[ovirt-users] ovirtmgmt network security

Alona Kaplan alkaplan at redhat.com
Mon Oct 30 09:50:50 UTC 2017


Hi Istvan,

I agree with Luca. You can remove nic1.
The 'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
vnics (virtual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and
the host.
Whether the vm is using the 'ovirtmgmt' network or not won't affect the
management capabilities.

You said that the vm nic with 'ovirtmgmt' was automatically added when you
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add
vm dialog you didn't choose it as the network of nic1? (you could leave
this section in the dialog unfilled, it is not mandatory).

BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
uncheck the 'vm network' checkbox.

Hope it helps you,
Alona.

On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <
lorenzetto.luca at gmail.com> wrote:

> On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan at gmail.com>
> wrote:
> > Hello,
> >
> > thank you for your patience for trying to let me see the light.
> >
> > Indeed I don't understand what you are explaining. Maybe if I give you more
> > concrete details it will help.
> >
> > My internal network is 192.168.196.0
> > My DMZ network is 192.168.188.0
> >
> > ovirt-engine is running on a centos server with IP 192.168.186.3
> > ovirt host is on a centos server with IP 192.168.186.4
> >
> > On the host I created a VM that I want to be in the DMZ. When I created the
> > VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> > In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> > 192.168.186.167.
> >
> > After that I added a host device to that VM using passthrough. This device
> > is called ens7 in the VM and I gave IP 192.186.188.4.
> > That device is directly connected to my physical DMZ switch and from there
> > to the firewall.
> > This part is OK.
> >
> > My problem is that through eth0 my VM has access to my internal network.
> > Removing the device seems impossible because this is ovirtmgmt network.
> > I can not change or remove the IP of my host because it would not be
> > reachable anymore on my internal network.
> >
> > Maybe the solution is obvious but I can't see it. I'm running in circles with
> > this problem and it makes me crazy.
> >
>
>
>
> Hi Istvan,
>
> why are you using device passthrough?
>
> Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
> As far as I can understand, you're directly communicating through DMZ.
>
> Luca
>
>
> --
> "It is absurd to employ men of excellent intelligence to perform
> calculations that could be entrusted to anyone if machines were
> used"
> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>
> "The Internet is the largest library in the world.
> But the problem is that the books are all scattered on the floor"
> John Allen Paulos, Mathematician (1945-living)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
> lorenzetto.luca at gmail.com>