[colug-432] Cloud-based nested virtualization or other "wrapping" alternatives

Tom Hanlon tom at functionalmedia.com
Tue Jun 21 16:55:09 EDT 2016

I have run openstack on openstack. For training we launch a rackspace VM,
and install openstack on that VM and launch instances inside that host.

So we have

You would expose the inner host to exploit if you gave it a routable
network. If you made host1 host only network and hostA with some public
route I think you would have what you are looking for.

Maybe better labels would be

This thread wandered into containers, but speaking only of VMs, what is the
problem with this approach?

Also, it was a management disaster, but I believe I ran classes for a
stretch that had the users' laptops run VMs, and within those VMs we ran
VMs. In that case I think we had public IPs in the nested instances.


On Tue, Jun 21, 2016 at 3:40 PM, Jeff Frontz <jeff.frontz at gmail.com> wrote:

> On Tue, Jun 21, 2016 at 2:41 PM, Roberto C. Sánchez <roberto at connexer.com>
> wrote:
>> On Tue, Jun 21, 2016 at 02:24:58PM -0400, Jeff Frontz wrote:
>> > do the processor primitives that support virtualization allow too much
>> > access to the physical hardware, and thus they're not exposed to the
>> > hosted/top-level instance?
>> I did do some research and found this Xen wiki page:
>> http://wiki.xen.org/wiki/Nested_Virtualization_in_Xen
>> The highlighted warning near the bottom of the page makes it clear that even
>> having nested virtualization enabled would be a danger to the admin of
>> the top-level host.
> OK, thanks -- that's what I suspected.  I'm guessing that processors would
> have needed to be designed with nested virtualization in mind (which, as
> I'm finding, is way too nichey).
> On your other suggestion-- I've been toying with that, but haven't found
> any big-name (or not-so-big-name but US-based) providers that offer a true
> private VLAN between a client-controllable subset of hosted instances.
> Linode offers a VLAN (with an unroutable IP range), but the network is
> common to all of their clients' hosted instances at a location (which gets
> me back to relying on the legacy distro/kernel for its own security --
> where I am now).  My searching also yielded something called "vRack"
> offered by OVH (who doesn't seem to have a footprint in the US) and
> references to "Private VLAN" (again, by providers that seem to be
> euro-centric -- gandi, elastichosts, Rackulus -- or small -- servernorth).
> Are there any well-known (or personally well-regarded) providers that offer
> a truly "private VLAN"?
> Thanks,
> Jeff
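Tom's point above is that the inner (nested) host should sit on a host-only network while only the outer host gets a routable path. The following is an added example, not code from this thread or from any of the projects it names; it assumes the nested host is attached to libvirt-style network definitions (the thread itself mentions Rackspace and OpenStack, not libvirt) and checks each definition for a `<forward>` element, which is what would give guests a path beyond the host.

```python
import xml.etree.ElementTree as ET

# Constructed sample libvirt network definitions (assumption: the inner
# OpenStack host is a libvirt/KVM guest; the thread names no hypervisor).
HOST_ONLY_NET = """<network>
  <name>inner-hostonly</name>
  <bridge name="virbr10"/>
  <ip address="10.10.0.1" netmask="255.255.255.0"/>
</network>"""

ROUTABLE_NET = """<network>
  <name>inner-routed</name>
  <forward mode="route"/>
  <bridge name="virbr11"/>
  <ip address="10.20.0.1" netmask="255.255.255.0"/>
</network>"""


def classify_network(xml_text: str) -> dict:
    """Return the network name and whether guests on it can reach beyond the host.

    libvirt semantics: no <forward> element means an isolated (host-only)
    network; a <forward> element (mode defaults to "nat" when omitted) gives
    guests a path off the host via NAT, routing or bridging.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="<unnamed>")
    fwd = root.find("forward")
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    return {"name": name, "mode": mode, "routable": fwd is not None}


def check_inner_host_networks(xml_defs: list) -> list:
    """Flag every network definition that would expose a nested host."""
    findings = []
    for xml_text in xml_defs:
        info = classify_network(xml_text)
        if info["routable"]:
            findings.append(
                f'{info["name"]}: forward mode "{info["mode"]}" is reachable beyond the host'
            )
    return findings


if __name__ == "__main__":
    for line in check_inner_host_networks([HOST_ONLY_NET, ROUTABLE_NET]):
        print(line)
```

Feed it the output of `virsh net-dumpxml` for each network the inner host is attached to; an empty result means every attached network is host-only.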