8:22 p.m.
Sorry,
But you didn't understood well what i've said.
If your host has no ip addresses on that network, you're not encountering
any risk because you've no access to that network at layer 3.
Removing ovirtmgmt is not possibile, that network is mandatory.
Luca
Il 27 ott 2017 1:36 PM, "Istvan Buki" <buki.istvan(a)gmail.com> ha scritto:
Hello,
I totally agree on the First part: IP set only on the VM.
For the ovirtmgmt access, if I understand correctly, I have to choose
between sécurity and ease of management of my VM but I can not have both.
Istvan
Le 26 oct. 2017 6:41 PM, "Luca 'remix_tj' Lorenzetto" <
lorenzetto.luca(a)gmail.com> a écrit :
Hello,
On the dmz Network you don't need any address configured on the host.
You set ip address only on the vm. If the vm gets compromised, its access
is limited only to DMZ Network.
There is no way for the attacker to gain access to ovirtmgmt if vm is not
configured to use it.
Luca
Il 26 ott 2017 6:32 PM, "Istvan Buki" <buki.istvan(a)gmail.com> ha scritto:
Hello ovirt experts,
I'm totally new to ovirt and trying to learn as fast as I can.So, please
bear with me and my possibly stupid questions.
Sorry if my questions have been answered already, but please point me to
the place where I can find the answers.
I've setup ovirt 4.1.6 and created a first VM that I want to expose in a
DMZ.
I attached a dedicated NIC to the VM using passthrough which is connected
to the DMZ network. This is all working as expected.
Now,I'm wondering what to do about the ovirtmgmt interface. Obviously, in
case the security of the VM is compromised and someone get unautorized
access to it I do not want the attacker to have access to my internal
network through the ovirtmgmt interface.
The most secure solution would be to remove that ovirtmgmt interface but
then I loose management functionalities.
Can you suggest the possible solutions to protect the ovirtmgmt network
from unwanted access?
Thanks for your answers
Istvan
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
10:45 a.m.
New subject: ovirtmgmt network security
Hello,
thank you for your patience for trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more
concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the
VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.
After that I added a host device to that VM using passthrough. This device
is called ens7 in the VM and I gave IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.
My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circle
with this problem and it makes me crazy.
Again than you for your help.
Istvan
On Fri, Oct 27, 2017 at 7:22 PM, Luca 'remix_tj' Lorenzetto <
lorenzetto.luca(a)gmail.com> wrote:
Sorry,
But you didn't understood well what i've said.
If your host has no ip addresses on that network, you're not encountering
any risk because you've no access to that network at layer 3.
Removing ovirtmgmt is not possibile, that network is mandatory.
Luca
Il 27 ott 2017 1:36 PM, "Istvan Buki" <buki.istvan(a)gmail.com> ha
scritto:
Hello,
I totally agree on the First part: IP set only on the VM.
For the ovirtmgmt access, if I understand correctly, I have to choose
between sécurity and ease of management of my VM but I can not have both.
Istvan
Le 26 oct. 2017 6:41 PM, "Luca 'remix_tj' Lorenzetto" <
lorenzetto.luca(a)gmail.com> a écrit :
Hello,
On the dmz Network you don't need any address configured on the host.
You set ip address only on the vm. If the vm gets compromised, its access
is limited only to DMZ Network.
There is no way for the attacker to gain access to ovirtmgmt if vm is not
configured to use it.
Luca
Il 26 ott 2017 6:32 PM, "Istvan Buki" <buki.istvan(a)gmail.com> ha
scritto:
> Hello ovirt experts,
>
> I'm totally new to ovirt and trying to learn as fast as I can.So, please
> bear with me and my possibly stupid questions.
> Sorry if my questions have been answered already, but please point me to
> the place where I can find the answers.
>
> I've setup ovirt 4.1.6 and created a first VM that I want to expose in a
> DMZ.
