[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Multiple VMs - one static routable IP address



On Thu, May 17, 2007 at 10:24:24PM -0500, cyber@xxxxxxxxx wrote:
> >>only have one routable IP address however. I need to service ports: 22, 
> >>25, 80, 110, and 443
> >your going to have problems with 22, 110 and 443. You can potentially do 
> >it for port 80, but yuo would have to service the request on the host. 
> >THis is going to be the same for all the virtual machines if you have non 
> >routable addresses, no real way around it.  You could possible try ipv6 - 
> >but then your client would have to use ipv6 (both of you can use the ipv4 
> >in ipv6 ability)
> 
> Thanks for the reply Alex!
> 
> Ports 80 and 443 I'm not terribly worried about.  Apache in proxy mode 
> gets around that simple enough.  It'd mean an additional install of 
> Apache, but that's not a terribly big deal nor a deal breaker for me.
> 
> Well, I'm honestly not familiar enough with ipv6 to know how to do 
> anything differently.  I'm no stranger to tcp/ip stacks, but I haven't 
> even dabbed a toe in the ipv6 pool.
> 
> How does the S390 hosting guys do this sort of thing?  They can't really 
> be using routable IP addresses for everything?  I realize this is more a 
> networking question than a VM question, but I figured there would be some 
> sort of soft router type functionality built into the solution (just like 
> there is for the bridging and such) to address the complication of it now 
> being multiple machines.  I can't be the only guy who does hosting on a 
> business class DSL line, but with only one routable IP.
> 
> Maybe the solution is to spin up a DomU as the firewall and put the apache 
> in proxy mode there, as well as a sendmail MTA router to the 10-net behind 
> it.  Ports 22 (sshd) and 110 (ipop3) are easy enough to configure around 
> and just give a different port to every VM.  The only real sticking point 
> was port 25 really.  My sendmail kung-fu just isn't that strong for a 
> multiple machine environment.  Everything I've ever done is with one 
> server, and multiple backup MX's.
> 
> I just keep coming back to the original question tho, what do the big VM 
> environments do when they have hundreds or more VM's...  are they really 
> using up hundreds of routable IP addresses?  Really?
most of the uml that i have seen use routeable.

the problem with 22 and 443 is they are encryption and authentication.  how do 
you determine which 22 is the destination, having said that you could assign 
port 23 to one machine for ssh (it doesn't need to be stuck to port 22).

the mta on the firewall machine - you could as well, but it would leave a trail 
(add its foot print to email travelling through it)

> 
> Originally I was planning on putting all my own personal websites and 
> email on Domain-0, as well as an iptables based firewall.  Having read 
> more, seems like the recommendation is to keep Domain-0 behind a DomU 
> where the firewall runs.  Makes sense, and doesn't seem difficult to do... 
> just a new paradigm for me.  I've always only had one server, and it did 
> everything and anything.  I love the idea of breaking it all up from a 
> security and manageability standpoint...  just not sure what to do about 
> getting all the bits to the right VMs that need to be routed correctly.

if its for security of apps, why not look at chroot ?


> 

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.