Best KVM for a headless server [SOLVED]

[halcon]

Hi!

What is the best KVM device for a remote server, which would let manage a server, for example, when ssh is screwed up?

Under "best" I mean "can be used without problems in my minimal Gentoo system without any DE"

For example, KVMs from Lantronix, as I see, do not match my criteria, because these devices are using a proprietary (and obsolete?) technology "Oracle Java Web Start"?

EDIT

I read that KVMs from some server vendors have different names:

Intel - ATM
Supermicro - IPMI
DELL - iDRAC
Fujitsu - iRMC
Lenovo - TSM
Hewlett Packard - iLO

[NeddySeagoon]

halcon,

WIth a remote server, don't screw up ssh. :)

I'm not sure I fully understand the question.
Do you want to rent a KVM instance that has some out of band management interface for when ssh fails you or do you want to rent a whole server which you will divide into KVMs, then you want an out of band management interface to the whole server?

I do the latter with a Hetzner second user system. Hetzner allow you to boot your install in QEMU and provide the console from the boot loader onwards, that can be read in a web browser.

IPMI works. On my Mudan server I get console over LAN and can fiddle with the BIOS settings too. That's with

Code: Select all

sys-libs/freeipmi[/codeinstalled on the controller end.
HP iLO is the same idea. I have the remote control card for my HP Gen 7 microserver, I can connect with CoL bet it never puts any data there. Its about on/off control only.

IPMI requires its own IP address and there are not enough to go round, so its an extra cost.
Its a fairly standard interface but the implemented features vary enormously.

[pingtoo]

May be a Raspberry Pi see PiKVM

[pjp]

I'm not sure I fully understand the question.

Keyboard Video Mouse Switch (not Kernel Virtual Machine). Essentially your Mudan / IPMI / HP ILO except the "KVM" is a physical device (switch) that connects one console to many servers.

I've not found a good solution that wasn't expensive, and so far I've not found any "ILO" cards that could be used in a consumer PC.

[halcon]

Thanks for your replies,
NeddySeagoon, pingtoo, pjp!

I think I have to clarify the details of what exactly I need...

Keyboard Video Mouse Switch (not Kernel Virtual Machine)

Yes, I meant physical hardware devices called KVM Switches.

I am choosing a dedicated server instead of a VPS. One of the main features of a dedicated server - that KVM Switch. I just found that I can't use the KVM from Lantronix because it requires "Oracle Java Web Start".

WIth a remote server, don't screw up ssh.

Yes, but what to do if e.g. I am installing Gentoo over Ubuntu, and suddenly dropped my cup of coffee over my keyboard... )

IPMI works. On my Mudan server I get console over LAN and can fiddle with the BIOS settings too. That's with

Code: Select all

sys-libs/freeipmi[/codeinstalled on the controller end.
HP iLO is the same idea. I have the remote control card for my HP Gen 7 microserver, I can connect with CoL bet it never puts any data there. Its about on/off control only.
[/quote]
So, IPMI client should work "out of the box" in Gentoo? It's a good news!

[pjp]

So, IPMI client should work "out of the box" in Gentoo? It's a good news!

Be aware that in general, IPMI is or might only be part of the equation. The hardware ILO (or its software) may or may not work completely with the client. That is, you may not have all of the capabilities via IPMI from the host OS as you would if you connected directly to the ILO hardware (network or direct console). I suspect that may partially be related to the age of hardware, but I never tried to quantify the different results. For the record, I believe that is only using HP and Oracle hardware.

[NeddySeagoon]

halcon,

My Hetzner server has a remote control to reboot to rescue mode.
The rescue mode is like a liveCD, you can ssh into the rescue mode, mount your gentoo install and fix it.

The remote control is a web interface but that's only needed to push the rescue mode reboot button.
I've never tried that from a text browser.

Once the box is up for real, with ssh, I use app-emulation/libvirt over ssh to manage guests, so its like a two stage get you going thing.
Fixing the initrd, to get it to boot at all, was exciting with no console. I eventually did that in a KVM locally, so it worked, then put it back on the server.
However, my initrds are user space tools only, no kernel modules, so they end up like firmware.

[halcon]

Be aware that in general, IPMI is or might only be part of the equation. The hardware ILO (or its software) may or may not work completely with the client. That is, you may not have all of the capabilities via IPMI from the host OS as you would if you connected directly to the ILO hardware (network or direct console). I suspect that may partially be related to the age of hardware, but I never tried to quantify the different results. For the record, I believe that is only using HP and Oracle hardware.

Interesting... I guess, things like these are very complex, which I usually avoid...

My Hetzner server has a remote control to reboot to rescue mode.
The rescue mode is like a liveCD, you can ssh into the rescue mode, mount your gentoo install and fix it.

Oh, it is very useful. Just all I would need. Worth to look at it.