> I attached a dedicated NIC to the VM using passthrough which is connected
> to the DMZ network. This is all working as expected.
>
> Now,I'm wondering what to do about the ovirtmgmt interface. Obviously, in
> case the security of the VM is compromised and someone get unautorized
> access to it I do not want the attacker to have access to my internal
> network through the ovirtmgmt interface.
>
> The most secure solution would be to remove that ovirtmgmt interface but
> then I loose management functionalities.
> Can you suggest the possible solutions to protect the ovirtmgmt network
> from unwanted access?
>
> Thanks for your answers
>
> Istvan
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
12:26 p.m.
New subject: ovirtmgmt network security
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan(a)gmail.com> wrote:
Hello,
thank you for your patience for trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you more
concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created the
VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.
After that I added a host device to that VM using passthrough. This device
is called ens7 in the VM and I gave IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.
My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circle with
this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
As far as i can understand, you're directly communicating through DMZ.
Luca
--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
<lorenzetto.luca(a)gmail.com>
12:50 p.m.
New subject: ovirtmgmt network security
Hi Istvan,
I agree with Luca. You can remove nic1.
'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
vnics (vitrual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and
the host.
Whether the vm using the 'ovirtmgmt' network or not won't affect the
management capabilities.
You said that the vm nic with 'ovirtmgmt' was automatically added when you
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add
vm dialog you didn't choose it as the network of nic1? (you could leave
this section in the dialog unfilled, it is not mandatory).
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
uncheck the 'vm network' checkbox.
Hope it helps you,
Alona.
On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <
lorenzetto.luca(a)gmail.com> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki
<buki.istvan(a)gmail.com>
wrote:
> Hello,
>
> thank you for your patience for trying to let me see the light.
>
> Indeed I don't understand what you are explaining. Maybe if I give you
more
> concrete details it will help.
>
> My internal network is 192.168.196.0
> My DMZ network is 192.168.188.0
>
> ovirt-engine is running on a centos server with IP 192.168.186.3
> ovirt host is on a centos server with IP 192.168.186.4
>
> On the host I created a VM that I want to be in the DMZ. When I created
the
> VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> 192.168.186.167.
>
> After that I added a host device to that VM using passthrough. This
device
> is called ens7 in the VM and I gave IP 192.186.188.4.
> That device is directly connected to my physical DMZ switch and from
there
> to the firewall.
> This part is OK.
>
> My problem is that through eth0 my VM has access to my internal network.
> Removing the device seems impossible because this is ovirtmgmt network.
> I can not change or remove the IP of my host because it would not be
> reachable anymore on my internal network.
>
> Maybe the solution is obvious but I can't see it. I'm running in circle
with
> this problem and it makes me crazy.
>
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
As far as i can understand, you're directly communicating through DMZ.
Luca
--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
lorenzetto.luca(a)gmail.com>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:04 p.m.
New subject: ovirtmgmt network security
--_000_150938667850870226leedsbeckettacuk_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Yes you don't need ovirtmgmt on the VMs and I think if you use passthrough =
it will pin it to the host, probably better to create a DMZ logical network=
and attach the hosts in the cluster to the DMZ VLAN which will allow them =
to migrate and be setup for HA.
Regards,
Paul S.
________________________________
From: users-bounces(a)ovirt.org <users-bounces(a)ovirt.org> on behalf of Alona =
Kaplan <alkaplan(a)redhat.com Sent: 30 October 2017 09:50
To: Luca 'remix_tj' Lorenzetto
Cc: users
Subject: Re: [ovirt-users] ovirtmgmt network security
Hi Istvan,
I agree with Luca. You can remove nic1.
'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no =
vnics (vitrual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and th=
e host.
Whether the vm using the 'ovirtmgmt' network or not won't affect the manage=
ment capabilities.
You said that the vm nic with 'ovirtmgmt' was automatically added when you =
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add v=
m dialog you didn't choose it as the network of nic1? (you could leave this=
section in the dialog unfilled, it is not mandatory).
