server that lives in a server room and can be managed remotely. But after adding the dual ethernet connections there’s not a lot of room left on the back if we keep the current form factor.

Here’s hoping there will be some news at WWDC…

Tuesday
Feb252014

Mac Mini Hosting (ZFS loopback)

ZFS

I’ve been a fan of ZFS storage for a while now and I find it particularly useful in this type of standalone environment. One of my constant preoccupations (personally and professionally) is data protection from both a backup and disaster recovery perspective. So in this case, I’m going to create a VM locally that is going to play the role of a storage server that will publish NFS shares to the ESXi server internally.

From here, I gain all of the advantages of the ZFS built-in features like snapshots, compression, and the ability to efficiently replicate data back to the ZFS servers at home.

There are basically two main streams of ZFS based systems: Solaris kernel based solutions and BSD ones. ZFS on Linux is making some headway, but I haven’t yet had the time to poke at the current release to check out its stability.

If you want a simple setup with a really nice web interface for management, FreeNAS is probably the best bet. I personally prefer OmnisOS for this kind of thing since I drive mostly from the command line and it’s a very lean distribution with almost no extra overhead. Generally speaking the big advantage of FreeNAS is the extensive hardware support because of its BSD roots. But in my case, the VM “hardware” is supported so this doesn’t matter as much.

I’ll give a walkthrough on the process for using OmniOS here.

Networking

You could simply deploy the ZFS VM directly on the virtual LAN network you’ve created, but I like to keep storage traffic segmented from the regular network traffic. So I create a new virtual switch with a port for connecting VMs called Storage (or NFS or whatever). I also create a new VMkernel interface on this vSwitch using a completely different subnet that will be used to connect the NFS server to the ESXi server.

If this server were completely isolated and there was no need for routing traffic, I would just leave it this way, but there are a couple of things to keep in mind: how to you manage the server and how does it replicate data? You could manage the server by using the Remote Console in the VMware client, but ssh is more convenient. For replication the server will also need to be able to connect to machines on the remote network so it will need to be attached to the routed LAN subnet.

So the preferred configuration for the VM is with two network cards, one for the LAN for management and replication, and one for NFS traffic published to the ESXi server.

Installation & Configuration

The install process is just a matter of downloading the ISO, attaching it to a new VM and following the instructions. I configured mine with 3Gb of RAM (ZFS like memory), an 8 Gb virtual hard disk from the SSD for the OS and two 400Gb virtual disks, one from the SSD and one from the HD. When I build custom appliances like this, I usually use the vmDirectPath feature in order to pass a disk controller directly to the VM, but it’s a little hard to bootstrap remotely.

Then from the console, there’s some configuration to do. The first stages are best done from the console since you’ll be resetting the networking from DHCP to a fixed address.

Network configuration

Here’s a set of commands that will configure the networking to use a fixed IP address, setup DNS and so on. You’ll need to replace the values with ones appropriate to your environment. Most of this requires that you run this as root, either via sudo or by activating the root account by setting a password.

echo "192.168.3.1" > /etc/defaultrouter # sets the default router to the LAN router
echo "nameserver 192.168.3.201" > /etc/resolv.conf # create resolv.conf and add a name server
echo "nameserver 192.168.2.205" >> /etc/resolv.conf # append a second DNS server
echo "domain infrageeks.com" >> /etc/resolv.conf # and your search domain
echo "infrageeks.com" > /etc/defaultdomain
cp /etc/nsswitch.dns /etc/nsswitch.conf # a configuration file for name services that uses DNS
svcadm enable svc:/network/dns/client:default # enable the DNS client service
echo "192.168.3.2 nfsserver" >> /etc/hosts # the LAN IP and the name of your server
echo "192.168.3.2/24" > /etc/hostname.e1000g0 # the IP for the LAN card - a virtual Intel E1000 card
echo "192.168.101.2/24" > /etc/hostname.e1000g1 # the IP for the NFS card
svcadm disable physical:nwam # disable the DHCP service
svcadm enable physical:default # enable fixed IP configuration
svcadm enable svc:/network/dns/multicast:default # enable mDNS

Reboot and verify that all of the network settings work properly.

