Monday, December 3, 2018

SmartOS Virtualization with one public IP address



Is it possible? (title of this question)



Googling Virtualization with one public IP address yields nothing useful



What I have:





  • SmartOS on a dedicated server.

  • Dedicated server has one public IP address.



What I want to do:




  • Host multiple guest OS from that server




Problem:




  • Access to the guest through the (server that virtualizes the guest)'s IP address.






Is this possible at all?




Sorry, newbie to all this






Research



http://www.machine-unix.com/beginning-with-smartos/#comment-7256
Does not solve my problem - the guide sets up an internal IP




http://blog.bgentil.fr/smartos-use-global-zone-as-gateway-for-guests.html



Ideas




  • Perhaps it is possible to do host-based translation like with nginx proxy?


Answer



Yes, you can!




For general help with SmartOS:



Google treats SmartOS as a synonym for Solaris. Always use the search located at smartos.org; do not use Google directly. #SmartOS on Freenode and the mailing list are also invaluable resources.



Security concerns with a single IP setup at a datacenter:



In SmartOS you typically have an admin interface (private/LAN) and a public one (public/WAN). I realize this may not be possible in your deployment, but it's very important to know that KVM virtual hosts will run unprotected VNC on the admin interface. You will need to secure that using a firewall or configuration change.



What you'll want to do is set up a zone that will act as a firewall, gateway, load balancer, etc. That firewall zone will have two NICs, one on the admin interface, one on the WAN. You can place all of your guests on a virtual switch which will be like having them connected to a physical one.




Since you only have one IP, which I would try to rectify, this can be tricky to set up in a zone; if you mess up your network configuration you may lose access to the machine. Although generally not advised, you may need to run your firewall in the global zone.




  1. For the guests to get out to the internet, set up NAT:
    http://wiki.smartos.org/display/DOC/NAT+using+Etherstubs


  2. For incoming https/http: I run an nginx instance and use a file for each
    service/website in the sites-available/sites-enabled folders. The
    default configuration of NGINX with SmartOS is minimalistic and will
    not contain these folders.


  3. For incoming tcp/udp services: You can use the built-in firewall (see
    man fwadm) in your firewall zone or use HAProxy if you want to do
    virtual hosts. (You could use HAProxy exclusively and eliminate NGINX)
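
One way to lay out the per-site nginx files from step 2, as an added example that is not part of the original answer. The guest addresses (10.0.0.11, 10.0.0.12), the hostnames and the file names are assumptions, and only plain HTTP is shown.

```nginx
# --- nginx.conf: add inside the existing http { } block ---
# The stock SmartOS nginx.conf has no per-site layout. Create
# sites-available/ and sites-enabled/ next to nginx.conf and load
# whatever has been enabled (relative paths resolve from that directory).
include sites-enabled/*;

# --- sites-available/00-default ---
# Catch-all: a request whose Host header matches no configured site is
# dropped here instead of falling through to the first guest listed.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection, send no response
}

# --- sites-available/app1.example.com (hypothetical site) ---
server {
    listen 80;
    server_name app1.example.com;

    location / {
        # Guest on the internal etherstub network (assumed address).
        proxy_pass http://10.0.0.11:80;
        # Pass the original host and client address on to the guest,
        # otherwise its logs only ever show the proxy's internal IP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# --- sites-available/app2.example.com (hypothetical site) ---
server {
    listen 80;
    server_name app2.example.com;

    location / {
        # Second guest, listening on a non-default port (assumed).
        proxy_pass http://10.0.0.12:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A site is switched on by symlinking its file from sites-available into sites-enabled; run `nginx -t` before reloading so a syntax error does not take down every guest's front end at once.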


