Tag Archives: openvz

Asterisk virtualization – OpenVZ or VMWare?

I recently read a post/advert claiming that VMWare was a ‘much better’ platform for hosting Asterisk than any other virtualization platform, such as OpenVZ, Xen, KVM … So I thought I’d write a little about the architecture running the SysAdminMan VPSs and why it was chosen.openvz-logo

There are a few different names given to a virtualized server – Virtual Private Server (VPS), Virtual Dedicated Server (VDS), VM (Virtual Machine) but they all refer to the same overall goal – take a dedicated server and partition it in to several virtual servers that share the underlying hardware.

Now, don’t get me wrong, I really like VMWare ESX. In fact I spent many years as a VMWare admin running mission critical ESX clusters that needed to be available 24/7. These hosted corporate web systems that processed many £100k’s of transactions per year. So does that make it the perfect platform for offering Asterisk hosting? Not necessarily.

VMWare and KVM both provide ‘full virtualization’ which is a layer in between the hardware and VPS that emulates the hardware and provides the virtual machine access to it. This means the operating system on the VPS does not need to be aware that it is running inside a VPS. It runs as normal, with VMWare/KVM translating the requests to the underlying hardware. Xen can now also do this running in HVM mode.

While this provides good segregation between the Virtual Servers it does add a layer between the VPS and underlying hardware that can cause timing issues, which are so critical to VOIP/Asterisk. This is not always the case, but a possibility.

OpenVZ is different. This provides operating system-level virtualization where the underlying hardware runs a kernel that is shared by all of the virtual machines. On SysAdminMan VPSs this is CentOS. This provides more direct access to the underlying hardware which, in my experience, makes it an ideal platform for hosting Asterisk.

Where OpenVZ gets a bad name is that it’s very easy to provision many more VPSs on a physical server than that server can really handle. This means lots of virtual machines all trying to use the CPU, ram, network etc on the underlying server, resulting in bottlenecks. This might not be a problem on a webserver. If a web server takes half a second longer to display a web page because the server is overloaded then maybe nobody will notice. However, if your VOIP packets are delayed for half a second then you will definitely notice!

SysAdminMan only has around 10 virtual servers per physical server, often less depending on the resource allocations to the VPSs on that server. This results in a lot less contention for the underlying hardware than with some providers (especially general VPS providers) that might have 20, 30, 40 servers running on the same hardware.

Probably the most crucial fact about running Asterisk on a VPS though is who you are sharing the underlying hardware with, and how well the server is managed. Even if there are only a few other virtual servers on that server and they are allowed to abuse the resources available then you will likely get a bad VOIP experience. This can definitely be the case where Asterisk is installed on a general purpose VPS.

All SysAdminMan VPSs are specifically designed to be running Asterisk. The underlying hardware is closely monitored and you can be sure that you are not sharing the hardware with customers running highly demanding Java application servers or game servers etc. It can be very difficult for VPS customers to troubleshoot VOIP quality issues on their server as they have no visibility to the underlying hardware. You have to trust that your VPS provider is not allowing the underlying server to be overloaded.

The Asterisk hosting market is definitely getting more competitive but I’m confident that the service and products offered by SysAdminMan represent excellent value for money and a stable and well managed platform to host your VOIP server. SysAdminMan has been successfully hosting Asterisk servers since early 2009.

Installing Digium g.729 codec for Asterisk on an OpenVZ VPS

Installing Digium’s g.729 codec for Asterisk on an OpenVZ VPS requires an Asterisk friendly VPS provider. This is because the installation routine relies on there being an ‘eth0’ device on the server. This is not normally the case with OpenVZ where the network device is called venet0.

An ‘eth0’ device can be created on the VPS by running the following command (this is done on the OpenVZ server) –
(see here for more information – http://wiki.openvz.org/Asterisk_G729)

vzctl set $VEID --netif_add eth0 --save

Continue reading

Limit SMTP connections for OpenVZ VPS

I’ve started renting out some OpenVZ VPSs for a few people and wanted to make sure that they couldn’t be used to send spam. One of the easiest ways to do this is just to limit the number of outbound smtp connections allowed from the VPS using iptables.

I used the following iptables rules on the OpenVZ host node to accomplish this –

# Limit number of SMTP connections from Mail Server
<br>iptables -A FORWARD -o eth0 -p tcp -s --dport 25 -m limit --limit 3/minute -m state --state NEW -j ACCEPT
<br># iptables -A FORWARD -o eth0 -p tcp -s --dport 25 -m state --state NEW -j LOG
<br>iptables -A FORWARD -o eth0 -p tcp -s --dport 25 -m state --state NEW -j DROP

The ip address is the ip address of the VPS. The optional log rule in the middle (that’s commented out) is useful when you are setting this up so you can check that packets are actually begin affected by the rules.

Running OpenVPN

I’ve been playing with OpenVPN for the past couple of weeks and I’m pretty impressed. OpenVPN allows you to create a private network between 2 computers. These could be 2 servers or a client and a server. A few of the reasons for wanting to do this are –

  • bypassing your ISPs traffic shaping
  • making your traffic appear to originate from a different country
  • encrypting your laptop traffic over an insecure link – such as a coffee shop wifi connection
  • anonymous web surfing
  • bypassing a countries web access controls

Setup and configuration of the server component can be fairly complicated depending how you want to manage the certificates and networking on there. It’s possible to install it on Linux or Windows although I’ve only tested it on Linux. Running the server on Linux you also need to configure iptables to translate your private ‘vpn’ ip address to an external ip address on the vpn server.

Continue reading