public inbox for pve-devel@lists.proxmox.com
From: Neil Hawker <n.hawker@chester.ac.uk>
To: 'Eneko Lacunza' <elacunza@binovo.es>,
	'Proxmox VE development discussion' <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] Vmbr bridge permissions and SDN improvements?
Date: Mon, 7 Mar 2022 10:01:42 +0000
Message-ID: <4c1c084dec884a06afff0d51eed49f03@chester.ac.uk>
In-Reply-To: <48dda161-4379-c446-6e92-67dafaf92532@binovo.es>

Hi Eneko

Thank you for the suggestion; we hadn’t thought about nested virtualization, which is an interesting idea. My initial thoughts are that this would create additional complexity with management of the platform (provisioning, authentication and licensing) and system overheads.

Your suggestion, however, has given me the thought that we could use nested virtualization for pen testing purposes in future by having an all-in-one VM containing its sub VMs/networks.

Ideally, if the use of vmbr bridges could be restricted using the permissions Spirit proposed in their changes, that would require minimal configuration changes for us to make, particularly mid-academic year.

Thanks

From: Eneko Lacunza <elacunza@binovo.es>
Sent: 07 March 2022 08:56
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>; Neil Hawker <n.hawker@chester.ac.uk>
Subject: Re: [pve-devel] Vmbr bridge permissions and SDN improvements?


Hi Neil,

Have you considered using nested Proxmox servers, so that you only have the desired networks in students' nested Proxmoxes?

Cheers

On 4/3/22 at 12:08, Neil Hawker wrote:

Hi,

We're currently using version 7.1-10 and have the use case where we need to hide the vmbr bridges from normal users to prevent them circumventing network security that is applied through SDN vNets.

For context, our setup is a Proxmox cluster that is used as a learning environment for students where they can create and manage their own VMs to practice their Cybersecurity skills in an isolated environment. Being able to hide the vmbr bridges from users would achieve this.

I have found on the community forum (https://forum.proxmox.com/threads/sdn-group-pool-permissions.93872) that Spirit had contributed changes that have yet to be accepted/merged in that would achieve this as well as some SDN GUI improvements.

I appreciate developers are very busy, but is it possible for Spirit's changes to be included in an upcoming version and if so, any rough idea when they might get released?

Thanks

Neil


Eneko Lacunza
Technical Director
Binovo IT Human Project

Tel. +34 943 569 206 | https://www.binovo.es
Astigarragako Bidea, 2 - 2º izda. Oficina 10-11, 20180 Oiartzun

https://www.youtube.com/user/CANALBINOVO
https://www.linkedin.com/company/37269706/

Thread overview: 3+ messages
2022-03-04 11:08 Neil Hawker
     [not found] ` <48dda161-4379-c446-6e92-67dafaf92532@binovo.es>
2022-03-07 10:01   ` Neil Hawker [this message]
2022-03-07 11:51 ` DERUMIER, Alexandre
