Setup
I'm new to Linux networking, and I have been learning about the concepts and tools available for a few days. I'm designing a solution which implements the following networking model.
There is a host machine which is running N untrusted VMs. Here is the connectivity I want to provide to the VMs:
- Each untrusted VM should have access to a runtime API running on the host, but not to any other API running on the host
- VMs should not be able to talk to each other
- VMs should be able to connect to the broader internet
- VMs should not be able to connect to the local/private networks which the host machine is connected to
Current Incomplete Design
Public Internet Access
Somehow connect the eth0 device on the guest to the eth0 device on the host without allowing access to private networks which the host is connected to, or to internal networks on the host.
Runtime API Access
Set up a tap device on the host machine, runtime0, and assign it an IP address. Ensure that the runtime API is listening on the IP address for runtime0 on a prespecified port.
For each guest, create a tap device, runN, which is mapped to run0 within the guest. To enable access to the runtime API, create a veth link between runN and runtime0. Within the guest, assign the run0 device the same IP address as the runtime0 device on the host.
The goal here is that a process running on the guest can just connect to the IP address for the run0 device and it will route directly to the runtime API on the host.
I appreciate any help, links, books, or advice you have to offer. Developing an understanding of these networking concepts on my own has been more rewarding than I expected.
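As an added example (not part of the original post, and not a design the author has tested), here is a host-side nftables ruleset that enforces the four connectivity requirements above for per-guest tap devices named run0, run1, ... The uplink name eth0, the runtime API address 10.200.0.1 (assumed to be the address of the host's runtime0 device) and port 8080 are placeholders; it also assumes each runN tap is its own routed link, so guest-to-guest traffic has to cross the host's forward hook where it can be dropped.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for the isolation model described
# in the post. All addresses, ports and interface names below are assumptions.
API_ADDR="${API_ADDR:-10.200.0.1}"   # assumed address of the host's runtime0 device
API_PORT="${API_PORT:-8080}"         # assumed runtime API port
UPLINK="${UPLINK:-eth0}"             # assumed host uplink to the internet

# Print the ruleset on stdout (does not touch the running kernel configuration).
vm_ruleset() {
  cat <<EOF
table inet vmguard {
  set private_nets {
    type ipv4_addr
    flags interval
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 }
  }
  chain input {
    type filter hook input priority filter; policy accept;
    iifname "run*" ct state established,related accept
    # requirement 1: guests may reach the runtime API and nothing else on the host
    iifname "run*" ip daddr $API_ADDR tcp dport $API_PORT ct state new accept
    iifname "run*" drop
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related accept
    # requirement 2: no guest-to-guest traffic (every runN link is routed via the host)
    iifname "run*" oifname "run*" drop
    # requirement 4: no reach into private, link-local or loopback ranges behind the host
    iifname "run*" ip daddr @private_nets drop
    # requirement 3: everything else from a guest may leave via the uplink only
    iifname "run*" oifname "$UPLINK" accept
    iifname "run*" drop
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$UPLINK" masquerade
  }
}
EOF
}

# Load the ruleset atomically (requires root and the nft binary).
vm_ruleset_apply() {
  vm_ruleset | nft -f -
}
```

Requirement 2 only holds because each guest sits on its own routed tap; if the taps were enslaved to a common bridge, guest-to-guest frames would be switched at layer 2 and never reach this forward chain.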