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to =
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and unchec=
k the 'vm network' checkbox.
Hope it helps you,
Alona.
On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <lorenzetto.lu=
ca@gmail.com<mailto:lorenzetto.luca@gmail.com>> wrote:
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan@gmail.com<mailto:=
buki.istvan(a)gmail.com>> wrote:
_______________________________________________
Users mailing list
Users@ovirt.org<mailto:Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html
--_000_150938667850870226leedsbeckettacuk_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html <head <meta http-equiv=3D"Content-Type"
content=3D"text/html; charset=3Diso-8859-=
1" <style type=3D"text/css"
style=3D"display:none"><!--P{margin-top:0;margin-b=
ottom:0;} --></style </head <body dir=3D"ltr"
style=3D"font-size:12pt;color:#000000;background-color:#F=
FFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"
<p>Yes you don't need ovirtmgmt on the VMs and I think if you use
passthrou=
gh it will pin it to the host,
probably better to&=
nbsp;create a DMZ
logical network and attach the h=
osts in the cluster to the DMZ VLAN which will allow
th=
em to migrate and be setup for HA.</p
<p><br </p
<p>Regards,</p <p>
Paul S.
<br=
</p <div style=3D"color: rgb(33,
33, 33);" <hr tabindex=3D"-1"
style=3D"display:inline-block; width:98%" <div
id=3D"divRplyFwdMsg" dir=3D"ltr"><font
style=3D"font-size:11pt" face=
=3D"Calibri, sans-serif" color=3D"#000000"><b>From:</b>
users-bounces@ovirt=
.org &lt;users-bounces(a)ovirt.org&gt; on behalf of Alona Kaplan <alkaplan=
@redhat.com><br <b>Sent:</b> 30 October
2017 09:50<br <b>To:</b> Luca
'remix_tj' Lorenzetto<br
<b>Cc:</b> users<br
<b>Subject:</b> Re: [ovirt-users] ovirtmgmt network
security</font <div> </div </div
<div <div dir=3D"ltr" <div <div
<div <div
<div <div>Hi Istvan,<br <br </div I agree with Luca. You can remove nic1.<br 'ovirtmgmt' network is not mandatory on the vm, you can
run the vm with no =
vnics (vitrual nics) at all.<br </div The 'ovirtmgmt' network is used for communication
between the engine and th=
e host.<br </div Whether the vm using the 'ovirtmgmt' network or not
won't affect the manage=
ment capabilities.<br <br
</div You said that the vm nic with
'ovirtmgmt' was automatically added when you =
added the vm.<br </div It is strange and shouldn't behave this way. Are you sure
that in the add v=
m dialog you didn't choose it as the network of nic1? (you could leave this=
section in the dialog unfilled, it is not mandatory).<br
<br </div BTW, if you don't want any VM to use the
'ovirtmgmt' network you can go to =
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and unchec=
k the 'vm network' checkbox.<br
<div <div
<div><br </div <div>Hope it helps you,<br </div
<div>Alona.<br </div </div
</div </div <div class=3D"gmail_extra"><br <div class=3D"gmail_quote">On Mon, Oct 30, 2017
at 11:26 AM, Luca 'remix_tj=
' Lorenzetto
<span dir=3D"ltr"><<a
href=3D"mailto:lorenzetto.luca@gmail.com" target=
=3D"_blank">lorenzetto.luca(a)gmail.com</a>&gt;</span>
wrote:<br <blockquote
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex; border-left:1=
px #ccc solid; padding-left:1ex" <span
class=3D"">On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <<a href=
=3D"mailto:buki.istvan@gmail.com">buki.istvan@gmail.com</a>>
wrote:<br > Hello,<br ><br >
thank you for your patience for trying to let me see the light.<br ><br >
Indeed I don't understand what you are explaining. Maybe if I give you=
more<br > concrete details it will
help.<br ><br > My internal network is 192.168.196.0<br > My DMZ network is 192.168.188.0<br ><br >
ovirt-engine is running on a centos server with IP 192.168.186.3<br > ovirt host is on a centos server with IP
192.168.186.4<br ><br > On the host I created a VM that I want to be in the