Setting up zpools

The first thing you’ll need to do is to find the disks and their current identifiers. You can do this with the format command to list the disks and Ctrl-C to cancel the format application.

# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c2t0d0 <VMware-Virtualdisk-1.0 cyl 4093 alt 2 hd 128 sec 32>
          /pci@0,0/pci15ad,1976@10/sd@0,0
       1. c2t1d0 <VMware-Virtual disk-1.0-400.00GB>
          /pci@0,0/pci15ad,1976@10/sd@1,0
       2. c2t2d0 <VMware-Virtual disk-1.0-400.00GB>
          /pci@0,0/pci15ad,1976@10/sd@2,0
Specify disk (enter its number): ^C

In my case, I have my two 400 Gb disks available, and are available at the identifiers c2t1d0 and c2t2d0, which corresponds to Controller 2, Targets 1 & 2, Disk 0. The first entry is for the OS disk.

I’m going to create my first non-redundant zpool on the SSD disk which is the first one with:

zpool create ssd c2t1d0

Note that these names are cases sensitive. The result is a new zpool called ssd which is automatically mounted on the root file system so it’s contents are available at /ssd.

Before continuing there are a few settings that I like to configure since any filesystems I create will inherit these settings so I only need to do it once.

zfs set atime=off ssd
zfs set compression=on ssd

Disabling atime means that it won’t update the last accessed time metadata for files which incurs an unnecessary write overhead for our use case. On a regular file server this value may be more useful. Setting compression is a practically free way to get more usable space and the overhead is negligeable.

Now we have a pool, we can create filesystems on it. I’m going to keep it simple with top level filesystems only. So for my setup, I’m creating one filesystem for my mail server all by itself and a second one for general purpose VMs on the LAN.

zfs create ssd/mail
zfs create ssd/lan

To make these accessible to ESXi over NFS, we need to share the filesystems:

zfs set sharenfs=rw=@192.168.101.0/24,root=@192.168.101.0/24 ssd/mail

Here I’m publishing the volume over NFS to all IP addresses in the 192.168.101.0/24 subnet. Currently the only other IP in this zone is the VMkernel interface on the storage vSwitch, but you could imagine having others here. This means that the NFS share is not available to the LAN, which is the desired configuration since the only thing on this volume should be the mail server VM. You can also set this to use specific IP addresses by ommiting the @ prefix which designates a subnet.

Now I’ve had some permissions issues from time to time with NFS and VMware, so to keep things simple, I open up all rights on this filesystem. Not really a security issue since the only client that can see it is the ESXi server.

chmod -R a+rwx

VMware

Now on the ESXi Configuration we need to mount the NFS share so that we can start using it to store VMs. This is done in Configuration > Storage > Add Storage… and select NFS.

The server address is it’s IP address on the storage subnet and the path to the share is the complete path: /ssd/mail in this case.

Snapshots and backups

Now that we’ve got a VMware datastore where we can put VMs, we can profit from the advanced features of the ZFS filesystem underlying the NFS share.

The first cool feature is snapshots where you can make a note of the state of the filesystem that you can then use to roll back to previous points in time, or mount it on a new filesystem so you can go pick out files you want to recover. Now it’s worth remembering that snapshots are not backups since if you lose the underlying storage device, you lose the data. But it is a reasonable tool for doing data recovery.

