

Charon-SSP


Dedicated NIC for Guest System

Providing a dedicated NIC for guest operating systems is the standard method in non-cloud environments. However, this configuration poses some challenges in cloud environments where MAC address / IP address combinations are fixed parameters set by the cloud provider.

This section will provide some information about how to configure such a setup in a cloud environment.

Basic Concept

The following image illustrates the basic concept when working with a dedicated network interface for the guest operating system. There are, of course, many variations depending on the specific environment.


Scenario: host and guest system have a dedicated NIC. The NIC used by the Charon host has a private and a public IP address, the NIC used by the guest system a private IP address and optionally a public IP address.

(info) If the NIC dedicated to the guest OS does not have a public IP address, the guest system may still be able to access the Internet via the customer network reachable across a VPN gateway. This depends on the customer-specific network configuration. This type of connection is the recommended way to provide external network access to the guest system, as the VPN ensures that traffic across a public network is encrypted.



The basic steps to implement the above configuration are as follows:

  • Create a cloud instance in which the Charon host system runs.
  • Add two NICs to the Charon host system. One for the Charon host and one for the guest system.
  • Configure the appropriate access rules for instance and NICs.
  • One NIC is dedicated to the Charon host, one to the guest system. Configure a private and public IP address for the NIC used by the Charon host. Configure a private IP address for the NIC used by the guest system (and optionally a public IP address - not recommended).
  • On the Charon host, remove the private IP address from the NIC dedicated to the guest system if it was automatically configured and ensure that the interface will be enabled when the system starts.
  • Assign the appropriate NIC to the guest system.
  • Configure the guest system MAC address to be the same as the one of the NIC selected for the guest.
  • After booting the guest system, configure the private IP originally assigned to the guest NIC by the cloud provider as the IP address of the guest Ethernet interface.
  • Set the default route of the guest system to the default gateway or VPN gateway of the LAN.

Depending on firewall rules and cloud-specific security settings, the guest system should then be able to communicate with

  • the host system,
  • other systems in the cloud-internal network (e.g. other guest and host systems),
  • the customer-internal network via a previously configured VPN gateway,
  • the Internet directly, if a public IP address was configured for the interface (not recommended).

Additional sections in this manual show the basic configuration steps for the above examples.

(warning) In this scenario any traffic between host and guest system (if configured with a public IP address) and external systems reachable via the Internet gateway is not encrypted by default. If this traffic runs across a public network, it is exposed to being monitored and even modified by third parties. The user is responsible for ensuring data protection conforming to the user's internal security rules. It is strongly recommended to use encrypted VPN connections for any sensitive traffic.

(warning) Guest operating systems are often old and no longer maintained by the original vendor. This means they are more easily compromised by attacks from the Internet. Therefore, direct Internet access for the guest system is not recommended.

The actual configuration steps vary depending on the cloud environment used. Some examples are provided in further sections of this document.

Configuration Example

(warning) The interface names used in this example may be different on your system. Please refer to the AWS documentation and the interface naming section in this document for more detail. Make sure you use the correct names!

(info) The example uses only a private address for the dedicated interface. If a public address is required, the basic steps for making the interface available to the guest system are the same.

Step 1: configure a second network interface on the Charon host system for use by the Solaris guest system.

The Solaris guest system should have a dedicated network interface. To achieve this, perform the following steps:

  1. Create a new network interface in the same subnet with only a private IP address and attach it to the running client instance (see Network Management). Make a note of the private IP address assigned to the interface.

  2. Create an interface configuration file for the second interface (if you are not sure about the correct name, review the AWS interface naming conventions). The file for the first interface should already exist.
    # cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1

  3. Edit this file to fit the characteristics of eth1. The private IP address used for this interface will be assigned to the Solaris guest. Therefore, configure the Linux Interface without IP address, similar to the following example:

    BOOTPROTO=none
    DEVICE=eth1
    NAME=eth1
    ONBOOT=yes
    TYPE=Ethernet
    USERCTL=no

  4. Make sure the default interface stays on eth0 by adding the following line to /etc/sysconfig/network:
    GATEWAYDEV=eth0

  5. Prevent the cloud setup from changing your network configuration by adding the following lines to /etc/cloud/cloud.cfg:
    network:
      config: disabled

  6. Restart the network (if the command fails, check your configuration for errors; you may also have to kill any running dhclient processes):
    # systemctl restart network

Expected result:

  1. The system should still be reachable via eth0.
  2. Interface eth1 should be up without having an IP address configured.
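As an added example (not part of the Stromasys documentation or of Charon-SSP itself), the following POSIX shell helpers reproduce the host-side steps above and check their result: they write the address-less ifcfg file, verify that GATEWAYDEV keeps the default route on the host NIC, verify from `ip` output that the guest NIC has no IPv4 address, and compare the MAC entered in the emulator configuration with the one of the host NIC. The interface names eth0/eth1, the script name and all sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Stromasys code. Paths and interface names are parameters so the
# checks can also run against copies of the files; all sample values are constructed.
set -u

# Step 1.3: write an address-less ifcfg file for the NIC handed to the guest.
# $1 = sysconfig root (normally /etc), $2 = guest interface name
write_guest_ifcfg() {
    cat > "$1/sysconfig/network-scripts/ifcfg-$2" <<EOF
BOOTPROTO=none
DEVICE=$2
NAME=$2
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
EOF
}

# The guest NIC file must not carry an address (static or DHCP): the host would
# otherwise claim the IP the cloud reserved for the guest. $1 = ifcfg file.
check_guest_ifcfg() {
    grep -q '^BOOTPROTO=none$' "$1" || return 1
    grep -q '^ONBOOT=yes$' "$1" || return 1
    ! grep -Eq '^(IPADDR|PREFIX|NETMASK|BOOTPROTO=dhcp)' "$1"
}

# Step 1.4: the default route must stay on the host NIC.
# $1 = /etc/sysconfig/network file, $2 = host interface name
check_gatewaydev() {
    grep -q '^GATEWAYDEV='"$2"'$' "$1"
}

# Expected result 2: guest NIC up with no IPv4 address.
# $1 = output of `ip -o addr show dev <guest-if>`; true when no "inet" line is present
nic_has_no_ipv4() {
    ! printf '%s\n' "$1" | grep -q ' inet '
}

# Step 2: the emulated system must use the MAC the cloud assigned to the NIC.
# $1 = MAC in the emulator configuration, $2 = MAC of the host NIC (case-insensitive)
mac_matches() {
    [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Live usage on the Charon host: sh dedicated_nic_check.sh check eth0 eth1
if [ "${1:-}" = "check" ]; then
    host_if=${2:-eth0}; guest_if=${3:-eth1}
    check_guest_ifcfg "/etc/sysconfig/network-scripts/ifcfg-$guest_if" && echo "ifcfg-$guest_if: ok" || echo "ifcfg-$guest_if: FAIL"
    check_gatewaydev /etc/sysconfig/network "$host_if" && echo "GATEWAYDEV=$host_if: ok" || echo "GATEWAYDEV: FAIL"
    nic_has_no_ipv4 "$(ip -o addr show dev "$guest_if")" && echo "$guest_if: no IPv4 address" || echo "$guest_if: still has an IPv4 address"
fi
```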


Step 2: add the dedicated Ethernet interface to the emulator configuration.

  • Start the Charon Manager and open the configuration window for the emulated system.
  • Configure the emulated system with the dedicated Ethernet interface as its interface.
  • Set the MAC address to the same value as used by the host interface (the value assigned by AWS).
  • Save your configuration.


Step 3: configure the interface on the Solaris guest system to use the private IP assigned to the second NIC by AWS.

Using the steps below, the Solaris guest system is configured to use the second NIC configured on the host system.

  1. Boot Solaris and configure the IP address assigned to the dedicated guest NIC for the Solaris Ethernet interface as shown in the examples below:
    # ifconfig <interface-name> <private-guest-nic-ip>/<netmask>    (Solaris 10 example)
    or
    # ifconfig <interface-name> <private-guest-nic-ip> netmask <mask>    (Solaris 2.6 example)
    Make the setting permanent by editing /etc/hosts and setting the new address for the system's hostname. Then edit /etc/netmasks and add the netmask for the subnet.
  2. Add default route on Solaris:
    # route add default <default-gateway-of-cloud-lan> <metric>
    Make the setting permanent by editing /etc/defaultrouter and adding the address of the gateway.

  3. Add a DNS server to Solaris:
    1. Edit /etc/resolv.conf and add a nameserver line for the DNS server.
    2. Make sure DNS is used for hostname resolution: either copy the template with # cp /etc/nsswitch.dns /etc/nsswitch.conf, or edit /etc/nsswitch.conf so that the hosts entry reads files dns.

Expected result (depending on security rules and firewalls):

  1. The guest system should be able to communicate with the host system across the cloud LAN using the private IP addresses.
  2. The guest system should be able to communicate directly with the Internet if the dedicated NIC has a public IP address (not recommended).
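As an added example (not part of the Stromasys documentation or of Charon-SSP), the following Bourne-shell checks verify that the persistent files edited in Step 3 agree with the values the cloud assigned to the dedicated NIC, so a mismatch between the guest's address and the cloud-reserved one is caught before traffic is silently dropped. Paths are parameters (pass / on the guest, or a directory holding copies); the hostname, addresses and a POSIX awk (nawk on old Solaris) are assumptions.

```shell
#!/bin/sh
# Added example, not Stromasys code: consistency checks for the Solaris guest's
# persistent network files. All sample values used in comments are constructed.

# /etc/hosts must map the system's hostname to the cloud-assigned private IP.
# $1 = hosts file, $2 = hostname, $3 = private IP of the guest NIC
hosts_maps() {
    awk -v h="$2" -v ip="$3" '$1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# /etc/netmasks must carry the subnet with its mask. $1 = file, $2 = network, $3 = mask
netmasks_has() {
    awk -v n="$2" -v m="$3" '$1 == n && $2 == m { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# /etc/defaultrouter: the first non-comment line must be the cloud LAN (or VPN) gateway.
# $1 = file, $2 = gateway IP
defaultrouter_is() {
    [ "$(sed -n '/^[^#]/p' "$1" | head -n 1 | tr -d ' \t')" = "$2" ]
}

# /etc/resolv.conf must name the DNS server. $1 = file, $2 = nameserver IP
resolv_has_nameserver() {
    awk -v s="$2" '$1 == "nameserver" && $2 == s { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# /etc/nsswitch.conf must consult dns for hosts (e.g. "hosts: files dns"). $1 = file
nsswitch_uses_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Run every check against one etc directory; true only when all of them pass.
# $1 = etc directory (/etc on the guest), $2 = hostname, $3 = guest IP,
# $4 = network, $5 = netmask, $6 = gateway, $7 = DNS server
guest_net_consistent() {
    hosts_maps "$1/hosts" "$2" "$3" && netmasks_has "$1/netmasks" "$4" "$5" &&
    defaultrouter_is "$1/defaultrouter" "$6" && resolv_has_nameserver "$1/resolv.conf" "$7" &&
    nsswitch_uses_dns "$1/nsswitch.conf"
}
```

Run on the guest as, for example, `guest_net_consistent /etc sunhost 10.0.1.20 10.0.1.0 255.255.255.0 10.0.1.1 10.0.0.2` with your own (cloud-assigned) values.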

(warning) Do not forget that traffic transmitted across the Internet by the guest system is not encrypted by default. Take appropriate measures to protect your data. It is strongly recommended to protect the Solaris guest system by an appropriate firewall and security group configuration. If possible, any communication across the Internet should be encrypted (e.g., by using a VPN).





© Stromasys, 1999-2024  - All the information is provided on the best effort basis, and might be changed anytime without notice. Information provided does not mean Stromasys commitment to any features described.