Hi there!
I would like you to blog a little bit about performance. Give us recommendations about speeding up our virtualization environment.
Back in the day, you gave us a big one when you explained huge page tables. That was a good one.
You haven't blogged about having virtual hard drives on LVM. It can be the best way to have the VM on. That can be one blog post.
Maybe something else you can recommend?
Blinkiz,
I appreciate your support for this website. I really do. I really would love to post much more frequently than I do, but blogging turns out to be more work than it looks when you have a day job. Did you have a specific use case with LVM you were interested in? e.g. taking snapshots, backups, etc.?
Hi
I have come up with an idea of what you can blog about!
I want to protect my host with a firewall (iptables). But I never got this working because I then blocked all my guests at the same time. I would like to know how I can block access to my host (only SSH open) but let all traffic flow in and out of the guests as normal.
Blinkiz,
I guess you're talking about bridged networking right? I'll check it out and see what security options I can think of.
Yes, correct, bridged networking.
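The setup Blinkiz describes (host closed except SSH, guests on the bridge unaffected), as an added example that is not part of this thread. It assumes the bridge is named br0 and SSH listens on port 22. The point it relies on: packets addressed to the host itself go through INPUT, while frames switched between the physical NIC and the guests' tap devices only touch iptables in FORWARD (and only while net.bridge.bridge-nf-call-iptables is 1), so a blanket DROP in FORWARD is what cuts the guests off, not the INPUT policy.

```shell
#!/bin/sh
# Added example: iptables ruleset for a KVM/qemu host with bridged guests.
# Assumptions: bridge is br0, SSH on tcp/22 (override via environment).
BRIDGE="${BRIDGE:-br0}"
SSH_PORT="${SSH_PORT:-22}"

# Emit an iptables-restore ruleset. Printing it first (instead of running
# iptables line by line) lets you review it before a lock-out can happen.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- host itself: only what the host needs to be reachable for ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# --- guests: frames switched by the bridge are not the host's business ---
# Either match on the bridge ports (physdev) or on the bridge interface
# appearing as both in and out; both only matter while bridge-nf is on.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i ${BRIDGE} -o ${BRIDGE} -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: the SSH accept must exist, otherwise
# loading a DROP policy on INPUT locks you out of a remote host.
rules_allow_ssh() {
    gen_rules | grep -q -- "-A INPUT -p tcp --dport ${SSH_PORT} " 
}

# Usage (as root):
#   gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
# Alternative: keep bridged frames out of iptables entirely, so the FORWARD
# rules above become irrelevant and guests are never affected:
#   sysctl -w net.bridge.bridge-nf-call-iptables=0
```

Whichever route you take, verify from a guest that inbound and outbound traffic still works, then from another machine that only SSH reaches the host's own IP.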
Had similar problems recently:
Set up a VM Internet host for a customer and looked for firewall software to protect it.
For another, older single machine I used shorewall for years, but this time I'd have liked to give fwbuilder a try (nice GUI stuff, automatic fallback in case something's misconfigured, etc.), but it never worked as expected. Always thought I'm doing something wrong, but at last I came to the conclusion that this typical fast-n-easy br0 (consisting of one or more physical/virtual NICs) isn't firewall friendly (if it's possible at all): because which of these NICs do you use for the fw rules? The "real" interface in this case is the bridged one, afaik. So how do you write rules that direct traffic between br0 and the "hidden" NICs behind it?
If it's possible at all, I believe it's not that easy :-)
In these tests I've come across that vde2 stuff that looked very promising. It looked to me as if I could do exactly that: defining "real" virtual switches and NICs which can be routed/firewalled separately.
qemu (kvm?) already supports vde2 stuff: until, yeah, until you'd like to manage those VMs by either libvirt, convirture etc. I didn't see any option to access vde2 stuff in those programs, yet.
Since I had to present some result, I finally did what I used to do: put endian (or another fw distro, pfsense etc.) in a separate VM.
Hope it was useful... :-)
joern
> I would like you to blog a little bit about performance.
> Give us recommendations about speeding up our
> virtualization environment.
One can never have too much speeeeeed :-)
I feel sorry that I didn't try that PageTableStuff, but I promise! What does it speed up? Should read that post again, can't remember :-)
Would have opened my own thread because I also have questions regarding performance:
qemu/kvm supports VMWARE SVGA II; is that more speed, better for video than the usual cirrus VGA? Has someone tested this already?
But again, no way to select these options in virt-manager and alike...
What virtual disk format / controller type / setup is best for really speedy virtual disk I/O? ide/scsi/virtio/direct block device?
What gives more speed: just throwing a single virtual disk on a phys. 6-disk RAID10 array, or building 3 phys. RAID1 arrays and distributing 3 virtual disks, building a RAID0 on top of them?
If someone provides me with the info on how to benchmark virtual machines CORRECTLY, I could help testing SOME of this.
NIC setup: I usually make that simple bridge setup for connecting VMs. But at the current time, I put everything into VMs!
Let me try: my WS is accessing a VM's service that gets data from an NFS share at the VM host, so the data passes the same virtual NIC twice -> once the VM accessing the NFS share and then delivering the data back through the virtual NIC, out to the phys. NIC to the WS. I don't really know if the same laws are valid for both virtual and phys. NICs, but at the time data flows in one direction on a physical device it can't flow in the other at the same time? That would cut the transfer rate by half at least...
So would it help to let the VM access the NFS share through a second virtual NIC on another bridge and serve the data on the first bridge? In theory the VM could then read (nic2) and write (nic1) at the same time...
I'm sure one can get good results by a clever VM setup, so let's go... :-)
Questions over questions: Dear Haydn, help! :-)
True, it's not easy for the reason you mentioned, i.e. the bridges use the physical interface. The only idea I have so far (although I have not labbed it out, so I'm not even sure it would work) is to make your physical interface a trunk to pass VLANs and bridge your host to a separate VLAN where you can implement more secure firewall policies. I'm currently visiting family so unable to test this theory. Any ideas on this?
> is to make your physical interface a trunk to pass vlans and
> bridge your host to separate vlan where you can implement
> more secure firewall policies.
Sounds complicated!
I'd like to keep things simple. That vde2 stuff looked "logical" to me: "switches" with "ports" where you plug in "cables", just like in real life :-)
Kinda "Sims" for networking people :-)
A few days ago I had a REALLY SHORT look at VLAN setups. I believe VLAN NIC definitions in Linux have some limitations/restrictions?
But please: prove me wrong :-)
Give a short setup and I'll try!
> I'm currently visiting family
Nice time !
Actually, not that complicated once the steps are laid out. I agree that VDE will probably be simpler to implement, but performance is known to be poor with vde and I'm sure blinkiz would like to keep maximum performance seeing that he is performance oriented.
I'll work on a quick and dirty set of instructions that you can test if you have the time/resources. If it works, we can put up a post with some detailed instructions.