Creating snapshots is as simple as:

zfs snapshot ssd/mail@snapshot_name

Any new writes are now written to storage in such as way as to not touch the blocks referred to the filesystem at the time the snapshot was taken. The side effect is that you can consume more disk space since all writes have to go to fresh storage so you also need to delete (or commit) snapshots so that they don’t hang around forever.

zfs destroy ssd/mail@snapshot_name

Will delete the snapshot and free up any associated blocks that were uniquely referred to by the snapshot. Obviously, this is the sort of thing that you want to automate and there are a number of tools out there. I’ve created a couple of little scripts that you can pop into cron jobs to help manage these tasks. simple-snap just creates a snapshot with a date/time stamp as the name. The following line in crontab will create a new snapshot every hour.

0 * 0 0 0 /root/scripts/simple-snap.ksh ssd/mail

For cleaning them up, I have auto-snap-cleanup which takes a filesystem and the number of snaps to keep as arguments, so the following command will delete all but the last 24 snapshots:

1 * 0 0 0 /root/scripts/auto-snap-cleanup.ksh ssd/mail 24

So you’ll have a day’s worth of “backups” to go back to.

For the remote replication go check out the scripts under the projects tab. If you have two physical machines, each with an SSD and an HD a reasonable approach would be to replicate the SSD filesystems to the HD of the other machine (assuming you have an IPsec tunnel between the two). In this case, if one machine goes offline, you simply set the replicated filesystems on the HD to read/write, and mount them to the local ESXi host, register the VMs and you can start the machines. Obviously there will be a performance reduction since you’ll be running from the hard drive, but the machines can be made available practically immediately with at most an hour’s worth of lost data.

Time Machine

You can also use a ZFS server as a Time Machine destination with Netatalk which adds the AFP protocol to the server. Compiling netatalk can be a picky process so on OmniOS I tend to use the napp-it package which automates all of this and provides a simple web interface for configuration, making it a similar system to FreeNAS (but not as pretty).

Tuesday
Feb252014

Mac Mini Hosting (step by step)

Basic ESXi configuration

For this you’ll need a windows machine to run the VI-Client (although you can do most of it from the command line, this will be much easier via the client if you’re just starting with ESXi). As as alternate method, you could download the vCenter Linux Appliance in evaluation mode and run it as a local virtual machine using Fusion or something else locally. Then you would manage the ESXi server with this machine and you can use the web interface from your browser to do the configuration. I would recommend doing this at some point anyway in order to get access to some of the features reserved for ESXi 5.5 like the latest VM versions for running OS X VMs.

At this stage, you’ll be talking directly to your ESXi server across the internet, so the first thing to do will be to set the root password to something horribly complicated (which you will then note in your password manager or some other secured storage).

The basic steps of getting the client and changing the root password can be found here.

The networking configuration is a little specific to this kind of all in one configuration. We start with the default vSwitch where we have the ESXi management port setup with its internet facing IP address.

First off, we need a new vSwitch to plug our VMs into. For this, we go to Configuration > Networking > Add Networking… Select “Create a vSphere standard switch” with no physical adaptors selected (it’s already allocated to the default switch anyway) and in the next screen, call it LAN with the default VLAN ID.

Now we have two virtual switches, one connected to the ethernet card, connected to the internet and one connected to nothing at all for the moment.

For the beginning storage, we’ll just format the internal drives as individual datastores. This is done under Configuration > Storage > Add Storage…, selecting Disk/LUN as the storage type.

Here you may run into problems if the disks were previously formatted by another OS. Refer to this note if this happens. Accept the defaults and name the volumes however you like. I went with the exceedingly unoriginal SSD and HDD.

Bootstrap your first virtual machines

To get started we have a bit of a chicken and egg situation. To install your first virtual machines, you’ll need an ISO image. Now if this machine were on the local LAN, it would be fairly easy to just map an ISO image from the machine you’re using to run the VI-Client. However, if you’re like me, your DSL upstream speed is pretty awful (~100KB/s) so interactively reading from a local disk is going to be really really slow.

So to get around this, we’ll go back to the ESXi command line via SSH. You’ll need to activate ssh and the shell under Configuration > Security Profile. On the Services section, click the Properties button to get the list of services. From there, select the ESXi Shell, Options and Start. Do the same for SSH.

