I tried to get what the "best practice" according to the docs (especially https://github.com/firecracker-microvm/firecracker/blob/main/docs/prod-host-setup.md) for guest isolation would be.
I understand the steps in the prod-host-setup but I also assume that network namespaces are actually crucial for production use.
The documentation seems to be a bit unspecific here.
So to clarify (and maybe to update the production docs?):
When I run multiple microVMs which need access to e.g. the internet, is it absolutely required to run them in individual network namespaces for full network isolation?
For me, it is tricky with nftables to actually fully isolate VMs from each other to prevent attacks from other VMs if compromised. I managed "isolation lite" by only allowing tap0 to talk to eth1, but not to tap1, tap2, etc. But is this already good enough?
(The production docs speak about mitigation of spectre, rowhammer etc, but if one VM can reach another VM via ssh or any other open port, I don't need those fancy exploits inside a VM to disrupt operations).
On the other hand, if network namespaces are not required to reach good network isolation, I would love to avoid the complexity of managing many namespaces, veth links and bridges to allow running like 10 or 20 isolated VMs.
Clarification or hints are very welcome :)
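As an added illustration of the "tap0 may talk to eth1 but never to tap1, tap2, ..." scheme described in the post (this is example code written for this discussion, not part of the Firecracker docs or the project), the script below generates an nftables ruleset for N taps from a single forward chain with `policy drop`, so tap-to-tap traffic is never accepted. The uplink name `eth1`, the tap naming `tap0..tap(N-1)` and the table names `vm_isolation` / `vm_nat` are assumptions; adapt them to your host.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that allows each Firecracker tap to
# forward only to the uplink and drops every other forwarded packet (tap->tap
# included). Nothing is applied by this script; feed its output to `nft -f`.
# Assumed names: uplink "eth1", taps "tap0".."tap(N-1)", tables vm_isolation / vm_nat.

gen_isolation_ruleset() {
    uplink="$1"   # host interface carrying guest traffic towards the internet
    ntaps="$2"    # number of microVMs; taps are assumed to be named tap0..tap(N-1)

    # Re-declare and empty only our own table so reapplying is idempotent and
    # no unrelated ruleset on the host is touched.
    printf 'add table inet vm_isolation\n'
    printf 'flush table inet vm_isolation\n'
    printf 'table inet vm_isolation {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    # Replies to flows a tap was allowed to open (e.g. from the internet) come back
    # through the uplink; only conntrack-established traffic is let back in.
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    i=0
    while [ "$i" -lt "$ntaps" ]; do
        # One explicit rule per tap: source tap -> uplink only. There is no rule
        # whose output interface is a tap, so tap->tap can never be accepted.
        printf '    iifname "tap%s" oifname "%s" accept\n' "$i" "$uplink"
        i=$((i + 1))
    done
    # Make the policy drop visible: count and log whatever falls through
    # (a compromised guest probing a neighbour shows up here).
    printf '    counter log prefix "vm_isolation_drop " drop\n'
    printf '  }\n'
    printf '}\n'

    # Source NAT so guests with private addresses can reach the internet.
    printf 'add table ip vm_nat\n'
    printf 'flush table ip vm_nat\n'
    printf 'table ip vm_nat {\n'
    printf '  chain postrouting {\n'
    printf '    type nat hook postrouting priority 100; policy accept;\n'
    printf '    oifname "%s" masquerade\n' "$uplink"
    printf '  }\n'
    printf '}\n'
}

# Count the per-tap accept rules in a generated ruleset (used for self-checking).
count_tap_accepts() {
    printf '%s\n' "$1" | grep -c 'iifname "tap'
}

# Stand-alone use: ./gen-rules.sh eth1 20 > vm.nft && nft -f vm.nft
gen_isolation_ruleset "${1:-eth1}" "${2:-2}"
```

This only works as long as the taps are routed (each tap with its own small subnet and `net.ipv4.ip_forward=1`), as the post describes. If the taps were instead attached to one Linux bridge, frames between two taps would be switched at layer 2 and never reach the `inet forward` hook unless `br_netfilter` is loaded, so the rules above would silently not apply; in that setup a `table bridge` ruleset or per-VM network namespaces are needed. The `counter log` line is what turns the isolation policy into something you can monitor: a steady stream of `vm_isolation_drop` entries from one tap is a useful signal that a guest is misbehaving.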