-
Woodstock
richlowe: no, I don't think I did
-
properguest
hi, I'm interested in using illumos. Is it possible to do block device encryption using geli (like on FreeBSD) and then do an installation of OpenIndiana or OmniOS? thanks
-
properguest
also, does anyone use any illumos on a Hetzner VPS?
-
vab
properguest: We are using OmniOS on Hetzner bare metal. We have opted not to use encryption due to the lack of any console device. By "hetzner vps" I assume you mean their "shared vCPU" offering?
-
vab
There is no geli, but you should be able to use native ZFS encryption as long as you can enter the passphrase on the console during reboot.
-
properguestt
I have access to the QEMU console on the Hetzner VPS, so I can use the password prompt. Though I prefer to wrap ZFS with encryption (geli) and not use ZFS native encryption.
-
properguestt
thx vab
-
properguestt
Is it possible to install OmniOS from a booted FreeBSD ISO? I'd start a FreeBSD image on the VPS, download+mount the OmniOS ISO inside FreeBSD, then (?)
-
properguestt
I prefer geli because I don't trust the hoster much (notes.valdikss.org.ru/jabber.ru-mitm applies to the hard drive as well)
-
properguestt
> Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service
-
nikolam
properguestt, just make a ZFS volume and enable encryption on it. I use hex keys, but you could also use passwords.
-
nikolam
I have an instance of SmartOS on Hetzner cloud, where you are limited to no HVM, I suppose, to only branded zones / Smart machines, but there are LS zones too.
-
nikolam
You just need to ask Hetzner support to upload the newest SmartOS image for you to install from, and enable a bootable pool (piadm).
-
properguestt
thank you very much, nikolam
-
nikolam
LX zones, sorry
-
properguestt
How do I install an illumos distro with encryption? Do I create the zvol first and then run the installer pointing to the already created zvol?
-
properguestt
Are metadata and paths unencrypted?
-
nikolam
That said, it is always better to have it running on hardware, a SmartOS hypervisor or Triton Datacenter install (16+GB RAM min, better 32, 64 supported); there are then KVM and bhyve HVM VMs too. It's just recommended to have at least 2 network cards and IPs (you know, one public, one for administration).
-
properguestt
Also, does the bootloader figure out automatically how to decrypt?
-
properguestt
I'd only run containers, no VMs
-
properguestt
so LX zones and packages that the illumos distro provides
-
nikolam
properguestt, well, there are 2 ways of looking at things: running a hypervisor (SmartOS, Triton SDC) and a regular OS install (OmniOSce, OpenIndiana, others).
-
nikolam
Running a hypervisor (that doesn't need to be encrypted itself), some safe place to mount/pull cipher keys, and then running a guest VM/zone with a mounted dataset with encrypted data.
-
properguestt
I want a stable and highly available, thin host OS and then run my virtual network and containers on top of it
-
properguestt
I don't want the hosting provider to be able to touch the host OS data
-
properguestt
On Linux I'd use LUKS+btrfs with encrypted /boot
-
properguestt
On FreeBSD, geli+ZFS
-
nikolam
In SmartOS, you create a startup service per the manual (it does not come out of the box), but there, in a script, you tell the system to mount the ZFS volume that is encrypted (the ZFS dataset itself points to the FS location of the key).
-
nikolam
Then choose hardware on your premises and an internet link. Seriously. The hosting provider, even with the hypervisor OS on hardware, has access to the system console and drives. So I avoid thinking I can create a full black box. I can protect customer data and maybe the whole VM I am actually running loads in. Plus get keys from somewhere else.
-
properguestt
I need to find someone where I can put my hosting hardware. I regularly travel around by bicycle and rely on someone else's computer being available
-
nikolam
The "highly available" part comes down to the application level. What is highly available exactly? Storage, service? It is per service how to deploy on infrastructure. Triton Datacenter on regular hardware can give you a place for VMs, but you need to architect your service. Triton needs at least one machine for the headnode and at least 2 machines for running VMs.
-
properguestt
For Hetzner, the weakest links are the BIOS partition and the JavaScript web console
-
properguestt
I only want to host some domains and web services: XMPP, websites etc.
-
properguestt
I'd connect one public IP to one domain
-
nikolam
properguestt, sure. On hardware machines on Hetzner, hardware KVM is available _only upon request_ and limited per month.
-
properguestt
yes, I know, 3 free hours
-
nikolam
Depending on what part of the world you are in, maybe a good solution is to host your machine(s) in your private accommodation, datacenter, providing you have a good internet link.
-
nikolam
But handling a private cloud is a bit of a different sport: UPS, link, etc.
-
properguestt
Can I just secretly place a single-board computer in a data center...
-
nikolam
Sounds like you would want someone to create infrastructure as a service for you so you can load your HA service on top of it. Private cloud. MNX Triton is for that.