Now we can open a terminal session and use

ssh root@<your_ip>

From here we can navigate to our VMFS volume :

cd /vmfs/volumes/SSD
mkdir sources
cd sources

and download an ISO image using wget. I’m going to start with pfSense:

wget http://files.nyi.pfsense.org/mirror/downloads/pfSense-LiveCD-2.1-RELEASE-amd64.iso.gz

This will download the image to the sources directory on the VMFS volume. Now we can create the pfSense VM and install the firewall.

Installing the pfSense VM

To create pfSense VM, we’ll start in the VM client or web interface and create a custom VM. There’s a great instruction page on the pfSense website, so I’m not going to repeat all of that. The key things that I’ve done in my configuration is named the interfaces for the virtual machines as follows :

  • WAN
  • LAN

To correspond with the pfSense naming conventions. Actually, I went a little further and have added another subnet called DMZ to separate my internal machines and services from internet facing stuff. Again, in this case, there is a separate vSwitch with a separate named connection associated. Unlike the configuration explained on the pfSense site, these vSwitches have no physical adapters associated with them.

Basic pfSense configuration

pfSense is a complete firewall solution and as such can be configured in many different ways. You can either work from the principle that we let everything through, and then block off places where we don’t want to go, or we can do the opposite and block everything by default and open up ports selectively.

Getting the VPN running

Setting up an IPsec VPN can be a bit of a pain, but on most modern systems it’s not too bad as long as you pay attention to making sure you have selected exactly the same settings on both sides. In fact the biggest problem with getting IPsec working is that there is no industry standard UI implementation that shows the same form structure to fill out so it’s easy to get various settings mixed up.

I found the Cisco RV180 to be a perfect fit for my use here. It can handle site to site VPN, some basic internal VLAN stuff and is quite inexpensive for the feature set. In France, it sells on Amazon for 109 € and in the US it’s priced at $108. There is also a version that includes wireless capability but since I already have my wifi setup using an Airport Extreme and various Expresses for extension and Airplay I went with the simple model.

Side note: If you’re currently replacing something like an Airport Extreme for your local wireless networking, you can just plug it into the back of the RV180 and set it to bridge mode so that it’s no longer routing, just offering wireless services.

So the architecture looks like this:

And here’s the configuration that’s running:

pfSense:

Cisco RV180:

Once you have this up and running, any machines on your local network should be able to route to the LAN subnet on the hosted machine and vice-versa. This makes it a transparent extension of your current network.

Routing changes

Now that we have a firewall and a solid VPN connection running, it’s a good idea to make a few more little changes to ensure that your ESXi server isn’t hanging out exposed directly to the internet.

First off, we can shutdown the SSH and ESXi shell in the Configuration > Security Profile > Services section.

Now the only exposed ports are the standar ESXi management ports. You can manually adjust the exposed ports firewall rules so that they only accept connections from your network in the ESXi configuration. But this means that if you need to connect to your server while you’re one the road, you’ll be blocked. So my approach is to add another vKernel Management interface on the internal LAN interface, and then use the LAN gateway as the default route. The net result of this configuration is that the server can only be accessed from machines either on the LAN subnet behind the pfSense or your home/office network that is connected via the VPN. Then I add a VPN service that I can connect to from my other machines while on the road.

I leave the original vKernel management port installed just in case something catastrophic goes wrong and I can get the hosting provider to reset the default gateway at the console to get remote access working via the internet.

Automatic boot

Now that we have set things up this way, there’s no way back in from the internet if the host ESXi machine reboots. So to get around this problem we need to make sure that the pfSense VM automatically starts up when the host starts.

This is configured in Configuration > Virtual Machine Startup/Shutdown. It’s just a matter of editing the list so that the pfSense VM is the first machine in the list to boot automatically when the ESXi server starts up. This is mostly an additional protection since ESXi is a remarkably stable environment so the only reason this should come into play is when you want to upgrade the ESXi itself.

