Re: [ovirt-users] ovirtmgmt network security

Sorry,
But you didn't understand well what I've said.
If your host has no IP addresses on that network, you're not encountering any risk because you've no access to that network at layer 3.
Removing ovirtmgmt is not possible, that network is mandatory.
Luca

On 27 Oct 2017 1:36 PM, "Istvan Buki" <buki.istvan@gmail.com> wrote:
Hello,
I totally agree on the first part: IP set only on the VM.
For the ovirtmgmt access, if I understand correctly, I have to choose between security and ease of management of my VM but I cannot have both.
Istvan

On 26 Oct 2017 6:41 PM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.luca@gmail.com> wrote:
Hello,
On the DMZ network you don't need any address configured on the host.
You set the IP address only on the VM. If the VM gets compromised, its access is limited only to the DMZ network.
There is no way for the attacker to gain access to ovirtmgmt if the VM is not configured to use it.
Luca

On 26 Oct 2017 6:32 PM, "Istvan Buki" <buki.istvan@gmail.com> wrote:
Hello ovirt experts,
I'm totally new to ovirt and trying to learn as fast as I can. So, please bear with me and my possibly stupid questions. Sorry if my questions have been answered already, but please point me to the place where I can find the answers.
I've set up ovirt 4.1.6 and created a first VM that I want to expose in a DMZ. I attached a dedicated NIC to the VM using passthrough which is connected to the DMZ network. This is all working as expected.
Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in case the security of the VM is compromised and someone gets unauthorized access to it, I do not want the attacker to have access to my internal network through the ovirtmgmt interface.
The most secure solution would be to remove that ovirtmgmt interface but then I lose management functionalities. Can you suggest the possible solutions to protect the ovirtmgmt network from unwanted access?
Thanks for your answers
Istvan
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Hello,
thank you for your patience in trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a CentOS server with IP 192.168.186.3
ovirt host is on a CentOS server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the VM, nic 1 was automatically added and is linked to the ovirtmgmt network. In the VM nic1 becomes eth0 and was assigned an IP address with DHCP 192.168.186.167.
After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it IP 192.186.188.4. That device is directly connected to my physical DMZ switch and from there to the firewall. This part is OK.
My problem is that through eth0 my VM has access to my internal network. Removing the device seems impossible because this is the ovirtmgmt network. I cannot change or remove the IP of my host because it would not be reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.
Again thank you for your help.
Istvan

On Fri, Oct 27, 2017 at 7:22 PM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca@gmail.com> wrote:
Sorry,
But you didn't understand well what I've said.
If your host has no IP addresses on that network, you're not encountering any risk because you've no access to that network at layer 3.
Removing ovirtmgmt is not possible, that network is mandatory.
Luca

On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan@gmail.com> wrote:
Hello,
thank you for your patience in trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a CentOS server with IP 192.168.186.3
ovirt host is on a CentOS server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the VM, nic 1 was automatically added and is linked to the ovirtmgmt network. In the VM nic1 becomes eth0 and was assigned an IP address with DHCP 192.168.186.167.
After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it IP 192.186.188.4. That device is directly connected to my physical DMZ switch and from there to the firewall. This part is OK.
My problem is that through eth0 my VM has access to my internal network. Removing the device seems impossible because this is the ovirtmgmt network. I cannot change or remove the IP of my host because it would not be reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.
Luca
--
"It is absurd to employ men of excellent intelligence to do calculations that could be entrusted to anyone if machines were used"
Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
"The Internet is the world's largest library. But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenzetto.luca@gmail.com>

Hi Istvan,
I agree with Luca. You can remove nic1.
The 'ovirtmgmt' network is not mandatory on the VM; you can run the VM with no vNICs (virtual NICs) at all.
The 'ovirtmgmt' network is used for communication between the engine and the host.
Whether the VM is using the 'ovirtmgmt' network or not won't affect the management capabilities.
You said that the VM NIC with 'ovirtmgmt' was automatically added when you added the VM.
It is strange and shouldn't behave this way. Are you sure that in the add VM dialog you didn't choose it as the network of nic1? (You could leave this section in the dialog unfilled; it is not mandatory.)
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to the edit network dialog of 'ovirtmgmt' (in the Network main tab) and uncheck the 'VM network' checkbox.
Hope it helps you,
Alona.

On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca@gmail.com> wrote:
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1. As far as I can understand, you're directly communicating through DMZ.
Luca
--
"It is absurd to employ men of excellent intelligence to do calculations that could be entrusted to anyone if machines were used"
Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
"The Internet is the world's largest library. But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenzetto.luca@gmail.com>
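As an added example (not code from this thread or from the oVirt project), here is an offline audit that implements Alona's two recommendations as a repeatable check: list every VM that still carries a vNIC whose profile sits on ovirtmgmt, and report whether ovirtmgmt is still flagged as a "VM network". The JSON shapes are an assumption modelled on oVirt's REST API v4 (/networks, /vnicprofiles, /vms/{id}/nics with Accept: application/json), and the payloads below are constructed samples, so it runs without an engine.

```python
"""Offline audit of oVirt API data for VMs that keep a vNIC on ovirtmgmt.

Added example, not from the thread or the oVirt project. The JSON shapes are an
assumption modelled on oVirt REST API v4 responses; all payloads are constructed.
"""
import json

# Constructed sample of GET /ovirt-engine/api/networks (assumed shape).
NETWORKS_JSON = """{"network": [
  {"id": "net-mgmt", "name": "ovirtmgmt",
   "usages": {"usage": ["management", "vm"]}},
  {"id": "net-dmz", "name": "dmz", "vlan": {"id": "188"},
   "usages": {"usage": ["vm"]}}
]}"""

# Constructed sample of GET /ovirt-engine/api/vnicprofiles (assumed shape).
VNIC_PROFILES_JSON = """{"vnic_profile": [
  {"id": "prof-mgmt", "name": "ovirtmgmt", "network": {"id": "net-mgmt"}},
  {"id": "prof-dmz",  "name": "dmz",       "network": {"id": "net-dmz"}}
]}"""

# Constructed samples of GET /ovirt-engine/api/vms/{id}/nics, keyed by VM name.
# A passthrough host device (Istvan's ens7) is not a vNIC and never shows up here.
VM_NICS_JSON = {
    "dmz-web": """{"nic": [
      {"name": "nic1", "plugged": "true", "vnic_profile": {"id": "prof-mgmt"}}
    ]}""",
    "dmz-db": """{"nic": [
      {"name": "nic1", "plugged": "true", "vnic_profile": {"id": "prof-dmz"}}
    ]}""",
    "no-vnic": """{}""",
}

MGMT_NETWORK = "ovirtmgmt"


def network_by_profile(networks_json, profiles_json):
    """Map vNIC profile id -> network name, joining on the network id."""
    networks = {n["id"]: n["name"]
                for n in json.loads(networks_json).get("network", [])}
    return {p["id"]: networks.get(p["network"]["id"], "?")
            for p in json.loads(profiles_json).get("vnic_profile", [])}


def vnics_on_network(vm_nics_json, profile_to_network, network_name=MGMT_NETWORK):
    """Return [(vm, nic name)] for every vNIC whose profile is on network_name.

    An unplugged vNIC still counts: it is one click away from rejoining the network.
    """
    findings = []
    for vm, payload in vm_nics_json.items():
        for nic in json.loads(payload).get("nic", []):
            profile = nic.get("vnic_profile", {}).get("id")
            if profile_to_network.get(profile) == network_name:
                findings.append((vm, nic["name"]))
    return findings


def mgmt_is_vm_network(networks_json, network_name=MGMT_NETWORK):
    """True if the management network still carries the 'vm' usage flag."""
    for net in json.loads(networks_json).get("network", []):
        if net["name"] == network_name:
            return "vm" in net.get("usages", {}).get("usage", [])
    return False


def audit(networks_json=NETWORKS_JSON, profiles_json=VNIC_PROFILES_JSON,
          vm_nics_json=VM_NICS_JSON):
    """Run both checks and return a dict a scheduled job can act on."""
    mapping = network_by_profile(networks_json, profiles_json)
    return {
        "vnics_on_mgmt": vnics_on_network(vm_nics_json, mapping),
        "mgmt_is_vm_network": mgmt_is_vm_network(networks_json),
    }


if __name__ == "__main__":
    result = audit()
    for vm, nic in result["vnics_on_mgmt"]:
        print(f"REMOVE: {vm} keeps {nic} on {MGMT_NETWORK}")
    if result["mgmt_is_vm_network"]:
        print(f"HARDEN: untick 'VM network' on {MGMT_NETWORK} so no VM can attach to it")
```

Point the three loaders at real API responses (or at the ovirtsdk4 objects' JSON) to run it against a live engine.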

Yes, you don't need ovirtmgmt on the VMs, and I think if you use passthrough it will pin it to the host; probably better to create a DMZ logical network and attach the hosts in the cluster to the DMZ VLAN, which will allow them to migrate and be set up for HA.
Regards,
Paul S.
________________________________
From: users-bounces@ovirt.org <users-bounces@ovirt.org> on behalf of Alona Kaplan <alkaplan@redhat.com>
Sent: 30 October 2017 09:50
To: Luca 'remix_tj' Lorenzetto
Cc: users
Subject: Re: [ovirt-users] ovirtmgmt network security

Hi Istvan,
I agree with Luca. You can remove nic1.
The 'ovirtmgmt' network is not mandatory on the VM; you can run the VM with no vNICs (virtual NICs) at all.
The 'ovirtmgmt' network is used for communication between the engine and the host.
Whether the VM is using the 'ovirtmgmt' network or not won't affect the management capabilities.
You said that the VM NIC with 'ovirtmgmt' was automatically added when you added the VM.
It is strange and shouldn't behave this way. Are you sure that in the add VM dialog you didn't choose it as the network of nic1? (You could leave this section in the dialog unfilled; it is not mandatory.)
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to the edit network dialog of 'ovirtmgmt' (in the Network main tab) and uncheck the 'VM network' checkbox.
Hope it helps you,
Alona.

On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca@gmail.com> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan@gmail.com> wrote:
Hello,
thank you for your patience in trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a CentOS server with IP 192.168.186.3
ovirt host is on a CentOS server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the VM, nic 1 was automatically added and is linked to the ovirtmgmt network. In the VM nic1 becomes eth0 and was assigned an IP address with DHCP 192.168.186.167.
After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it IP 192.186.188.4. That device is directly connected to my physical DMZ switch and from there to the firewall. This part is OK.
My problem is that through eth0 my VM has access to my internal network. Removing the device seems impossible because this is the ovirtmgmt network. I cannot change or remove the IP of my host because it would not be reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.
Luca
--
"It is absurd to employ men of excellent intelligence to do calculations that could be entrusted to anyone if machines were used"
Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
"The Internet is the world's largest library. But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenzetto.luca@gmail.com>

On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan <alkaplan@redhat.com> wrote:
Hi Istvan,
I agree with Luca. You can remove nic1. The 'ovirtmgmt' network is not mandatory on the VM; you can run the VM with no vNICs (virtual NICs) at all. The 'ovirtmgmt' network is used for communication between the engine and the host. Whether the VM is using the 'ovirtmgmt' network or not won't affect the management capabilities.
You said that the VM NIC with 'ovirtmgmt' was automatically added when you added the VM. It is strange and shouldn't behave this way. Are you sure that in the add VM dialog you didn't choose it as the network of nic1? (You could leave this section in the dialog unfilled; it is not mandatory.)
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to the edit network dialog of 'ovirtmgmt' (in the Network main tab) and uncheck the 'VM network' checkbox.
Hope it helps you,
Alona.
Hi Alona,
Yes, removing nic1 was the solution I was looking for.
You are right, I probably added nic1 during the creation of the VM. This is my first ovirt install and I'm a little bit overwhelmed by all the details one has to know to create a system that is reliable and efficient. Fortunately, thanks to people like you and Luca, I'll be able to overcome the initial difficulties.
Istvan

On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca@gmail.com> wrote:
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1. As far as I can understand, you're directly communicating through DMZ.
Luca
--
"It is absurd to employ men of excellent intelligence to do calculations that could be entrusted to anyone if machines were used"
Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
"The Internet is the world's largest library. But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenzetto.luca@gmail.com>

Glad to hear it! You're welcome!

On 30 Oct 2017 9:13 PM, "Istvan Buki" <buki.istvan@gmail.com> wrote:
Hi Alona,
Yes, removing nic1 was the solution I was looking for.
You are right, I probably added nic1 during the creation of the VM. This is my first ovirt install and I'm a little bit overwhelmed by all the details one has to know to create a system that is reliable and efficient. Fortunately, thanks to people like you and Luca, I'll be able to overcome the initial difficulties.
Istvan

On 30 Oct 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.luca@gmail.com> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan@gmail.com> wrote:
Hello,
thank you for your patience in trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a CentOS server with IP 192.168.186.3
ovirt host is on a CentOS server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the VM, nic 1 was automatically added and is linked to the ovirtmgmt network. In the VM nic1 becomes eth0 and was assigned an IP address with DHCP 192.168.186.167.
After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it IP 192.186.188.4. That device is directly connected to my physical DMZ switch and from there to the firewall. This part is OK.
My problem is that through eth0 my VM has access to my internal network. Removing the device seems impossible because this is the ovirtmgmt network. I cannot change or remove the IP of my host because it would not be reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.

Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.

Hi Luca,
As I have only one VM in the DMZ currently, I assigned the NIC directly to the VM instead of creating a logical network, to get maximum performance and better security because only the VM can access that network interface. If one day I have to create another VM inside the DMZ I'll create a logical network and bind the NIC to that network instead of the VM.
OK, I removed nic1 and it looks good. The only interface left is the DMZ network and I can reach it through the firewall. :-)
Thank you so much for your help and patience.
Istvan
participants (4)
- Alona Kaplan
- Istvan Buki
- Luca 'remix_tj' Lorenzetto
- Staniforth, Paul