[PVE-User] Suggestion : layer3 KVM isolation integration
Leslie-Alexandre DENIS
infoslad at gmail.com
Mon May 12 20:55:04 CEST 2014
On 12/05/2014 19:19, diaolin wrote:
> Do you have examples?
>
> Leslie-Alexandre DENIS <infoslad at gmail.com> wrote:
>
>> Hello all,
>>
>> I worked a lot on the Proxmox/KVM combination and I'm surprised there
>> isn't something like all orchestrators do, the management of isolation
>> on KVM.
>> I do it already for myself but I'm sure all of Proxmox's users would
>> enjoy that, and from my point of view it's not so hard.
>> Basically it's just basic Linux routing between bridges, and it's exactly
>> the same technique used in others like CloudStack...
>>
>> Anyone working on that ?
>>
>> Regards
>>
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Yes, assuming that the Proxmox hypervisor host is able to forward packets,
/etc/network/interfaces would be:
# device: eth0
auto eth0
iface eth0 inet static
    address <main ip>
    netmask 255.255.255.255
    pointopoint <gateway>
    gateway <gateway>
# for single IPs
auto vmbr0
iface vmbr0 inet static
    address <main ip>
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up ip route add <vm ip 1>/32 dev vmbr0
    post-up ip route add <vm ip 2>/32 dev vmbr0
The first bridge, vmbr0, is assigned to the VM.
The /etc/network/interfaces of the VM would be:
# device: eth0
auto eth0
iface eth0 inet static
    address <vm ip 1>
    netmask 255.255.255.255
    pointopoint <main ip of vmbr0>
    gateway <main ip of vmbr0>
Having pointopoint with a default gateway is a little bit redundant, but
the gateway clause adds the default route; it's always better.
Anything coming to the hypervisor with the correct destination IP will
be routed through vmbr0; otherwise it will be dropped.
Another VM can't use another IP if it's not defined on the vmbr
interface at hypervisor level.
Alexandre, I don't need anything for me but I think it should be
implemented in the Proxmox VE Web GUI like in many other cloud
orchestrators. You just need to define rules on vmbr in order to have a
KVM routed and thus secured infrastructure, at least on layer 3. VLANs
can be used for layer 2 isolation.
Regards,
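
Added example (not part of the original message or of Proxmox VE): a Python check that reads a host /etc/network/interfaces and lists which VM addresses have a /32 route on each bridge, flagging bridges that deviate from the routed layout above. The sample file, its 192.0.2.x addresses, vmbr1, and the function names audit and bridge_for are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a host /etc/network/interfaces (documentation addresses).
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10
    netmask 255.255.255.255
    bridge_ports none
    post-up ip route add 192.0.2.21/32 dev vmbr0
    post-up ip route add 192.0.2.22/32 dev vmbr0

auto vmbr1
iface vmbr1 inet static
    address 192.0.2.11
    bridge_ports eth1
    post-up ip route add 198.51.100.0/24 dev vmbr1
"""

ROUTE_RE = re.compile(r"post-up\s+ip\s+route\s+add\s+(\S+)\s+dev\s+(\S+)")

def audit(text):
    """Return (routes, findings); routes maps bridge -> list of routed VM IPs."""
    routes, findings, iface = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        words = line.split()
        match = ROUTE_RE.search(line)
        if line.startswith("iface ") and len(words) > 1:
            iface = words[1]                  # remember the current stanza
        elif words[:1] == ["bridge_ports"] and words[1:] != ["none"]:
            findings.append(f"{iface}: bridge_ports is not 'none' (not the routed layout)")
        elif match:
            dest, dev = match.groups()
            try:
                net = ipaddress.ip_network(dest, strict=False)
            except ValueError:
                findings.append(f"{dev}: cannot parse route target {dest!r}")
                continue
            if net.prefixlen == net.max_prefixlen:   # a single-host route
                routes.setdefault(dev, []).append(str(net.network_address))
            else:
                findings.append(f"{dev}: route {net} covers more than one host")
    return routes, findings

def bridge_for(routes, ip):
    """Bridge that a destination IP is routed to, or None if no route is defined."""
    return next((b for b, ips in routes.items() if ip in ips), None)
```
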