Gentoo Forums
KVM/QEMU: Same root partition, multiple read-only guests?
1clue (Advocate)
Joined: 05 Feb 2006
Posts: 2569

Posted: Mon Jan 06, 2014 11:23 pm    Post subject: KVM/QEMU: Same root partition, multiple read-only guests?

Hi,

I'm finding a need for multiples of a virtual server and would like to know viability.

I'm trying to put together a somewhat secure network. I have 4 subnets planned, and not all of them can see each other.

The biggest example of duplicated services is for DNS and DHCP. I need these services for all 4 subnets, but don't want the less secure networks to know about the more secure networks in any way.

The basic network plan:

  1. DMZ: Not totally open, but everything that's open is here. Hooked to the external router.
  2. NAT: A plain old home router for guests, wireless and digital cockroaches. Hooked to the external router.
  3. DMZ: Hooked to the external router. DMZ knows where the public side is, but does not have any other information.
  4. Private: Hooked to DMZ. No access initiated from outside, all outbound access allowed specifically by rules.


So here's what I have in mind:

  1. Build a VM with DHCP/DNS on it.
  2. The main VM has read/write access to the root partition but does not serve DHCP or DNS.
  3. Each actually used server has read-only access to everything but logging, service-specific directories and maybe /tmp.
  4. I'd like a way for these systems to not have access to a compiler.
  5. Is it feasible to have a Gentoo build that has multiple target roots, one for the build system and one which has only specific software on it, and have the build system know about both for reasonably simple updates?


Thanks.
1clue (Advocate)
Joined: 05 Feb 2006
Posts: 2569

Posted: Tue Jan 07, 2014 3:24 am    Post subject: Re: KVM/QEMU: Same root partition, multiple read-only guests?

What I'm thinking is something akin to a chroot, but for a VM guest rather than just a chroot. One master with full access, then multiple read-only guests working off the limited edition.

I guess that sort of answers my question: I could build my packages, mount my read-only model, copy files from the appropriate packages, and then run the guests.
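One way to wire up the layout described in this thread on the host side, as an added example that is not part of the original posts: every guest boots from the same root image, which QEMU opens with `readonly=on`, and each guest gets its own small writable disk for logs and service state, with `/tmp` on tmpfs. The image path, data directory, disk size, bridge names and the `/var/lib/vmdata` layout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: several guests boot from one shared root
# image that QEMU opens read-only, and each guest gets its own writable disk
# for the paths that must persist (logs, service state). All paths, sizes and
# bridge names are assumptions chosen for illustration.
set -eu

BASE_IMG="${BASE_IMG:-/srv/vm/gentoo-services-root.img}"  # built/updated by the master VM
DATA_DIR="${DATA_DIR:-/srv/vm/data}"                        # one writable disk per guest
DATA_SIZE="${DATA_SIZE:-512M}"

data_disk_path() { printf '%s/%s-data.qcow2\n' "$DATA_DIR" "$1"; }

# Create the guest's private data disk on first use; it is never shared.
ensure_data_disk() {
    disk=$(data_disk_path "$1")
    [ -f "$disk" ] || qemu-img create -f qcow2 "$disk" "$DATA_SIZE" >/dev/null
    printf '%s\n' "$disk"
}

# Print the QEMU arguments for one guest. readonly=on is enforced by QEMU on
# the host, so the shared image stays intact even if the guest remounts / rw.
guest_args() {
    name=$1; bridge=$2
    printf '%s %s ' -name "$name"
    printf '%s file=%s,format=raw,if=virtio,readonly=on,cache=none ' -drive "$BASE_IMG"
    printf '%s file=%s,format=qcow2,if=virtio ' -drive "$(data_disk_path "$name")"
    printf '%s bridge,id=net0,br=%s %s virtio-net-pci,netdev=net0\n' -netdev "$bridge" -device
}

# fstab to bake into the shared image: root read-only, /tmp on tmpfs, and the
# writable directories bind-mounted from the guest's data disk (assumed to be
# one ext4 filesystem whose subdirectories are created at first boot).
guest_fstab() {
    cat <<'EOF'
/dev/vda              /                ext4   ro,noatime                        0 1
tmpfs                 /tmp             tmpfs  nosuid,nodev,noexec,size=64m      0 0
/dev/vdb              /var/lib/vmdata  ext4   rw,nosuid,nodev,noexec,noatime    0 2
/var/lib/vmdata/log   /var/log         none   bind                              0 0
/var/lib/vmdata/dhcp  /var/lib/dhcp    none   bind                              0 0
EOF
}

# Usage: sh launch-guest.sh GUEST BRIDGE  -> prints the arguments to append to
# "qemu-system-x86_64 -enable-kvm -m 256" for that guest.
if [ $# -eq 2 ]; then
    ensure_data_disk "$1" >/dev/null
    guest_args "$1" "$2"
fi
```

Run the script once per guest (for example `dns-dmz` on `br-dmz` and `dns-private` on `br-private`); the guests share only the read-only root image, never a writable disk.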