[ovirt-users] oVirt and VDSM isolatedprivatevlan hook
Hello,

I'm looking for a way to prevent the users/administrators of our virtual machines from changing their IP. One of the interesting solutions I stumbled upon is the isolatedprivatevlan hook[1].

I installed the hook via yum, added the Custom VM Setting (UserDefinedVMProperties=isolatedprivatevlan=^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$), that I'm not sure if it's correct as it was written up quickly.

Now when I set the custom setting via the panel and try to start the VM I get the following error:

    VM TestVM is down. Exit message: XML error: Invalid specification of multiple filterrefs in a single interface.

If I read the wiki[1] correctly, the interface should have multiple filterrefs when this hook is activated. So I'm wondering if the hook is simply out of date/not working, or am I missing something else?

I'm running oVirt 3.4.2-1.el6 on CentOS 6 (everything up to date).

Any help would be greatly appreciated (including other ways of preventing the VM IP changes from users).

Črnko

[1] - http://www.ovirt.org/VDSM-Hooks/isolatedprivatevlan
Re: [ovirt-users] oVirt and VDSM isolatedprivatevlan hook
In short: I believe this hook is out of date. You can define logical networks in oVirt and assign them VLANs, so you can go with one logical network per VM and assign a unique VLAN to that. oVirt takes care of the complete deploy process, you need no hook. The only thing you need, of course, is some network hardware which is capable of VLAN tagging.

HTH

On 26.06.2014 14:02, Matjaž Črnko wrote:
> Hello,
>
> I'm looking for a way to prevent the users/administrators of our virtual machines from changing their IP. One of the interesting solutions I stumbled upon is the isolatedprivatevlan hook[1].
>
> I installed the hook via yum, added the Custom VM Setting (UserDefinedVMProperties=isolatedprivatevlan=^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}),(?:[0-9]{1,3}\.){3}[0-9]{1,3}$), that I'm not sure if it's correct as it was written up quickly.
>
> Now when I set the custom setting via the panel and try to start the VM I get the following error:
>
>     VM TestVM is down. Exit message: XML error: Invalid specification of multiple filterrefs in a single interface.
>
> If I read the wiki[1] correctly, the interface should have multiple filterrefs when this hook is activated. So I'm wondering if the hook is simply out of date/not working, or am I missing something else?
>
> I'm running oVirt 3.4.2-1.el6 on CentOS 6 (everything up to date).
>
> Any help would be greatly appreciated (including other ways of preventing the VM IP changes from users).
>
> Črnko
>
> [1] - http://www.ovirt.org/VDSM-Hooks/isolatedprivatevlan

--
Regards
Sven Kieske
System administrator
Mittwald CM Service GmbH Co. KG
Re: [ovirt-users] oVirt and VDSM isolatedprivatevlan hook
On Thu, Jun 26, 2014 at 01:38:16PM +, Sven Kieske wrote:
> In short: I believe this hook is out of date,

Correct. It happens to have been broken quite a long time ago (ovirt-3.1) with the introduction of no-mac-spoof filtering. I remember reviewing a gerrit post that aimed to change things there, but I fail to find it now (could the author have retracted a draft?)

Basically, the hook should replace (and not add) a filterref. Anybody care to send a quick fix or file a BZ?

> you can define logical networks in ovirt and assign them v-lans, so you can go with one logical network per vm and assign a unique vlan to that, ovirt takes care of the complete deploy process, you need no hook. the only thing you need of course is some network hardware which is capable of vlan tagging.

Alternatively, we can consume libvirt's clean-traffic filter. Given the onslaught of requests regarding this, I've filed http://www.ovirt.org/Features/Avoid_IP_Spoofing; a user filing an RFE could help, too.

Integrating this with Engine may take a while, so I'd be pleased if you try out this suggestion for a noipspoof hook http://gerrit.ovirt.org/29093

Regards,
Dan.
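
Added example, not part of the thread and not the hook's or VDSM's own code: a sketch of the "replace, not add" behaviour discussed above, applied to a domain XML string so that the matching interface ends up with exactly one filterref (libvirt's clean-traffic filter with an IP parameter). The function names `parse_property` and `pin_ip`, the sample XML and the filter name inside it are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def parse_property(value):
    """Split a 'MAC,IP' custom property value and validate both halves."""
    mac, sep, ip = value.partition(",")
    if not sep or not MAC_RE.match(mac):
        raise ValueError("expected MAC,IP")
    # ipaddress rejects octets such as 999 that a digits-only regex lets through.
    ipaddress.IPv4Address(ip)
    return mac.replace("-", ":").lower(), ip

def pin_ip(domxml, prop_value, filter_name="clean-traffic"):
    """Return domain XML in which the matching NIC has exactly one filterref."""
    mac, ip = parse_property(prop_value)
    root = ET.fromstring(domxml)
    pinned = 0
    for iface in root.iter("interface"):
        mac_el = iface.find("mac")
        if mac_el is None or mac_el.get("address", "").lower() != mac:
            continue
        # Replace, do not append: libvirt rejects a second filterref
        # on the same interface (the error quoted in the first message).
        for old in iface.findall("filterref"):
            iface.remove(old)
        ref = ET.SubElement(iface, "filterref", {"filter": filter_name})
        ET.SubElement(ref, "parameter", {"name": "IP", "value": ip})
        pinned += 1
    if pinned == 0:
        raise LookupError("no interface with MAC " + mac)
    return ET.tostring(root, encoding="unicode")

# Constructed sample domain XML (not taken from the thread).
SAMPLE = """<domain type='kvm'><name>TestVM</name><devices>
  <interface type='bridge'>
    <mac address='00:1A:4A:16:01:51'/>
    <source bridge='ovirtmgmt'/>
    <filterref filter='vdsm-no-mac-spoofing'/>
  </interface>
</devices></domain>"""

if __name__ == "__main__":
    print(pin_ip(SAMPLE, "00-1a-4a-16-01-51,192.0.2.10"))
```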