[Openais] Two questions; Intro to AIS? and TOTEM errors in fence loop
Madison Kelly
linux at alteeve.com
Tue Nov 3 05:31:41 PST 2009
Darren Thompson wrote:
> Madison et al (sorry I did not realise Kelly was
> your surname ;-)
>
> To provide increased protection for your Dom0s, what you can do is
> configure the last bridge (br2) (e.g. the one that your VM will be
> attaching to), as a "bind bridge".
>
> By that I mean remove the IP address from the ethernet port and the
> Bridge. The bridge is a layer 2 device so does not need an IP address to
> function and it adds one more layer of isolation between the Internet
> and your Dom0 servers.
>
> I currently use this style for some Internet facing servers myself and
> so far (touch wood) no one has yet managed to compromise any of my Dom0
> servers, and I'm sure that brighter minds than mine have tried... :-)
>
> The down side of that is that the VMs will not be able to communicate
> with the Dom0 servers (except through an external router/firewall). You
> can still access the VMs' consoles through 'virt-manager' as it sets up
> some sort of VNC proxy port.
>
> Again
>
> I hope this helps
>
> Darren
No worries about the name, I've gotten used to answering both Madi and
Kelly. :P
I think I am doing the same thing, if I understand what you are
suggesting. Being that peth2 is polluted with the internet, dom0's eth2
has no IP (nor the bridge). The only device with IPs on the
Internet-facing bridge is my firewall's 'eth1' (connected to xenbr2).
Then a firewall protects connections to all other VMs, inc. dom0s. Is
this indeed what you are doing?
I've not worried about direct access because, should anything go very
wrong, I can always log into the office's internal network and get at
the nodes via IPMI.
Anywho, if I misunderstood, let me know. If I am doing the same, then
cool. As they say, geniuses think alike and fools seldom differ. :D
Cheers!
Madi
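An added audit for the layout both posters describe (this is not code from either of them): confirm that the Internet-facing bridge and its physical port carry no routable address. The interface names xenbr2 and peth2 come from the thread; the `ip -o addr` output is a constructed sample so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. check_no_ip FILE IFACE... returns 0
# when none of the named interfaces has a global-scope address in FILE
# (the saved output of `ip -o addr`), 1 otherwise, naming each offender.
# IPv6 link-local (fe80::/10, "scope link") is ignored on purpose: every
# interface that is up gets one, and it is not reachable from the Internet.
# Real use on a dom0:  ip -o addr > /tmp/addr.txt; check_no_ip /tmp/addr.txt xenbr2 peth2
check_no_ip() {
    out=$1; shift
    rc=0
    for ifn in "$@"; do
        # $2 is the interface name in `ip -o addr` output
        if awk -v ifn="$ifn" '$2 == ifn && /scope global/ { found = 1 }
                              END { exit (found ? 0 : 1) }' "$out"; then
            printf 'WARN: %s still has a routable address\n' "$ifn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: dom0 where xenbr2 and peth2 have been stripped of IPs;
# only the management interface eth0 keeps an address.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
5: peth2    inet6 fe80::1/64 scope link
6: xenbr2    inet6 fe80::2/64 scope link
EOF

# Constructed sample: same host, but an address was left on the bridge.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
5: peth2    inet6 fe80::1/64 scope link
6: xenbr2    inet 203.0.113.5/24 brd 203.0.113.255 scope global xenbr2
EOF

if check_no_ip "$GOOD" xenbr2 peth2; then echo "sample 1: bridge is IP-less"; fi
check_no_ip "$BAD" xenbr2 peth2 || echo "sample 2: bridge still needs fixing"
```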