[pingtoo]

halcon,

I think your usage scenario are,

1. Damn I messed up sshd setting, no longer able connect over ssh, but I am sure can login via console,
2. ping the remote machine is not working, but I still have network to other machine on same net,
3. as above, but the remote machine just sit beside me,
4. the remote just die, the remote machine is far away and I need it reboot

For a, your KVM need to have USB/Bluetooth/Rf and VGA/html into your remote at same time you can net connect to the KVM.
For b. same as a.
For c. it could be just as easy to connect screen and keyboard to the remote.
For d, your KVM need have control to your dead machine's power in order to reboot.

So there are complexity in select KVM to support different usages.

[halcon]

Hi pingtoo,

Thanks for your analysis. As far as I understand, it may be especially useful for locating an own server somewhere?

My usage scenario is choosing between hosters offerings (not colocation, not my own server). A button to reboot - all hosters have it even without KVM; "beside me" - correspondingly, false.

VGA/html

I guess, you mistyped hdmi here?

EDIT

Or didn't mistype ... Just found "html5 KVM" in the web...

[halcon]

a proprietary (and obsolete?) technology "Oracle Java Web Start"?

I just found that I can't use the KVM from Lantronix because it requires "Oracle Java Web Start".

In fairness, I should say that there is a newer, open-sourced version:

https://bugs.gentoo.org/673050#c5
https://github.com/karakun/OpenWebStart

Did anybody here use it? Reviews? Experience?

[figueroa]

Run two ssh servers. On a remote server I run OpenSSH on one port and DropBear on another. Only one is open to the outside, but I have multiple servers on Desktop machines at the destination location, therefore multiple paths to the server in question.

[halcon]

Hi figueroa,

An advanced setup!..

I have multiple servers on Desktop machines at the destination location

Sorry... What do you mean under "destination location" here?

The last time when I successfully screwed up ssh, I just commented out a wrong line in the firewall script So, the ssh port was just closed in iptables for new connections. Please correct me if I am wrong: In this setup, connections establshed earlier could work for a while (as "conntrack established")? For how long?

[pingtoo]

Hi pingtoo,

Thanks for your analysis. As far as I understand, it may be especially useful for locating an own server somewhere?

My usage scenario is choosing between hosters offerings (not colocation, not my own server). A button to reboot - all hosters have it even without KVM; "beside me" - correspondingly, false.

VGA/html

I guess, you mistyped hdmi here?

Yes, I meant hdmi. Thanks for correction.

[figueroa]

...

I have multiple servers on Desktop machines at the destination location

Sorry... What do you mean under "destination location" here?

The 10 machines, 1 server and 9 used as staff and student desktops, at the remote destination (the LOCATION; a school 600 miles to the north on real local-to-them hardware) are all on the same local net and each can be access via ssh via it's own local IP and SSH port. None of them have software updates installed automatically. The server runs Gentoo; the desktops are running MX-Linux.

I can access the server directly only through a single port forward to OpenSSH server. DropBear is also running on its own port on the server but that cannot be accessed directly from outside the LAN. Should I mess up, and find the sshd port not accessible on the server, I can ssh into any one of the desktop machines and access the DropBear ssh port on the server in order to fix its OpenSSH instance of sshd. It's just a back door. (Push comes to shove, a local helper can boot the server from a flash-drive with a live-usb running sshd, and I can get in that way, also by first accessing one of the desktop machines.)

Each machine is protected with Fail2Ban running with extremely stringent settings. Nothing runs on port 22. Still, we used to get a lot of probes, but after putting a couple of select alternate ports into non-use, we just don't get found anymore -- knock on wood.

[Hu]

The last time when I successfully screwed up ssh, I just commented out a wrong line in the firewall script So, the ssh port was just closed in iptables for new connections. Please correct me if I am wrong: In this setup, connections establshed earlier could work for a while (as "conntrack established")? For how long?

A conntrack established state will persist until a certain amount of time elapses with no activity on the connection. If you kept the ssh connection active by using it, you can keep it in the established state indefinitely.

[halcon]

@figueroa: Thanks for clarification! Very educational.

@Hu: Thanks. "indefinitely" is long...

[halcon]

My Hetzner server has a remote control to reboot to rescue mode.
The rescue mode is like a liveCD, you can ssh into the rescue mode, mount your gentoo install and fix it.

Oh, it is very useful. Just all I would need. Worth to look at it.

I looked. Indeed, the rescue mode is useful enough. I noticed a few small details* that were not very convenient, but in general I liked it!
* - Changes made to this system do not last for long as the system is periodically refreshed; ssh sessions hang periodically for the same reason; there is no iptables available - for the time of using the rescue mode it is necessary to configure the "external" firewall in the Hetzner web panel.

Also, I've found Lantronix KVM in the Hetzner web panel, but with HTML5 instead of Java Web Start (upgraded one), and successfully used it. It can be ordered pushing the button "Remote Console" in the bottom left corner of the "Support" block.

So, I can say: for my purposes, the Best KVM is one with HTML5.
Marking as solved. Thanks again to everybody who participated!