[Openstack] question about security

Vishvananda Ishaya vishvananda at gmail.com
Fri Jun 1 07:39:42 UTC 2012


Generally I handle this by using a different eth device (or VLAN) for the instance network. Then you make sure that no services on compute are listening on 0.0.0.0.

If you have only one interface, for example, you can run three VLANs across it:

eth0:10 -> public network <public ip address> for routing and floating IPs and such. Nothing should listen here.
eth0:11 -> management network <192.168.0.0/24 range>. Rabbit and MySQL run on this network. All services (ssh, etc.) run here.
eth0:12 -> vm network <10.0.0.0/8 range> for VMs. Nothing should listen here (except dnsmasq, obviously).

Vish

On May 31, 2012, at 7:35 PM, William Herry wrote:

> We use FlatDHCP network mode, all things work fine, instances have a 10.0.0.x IP and 10.0.0.1 as gateway.
> Our problem is that the service (most of the time the compute node) has little restriction from instances,
> so an instance can see a lot of open ports on the service. I am wondering if this is a security problem.
> 
> Restricting services on the compute node so they do not listen on the 10.0.0.x IP is the way I can think of to solve this; any other ways?
> 
> Thanks
> 
> -- 
> 
> 
> 
> William Herry
> ====================
> WilliamHerryChina at Gmail.com
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
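The check Vish's advice implies, written here as an added example (not code from either poster): parse `ss`-style socket listings and flag every service bound to the wildcard address, since those are the ones reachable from the 10.0.0.0/8 VM VLAN as well as from the management VLAN. The sample listing is constructed; on a real compute node you would feed it the output of `ss -Hlntu`.

```shell
# Constructed sample of "ss -Hlntu" output for a compute node (not real data).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0 128 192.168.0.5:3306    0.0.0.0:*
tcp   LISTEN 0 128 192.168.0.5:5672    0.0.0.0:*
udp   UNCONN 0 0   10.0.0.1:53         0.0.0.0:*
tcp   LISTEN 0 128 *:8775              *:*
tcp   LISTEN 0 128 [::]:22             [::]:*'

# wildcard_listeners: read ss-style lines on stdin, print "proto port" for
# each socket bound to an any-address (0.0.0.0, *, [::] or ::). Sockets bound
# to a specific address, such as MySQL/Rabbit on the management IP or dnsmasq
# on the VM gateway IP, are not reported.
wildcard_listeners() {
    awk '{
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print $1, port
    }'
}

# audit_listeners: take a listing as $1; return 1 and print the offenders if
# anything listens on all interfaces, otherwise return 0.
# Fixes are per service, e.g. sshd "ListenAddress", MySQL "bind-address",
# RabbitMQ RABBITMQ_NODE_IP_ADDRESS, each set to the management address.
audit_listeners() {
    offenders=$(printf '%s\n' "$1" | wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf 'listening on all interfaces (reachable from the VM network):\n%s\n' "$offenders"
        return 1
    fi
    echo "no wildcard listeners"
    return 0
}

# Stand-alone run against the constructed sample; on a real host use:
#   audit_listeners "$(ss -Hlntu)"
audit_listeners "$SAMPLE_SS" || true
```

On the sample above the audit flags sshd on 0.0.0.0:22 and [::]:22 and the metadata service on *:8775, while MySQL, Rabbit and dnsmasq pass because they are bound to one address.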
