Attaching as a patch after reading "Documentation/email-clients.txt" and realising that gmail (Web GUI) doesn't work for sending inline patches.
On Wed, Dec 5, 2012 at 12:51 PM, Jaime Melis <[email protected]> wrote: > From 32dd91bcc835b41e28b48fcc8f3278dc69f8851d Mon Sep 17 00:00:00 2001 > From: Jaime Melis <[email protected]> > Date: Wed, 5 Dec 2012 12:33:40 +0100 > Subject: [PATCH] INSTALL.OpenNebula: New instructions for using with > OpenNebula. > > --- > INSTALL.OpenNebula | 177 > +++++++++++++++++++++++++++++++++++++++++++++++++++++ > Makefile.am | 1 + > README | 2 + > 3 files changed, 180 insertions(+) > create mode 100644 INSTALL.OpenNebula > > diff --git a/INSTALL.OpenNebula b/INSTALL.OpenNebula > new file mode 100644 > index 0000000..927a8bc > --- /dev/null > +++ b/INSTALL.OpenNebula 
> @@ -0,0 +1,177 @@ > + How to Use Open vSwitch with OpenNebula > + ======================================= > + > +This document describes how to use Open vSwitch with OpenNebula 3.8.1 or > +later.This document assumes that you followed INSTALL or installed Open > vSwitch > +from distribution packaging such as a .deb or .rpm. > + > +This guide will address the usage of VLAN tagging and OpenFlow filtering > of > +OpenNebula Virtual Machines. On top of that any other Open vSwitch > feature may > +be used by tuning and extending the Open vSwitch drivers in OpenNebula. > + > +Setup > +----- > + > +You need to install Open vSwitch on each OpenNebula Host. Please refer to > the > +INSTALL guide to do so. > + > +It is also necessary to install the Open vSwitch compatibility layer for > Linux > +bridging. Please refer to the INSTALL.bridge guide. > + > +The sudoers file must be configured so oneadmin can execute `ovs_vsctl` > in the > +hosts. > + > +Next, create an Open vSwitch bridge by using the ovs-vsctl utility (this > +must be done with administrative privileges): > + > + % ovs-vsctl add-br ovsbr > + > +An Open vSwitch bridge should be created in each host, preferably with > the same > +name, and the name of this bridge should be specified in the network > definition > +template with the `BRIDGE` parameter. > + > +OpenNebula Configuration > +------------------------ > + > +The Open vSwitch driver (ovswitch) is enabled by default in OpenNebula. > To make > +use of it, simply associate a host to that network driver (as oneadmin). > + > + $ onehost create <hostname> im_kvm vmm_kvm tm_shared ovswitch > + > +Driver Actions > +-------------- > + > + > +- Pre: Not enabled for Open vSwitch. > +- Post: Performs the appropriate Open vSwitch commands to tag the > virtual tap > + interface (network isolation) and applies traffic filtering > rules. > +- Clean: It doesn't do anything. The virtual tap interfaces will be > + automatically discarded when the VM is shut down. 
> + > +Network Isolation > +----------------- > + > +The driver will be automatically applied to every Virtual Machine > deployed in > +the Host. Only the virtual networks with the attribute `VLAN="YES"` will > be > +isolated. There are no other special attributes required. > + > + NAME = "ovswitch_net" > + TYPE = "fixed" > + > + # "ovsbr" is an Open vSwtich bridge > + BRIDGE = "ovsbr" > + > + VLAN = "YES" > + > + # Optional > + VLAN_ID = 50 > + > + # Lease information > + LEASES = 10.0.0.10 > + LEASES = 10.0.0.11 > + LEASES = ... > + > +Any user with Network creation/modification permissions may force a > custom vlan > +id with the ''VLAN_ID'' parameter in the network template. In that > scenario, any > +user may be able to connect to another network with the same network id. > +Techniques to avoid this are explained under the Tuning & Extending > section. > + > +Traffic Filtering > +----------------- > + > +The first rule that is always applied when using the Open vSwitch drivers > is the > +MAC-spoofing rule, that prevents any traffic coming out of the VM if the > user > +changes the MAC address. > + > +The firewall directives must be placed in the network section of the > Virtual > +Machine template. These are the possible attributes: > + > +- BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM > through the > + specified ports in the TCP protocol. > +- BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM > through the > + specified ports in the UDP protocol. > +- ICMP = drop: Blocks ICMP connections to the VM. By default it's set to > accept. > + > +iptables_range: a list of ports separated by commas, e.g.: 80,8080. > +Currently no ranges are supported, e.g.: 5900:6000 is not supported. 
> + > +Example: > + > + NIC = [ > + NETWORK_ID = 3, > + BLACK_PORTS_TCP = "80,8080", > + ICMP = drop > + ] > + > +Tuning and Extending > +-------------------- > + > +Remember that any change in the /var/lib/one/remotes directory won't be > +effective in the Hosts until you execute `onehost sync` (as oneadmin). > + > + $ onehost sync > + > +The vlan id is calculated by adding the network id to a constant defined > in > +`/var/lib/one/remotes/vnm/OpenNebulaNetwork.rb`. You can customize that > value to > +your own needs: > + > + CONF = { > + :start_vlan => 2 > + } > + > +Restricting the VLAN_ID atttribute > +---------------------------------- > + > +You can either restrict permissions on Network creation with ACL rules, > or you can entirely disable the possibility to redefine the VLAN_ID by > modifying the source code of > `/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. Change these lines: > + > + if nic[:vlan_id] > + vlan = nic[:vlan_id] > + else > + vlan = CONF[:start_vlan] + nic[:network_id].to_i > + end > +with this one: > + > + vlan = CONF[:start_vlan] + nic[:network_id].to_i > + > +OpenFlow Rules > +-------------- > + > +To modify these rules you have to edit: > +`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. > + > +1. Mac-spoofing > + > +These rules prevent any traffic to come out of the port the MAC address > has > +changed. > + > + in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal > + in_port=<PORT>,priority=39000,actions=normal > + > +2. Black ports (one rule per port) > + > + tcp,dl_dst=<MAC>,tp_dst=<PORT>,actions=drop > + > +3. 
ICMP Drop > + > + icmp,dl_dst=<MAC>,actions=drop > + > +Troubleshooting > +--------------- > + > +When an Open vSwitch driver actions fails it will be reflected in the > logs: > + > +- `/var/log/one/oned.log` > +- `/var/log/one/<vm_id>.log` > + > +Further Reading > +--------------- > + > +- OpenNebula Hosts: http://opennebula.org/documentation:rel3.8:host_guide > +- OpenNebula ACLs: http://opennebula.org/documentation:rel3.8:openvswitch > +- OpenNebula Open vSwitch guide: > + http://opennebula.org/documentation:rel3.8:manage_acl > + > +Bug Reporting > +------------- > + > +Please report OpenNebula problems to the OpenNebula Users mailing list. > Open vSwitch specific problems should be reported to [email protected]. > diff --git a/Makefile.am b/Makefile.am > index e2e0aa4..6d44400 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -47,6 +47,7 @@ EXTRA_DIST = \ > INSTALL.Fedora \ > INSTALL.KVM \ > INSTALL.Libvirt \ > + INSTALL.OpenNebula \ > INSTALL.RHEL \ > INSTALL.SSL \ > INSTALL.XenServer \ > diff --git a/README b/README > index b0e6d05..39daa74 100644 > --- a/README > +++ b/README > @@ -103,6 +103,8 @@ To use Open vSwitch... > > - ...with Libvirt, read INSTALL.Libvirt. > > + - ...with OpenNebula, read INSTALL.OpenNebula. > + > - ...as a drop-in replacement for the Linux bridge, read > INSTALL.bridge. > > -- > 1.8.0 > -- Jaime Melis Project Engineer OpenNebula - The Open Source Toolkit for Cloud Computing www.OpenNebula.org | [email protected]
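Review bot: in the INSTALL.OpenNebula hunk, the Mac-spoofing section's second flow `in_port=<PORT>,priority=39000,actions=normal` forwards every frame from the port whatever its source MAC, so the higher-priority `in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal` rule never blocks anything; since the text says these rules prevent traffic once the MAC address has changed, the catch-all rule should be `actions=drop`. Smaller points in the same file: the sudoers sentence names `ovs_vsctl` while the command used everywhere else is `ovs-vsctl`; the two Further Reading entries "OpenNebula ACLs" and "OpenNebula Open vSwitch guide" have their URLs swapped (the ACL entry points at the openvswitch page and vice versa); the Network Isolation paragraph should say a user could connect to another network with the same VLAN id, not "the same network id"; and "later.This", "Open vSwtich" and "atttribute" are typos.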
0001-INSTALL.OpenNebula-New-instructions-for-using-with-O.patch
