Message from Olivier BATARD <firstname.lastname@example.org>:
> We're trying to build a vserver infrastructure on Debian Lenny with
> following parameter :
> OS :
> - One host with the kernel 2.6.26 / Debian lenny
> with the debian tools
Using the Lenny kernel is not a good idea.
> - 3 guests, each one runs on a logical volume in reiserfs
> Network :
> - 2 Vlan, one for the the lan, one for the dmz
> - some guests' IPs are on the dmz, some on the lan
> - on the hosts we have an /etc/interface with two interfaces with bonding
> (balance-rr mode)
> - Vlans have been set up in the network configuration, each guest interface
> has bond0.vlan as device.
> Here's my problem,
> On a dmz guest, when I run "ip route show", I see the routes of the host, so
> a route to the lan ...
> which is not good for security ...
Linux-VServer doesn't virtualize the network layer, so all the routes
are seen by all the guests.
I think it's not really a problem. You can use iptables on the host
side to isolate your networks.
> What is the best solution to isolate the guests and control routing? I
> googled it and I found some answers using ip route with an alternate
> table ...
Sure. I use 802.1Q VLANs and alternate routing tables.
> Is it the best and easiest solution now?
In my opinion, it is the simplest and cleanest way to do that.
> How can I set that up correctly in Debian?
The solution is not specific to Debian.
# 802.1Q VLAN 7 on eth0 -> device eth0.7
vconfig add eth0 7
# traffic sourced from the VLAN's network is looked up in table 7
ip rule add from 10.7.0.0/16 table 7
ip route add 10.7.0.0/16 dev eth0.7 table 7
ip route add default via 10.7.0.1 table 7
# util-vserver interface 0 of guest vs_7: device and address inside 10.7.0.0/16
echo eth0.7 > /etc/vservers/vs_7/interfaces/0/dev
echo 10.7.0.2 > /etc/vservers/vs_7/interfaces/0/ip
Google => "presentation-vserver.odp" for the full example.
But the author has forgotten two details:
- a routing table can be enabled only when at least one IP is available
on the matching network
- you must force "automatic promotion of secondary addresses to primary"
In fact, I wrote a script that handles routes during the start sequence
of the VServers.
An example is available here:
You can get some ideas here for firewalling:
My old ugly scripts are available here:
> Thanks in advance ...
--
Laurent Spagnol
Linux system administrator
CRI - Université de Reims
Campus du Moulin de la Housse
BP 1039 - 51687 Reims cedex 2
Tel: 03.26.91.88.32 Fax: 03.26.91.31.87

Received on Tue Jan 12 22:56:44 2010
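The steps in the reply (VLAN, source-based rule, alternate table, util-vserver interface files) collected into one POSIX shell helper, as an added example: this is not Laurent's script, which the mail only links to, and it is not code from the util-vserver project. It uses the reply's own values (eth0, VLAN 7, 10.7.0.0/16, gateway 10.7.0.1, guest vs_7 at 10.7.0.2) as the sample input. Assumptions beyond the mail: the VLAN id doubles as the routing-table number, an interfaces/0/prefix file is written next to dev and ip, and "promotion of secondary addresses" is forced through the net.ipv4.conf.all.promote_secondaries sysctl. It goes a little beyond the mail by refusing a guest address or gateway outside the VLAN's network, and by only printing the commands unless RUN=1, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the script linked in the mail): bring up an 802.1Q VLAN,
# a per-VLAN routing table selected by source address, and the util-vserver
# interface files for one guest. Names and values are hypothetical.
# Commands are printed unless RUN=1 is set, so the logic can be checked
# without root; with RUN=1 they are executed on the host.

run() {                        # execute or echo a command
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

put() {                        # put VALUE FILE: write a one-line config file
    if [ "${RUN:-0}" = 1 ]; then printf '%s\n' "$1" > "$2"
    else printf 'echo %s > %s\n' "$1" "$2"; fi
}

ip_to_int() {                  # dotted-quad IPv4 -> integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_net() {                     # in_net IP NETADDR PREFIXLEN: true if IP lies inside the network
    a=$(ip_to_int "$1"); n=$(ip_to_int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# setup_guest_vlan PARENT VLANID NET/PREFIX GATEWAY GUEST GUESTIP
setup_guest_vlan() {
    parent=$1 vid=$2 net=$3 gw=$4 guest=$5 gip=$6
    dev=$parent.$vid
    table=$vid                 # assumption: VLAN id reused as table number
    netaddr=${net%/*} plen=${net#*/}

    # The routes in table N only carry traffic once an address on that
    # network exists on the host, so refuse a guest address or gateway
    # outside it instead of installing a table that never matches.
    for addr in "$gip" "$gw"; do
        in_net "$addr" "$netaddr" "$plen" ||
            { echo "$addr is not inside $net" >&2; return 1; }
    done

    # Several guests on one VLAN share the device. Without promotion,
    # deleting the primary address (first guest stopped) also removes every
    # secondary address on that subnet, and with them the connected route.
    run sysctl -w net.ipv4.conf.all.promote_secondaries=1

    run vconfig add "$parent" "$vid"   # or: ip link add link $parent name $dev type vlan id $vid
    run ip link set "$dev" up
    run ip rule add from "$net" table "$table"        # source-based table selection
    run ip route add "$net" dev "$dev" table "$table"
    run ip route add default via "$gw" table "$table"

    d=/etc/vservers/$guest/interfaces/0
    run mkdir -p "$d"
    put "$dev" "$d/dev"
    put "$gip" "$d/ip"
    put "$plen" "$d/prefix"    # assumption: prefix file alongside dev and ip
}

# Usage: RUN=1 ./vlan-guest.sh eth0 7 10.7.0.0/16 10.7.0.1 vs_7 10.7.0.2
if [ $# -ge 6 ]; then setup_guest_vlan "$@"; fi
```

Run it once per VLAN and guest; with RUN unset it prints the exact command list the reply gives (plus the sysctl and the link-up), which is a convenient way to diff the intended state against `ip rule` and `ip route show table 7` on the host.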