Successfully set up Nextcloud, some questions remaining

Is there a special reason for using KVM and CentOS 8 as the KVM host?

NethServer can act as a firewall, and it supports virtualization with phpVirtualBox.

Yes, we want to be able to snapshot it, just in case something goes wrong. And CentOS is one of the supported OSes at our hoster. We discussed it today and decided that we want a thin KVM host with nothing else running on it. The rest of the big drive is encrypted with dm-crypt, and that is where our virtual disks sit.

What about Proxmox?
It's managed via a web interface and provides a complete virtualization environment, including snapshots and a firewall, out of the box.

If Debian is supported by your hoster, it should work too.


This is next on my list, but wait, I am making some progress :slight_smile:

I now have a Let's Encrypt certificate for cloud.ourdomain, then created a virtual host something.ourdomain and added it successfully to the existing certificate.

Now, how to proceed to get a certificate for the domain itself? I did as you said and added hostname.ourdomain.com to external DNS. I mean the certificate that I will use for creating Active Directory. Yeah, Proxmox is my fallback scenario, but it seems as if it could work with this setup.

Just add the new domain to the domains in Let's Encrypt and request it.

Mhm, that again. Now I have the same error: not able to download packages, and the challenge failed. As soon as I opened additional ports... let me check something.


I will restore the last snapshot and try to reproduce when exactly it goes south. One more question: so it will be one certificate for the externally accessible domains and for the one being used for domain creation?

So ad.ourdomain.com and ourdomain.com will be in the same certificate as cloud and possibly other virtual hosts?

Yes, one Let's Encrypt cert for all domains.

I think I am starting to hate the CentOS 8 host, and am almost done with it. Maybe I should really install Debian, then Proxmox from the web interface of our hoster, and see where it gets me instead of trying to find the problem that I probably won't have with Proxmox :slight_smile:

CentOS is a nice, stable LTS system.
But setting up KVM networking and routing can be a pain.

I think you need the bridge for the internal network on your KVM host. If you want to use NethServer AD, you need promisc mode.

I believe you, mrmarkuz, and I found it out the hard way. I had set up the bridge in promiscuous mode, but something came in between while opening ports, maybe even a SELinux problem, I don't know.

I am setting up Proxmox right now, as it was recommended by this forum, and am looking forward to seeing how it is.

@Elleni

Hi

Even for a console guy, once it's up & running, I think you'll soon love the web GUI of Proxmox.
There isn't much you need to use the console for, except maybe adding stuff like nut (UPS) or snmp for monitoring. lm-sensors is also a good suggestion, or the manufacturer's tool for monitoring a HW RAID card, like from HP.


The forum isn't as good as this one here, but their docs are solid and well written.

Good progress!

Andy

What awesome stuff :smiley:
I am looking into Proxmox and I must admit, it looks impressively great! Sorry that I was not listening in the beginning.

I installed it, am uploading disks and images, and can't wait to test :slight_smile:
Furthermore, the possibilities for HA with distributed filesystems make me think that I will rather rethink how I can set up an even better system than I had planned.

I'll be back after installing NethServer, or as soon as some questions arise.

Thanks again for proposing to use Proxmox!

@Elleni

You're welcome! Sometimes, even for me, overcoming old instincts on the console is hard.
But if they package it that well, it makes it worth it, and in the end saves a lot of time!

A few Proxmox tips


License the product (I use almost only community support) to get certified updates. Licensing is per CPU socket, not per core! Proxmox gets a lot of updates; rebooting is only necessary about 1-2x a year.

Updating Proxmox can be done while VMs are running, no problems!

Here's a doc I made about 2 years ago; it's in German, but as such should be understandable by most.


As visible, Proxmox can make good use of at least 3 networks, and all those networks can use NIC bonding.

CEPH, as used by CERN, is a very nice option if RAM and a couple of servers are available. Fast 10GB networking or more helps! At the time, not yet a real option.

If several servers are in a cluster, it's a very good idea to create groups according to HW requirements. Say virtual PCs need a minimum of 8GB and 4 CPU cores. A SQL Server needs at least 16 GB RAM and 8 cores. This helps in load distribution and failover migration when using HA (High Availability).

Also VERY important for a cluster:
The minimum requirement for a properly working cluster is 3 nodes! Really count 4, as you need 3 working when one fails. 3 can vote on who's the master, and the cluster gets quorum, meaning the cluster is up and fully available. With only 2 nodes, your cluster doesn't reach quorum, and you can't start any VMs, nor migrate them!

Storage for backups is defined with generations (I want 7 versions of that backup). You can map the same storage twice or more often if you need different generations, say for virtual servers 7 generations daily, for virtual workstations 3 generations weekly.

If using RAID for disk images (shared storage for running VMs), use RAID10 with 4 fast disks or SSDs.

If not using CEPH or OpenZFS, the local file system should be XFS rather than ext4.

Live backups are a great feature and VERY reliable!

Use the .qcow2 disk image format.

If you don't need the latest CPU features, keep the CPU set to a generic KVM CPU; that facilitates migration to different hardware without issues. It may be a little less fast, but worth it if you have several different Proxmox hardware platforms running.

An example? Test migration of a running, fully licensed MS-SQL Server based bookkeeping application server. The original hardware was a HP Proliant ML380 G9; we migrated to a Mac Mini with an i7 CPU running Proxmox. No issues, no reactivation required by Microsoft.

My 2 cents
Andy

Thanks, I will read through it in the evening. Until now, I have not been successful with the network configuration.

Reading through the docs, I tried a bridged external interface and also masqueraded. Neither is yet functional. I will come back to you when I have read through your appreciated information and will probably need some help. :slight_smile:

This image shows something similar to your environment, but not a hosted environment. It's at a friend's place at home.

The HP Microserver G8 has two LAN connections, and one for iLO.
One LAN is connected to the (bridged) VDSL modem, the other to a switch at home.
-> Both LANs are bridged (as seen by Proxmox)

The Firewall is OPNsense, running in Proxmox.

Note: AFAIK, Proxmox needs something connected to the NIC to activate it. This would work for the external one; the internal one can be just an internal switch.

Good Luck
Andy

I understand that apparently Proxmox does not act as a DHCP server, in contrast to libvirt/qemu, where, while creating a network with the libvirt manager, you can define an IP range and the client gets an IP automatically from the internal DHCP server? I decided to try configuring with a fixed IP first and let NethServer serve IPs for domain clients in the internal network.

My Proxmox server has one external IP, and I want the NethServer VM to be our router for our LAN clients. So one LAN vmbr should be configured for the LAN with masquerade, right?

What about the other network card that is for the red network? Do I need a similar bridged configuration on the VM, configuring the same external IP address on the bridge and setting the "real" NIC to manual as I have done on the host? Or is a routed configuration needed, or just a separate NAT network to separate the internal and external networks?

I understand how to configure the host, putting the IP on virbr0 instead of the real NIC.

But how do I do it in the guests? Am I supposed to configure the same IP that I put on the host? I am not used to this network stuff.


My host gets the external IP by DHCP, but it also works when the same IP is configured statically on the corresponding bridge.

Hi

Proxmox does not provide DHCP for hosts. Some other server should do this (your NethServer is ideal for this).

I'd pass the externally reachable IP right through to the red NIC of your NethServer; the green one connects to the internal network (the virtual switch represented by vmbr0). The Proxmox is part of that internal network and is not reachable from outside, only through your NethServer.

Your NethServer becomes your firewall, and can use either port forwarding, a reverse proxy, or even 1:1 NAT if needed and an IP is available, to allow access to other hosts. Your NethServer should also provide you with VPN access, so you can manage your network.

To get there, you can temporarily configure access to your Proxmox AND your NethServer, at least until the firewall in NethServer is up and running and you have VPN access.

My 2 cents
Andy

Maybe later; for now, I want the physical host to be available even if NethServer is down. That's why my first setup will be two NAT networks with different VLANs/network masks.

I have 2 VMs, 1x Windows and 1x NethServer, up and running. I can connect to NethServer from the Windows client (green network). I can even ping the external IP address from my host. But from there I cannot ping anything on the internet. So one small step is still missing.
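For reference, here is what a NAT ("masquerade") bridge on a Proxmox host looks like in `/etc/network/interfaces`. This is an added example following the masquerading pattern from the Proxmox admin guide, not a config from this thread or from Elleni's or Andy's machines; the uplink name `eno1`, the external address 198.51.100.5/24 and the internal subnet 10.10.10.0/24 are placeholders I made up for the example. The symptom "guests reach the host but nothing beyond it" is what you get when the `post-up` forwarding and MASQUERADE lines are missing.

```conf
# /etc/network/interfaces on the Proxmox host (added example; interface name
# and all addresses are placeholders, not values from this thread)
auto lo
iface lo inet loopback

# Physical uplink carrying the host's single external IP (placeholder address)
auto eno1
iface eno1 inet static
        address  198.51.100.5/24
        gateway  198.51.100.1

# vmbr0: internal "green" switch with no physical port. The NethServer VM's
# green NIC and the Windows client attach here; the host owns .1 and is the
# guests' default gateway.
auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # Without forwarding, guests can ping the host but nothing behind it
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # Rewrite the private source addresses to the uplink's address on the way out
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
```

Guests on vmbr0 get a static address in 10.10.10.0/24 with 10.10.10.1 as gateway (and a DNS server, since Proxmox provides neither DHCP nor DNS). A second NAT network, as in the "two NAT networks" plan, is the same stanza again with another bridge name and a different subnet in the `-s` argument. To check the two things that most often break this, run `sysctl net.ipv4.ip_forward` (must be 1) and `iptables -t nat -S POSTROUTING` (must list the MASQUERADE rule) on the host after `ifreload -a` or a reboot.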

Can NethServer ping anything external? (8.8.8.8?)

For accessing the Proxmox I would use a simple network connection without NAT. Load fail2ban on Proxmox, and change the SSH port to something else (2222?).

The second connection would be as a bridge, and let the NethServer do the NAT/FW to access the Windows