So... I am currently rebuilding / restructuring one of my labs, or rather: my homelab.
And because it's my homelab and I'm building everything from scratch, it needs to be perfect (TM) of course!
Let's start with the basics:
Usage: Automated testing, CI and HPC (numerical simulations)
Networking:
- All (max 18) servers connected to fully licensed Mellanox SX6036, each server both with a 56G Ethernet and Infiniband connection
- Another 1G or 10G network for IPMI, possibly with ethernet access? Switch not determined yet
Servers: Wild mixture, ranging from 3TB RAM Quad Socket to single socket E5-2680 v4 machines
Misc:
- Homelab will often be turned off at night to save power
- There will be a Raspi / comparable mini computer providing the following services
  - Private CA for homelab (SSL + SSH certificates), based on Hardware RNG (Infinite Noise TRNG) and Yubikey
  - Stratum 1 timeserver with GPS clock
  - DNS + DHCP?
So, now for a couple of points I can't decide on because, you know, it needs to be perfect
So basically, I want to have a certain degree of separation between the VMs because some may be "rented out" to different customers and in case of malicious software one of the VMs
- Completely separate subnet just for private VM inter-VM communication?
  - Realised with VLAN and SR-IOV Virtual Functions
  - Can be extended to multiple VMs on different servers for customer requirements by adding another VLAN and having spare SR-IOV Virtual Functions
- Best way to connect the Raspi to everything (servers, VMs)
- Completely isolate VMs from rest of Cluster? But may need access from VM to other parts of the cluster (Kubernetes, bare metal servers, etc...) for private test VMs, etc...
- Internet access for VMs via Bridge or NAT / Routed?
- How to ensure access from workstation to everything (VMs, IPMI, etc...)
  - Basically forbids NAT for VM networking because that would prevent easy access from workstation to specific VMs
- Tool to manage DHCP and DNS? By hand / Bare metal?
I think many of those points could be solved quite nicely by using the Proxmox firewall, e.g. having more restrictive settings for rented-out VMs and less restrictive settings for internal VMs if necessary