DMZ. When I create=
d the<br > VM, nic 1 was automatically
added and is linked to the ovirtmgmt netwo=
rk.<br > In the VM nic1 becomes eth0
and was assigned an IP address with DHCP<b=
r > 192.168.186.167.<br
><br > After that I added a host
device to that VM using passthrough. This de=
vice<br > is called ens7 in the VM
and I gave IP 192.186.188.4.<br > That device is directly
connected to my physical DMZ switch and from t=
here<br > to the firewall.<br > This part is OK.<br
><br > My problem is that through
eth0 my VM has access to my internal networ=
k.<br > Removing the device seems
impossible because this is ovirtmgmt network=
.<br > I can not change or remove the IP of my host because
it would not be<b=
r > reachable anymore on my internal network.<br ><br >
Maybe the solution is obvious but I can't see it. I'm running in circl=
e with<br > this problem and it makes
me crazy.<br ><br <br <br
<br </span>Hi Istvan,<br <br why are you using device
passthrough?<br <br Anyway.
If you don't need the VM to access to ovirtmgmt, remove nic1.<br As far as i can understand, you're directly communicating
through DMZ.<br <span
class=3D"HOEnZb"><font color=3D"#888888"><br Luca<br
<br <br
--<br "E' assurdo impiegare
gli uomini di intelligenza eccellente per fare<b=
r calcoli che potrebbero essere affidati a chiunque se si
usassero delle<br macchine"<br Gottfried Wilhelm von Leibnitz, Filosofo e Matematico
(1646-1716)<br <br
"Internet =E8 la pi=F9 grande biblioteca del mondo.<br Ma il problema =E8 che i libri sono tutti sparsi sul
pavimento"<br John Allen Paulos, Matematico
(1945-vivente)<br <br Luca
'remix_tj' Lorenzetto, <a href=3D"http://www.remixtj.net"
rel=3D"noref=
errer" target=3D"_blank"
http://www.remixtj.net</a> , <<a
href=3D"mailto:lorenzetto.luca@gmail.co=
m">lorenzetto.luca(a)gmail.com</a>&gt;<br
</font></span <div
class=3D"HOEnZb" <div
class=3D"h5">______________________________<wbr>_________________<br Users mailing list<br <a
href=3D"mailto:Users@ovirt.org">Users@ovirt.org</a><br <a
href=3D"http://lists.ovirt.org/mailman/listinfo/users" rel=3D"noreferrer=
"
target=3D"_blank">http://lists.ovirt.org/<wbr>mailman/...
br </div
</div </blockquote </div
<br </div </div
</div To view the terms under which this
email is distributed, please go to:- <br=
<a
href=3D"http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html"=
target=3D"_blank">http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaim=
er.html</a <p></p </body
</html
--_000_150938667850870226leedsbeckettacuk_--
Hello,
thank you for your patience for trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you mo=
re
concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created t=
he
VM, nic 1 was automatically added and is linked to the ovirtmgmt
network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.
After that I added a host device to that VM using passthrough. This devic=
e
is called ens7 in the VM and I gave IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from ther=
e
to the firewall.
This part is OK.
My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circle w=
ith
this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
As far as i can understand, you're directly communicating through DMZ.
Luca
--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
"Internet =E8 la pi=F9 grande biblioteca del mondo.
Ma il problema =E8 che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenzetto.luca@gmail=
.com<mailto:lorenzetto.luca@gmail.com>
11:13 p.m.
New subject: ovirtmgmt network security
On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan <alkaplan(a)redhat.com> wrote:
Hi Istvan,
I agree with Luca. You can remove nic1.
'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
vnics (vitrual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and
the host.