-
nikolam
See what budget you have and what services you want to be running. An illumos-based hypervisor, together with virtual networks, is a great solution.
-
properguestt
I think illumos is even really great for containers only, because it integrates zones, filesystem and networking neatly together
-
nikolam
properguestt, SmartOS/TritonDC have a mailing list, web site, docs, even a YouTube channel, as do other illumos distros.
-
properguestt
thank you lots so far, nikolam
-
nikolam
properguestt, yup, but ask yourself which of your services you want to be available.. you can put anything in a zone or VM, but the more general the infrastructure is, the better; the app itself has its needs, infrastructure is separate from that.
-
properguestt
For now I want to run a thick LX branded zone for one domain with a few services: PostgreSQL, OpenLDAP, dex (OpenID), XMPP, HAProxy, PHP and some web services
-
properguestt
If some service requires isolation, I will separate it out into its own zone
-
properguestt
Later on I will build similar zones for different domains
-
properguestt
Can an LX branded zone boot systemd?
-
nikolam
properguestt, all depending on what level of privacy and performance you need. MNX cloud, others, VPS on it, hosted hardware etc.
-
nikolam
An LX zone has a full OS in it, except it is not running a Linux kernel in it; everything is supposed to work as it does.
-
nikolam
properguestt, you can send me a PM if you want.
-
properguestt
An LX zone is syscall translation like on FreeBSD, right?
-
nikolam
Well, yes, but upgraded, on steroids. Zone first.
-
nikolam
One can have HVMs and zones on hardware.
-
properguestt
thank you lots. I can make some decisions now
-
nikolam
properguestt, there are also distro channels: #smartos, #triton, #omnios etc.
-
properguestt
For now, I will stick with my cheap Hetzner VPS, install OmniOS, and for reboot I'll ssh into the system to decrypt the volumes
-
nikolam
properguestt, you can write a blog post about it; I run SmartOS in the same setup.
-
properguestt
yes, I was also searching for guides :D
-
properguestt
Any reason to prefer SmartOS vs other illumoses?
-
nikolam
properguestt, SmartOS is a thin hypervisor. It can boot from USB on hardware to avoid rootkits on boot. But it can also boot from the data pool, e.g. NOT requiring separate boot disks, unlike most Linux distros.
-
nikolam
Except for /usbkey/config for network and basic settings, SmartOS has no other things to set. Maybe if you make a startup service for specific things.
-
nikolam
Other distros are basically classical on-disk install distros.
-
properguestt
oh, that's a very useful separation
-
nikolam
Oh yes, and SmartOS has imgadm, vmadm, piadm for managing images and VMs
-
nikolam
Hypervisor OS swan song. Plus it now has an added web GUI with uiadm. Just for kicks :P
-
» nikolam was spamming the channel enough already :P
-
tsoome
ssh: connect to host code.illumos.org port 29418: Connection refused
-
properguestt
oh, that's a long list of features I haven't even thought of
-
nikolam
properguestt, welcome to #smartos, read the site a bit and come over :P
-
properguestt
thx :D
-
sommerfeld
did something happen to the code.illumos.org ssh key?
-
sommerfeld
Getting the: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-
sommerfeld
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
-
sommerfeld
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-
tsoome
definitely so, the ssh was down for some time, and now there seems to be a new key...
-
richlowe
it hasn't, jclulow will appear and rectify
-
richlowe
that is, something _is_ wrong, but not what it appears
-
jclulow
With my apologies, this should be sorted out now.
-
jclulow
Also: it's just the regular sort of incompetence, not a security incident or whatever
-
» nomad can identify with that.
-
sommerfeld
jclulow: thanks for fixing the problem; from here, ssh is working without error (old key is back)...
-
tsoome
Thanks!
-
jclulow
You're welcome!
-
gitomat
[illumos-gate] 16817 winlock can probably be removed -- Richard Lowe <richlowe⊙rn>
-
gitomat
[illumos-gate] 16810 installboot should handle 4096 byte sectors -- Toomas Soome <tsoome⊙mc>
-
gitomat
[illumos-gate] 16824 hal: storing the address of local variable -- Toomas Soome <tsoome⊙mc>
-
gitomat
[illumos-gate] 16822 EFI loader: Don't free bcache for DEVT_DISK devs -- Colin Percival <cperciva⊙Fo>
-
gitomat
[illumos-gate] 16823 stmf: writing 1 byte into a region of size 0 -- Toomas Soome <tsoome⊙mc>
-
gitomat
[illumos-gate] 16826 vi: dangling pointer 'dname' to 'funkey' may be used -- Toomas Soome <tsoome⊙mc>
-
richlowe
it already told you it was 'funkey'
-
nomad
That's the key to fun, right?
-
vetal
tsoome: Actually, setting "acpi-user-options=legacy" doesn't work. Only 'acpi-user-option=8' works
-
tsoome
ou.
-
vetal
tsoome: * 'acpi-user-options=8'