[ovirt-users] oVirt and VDSM isolatedprivatevlan hook

2014-06-26 Thread Matjaž Črnko
Hello,

I'm looking for a way to prevent the users/administrators of our virtual
machines from changing their IP.
One of the interesting solutions I stumbled upon is the isolatedprivatevlan
hook[1]

I installed the hook via yum, added the Custom VM Setting
(UserDefinedVMProperties=isolatedprivatevlan=^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$),
that I'm not sure if it's correct as it was written up quickly.

Now when I set the custom setting via the panel and try to start the VM I
get the following error:

VM TestVM is down. Exit message: XML error: Invalid specification of multiple filterrefs in a single interface.

If I read the wiki[1] correctly, the interface should have multiple
filterrefs when this hook is activated. So I'm wondering if the hook is
simply out of date/not working or am I missing something else?

I'm running oVirt 3.4.2-1.el6 on CentOS 6 (everything up to date).

Any help would be greatly appreciated (including other ways of preventing
the VM IP changes from users).
Črnko

[1] - http://www.ovirt.org/VDSM-Hooks/isolatedprivatevlan
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt and VDSM isolatedprivatevlan hook

2014-06-26 Thread Sven Kieske
In short:
I believe this hook is out of date.
You can define logical networks in oVirt and assign
them VLANs, so you can go with one logical network
per VM and assign a unique VLAN to that. oVirt
takes care of the complete deploy process; you need no
hook.

The only thing you need, of course, is some network hardware
which is capable of VLAN tagging.

HTH



-- 
Regards

Sven Kieske



Re: [ovirt-users] oVirt and VDSM isolatedprivatevlan hook

2014-06-26 Thread Dan Kenigsberg
On Thu, Jun 26, 2014 at 01:38:16PM +, Sven Kieske wrote:
> In short:
> I believe this hook is out of date,

Correct. It happens to have been broken quite a long time ago (ovirt-3.1)
with the introduction of no-mac-spoof filtering.

I remember reviewing a gerrit post that aimed to change things there,
but I fail to find it now (could the author have retracted a draft?)

Basically, the hook should replace (and not add) a filterref. Anybody
care to send a quick fix or file a BZ?

> you can define logical networks in ovirt and assign
> them v-lans, so you can go with one logical network
> per vm and assign a unique vlan to that, ovirt
> takes care of the complete deploy process, you need no
> hook.
>
> the only thing you need of course is some network hardware
> which is capable of vlan tagging.

Alternatively, we can consume libvirt's clean-traffic filter. Given
the onslaught of requests regarding this, I've filed
http://www.ovirt.org/Features/Avoid_IP_Spoofing; a user filing an RFE
could help, too.

Integrating this with Engine may take a while, so I'd be pleased if you
try out this suggestion for a noipspoof hook
http://gerrit.ovirt.org/29093

Regards,
Dan.
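
Added example (not part of the thread, and not the code of the hook, VDSM or the gerrit change): a sketch of the "replace, not add" behaviour described above, leaving the interface with a single filterref that points at libvirt's clean-traffic filter with the guest IP as its parameter. The function name pin_ip, the sample domain XML, the existing filter name vdsm-no-mac-spoofing, and the reading of the custom property as "MAC,IP" (taken from the regex in the first message) are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Property pattern quoted in the thread, read here as "<MAC>,<IPv4>".
PROP_RE = re.compile(
    r"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

# Constructed sample domain XML; the pre-existing filter name is an assumption.
SAMPLE_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='ovirtmgmt'/>
    </interface>
  </devices>
</domain>"""


def pin_ip(domain_xml, prop, new_filter="clean-traffic"):
    """Return domain XML where the NIC named in prop has exactly one filterref."""
    if not PROP_RE.match(prop):
        raise ValueError("property must be '<MAC>,<IPv4>'")
    mac, ip = prop.split(",")
    ipaddress.IPv4Address(ip)  # the regex alone would accept 999.999.999.999
    mac = mac.replace("-", ":").lower()
    root = ET.fromstring(domain_xml)
    matched = 0
    for iface in root.findall("./devices/interface"):
        mac_el = iface.find("mac")
        if mac_el is None or mac_el.get("address", "").lower() != mac:
            continue
        # Replace, do not append: drop every existing filterref first.
        for old in iface.findall("filterref"):
            iface.remove(old)
        ref = ET.SubElement(iface, "filterref", {"filter": new_filter})
        ET.SubElement(ref, "parameter", {"name": "IP", "value": ip})
        matched += 1
    if matched == 0:
        raise LookupError("no interface with MAC " + mac)
    return ET.tostring(root, encoding="unicode")
```

Interfaces whose MAC does not match are returned unchanged, so a second NIC on the same VM keeps whatever filter it already had.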