[colug-432] Cloud-based nested virtualization or other "wrapping" alternatives

Tom Hanlon tom at functionalmedia.com
Tue Jun 21 16:55:09 EDT 2016


I have run OpenStack on OpenStack. For training we launch a Rackspace VM,
install OpenStack on that VM, and launch instances inside that host.

So we have
host1>hostA>hardware

You would expose the inner host to exploit if you gave it a routable
network. If you put host1 on a host-only network and gave hostA some public
route, I think you would have what you are looking for.

Maybe better labels would be
legacyhost>modernhost>hardware

This thread wandered into containers, but speaking only of VMs, what is the
problem with this approach?

Also, it was a management disaster, but I believe I ran classes for a
stretch that had the users' laptops run VMs, and within those VMs we ran
VMs. In that case I think we had public IPs in the nested instances.

--
Tom


On Tue, Jun 21, 2016 at 3:40 PM, Jeff Frontz <jeff.frontz at gmail.com> wrote:

>
>
> On Tue, Jun 21, 2016 at 2:41 PM, Roberto C. Sánchez <roberto at connexer.com>
> wrote:
>
>> On Tue, Jun 21, 2016 at 02:24:58PM -0400, Jeff Frontz wrote:
>> >
>> >    do the processor primitives that support virtualization allow too much
>> >    access to the physical hardware, and thus they're not exposed to the
>> >    hosted/top-level instance?
>> >
>>
>> I did do some research and found this Xen wiki page:
>>
>> http://wiki.xen.org/wiki/Nested_Virtualization_in_Xen
>>
>> The highlighted warning near the bottom of the page makes it clear that
>> even having nested virtualization enabled would be a danger to the admin
>> of the top-level host.
>
>
> OK, thanks -- that's what I suspected.  I'm guessing that processors would
> have needed to be designed with nested virtualization in mind (which, as
> I'm finding, is way too nichey).
>
> On your other suggestion -- I've been toying with that, but haven't found
> any big-name (or not-so-big-name but US-based) providers that offer a true
> private VLAN between a client-controllable subset of hosted instances.
> Linode offers a VLAN (with an unroutable IP range), but the network is
> common to all of their clients' hosted instances at a location (which gets
> me back to relying on the legacy distro/kernel for its own security --
> where I am now).  My searching also yielded something called "vRack"
> offered by OVH (who doesn't seem to have a footprint in the US) and
> references to "Private VLAN" (again, by providers that seem to be
> Euro-centric -- gandi, elastichosts, Rackulus -- or small -- servernorth).
> Are there any well-known (or personally well-regarded) providers that offer
> a truly "private VLAN"?
>
>
> Thanks,
> Jeff
>
>
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>
>
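As an added illustration of the host-only arrangement Tom suggests for the inner legacy host (this is not code from the thread, and it assumes the outer host runs KVM/libvirt rather than the OpenStack setup described), here is a libvirt network definition: a `<network>` with no `<forward>` element is isolated, so libvirt builds a bridge that the outer host and guests on it can reach, but nothing is NATed or routed beyond it. The network and bridge names and the address range are my own choices.

```xml
<!-- Added example (not from the thread): an isolated libvirt network for the
     inner "legacyhost". With no <forward> element libvirt creates a bridge
     with no NAT and no routing off the host, so only the outer host
     (modernhost) and other guests attached here can talk to the legacy host
     and to the VMs it nests. -->
<network>
  <name>legacy-hostonly</name>
  <!-- Bridge name is an assumption; libvirt creates it on the outer host. -->
  <bridge name="virbr-legacy" stp="on" delay="0"/>
  <!-- Private address range; the outer host owns .1 on this bridge. -->
  <ip address="192.168.100.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.100.10" end="192.168.100.50"/>
    </dhcp>
  </ip>
</network>
```

Load it with `virsh net-define` and `virsh net-start`, then give the legacyhost domain a single `<interface type="network">` whose `<source network="legacy-hostonly"/>` points here, leaving the public-facing interface on the outer host only. Anything the legacy host nests is then reachable from outside only by first going through the outer host, which is the exposure boundary the thread is after.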