Whether the vm using the 'ovirtmgmt' network or not won't affect the
management capabilities.
You said that the vm nic with 'ovirtmgmt' was automatically added when you
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add
vm dialog you didn't choose it as the network of nic1? (you could leave
this section in the dialog unfilled, it is not mandatory).
BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
uncheck the 'vm network' checkbox.
Hope it helps you,
Alona.
Hi Alona,
Yes, removing nic1 was the solution I was looking for.
You are right, I probably added nic1 during the creation of the VM. This is
my first ovirt install and I'm a little bit overwhelmed by all the details
one has to know to create a system that is reliable and efficient.
Fortunately, thanks to people like you and Luca, I'll be able to overcome
the initial difficulties.
Istvan
On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <
lorenzetto.luca(a)gmail.com> wrote:
> On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan(a)gmail.com>
> wrote:
> > Hello,
> >
> > thank you for your patience for trying to let me see the light.
> >
> > Indeed I don't understand what you are explaining. Maybe if I give you
> more
> > concrete details it will help.
> >
> > My internal network is 192.168.196.0
> > My DMZ network is 192.168.188.0
> >
> > ovirt-engine is running on a centos server with IP 192.168.186.3
> > ovirt host is on a centos server with IP 192.168.186.4
> >
> > On the host I created a VM that I want to be in the DMZ. When I created
> the
> > VM, nic 1 was automatically added and is linked to the ovirtmgmt
> network.
> > In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> > 192.168.186.167.
> >
> > After that I added a host device to that VM using passthrough. This
> device
> > is called ens7 in the VM and I gave IP 192.186.188.4.
> > That device is directly connected to my physical DMZ switch and from
> there
> > to the firewall.
> > This part is OK.
> >
> > My problem is that through eth0 my VM has access to my internal network.
> > Removing the device seems impossible because this is ovirtmgmt network.
> > I can not change or remove the IP of my host because it would not be
> > reachable anymore on my internal network.
> >
> > Maybe the solution is obvious but I can't see it. I'm running in circle
> with
> > this problem and it makes me crazy.
> >
>
>
>
> Hi Istvan,
>
> why are you using device passthrough?
>
> Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
> As far as i can understand, you're directly communicating through DMZ.
>
> Luca
>
>
> --
> "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
> calcoli che potrebbero essere affidati a chiunque se si usassero delle
> macchine"
> Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
>
> "Internet è la più grande biblioteca del mondo.
> Ma il problema è che i libri sono tutti sparsi sul pavimento"
> John Allen Paulos, Matematico (1945-vivente)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
> lorenzetto.luca(a)gmail.com>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
11:27 p.m.
New subject: ovirtmgmt network security
Glad to hear it!
You're welcome!
Il 30 ott 2017 9:13 PM, "Istvan Buki" <buki.istvan(a)gmail.com> ha scritto:
On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan
<alkaplan(a)redhat.com>
wrote:
> Hi Istvan,
>
> I agree with Luca. You can remove nic1.
> 'ovirtmgmt' network is not mandatory on the vm, you can run the vm with
> no vnics (vitrual nics) at all.
> The 'ovirtmgmt' network is used for communication between the engine and
> the host.
> Whether the vm using the 'ovirtmgmt' network or not won't affect the
> management capabilities.
>
> You said that the vm nic with 'ovirtmgmt' was automatically added when
> you added the vm.
> It is strange and shouldn't behave this way. Are you sure that in the add
> vm dialog you didn't choose it as the network of nic1? (you could leave
> this section in the dialog unfilled, it is not mandatory).
>
> BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go
> to the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
> uncheck the 'vm network' checkbox.
>
> Hope it helps you,
> Alona.
>
>
Hi Alona,
Yes, removing nic1 was the solution I was looking for.
You are right, I probably added nic1 during the creation of the VM. This
is my first ovirt install and I'm a little bit overwhelmed by all the
details one has to know to create a system that is reliable and efficient.
