OneGate: expose a communication port inside the VM

Hello.

In our setup, the OpenNebula frontend is not exposed on the Internet for security reasons.

In such a setup, we can’t run a service like OneKE on our public network because OneGate is not publicly reachable.

I started reading the libvirt documentation on channels to see if there is a way to expose a communication port inside the virtual machine and make the onegate CLI communicate through that port instead.

On the hypervisor side, we may need something to forward the communication :thinking:

Before digging more into the subject, does someone have an idea or suggestion on that topic?

Regards.

Hi Daniel,

Yes, we are aware of this issue. We’re actively working on providing the “onegate-proxy” service (currently in testing phase), which will be installed on hypervisor hosts. It will be based on https://www.kernel.org/doc/Documentation/networking/tproxy.txt, which will cause all the traffic targeted at the 169.254.169.254:5030 (example) endpoint inside guests to be routed via the hypervisor hosts. Then something like an SSL tunnel or VPN (between frontends and hosts) could be used to reach the onegate endpoint.

Regards.

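To make the TPROXY mechanism mentioned in the reply concrete, here is an added example of the host-side rule set that diverts guest traffic for the 169.254.169.254:5030 example endpoint to a local transparent-proxy listener. It is not code from the thread or from the onegate-proxy project; it follows the steps in the kernel's tproxy.txt and assumes a hypothetical listener on 127.0.0.1:5030 (which must set IP_TRANSPARENT on its socket), a guest-facing bridge named br0, fwmark 0x1 and routing table 100. Commands are only printed unless TPROXY_APPLY=1 is set, so the rules can be reviewed before they are applied on a host.

```shell
#!/bin/sh
# Added example (not from the thread): TPROXY rules on a hypervisor so that
# guest traffic to the OneGate endpoint 169.254.169.254:5030 (the example
# address from the reply) is delivered to a local transparent-proxy listener
# on the host instead of being routed out. Based on the steps in
# Documentation/networking/tproxy.txt.
# Assumed values: listener 127.0.0.1:5030, guest bridge br0, fwmark 0x1,
# routing table 100. All can be overridden from the environment.
ONEGATE_IP="${ONEGATE_IP:-169.254.169.254}"
ONEGATE_PORT="${ONEGATE_PORT:-5030}"
PROXY_IP="${PROXY_IP:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-5030}"
GUEST_BRIDGE="${GUEST_BRIDGE:-br0}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# Print the commands instead of running them unless TPROXY_APPLY=1 is set,
# so the rule set can be reviewed before it touches the host.
run() {
    if [ "${TPROXY_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

tproxy_rules() {
    # 1. Policy routing: packets carrying the mark are looked up in a table
    #    whose only route says "everything is local", so the kernel accepts
    #    them for the listener even though 169.254.169.254 is not configured
    #    on any host interface.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    # 2. Mangle rule: only TCP to the metadata address/port, and only when it
    #    arrives from the guest-facing bridge, is diverted to the listener and
    #    marked; all other traffic is left untouched.
    run iptables -t mangle -A PREROUTING -i "$GUEST_BRIDGE" -p tcp \
        -d "$ONEGATE_IP" --dport "$ONEGATE_PORT" \
        -j TPROXY --on-ip "$PROXY_IP" --on-port "$PROXY_PORT" \
        --tproxy-mark "$MARK/$MARK"
}

# Dry run by default; set TPROXY_APPLY=1 to actually apply the rules as root.
tproxy_rules
```

The listener that receives the diverted connections is still the proxy's job: with TPROXY the accepted socket's local address is the original destination the guest dialled (169.254.169.254:5030), which lets the proxy forward it over the tunnel or VPN to the frontend's OneGate port, and restricting the mangle rule to the guest bridge keeps host-originated traffic out of the diversion.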

Do you have any issue I can subscribe?

Yes, OneGate proxy service · Issue #5973 · OpenNebula/one · GitHub :+1:
