The Fine Print: The following comments are owned by whoever posted them.
Re: Using OpenEMR in Family Practice
by Patrick on Monday January 30, 2006 @ 09:25 PM
If this is a permanent fixture in your practice wouldn't it make sense to dedicate a server to OpenEMR? I can understand using vmware on a laptop for initial testing & trial but not for a production system.
Running Linux on top of Windows XP also puts your configuration at a higher security risk (two OSs to patch instead of one).
Re: Using OpenEMR in Family Practice
by techguy on Tuesday January 31, 2006 @ 05:49 AM
I've always been a little nervous running production applications using VMware on a server. I'm getting more confident in that choice, but I could never imagine running it on a laptop. Great to know that it is working for you. I look forward to seeing how this develops. I do think VMware (or whatever Microsoft comes up with to compete with it) will be the future of servers.
John
EMR and HIPAA Blog
Rod, why this config (a vm within XP laptop)?
by Rick Stockton on Wednesday February 01, 2006 @ 12:12 AM
Since Mark considers it OK to leave the laptop at work sometimes, it's not an issue of "the office isn't secure enough to leave unattended at night".
Like the other commentators, I feel that running mission-critical Linux-based S/W on top of a vm in Windows (XP) is a really bad idea. There are a bunch of mandatory "System Services", they constitute large security risks but you can't run Windows without them. IMHO, it is IMPOSSIBLE to adequately lock down Windows XP. If you want to run with multiple VMs, I recommend that you take a good look at using Xen: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
A lot of key Linux players (Red Hat, Novell, Andrew Morton....) are working on adding Xen support right in the Linux Kernel, rather than supporting it as a side-bar "add-on". You can also simply use your current Windows vm implementation to "play with", while using a native Linux machine (desktop or portable) for production. HP has announced that they will be selling Mandriva OS pre-installed in South America, I bet they'd be happy to tell you which USA models can support this OS.
I'd also note that K3B, the *REALLY GREAT* DVD burner program, has a nice macro language. You could write a little script to shut down MySQL, perform the backup, and restart MySQL via atd. Another backup scheme, way slower, but really good as a "total disaster" backup, is to take one of those "emergency recovery" Linux CDs, reburn it with a script to mount and copy all of your hard disk partitions to an external USB drive. This one would be good for saving you from rebuilding the System (full of maintenance updates) if the System Disk in your main computer goes totally bad. Do this one once every couple of weeks... then, if the computer dies, you do this one first, then restore the data from the latest daily DVD(s).
In my experience (nearly 30 years), 3 things ALWAYS HAPPEN:
- Disks crash at the worst possible time.
- Only then do the people realize that their backup procedure DIDN'T INCLUDE ALL THE STUFF THEY NEED!
- Then it turns out, they didn't actually --> DO THE BACKUP,
Re: Rod, why this config (a vm within XP laptop)?
by Mark Leeds on Wednesday February 01, 2006 @ 01:50 PM
Thanks for your response.
First, Rod did not configure it as a vm within an XP laptop. He only provided the vm which could have been run on either Linux or Windows with the free vmware player.
While I have installed and configured Linux systems in the past, there is a shortage of time these days with the opening of the new office.
The easiest and fastest way to get going smoothly was to put the vm on the XP laptop. Of course I am going to get dedicated, non-portable hardware to run the server eventually instead of the laptop. I was not aware that the security risks of running a Windows machine hosting a vm with Linux were more complex or less secure than running a Windows machine with a Linux machine next to it on the same network. Maybe that was your point, to eliminate the XP machine altogether.
Either way, the network is closed so there is no access to the internet on any of the three networked machines involved (4 with the vm).
Otherwise, I am not aware of any problems with running my server under vmware. Speed has not been an issue at all. Maybe as my database fills up, it will become an issue. I'll deal with that problem if and when it comes up.
Yes, it was vmware on XP (more risky)
by Rick Stockton on Thursday February 02, 2006 @ 12:27 AM
First, let me apologize for my erroneous cut-and-paste (leading to lots of repetition in my parent post). The real ending was: "congratulations to both you and Rod on this successful roll-out!"
Your understanding is exactly correct: a vmware "Linux" environment on LINUX is almost as safe as running Linux natively, whereas running a vmware "Linux" on WINDOWS is exposed to nearly all of the vast numbers of Windows vulnerabilities. (Only those IP ports which vmware and Linux have "taken over" are "immunized", e.g. you have an Apache Web Server instead of an IIS.) There is much higher safety with either vmware "Linux" on Linux, or Linux-native, even if there are lots of Windows XP machines on the local network.
For example, I make way too large a portion of my income fixing Windows machines, although only about 1/3 of my Windows System repairs are malware-related. My Linux machine (this desktop) has been, for many years, totally immune to anything these Windows Systems have attempted to infect it with after I plug them into my Router. They've never found a vulnerability in Apache or ProFTPd, and just about everything else is locked down, or simply immune to Windows-based attacks. (Remember, Windows XP simply can't be locked down adequately: it uses this horribly insecure RPC mechanism for communicating between different parts of Windows XP inside the box, and you can't tell the RPC Service to refuse communications from outside.) The same advantage I have would be true of any Linux Server in an environment full of Windows machines.
Now, your vmware Virtual Environment adds another layer, but it mostly just "takes over" the Apache listener, the associated modules (PHP4, SSL, etc.) and the MySQL operations, rather than adding new things. In contrast, vmware running on Windows XP (or Windows Server 2003, which would be SLIGHTLY better) can EASILY have the rug pulled out from under it... because once your Windows box is "0wn3d", EVERYTHING running on it, and all of its files, are "owned". Although the network at work isn't Internet-connected, I suspect that you plug in the portable at home from time to time. So, it can become infected, and subsequently infect other Windows machines at work. BTW, if Internet is disabled, how do you keep those machines up-to-date on maintenance? (And, you do the billing on paper?)
Speed should not become an issue unless you start composing your own Database Queries, scanning hundreds/thousands of longtext fields for specific words and phrases. And don't forget, both Linux and your Hard Disks do very helpful file caching to speed that up. If you ever see a speed issue developing, it's probably best to add memory first (allowing Linux to cache more aggressively), and only mess with the disk configuration later. Again(?!?!) my congratulations!
Re: Rod, why this config (a vm within XP laptop)?
by Pete Gandy on Monday March 29, 2010 @ 05:33 PM
Wow,
That takes guts!
I run an XP server on a CentOS Xen-based server for those who think they just can't figure out where the click-on buttons are. Simple adversity to change.
I never, ever would run anything that is mission critical on a MicroSnot machine "virtual or otherwise". Microsoft with Linux as virtual.
That's upside down. Especially on security and stability. It's taking Linux and lowering it to the level of MicroSnot. Why not run it the other way and raise MicroSnot up a little?
All we do with MicroSnot on the virtual server is Word files. End of story.
I do not allow my critical services on this machine either as with MicroSnot on it I have no faith it will still be working in the next five minutes or days.
My server running CentOS that runs my email and other critical services now runs a bright new shiny openemr. Not open to the users yet except for a few. So far great.
MicroSnot! You're outta here in the very near future.
Users get used to KDE or Gnome, OpenOffice or find a new job.
Pete
Re: Using OpenEMR in Family Practice
by Tim Cook on Wednesday February 01, 2006 @ 02:12 PM
Mark,
I think it would be very helpful if you could keep a weekly (or so) journal about your OpenEMR experience and give us all an update in 6 months and one year.
Cheers,
Tim
Re: Using OpenEMR in Family Practice
by Tim Churches on Saturday February 11, 2006 @ 09:51 PM
Is the partition on which OpenEMR exists on the laptop encrypted? If not, then you are exposing all your patients' very private medical data to a security risk far greater than that posed by the operating systems - that of theft. Laptops are stolen all the time, particularly if they are ever left in cars.
Similarly the back-up DVDs should not be taken off-site unless they are encrypted.
Tim C
Re: Using OpenEMR in Family Practice
by Mark Leeds on Tuesday February 14, 2006 @ 02:41 PM
This is true. I should give a brief update now that some time has passed and we are gaining experience.
The laptop is no longer hosting the virtual server in the office. The security concerns of using Windows XP as the host OS scared me and the temptation to take the laptop home was too great. I also wanted to be able to leave the server running because my staff arrives to work before me and I did not like being the excuse for them not having access in the morning.
I am now running a desktop machine with a Sempron 2400, 1GB RAM, 100GB hard drive and a DVD burner. The Host OS is Red Hat WS, subscribed and fully updated, and I am still running the same virtual OS, Ubuntu, set up with all of the software by Rod.
As much as I was in favor of this setup in the beginning, I discovered how fast and easy it was to do mysqldump for the OpenEMR data. At this point, I have not used the other software, freeb or SQL-Ledger, so backing up the MySQL OpenEMR database really covers everything I need at this point. The space and time savings are, of course, huge.
I am even considering if I should just run the software natively instead of in the vm. On the other hand, it is nice to be able to easily save the state of the machine and have the ability to run it on multiple platforms if necessary.
So, at this point, the laptop is no longer involved in the system and the DVD backups are not made as often and do not leave the office. I will probably get a fire proof box and store the DVDs there.
As far as carrying data out of the office for backup or reference purposes, a database dump of a few megabytes is easy to encrypt and decrypt quickly.
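The routine discussed in the thread (a mysqldump of the OpenEMR data, encrypted before any copy leaves the office), together with a check against the two failure modes Rick lists (a backup that is incomplete, or was never really made), as an added example that is not part of any commenter's post. The database name `openemr`, credentials in `~/.my.cnf`, the use of gpg 2.1 or later, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumed: database name "openemr",
# MySQL credentials in ~/.my.cnf, gpg 2.1 or later, caller-supplied table list.

# Succeed only if the dump finished and contains every required table.
verify_dump() {
    local dump="$1" t
    shift
    [ -s "$dump" ] || { echo "missing or empty: $dump" >&2; return 1; }
    # mysqldump writes this trailer last; without it the dump was cut short.
    tail -n 5 "$dump" | grep -q '^-- Dump completed' \
        || { echo "truncated dump: $dump" >&2; return 1; }
    for t in "$@"; do
        grep -q "^CREATE TABLE \`$t\`" "$dump" \
            || { echo "table not in dump: $t" >&2; return 1; }
    done
}

# Encrypt with a passphrase (AES-256), prove the result decrypts to the same
# bytes, and only then delete the plaintext copy.
encrypt_dump() {
    local dump="$1" pass_file="$2"
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pass_file" \
        --symmetric --cipher-algo AES256 --output "$dump.gpg" "$dump" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$pass_file" \
        --decrypt "$dump.gpg" | cmp -s - "$dump" || return 1
    rm -f "$dump"
}

# Usage: backup_openemr OUT.sql PASSPHRASE_FILE TABLE...
backup_openemr() {
    local out="$1" pass_file="$2"
    shift 2
    umask 077   # the dump holds patient data: readable by this user only
    mysqldump openemr > "$out" || return 1
    verify_dump "$out" "$@" && encrypt_dump "$out" "$pass_file"
}
```

The passphrase file has to be stored somewhere other than the media carrying the encrypted dump, and a test restore from the `.gpg` file is the only proof the backup is usable.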