* [pve-devel] Vmbr bridge permissions and SDN improvements?
@ 2022-03-04 11:08 Neil Hawker
[not found] ` <48dda161-4379-c446-6e92-67dafaf92532@binovo.es>
2022-03-07 11:51 ` DERUMIER, Alexandre
0 siblings, 2 replies; 3+ messages in thread
From: Neil Hawker @ 2022-03-04 11:08 UTC (permalink / raw)
To: 'pve-devel@lists.proxmox.com'
Hi,
We're currently using version 7.1-10 and have the use case where we need to hide the vmbr bridges from normal users to prevent them circumventing network security that is applied through SDN vNets.
For context, our setup is a Proxmox cluster that is used as a learning environment for students where they can create and manage their own VMs to practice their Cybersecurity skills in an isolated environment. Being able to hide the vmbr bridges from users would achieve this.
I have found on the community forum (https://forum.proxmox.com/threads/sdn-group-pool-permissions.93872) that Spirit had contributed changes that have yet to be accepted/merged in that would achieve this as well as some SDN GUI improvements.
I appreciate developers are very busy, but is it possible for Spirit's changes to be included in an upcoming version and if so, any rough idea when they might get released?
Thanks
Neil
* Re: [pve-devel] Vmbr bridge permissions and SDN improvements?
[not found] ` <48dda161-4379-c446-6e92-67dafaf92532@binovo.es>
@ 2022-03-07 10:01 ` Neil Hawker
0 siblings, 0 replies; 3+ messages in thread
From: Neil Hawker @ 2022-03-07 10:01 UTC (permalink / raw)
To: 'Eneko Lacunza', 'Proxmox VE development discussion'
Hi Eneko
Thank you for the suggestion; we hadn’t thought about nested virtualization, which is an interesting idea. My initial thoughts are that this would create additional complexity with management of the platform (provisioning, authentication and licensing) and system overheads.
Your suggestion, however, has given me the thought that we could use nested virtualization for pen testing purposes in future by having an all-in-one VM containing its sub-VMs/networks.
Ideally, if the use of vmbr bridges could be restricted using the permissions Spirit proposed in their changes, that would require minimal configuration changes for us to make, particularly mid-academic year.
Thanks
From: Eneko Lacunza <elacunza@binovo.es>
Sent: 07 March 2022 08:56
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>; Neil Hawker <n.hawker@chester.ac.uk>
Subject: Re: [pve-devel] Vmbr bridge permissions and SDN improvements?
Hi Neil,
Have you considered using nested Proxmox servers, so that you only have the desired networks in students' nested Proxmoxes?
Cheers
On 4/3/22 at 12:08, Neil Hawker wrote:
Hi,
We're currently using version 7.1-10 and have the use case where we need to hide the vmbr bridges from normal users to prevent them circumventing network security that is applied through SDN vNets.
For context, our setup is a Proxmox cluster that is used as a learning environment for students where they can create and manage their own VMs to practice their Cybersecurity skills in an isolated environment. Being able to hide the vmbr bridges from users would achieve this.
I have found on the community forum (https://forum.proxmox.com/threads/sdn-group-pool-permissions.93872) that Spirit had contributed changes that have yet to be accepted/merged in that would achieve this as well as some SDN GUI improvements.
I appreciate developers are very busy, but is it possible for Spirit's changes to be included in an upcoming version and if so, any rough idea when they might get released?
Thanks
Neil
Eneko Lacunza
Technical Director
Binovo IT Human Project
Tel. +34 943 569 206 | https://www.binovo.es
Astigarragako Bidea, 2 - 2º izda. Oficina 10-11, 20180 Oiartzun
https://www.youtube.com/user/CANALBINOVO
https://www.linkedin.com/company/37269706/
* Re: [pve-devel] Vmbr bridge permissions and SDN improvements?
2022-03-04 11:08 [pve-devel] Vmbr bridge permissions and SDN improvements? Neil Hawker
[not found] ` <48dda161-4379-c446-6e92-67dafaf92532@binovo.es>
@ 2022-03-07 11:51 ` DERUMIER, Alexandre
1 sibling, 0 replies; 3+ messages in thread
From: DERUMIER, Alexandre @ 2022-03-07 11:51 UTC (permalink / raw)
To: pve-devel
Hi,
My patches from October are here:
https://lists.proxmox.com/pipermail/pve-devel/2021-October/050211.html
(Does somebody have time to review them?)
On Friday, 04 March 2022 at 11:08 +0000, Neil Hawker wrote:
> Hi,
>
> We're currently using version 7.1-10 and have the use case where we
> need to hide the vmbr bridges from normal users to prevent them
> circumventing network security that is applied through SDN vNets.
>
> For context, our setup is a Proxmox cluster that is used as a
> learning environment for students where they can create and manage
> their own VMs to practice their Cybersecurity skills in an isolated
> environment. Being able to hide the vmbr bridges from users would
> achieve this.
>
> I have found on the community forum
> (https://forum.proxmox.com/threads/sdn-group-pool-permissions.93872)
> that Spirit had contributed changes that have yet to be
> accepted/merged in that would achieve this as well as some SDN GUI
> improvements.
>
> I appreciate developers are very busy, but is it possible for Spirit's
> changes to be included in an upcoming version and if so, any rough
> idea when they might get released?
>
> Thanks
> Neil