Generally I handle this by using a different eth device (or vlan) for the 
instance network.  Then you make sure that no services on compute are listening 
on 0.0.0.0

If you have only one interface, for example, you can run three vlans across it:

eth0:10 -> public network <public ip address> for routing and floating ips and 
such. Nothing should listen here.
eth0:11 -> management network <192.168.0.0/24 range>. Rabbit and mysql run on 
this network. All services (ssh, etc.) run here.
eth0:12 -> vm network <10.0.0.0/8 range> for vms. Nothing should listen here 
(except dnsmasq, obviously).

Vish
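The check Vish describes (no service on the compute node listening on 0.0.0.0, and nothing except dnsmasq bound on the VM network) is easy to audit from `ss` output. The script below is an added example, not code from this thread or from OpenStack; it assumes the management and VM ranges Vish gives (192.168.0.0/24 and 10.0.0.0/8), treats every other non-loopback address as the public network, and runs over a constructed sample of `ss -Hltnp` lines so it works offline.

```python
import ipaddress
import re
import subprocess

# Network layout from the thread. The concrete management and VM ranges are
# the ones Vish uses as an example; adjust them to the deployment.
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")
VM_NET = ipaddress.ip_network("10.0.0.0/8")
# Daemons that legitimately listen on the VM network (dnsmasq serves instance DHCP/DNS).
VM_NET_ALLOWED = {"dnsmasq"}

# Extracts the process name from the users:(("name",pid=..,fd=..)) column of ss -p.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_line(line):
    """Parse one line of `ss -Hltnp` output into (process, address, port).

    Returns None for lines that are not LISTEN sockets (headers, blanks, noise).
    """
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    local = fields[3]                      # e.g. 0.0.0.0:5672 or [::]:22
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]")
    if addr in ("", "*"):                  # older ss prints *:port for wildcard
        addr = "0.0.0.0"
    m = _PROC_RE.search(line)
    proc = m.group(1) if m else "?"
    return proc, addr, int(port)


def audit(lines):
    """Return (process, address, port, reason) for every socket an instance could reach.

    Wildcard binds are reachable from the VM network whatever the VLAN layout,
    so they are always reported. Loopback and management-network binds are the
    expected configuration and are skipped.
    """
    findings = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proc, addr, port = parsed
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:              # 0.0.0.0 or :: -> listening on every network
            findings.append((proc, addr, port, "wildcard bind"))
        elif ip.is_loopback or ip in MGMT_NET:
            continue
        elif ip in VM_NET:
            if proc not in VM_NET_ALLOWED:
                findings.append((proc, addr, port, "bound on vm network"))
        else:
            findings.append((proc, addr, port, "bound on public network"))
    return findings


def audit_host():
    """Run the same audit against the live host (Linux with iproute2 `ss`)."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return audit(out.splitlines())


# Constructed sample of `ss -Hltnp` output; not captured from a real compute node.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:5672 0.0.0.0:* users:(("beam.smp",pid=1234,fd=18))
LISTEN 0 128 192.168.0.5:3306 0.0.0.0:* users:(("mysqld",pid=2345,fd=10))
LISTEN 0 128 10.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=3456,fd=6))
LISTEN 0 128 10.0.0.1:16509 0.0.0.0:* users:(("libvirtd",pid=4567,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=5678,fd=3))
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=6789,fd=4))
""".splitlines()

if __name__ == "__main__":
    for proc, addr, port, why in audit(SAMPLE):
        print(f"{proc:12s} {addr}:{port}  {why}")
```

Against the sample, rabbit (beam.smp) and sshd are reported for their wildcard binds and libvirtd for sitting on the VM network, while mysqld on the management address, dnsmasq on the VM network and memcached on loopback pass. Run `audit_host()` on a compute node to get the same report for real sockets.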

On May 31, 2012, at 7:35 PM, William Herry wrote:

> We use FlatDHCP network mode, and everything works fine: instances have a 10.0.0.x ip 
> and 10.0.0.1 as gateway.
> Our problem is that the service (most of the time the compute node) has little restriction from 
> the instances, 
> so an instance can see a lot of open ports on the service. I am wondering whether this is 
> a security problem.
> 
> Restricting the services on the compute node from listening on the 10.0.0.x ip is the way I can 
> think of to solve this; are there any other ways?
> 
> Thanks
> 
> -- 
> William Herry
> ====================
> [email protected]
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
