>From 32dd91bcc835b41e28b48fcc8f3278dc69f8851d Mon Sep 17 00:00:00 2001
From: Jaime Melis <[email protected]>
Date: Wed, 5 Dec 2012 12:33:40 +0100
Subject: [PATCH] INSTALL.OpenNebula: New instructions for using with
OpenNebula.
---
INSTALL.OpenNebula | 177
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Makefile.am | 1 +
README | 2 +
3 files changed, 180 insertions(+)
create mode 100644 INSTALL.OpenNebula
diff --git a/INSTALL.OpenNebula b/INSTALL.OpenNebula
new file mode 100644
index 0000000..927a8bc
--- /dev/null
+++ b/INSTALL.OpenNebula
@@ -0,0 +1,177 @@
+ How to Use Open vSwitch with OpenNebula
+ =======================================
+
+This document describes how to use Open vSwitch with OpenNebula 3.8.1 or
+later.This document assumes that you followed INSTALL or installed Open
vSwitch
+from distribution packaging such as a .deb or .rpm.
+
+This guide will address the usage of VLAN tagging and OpenFlow filtering of
+OpenNebula Virtual Machines. On top of that any other Open vSwitch feature
may
+be used by tuning and extending the Open vSwitch drivers in OpenNebula.
+
+Setup
+-----
+
+You need to install Open vSwitch on each OpenNebula Host. Please refer to
the
+INSTALL guide to do so.
+
+It is also necessary to install the Open vSwitch compatibility layer for
Linux
+bridging. Please refer to the INSTALL.bridge guide.
+
+The sudoers file must be configured so oneadmin can execute `ovs_vsctl` in
the
+hosts.
+
+Next, create an Open vSwitch bridge by using the ovs-vsctl utility (this
+must be done with administrative privileges):
+
+ % ovs-vsctl add-br ovsbr
+
+An Open vSwitch bridge should be created in each host, preferably with the
same
+name, and the name of this bridge should be specified in the network
definition
+template with the `BRIDGE` parameter.
+
+OpenNebula Configuration
+------------------------
+
+The Open vSwitch driver (ovswitch) is enabled by default in OpenNebula. To
make
+use of it, simply associate a host to that network driver (as oneadmin).
+
+ $ onehost create <hostname> im_kvm vmm_kvm tm_shared ovswitch
+
+Driver Actions
+--------------
+
+
+- Pre: Not enabled for Open vSwitch.
+- Post: Performs the appropriate Open vSwitch commands to tag the virtual
tap
+ interface (network isolation) and applies traffic filtering rules.
+- Clean: It doesn't do anything. The virtual tap interfaces will be
+ automatically discarded when the VM is shut down.
+
+Network Isolation
+-----------------
+
+The driver will be automatically applied to every Virtual Machine deployed
in
+the Host. Only the virtual networks with the attribute `VLAN="YES"` will be
+isolated. There are no other special attributes required.
+
+ NAME = "ovswitch_net"
+ TYPE = "fixed"
+
+ # "ovsbr" is an Open vSwtich bridge
+ BRIDGE = "ovsbr"
+
+ VLAN = "YES"
+
+ # Optional
+ VLAN_ID = 50
+
+ # Lease information
+ LEASES = 10.0.0.10
+ LEASES = 10.0.0.11
+ LEASES = ...
+
+Any user with Network creation/modification permissions may force a custom
vlan
+id with the ''VLAN_ID'' parameter in the network template. In that
scenario, any
+user may be able to connect to another network with the same network id.
+Techniques to avoid this are explained under the Tuning & Extending
section.
+
+Traffic Filtering
+-----------------
+
+The first rule that is always applied when using the Open vSwitch drivers
is the
+MAC-spoofing rule, that prevents any traffic coming out of the VM if the
user
+changes the MAC address.
+
+The firewall directives must be placed in the network section of the
Virtual
+Machine template. These are the possible attributes:
+
+- BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM
through the
+ specified ports in the TCP protocol.
+- BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM
through the
+ specified ports in the UDP protocol.
+- ICMP = drop: Blocks ICMP connections to the VM. By default it's set to
accept.
+
+iptables_range: a list of ports separated by commas, e.g.: 80,8080.
+Currently no ranges are supported, e.g.: 5900:6000 is not supported.
+
+Example:
+
+ NIC = [
+ NETWORK_ID = 3,
+ BLACK_PORTS_TCP = "80,8080",
+ ICMP = drop
+ ]
+
+Tuning and Extending
+--------------------
+
+Remember that any change in the /var/lib/one/remotes directory won't be
+effective in the Hosts until you execute `onehost sync` (as oneadmin).
+
+ $ onehost sync
+
+The vlan id is calculated by adding the network id to a constant defined in
+`/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb`. You can customize that
value to
+your own needs:
+
+ CONF = {
+ :start_vlan => 2
+ }
+
+Restricting the VLAN_ID atttribute
+----------------------------------
+
+You can either restrict permissions on Network creation with ACL rules, or
you can entirely disable the possibility to redefine the VLAN_ID by
modifying the source code of
`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. Change these lines:
+
+ if nic[:vlan_id]
+ vlan = nic[:vlan_id]
+ else
+ vlan = CONF[:start_vlan] + nic[:network_id].to_i
+ end
+with this one:
+
+ vlan = CONF[:start_vlan] + nic[:network_id].to_i
+
+OpenFlow Rules
+--------------
+
+To modify these rules you have to edit:
+`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`.
+
+1. Mac-spoofing
+
+These rules prevent any traffic to come out of the port the MAC address has
+changed.
+
+ in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
+ in_port=<PORT>,priority=39000,actions=normal
+
+2. Black ports (one rule per port)
+
+ tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop
+
+3. ICMP Drop
+
+ icmp,dl_dst=<MAC>,actions=drop
+
+Troubleshooting
+---------------
+
+When an Open vSwitch driver actions fails it will be reflected in the logs:
+
+- `/var/log/one/oned.log`
+- `/var/log/one/<vm_id>.log`
+
+Further Reading
+---------------
+
+- OpenNebula Hosts: http://opennebula.org/documentation:rel3.8:host_guide
+- OpenNebula ACLs: http://opennebula.org/documentation:rel3.8:openvswitch
+- OpenNebula Open vSwitch guide:
+ http://opennebula.org/documentation:rel3.8:manage_acl
+
+Bug Reporting
+-------------
+
+Please report OpenNebula problems to the OpenNebula Users mailing list.
Open vSwitch specific problems should be reported to [email protected].
diff --git a/Makefile.am b/Makefile.am
index e2e0aa4..6d44400 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,6 +47,7 @@ EXTRA_DIST = \
INSTALL.Fedora \
INSTALL.KVM \
INSTALL.Libvirt \
+ INSTALL.OpenNebula \
INSTALL.RHEL \
INSTALL.SSL \
INSTALL.XenServer \
diff --git a/README b/README
index b0e6d05..39daa74 100644
--- a/README
+++ b/README
@@ -103,6 +103,8 @@ To use Open vSwitch...
- ...with Libvirt, read INSTALL.Libvirt.
+ - ...with OpenNebula, read INSTALL.OpenNebula.
+
- ...as a drop-in replacement for the Linux bridge, read
INSTALL.bridge.
--
1.8.0