Shorewall and Proxmox VE Cluster Configuration
This is a follow up article describing how to use Proxmox VE and Shorewall together. This article focus on using Shorewall within your Proxmox cluster. If you have not read the first article I recommend that you do so, it will aid your understanding with what is going in this one.
Network Layout and Shorewall Configuration
We are going to be using a bridging configuration. This is what Proxmox VE uses with by default. Bridging allows for easy migration of hosts without having to re-configure the firewall each time a machine is migrated.
Proxmox VE does not come with a firewall by default there are several solutions to this problem but the most flexible and robust is integrating the Shorewall firewall. This document assumes a basic knowledge of the Shorewall program and will not cover all of Shorewall capabilities but will give you a good working model to get you started. For more advanced topics check out the Shorewall documentation.
Shorewall will have 3 zones: 1) the fw zone which is the Proxmox host, 2) the net zone which is the Internet and 3) the dmz zone which is where the virtual machines will reside. The hardware just has one network interface card; vmbr0 is a just a bridge interface.
I've been aware of Proxmox VE for a couple of years now. I've installed it a few times and tested it out. I have recommended it to others and know a few local people using it in production (at MSU-Bozeman and Rocky Mountain College for example). Since I'm involved in the OpenVZ community I've also noticed some of the contributions to OpenVZ that have come from Proxmox VE (vzdump for example) and have run into Martin Maurer in the comments section of this site. I asked him if he would be interested in doing an interview and he accepted.
What is Proxmox VE?
Proxmox VE is a very light-weight Debian-based distribution that includes a kernel with support for both KVM and OpenVZ. This means you get the best of both virtualization worlds... containers (OS Virtualization) and fully-virtualized machines (Machine Virtualization). Proxmox VE also includes a very powerful yet easy to use web-based management system with clustering features. Boot the Proxmox VE install media, answer a few simple questions, and within 10 minutes you have a very powerful virtualization platform you can manage from a web browser. Install it on one or more additional machines that are networked together and use Proxmox VE's cluster management tool to create a virtualization cluster that allows for centralized management, automated backups, iso media and template syncing, as well as virtual machine migration features. Proxmox VE really is a time saving turnkey solution... and it is freely available under a GPL license.
Andrew Niemantsverdriet from Rocky Mountain College gave a presentation entitled, "Proxmox to Virtualize Infrastructure" at Linuxfest Northwest 2009 in Bellingham, WA. A PDF of his slides has been added as an attachment.
To view the video, click on the full story or the thumbnail image on the right.
Proxmox VE version 1.1 does not ship with a firewall. This is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until that time here is an easy script that you can put on your Proxmox VE box to protect it and the virtual machines running on it, if you so choose. This is based off of http://wiki.openvz.org/Setting_up_an_iptables_firewall but works with KVM machines and tailored to a Proxmox install.
Installation and Usage
Proxmox VE is a “bare metal” ISO Linux distribution that is a virtual machine platform. It is geared towards enterprise users and designed to be installed on enterprise grade hardware. The Proxmox VE distribution combines two virtual machine technologies; KVM and OpenVZ as well as a web interface to manage everything. Proxmox VE also integrates into its web interface a way to manage multiple computers as a cluster. For the rest of the article Proxmox VE shall be referred to as PVE. This article is written about PVE 1.1, the latest stable release.