Next Up : Loopback ZFS storage

Tuesday
Feb252014

Mac Mini Hosting

Backstory

Up until now, I’ve been handling my own hosting via my home DSL service for a number of years now, with a few VPS instances and Squarespace service for some other web sites. One key component is my mail server, currently hosted on OS X Server in a VM running on ESXi at home. I had an unfortunate incident where the local telco cut off my DSL line by accident and as a result I was without internet connectivity for almost three weeks starting around Christmas.

This meant that all mail destined to my infrageeks.com domain ended up bouncing after a certain amount of time which was the impetus to finally go out and get a Mac Mini hosted in a datacenter. I’ve been thinking about doing this for a long time, but put off by the cost. But now I find that some of the Mac Mini colocation services will install ESXi as a standard install, which makes it considerably more attractive since I am no longer limited to one OS instance and can run multiple OS environments. This also means that I’ll be able to consolidate some of my other VPS and web hosting services onto this machine.

Yes, I could have done the same thing with a base install and VMware Fusion, Parallels or VirtualBox, but the result is not as efficient nor flexible enough for what I have in mind.

For the notes and instructions, I’m assuming you have a basic understanding of ESXi so I won’t be filling in a ton of screen shots, although if I get some feedback, I’ll go back and try and add some more in. Or (shameless plug) ping me for consulting assistance.

Configuration

I went with an upgraded Mac Mini with a 500 Gb SSD + a 500 Gb internal HD, running ESXi from an SD Card which leaves the full disk space available for ESXi.

The basics

Networking

One nice feature of running ESXi is that you can easily create a set of virtual networks with a router instead of just putting your virtual machines directly on the internet. This also allows you to do some interesting stuff like create a private network on your ESXi instance where your machines live, but are connected to your own network via VPN so it becomes just another subnet that behaves like an extension of your network.

This is important since my mail server is a member of an Open Directory domain that is hosted on another machine. By setting things up as an extended private network, the servers can talk to each other through normal channels without opening up everything to the internet or doing firewall rules on a machine by machine basis.

I’m using pfSense in a virtual machine linked with a VPN to a Cisco RV180.

Storage

You can use the internal disks formatted as VMFS-5 volumes natively to store your virtual machines, but I wanted to ensure that I had an effective backup plan that fit into my current system. I could have used VMware’s built-in replication feature or a third party tool like Veeam or Zerto which are designed for this kind of replication, but they all require vCenter and I wanted to see what could be done without additional investment.

So in this case I’m using OmniOS to create a virtual NFS server backed by VMDK files. It adds some extra work on the server since it has to go through NFS to OmniOS virtual machine to the disks, but I gain snapshots and free replication back to my ZFS servers at home.

I’m in the middle of an existential debate concerning the most efficient configuration for the zpool in this situation. One option is to have two zpools, one for the SSD and one for the HD and to replicate from the SSD to the HD on a regular basis, and then off to the storage server at home. If the SSD fails, I can easily switch over to the HD. But in this case, I don’t have any real automated protection against bit-rot since each block is stored on non-redundant (from the ZFS point of view) storage. The other obvious option is to create a single zpool with a mirror of the SSD and the HD which would ensure that there are two copies of each block and if there is a problem with the data, ZFS will read both copies and use the one that matches the checksum. But the flip side is that performance will become less predictable since some reads will come from a slow 5400 RPM disk and others from the SSD, while all writes will be constrained by the speed of the spinning disk. I could also just set the SSD as a very large cache to a zpool backed by the hard drive, but this seems a little silly with no additional data protection.

The other side effect of slow disk IO is that I will end up in many more situations where the CPU is waiting on disk IO which will slow down the whole system, so I’m going with the two pool setup for now. Budget permitting, a mirrored zpool with two SSDs is the ideal solution.

Next up: Step by step