1:01 p.m.
I have a Fedora 18 server hosting several Fedora 18 guests with a
bridge. The server, guests of the server, and peers of the server can
all freely interact. I have YUM repositories available via http and
home and shared directories available via nfs from the server. And DNS,
authentication and policies for autofs and sudo are available from IPA
on one of server guests. Life is good.
[root@host ~]# cat /etc/sysconfig/network-scripts/ifcfg-em1
# Configured manually
BRIDGE=br1
DEVICE=em1
HWADDR=00:1C:C4:AE:57:4F
ONBOOT=yes
TYPE=Ethernet
[root@host ~]# cat /etc/sysconfig/network-scripts/ifcfg-br1
# Configured manually
BOOTPROTO=static
DEFROUTE=yes
DELAY=0
DEVICE=br1
DNS1=192.168.1.11
DNS2=75.75.76.76
DNS3=75.75.75.75
DOMAIN=hunter.org
GATEWAY=192.168.1.254
IPADDR=192.168.1.10
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System br1"
ONBOOT=yes
PREFIX=24
STP=on
TYPE=Bridge
[root@host ~]# virsh net-dumpxml Subnet1
<network connections='4'>
<name>Subnet1</name>
<uuid>3a50ed6a-0350-e46e-5a9d-a6b159ce5c37</uuid>
<forward mode='bridge'/>
<bridge name='br1' />
<mac address='52:54:00:18:8F:47'/>
</network>
[root@host ~]#
Now Fedora 19 comes along and I need to test new versions of the server
guests in isolation from existing server guests and server peers; ie.
everything except for the http and nfs services of the server. I
welcome your suggestions.
2:01 p.m.
On Mon, 08 Jul 2013 13:01:25 -0500
Dean Hunter wrote:
Now Fedora 19 comes along and I need to test new versions of the
server
guests in isolation from existing server guests and server peers; ie.
everything except for the http and nfs services of the server. I
welcome your suggestions.
Don't know if this will help, but I setup a VLAN on my
router to operate a separate isolated subnet (for totally
different reasons). Details here:
http://home.comcast.net/~tomhorsley/game/isolate.html
10:39 a.m.
On Mon, 2013-07-08 at 15:01 -0400, Tom Horsley wrote:
On Mon, 08 Jul 2013 13:01:25 -0500
Dean Hunter wrote:
> Now Fedora 19 comes along and I need to test new versions of the server
> guests in isolation from existing server guests and server peers; ie.
> everything except for the http and nfs services of the server. I
> welcome your suggestions.
Don't know if this will help, but I setup a VLAN on my
router to operate a separate isolated subnet (for totally
different reasons). Details here:
http://home.comcast.net/~tomhorsley/game/isolate.html
Ah! Aliases for the device and a bridge for each alias. Thank you.
What was the source of the name "Bifrost Bridge"? I have seen it a
couple of times recently in science fiction and now in your notes.
11 a.m.
On Tue, 09 Jul 2013 10:39:34 -0500
Dean Hunter wrote:
What was the source of the name "Bifrost Bridge"? I have
seen it a
couple of times recently in science fiction and now in your notes.
http://en.wikipedia.org/wiki/Bifr%C3%B6st
The movie "Thor" had just come out when I was trying to
get things to work :-).
3:25 p.m.
On Mon, 2013-07-08 at 15:01 -0400, Tom Horsley wrote:
On Mon, 08 Jul 2013 13:01:25 -0500
Dean Hunter wrote:
> Now Fedora 19 comes along and I need to test new versions of the server
> guests in isolation from existing server guests and server peers; ie.
> everything except for the http and nfs services of the server. I
> welcome your suggestions.
Don't know if this will help, but I setup a VLAN on my
router to operate a separate isolated subnet (for totally
different reasons). Details here:
http://home.comcast.net/~tomhorsley/game/isolate.html
Uh oh! Not aliases, but VLANs. And my old Linksys has no ability to
configure VLANs. The isolated network does not need Internet access,
just access to the server host from the guests.
Any other suggestions?
8:15 p.m.
On 07/08/2013 02:01 PM, Dean Hunter wrote:
I need to test new versions of the server guests in isolation from
existing server
guests and server peers; ie. everything except for the http and nfs services of the
server.
Hi Dean,
I'm new to virtualization on Linux so bear with me...
As I see it you have this "Subnet1" for your br1 bridge:
(your network) --> em1 --> br1 <-- your guests
Why don't you just just create a new network "Subnet2" (with a new
bridge "br2") that won't have any real interface bridged to it? That way
you'll get the isolation you want for your new guests plus you'll have
another ip for your host system (the ip you'll assign to the bridge).
Then you can configure HTTP/NFS to also listen on that new ip (in order
to allow your isolated guests talk to your host system).
Regards,
Jorge
3:19 p.m.
On 07/10/2013 09:15 PM, Jorge Fábregas wrote:
On 07/08/2013 02:01 PM, Dean Hunter wrote:
> I need to test new versions of the server guests in isolation from existing server
> guests and server peers; ie. everything except for the http and nfs services of the
server.
Hi Dean,
I'm new to virtualization on Linux so bear with me...
As I see it you have this "Subnet1" for your br1 bridge:
(your network) --> em1 --> br1 <-- your guests
Why don't you just just create a new network "Subnet2" (with a new
bridge "br2") that won't have any real interface bridged to it? That way
you'll get the isolation you want for your new guests plus you'll have
another ip for your host system (the ip you'll assign to the bridge).
And you can do this very easily with a libvirt virtual network:
<network>
<name>isolated</name>
<domain name='isolated.net'/>
<ip address='192.168.254.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.254.2' end='192.168.254.250' />
</dhcp>
</ip>
</network>
Put that in /tmp/x.xml and run:
virsh net-define /tmp/x.xml
virsh net-start isolated
virsh net-autostart isolated
Now edit your guest xml (with "virsh edit" of course!) and change the
<interface>
element to something like this:
<interface type='network'>
...
<source network='isolated'/>
...
</interface>
save that, shutdown the guest (if it isn't already) then start it up
again. The guest will get an IP address from 192.168.254.x, and be able
to communicate with the server at 192.168.254.1 or with other guests on
the same subnet, but won't be able to talk with anything else (even DNS
requests will not be forwarded upstream).
To protect against the guests on this isolated networks contacting
anything except nfs and https (as well as DHCP and DNS, I'm guessing),
you have three choices:
1) make sure the other services are listening only on certain interfaces.
2) modify the host's firewall accordingly
3) put a libvirt nwfilter firewall on the guest (see:
http://www.libvirt.org/formatnwfilter.html)
3935
days inactive
3938
days old
7 comments
4 participants
participants (4)
-
Dean Hunter -
Jorge Fábregas -
Laine Stump -
Tom Horsley