[Openais] Two questions; Intro to AIS? and TOTEM errors in fence loop
linux at alteeve.com
Tue Nov 3 05:31:41 PST 2009
Darren Thompson wrote:
> Madison et al (sorry I did not realise Kelly was
> your surname ;-)
> To provide increased protection for you Dom0s, what you can do is
> configure the last bridge (br2) (e.g. the one that your VM will be
> attaching to), as a "bind bridge".
> By that I mean remove the IP address from the ethernet port and the
> Bridge. The bridge is a layer 2 device so does not need an IP address to
> function and it adds one more layer of isolation between the Internet
> and your Dom0 servers.
> I currently use this style for some Internet facing servers myself and
> so far (touch wood) no one has yet managed to comprise any of my Dom0
> servers, and I'm sure that brighter minds than mine have tried... :-)
> The down side of that is that the VM's will not be able to communicate
> with the Dom0 servers (except through an external router/firewall). You
> can still access the VMs consoles through 'virt-manager' as it sets up
> some sort of VNC proxy port.
> I hope this helps
No worries about the name, I've gotten used to answering both Madi and
I think I am doing the same thing, if I understand what you are
suggesting. Being that peth2 is polluted with the internet, dom0's eth2
has no IP (nor the bridge). The only device with IPs on the
Internet-facing bridge is my firewall's 'eth1' (connected to xenbr2).
Then a firewall protects connections to all other VMs, inc. dom0s. Is
this this indeed what you are doing?
I've not worried about direct access because, should anything go very
wrong, I can always log into the office's internal network and get at
the nodes via IPMI.
Anywho, if I misunderstood, let me know. If I am doing the same, then
cool. As they say, geniuses think alike and fools seldom differ. :D
More information about the Openais