Fortunately, thanks to people like you and Luca, I'll be able to overcome
the initial difficulties.
Istvan
On Mon, Oct 30, 2017 at 11:26 AM, Luca 'remix_tj' Lorenzetto <
> lorenzetto.luca(a)gmail.com> wrote:
>
>> On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan(a)gmail.com>
>> wrote:
>> > Hello,
>> >
>> > thank you for your patience for trying to let me see the light.
>> >
>> > Indeed I don't understand what you are explaining. Maybe if I give you
>> more
>> > concrete details it will help.
>> >
>> > My internal network is 192.168.196.0
>> > My DMZ network is 192.168.188.0
>> >
>> > ovirt-engine is running on a centos server with IP 192.168.186.3
>> > ovirt host is on a centos server with IP 192.168.186.4
>> >
>> > On the host I created a VM that I want to be in the DMZ. When I
>> created the
>> > VM, nic 1 was automatically added and is linked to the ovirtmgmt
>> network.
>> > In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
>> > 192.168.186.167.
>> >
>> > After that I added a host device to that VM using passthrough. This
>> device
>> > is called ens7 in the VM and I gave IP 192.186.188.4.
>> > That device is directly connected to my physical DMZ switch and from
>> there
>> > to the firewall.
>> > This part is OK.
>> >
>> > My problem is that through eth0 my VM has access to my internal
>> network.
>> > Removing the device seems impossible because this is ovirtmgmt network.
>> > I can not change or remove the IP of my host because it would not be
>> > reachable anymore on my internal network.
>> >
>> > Maybe the solution is obvious but I can't see it. I'm running in
>> circle with
>> > this problem and it makes me crazy.
>> >
>>
>>
>>
>> Hi Istvan,
>>
>> why are you using device passthrough?
>>
>> Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
>> As far as i can understand, you're directly communicating through DMZ.
>>
>> Luca
>>
>>
>> --
>> "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
>> calcoli che potrebbero essere affidati a chiunque se si usassero delle
>> macchine"
>> Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
>>
>> "Internet è la più grande biblioteca del mondo.
>> Ma il problema è che i libri sono tutti sparsi sul pavimento"
>> John Allen Paulos, Matematico (1945-vivente)
>>
>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
>> lorenzetto.luca(a)gmail.com>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
11:03 p.m.
New subject: ovirtmgmt network security
Le 30 oct. 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <
lorenzetto.luca(a)gmail.com> a écrit :
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki <buki.istvan(a)gmail.com> wrote:
Hello,
thank you for your patience for trying to let me see the light.
Indeed I don't understand what you are explaining. Maybe if I give you
more
concrete details it will help.
My internal network is 192.168.196.0
My DMZ network is 192.168.188.0
ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4
On the host I created a VM that I want to be in the DMZ. When I created
the
VM, nic 1 was automatically added and is linked to the ovirtmgmt
network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.
After that I added a host device to that VM using passthrough. This device
is called ens7 in the VM and I gave IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.
My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.
Maybe the solution is obvious but I can't see it. I'm running in circle
with
this problem and it makes me crazy.
Hi Istvan,
why are you using device passthrough?
Anyway. If you don't need the VM to access to ovirtmgmt, remove nic1.
As far as i can understand, you're directly communicating through DMZ.
Hi Luca,
As I have only one VM in the DMZ currently I assigned the NIC directly to
the VM instead of creating a logical network to get maximum performance and
better security because only the VM can access that network interface. If
one day I have to create another VM inside DMZ I'll create a logical
network and bind the NIC to that network instead of the VM.
OK, I removed nic1 and it looks good. The only interface left is the DMZ
network and I can reach it through the firewall. :-)
Thanks you so much for your help and patience.
Istvan
2580
days inactive
2583
days old
7 comments
4 participants
participants (4)
-
Alona Kaplan -
Istvan Buki -
Luca 'remix_tj' Lorenzetto -
Staniforth, Paul