From: John Kennedy
To: freebsd-virtualization@freebsd.org
Date: Mon, 25 Jan 2021 09:09:33 -0800
Subject: Re: RHEL virtualization

On Sat, Jan 23, 2021 at 03:14:53PM -0800, John Kennedy wrote:
> At work, we have RHEL (-ish; some RHEL, some CentOS, some OEL). Mostly v7,
> some v8. Since I'm doing the Covid work-from-home telecommute, I'm trying to
> recreate some of my work infrastructure while trying to plan a bit towards
> the future (migrating a lot of VMs to Azure).
>
> What I'd like to recreate is my existing kickstart infrastructure, where I
> PXE boot the system, feed it anaconda goodness which dovetails into puppet
> and I can generate a clean system from a template. Works great for VMWare
> and HyperV, not so much for Azure but if I can generate a snapshot disk
> image Azure can ingest, I'll be happy on that score.
>
> I've been very happy with bhyve for FreeBSD. I messed with VirtualBox for
> a while (a long time ago), but with my tendency to track stable (think:
> kernel modules) and keep very current on ports-from-source (frequent
> package updates, upon which VirtualBox has MANY dependencies) made that a
> poorer experience than I had with it on Windows. I've been very happy with
> bhyve since it's basically baked right in.

Let me restate some of this in a different way to maybe get some more thinking.

Using the BHYVE_UEFI.fd from uefi-edk2-bhyve, I can boot my OEL8 (RHEL8 clone). That currently worries me because it has the big python-2.7 warning on it (as does uefi-edk2-bhyve-csm). On physical boxes, I've been able to grab a PXEBOOT ISO when the firmware lacks PXE booting, but I haven't got that to work yet for these. Those python worries are basically what is driving me to look elsewhere (like fighting with grub-bhyve and away from the only UEFI booting that I know about).

I personally like PXE-booting a new system (and possibly making a gold image from that, depending on what I'm doing) because it basically answers that little auditor-voice in the back of my head that asks, in the event of some possible security problem, how do I know that my backups haven't been compromised? In all of those gigabytes, after all of the toxic recursive mindless non-logic, how do you *know*? My happy answer to myself is: "here is a configuration file that I can review, all the binaries are on the vendor's site or re-downloaded, here are the puppet customization rules, blam! done! 10 minutes later I have a clean system."

In any case, that is why I'm chasing PXE booting, although I'd be interested in the way other people solve that problem. It really doesn't work that way in Azure, thus the gold images approach I'll probably have to take with them in the future.