[PVE-User] Suggestion : layer3 KVM isolation integration

Leslie-Alexandre DENIS infoslad at gmail.com
Mon May 12 20:55:04 CEST 2014


On 12/05/2014 19:19, diaolin wrote:
> Do you have examples?
>
> Leslie-Alexandre DENIS <infoslad at gmail.com> wrote:
>
>> Hello all,
>>
>> I worked a lot on the Proxmox/KVM combination and I'm surprised there
>> isn't something like all orchestrators do, the management of isolation
>> on KVM.
>> I do it already for myself but I'm sure all of Proxmox's users would
>> enjoy that, and from my point of view it's not so hard.
>> Basically it's just basic Linux routing between bridges, and it's exactly
>> the same technique used in others like CloudStack...
>>
>> Anyone working on that ?
>>
>> Regards
Yes, assuming that the Proxmox hypervisor host is able to forward packets:

/etc/network/interfaces would be:

# device: eth0
auto eth0
iface eth0 inet static
    address <main ip>
    netmask 255.255.255.255
    pointopoint <gateway>
    gateway <gateway>

# for single IPs
auto vmbr0
iface vmbr0 inet static
    address <main ip>
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up ip route add <vm ip 1>/32 dev vmbr0
    post-up ip route add <vm ip 2>/32 dev vmbr0


The first bridge, vmbr0, is assigned to the VM.
The /etc/network/interfaces of the VM would be:

# device: eth0
auto eth0
iface eth0 inet static
    address <vm ip 1>
    netmask 255.255.255.255
    pointopoint <main ip of vmbr0>
    gateway <main ip of vmbr0>


To have pointopoint with a default gateway is a little bit redundant but
the gateway clause adds the default route, it's always better.

Anything coming on the hypervisor with the correct IP destination will
be routed through vmbr0, otherwise it will be dropped.
Another VM can't use another IP if it's not defined on the vmbr
interface at hypervisor level.

Alexandre, I don't need anything for me but I think it should be
implemented in the Proxmox VE Web GUI like many other cloud
orchestrators. You just need to define rules on vmbr in order to have a
KVM routed and thus secured infrastructure, at least on layer 3. VLAN
can be used as layer 2 isolation.

Regards,
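
An added example (not part of the original message and not Proxmox code): a POSIX shell audit for the routed-bridge setup described above. It compares the routes on vmbr0 with an allowlist of VM addresses, flags any prefix wider than /32, and checks that IPv4 forwarding is on; the addresses, the sample route output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. All addresses are constructed
# (documentation ranges); the function names are hypothetical.

# forwarding_enabled [file]: true when the kernel forwards IPv4 packets.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# audit_routes "<allowed IPs, space separated>" "<ip -4 route show dev vmbr0>"
# Prints one finding per line and returns non-zero when the routes on the
# bridge differ from the allowlist.
audit_routes() {
    allowed=$1 routes=$2 present="" rc=0
    while read -r dst rest; do
        case $dst in
            '')          continue ;;
            */32)        dst=${dst%/32} ;;
            */*|default) echo "WIDE $dst"; rc=1; continue ;;  # not a host route
        esac
        present="$present $dst"
        case " $allowed " in
            *" $dst "*) ;;
            *) echo "UNEXPECTED $dst"; rc=1 ;;   # routed but not allowlisted
        esac
    done <<EOF
$routes
EOF
    for ip in $allowed; do
        case " $present " in
            *" $ip "*) ;;
            *) echo "MISSING $ip"; rc=1 ;;       # allowlisted but not routed
        esac
    done
    return $rc
}

# Constructed sample of what "ip -4 route show dev vmbr0" could print.
SAMPLE_ROUTES='192.0.2.10 scope link
192.0.2.11 scope link
192.0.2.99 scope link
198.51.100.0/24 scope link'
ALLOWED='192.0.2.10 192.0.2.11 192.0.2.12'

audit_routes "$ALLOWED" "$SAMPLE_ROUTES" || echo "vmbr0 routes deviate from the allowlist"
# On a live host: audit_routes "$ALLOWED" "$(ip -4 route show dev vmbr0)"
```

The audit covers destination routes only; it does not inspect the source addresses a VM puts on the packets it sends.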