[colug-432] Cloud-based nested virtualization or other "wrapping" alternatives

Jeff Frontz jeff.frontz at gmail.com
Tue Jun 21 15:40:16 EDT 2016

On Tue, Jun 21, 2016 at 2:41 PM, Roberto C. Sánchez <roberto at connexer.com>

> On Tue, Jun 21, 2016 at 02:24:58PM -0400, Jeff Frontz wrote:
> >
> >    do the processor primitives that support virtualization allow too much
> >    access to the physical hardware, and thus they're not exposed to the
> >    hosted/top-level instance?
> >
> I did do some research and found this Xen wiki page:
> http://wiki.xen.org/wiki/Nested_Virtualization_in_Xen
> The highlighted warning near the bottom of the page makes it clear that even
> having nested virtualization enabled would be a danger to the admin of
> the top-level host.

OK, thanks -- that's what I suspected.  I'm guessing that processors would
have needed to be designed with nested virtualization in mind (which, as
I'm finding, is way too nichey).

On your other suggestion -- I've been toying with that, but haven't found
any big-name (or not-so-big-name but US-based) providers that offer a true
private VLAN between a client-controllable subset of hosted instances.
Linode offers a VLAN (with an unroutable IP range), but the network is
common to all of their clients' hosted instances at a location (which gets
me back to relying on the legacy distro/kernel for its own security --
where I am now).  My searching also yielded something called "vRack"
offered by OVH (who doesn't seem to have a footprint in the US) and
references to "Private VLAN" (again, by providers that seem to be
euro-centric -- gandi, elastichosts, Rackulus -- or small -- servernorth).
Are there any well-known (or personally well-regarded) providers that offer
a truly "private VLAN"?
